authorbdrewery <bdrewery@FreeBSD.org>2017-01-17 03:30:31 +0800
committerbdrewery <bdrewery@FreeBSD.org>2017-01-17 03:30:31 +0800
commita6f37bc0979ae75e98448f25d3b4733ac77cf99b (patch)
tree10555beba9bd193e2b56e1f8e413b3abb7242681 /security/openssh-portable
parent95ae8bde49afa5970b51a6a72794455235b4bb4b (diff)
Update to 7.4p1.
- Update X509 patch to 9.3
- SCTP patch from soralx@cydem.org

Changes: https://www.openssh.com/txt/release-7.4
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile16
-rw-r--r--security/openssh-portable/distinfo14
-rw-r--r--security/openssh-portable/files/extra-patch-hpn54
-rw-r--r--security/openssh-portable/files/extra-patch-ldns20
-rw-r--r--security/openssh-portable/files/extra-patch-sctp20
-rw-r--r--security/openssh-portable/files/extra-patch-tcpwrappers14
-rw-r--r--security/openssh-portable/files/extra-patch-x509-glue39
-rw-r--r--security/openssh-portable/files/patch-kex.c33
-rw-r--r--security/openssh-portable/files/patch-misc.c43
-rw-r--r--security/openssh-portable/files/patch-readconf.c40
-rw-r--r--security/openssh-portable/files/patch-serverloop.c23
-rw-r--r--security/openssh-portable/files/patch-session.c81
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.136
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c126
-rw-r--r--security/openssh-portable/files/patch-ssh_config.521
-rw-r--r--security/openssh-portable/files/patch-sshd_config.574
16 files changed, 264 insertions, 390 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index a79e0decfbf2..4c0cc65e122a 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 7.3p1
-PORTREVISION= 5
+DISTVERSION= 7.4p1
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -60,15 +60,15 @@ HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 9.0
+X509_VERSION= 9.3
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-7.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue
+X509_PATCHFILES= ${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
SCTP_CONFIGURE_WITH= sctp
-#SCTP_BROKEN= does not apply to 7.3+
SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1
MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5
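Review bot: The commented-out `#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1` line above is now dead: SCTP is applied from `${FILESDIR}/extra-patch-sctp` and this hunk removes the matching `SCTP_BROKEN` line, yet the fetched-patch variant is left behind, and distinfo still carries SHA256/SIZE entries for `openssh-7.2_p1-sctp.patch.gz`. Either delete the commented line together with the stale distinfo entries, or replace it with a one-line comment such as `# SCTP is applied from files/extra-patch-sctp; the external 7.2_p1 patch no longer applies`. Unused distfile checksums in distinfo make it look as if the port still depends on that download.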
@@ -94,8 +94,8 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI}
-# 7.3 patch taken from
-# http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch
+# Patch from:
+# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
# which was originally based on 5.7 patch from
# http://www.sxw.org.uk/computing/patches/
# It is mirrored simply to apply gzip -9.
@@ -103,7 +103,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
# Needed glue for applying HPN patch without conflict
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
-PATCHFILES+= openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz:-p1:gsskex
+PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex
.endif
# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 73d7fe5a4473..d634e474f732 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,9 +1,9 @@
-TIMESTAMP = 1470675521
-SHA256 (openssh-7.3p1.tar.gz) = 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
-SIZE (openssh-7.3p1.tar.gz) = 1522617
+TIMESTAMP = 1484161900
+SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
+SIZE (openssh-7.4p1.tar.gz) = 1511780
SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.3p1+x509-9.0.diff.gz) = ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900
-SIZE (openssh-7.3p1+x509-9.0.diff.gz) = 571918
-SHA256 (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 83698da23a7d4dd24be9bc15ea7e801890dfc9303815135552c8ddfd158f1a95
-SIZE (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 26818
+SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee
+SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572
+SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
+SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index db3eaa7d89c4..d99575c65ede 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -695,7 +695,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
#define atime tv[0]
--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500
+++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500
-@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions
+@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions
options->authorized_principals_file = NULL;
options->authorized_principals_command = NULL;
options->authorized_principals_command_user = NULL;
@@ -710,7 +710,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
-@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption
+@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption
}
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
@@ -768,7 +768,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
if (options->ip_qos_interactive == -1)
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
-@@ -406,6 +465,12 @@ typedef enum {
+@@ -412,6 +471,12 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@@ -781,7 +781,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -537,6 +602,14 @@ static struct {
+@@ -548,6 +613,14 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -796,7 +796,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions
+@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
@@ -819,8 +819,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ goto parse_int;
+#endif
+
- case sRhostsRSAAuthentication:
- intptr = &options->rhosts_rsa_authentication;
+ case sHostbasedAuthentication:
+ intptr = &options->hostbased_authentication;
goto parse_flag;
--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
@@ -842,7 +842,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
int num_permitted_opens;
--- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500
-@@ -1051,6 +1051,12 @@
+@@ -526,6 +526,12 @@ server_request_tun(void)
sock = tun_open(tun, mode);
if (sock < 0)
goto done;
@@ -855,7 +855,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
-@@ -1088,6 +1094,10 @@
+@@ -563,6 +569,10 @@ server_request_session(void)
c = channel_new("session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
@@ -1101,7 +1101,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
strlen(client_version_string)) != strlen(client_version_string))
--- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800
+++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800
-@@ -80,6 +80,14 @@
+@@ -81,6 +81,14 @@
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
@@ -1116,7 +1116,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* SSH2 key exchange
-@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc
+@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@@ -1145,10 +1145,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
}
/*
-@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co
- pubkey_cleanup(&authctxt);
- ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
+ if (!authctxt.success)
+ fatal("Authentication failed.");
+#ifdef NONE_CIPHER_ENABLED
+ /*
+ * if the user wants to use the none cipher do it
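Review bot: The `#ifdef NONE_CIPHER_ENABLED` block is re-anchored directly after `if (!authctxt.success) fatal("Authentication failed.");`, and that position is what keeps the none-cipher switch strictly post-authentication; nothing in the patch states the ordering as a requirement, so a future re-anchoring could silently move it earlier. Suggest extending the comment that opens the block: `* Only reached after userauth succeeded: the none cipher must never be enabled before authentication completes.` The rest of the block, and the enclosing ssh_userauth2(), continue outside this hunk.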
@@ -1177,13 +1177,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
--- work.clean/openssh-7.1p1/sshd.c.orig 2015-08-20 21:49:03.000000000 -0700
+++ work.clean/openssh-7.1p1/sshd.c 2015-11-11 12:45:48.202186000 -0800
-@@ -431,8 +431,13 @@ sshd_exchange_identification(int sock_in
- minor = PROTOCOL_MINOR_1;
- }
+@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh
+ char buf[256]; /* Must not be larger than remote_version. */
+ char remote_version[256]; /* Must be at least as big as buf. */
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
- major, minor, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN,
+#else
@@ -1192,7 +1192,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
-@@ -1155,6 +1160,10 @@ server_listen(void)
+@@ -1027,6 +1032,10 @@ server_listen(void)
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1195,6 +1204,13 @@ server_listen(void)
+@@ -1067,6 +1076,13 @@ server_listen(void)
debug("Bind to port %s on %s.", strport, ntop);
@@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1693,6 +1709,15 @@ main(int ac, char **av)
+@@ -1591,6 +1607,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1233,9 +1233,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2123,6 +2148,11 @@ main(int ac, char **av)
- cleanup_exit(255);
+@@ -2085,6 +2110,11 @@ main(int ac, char **av)
}
+ #endif
+#ifdef HPN_ENABLED
+ /* set the HPN options for the child */
@@ -1243,9 +1243,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
/*
- * We use get_canonical_hostname with usedns = 0 instead of
- * get_remote_ipaddr here so IP options will be checked.
-@@ -2539,6 +2569,11 @@ do_ssh2_kex(void)
+ * In privilege separation, we fork another child and prepare
+ * file descriptor passing.
+@@ -2163,6 +2193,11 @@ do_ssh2_kex(void)
struct kex *kex;
int r;
@@ -1259,7 +1259,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
-@@ -127,6 +127,20 @@
+@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns
index 7bd369a84444..2d06f100c0c0 100644
--- a/security/openssh-portable/files/extra-patch-ldns
+++ b/security/openssh-portable/files/extra-patch-ldns
@@ -35,17 +35,17 @@ be verified, OpenSSH will print a message and prompt the user as usual.
+# VerifyHostKeyDNS yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
---- ssh_config.5.orig 2016-02-25 19:40:04.000000000 -0800
-+++ ssh_config.5 2016-02-29 07:57:41.763889000 -0800
-@@ -1715,7 +1715,10 @@
- or
- .Dq ask .
+--- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800
++++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800
+@@ -1635,7 +1635,10 @@ need to confirm new host keys according
+ .Cm StrictHostKeyChecking
+ option.
The default is
--.Dq no .
-+.Dq yes
+-.Cm no .
++.Cm yes
+if compiled with LDNS and
-+.Dq no
++.Cm no
+otherwise.
.Pp
- See also VERIFYING HOST KEYS in
- .Xr ssh 1 .
+ See also
+ .Sx VERIFYING HOST KEYS
diff --git a/security/openssh-portable/files/extra-patch-sctp b/security/openssh-portable/files/extra-patch-sctp
index 0d20b03b8953..f0b5297e184c 100644
--- a/security/openssh-portable/files/extra-patch-sctp
+++ b/security/openssh-portable/files/extra-patch-sctp
@@ -278,9 +278,9 @@ index b19d30e..14b0a0f 100644
options->macs = NULL;
options->kex_algorithms = NULL;
+ options->transport = -1;
- options->protocol = SSH_PROTO_UNKNOWN;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+ options->fwd_opts.streamlocal_bind_unlink = -1;
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
options->allow_streamlocal_forwarding = FORWARD_ALLOW;
if (options->allow_agent_forwarding == -1)
@@ -438,9 +438,9 @@ index b19d30e..14b0a0f 100644
+ filename, linenum);
+ break;
+
- case sProtocol:
- intptr = &options->protocol;
- arg = strdelim(&cp);
+ case sSubsystem:
+ if (options->num_subsystems >= MAX_SUBSYSTEMS) {
+ fatal("%s line %d: too many subsystems defined.",
@@ -1992,6 +2111,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(allow_streamlocal_forwarding);
M_CP_INTOPT(allow_agent_forwarding);
@@ -482,9 +482,9 @@ index f4137af..63a0637 100644
char *macs; /* Supported SSH2 macs. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
+ int transport; /* Transport protocol(s) used */
- int protocol; /* Supported protocol versions. */
struct ForwardOptions fwd_opts; /* forwarding options */
SyslogFacility log_facility; /* Facility for system logging. */
+ LogLevel log_level;<--->/* Level for system logging. */
diff --git a/ssh.1 b/ssh.1
index cc53343..b1a45e8 100644
--- a/ssh.1
@@ -566,7 +566,7 @@ index caf13a6..a088f30 100644
@@ -1597,6 +1597,12 @@ This is important in scripts, and many users want it too.
.Pp
To disable TCP keepalive messages, the value should be set to
- .Dq no .
+ .Cm no .
+.It Cm Transport
+Specifies the transport protocol while connecting. Valid values are
+.Dq TCP
@@ -686,9 +686,9 @@ index 430569c..4ca58ed 100644
+#include <netinet/sctp.h>
+#endif
+
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1164,6 +1168,12 @@ server_listen(void)
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -853,7 +853,7 @@ index a37a3ac..24e3826 100644
@@ -1508,6 +1508,17 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
- .Dq no .
+ .Cm no .
+.It Cm Transport
+Specifies the transport protocol that should be used by
+.Xr sshd 8 .
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index ad495d433383..14a0452bdefa 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -43,9 +43,9 @@ index 0ade557..045f149 100644
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -122,6 +122,13 @@
- #include "ssh-sandbox.h"
+@@ -123,6 +123,13 @@
#include "version.h"
+ #include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
@@ -54,10 +54,10 @@ index 0ade557..045f149 100644
+int deny_severity;
+#endif /* LIBWRAP */
+
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
-@@ -2027,6 +2034,24 @@ main(int ac, char **av)
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -1971,6 +1978,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
@@ -81,7 +81,7 @@ index 0ade557..045f149 100644
+#endif /* LIBWRAP */
/* Log the connection. */
- verbose("Connection from %s port %d on %s port %d",
+ laddr = get_local_ipaddr(sock_in);
diff --git configure.ac configure.ac
index f48ba4a..66fbe82 100644
--- configure.ac
diff --git a/security/openssh-portable/files/extra-patch-x509-glue b/security/openssh-portable/files/extra-patch-x509-glue
new file mode 100644
index 000000000000..fe9cbd9d3ec4
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-x509-glue
@@ -0,0 +1,39 @@
+--- session.c.orig 2017-01-12 11:58:30.754769000 -0800
++++ session.c 2017-01-12 11:58:35.360654000 -0800
+@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+-#ifdef __ANDROID__
+-{
+-#define COPY_ANDROID_ENV(name) { \
+- char *s = getenv(name); \
+- if (s) child_set_env(&env, &envsize, name, s); }
+-
+- /* from /init.rc */
+- COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
+- COPY_ANDROID_ENV("ANDROID_ROOT");
+- COPY_ANDROID_ENV("ANDROID_ASSETS");
+- COPY_ANDROID_ENV("ANDROID_DATA");
+- COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
+- COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
+- COPY_ANDROID_ENV("BOOTCLASSPATH");
+-
+- /* FIXME: keep android property workspace open
+- * (see openbsd-compat/bsd-closefrom.c)
+- */
+- COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
+-
+- COPY_ANDROID_ENV("EXTERNAL_STORAGE"); /* ??? */
+- COPY_ANDROID_ENV("SECONDARY_STORAGE"); /* ??? */
+- COPY_ANDROID_ENV("SD_EXT_DIRECTORY"); /* ??? */
+-
+- /* may contain path to custom libraries */
+- COPY_ANDROID_ENV("LD_LIBRARY_PATH");
+-#undef COPY_ANDROID_ENV
+-}
+-#endif
+-
+ /* Set custom environment options from RSA authentication. */
+ while (custom_environment) {
+ struct envstring *ce = custom_environment;
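Review bot: The new glue patch carries no header explaining why it deletes the `#ifdef __ANDROID__` environment-copy block that the X509 9.3 patch adds to do_setup_env(); presumably it is there because that block sits between the `TZ` lines and the `custom_environment` loop, the same region patch-session.c anchors on, but a reader of the file cannot tell. Add a header above the first `---` line, e.g. `# Drop the Android-only env block added by the X509 9.3 patch so patch-session.c (login.conf environment handling) still applies at the same anchor; __ANDROID__ is never defined on FreeBSD, so this is behaviour-neutral.` It is worth stating explicitly because the removed block copies `LD_LIBRARY_PATH` from the daemon's environment into the session, which would matter if it were ever compiled in.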
diff --git a/security/openssh-portable/files/patch-kex.c b/security/openssh-portable/files/patch-kex.c
deleted file mode 100644
index 339687643ebf..000000000000
--- a/security/openssh-portable/files/patch-kex.c
+++ /dev/null
@@ -1,33 +0,0 @@
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git kex.c kex.c
-index 3f97f8c..6a94bc5 100644
---- kex.c
-+++ kex.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
-+/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
- /*
- * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
- *
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- if (kex == NULL)
- return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- ptr = sshpkt_ptr(ssh, &dlen);
- if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- return r;
diff --git a/security/openssh-portable/files/patch-misc.c b/security/openssh-portable/files/patch-misc.c
new file mode 100644
index 000000000000..9ce31ea43fa6
--- /dev/null
+++ b/security/openssh-portable/files/patch-misc.c
@@ -0,0 +1,43 @@
+------------------------------------------------------------------------
+r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+
+Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
+Submitted upstream, no reaction.
+
+Submitted by: delphij@
+[rewritten for 7.4 by bdrewery@]
+
+--- misc.c.orig 2017-01-12 11:54:41.058558000 -0800
++++ misc.c 2017-01-12 11:55:16.531356000 -0800
+@@ -56,6 +56,8 @@
+ #include <net/if.h>
+ #endif
+
++#include <sys/sysctl.h>
++
+ #include "xmalloc.h"
+ #include "misc.h"
+ #include "log.h"
+@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a,
+ int
+ bind_permitted(int port, uid_t uid)
+ {
+- if (port < IPPORT_RESERVED && uid != 0)
++ int ipport_reserved;
++#ifdef __FreeBSD__
++ size_t len_ipport_reserved = sizeof(ipport_reserved);
++
++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
++ ipport_reserved = IPPORT_RESERVED;
++ else
++ ipport_reserved++;
++#else
++ ipport_reserved = IPPORT_RESERVED;
++#endif
++ if (port < ipport_reserved && uid != 0)
+ return 0;
+ return 1;
+ }
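Review bot: Moving the reservedhigh lookup from add_local_forward() into the shared helper bind_permitted() changes its reach: the old patch (r181918, readconf.c) only relaxed the client-side `-L` check, whereas bind_permitted(port, uid) is a generic helper that upstream may also consult from sshd's remote-forward path, so a lowered `net.inet.ip.portrange.reservedhigh` would then also let non-root users bind low ports via `-R`; confirm sshd's callers in 7.4 before accepting that semantics and record it in the patch header. Separately, `#include <sys/sysctl.h>` is added unconditionally while its only use is under `#ifdef __FreeBSD__`; wrap the include in the same guard, `#ifdef __FreeBSD__` / `#include <sys/sysctl.h>` / `#endif`. The `ipport_reserved++` after a successful sysctl is evidently there because reservedhigh is an inclusive bound while the comparison is `port < ipport_reserved`; that deserves a one-line comment, e.g. `/* reservedhigh is inclusive; make it an exclusive upper bound */`.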
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
index 7fcb0a3dfd44..8d98c57c2f82 100644
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -9,48 +9,8 @@ Changed paths:
Apply FreeBSD's configuration defaults.
-------------------------------------------------------------------------
-r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
-Changed paths:
- M /head/crypto/openssh/readconf.c
-
-Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
-Submitted upstream, no reaction.
-
-Submitted by: delphij@
-
--- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500
+++ readconf.c 2014-11-03 16:45:05.188796445 -0600
-@@ -17,6 +17,7 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/socket.h>
-+#include <sys/sysctl.h>
- #include <sys/wait.h>
- #include <sys/un.h>
-
-@@ -311,8 +312,19 @@ add_local_forward(Options *options, cons
- struct Forward *fwd;
- extern uid_t original_real_uid;
- int i;
--
-- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
-+ int ipport_reserved;
-+#ifdef __FreeBSD__
-+ size_t len_ipport_reserved = sizeof(ipport_reserved);
-+
-+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
-+ ipport_reserved = IPPORT_RESERVED;
-+ else
-+ ipport_reserved++;
-+#else
-+ ipport_reserved = IPPORT_RESERVED;
-+#endif
-+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 &&
- newfwd->listen_path == NULL)
- fatal("Privileged ports can only be forwarded by root.");
- /* Don't add duplicates */
@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
if (options->batch_mode == -1)
options->batch_mode = 0;
diff --git a/security/openssh-portable/files/patch-serverloop.c b/security/openssh-portable/files/patch-serverloop.c
deleted file mode 100644
index 53c08eebf15f..000000000000
--- a/security/openssh-portable/files/patch-serverloop.c
+++ /dev/null
@@ -1,23 +0,0 @@
-Fix CVE-2016-10010
-
-
---- serverloop.c.orig 2016-07-27 17:54:27.000000000 -0500
-+++ serverloop.c 2017-01-11 18:44:42.881227000 -0600
-@@ -999,7 +999,7 @@
-
- /* XXX fine grained permissions */
- if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-- !no_port_forwarding_flag) {
-+ !no_port_forwarding_flag && use_privsep) {
- c = channel_connect_to_path(target,
- "direct-streamlocal@openssh.com", "direct-streamlocal");
- } else {
-@@ -1280,7 +1280,7 @@
-
- /* check permissions */
- if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-- || no_port_forwarding_flag) {
-+ || no_port_forwarding_flag || !use_privsep) {
- success = 0;
- packet_send_debug("Server has disabled port forwarding.");
- } else {
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 0905c5fc72ba..cb99bbc1bfee 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -1,6 +1,18 @@
+------------------------------------------------------------------------
+r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines
+Changed paths:
+ M /head/crypto/openssh/session.c
+
+Make sure the environment variables set by setusercontext() are passed on
+to the child process.
+
+Reviewed by: ache
+Sponsored by: DARPA, NAI Labs
+
+
--- session.c 2013-03-14 19:22:37 UTC
+++ session.c
-@@ -1131,6 +1136,9 @@
+@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
@@ -10,7 +22,7 @@
#endif
/* Initialize the environment. */
-@@ -1152,6 +1160,9 @@
+@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she
}
#endif
@@ -20,50 +32,49 @@
#ifdef GSSAPI
/* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit
-@@ -1171,11 +1182,22 @@
- child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she
+ child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
#endif
- child_set_env(&env, &envsize, "HOME", pw->pw_dir);
-+ snprintf(buf, sizeof buf, "%.200s/%.50s",
-+ _PATH_MAILDIR, pw->pw_name);
-+ child_set_env(&env, &envsize, "MAIL", buf);
+ child_set_env(&env, &envsize, "HOME", pw->pw_dir);
++ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
++ child_set_env(&env, &envsize, "MAIL", buf);
#ifdef HAVE_LOGIN_CAP
-- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
-- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-- else
-- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
-+ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-+ child_set_env(&env, &envsize, "TERM", "su");
-+ senv = environ;
-+ environ = xmalloc(sizeof(char *));
-+ *environ = NULL;
-+ (void) setusercontext(lc, pw, pw->pw_uid,
-+ LOGIN_SETENV|LOGIN_SETPATH);
-+ copy_environment(environ, &env, &envsize);
-+ for (var = environ; *var != NULL; ++var)
-+ free(*var);
-+ free(environ);
-+ environ = senv;
+- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+- else
+- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
++ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
++ child_set_env(&env, &envsize, "TERM", "su");
++ senv = environ;
++ environ = xmalloc(sizeof(char *));
++ *environ = NULL;
++ (void) setusercontext(lc, pw, pw->pw_uid,
++ LOGIN_SETENV|LOGIN_SETPATH);
++ copy_environment(environ, &env, &envsize);
++ for (var = environ; *var != NULL; ++var)
++ free(*var);
++ free(environ);
++ environ = senv;
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
- /*
-@@ -1196,15 +1218,9 @@
+ /*
+@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
-- snprintf(buf, sizeof buf, "%.200s/%.50s",
-- _PATH_MAILDIR, pw->pw_name);
-- child_set_env(&env, &envsize, "MAIL", buf);
+- snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
+- child_set_env(&env, &envsize, "MAIL", buf);
-
- /* Normal systems set SHELL by default. */
- child_set_env(&env, &envsize, "SHELL", shell);
- }
+ /* Normal systems set SHELL by default. */
+ child_set_env(&env, &envsize, "SHELL", shell);
+
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-
+-
/* Set custom environment options from RSA authentication. */
- if (!options.use_login) {
-@@ -1483,7 +1499,7 @@
+ while (custom_environment) {
+ struct envstring *ce = custom_environment;
+@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw)
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
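Review bot: The login.conf block still hard-codes `child_set_env(&env, &envsize, "TERM", "su");` before calling setusercontext() and discards that call's return value, and neither is explained in the patch; a reader sees a bogus terminal type placed in the child's environment with no indication of what replaces it. Add a comment above the TERM line such as `/* placeholder so login.conf setenv= entries can reference TERM; presumably replaced by the pty's terminal type later in do_setup_env() -- confirm */`, and note beside `(void) setusercontext(...)` that a failure deliberately falls back to the `_PATH_STDPATH` PATH set just above. do_setup_env() and the following do_setusercontext() hunk continue outside this hunk.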
diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1
index 5edff7769268..3acde74be9fe 100644
--- a/security/openssh-portable/files/patch-ssh-agent.1
+++ b/security/openssh-portable/files/patch-ssh-agent.1
@@ -4,12 +4,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
-Add a -P option to specify PKCS11_WHITELIST
-
-
---- ssh-agent.1.orig 2016-07-27 17:54:27.000000000 -0500
-+++ ssh-agent.1 2017-01-11 19:05:12.513900000 -0600
-@@ -43,10 +43,11 @@
+--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500
+@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
@@ -18,30 +15,7 @@ Add a -P option to specify PKCS11_WHITELIST
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
-+.Op Fl P Ar pkcs11_whitelist
- .Op Ar command Op Ar arg ...
- .Nm ssh-agent
- .Op Fl c | s
-@@ -121,6 +122,18 @@
- Kill the current agent (given by the
- .Ev SSH_AGENT_PID
- environment variable).
-+.It Fl P
-+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
-+that may be added using the
-+.Fl s
-+option to
-+.Xr ssh-add 1 .
-+The default is to allow loading PKCS#11 libraries from
-+.Dq /usr/lib/*,/usr/local/lib/* .
-+PKCS#11 libraries that do not match the whitelist will be refused.
-+See PATTERNS in
-+.Xr ssh_config 5
-+for a description of pattern-list syntax.
- .It Fl s
- Generate Bourne shell commands on
- .Dv stdout .
-@@ -135,6 +148,8 @@
+@@ -128,6 +128,8 @@
.Xr ssh-add 1
overrides this value.
Without this option the default maximum lifetime is forever.
@@ -49,4 +23,4 @@ Add a -P option to specify PKCS11_WHITELIST
+Exit after the last client has disconnected.
.El
.Pp
- If a command line is given, this is executed as a subprocess of the agent.
+ If a commandline is given, this is executed as a subprocess of the agent.
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 75243fa5c57e..97bc26aa335b 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,39 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
-Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
-
-
---- ssh-agent.c.orig 2016-07-27 17:54:27.000000000 -0500
-+++ ssh-agent.c 2017-01-11 19:02:59.600125000 -0600
-@@ -83,11 +83,16 @@
- #include "misc.h"
- #include "digest.h"
- #include "ssherr.h"
-+#include "match.h"
-
- #ifdef ENABLE_PKCS11
- #include "ssh-pkcs11.h"
- #endif
-
-+#ifndef DEFAULT_PKCS11_WHITELIST
-+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
-+#endif
-+
- typedef enum {
- AUTH_UNUSED,
- AUTH_SOCKET,
-@@ -135,6 +140,9 @@
- char socket_name[PATH_MAX];
- char socket_dir[PATH_MAX];
-
-+/* PKCS#11 path whitelist */
-+static char *pkcs11_whitelist;
-+
- /* locking */
- #define LOCK_SIZE 32
- #define LOCK_SALT_SIZE 16
-@@ -150,15 +158,34 @@
+--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500
+@@ -157,15 +157,34 @@ static long lifetime = 0;
static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
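Review bot: The restored header at the top of this hunk (`--- ssh-agent.c.orig 2015-05-29 …` / `+++ ssh-agent.c 2015-06-02 …`, followed by `@@ -157,15 +157,34 @@`) carries timestamps and offsets that pre-date 7.4p1, so the patch presumably applies only with fuzz and a reader cannot tell which source revision it was taken against; regenerating it against the 7.4p1 tree (for example with `make makepatch`) would give accurate `@@` offsets, and the same 2015 header is restored in patch-ssh-agent.1. The preamble that survives (`Add a -x option …`) no longer says why the `-P`/PKCS#11 whitelist part of this file was dropped; the new side's own context shows upstream 7.4p1 already has `P:` in the getopt string and `[-P pkcs11_whitelist]` in the usage text, so a one-line note such as `The -P / PKCS#11 whitelist (CVE-2016-10009) is provided upstream as of 7.4p1 and is no longer carried in this patch.` would make the intentional removal of the local hardening auditable rather than looking like an accidental revert. The removed preamble line is the only place on the old side that tied this patch to CVE-2016-10009, so without such a note the link is lost from the port's history.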
@@ -75,50 +45,7 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
}
static void
-@@ -738,7 +765,7 @@
- static void
- process_add_smartcard_key(SocketEntry *e)
- {
-- char *provider = NULL, *pin;
-+ char *provider = NULL, *pin, canonical_provider[PATH_MAX];
- int r, i, version, count = 0, success = 0, confirm = 0;
- u_int seconds;
- time_t death = 0;
-@@ -770,10 +797,21 @@
- goto send;
- }
- }
-+ if (realpath(provider, canonical_provider) == NULL) {
-+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
-+ provider, strerror(errno));
-+ goto send;
-+ }
-+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
-+ verbose("refusing PKCS#11 add of \"%.100s\": "
-+ "provider not whitelisted", canonical_provider);
-+ goto send;
-+ }
-+ debug("%s: add %.100s", __func__, canonical_provider);
- if (lifetime && !death)
- death = monotime() + lifetime;
-
-- count = pkcs11_add_provider(provider, pin, &keys);
-+ count = pkcs11_add_provider(canonical_provider, pin, &keys);
- for (i = 0; i < count; i++) {
- k = keys[i];
- version = k->type == KEY_RSA1 ? 1 : 2;
-@@ -781,8 +819,8 @@
- if (lookup_identity(k, version) == NULL) {
- id = xcalloc(1, sizeof(Identity));
- id->key = k;
-- id->provider = xstrdup(provider);
-- id->comment = xstrdup(provider); /* XXX */
-+ id->provider = xstrdup(canonical_provider);
-+ id->comment = xstrdup(canonical_provider); /* XXX */
- id->death = death;
- id->confirm = confirm;
- TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-@@ -945,6 +983,10 @@
+@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd)
{
u_int i, old_alloc, new_alloc;
@@ -129,18 +56,16 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
set_nonblock(fd);
if (fd > max_fd)
-@@ -1172,8 +1214,8 @@
+@@ -1190,7 +1213,7 @@ static void
usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
-- " [-t life] [command [arg ...]]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
-+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
- }
-@@ -1204,6 +1246,7 @@
+@@ -1222,6 +1245,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
@@ -148,28 +73,16 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
platform_disable_tracing(0); /* strict=no */
-@@ -1214,7 +1257,7 @@
+@@ -1232,7 +1256,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
-- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
+- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1229,6 +1272,11 @@
- case 'k':
- k_flag++;
- break;
-+ case 'P':
-+ if (pkcs11_whitelist != NULL)
-+ fatal("-P option already specified");
-+ pkcs11_whitelist = xstrdup(optarg);
-+ break;
- case 's':
- if (c_flag)
- usage();
-@@ -1253,6 +1301,9 @@
+@@ -1276,6 +1300,9 @@ main(int ac, char **av)
usage();
}
break;
@@ -179,22 +92,3 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009)
default:
usage();
}
-@@ -1263,6 +1314,9 @@
- if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
- usage();
-
-+ if (pkcs11_whitelist == NULL)
-+ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
-+
- if (ac == 0 && !c_flag && !s_flag) {
- shell = getenv("SHELL");
- if (shell != NULL && (len = strlen(shell)) > 2 &&
-@@ -1410,7 +1464,7 @@
- signal(SIGTERM, cleanup_handler);
- nalloc = 0;
-
-- if (pledge("stdio cpath unix id proc exec", NULL) == -1)
-+ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
- fatal("%s: pledge: %s", __progname, strerror(errno));
- platform_pledge_agent();
-
diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5
index ea28ceeb8e75..416c64f83fe9 100644
--- a/security/openssh-portable/files/patch-ssh_config.5
+++ b/security/openssh-portable/files/patch-ssh_config.5
@@ -6,12 +6,21 @@ rev 1.2 of readconf.c.
--- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600
+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600
-@@ -164,7 +164,7 @@
- .Dq no ,
+@@ -377,8 +377,7 @@ or
+ .Cm no .
+ .It Cm CheckHostIP
+ If set to
+-.Cm yes
+-(the default),
++.Cm yes ,
+ .Xr ssh 1
+ will additionally check the host IP address in the
+ .Pa known_hosts
+@@ -390,6 +389,7 @@ in the process, regardless of the settin
+ .Cm StrictHostKeyChecking .
+ If the option is set to
+ .Cm no ,
++(the default),
the check will not be executed.
- The default is
--.Dq yes .
-+.Dq no .
.It Cm Cipher
Specifies the cipher to use for encrypting the session
- in protocol version 1.
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 3948f4056b96..41e8a6283bd0 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,6 +1,6 @@
---- sshd_config.5.orig 2015-05-29 03:27:21.000000000 UTC
-+++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500
-@@ -375,7 +375,9 @@ By default, no banner is displayed.
+--- sshd_config.5.orig 2016-12-18 20:59:41.000000000 -0800
++++ sshd_config.5 2017-01-11 13:35:46.496538000 -0800
+@@ -373,7 +373,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -9,21 +9,32 @@
+See also
+.Cm UsePAM .
The default is
- .Dq yes .
+ .Cm yes .
.It Cm ChrootDirectory
-@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic
+@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa
+ The list of available key types may also be obtained using
+ .Qq ssh -Q key .
+ .It Cm HostbasedAuthentication
+-Specifies whether rhosts or /etc/hosts.equiv authentication together
++Specifies whether rhosts or
++.Pa /etc/hosts.equiv
++authentication together
+ with successful public key client host authentication is allowed
+ (host-based authentication).
+ The default is
+@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
-+.Dq no ,
++.Cm no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
- .Dq yes .
+ .Cm yes .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
-+.Dq yes ,
++.Cm yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
@@ -34,58 +45,47 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -1158,6 +1175,13 @@ or
- .Dq no .
+@@ -1216,6 +1235,13 @@ and
+ .Cm ethernet .
The default is
- .Dq no .
+ .Cm no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
-+.Dq yes ,
++.Cm yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
-+.Dq without-password .
++.Cm without-password .
.Pp
- If this option is set to
- .Dq without-password ,
-@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as
- For more information on KRLs, see the KEY REVOCATION LISTS section in
- .Xr ssh-keygen 1 .
- .It Cm RhostsRSAAuthentication
--Specifies whether rhosts or /etc/hosts.equiv authentication together
-+Specifies whether rhosts or
-+.Pa /etc/hosts.equiv
-+authentication together
- with successful RSA host authentication is allowed.
- The default is
- .Dq no .
-@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run
+ Independent of this setting, the permissions of the selected
+ .Xr tun 4
+@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
--.Dq no .
-+.Dq yes .
+-.Cm no .
++.Cm yes .
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1520,7 +1546,10 @@ restrictions.
+@@ -1500,7 +1526,10 @@ The default is
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
--.Dq none .
-+.Dq %%SSH_VERSION_FREEBSD_PORT%% .
+-.Cm none .
++.Cm %%SSH_VERSION_FREEBSD_PORT%% .
+The value
-+.Dq none
++.Cm none
+may be used to disable this.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
-@@ -1534,7 +1563,7 @@ The argument must be
+@@ -1514,7 +1543,7 @@ The argument must be
or
- .Dq no .
+ .Cm no .
The default is
--.Dq no .
-+.Dq yes .
+-.Cm no .
++.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the