diff options
author | bdrewery <bdrewery@FreeBSD.org> | 2017-01-17 03:30:31 +0800 |
---|---|---|
committer | bdrewery <bdrewery@FreeBSD.org> | 2017-01-17 03:30:31 +0800 |
commit | a6f37bc0979ae75e98448f25d3b4733ac77cf99b (patch) | |
tree | 10555beba9bd193e2b56e1f8e413b3abb7242681 /security/openssh-portable | |
parent | 95ae8bde49afa5970b51a6a72794455235b4bb4b (diff) | |
download | freebsd-ports-gnome-a6f37bc0979ae75e98448f25d3b4733ac77cf99b.tar.gz freebsd-ports-gnome-a6f37bc0979ae75e98448f25d3b4733ac77cf99b.tar.zst freebsd-ports-gnome-a6f37bc0979ae75e98448f25d3b4733ac77cf99b.zip |
Update to 7.4p1.
- Update X509 patch to 9.3
- SCTP patch from soralx@cydem.org
Changes: https://www.openssh.com/txt/release-7.4
Diffstat (limited to 'security/openssh-portable')
-rw-r--r-- | security/openssh-portable/Makefile | 16 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 14 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn | 54 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-ldns | 20 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-sctp | 20 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-tcpwrappers | 14 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-x509-glue | 39 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-kex.c | 33 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-misc.c | 43 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-readconf.c | 40 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-serverloop.c | 23 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-session.c | 81 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.1 | 36 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 126 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh_config.5 | 21 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config.5 | 74 |
16 files changed, 264 insertions, 390 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index a79e0decfbf2..4c0cc65e122a 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.3p1 -PORTREVISION= 5 +DISTVERSION= 7.4p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -60,15 +60,15 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 9.0 +X509_VERSION= 9.3 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -X509_PATCHFILES= ${PORTNAME}-7.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue +X509_PATCHFILES= ${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 #SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1 SCTP_CONFIGURE_WITH= sctp -#SCTP_BROKEN= does not apply to 7.3+ SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1 MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 @@ -94,8 +94,8 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} -# 7.3 patch taken from -# http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch +# Patch from: +# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch # which was originally based on 5.7 patch from # http://www.sxw.org.uk/computing/patches/ # It is mirrored simply to apply gzip -9. @@ -103,7 +103,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif -PATCHFILES+= openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz:-p1:gsskex +PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex .endif # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index 73d7fe5a4473..d634e474f732 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,9 +1,9 @@ -TIMESTAMP = 1470675521 -SHA256 (openssh-7.3p1.tar.gz) = 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc -SIZE (openssh-7.3p1.tar.gz) = 1522617 +TIMESTAMP = 1484161900 +SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 +SIZE (openssh-7.4p1.tar.gz) = 1511780 SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501 -SHA256 (openssh-7.3p1+x509-9.0.diff.gz) = ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 -SIZE (openssh-7.3p1+x509-9.0.diff.gz) = 571918 -SHA256 (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 83698da23a7d4dd24be9bc15ea7e801890dfc9303815135552c8ddfd158f1a95 -SIZE (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 26818 +SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee +SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572 +SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b +SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091 diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index db3eaa7d89c4..d99575c65ede 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn @@ -695,7 +695,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o #define atime tv[0] --- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500 +++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500 -@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions +@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions options->authorized_principals_file = NULL; options->authorized_principals_command = NULL; options->authorized_principals_command_user = NULL; @@ -710,7 +710,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; -@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption +@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; @@ -768,7 +768,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) -@@ -406,6 +465,12 @@ typedef enum { +@@ -412,6 +471,12 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, @@ -781,7 +781,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, -@@ -537,6 +602,14 @@ static struct { +@@ -548,6 +613,14 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, @@ -796,7 +796,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions +@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions intptr = &options->ignore_user_known_hosts; goto parse_flag; @@ -819,8 +819,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + goto parse_int; +#endif + - case sRhostsRSAAuthentication: - intptr = &options->rhosts_rsa_authentication; + case sHostbasedAuthentication: + intptr = &options->hostbased_authentication; goto parse_flag; --- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 @@ -842,7 +842,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o int num_permitted_opens; --- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500 -@@ -1051,6 +1051,12 @@ +@@ -526,6 +526,12 @@ server_request_tun(void) sock = tun_open(tun, mode); if (sock < 0) goto done; @@ -855,7 +855,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; -@@ -1088,6 +1094,10 @@ +@@ -563,6 +569,10 @@ server_request_session(void) c = channel_new("session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); @@ -1101,7 +1101,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o strlen(client_version_string)) != strlen(client_version_string)) --- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800 +++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800 -@@ -80,6 +80,14 @@ +@@ -81,6 +81,14 @@ extern char *client_version_string; extern char *server_version_string; extern Options options; @@ -1116,7 +1116,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * SSH2 key exchange -@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc +@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc return ret; } @@ -1145,10 +1145,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o } /* -@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co - pubkey_cleanup(&authctxt); - ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); +@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co + if (!authctxt.success) + fatal("Authentication failed."); +#ifdef NONE_CIPHER_ENABLED + /* + * if the user wants to use the none cipher do it @@ -1177,13 +1177,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o --- work.clean/openssh-7.1p1/sshd.c.orig 2015-08-20 21:49:03.000000000 -0700 +++ work.clean/openssh-7.1p1/sshd.c 2015-11-11 12:45:48.202186000 -0800 -@@ -431,8 +431,13 @@ sshd_exchange_identification(int sock_in - minor = PROTOCOL_MINOR_1; - } +@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh + char buf[256]; /* Must not be larger than remote_version. */ + char remote_version[256]; /* Must be at least as big as buf. */ - xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", - major, minor, SSH_VERSION, + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +#ifdef HPN_ENABLED + options.hpn_disabled ? "" : SSH_HPN, +#else @@ -1192,7 +1192,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); -@@ -1155,6 +1160,10 @@ server_listen(void) +@@ -1027,6 +1032,10 @@ server_listen(void) int ret, listen_sock, on = 1; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; @@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1195,6 +1204,13 @@ server_listen(void) +@@ -1067,6 +1076,13 @@ server_listen(void) debug("Bind to port %s on %s.", strport, ntop); @@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { error("Bind to port %s on %s failed: %.200s.", -@@ -1693,6 +1709,15 @@ main(int ac, char **av) +@@ -1591,6 +1607,15 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); @@ -1233,9 +1233,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; -@@ -2123,6 +2148,11 @@ main(int ac, char **av) - cleanup_exit(255); +@@ -2085,6 +2110,11 @@ main(int ac, char **av) } + #endif +#ifdef HPN_ENABLED + /* set the HPN options for the child */ @@ -1243,9 +1243,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif + /* - * We use get_canonical_hostname with usedns = 0 instead of - * get_remote_ipaddr here so IP options will be checked. -@@ -2539,6 +2569,11 @@ do_ssh2_kex(void) + * In privilege separation, we fork another child and prepare + * file descriptor passing. +@@ -2163,6 +2193,11 @@ do_ssh2_kex(void) struct kex *kex; int r; @@ -1259,7 +1259,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 -@@ -127,6 +127,20 @@ +@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns index 7bd369a84444..2d06f100c0c0 100644 --- a/security/openssh-portable/files/extra-patch-ldns +++ b/security/openssh-portable/files/extra-patch-ldns @@ -35,17 +35,17 @@ be verified, OpenSSH will print a message and prompt the user as usual. +# VerifyHostKeyDNS yes # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h ---- ssh_config.5.orig 2016-02-25 19:40:04.000000000 -0800 -+++ ssh_config.5 2016-02-29 07:57:41.763889000 -0800 -@@ -1715,7 +1715,10 @@ - or - .Dq ask . +--- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800 ++++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800 +@@ -1635,7 +1635,10 @@ need to confirm new host keys according + .Cm StrictHostKeyChecking + option. The default is --.Dq no . -+.Dq yes +-.Cm no . ++.Cm yes +if compiled with LDNS and -+.Dq no ++.Cm no +otherwise. .Pp - See also VERIFYING HOST KEYS in - .Xr ssh 1 . + See also + .Sx VERIFYING HOST KEYS diff --git a/security/openssh-portable/files/extra-patch-sctp b/security/openssh-portable/files/extra-patch-sctp index 0d20b03b8953..f0b5297e184c 100644 --- a/security/openssh-portable/files/extra-patch-sctp +++ b/security/openssh-portable/files/extra-patch-sctp @@ -278,9 +278,9 @@ index b19d30e..14b0a0f 100644 options->macs = NULL; options->kex_algorithms = NULL; + options->transport = -1; - options->protocol = SSH_PROTO_UNKNOWN; options->fwd_opts.gateway_ports = -1; options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; + options->fwd_opts.streamlocal_bind_unlink = -1; @@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) options->allow_streamlocal_forwarding = FORWARD_ALLOW; if (options->allow_agent_forwarding == -1) @@ -438,9 +438,9 @@ index b19d30e..14b0a0f 100644 + filename, linenum); + break; + - case sProtocol: - intptr = &options->protocol; - arg = strdelim(&cp); + case sSubsystem: + if (options->num_subsystems >= MAX_SUBSYSTEMS) { + fatal("%s line %d: too many subsystems defined.", @@ -1992,6 +2111,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(allow_streamlocal_forwarding); M_CP_INTOPT(allow_agent_forwarding); @@ -482,9 +482,9 @@ index f4137af..63a0637 100644 char *macs; /* Supported SSH2 macs. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */ + int transport; /* Transport protocol(s) used */ - int protocol; /* Supported protocol versions. */ struct ForwardOptions fwd_opts; /* forwarding options */ SyslogFacility log_facility; /* Facility for system logging. */ + LogLevel log_level;<--->/* Level for system logging. */ diff --git a/ssh.1 b/ssh.1 index cc53343..b1a45e8 100644 --- a/ssh.1 @@ -566,7 +566,7 @@ index caf13a6..a088f30 100644 @@ -1597,6 +1597,12 @@ This is important in scripts, and many users want it too. .Pp To disable TCP keepalive messages, the value should be set to - .Dq no . + .Cm no . +.It Cm Transport +Specifies the transport protocol while connecting. Valid values are +.Dq TCP @@ -686,9 +686,9 @@ index 430569c..4ca58ed 100644 +#include <netinet/sctp.h> +#endif + - #ifndef O_NOCTTY - #define O_NOCTTY 0 - #endif + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) + #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) @@ -1164,6 +1168,12 @@ server_listen(void) for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) @@ -853,7 +853,7 @@ index a37a3ac..24e3826 100644 @@ -1508,6 +1508,17 @@ This avoids infinitely hanging sessions. .Pp To disable TCP keepalive messages, the value should be set to - .Dq no . + .Cm no . +.It Cm Transport +Specifies the transport protocol that should be used by +.Xr sshd 8 . diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index ad495d433383..14a0452bdefa 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -43,9 +43,9 @@ index 0ade557..045f149 100644 /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -122,6 +122,13 @@ - #include "ssh-sandbox.h" +@@ -123,6 +123,13 @@ #include "version.h" + #include "ssherr.h" +#ifdef LIBWRAP +#include <tcpd.h> @@ -54,10 +54,10 @@ index 0ade557..045f149 100644 +int deny_severity; +#endif /* LIBWRAP */ + - #ifndef O_NOCTTY - #define O_NOCTTY 0 - #endif -@@ -2027,6 +2034,24 @@ main(int ac, char **av) + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) + #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) +@@ -1971,6 +1978,24 @@ main(int ac, char **av) #ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); #endif @@ -81,7 +81,7 @@ index 0ade557..045f149 100644 +#endif /* LIBWRAP */ /* Log the connection. */ - verbose("Connection from %s port %d on %s port %d", + laddr = get_local_ipaddr(sock_in); diff --git configure.ac configure.ac index f48ba4a..66fbe82 100644 --- configure.ac diff --git a/security/openssh-portable/files/extra-patch-x509-glue b/security/openssh-portable/files/extra-patch-x509-glue new file mode 100644 index 000000000000..fe9cbd9d3ec4 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-x509-glue @@ -0,0 +1,39 @@ +--- session.c.orig 2017-01-12 11:58:30.754769000 -0800 ++++ session.c 2017-01-12 11:58:35.360654000 -0800 +@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); + +-#ifdef __ANDROID__ +-{ +-#define COPY_ANDROID_ENV(name) { \ +- char *s = getenv(name); \ +- if (s) child_set_env(&env, &envsize, name, s); } +- +- /* from /init.rc */ +- COPY_ANDROID_ENV("ANDROID_BOOTLOGO"); +- COPY_ANDROID_ENV("ANDROID_ROOT"); +- COPY_ANDROID_ENV("ANDROID_ASSETS"); +- COPY_ANDROID_ENV("ANDROID_DATA"); +- COPY_ANDROID_ENV("ASEC_MOUNTPOINT"); +- COPY_ANDROID_ENV("LOOP_MOUNTPOINT"); +- COPY_ANDROID_ENV("BOOTCLASSPATH"); +- +- /* FIXME: keep android property workspace open +- * (see openbsd-compat/bsd-closefrom.c) +- */ +- COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE"); +- +- COPY_ANDROID_ENV("EXTERNAL_STORAGE"); /* ??? */ +- COPY_ANDROID_ENV("SECONDARY_STORAGE"); /* ??? */ +- COPY_ANDROID_ENV("SD_EXT_DIRECTORY"); /* ??? */ +- +- /* may contain path to custom libraries */ +- COPY_ANDROID_ENV("LD_LIBRARY_PATH"); +-#undef COPY_ANDROID_ENV +-} +-#endif +- + /* Set custom environment options from RSA authentication. */ + while (custom_environment) { + struct envstring *ce = custom_environment; diff --git a/security/openssh-portable/files/patch-kex.c b/security/openssh-portable/files/patch-kex.c deleted file mode 100644 index 339687643ebf..000000000000 --- a/security/openssh-portable/files/patch-kex.c +++ /dev/null @@ -1,33 +0,0 @@ -From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 -From: "markus@openbsd.org" <markus@openbsd.org> -Date: Mon, 10 Oct 2016 19:28:48 +0000 -Subject: [PATCH] upstream commit - -Unregister the KEXINIT handler after message has been -received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause -allocation of up to 128MB -- until the connection is closed. Reported by -shilei-c at 360.cn - -Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 ---- - kex.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git kex.c kex.c -index 3f97f8c..6a94bc5 100644 ---- kex.c -+++ kex.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */ -+/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */ - /* - * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. - * -@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) - if (kex == NULL) - return SSH_ERR_INVALID_ARGUMENT; - -+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); - ptr = sshpkt_ptr(ssh, &dlen); - if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) - return r; diff --git a/security/openssh-portable/files/patch-misc.c b/security/openssh-portable/files/patch-misc.c new file mode 100644 index 000000000000..9ce31ea43fa6 --- /dev/null +++ b/security/openssh-portable/files/patch-misc.c @@ -0,0 +1,43 @@ +------------------------------------------------------------------------ +r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines +Changed paths: + M /head/crypto/openssh/readconf.c + +Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. +Submitted upstream, no reaction. + +Submitted by: delphij@ +[rewritten for 7.4 by bdrewery@] + +--- misc.c.orig 2017-01-12 11:54:41.058558000 -0800 ++++ misc.c 2017-01-12 11:55:16.531356000 -0800 +@@ -56,6 +56,8 @@ + #include <net/if.h> + #endif + ++#include <sys/sysctl.h> ++ + #include "xmalloc.h" + #include "misc.h" + #include "log.h" +@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, + int + bind_permitted(int port, uid_t uid) + { +- if (port < IPPORT_RESERVED && uid != 0) ++ int ipport_reserved; ++#ifdef __FreeBSD__ ++ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ ++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", ++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) ++ ipport_reserved = IPPORT_RESERVED; ++ else ++ ipport_reserved++; ++#else ++ ipport_reserved = IPPORT_RESERVED; ++#endif ++ if (port < ipport_reserved && uid != 0) + return 0; + return 1; + } diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c index 7fcb0a3dfd44..8d98c57c2f82 100644 --- a/security/openssh-portable/files/patch-readconf.c +++ b/security/openssh-portable/files/patch-readconf.c @@ -9,48 +9,8 @@ Changed paths: Apply FreeBSD's configuration defaults. ------------------------------------------------------------------------- -r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines -Changed paths: - M /head/crypto/openssh/readconf.c - -Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. -Submitted upstream, no reaction. - -Submitted by: delphij@ - --- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500 +++ readconf.c 2014-11-03 16:45:05.188796445 -0600 -@@ -17,6 +17,7 @@ - #include <sys/types.h> - #include <sys/stat.h> - #include <sys/socket.h> -+#include <sys/sysctl.h> - #include <sys/wait.h> - #include <sys/un.h> - -@@ -311,8 +312,19 @@ add_local_forward(Options *options, cons - struct Forward *fwd; - extern uid_t original_real_uid; - int i; -- -- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 && -+ int ipport_reserved; -+#ifdef __FreeBSD__ -+ size_t len_ipport_reserved = sizeof(ipport_reserved); -+ -+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", -+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) -+ ipport_reserved = IPPORT_RESERVED; -+ else -+ ipport_reserved++; -+#else -+ ipport_reserved = IPPORT_RESERVED; -+#endif -+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 && - newfwd->listen_path == NULL) - fatal("Privileged ports can only be forwarded by root."); - /* Don't add duplicates */ @@ -1934,7 +1946,7 @@ fill_default_options(Options * options) if (options->batch_mode == -1) options->batch_mode = 0; diff --git a/security/openssh-portable/files/patch-serverloop.c b/security/openssh-portable/files/patch-serverloop.c deleted file mode 100644 index 53c08eebf15f..000000000000 --- a/security/openssh-portable/files/patch-serverloop.c +++ /dev/null @@ -1,23 +0,0 @@ -Fix CVE-2016-10010 - - ---- serverloop.c.orig 2016-07-27 17:54:27.000000000 -0500 -+++ serverloop.c 2017-01-11 18:44:42.881227000 -0600 -@@ -999,7 +999,7 @@ - - /* XXX fine grained permissions */ - if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && -- !no_port_forwarding_flag) { -+ !no_port_forwarding_flag && use_privsep) { - c = channel_connect_to_path(target, - "direct-streamlocal@openssh.com", "direct-streamlocal"); - } else { -@@ -1280,7 +1280,7 @@ - - /* check permissions */ - if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 -- || no_port_forwarding_flag) { -+ || no_port_forwarding_flag || !use_privsep) { - success = 0; - packet_send_debug("Server has disabled port forwarding."); - } else { diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index 0905c5fc72ba..cb99bbc1bfee 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -1,6 +1,18 @@ +------------------------------------------------------------------------ +r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines +Changed paths: + M /head/crypto/openssh/session.c + +Make sure the environment variables set by setusercontext() are passed on +to the child process. + +Reviewed by: ache +Sponsored by: DARPA, NAI Labs + + --- session.c 2013-03-14 19:22:37 UTC +++ session.c -@@ -1131,6 +1136,9 @@ +@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -10,7 +22,7 @@ #endif /* Initialize the environment. */ -@@ -1152,6 +1160,9 @@ +@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she } #endif @@ -20,50 +32,49 @@ #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1171,11 +1182,22 @@ - child_set_env(&env, &envsize, "LOGIN", pw->pw_name); +@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif - child_set_env(&env, &envsize, "HOME", pw->pw_dir); -+ snprintf(buf, sizeof buf, "%.200s/%.50s", -+ _PATH_MAILDIR, pw->pw_name); -+ child_set_env(&env, &envsize, "MAIL", buf); + child_set_env(&env, &envsize, "HOME", pw->pw_dir); ++ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); ++ child_set_env(&env, &envsize, "MAIL", buf); #ifdef HAVE_LOGIN_CAP -- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) -- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -- else -- child_set_env(&env, &envsize, "PATH", getenv("PATH")); -+ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -+ child_set_env(&env, &envsize, "TERM", "su"); -+ senv = environ; -+ environ = xmalloc(sizeof(char *)); -+ *environ = NULL; -+ (void) setusercontext(lc, pw, pw->pw_uid, -+ LOGIN_SETENV|LOGIN_SETPATH); -+ copy_environment(environ, &env, &envsize); -+ for (var = environ; *var != NULL; ++var) -+ free(*var); -+ free(environ); -+ environ = senv; +- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) +- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); +- else +- child_set_env(&env, &envsize, "PATH", getenv("PATH")); ++ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); ++ child_set_env(&env, &envsize, "TERM", "su"); ++ senv = environ; ++ environ = xmalloc(sizeof(char *)); ++ *environ = NULL; ++ (void) setusercontext(lc, pw, pw->pw_uid, ++ LOGIN_SETENV|LOGIN_SETPATH); ++ copy_environment(environ, &env, &envsize); ++ for (var = environ; *var != NULL; ++var) ++ free(*var); ++ free(environ); ++ environ = senv; #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN - /* -@@ -1196,15 +1218,9 @@ + /* +@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ -- snprintf(buf, sizeof buf, "%.200s/%.50s", -- _PATH_MAILDIR, pw->pw_name); -- child_set_env(&env, &envsize, "MAIL", buf); +- snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); +- child_set_env(&env, &envsize, "MAIL", buf); - - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); - } + /* Normal systems set SHELL by default. */ + child_set_env(&env, &envsize, "SHELL", shell); + - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - +- /* Set custom environment options from RSA authentication. */ - if (!options.use_login) { -@@ -1483,7 +1499,7 @@ + while (custom_environment) { + struct envstring *ce = custom_environment; +@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1 index 5edff7769268..3acde74be9fe 100644 --- a/security/openssh-portable/files/patch-ssh-agent.1 +++ b/security/openssh-portable/files/patch-ssh-agent.1 @@ -4,12 +4,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. -Add a -P option to specify PKCS11_WHITELIST - - ---- ssh-agent.1.orig 2016-07-27 17:54:27.000000000 -0500 -+++ ssh-agent.1 2017-01-11 19:05:12.513900000 -0600 -@@ -43,10 +43,11 @@ +--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500 +@@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s @@ -18,30 +15,7 @@ Add a -P option to specify PKCS11_WHITELIST .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash .Op Fl t Ar life -+.Op Fl P Ar pkcs11_whitelist - .Op Ar command Op Ar arg ... - .Nm ssh-agent - .Op Fl c | s -@@ -121,6 +122,18 @@ - Kill the current agent (given by the - .Ev SSH_AGENT_PID - environment variable). -+.It Fl P -+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries -+that may be added using the -+.Fl s -+option to -+.Xr ssh-add 1 . -+The default is to allow loading PKCS#11 libraries from -+.Dq /usr/lib/*,/usr/local/lib/* . -+PKCS#11 libraries that do not match the whitelist will be refused. -+See PATTERNS in -+.Xr ssh_config 5 -+for a description of pattern-list syntax. - .It Fl s - Generate Bourne shell commands on - .Dv stdout . -@@ -135,6 +148,8 @@ +@@ -128,6 +128,8 @@ .Xr ssh-add 1 overrides this value. Without this option the default maximum lifetime is forever. @@ -49,4 +23,4 @@ Add a -P option to specify PKCS11_WHITELIST +Exit after the last client has disconnected. .El .Pp - If a command line is given, this is executed as a subprocess of the agent. + If a commandline is given, this is executed as a subprocess of the agent. diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index 75243fa5c57e..97bc26aa335b 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -8,39 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. -Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009) - - ---- ssh-agent.c.orig 2016-07-27 17:54:27.000000000 -0500 -+++ ssh-agent.c 2017-01-11 19:02:59.600125000 -0600 -@@ -83,11 +83,16 @@ - #include "misc.h" - #include "digest.h" - #include "ssherr.h" -+#include "match.h" - - #ifdef ENABLE_PKCS11 - #include "ssh-pkcs11.h" - #endif - -+#ifndef DEFAULT_PKCS11_WHITELIST -+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*" -+#endif -+ - typedef enum { - AUTH_UNUSED, - AUTH_SOCKET, -@@ -135,6 +140,9 @@ - char socket_name[PATH_MAX]; - char socket_dir[PATH_MAX]; - -+/* PKCS#11 path whitelist */ -+static char *pkcs11_whitelist; -+ - /* locking */ - #define LOCK_SIZE 32 - #define LOCK_SALT_SIZE 16 -@@ -150,15 +158,34 @@ +--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500 +@@ -157,15 +157,34 @@ static long lifetime = 0; static int fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -75,50 +45,7 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009) } static void -@@ -738,7 +765,7 @@ - static void - process_add_smartcard_key(SocketEntry *e) - { -- char *provider = NULL, *pin; -+ char *provider = NULL, *pin, canonical_provider[PATH_MAX]; - int r, i, version, count = 0, success = 0, confirm = 0; - u_int seconds; - time_t death = 0; -@@ -770,10 +797,21 @@ - goto send; - } - } -+ if (realpath(provider, canonical_provider) == NULL) { -+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", -+ provider, strerror(errno)); -+ goto send; -+ } -+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) { -+ verbose("refusing PKCS#11 add of \"%.100s\": " -+ "provider not whitelisted", canonical_provider); -+ goto send; -+ } -+ debug("%s: add %.100s", __func__, canonical_provider); - if (lifetime && !death) - death = monotime() + lifetime; - -- count = pkcs11_add_provider(provider, pin, &keys); -+ count = pkcs11_add_provider(canonical_provider, pin, &keys); - for (i = 0; i < count; i++) { - k = keys[i]; - version = k->type == KEY_RSA1 ? 1 : 2; -@@ -781,8 +819,8 @@ - if (lookup_identity(k, version) == NULL) { - id = xcalloc(1, sizeof(Identity)); - id->key = k; -- id->provider = xstrdup(provider); -- id->comment = xstrdup(provider); /* XXX */ -+ id->provider = xstrdup(canonical_provider); -+ id->comment = xstrdup(canonical_provider); /* XXX */ - id->death = death; - id->confirm = confirm; - TAILQ_INSERT_TAIL(&tab->idlist, id, next); -@@ -945,6 +983,10 @@ +@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; @@ -129,18 +56,16 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009) set_nonblock(fd); if (fd > max_fd) -@@ -1172,8 +1214,8 @@ +@@ -1190,7 +1213,7 @@ static void usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" -- " [-t life] [command [arg ...]]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" -+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n" + " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); - } -@@ -1204,6 +1246,7 @@ +@@ -1222,6 +1245,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -148,28 +73,16 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009) platform_disable_tracing(0); /* strict=no */ -@@ -1214,7 +1257,7 @@ +@@ -1232,7 +1256,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); -- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) { +- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) { + while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1229,6 +1272,11 @@ - case 'k': - k_flag++; - break; -+ case 'P': -+ if (pkcs11_whitelist != NULL) -+ fatal("-P option already specified"); -+ pkcs11_whitelist = xstrdup(optarg); -+ break; - case 's': - if (c_flag) - usage(); -@@ -1253,6 +1301,9 @@ +@@ -1276,6 +1300,9 @@ main(int ac, char **av) usage(); } break; @@ -179,22 +92,3 @@ Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009) default: usage(); } -@@ -1263,6 +1314,9 @@ - if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag)) - usage(); - -+ if (pkcs11_whitelist == NULL) -+ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST); -+ - if (ac == 0 && !c_flag && !s_flag) { - shell = getenv("SHELL"); - if (shell != NULL && (len = strlen(shell)) > 2 && -@@ -1410,7 +1464,7 @@ - signal(SIGTERM, cleanup_handler); - nalloc = 0; - -- if (pledge("stdio cpath unix id proc exec", NULL) == -1) -+ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) - fatal("%s: pledge: %s", __progname, strerror(errno)); - platform_pledge_agent(); - diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5 index ea28ceeb8e75..416c64f83fe9 100644 --- a/security/openssh-portable/files/patch-ssh_config.5 +++ b/security/openssh-portable/files/patch-ssh_config.5 @@ -6,12 +6,21 @@ rev 1.2 of readconf.c. --- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600 +++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600 -@@ -164,7 +164,7 @@ - .Dq no , +@@ -377,8 +377,7 @@ or + .Cm no . + .It Cm CheckHostIP + If set to +-.Cm yes +-(the default), ++.Cm yes , + .Xr ssh 1 + will additionally check the host IP address in the + .Pa known_hosts +@@ -390,6 +389,7 @@ in the process, regardless of the settin + .Cm StrictHostKeyChecking . + If the option is set to + .Cm no , ++(the default), the check will not be executed. - The default is --.Dq yes . -+.Dq no . .It Cm Cipher Specifies the cipher to use for encrypting the session - in protocol version 1. diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 3948f4056b96..41e8a6283bd0 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,6 +1,6 @@ ---- sshd_config.5.orig 2015-05-29 03:27:21.000000000 UTC -+++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500 -@@ -375,7 +375,9 @@ By default, no banner is displayed. +--- sshd_config.5.orig 2016-12-18 20:59:41.000000000 -0800 ++++ sshd_config.5 2017-01-11 13:35:46.496538000 -0800 +@@ -373,7 +373,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in @@ -9,21 +9,32 @@ +See also +.Cm UsePAM . The default is - .Dq yes . + .Cm yes . .It Cm ChrootDirectory -@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic +@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa + The list of available key types may also be obtained using + .Qq ssh -Q key . + .It Cm HostbasedAuthentication +-Specifies whether rhosts or /etc/hosts.equiv authentication together ++Specifies whether rhosts or ++.Pa /etc/hosts.equiv ++authentication together + with successful public key client host authentication is allowed + (host-based authentication). + The default is +@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is -+.Dq no , ++.Cm no , +unless +.Nm sshd +was built without PAM support, in which case the default is - .Dq yes . + .Cm yes . +Note that if +.Cm ChallengeResponseAuthentication +is -+.Dq yes , ++.Cm yes , +and the PAM authentication policy for +.Nm sshd +includes @@ -34,58 +45,47 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1158,6 +1175,13 @@ or - .Dq no . +@@ -1216,6 +1235,13 @@ and + .Cm ethernet . The default is - .Dq no . + .Cm no . +Note that if +.Cm ChallengeResponseAuthentication +is -+.Dq yes , ++.Cm yes , +the root user may be allowed in with its password even if +.Cm PermitRootLogin is set to -+.Dq without-password . ++.Cm without-password . .Pp - If this option is set to - .Dq without-password , -@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as - For more information on KRLs, see the KEY REVOCATION LISTS section in - .Xr ssh-keygen 1 . - .It Cm RhostsRSAAuthentication --Specifies whether rhosts or /etc/hosts.equiv authentication together -+Specifies whether rhosts or -+.Pa /etc/hosts.equiv -+authentication together - with successful RSA host authentication is allowed. - The default is - .Dq no . -@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run + Independent of this setting, the permissions of the selected + .Xr tun 4 +@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is --.Dq no . -+.Dq yes . +-.Cm no . ++.Cm yes . .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1520,7 +1546,10 @@ restrictions. +@@ -1500,7 +1526,10 @@ The default is Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is --.Dq none . -+.Dq %%SSH_VERSION_FREEBSD_PORT%% . +-.Cm none . ++.Cm %%SSH_VERSION_FREEBSD_PORT%% . +The value -+.Dq none ++.Cm none +may be used to disable this. .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1534,7 +1563,7 @@ The argument must be +@@ -1514,7 +1543,7 @@ The argument must be or - .Dq no . + .Cm no . The default is --.Dq no . -+.Dq yes . +-.Cm no . ++.Cm yes . .Pp When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the |