authorbdrewery <bdrewery@FreeBSD.org>2013-04-17 08:35:31 +0800
committerbdrewery <bdrewery@FreeBSD.org>2013-04-17 08:35:31 +0800
commitbedfa10f82819630369aec3754049d52cd556bf5 (patch)
tree986fc7c841dac95f12967492631cc358124fb739 /security/openssh-portable
parentdd6cf566905e89b0953aa236248111ecb8826d3a (diff)
- Remove compatibility for FreeBSD <4.x
* /var/empty has been in hier(7) since 4.x * User sshd has been in base since 4.x * Simplify a patch for realhostname_sa(3) usage - Remove SUID_SSH - It was removed from ssh in 2002 - Fix 'make test' - Add some hints into the patches on where they came from - Mirror all patches - Move LPK patch out of files/ - Remove the need for 2 patches * Removal of 'host-key check-config' in install phase * Adding -lutil - Add SCTP support [1] - Remove FILECONTROL as it has not been supported since the 5.8 update - Replace tab with space pkg-descr - Remove default WRKSRC - Add 'configtest' command to rc script - Mark X509 broken with other patches due to PATCH_DIST_STRIP=-p1 PR: ports/174570 [1] Submitted by: oleg <proler@gmail.com> [1] Obtained from: https://bugzilla.mindrot.org/show_bug.cgi?id=2016 (upstream) [1] Feature safe: yes
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile86
-rw-r--r--security/openssh-portable/distinfo4
-rw-r--r--security/openssh-portable/files/extra-patch-configure10
-rw-r--r--security/openssh-portable/files/openssh-lpk-5.8p2.patch1880
-rw-r--r--security/openssh-portable/files/openssh.in12
-rw-r--r--security/openssh-portable/files/patch-Makefile.in11
-rw-r--r--security/openssh-portable/files/patch-auth.c9
-rw-r--r--security/openssh-portable/files/patch-auth1.c17
-rw-r--r--security/openssh-portable/files/patch-auth2.c17
-rw-r--r--security/openssh-portable/files/patch-loginrec.c38
-rw-r--r--security/openssh-portable/files/patch-readconf.c8
-rw-r--r--security/openssh-portable/files/patch-servconf.c8
-rw-r--r--security/openssh-portable/files/patch-session.c17
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c4
-rw-r--r--security/openssh-portable/files/patch-ssh.c6
-rw-r--r--security/openssh-portable/files/patch-ssh_config5
-rw-r--r--security/openssh-portable/files/patch-ssh_config.55
-rw-r--r--security/openssh-portable/files/patch-sshd.82
-rw-r--r--security/openssh-portable/files/patch-sshd.c10
-rw-r--r--security/openssh-portable/files/patch-sshd_config7
-rw-r--r--security/openssh-portable/files/patch-sshd_config.52
-rw-r--r--security/openssh-portable/pkg-descr2
-rw-r--r--security/openssh-portable/pkg-plist4
23 files changed, 193 insertions, 1971 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 64e44e564faf..2c480aacd667 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -13,8 +13,6 @@ PKGNAMESUFFIX= -portable
MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
-WRKSRC= ${WRKDIR}/${PORTNAME}-${DISTVERSION}
-
MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
MLINKS= ssh.1 slogin.1
MAN5= moduli.5 ssh_config.5 sshd_config.5
@@ -22,7 +20,12 @@ MAN8= sftp-server.8 sshd.8 ssh-keysign.8 ssh-pkcs11-helper.8
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
+# XXX: ports/52706 will allow using DEFAULT,x509,gsskex here.
+PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/ \
+ http://mirror.shatow.net/freebsd/${PORTNAME}/:x509,gsskex
+
USE_PERL5_BUILD= yes
+USE_AUTOTOOLS= autoconf autoheader
USE_OPENSSL= yes
GNU_CONFIGURE= yes
CONFIGURE_ENV= ac_cv_func_strnvis=no
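Review bot: The new PATCH_SITES entries at L57-L58 make a personal mirror, reached over plain HTTP, the source of every third-party patch this port applies (HPN, LPK, SCTP, and the x509/gsskex groups), so the only thing binding what a builder applies to what the maintainer reviewed is the SHA256 in distinfo. That is the normal ports model, but these patches rewrite sshd's authentication and key-exchange paths, so the reliance is worth stating next to the site list and the provenance of each checksum worth recording, e.g. `# All distribution patches are mirrored here; the distinfo SHA256 for each must be taken from the upstream origin named in the per-option comments below.` The existing XXX comment at L56 suggests the upstream sites could be preferred once ports/52706 lands; until then this comment is the only hint a reader gets.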
@@ -36,37 +39,46 @@ ETCOLD= ${PREFIX}/etc
SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
-OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT SUID_SSH BSM KERBEROS \
- KERB_GSSAPI OPENSSH_CHROOT HPN LPK X509 FILECONTROL \
- OVERWRITE_BASE
+OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM KERBEROS \
+ KERB_GSSAPI OPENSSH_CHROOT HPN LPK X509 \
+ OVERWRITE_BASE SCTP
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS
TCP_WRAPPERS_DESC= Enable tcp_wrappers support
-SUID_SSH_DESC= Enable suid SSH (Recommended off)
BSM_DESC= Enable OpenBSM Auditing
KERB_GSSAPI_DESC= Enable Kerberos/GSSAPI patch (req: GSSAPI)
OPENSSH_CHROOT_DESC= Enable CHROOT support
HPN_DESC= Enable HPN-SSH patch
LPK_DESC= Enable LDAP Public Key (LPK) patch
X509_DESC= Enable x509 certificate patch
-FILECONTROL_DESC= Enable file control patch (broken)
+SCTP_DESC= Enable SCTP support
OVERWRITE_BASE_DESC= OpenSSH overwrite base
.include <bsd.port.pre.mk>
.if ${OSVERSION} >= 900000
-EXTRA_PATCHES= ${FILESDIR}/extra-patch-configure
+CONFIGURE_LIBS+= -lutil
.endif
.if ${OSVERSION} >= 900007
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
.endif
-.if ${PORT_OPTIONS:MX509} && ${PORT_OPTIONS:MHPN}
-BROKEN= X509 patches and HPN patches do not apply cleanly together
-.endif
+.if ${PORT_OPTIONS:MX509}
+. if ${PORT_OPTIONS:MHPN}
+BROKEN= X509 patch and HPN patch do not apply cleanly together
+. endif
-.if ${PORT_OPTIONS:MX509} && ${PORT_OPTIONS:MKERB_GSSAPI}
+. if ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= X509 patch incompatible with KERB_GSSAPI patch
+. endif
+
+. if ${PORT_OPTIONS:MSCTP}
+BROKEN= X509 patch and SCTP patch do not apply cleanly together
+. endif
+
+. if ${PORT_OPTIONS:MLPK}
+BROKEN= X509 patch and LPK patch do not apply cleanly together
+. endif
.endif
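Review bot: The nested `. if` blocks at L98-L112 each assign `BROKEN=` rather than append, so a user who enables X509 together with two or more of HPN, KERB_GSSAPI, SCTP and LPK is told about only the last conflict and discovers the others one rebuild at a time. The Makefile also never says why these combinations break; the commit message attributes it to X509 setting `PATCH_DIST_STRIP= -p1` (L165), a single global that then governs the strip level of every PATCHFILES entry, which is more useful to a future maintainer than four "do not apply cleanly" strings. I would record that once above the block, `# X509 sets PATCH_DIST_STRIP=-p1, a global that changes the strip level of every other PATCHFILES entry`, and either use `BROKEN+=` or build one combined message so every conflict is reported at once.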
.if defined(OPENSSH_OVERWRITE_BASE)
@@ -85,10 +97,6 @@ CONFIGURE_ARGS+= --with-tcp-wrappers
CONFIGURE_ARGS+= --with-libedit
.endif
-.if !${PORT_OPTIONS:MSUID_SSH}
-CONFIGURE_ARGS+= --disable-suid-ssh
-.endif
-
.if ${PORT_OPTIONS:MBSM}
CONFIGURE_ARGS+= --with-audit=bsm
.endif
@@ -97,8 +105,8 @@ CONFIGURE_ARGS+= --with-audit=bsm
CONFIGURE_ARGS+= --with-kerberos5
LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
.if ${PORT_OPTIONS:MKERB_GSSAPI}
-PATCH_SITES+= http://www.sxw.org.uk/computing/patches/
-PATCHFILES+= openssh-5.7p1-gsskex-all-20110125.patch
+PATCH_SITES+= http://www.sxw.org.uk/computing/patches/:gsskex
+PATCHFILES+= openssh-5.7p1-gsskex-all-20110125.patch:gsskex
PATCH_DIST_STRIP=
.endif
.if ${OPENSSLBASE} == "/usr"
@@ -115,8 +123,8 @@ CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
CFLAGS+= -DCHROOT
.endif
+# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN}
-PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/
PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz
PATCH_DIST_STRIP=
.endif
@@ -125,19 +133,19 @@ PATCH_DIST_STRIP=
# and svn repo described here:
# http://code.google.com/p/openssh-lpk/source/checkout
.if ${PORT_OPTIONS:MLPK}
-EXTRA_PATCHES+= ${FILESDIR}/openssh-lpk-5.8p2.patch
+PATCHFILES+= ${PORTNAME}-lpk-5.8p2.patch.gz
USE_OPENLDAP= yes
CPPFLAGS+= -I${LOCALBASE}/include
CONFIGURE_ARGS+= --with-ldap=yes \
- --with-libs='-lldap' \
--with-ldflags='-L${LOCALBASE}/lib' \
--with-cppflags='${CPPFLAGS}'
+CONFIGURE_LIBS+= -lldap
.endif
# See http://www.roumenpetrov.info/openssh/
.if ${PORT_OPTIONS:MX509}
-PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-7.0/
-PATCHFILES+= ${PORTNAME}-5.8p1+x509-7.0.diff.gz
+PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-7.0/:x509
+PATCHFILES+= ${PORTNAME}-5.8p1+x509-7.0.diff.gz:x509
PATCH_DIST_STRIP= -p1
PLIST_SUB+= X509=""
MAN5+= ssh_engine.5
@@ -145,33 +153,24 @@ MAN5+= ssh_engine.5
PLIST_SUB+= X509="@comment "
.endif
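Review bot: With L150 the LPK patch is fetched from the mirror as a gzip instead of living in files/, so the 1880-line copy that could be reviewed in the tree (deleted below) is replaced by a blob whose only link to that reviewed content is the distinfo SHA256; if the mirrored file is byte-identical to the removed files/openssh-lpk-5.8p2.patch, the comment block above should say so, since that is what lets a reviewer trust the checksum. Separately, the patch's own README (visible in the deleted copy) warns that its LDAP code "has not been well audited", that a MITM on the LDAP lookup or a writable user DN lets an attacker substitute a public key, and that it falls back to password authentication when the directory is down; none of that reaches the person flipping the option. A one-line pointer at the option site is cheap: `# Per the LPK README: LDAP lookup is unaudited and MITM-sensitive; protect the LpkServers transport and keep user DNs read-only.`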
-# See http://sftpfilecontrol.sourceforge.net/
-.if ${PORT_OPTIONS:MFILECONTROL}
-# Latest sftpfilecontrol patch is against 5.4p1 which does not apply
-# cleanly against 5.8p2, but it's close.
-BROKEN= latest upstream sftp file control public key patch is not up to date for OpenSSH 5.8p2
-EXTRA_PATCHES+= ${FILESDIR}/openssh-${DISTVERSION}.sftpfilecontrol-v1.3.patch
+# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
+.if ${PORT_OPTIONS:MSCTP}
+PATCHFILES+= ${PORTNAME}-sctp-2163.patch.gz
+CONFIGURE_ARGS+= --with-sctp
.endif
+EMPTYDIR= /var/empty
+
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
WITH_OPENSSL_BASE= yes
CONFIGURE_ARGS+= --localstatedir=/var
-EMPTYDIR= /var/empty
PREFIX= /usr
ETCSSH= /etc/ssh
USE_RCORDER= openssh
PLIST_SUB+= NOTBASE="@comment "
PLIST_SUB+= BASE=""
PLIST_SUB+= BASEPREFIX="${PREFIX}"
-PLIST_SUB+= ERASEEMPTY="@comment "
.else
-.if exists(/var/empty)
-EMPTYDIR= /var/empty
-PLIST_SUB+= ERASEEMPTY="@comment "
-.else
-EMPTYDIR= ${PREFIX}/empty
-PLIST_SUB+= ERASEEMPTY=""
-.endif
ETCSSH= ${PREFIX}/etc/ssh
USE_RC_SUBR= openssh
PLIST_SUB+= NOTBASE=""
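Review bot: L182 hard-codes `EMPTYDIR= /var/empty` for both the base-overwrite and the ${PREFIX} install, while the `pre-su-install` step that used to create it and the sshd user is removed further down, so nothing in the port any longer creates or checks the privilege-separation directory handed to configure via `--with-privsep-path` (L210). The commit relies on hier(7) and the base sshd user being present since 4.x, which is fair, but the assumption is now invisible in the Makefile even though sshd, as far as I recall, refuses to start privsep without that directory and user. I would write it down where the variable is set: `# privsep chroot; supplied by base (hier(7), sshd user) since 4.x — not created or checked by this port`.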
@@ -180,13 +179,16 @@ PLIST_SUB+= BASE="@comment "
# After all
SUB_LIST+= ETCSSH="${ETCSSH}"
-PLIST_SUB+= EMPTYDIR="${EMPTYDIR}"
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
+.if !empty(CONFIGURE_LIBS)
+CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}'
+.endif
RC_SCRIPT_NAME= openssh
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
+ @${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in
@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
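Review bot: The new `REINPLACE_CMD` at L217 rewrites the upstream install target by pattern and is silent when the pattern does not match, so if a future Makefile.in reorders or renames `host-key check-config` the install phase will quietly start generating host keys and running check-config again, which is presumably what the removed patch-Makefile.in prevented and would have failed loudly on instead. A guard right after the substitution restores that signal, e.g. `@! ${GREP} -q 'host-key check-config' ${WRKSRC}/Makefile.in`, so the build stops rather than installing with the old behavior. The post-patch target continues past the end of this hunk.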
@@ -203,10 +205,6 @@ post-patch:
.endif
pre-su-install:
- @${MKDIR} ${EMPTYDIR}
- if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi
- if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \
- -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi
.if !exists(${ETCSSH})
@${MKDIR} ${ETCSSH}
.endif
@@ -224,7 +222,7 @@ post-install:
@${CAT} ${PKGMESSAGE}
test: build
- (cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} TEST_SHELL=/bin/sh \
+ (cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS})
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 8f65dea9f1e9..d8e67f738b72 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -6,3 +6,7 @@ SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7
SIZE (openssh-5.8p1+x509-7.0.diff.gz) = 184277
SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) = bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359
SIZE (openssh-5.7p1-gsskex-all-20110125.patch) = 91889
+SHA256 (openssh-lpk-5.8p2.patch.gz) = 718221d13a09fdf5be857cc4b349e61698c42ae47bd357bd5c83f331d490c6c7
+SIZE (openssh-lpk-5.8p2.patch.gz) = 17822
+SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
+SIZE (openssh-sctp-2163.patch.gz) = 6764
diff --git a/security/openssh-portable/files/extra-patch-configure b/security/openssh-portable/files/extra-patch-configure
deleted file mode 100644
index d83a0a647291..000000000000
--- a/security/openssh-portable/files/extra-patch-configure
+++ /dev/null
@@ -1,10 +0,0 @@
---- configure.orig 2011-09-01 20:36:35.000000000 +0400
-+++ configure 2011-09-02 13:59:02.000000000 +0400
-@@ -12856,6 +12856,7 @@
-
-
-
-+LIBS="-lutil $LIBS"
- for ac_func in \
- arc4random \
- arc4random_buf \
diff --git a/security/openssh-portable/files/openssh-lpk-5.8p2.patch b/security/openssh-portable/files/openssh-lpk-5.8p2.patch
deleted file mode 100644
index 5ea0e10833de..000000000000
--- a/security/openssh-portable/files/openssh-lpk-5.8p2.patch
+++ /dev/null
@@ -1,1880 +0,0 @@
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/Makefile.in ./Makefile.in
---- ../openssh-5.8p2-orig/Makefile.in 2011-10-03 16:53:52.329344087 +0400
-+++ ./Makefile.in 2011-10-03 16:54:04.009342681 +0400
-@@ -94,7 +94,7 @@
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- sftp-server.o sftp-common.o \
-- roaming_common.o roaming_serv.o
-+ roaming_common.o roaming_serv.o ldapauth.o
-
- MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
- MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/README.lpk ./README.lpk
---- ../openssh-5.8p2-orig/README.lpk 1970-01-01 03:00:00.000000000 +0300
-+++ ./README.lpk 2011-10-03 16:54:04.018338857 +0400
-@@ -0,0 +1,267 @@
-+OpenSSH LDAP PUBLIC KEY PATCH
-+Copyright (c) 2003 Eric AUGE (eau@phear.org)
-+All rights reserved.
-+
-+Redistribution and use in source and binary forms, with or without
-+modification, are permitted provided that the following conditions
-+are met:
-+1. Redistributions of source code must retain the above copyright
-+ notice, this list of conditions and the following disclaimer.
-+2. Redistributions in binary form must reproduce the above copyright
-+ notice, this list of conditions and the following disclaimer in the
-+ documentation and/or other materials provided with the distribution.
-+3. The name of the author may not be used to endorse or promote products
-+ derived from this software without specific prior written permission.
-+
-+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+
-+purposes of this patch:
-+
-+This patch would help to have authentication centralization policy
-+using ssh public key authentication.
-+This patch could be an alternative to other "secure" authentication system
-+working in a similar way (Kerberos, SecurID, etc...), except the fact
-+that it's based on OpenSSH and its public key abilities.
-+
-+>> FYI: <<
-+'uid': means unix accounts existing on the current server
-+'lpkServerGroup:' mean server group configured on the current server ('lpkServerGroup' in sshd_config)
-+
-+example schema:
-+
-+
-+ server1 (uid: eau,rival,toto) (lpkServerGroup: unix)
-+ ___________ /
-+ / \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix)
-+ | LDAP Server | \
-+ | eau ,rival | server2 (uid: rival, eau) (lpkServerGroup: unix)
-+ | titi ,toto |
-+ | userx,.... | server5 (uid: eau) (lpkServerGroup: mail)
-+ \___________/ \ /
-+ ----- - server4 (uid: eau, rival) (no group configured)
-+ \
-+ etc...
-+
-+- WHAT WE NEED :
-+
-+ * configured LDAP server somewhere on the network (i.e. OpenLDAP)
-+ * patched sshd (with this patch ;)
-+ * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
-+ User entry:
-+ - attached to the 'ldapPublicKey' objectclass
-+ - attached to the 'posixAccount' objectclass
-+ - with a filled 'sshPublicKey' attribute
-+ Example:
-+ dn: uid=eau,ou=users,dc=cuckoos,dc=net
-+ objectclass: top
-+ objectclass: person
-+ objectclass: organizationalPerson
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ description: Eric AUGE Account
-+ userPassword: blah
-+ cn: Eric AUGE
-+ sn: Eric AUGE
-+ uid: eau
-+ uidNumber: 1034
-+ gidNumber: 1
-+ homeDirectory: /export/home/eau
-+ sshPublicKey: ssh-dss AAAAB3...
-+ sshPublicKey: ssh-dss AAAAM5...
-+
-+ Group entry:
-+ - attached to the 'posixGroup' objectclass
-+ - with a 'cn' groupname attribute
-+ - with multiple 'memberUid' attributes filled with usernames allowed in this group
-+ Example:
-+ # few members
-+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
-+ objectclass: top
-+ objectclass: posixGroup
-+ description: Unix based servers group
-+ cn: unix
-+ gidNumber: 1002
-+ memberUid: eau
-+ memberUid: user1
-+ memberUid: user2
-+
-+
-+- HOW IT WORKS :
-+
-+ * without patch
-+ If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
-+ and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
-+
-+ * with the patch
-+ If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
-+ It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem.
-+ (usually in $HOME/.ssh/authorized_keys)
-+
-+ If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into.
-+ If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled).
-+
-+ 7 tokens are added to sshd_config :
-+ # here is the new patched ldap related tokens
-+ # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup
-+ UseLPK yes # look the pub key into LDAP
-+ LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3 # which LDAP server for users ? (URL format)
-+ LpkUserDN ou=users,dc=foobar,dc=net # which base DN for users ?
-+ LpkGroupDN ou=groups,dc=foobar,dc=net # which base DN for groups ?
-+ LpkBindDN cn=manager,dc=foobar,dc=net # which bind DN ?
-+ LpkBindPw asecret # bind DN credidentials
-+ LpkServerGroup agroupname # the group the server is part of
-+
-+ Right now i'm using anonymous binding to get public keys, because getting public keys of someone doesn't impersonate him¸ but there is some
-+ flaws you have to take care of.
-+
-+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
-+
-+ * my way (there is plenty :)
-+ - create ldif file (i.e. users.ldif)
-+ - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
-+ - my way in 4 steps :
-+ Example:
-+
-+ # you add this to the user entry in the LDIF file :
-+ [...]
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ [...]
-+ sshPubliKey: ssh-dss AAAABDh12DDUR2...
-+ [...]
-+
-+ # insert your entry and you're done :)
-+ ldapadd -D balblabla -w bleh < file.ldif
-+
-+ all standard options can be present in the 'sshPublicKey' attribute.
-+
-+- WHY :
-+
-+ Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP
-+ as authentication method (like pam_ldap etc..).
-+
-+ After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get
-+ public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
-+ objectclass within LDAP and part of the group the SSH server is in).
-+
-+ Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase
-+ so each user can change it as much as he wants).
-+
-+ Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
-+
-+- RULES :
-+ Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema.
-+ and the additionnal lpk.schema.
-+
-+ This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication
-+ (pamldap, nss_ldap, etc..).
-+
-+ This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
-+
-+ Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
-+ 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
-+ If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
-+ to log in 'server5' (i hope you got the idea, my english is bad :).
-+
-+ Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
-+ server.
-+ When you want to allow a new user to have access to the server parc, you just add him an account on
-+ your servers, you add his public key into his entry on the LDAP server, it's done.
-+
-+ Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
-+
-+ When the user needs to change his passphrase he can do it directly from his workstation by changing
-+ his own key set lock passphrase, and all servers are automatically aware.
-+
-+ With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
-+ so he can add/modify/delete himself his public key when needed.
-+
-+­ FLAWS :
-+ LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
-+ allow write to users dn, somebody could replace someuser's public key by its own and impersonate some
-+ of your users in all your server farm be VERY CAREFUL.
-+
-+ MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
-+ as the impersonnated user.
-+
-+ If LDAP server is down then, fallback on passwd auth.
-+
-+ the ldap code part has not been well audited yet.
-+
-+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
-+ --- CUT HERE ---
-+ dn: uid=jdoe,ou=users,dc=foobar,dc=net
-+ objectclass: top
-+ objectclass: person
-+ objectclass: organizationalPerson
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ description: My account
-+ cn: John Doe
-+ sn: John Doe
-+ uid: jdoe
-+ uidNumber: 100
-+ gidNumber: 100
-+ homeDirectory: /home/jdoe
-+ sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
-+ [...]
-+ --- CUT HERE ---
-+
-+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
-+ --- CUT HERE ---
-+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
-+ objectclass: top
-+ objectclass: posixGroup
-+ description: Unix based servers group
-+ cn: unix
-+ gidNumber: 1002
-+ memberUid: jdoe
-+ memberUid: user1
-+ memberUid: user2
-+ [...]
-+ --- CUT HERE ---
-+
-+>> FYI: <<
-+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
-+
-+- COMPILING:
-+ 1. Apply the patch
-+ 2. ./configure --with-your-options --with-ldap=/prefix/to/ldap_libs_and_includes
-+ 3. make
-+ 4. it's done.
-+
-+- BLA :
-+ I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome.
-+
-+- TODO :
-+ Redesign differently.
-+
-+- DOCS/LINK :
-+ http://pacsec.jp/core05/psj05-barisani-en.pdf
-+ http://fritz.potsdam.edu/projects/openssh-lpk/
-+ http://fritz.potsdam.edu/projects/sshgate/
-+ http://dev.inversepath.com/trac/openssh-lpk
-+ http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
-+
-+- CONTRIBUTORS/IDEAS/GREETS :
-+ - Falk Siemonsmeier.
-+ - Jacob Rief.
-+ - Michael Durchgraf.
-+ - frederic peters.
-+ - Finlay dobbie.
-+ - Stefan Fisher.
-+ - Robin H. Johnson.
-+ - Adrian Bridgett.
-+
-+- CONTACT :
-+ - Eric AUGE <eau@phear.org>
-+ - Andrea Barisani <andrea@inversepath.com>
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/auth-rsa.c ./auth-rsa.c
---- ../openssh-5.8p2-orig/auth-rsa.c 2011-10-03 16:53:52.329344087 +0400
-+++ ./auth-rsa.c 2011-10-03 16:54:04.020347508 +0400
-@@ -174,10 +174,96 @@
- FILE *f;
- u_long linenum = 0;
- Key *key;
-+#ifdef WITH_LDAP_PUBKEY
-+ ldap_key_t * k;
-+ unsigned int i = 0;
-+#endif
-
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-
-+#ifdef WITH_LDAP_PUBKEY
-+ /* here is the job */
-+ key = key_new(KEY_RSA1);
-+
-+ if (options.lpk.on) {
-+ debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
-+ if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
-+ if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
-+ for (i = 0 ; i < k->num ; i++) {
-+ char *cp, *options = NULL;
-+
-+ for (cp = k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (!*cp || *cp == '\n' || *cp == '#')
-+ continue;
-+
-+ /*
-+ * Check if there are options for this key, and if so,
-+ * save their starting address and skip the option part
-+ * for now. If there are no options, set the starting
-+ * address to NULL.
-+ */
-+ if (*cp < '0' || *cp > '9') {
-+ int quoted = 0;
-+ options = cp;
-+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-+ if (*cp == '\\' && cp[1] == '"')
-+ cp++; /* Skip both */
-+ else if (*cp == '"')
-+ quoted = !quoted;
-+ }
-+ } else
-+ options = NULL;
-+
-+ /* Parse the key from the line. */
-+ if (hostfile_read_key(&cp, &bits, key) == 0) {
-+ debug("[LDAP] line %d: non ssh1 key syntax", i);
-+ continue;
-+ }
-+ /* cp now points to the comment part. */
-+
-+ /* Check if the we have found the desired key (identified by its modulus). */
-+ if (BN_cmp(key->rsa->n, client_n) != 0)
-+ continue;
-+
-+ /* check the real bits */
-+ if (bits != (unsigned int)BN_num_bits(key->rsa->n))
-+ logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
-+ "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);
-+
-+ /* We have found the desired key. */
-+ /*
-+ * If our options do not allow this key to be used,
-+ * do not send challenge.
-+ */
-+ if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i))
-+ continue;
-+
-+ /* break out, this key is allowed */
-+ allowed = 1;
-+
-+ /* add the return stuff etc... */
-+ /* Restore the privileged uid. */
-+ restore_uid();
-+
-+ /* return key if allowed */
-+ if (allowed && rkey != NULL)
-+ *rkey = key;
-+ else
-+ key_free(key);
-+
-+ ldap_keys_free(k);
-+ return (allowed);
-+ }
-+ } else {
-+ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
-+ }
-+ } else {
-+ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
-+ }
-+ }
-+#endif
- /* The authorized keys. */
- file = authorized_keys_file(pw);
- debug("trying public RSA key file %s", file);
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/auth2-pubkey.c ./auth2-pubkey.c
---- ../openssh-5.8p2-orig/auth2-pubkey.c 2011-10-03 16:53:52.304343933 +0400
-+++ ./auth2-pubkey.c 2011-10-03 16:54:04.023341687 +0400
-@@ -59,6 +59,10 @@
- #include "authfile.h"
- #include "match.h"
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- /* import */
- extern ServerOptions options;
- extern u_char *session_id2;
-@@ -265,10 +269,79 @@
- u_long linenum = 0;
- Key *found;
- char *fp;
-+#ifdef WITH_LDAP_PUBKEY
-+ ldap_key_t * k;
-+ unsigned int i = 0;
-+#endif
-
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-
-+#ifdef WITH_LDAP_PUBKEY
-+ found_key = 0;
-+ /* allocate a new key type */
-+ found = key_new(key->type);
-+
-+ /* first check if the options is enabled, then try.. */
-+ if (options.lpk.on) {
-+ debug("[LDAP] trying LDAP first uid=%s",pw->pw_name);
-+ if (ldap_ismember(&options.lpk, pw->pw_name) > 0) {
-+ if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
-+ /* Skip leading whitespace, empty and comment lines. */
-+ for (i = 0 ; i < k->num ; i++) {
-+ /* dont forget if multiple keys to reset options */
-+ char *cp, *options = NULL;
-+
-+ for (cp = (char *)k->keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (!*cp || *cp == '\n' || *cp == '#')
-+ continue;
-+
-+ if (key_read(found, &cp) != 1) {
-+ /* no key? check if there are options for this key */
-+ int quoted = 0;
-+ debug2("[LDAP] user_key_allowed: check options: '%s'", cp);
-+ options = cp;
-+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-+ if (*cp == '\\' && cp[1] == '"')
-+ cp++; /* Skip both */
-+ else if (*cp == '"')
-+ quoted = !quoted;
-+ }
-+ /* Skip remaining whitespace. */
-+ for (; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (key_read(found, &cp) != 1) {
-+ debug2("[LDAP] user_key_allowed: advance: '%s'", cp);
-+ /* still no key? advance to next line*/
-+ continue;
-+ }
-+ }
-+
-+ if (key_equal(found, key) &&
-+ auth_parse_options(pw, options, file, linenum) == 1) {
-+ found_key = 1;
-+ debug("[LDAP] matching key found");
-+ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-+ verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
-+
-+ /* restoring memory */
-+ ldap_keys_free(k);
-+ xfree(fp);
-+ restore_uid();
-+ key_free(found);
-+ return found_key;
-+ break;
-+ }
-+ }/* end of LDAP for() */
-+ } else {
-+ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
-+ }
-+ } else {
-+ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
-+ }
-+ }
-+#endif
- debug("trying public key file %s", file);
- f = auth_openkeyfile(file, pw, options.strict_modes);
-
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/config.h.in ./config.h.in
---- ../openssh-5.8p2-orig/config.h.in 2011-10-03 16:53:52.297346449 +0400
-+++ ./config.h.in 2011-10-03 16:54:04.026338066 +0400
-@@ -596,6 +596,9 @@
- /* Define to 1 if you have the <linux/if_tun.h> header file. */
- #undef HAVE_LINUX_IF_TUN_H
-
-+/* Define if you want LDAP support */
-+#undef WITH_LDAP_PUBKEY
-+
- /* Define if your libraries define login() */
- #undef HAVE_LOGIN
-
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/configure ./configure
---- ../openssh-5.8p2-orig/configure 2011-10-03 16:53:52.324344816 +0400
-+++ ./configure 2011-10-03 16:54:04.049342888 +0400
-@@ -1337,6 +1337,7 @@
- --without-rpath Disable auto-added -R linker paths
- --with-cflags Specify additional flags to pass to compiler
- --with-cppflags Specify additional flags to pass to preprocessor
-+ --with-ldap[=PATH] Enable LDAP pubkey support (optionally in PATH)
- --with-ldflags Specify additional flags to pass to linker
- --with-libs Specify additional libraries to link with
- --with-Werror Build main code with -Werror
-@@ -12197,6 +12198,85 @@
- fi
-
-
-+# Check whether user wants LDAP support
-+LDAP_MSG="no"
-+
-+# Check whether --with-ldap was given.
-+if test "${with_ldap+set}" = set; then
-+ withval=$with_ldap;
-+ if test "x$withval" != "xno" ; then
-+
-+ if test "x$withval" != "xyes" ; then
-+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
-+ LDFLAGS="$LDFLAGS -L${withval}/lib"
-+ fi
-+
-+
-+cat >>confdefs.h <<\_ACEOF
-+#define WITH_LDAP_PUBKEY 1
-+_ACEOF
-+
-+ LIBS="-lldap $LIBS"
-+ LDAP_MSG="yes"
-+
-+ { echo "$as_me:$LINENO: checking for LDAP support" >&5
-+echo $ECHO_N "checking for LDAP support... $ECHO_C" >&6; }
-+ cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h. */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h. */
-+#include <sys/types.h>
-+ #include <ldap.h>
-+int
-+main ()
-+{
-+(void)ldap_init(0, 0);
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext
-+if { (ac_try="$ac_compile"
-+case "(($ac_try" in
-+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-+ *) ac_try_echo=$ac_try;;
-+esac
-+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-+ (eval "$ac_compile") 2>conftest.er1
-+ ac_status=$?
-+ grep -v '^ *+' conftest.er1 >conftest.err
-+ rm -f conftest.er1
-+ cat conftest.err >&5
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); } && {
-+ test -z "$ac_c_werror_flag" ||
-+ test ! -s conftest.err
-+ } && test -s conftest.$ac_objext; then
-+ { echo "$as_me:$LINENO: result: yes" >&5
-+echo "${ECHO_T}yes" >&6; }
-+else
-+ echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+
-+ { echo "$as_me:$LINENO: result: no" >&5
-+echo "${ECHO_T}no" >&6; }
-+ { { echo "$as_me:$LINENO: error: ** Incomplete or missing ldap libraries **" >&5
-+echo "$as_me: error: ** Incomplete or missing ldap libraries **" >&2;}
-+ { (exit 1); exit 1; }; }
-+
-+
-+fi
-+
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+ fi
-+
-+
-+fi
-+
-+
-
-
-
-@@ -31973,6 +32053,7 @@
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
-+echo " LDAP support: $LDAP_MSG"
- echo " MD5 password support: $MD5_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " Solaris process contract support: $SPC_MSG"
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/configure.ac ./configure.ac
---- ../openssh-5.8p2-orig/configure.ac 2011-10-03 16:53:52.291342253 +0400
-+++ ./configure.ac 2011-10-03 16:54:04.056338012 +0400
-@@ -1422,6 +1422,37 @@
- esac ]
- )
-
-+# Check whether user wants LDAP support
-+LDAP_MSG="no"
-+AC_ARG_WITH(ldap,
-+ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
-+ [
-+ if test "x$withval" != "xno" ; then
-+
-+ if test "x$withval" != "xyes" ; then
-+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
-+ LDFLAGS="$LDFLAGS -L${withval}/lib"
-+ fi
-+
-+ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
-+ LIBS="-lldap $LIBS"
-+ LDAP_MSG="yes"
-+
-+ AC_MSG_CHECKING([for LDAP support])
-+ AC_TRY_COMPILE(
-+ [#include <sys/types.h>
-+ #include <ldap.h>],
-+ [(void)ldap_init(0, 0);],
-+ [AC_MSG_RESULT(yes)],
-+ [
-+ AC_MSG_RESULT(no)
-+ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
-+ ]
-+ )
-+ fi
-+ ]
-+)
-+
- dnl Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS( \
- arc4random \
-@@ -4319,6 +4350,7 @@
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
-+echo " LDAP support: $LDAP_MSG"
- echo " MD5 password support: $MD5_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " Solaris process contract support: $SPC_MSG"
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/ldapauth.c ./ldapauth.c
---- ../openssh-5.8p2-orig/ldapauth.c 1970-01-01 03:00:00.000000000 +0300
-+++ ./ldapauth.c 2011-10-03 16:54:04.072343230 +0400
-@@ -0,0 +1,575 @@
-+/*
-+ * $Id: openssh-lpk-4.3p1-0.3.7.patch,v 1.3 2006/04/18 15:29:09 eau Exp $
-+ */
-+
-+/*
-+ *
-+ * Copyright (c) 2005, Eric AUGE <eau@phear.org>
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-+ *
-+ * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-+ * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-+ * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
-+ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ *
-+ */
-+
-+#include "includes.h"
-+
-+#ifdef WITH_LDAP_PUBKEY
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <string.h>
-+
-+#include "ldapauth.h"
-+#include "log.h"
-+
-+static char *attrs[] = {
-+ PUBKEYATTR,
-+ NULL
-+};
-+
-+/* filter building infos */
-+#define FILTER_GROUP_PREFIX "(&(objectclass=posixGroup)"
-+#define FILTER_OR_PREFIX "(|"
-+#define FILTER_OR_SUFFIX ")"
-+#define FILTER_CN_PREFIX "(cn="
-+#define FILTER_CN_SUFFIX ")"
-+#define FILTER_UID_FORMAT "(memberUid=%s)"
-+#define FILTER_GROUP_SUFFIX ")"
-+#define FILTER_GROUP_SIZE(group) (size_t) (strlen(group)+(ldap_count_group(group)*5)+52)
-+
-+/* just filter building stuff */
-+#define REQUEST_GROUP_SIZE(filter, uid) (size_t) (strlen(filter)+strlen(uid)+1)
-+#define REQUEST_GROUP(buffer, prefilter, pwname) \
-+ buffer = (char *) calloc(REQUEST_GROUP_SIZE(prefilter, pwname), sizeof(char)); \
-+ if (!buffer) { \
-+ perror("calloc()"); \
-+ return FAILURE; \
-+ } \
-+ snprintf(buffer, REQUEST_GROUP_SIZE(prefilter,pwname), prefilter, pwname)
-+/*
-+XXX OLD group building macros
-+#define REQUEST_GROUP_SIZE(grp, uid) (size_t) (strlen(grp)+strlen(uid)+46)
-+#define REQUEST_GROUP(buffer,pwname,grp) \
-+ buffer = (char *) calloc(REQUEST_GROUP_SIZE(grp, pwname), sizeof(char)); \
-+ if (!buffer) { \
-+ perror("calloc()"); \
-+ return FAILURE; \
-+ } \
-+ snprintf(buffer,REQUEST_GROUP_SIZE(grp,pwname),"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",grp,pwname)
-+ */
-+
-+/*
-+XXX stock upstream version without extra filter support
-+#define REQUEST_USER_SIZE(uid) (size_t) (strlen(uid)+64)
-+#define REQUEST_USER(buffer, pwname) \
-+ buffer = (char *) calloc(REQUEST_USER_SIZE(pwname), sizeof(char)); \
-+ if (!buffer) { \
-+ perror("calloc()"); \
-+ return NULL; \
-+ } \
-+ snprintf(buffer,REQUEST_USER_SIZE(pwname),"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))",pwname)
-+ */
-+
-+#define REQUEST_USER_SIZE(uid, filter) (size_t) (strlen(uid)+64+(filter != NULL ? strlen(filter) : 0))
-+#define REQUEST_USER(buffer, pwname, customfilter) \
-+ buffer = (char *) calloc(REQUEST_USER_SIZE(pwname, customfilter), sizeof(char)); \
-+ if (!buffer) { \
-+ perror("calloc()"); \
-+ return NULL; \
-+ } \
-+ snprintf(buffer, REQUEST_USER_SIZE(pwname, customfilter), \
-+ "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)", \
-+ pwname, (customfilter != NULL ? customfilter : ""))
-+
-+/* some portable and working tokenizer, lame though */
-+static int tokenize(char ** o, size_t size, char * input) {
-+ unsigned int i = 0, num;
-+ const char * charset = " \t";
-+ char * ptr = input;
-+
-+ /* leading white spaces are ignored */
-+ num = strspn(ptr, charset);
-+ ptr += num;
-+
-+ while ((num = strcspn(ptr, charset))) {
-+ if (i < size-1) {
-+ o[i++] = ptr;
-+ ptr += num;
-+ if (*ptr)
-+ *ptr++ = '\0';
-+ }
-+ }
-+ o[i] = NULL;
-+ return SUCCESS;
-+}
-+
-+void ldap_close(ldap_opt_t * ldap) {
-+
-+ if (!ldap)
-+ return;
-+
-+ if ( ldap_unbind_ext(ldap->ld, NULL, NULL) < 0)
-+ ldap_perror(ldap->ld, "ldap_unbind()");
-+
-+ ldap->ld = NULL;
-+ FLAG_SET_DISCONNECTED(ldap->flags);
-+
-+ return;
-+}
-+
-+/* init && bind */
-+int ldap_connect(ldap_opt_t * ldap) {
-+ int version = LDAP_VERSION3;
-+
-+ if (!ldap->servers)
-+ return FAILURE;
-+
-+ /* Connection Init and setup */
-+ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
-+ if (!ldap->ld) {
-+ ldap_perror(ldap->ld, "ldap_init()");
-+ return FAILURE;
-+ }
-+
-+ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION)");
-+ return FAILURE;
-+ }
-+
-+ /* Timeouts setup */
-+ if (ldap_set_option(ldap->ld, LDAP_OPT_NETWORK_TIMEOUT, &ldap->b_timeout) != LDAP_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT)");
-+ }
-+ if (ldap_set_option(ldap->ld, LDAP_OPT_TIMEOUT, &ldap->s_timeout) != LDAP_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_TIMEOUT)");
-+ }
-+
-+ /* TLS support */
-+ if ( (ldap->tls == -1) || (ldap->tls == 1) ) {
-+ if (ldap_start_tls_s(ldap->ld, NULL, NULL ) != LDAP_SUCCESS) {
-+ /* failed then reinit the initial connect */
-+ ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()");
-+ if (ldap->tls == 1)
-+ return FAILURE;
-+
-+ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
-+ if (!ldap->ld) {
-+ ldap_perror(ldap->ld, "ldap_init()");
-+ return FAILURE;
-+ }
-+
-+ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option()");
-+ return FAILURE;
-+ }
-+ }
-+ }
-+
-+
-+ if ( ldap_simple_bind_s(ldap->ld, ldap->binddn, ldap->bindpw) != LDAP_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_simple_bind_s()");
-+ return FAILURE;
-+ }
-+
-+ /* says it is connected */
-+ FLAG_SET_CONNECTED(ldap->flags);
-+
-+ return SUCCESS;
-+}
-+
-+/* must free allocated ressource */
-+static char * ldap_build_host(char *host, int port) {
-+ unsigned int size = strlen(host)+11;
-+ char * h = (char *) calloc (size, sizeof(char));
-+ int rc;
-+ if (!h)
-+ return NULL;
-+
-+ rc = snprintf(h, size, "%s:%d ", host, port);
-+ if (rc == -1)
-+ return NULL;
-+ return h;
-+}
-+
-+static int ldap_count_group(const char * input) {
-+ const char * charset = " \t";
-+ const char * ptr = input;
-+ unsigned int count = 0;
-+ unsigned int num;
-+
-+ num = strspn(ptr, charset);
-+ ptr += num;
-+
-+ while ((num = strcspn(ptr, charset))) {
-+ count++;
-+ ptr += num;
-+ ptr++;
-+ }
-+
-+ return count;
-+}
-+
-+/* format filter */
-+char * ldap_parse_groups(const char * groups) {
-+ unsigned int buffer_size = FILTER_GROUP_SIZE(groups);
-+ char * buffer = (char *) calloc(buffer_size, sizeof(char));
-+ char * g = NULL;
-+ char * garray[32];
-+ unsigned int i = 0;
-+
-+ if ((!groups)||(!buffer))
-+ return NULL;
-+
-+ g = strdup(groups);
-+ if (!g) {
-+ free(buffer);
-+ return NULL;
-+ }
-+
-+ /* first separate into n tokens */
-+ if ( tokenize(garray, sizeof(garray)/sizeof(*garray), g) < 0) {
-+ free(g);
-+ free(buffer);
-+ return NULL;
-+ }
-+
-+ /* build the final filter format */
-+ strlcat(buffer, FILTER_GROUP_PREFIX, buffer_size);
-+ strlcat(buffer, FILTER_OR_PREFIX, buffer_size);
-+ i = 0;
-+ while (garray[i]) {
-+ strlcat(buffer, FILTER_CN_PREFIX, buffer_size);
-+ strlcat(buffer, garray[i], buffer_size);
-+ strlcat(buffer, FILTER_CN_SUFFIX, buffer_size);
-+ i++;
-+ }
-+ strlcat(buffer, FILTER_OR_SUFFIX, buffer_size);
-+ strlcat(buffer, FILTER_UID_FORMAT, buffer_size);
-+ strlcat(buffer, FILTER_GROUP_SUFFIX, buffer_size);
-+
-+ free(g);
-+ return buffer;
-+}
-+
-+/* a bit dirty but leak free */
-+char * ldap_parse_servers(const char * servers) {
-+ char * s = NULL;
-+ char * tmp = NULL, *urls[32];
-+ unsigned int num = 0 , i = 0 , asize = 0;
-+ LDAPURLDesc *urld[32];
-+
-+ if (!servers)
-+ return NULL;
-+
-+ /* local copy of the arg */
-+ s = strdup(servers);
-+ if (!s)
-+ return NULL;
-+
-+ /* first separate into URL tokens */
-+ if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0)
-+ return NULL;
-+
-+ i = 0;
-+ while (urls[i]) {
-+ if (! ldap_is_ldap_url(urls[i]) ||
-+ (ldap_url_parse(urls[i], &urld[i]) != 0)) {
-+ return NULL;
-+ }
-+ i++;
-+ }
-+
-+ /* now free(s) */
-+ free (s);
-+
-+ /* how much memory do we need */
-+ num = i;
-+ for (i = 0 ; i < num ; i++)
-+ asize += strlen(urld[i]->lud_host)+11;
-+
-+ /* alloc */
-+ s = (char *) calloc( asize+1 , sizeof(char));
-+ if (!s) {
-+ for (i = 0 ; i < num ; i++)
-+ ldap_free_urldesc(urld[i]);
-+ return NULL;
-+ }
-+
-+ /* then build the final host string */
-+ for (i = 0 ; i < num ; i++) {
-+ /* built host part */
-+ tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port);
-+ strncat(s, tmp, strlen(tmp));
-+ ldap_free_urldesc(urld[i]);
-+ free(tmp);
-+ }
-+
-+ return s;
-+}
-+
-+void ldap_options_print(ldap_opt_t * ldap) {
-+ debug("ldap options:");
-+ debug("servers: %s", ldap->servers);
-+ if (ldap->u_basedn)
-+ debug("user basedn: %s", ldap->u_basedn);
-+ if (ldap->g_basedn)
-+ debug("group basedn: %s", ldap->g_basedn);
-+ if (ldap->binddn)
-+ debug("binddn: %s", ldap->binddn);
-+ if (ldap->bindpw)
-+ debug("bindpw: %s", ldap->bindpw);
-+ if (ldap->sgroup)
-+ debug("group: %s", ldap->sgroup);
-+ if (ldap->filter)
-+ debug("filter: %s", ldap->filter);
-+}
-+
-+void ldap_options_free(ldap_opt_t * l) {
-+ if (!l)
-+ return;
-+ if (l->servers)
-+ free(l->servers);
-+ if (l->u_basedn)
-+ free(l->u_basedn);
-+ if (l->g_basedn)
-+ free(l->g_basedn);
-+ if (l->binddn)
-+ free(l->binddn);
-+ if (l->bindpw)
-+ free(l->bindpw);
-+ if (l->sgroup)
-+ free(l->sgroup);
-+ if (l->fgroup)
-+ free(l->fgroup);
-+ if (l->filter)
-+ free(l->filter);
-+ if (l->l_conf)
-+ free(l->l_conf);
-+ free(l);
-+}
-+
-+/* free keys */
-+void ldap_keys_free(ldap_key_t * k) {
-+ ldap_value_free_len(k->keys);
-+ free(k);
-+ return;
-+}
-+
-+ldap_key_t * ldap_getuserkey(ldap_opt_t *l, const char * user) {
-+ ldap_key_t * k = (ldap_key_t *) calloc (1, sizeof(ldap_key_t));
-+ LDAPMessage *res, *e;
-+ char * filter;
-+ int i;
-+
-+ if ((!k) || (!l))
-+ return NULL;
-+
-+ /* Am i still connected ? RETRY n times */
-+ /* XXX TODO: setup some conf value for retrying */
-+ if (!(l->flags & FLAG_CONNECTED))
-+ for (i = 0 ; i < 2 ; i++)
-+ if (ldap_connect(l) == 0)
-+ break;
-+
-+ /* quick check for attempts to be evil */
-+ if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
-+ (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL))
-+ return NULL;
-+
-+ /* build filter for LDAP request */
-+ REQUEST_USER(filter, user, l->filter);
-+
-+ if ( ldap_search_st( l->ld,
-+ l->u_basedn,
-+ LDAP_SCOPE_SUBTREE,
-+ filter,
-+ attrs, 0, &l->s_timeout, &res ) != LDAP_SUCCESS) {
-+
-+ ldap_perror(l->ld, "ldap_search_st()");
-+
-+ free(filter);
-+ free(k);
-+
-+ /* XXX error on search, timeout etc.. close ask for reconnect */
-+ ldap_close(l);
-+
-+ return NULL;
-+ }
-+
-+ /* free */
-+ free(filter);
-+
-+ /* check if any results */
-+ i = ldap_count_entries(l->ld,res);
-+ if (i <= 0) {
-+ ldap_msgfree(res);
-+ free(k);
-+ return NULL;
-+ }
-+
-+ if (i > 1)
-+ debug("[LDAP] duplicate entries, using the FIRST entry returned");
-+
-+ e = ldap_first_entry(l->ld, res);
-+ k->keys = ldap_get_values_len(l->ld, e, PUBKEYATTR);
-+ k->num = ldap_count_values_len(k->keys);
-+
-+ ldap_msgfree(res);
-+ return k;
-+}
-+
-+
-+/* -1 if trouble
-+ 0 if user is NOT member of current server group
-+ 1 if user IS MEMBER of current server group
-+ */
-+int ldap_ismember(ldap_opt_t * l, const char * user) {
-+ LDAPMessage *res;
-+ char * filter;
-+ int i;
-+
-+ if ((!l->sgroup) || !(l->g_basedn))
-+ return 1;
-+
-+ /* Am i still connected ? RETRY n times */
-+ /* XXX TODO: setup some conf value for retrying */
-+ if (!(l->flags & FLAG_CONNECTED))
-+ for (i = 0 ; i < 2 ; i++)
-+ if (ldap_connect(l) == 0)
-+ break;
-+
-+ /* quick check for attempts to be evil */
-+ if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
-+ (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL))
-+ return FAILURE;
-+
-+ /* build filter for LDAP request */
-+ REQUEST_GROUP(filter, l->fgroup, user);
-+
-+ if (ldap_search_st( l->ld,
-+ l->g_basedn,
-+ LDAP_SCOPE_SUBTREE,
-+ filter,
-+ NULL, 0, &l->s_timeout, &res) != LDAP_SUCCESS) {
-+
-+ ldap_perror(l->ld, "ldap_search_st()");
-+
-+ free(filter);
-+
-+ /* XXX error on search, timeout etc.. close ask for reconnect */
-+ ldap_close(l);
-+
-+ return FAILURE;
-+ }
-+
-+ free(filter);
-+
-+ /* check if any results */
-+ if (ldap_count_entries(l->ld, res) > 0) {
-+ ldap_msgfree(res);
-+ return 1;
-+ }
-+
-+ ldap_msgfree(res);
-+ return 0;
-+}
-+
-+/*
-+ * ldap.conf simple parser
-+ * XXX TODO: sanity checks
-+ * must either
-+ * - free the previous ldap_opt_before replacing entries
-+ * - free each necessary previously parsed elements
-+ * ret:
-+ * -1 on FAILURE, 0 on SUCCESS
-+ */
-+int ldap_parse_lconf(ldap_opt_t * l) {
-+ FILE * lcd; /* ldap.conf descriptor */
-+ char buf[BUFSIZ];
-+ char * s = NULL, * k = NULL, * v = NULL;
-+ int li, len;
-+
-+ lcd = fopen (l->l_conf, "r");
-+ if (lcd == NULL) {
-+ /* debug("Cannot open %s", l->l_conf); */
-+ perror("ldap_parse_lconf()");
-+ return FAILURE;
-+ }
-+
-+ while (fgets (buf, sizeof (buf), lcd) != NULL) {
-+
-+ if (*buf == '\n' || *buf == '#')
-+ continue;
-+
-+ k = buf;
-+ v = k;
-+ while (*v != '\0' && *v != ' ' && *v != '\t')
-+ v++;
-+
-+ if (*v == '\0')
-+ continue;
-+
-+ *(v++) = '\0';
-+
-+ while (*v == ' ' || *v == '\t')
-+ v++;
-+
-+ li = strlen (v) - 1;
-+ while (v[li] == ' ' || v[li] == '\t' || v[li] == '\n')
-+ --li;
-+ v[li + 1] = '\0';
-+
-+ if (!strcasecmp (k, "uri")) {
-+ if ((l->servers = ldap_parse_servers(v)) == NULL) {
-+ fatal("error in ldap servers");
-+ return FAILURE;
-+ }
-+
-+ }
-+ else if (!strcasecmp (k, "base")) {
-+ s = strchr (v, '?');
-+ if (s != NULL) {
-+ len = s - v;
-+ l->u_basedn = malloc (len + 1);
-+ strncpy (l->u_basedn, v, len);
-+ l->u_basedn[len] = '\0';
-+ } else {
-+ l->u_basedn = strdup (v);
-+ }
-+ }
-+ else if (!strcasecmp (k, "binddn")) {
-+ l->binddn = strdup (v);
-+ }
-+ else if (!strcasecmp (k, "bindpw")) {
-+ l->bindpw = strdup (v);
-+ }
-+ else if (!strcasecmp (k, "timelimit")) {
-+ l->s_timeout.tv_sec = atoi (v);
-+ }
-+ else if (!strcasecmp (k, "bind_timelimit")) {
-+ l->b_timeout.tv_sec = atoi (v);
-+ }
-+ else if (!strcasecmp (k, "ssl")) {
-+ if (!strcasecmp (v, "start_tls"))
-+ l->tls = 1;
-+ }
-+ }
-+
-+ fclose (lcd);
-+ return SUCCESS;
-+}
-+
-+#endif /* WITH_LDAP_PUBKEY */
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/ldapauth.h ./ldapauth.h
---- ../openssh-5.8p2-orig/ldapauth.h 1970-01-01 03:00:00.000000000 +0300
-+++ ./ldapauth.h 2011-10-03 16:54:04.076341855 +0400
-@@ -0,0 +1,124 @@
-+/*
-+ * $Id: openssh-lpk-4.3p1-0.3.7.patch,v 1.3 2006/04/18 15:29:09 eau Exp $
-+ */
-+
-+/*
-+ *
-+ * Copyright (c) 2005, Eric AUGE <eau@phear.org>
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-+ *
-+ * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-+ * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-+ * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
-+ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ *
-+ */
-+
-+#ifndef LDAPAUTH_H
-+#define LDAPAUTH_H
-+
-+#define LDAP_DEPRECATED 1
-+
-+#include <string.h>
-+#include <time.h>
-+#include <ldap.h>
-+#include <lber.h>
-+
-+/* tokens in use for config */
-+#define _DEFAULT_LPK_TOKEN "UseLPK"
-+#define _DEFAULT_SRV_TOKEN "LpkServers"
-+#define _DEFAULT_USR_TOKEN "LpkUserDN"
-+#define _DEFAULT_GRP_TOKEN "LpkGroupDN"
-+#define _DEFAULT_BDN_TOKEN "LpkBindDN"
-+#define _DEFAULT_BPW_TOKEN "LpkBindPw"
-+#define _DEFAULT_MYG_TOKEN "LpkServerGroup"
-+#define _DEFAULT_FIL_TOKEN "LpkFilter"
-+#define _DEFAULT_TLS_TOKEN "LpkForceTLS"
-+#define _DEFAULT_BTI_TOKEN "LpkBindTimelimit"
-+#define _DEFAULT_STI_TOKEN "LpkSearchTimelimit"
-+#define _DEFAULT_LDP_TOKEN "LpkLdapConf"
-+
-+/* default options */
-+#define _DEFAULT_LPK_ON 0
-+#define _DEFAULT_LPK_SERVERS NULL
-+#define _DEFAULT_LPK_UDN NULL
-+#define _DEFAULT_LPK_GDN NULL
-+#define _DEFAULT_LPK_BINDDN NULL
-+#define _DEFAULT_LPK_BINDPW NULL
-+#define _DEFAULT_LPK_SGROUP NULL
-+#define _DEFAULT_LPK_FILTER NULL
-+#define _DEFAULT_LPK_TLS -1
-+#define _DEFAULT_LPK_BTIMEOUT 10
-+#define _DEFAULT_LPK_STIMEOUT 10
-+#define _DEFAULT_LPK_LDP NULL
-+
-+/* flags */
-+#define FLAG_EMPTY 0x00000000
-+#define FLAG_CONNECTED 0x00000001
-+
-+/* flag macros */
-+#define FLAG_SET_EMPTY(x) x&=(FLAG_EMPTY)
-+#define FLAG_SET_CONNECTED(x) x|=(FLAG_CONNECTED)
-+#define FLAG_SET_DISCONNECTED(x) x&=~(FLAG_CONNECTED)
-+
-+/* defines */
-+#define FAILURE -1
-+#define SUCCESS 0
-+#define PUBKEYATTR "sshPublicKey"
-+
-+/*
-+ *
-+ * defined files path
-+ * (should be relocated to pathnames.h,
-+ * if one day it's included within the tree)
-+ *
-+ */
-+#define _PATH_LDAP_CONFIG_FILE "/etc/ldap.conf"
-+
-+/* structures */
-+typedef struct ldap_options {
-+ int on; /* Use it or NOT */
-+ LDAP * ld; /* LDAP file desc */
-+ char * servers; /* parsed servers for ldaplib failover handling */
-+ char * u_basedn; /* user basedn */
-+ char * g_basedn; /* group basedn */
-+ char * binddn; /* binddn */
-+ char * bindpw; /* bind password */
-+ char * sgroup; /* server group */
-+ char * fgroup; /* group filter */
-+ char * filter; /* additional filter */
-+ char * l_conf; /* use ldap.conf */
-+ int tls; /* TLS only */
-+ struct timeval b_timeout; /* bind timeout */
-+ struct timeval s_timeout; /* search timeout */
-+ unsigned int flags; /* misc flags (reconnection, future use?) */
-+} ldap_opt_t;
-+
-+typedef struct ldap_keys {
-+ struct berval ** keys; /* the public keys retrieved */
-+ unsigned int num; /* number of keys */
-+} ldap_key_t;
-+
-+
-+/* function headers */
-+void ldap_close(ldap_opt_t *);
-+int ldap_connect(ldap_opt_t *);
-+char * ldap_parse_groups(const char *);
-+char * ldap_parse_servers(const char *);
-+void ldap_options_print(ldap_opt_t *);
-+void ldap_options_free(ldap_opt_t *);
-+void ldap_keys_free(ldap_key_t *);
-+int ldap_parse_lconf(ldap_opt_t *);
-+ldap_key_t * ldap_getuserkey(ldap_opt_t *, const char *);
-+int ldap_ismember(ldap_opt_t *, const char *);
-+
-+#endif
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/lpk-user-example.txt ./lpk-user-example.txt
---- ../openssh-5.8p2-orig/lpk-user-example.txt 1970-01-01 03:00:00.000000000 +0300
-+++ ./lpk-user-example.txt 2011-10-03 16:54:04.081343446 +0400
-@@ -0,0 +1,117 @@
-+
-+Post to ML -> User Made Quick Install Doc.
-+Contribution from John Lane <john@lane.uk.net>
-+
-+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-+
-+OpenSSH LDAP keystore Patch
-+===========================
-+
-+NOTE: these notes are a transcript of a specific installation
-+ they work for me, your specifics may be different!
-+ from John Lane March 17th 2005 john@lane.uk.net
-+
-+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
-+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
-+
-+(Assuming here that necessary build stuff is in $BUILD)
-+
-+cd $BUILD/openssh-4.0p1
-+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
-+mkdir -p /var/empty &&
-+./configure --prefix=/usr --sysconfdir=/etc/ssh \
-+ --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
-+ --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
-+Now do.
-+make &&
-+make install
-+
-+Add the following config to /etc/ssh/ssh_config
-+UseLPK yes
-+LpkServers ldap://myhost.mydomain.com
-+LpkUserDN ou=People,dc=mydomain,dc=com
-+
-+We need to tell sshd about the SSL keys during boot, as root's
-+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
-+Change the startup code from this:
-+ echo "Starting SSH Server..."
-+ loadproc /usr/sbin/sshd
-+ ;;
-+to this:
-+ echo "Starting SSH Server..."
-+ LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
-+ ;;
-+
-+Re-start the sshd daemon:
-+/etc/rc.d/init.d/sshd restart
-+
-+Install the additional LDAP schema
-+cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema
-+
-+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
-+Add the following to the end of the existing block of schema includes
-+include /etc/openldap/schema/openssh.schema
-+
-+Re-start the LDAP server:
-+/etc/rc.d/init.d/slapd restart
-+
-+To add one or more public keys to a user, eg "testuser" :
-+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
-+
-+append the following to this /tmp/testuser file
-+objectclass: ldapPublicKey
-+sshPublicKey: ssh-rsa
-+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
-+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
-+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-+
-+Then do a modify:
-+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
-+/tmp/testuser -Z
-+Enter LDAP Password:
-+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
-+And check the modify is ok:
-+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-+"uid=testuser,ou=People,dc=mydomain,dc=com"
-+Enter LDAP Password:
-+# extended LDIF
-+#
-+# LDAPv3
-+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
-+# filter: (objectclass=*)
-+# requesting: ALL
-+#
-+
-+# testuser, People, mydomain.com
-+dn: uid=testuser,ou=People,dc=mydomain,dc=com
-+uid: testuser
-+cn: testuser
-+objectClass: account
-+objectClass: posixAccount
-+objectClass: top
-+objectClass: shadowAccount
-+objectClass: ldapPublicKey
-+shadowLastChange: 12757
-+shadowMax: 99999
-+shadowWarning: 7
-+loginShell: /bin/bash
-+uidNumber: 9999
-+gidNumber: 501
-+homeDirectory: /home/testuser
-+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
-+sshPublicKey: ssh-rsa
-+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
-+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-+
-+# search result
-+search: 3
-+result: 0 Success
-+
-+# numResponses: 2
-+# numEntries: 1
-+
-+Now start a ssh session to user "testuser" from usual ssh client (e.g.
-+puTTY). Login should succeed.
-+
-+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/openssh-lpk_openldap.schema ./openssh-lpk_openldap.schema
---- ../openssh-5.8p2-orig/openssh-lpk_openldap.schema 1970-01-01 03:00:00.000000000 +0300
-+++ ./openssh-lpk_openldap.schema 2011-10-03 16:54:04.083343698 +0400
-@@ -0,0 +1,19 @@
-+#
-+# LDAP Public Key Patch schema for use with openssh-ldappubkey
-+# Author: Eric AUGE <eau@phear.org>
-+#
-+# Based on the proposal of : Mark Ruijter
-+#
-+
-+
-+# octetString SYNTAX
-+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
-+ DESC 'MANDATORY: OpenSSH Public key'
-+ EQUALITY octetStringMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-+
-+# printableString SYNTAX yes|no
-+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
-+ DESC 'MANDATORY: OpenSSH LPK objectclass'
-+ MUST ( sshPublicKey $ uid )
-+ )
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/openssh-lpk_sun.schema ./openssh-lpk_sun.schema
---- ../openssh-5.8p2-orig/openssh-lpk_sun.schema 1970-01-01 03:00:00.000000000 +0300
-+++ ./openssh-lpk_sun.schema 2011-10-03 16:54:04.085343791 +0400
-@@ -0,0 +1,21 @@
-+#
-+# LDAP Public Key Patch schema for use with openssh-ldappubkey
-+# Author: Eric AUGE <eau@phear.org>
-+#
-+# Schema for Sun Directory Server.
-+# Based on the original schema, modified by Stefan Fischer.
-+#
-+
-+dn: cn=schema
-+
-+# octetString SYNTAX
-+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
-+ DESC 'MANDATORY: OpenSSH Public key'
-+ EQUALITY octetStringMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-+
-+# printableString SYNTAX yes|no
-+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
-+ DESC 'MANDATORY: OpenSSH LPK objectclass'
-+ MUST ( sshPublicKey $ uid )
-+ )
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/servconf.c ./servconf.c
---- ../openssh-5.8p2-orig/servconf.c 2011-10-03 16:53:52.353344636 +0400
-+++ ./servconf.c 2011-10-03 16:54:10.682337546 +0400
-@@ -46,6 +46,10 @@
- #include "channels.h"
- #include "groupaccess.h"
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- static void add_listen_addr(ServerOptions *, char *, int);
- static void add_one_listen_addr(ServerOptions *, char *, int);
-
-@@ -139,6 +143,24 @@
- options->authorized_principals_file = NULL;
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
-+#ifdef WITH_LDAP_PUBKEY
-+ /* XXX dirty */
-+ options->lpk.ld = NULL;
-+ options->lpk.on = -1;
-+ options->lpk.servers = NULL;
-+ options->lpk.u_basedn = NULL;
-+ options->lpk.g_basedn = NULL;
-+ options->lpk.binddn = NULL;
-+ options->lpk.bindpw = NULL;
-+ options->lpk.sgroup = NULL;
-+ options->lpk.filter = NULL;
-+ options->lpk.fgroup = NULL;
-+ options->lpk.l_conf = NULL;
-+ options->lpk.tls = -1;
-+ options->lpk.b_timeout.tv_sec = -1;
-+ options->lpk.s_timeout.tv_sec = -1;
-+ options->lpk.flags = FLAG_EMPTY;
-+#endif
- }
-
- void
-@@ -281,6 +303,32 @@
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_THROUGHPUT;
-+#ifdef WITH_LDAP_PUBKEY
-+ if (options->lpk.on == -1)
-+ options->lpk.on = _DEFAULT_LPK_ON;
-+ if (options->lpk.servers == NULL)
-+ options->lpk.servers = _DEFAULT_LPK_SERVERS;
-+ if (options->lpk.u_basedn == NULL)
-+ options->lpk.u_basedn = _DEFAULT_LPK_UDN;
-+ if (options->lpk.g_basedn == NULL)
-+ options->lpk.g_basedn = _DEFAULT_LPK_GDN;
-+ if (options->lpk.binddn == NULL)
-+ options->lpk.binddn = _DEFAULT_LPK_BINDDN;
-+ if (options->lpk.bindpw == NULL)
-+ options->lpk.bindpw = _DEFAULT_LPK_BINDPW;
-+ if (options->lpk.sgroup == NULL)
-+ options->lpk.sgroup = _DEFAULT_LPK_SGROUP;
-+ if (options->lpk.filter == NULL)
-+ options->lpk.filter = _DEFAULT_LPK_FILTER;
-+ if (options->lpk.tls == -1)
-+ options->lpk.tls = _DEFAULT_LPK_TLS;
-+ if (options->lpk.b_timeout.tv_sec == -1)
-+ options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT;
-+ if (options->lpk.s_timeout.tv_sec == -1)
-+ options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT;
-+ if (options->lpk.l_conf == NULL)
-+ options->lpk.l_conf = _DEFAULT_LPK_LDP;
-+#endif
-
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
-@@ -329,6 +377,12 @@
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- sKexAlgorithms, sIPQoS,
- sDeprecated, sUnsupported
-+#ifdef WITH_LDAP_PUBKEY
-+ ,sLdapPublickey, sLdapServers, sLdapUserDN
-+ ,sLdapGroupDN, sBindDN, sBindPw, sMyGroup
-+ ,sLdapFilter, sForceTLS, sBindTimeout
-+ ,sSearchTimeout, sLdapConf
-+#endif
- } ServerOpCodes;
-
- #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
-@@ -452,6 +506,20 @@
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
- { "ipqos", sIPQoS, SSHCFG_ALL },
-+#ifdef WITH_LDAP_PUBKEY
-+ { _DEFAULT_LPK_TOKEN, sLdapPublickey, SSHCFG_GLOBAL },
-+ { _DEFAULT_SRV_TOKEN, sLdapServers, SSHCFG_GLOBAL },
-+ { _DEFAULT_USR_TOKEN, sLdapUserDN, SSHCFG_GLOBAL },
-+ { _DEFAULT_GRP_TOKEN, sLdapGroupDN, SSHCFG_GLOBAL },
-+ { _DEFAULT_BDN_TOKEN, sBindDN, SSHCFG_GLOBAL },
-+ { _DEFAULT_BPW_TOKEN, sBindPw, SSHCFG_GLOBAL },
-+ { _DEFAULT_MYG_TOKEN, sMyGroup, SSHCFG_GLOBAL },
-+ { _DEFAULT_FIL_TOKEN, sLdapFilter, SSHCFG_GLOBAL },
-+ { _DEFAULT_TLS_TOKEN, sForceTLS, SSHCFG_GLOBAL },
-+ { _DEFAULT_BTI_TOKEN, sBindTimeout, SSHCFG_GLOBAL },
-+ { _DEFAULT_STI_TOKEN, sSearchTimeout, SSHCFG_GLOBAL },
-+ { _DEFAULT_LDP_TOKEN, sLdapConf, SSHCFG_GLOBAL },
-+#endif
- { NULL, sBadOption, 0 }
- };
-
-@@ -1412,6 +1480,107 @@
- arg = strdelim(&cp);
- break;
-
-+#ifdef WITH_LDAP_PUBKEY
-+ case sLdapPublickey:
-+ intptr = &options->lpk.on;
-+ goto parse_flag;
-+ case sLdapServers:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing ldap server",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL)
-+ fatal("%s line %d: error in ldap servers", filename, linenum);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sLdapUserDN:
-+ arg = cp;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing ldap server",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.u_basedn = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sLdapGroupDN:
-+ arg = cp;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing ldap server",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.g_basedn = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sBindDN:
-+ arg = cp;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing binddn",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.binddn = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sBindPw:
-+ arg = cp;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing bindpw",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.bindpw = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sMyGroup:
-+ arg = cp;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing groupname",filename, linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.sgroup = xstrdup(arg);
-+ if (options->lpk.sgroup)
-+ options->lpk.fgroup = ldap_parse_groups(options->lpk.sgroup);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sLdapFilter:
-+ arg = cp;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing filter",filename, linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.filter = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sForceTLS:
-+ intptr = &options->lpk.tls;
-+ arg = strdelim(&cp);
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing yes/no argument.",
-+ filename, linenum);
-+ value = 0; /* silence compiler */
-+ if (strcmp(arg, "yes") == 0)
-+ value = 1;
-+ else if (strcmp(arg, "no") == 0)
-+ value = 0;
-+ else if (strcmp(arg, "try") == 0)
-+ value = -1;
-+ else
-+ fatal("%s line %d: Bad yes/no argument: %s",
-+ filename, linenum, arg);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
-+ case sBindTimeout:
-+ intptr = (int *) &options->lpk.b_timeout.tv_sec;
-+ goto parse_int;
-+ case sSearchTimeout:
-+ intptr = (int *) &options->lpk.s_timeout.tv_sec;
-+ goto parse_int;
-+ break;
-+ case sLdapConf:
-+ arg = cp;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing LpkLdapConf", filename, linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.l_conf = xstrdup(arg);
-+ memset(arg, 0, strlen(arg));
-+ break;
-+#endif
- default:
- fatal("%s line %d: Missing handler for opcode %s (%d)",
- filename, linenum, arg, opcode);
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/servconf.h ./servconf.h
---- ../openssh-5.8p2-orig/servconf.h 2011-10-03 16:53:52.312343102 +0400
-+++ ./servconf.h 2011-10-03 16:54:04.087343603 +0400
-@@ -16,6 +16,10 @@
- #ifndef SERVCONF_H
- #define SERVCONF_H
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- #define MAX_PORTS 256 /* Max # ports. */
-
- #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
-@@ -153,6 +157,9 @@
- int use_pam; /* Enable auth via PAM */
-
- int permit_tun;
-+#ifdef WITH_LDAP_PUBKEY
-+ ldap_opt_t lpk;
-+#endif
-
- int num_permitted_opens;
-
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/sshd.c ./sshd.c
---- ../openssh-5.8p2-orig/sshd.c 2011-10-03 16:53:52.332343106 +0400
-+++ ./sshd.c 2011-10-03 16:54:04.091340108 +0400
-@@ -127,6 +127,10 @@
- int deny_severity;
- #endif /* LIBWRAP */
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
-@@ -1542,6 +1546,16 @@
- exit(1);
- }
-
-+#ifdef WITH_LDAP_PUBKEY
-+ /* ldap_options_print(&options.lpk); */
-+ /* XXX initialize/check ldap connection and set *LD */
-+ if (options.lpk.on) {
-+ if (options.lpk.l_conf && (ldap_parse_lconf(&options.lpk) < 0) )
-+ error("[LDAP] could not parse %s", options.lpk.l_conf);
-+ if (ldap_connect(&options.lpk) < 0)
-+ error("[LDAP] could not initialize ldap connection");
-+ }
-+#endif
- debug("sshd version %.100s", SSH_RELEASE);
-
- /* Store privilege separation user for later use if required. */
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/sshd_config ./sshd_config
---- ../openssh-5.8p2-orig/sshd_config 2011-10-03 16:53:52.304343933 +0400
-+++ ./sshd_config 2011-10-03 16:54:04.093339440 +0400
-@@ -108,6 +108,21 @@
- # no default banner path
- #Banner none
-
-+# here are the new patched ldap related tokens
-+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
-+#UseLPK yes
-+#LpkLdapConf /etc/ldap.conf
-+#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
-+#LpkUserDN ou=users,dc=phear,dc=org
-+#LpkGroupDN ou=groups,dc=phear,dc=org
-+#LpkBindDN cn=Manager,dc=phear,dc=org
-+#LpkBindPw secret
-+#LpkServerGroup mail
-+#LpkFilter (hostAccess=master.phear.org)
-+#LpkForceTLS no
-+#LpkSearchTimelimit 3
-+#LpkBindTimelimit 3
-+
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
-diff -Nur -x '*.orig' -x '*.rej' ../openssh-5.8p2-orig/sshd_config.5 ./sshd_config.5
---- ../openssh-5.8p2-orig/sshd_config.5 2011-10-03 16:53:52.361343285 +0400
-+++ ./sshd_config.5 2011-10-03 16:54:04.096340739 +0400
-@@ -1141,6 +1141,62 @@
- program.
- The default is
- .Pa /usr/X11R6/bin/xauth .
-+.It Cm UseLPK
-+Specifies whether LDAP public key retrieval must be used or not. It allow
-+an easy centralisation of public keys within an LDAP directory. The argument must be
-+.Dq yes
-+or
-+.Dq no .
-+.It Cm LpkLdapConf
-+Specifies whether LDAP Public keys should parse the specified ldap.conf file
-+instead of sshd_config Tokens. The argument must be a valid path to an ldap.conf
-+file like
-+.Pa /etc/ldap.conf
-+.It Cm LpkServers
-+Specifies LDAP one or more [:space:] separated server's url the following form may be used:
-+.Pp
-+LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3
-+.It Cm LpkUserDN
-+Specifies the LDAP user DN.
-+.Pp
-+LpkUserDN ou=users,dc=phear,dc=org
-+.It Cm LpkGroupDN
-+Specifies the LDAP groups DN.
-+.Pp
-+LpkGroupDN ou=groups,dc=phear,dc=org
-+.It Cm LpkBindDN
-+Specifies the LDAP bind DN to use if necessary.
-+.Pp
-+LpkBindDN cn=Manager,dc=phear,dc=org
-+.It Cm LpkBindPw
-+Specifies the LDAP bind credential.
-+.Pp
-+LpkBindPw secret
-+.It Cm LpkServerGroup
-+Specifies one or more [:space:] separated group the server is part of.
-+.Pp
-+LpkServerGroup unix mail prod
-+.It Cm LpkFilter
-+Specifies an additional LDAP filter to use for finding SSH keys
-+.Pp
-+LpkFilter (hostAccess=master.phear.org)
-+.It Cm LpkForceTLS
-+Specifies if the LDAP server connection must be tried, forced or not used. The argument must be
-+.Dq yes
-+or
-+.Dq no
-+or
-+.Dq try .
-+.It Cm LpkSearchTimelimit
-+Sepcifies the search time limit before the search is considered over. value is
-+in seconds.
-+.Pp
-+LpkSearchTimelimit 3
-+.It Cm LpkBindTimelimit
-+Sepcifies the bind time limit before the connection is considered dead. value is
-+in seconds.
-+.Pp
-+LpkBindTimelimit 3
- .El
- .Sh TIME FORMATS
- .Xr sshd 8
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in
index 4d2c77333093..f55233d8568c 100644
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@@ -25,9 +25,11 @@ load_rc_config ${name}
: ${openssh_skipportscheck="NO"}
command=%%PREFIX%%/sbin/sshd
-extra_commands="reload keygen"
+extra_commands="configtest reload keygen"
start_precmd="${name}_checks"
+reload_precmd="${name}_configtest"
restart_precmd="${name}_checks"
+configtest_cmd="${name}_configtest"
keygen_cmd="${name}_keygen"
pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
@@ -137,6 +139,12 @@ openssh_check_same_ports(){
fi
}
+openssh_configtest()
+{
+ echo "Performing sanity check on ${name} configuration."
+ eval ${command} ${openssh_flags} -t
+}
+
openssh_checks()
{
if checkyesno sshd_enable ; then
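Review bot: `openssh_configtest` depends on sshd's exit status from the `eval … -t` line propagating out of the function — and out of `openssh_checks`, where it is now the last command — so that rc.subr aborts `start`, `restart` and the new `reload` precmd on a bad config; nothing says so, and a line appended after the `eval` later would silently defeat the check. Suggest `# sshd -t exits non-zero on a bad config or host key; keep it the last command so the status reaches the precmd check.` above the `eval`. The comment could also note that, unlike the old `eval "${command} -t"`, the test now receives `${openssh_flags}`, so an alternate config given with `-f` is what actually gets validated.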
@@ -146,7 +154,7 @@ openssh_checks()
fi
run_rc_command keygen
- eval "${command} -t"
+ openssh_configtest
}
run_rc_command "$1"
diff --git a/security/openssh-portable/files/patch-Makefile.in b/security/openssh-portable/files/patch-Makefile.in
deleted file mode 100644
index 7026ec7a90a3..000000000000
--- a/security/openssh-portable/files/patch-Makefile.in
+++ /dev/null
@@ -1,11 +0,0 @@
---- Makefile.in.orig 2010-05-12 00:51:39.000000000 -0600
-+++ Makefile.in 2010-09-14 16:14:12.000000000 -0600
-@@ -238,7 +238,7 @@
- $(AUTORECONF)
- -rm -rf autom4te.cache
-
--install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
- install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
- install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
-
diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c
index 8eec3dc3ba36..a12017191b5d 100644
--- a/security/openssh-portable/files/patch-auth.c
+++ b/security/openssh-portable/files/patch-auth.c
@@ -1,3 +1,12 @@
+r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines
+Changed paths:
+ M /head/crypto/openssh/auth.c
+
+Use login_getpwclass() instead of login_getclass() so that the root
+vs. default login class distinction is made correctly.
+
+PR: 37416
+
--- auth.c.orig 2010-08-12 11:33:01.000000000 -0600
+++ auth.c 2010-09-14 16:14:12.000000000 -0600
@@ -594,7 +594,7 @@
diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c
index bebcc89d3c56..2b98f7f5b2e0 100644
--- a/security/openssh-portable/files/patch-auth1.c
+++ b/security/openssh-portable/files/patch-auth1.c
@@ -1,3 +1,20 @@
+r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
+Changed paths:
+ M /head/security/hpn-ssh/Makefile
+ M /head/security/hpn-ssh/files/patch-auth.c
+ A /head/security/hpn-ssh/files/patch-auth1.c
+ A /head/security/hpn-ssh/files/patch-auth2.c
+ M /head/security/hpn-ssh/files/patch-session.c
+ M /head/security/openssh-portable/Makefile
+ M /head/security/openssh-portable/files/patch-auth.c
+ A /head/security/openssh-portable/files/patch-auth1.c
+ A /head/security/openssh-portable/files/patch-auth2.c
+ M /head/security/openssh-portable/files/patch-session.c
+
+Merged patches for HAVE_LOGIN_CAP from stable
+
+PR: 35904
+
--- auth1.c.orig 2010-06-25 18:01:33.000000000 -0600
+++ auth1.c 2010-09-14 16:14:12.000000000 -0600
@@ -40,6 +40,7 @@
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index d57566e1b1bb..0c5730a733c6 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -1,3 +1,20 @@
+r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
+Changed paths:
+ M /head/security/hpn-ssh/Makefile
+ M /head/security/hpn-ssh/files/patch-auth.c
+ A /head/security/hpn-ssh/files/patch-auth1.c
+ A /head/security/hpn-ssh/files/patch-auth2.c
+ M /head/security/hpn-ssh/files/patch-session.c
+ M /head/security/openssh-portable/Makefile
+ M /head/security/openssh-portable/files/patch-auth.c
+ A /head/security/openssh-portable/files/patch-auth1.c
+ A /head/security/openssh-portable/files/patch-auth2.c
+ M /head/security/openssh-portable/files/patch-session.c
+
+Merged patches for HAVE_LOGIN_CAP from stable
+
+PR: 35904
+
--- auth2.c.orig 2009-06-22 00:11:07.000000000 -0600
+++ auth2.c 2010-09-14 16:14:12.000000000 -0600
@@ -46,6 +46,7 @@
diff --git a/security/openssh-portable/files/patch-loginrec.c b/security/openssh-portable/files/patch-loginrec.c
index a45629ea6ec7..8e2e847a2252 100644
--- a/security/openssh-portable/files/patch-loginrec.c
+++ b/security/openssh-portable/files/patch-loginrec.c
@@ -1,26 +1,28 @@
---- loginrec.c.orig 2010-04-09 02:13:27.000000000 -0600
-+++ loginrec.c 2010-09-14 16:14:12.000000000 -0600
-@@ -179,6 +179,9 @@
- #ifdef HAVE_UTIL_H
- # include <util.h>
- #endif
-+#ifdef __FreeBSD__
-+#include <osreldate.h>
-+#endif
-
- #ifdef HAVE_LIBUTIL_H
- # include <libutil.h>
-@@ -693,8 +696,13 @@
+r63028 | dinoex | 2002-07-15 15:08:01 -0500 (Mon, 15 Jul 2002) | 6 lines
+
+- Fix Problem with HAVE_HOST_IN_UTMP
+- update monitor.c
+
+PR: 40576
+Submitted by: lxv@a-send-pr.sink.omut.org
+
+r99768 | des | 2002-07-11 05:36:10 -0500 (Thu, 11 Jul 2002) | 6 lines
+
+Use realhostname_sa(3) so the IP address will be used instead of the
+hostname if the latter is too long for utmp.
+
+Submitted by: ru
+
+--- loginrec.c.orig 2013-04-14 08:28:40.482762815 -0500
++++ loginrec.c 2013-04-14 08:29:03.723757797 -0500
+@@ -694,8 +694,8 @@
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
-+# if defined(__FreeBSD__) && __FreeBSD_version < 400000
- strncpy(ut->ut_host, li->hostname,
- MIN_SIZEOF(ut->ut_host, li->hostname));
-+# else
+- strncpy(ut->ut_host, li->hostname,
+- MIN_SIZEOF(ut->ut_host, li->hostname));
+ realhostname_sa(ut->ut_host, sizeof ut->ut_host,
+ &li->hostaddr.sa, li->hostaddr.sa.sa_len);
-+# endif
# endif
# ifdef HAVE_ADDR_IN_UTMP
/* this is just a 32-bit IP address */
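Review bot: The `realhostname_sa()` call that replaces the `strncpy` discards its return value and, if I recall libutil correctly, performs its own reverse lookup from `li->hostaddr` rather than reusing whatever sshd already resolved into `li->hostname` (so it runs regardless of `UseDNS`). That is defensible, because the function writes the numeric address when the name is too long for `ut_host` or does not verify — the behaviour the r99768 log above asks for — but the call site should say so, or the ignored status will read as an oversight: `/* realhostname_sa(3) does its own lookup and stores the numeric address when the name is too long or does not verify; status deliberately unused */`. The `li->hostaddr.sa.sa_len` argument also presumes the caller always filled in a real sockaddr for this entry; whether `record_login()` can be reached with no address is decided outside this hunk and worth confirming.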
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
index df44d83e8e37..9e76a49f5990 100644
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -1,3 +1,11 @@
+r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+ M /head/crypto/openssh/myproposal.h
+ M /head/crypto/openssh/readconf.c
+ M /head/crypto/openssh/servconf.c
+
+Apply FreeBSD's configuration defaults.
+
--- readconf.c.orig 2010-08-03 00:04:46.000000000 -0600
+++ readconf.c 2010-09-14 16:14:12.000000000 -0600
@@ -1169,7 +1169,7 @@
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index 47a52541fd00..f962d1ca87fc 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -1,3 +1,11 @@
+r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+ M /head/crypto/openssh/myproposal.h
+ M /head/crypto/openssh/readconf.c
+ M /head/crypto/openssh/servconf.c
+
+Apply FreeBSD's configuration defaults.
+
--- servconf.c.orig 2010-06-25 17:38:45.000000000 -0600
+++ servconf.c 2010-09-14 16:14:12.000000000 -0600
@@ -139,7 +139,7 @@
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 4c7d773de54c..226a94c19245 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -1,3 +1,20 @@
+r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
+Changed paths:
+ M /head/security/hpn-ssh/Makefile
+ M /head/security/hpn-ssh/files/patch-auth.c
+ A /head/security/hpn-ssh/files/patch-auth1.c
+ A /head/security/hpn-ssh/files/patch-auth2.c
+ M /head/security/hpn-ssh/files/patch-session.c
+ M /head/security/openssh-portable/Makefile
+ M /head/security/openssh-portable/files/patch-auth.c
+ A /head/security/openssh-portable/files/patch-auth1.c
+ A /head/security/openssh-portable/files/patch-auth2.c
+ M /head/security/openssh-portable/files/patch-session.c
+
+Merged patches for HAVE_LOGIN_CAP from stable
+
+PR: 35904
+
--- session.c.orig 2011-07-21 18:55:33.883559116 +0200
+++ session.c 2011-07-21 19:02:17.789294035 +0200
@@ -896,6 +896,24 @@
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index c1f4ac1046f2..21a83d64beee 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -1,3 +1,7 @@
+r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
+
+Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
+
--- ssh-agent.c.orig 2010-04-15 23:56:22.000000000 -0600
+++ ssh-agent.c 2010-09-14 16:14:13.000000000 -0600
@@ -1086,6 +1086,7 @@
diff --git a/security/openssh-portable/files/patch-ssh.c b/security/openssh-portable/files/patch-ssh.c
index bc95ec9c7ca6..b0d67498a75f 100644
--- a/security/openssh-portable/files/patch-ssh.c
+++ b/security/openssh-portable/files/patch-ssh.c
@@ -1,6 +1,10 @@
$FreeBSD$
-Make the same change to use the canonical hostname as the base FreeBSD ssh.
+r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+ M /head/crypto/openssh/ssh.c
+
+Canonicize the host name before looking it up in the host file.
--- ssh.c.orig 2010-08-16 09:59:31.000000000 -0600
+++ ssh.c 2010-08-25 17:55:01.000000000 -0600
diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config
index ccd054622801..7a4a16f40530 100644
--- a/security/openssh-portable/files/patch-ssh_config
+++ b/security/openssh-portable/files/patch-ssh_config
@@ -1,3 +1,8 @@
+r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
+
+Document the FreeBSD default for CheckHostIP, which was changed in
+rev 1.2 of readconf.c.
+
--- ssh_config.orig 2010-01-12 01:40:27.000000000 -0700
+++ ssh_config 2010-09-14 16:14:13.000000000 -0600
@@ -27,7 +27,7 @@
diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5
index a71a5415b66d..764515076a63 100644
--- a/security/openssh-portable/files/patch-ssh_config.5
+++ b/security/openssh-portable/files/patch-ssh_config.5
@@ -1,3 +1,8 @@
+r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
+
+Document the FreeBSD default for CheckHostIP, which was changed in
+rev 1.2 of readconf.c.
+
--- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600
+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600
@@ -164,7 +164,7 @@
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
index 3cb59aac14bf..4bab7b855567 100644
--- a/security/openssh-portable/files/patch-sshd.8
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -1,3 +1,5 @@
+Document FreeBSD/port-specific paths
+
--- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600
+++ sshd.8 2010-09-14 16:14:14.000000000 -0600
@@ -70,7 +70,7 @@
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 257ac2db74e5..08514d4eec49 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -1,3 +1,13 @@
+r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines
+Changed paths:
+ M /head/crypto/openssh/sshd.c
+
+Force early initialization of the resolver library, since the resolver
+configuration files will no longer be available once sshd is chrooted.
+
+PR: 39953, 40894
+Submitted by: dinoex
+
--- sshd.c.orig 2010-04-15 23:56:22.000000000 -0600
+++ sshd.c 2010-09-14 16:14:13.000000000 -0600
@@ -83,6 +83,13 @@
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 9142874bde58..8802619fbcfb 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,3 +1,10 @@
+r99051 | des | 2002-06-29 05:55:18 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+ M /head/crypto/openssh/ssh_config
+ M /head/crypto/openssh/sshd_config
+
+Document FreeBSD defaults.
+
--- sshd_config.orig 2009-10-11 04:51:09.000000000 -0600
+++ sshd_config 2010-09-14 16:14:13.000000000 -0600
@@ -36,7 +36,7 @@
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index fdbe1df2a10c..f3ab982bd0fa 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,3 +1,5 @@
+Document defaults
+
--- sshd_config.5.orig 2010-07-01 21:37:17.000000000 -0600
+++ sshd_config.5 2010-08-31 05:27:27.000000000 -0600
@@ -223,7 +223,9 @@
diff --git a/security/openssh-portable/pkg-descr b/security/openssh-portable/pkg-descr
index 58bd0e028500..4aa11afe57fd 100644
--- a/security/openssh-portable/pkg-descr
+++ b/security/openssh-portable/pkg-descr
@@ -12,4 +12,4 @@ are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
The official OpenBSD source will never use the 'p' suffix, but will instead
increment the version number when they hit 'stable spots' in their development.
-WWW: http://www.openssh.org/portable.html
+WWW: http://www.openssh.org/portable.html
diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist
index 75ab8de9b1c4..dbc2df02433e 100644
--- a/security/openssh-portable/pkg-plist
+++ b/security/openssh-portable/pkg-plist
@@ -24,7 +24,3 @@ sbin/sshd
libexec/sftp-server
libexec/ssh-keysign
libexec/ssh-pkcs11-helper
-@exec if [ ! -d %%EMPTYDIR%% ]; then mkdir -p %%EMPTYDIR%% ; fi
-%%ERASEEMPTY%%@dirrm empty
-@exec if ! pw groupshow sshd 2>/dev/null; then pw groupadd sshd -g 22; fi
-@exec if ! pw usershow sshd 2>/dev/null; then pw useradd sshd -g sshd -u 22 -h - -d %%EMPTYDIR%% -s /nonexistent -c "sshd privilege separation"; fi