Update to 3.2.5:

* Fixed a critical security bug with RSA signature verification. Mitigating factors: DSA is used by default (not vulnerable). Also, the attack requires that attacker has the public key and the attacker needs to precompute the signature data so, that it looks like a valid PKCS#1 signature. This is a non-trivial task to perform without the private key. Nonetheless, all users should update their servers and clients as soon as convenient. Workarounds are to not use RSA keys as host keys (though connecting to existing hosts with RSA hostkeys poses a serious risk with a vulnerable client), and disabling publickey authentication. Update your clients and servers. Update MASTER_SITES, remove sites that are down or no langer carry ssh2 and add some new. - Turn Kerberos and group writeability support into knobs so one hasn't to edit the Makefile. - Remove dependency on security/tcp_wrapper for tcp-wrapper support on systems < FreeBSD 4.0, that port is no longer persistent. - Fix pkg-plist for WITH_STATIC_SFTP case. - Replace referneces to /etc/ssh2/* in man pages with references to PREFIX/etc/ssh2/* in order to better fit for FreeBSD. - Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc. - Remove duplicated mechanism for generating the host key if an old one isn't found in the post-install target in the Makefile of the port, this is already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile. - Fix differences between the install action done when installing the package versus installing the port. I.e. make the package create the host key with what ever bits ssh-keygen2 defaults to (currently 2048) instead of 1024 bits, copy over the configuration files for ssh2 and sshd2 from the examples if not already existent and create the directories for the global host keys and known hosts files. - Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2, i.e. configuration files that don't differ from the corresponding examples and empty directories. Inform the user to remove what's left over if any. - Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of "/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH and seems more usefull. One might want to patch ssh2 to also use login_cap(3) so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf. - Change MAINTAINER. - Replace "share/doc/ssh2" with %%DATADIR%% in pkg-plist. Submitted by: Marius Strobl <marius@alchemy.franken.de> Approved by: maintainer
author: netchild <netchild@FreeBSD.org> 2003-07-07 22:19:07 +0800
committer: netchild <netchild@FreeBSD.org> 2003-07-07 22:19:07 +0800
commit: f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a (patch)
tree: f5e8525f278e89f7fe0cd37a9fbb49fb95d6dc28 /security/ssh2
parent: 1d30615c8073f0aca809a416023c32f680279d8f (diff)
download: freebsd-ports-gnome-f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a.tar.gz
freebsd-ports-gnome-f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a.tar.zst
freebsd-ports-gnome-f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a.zip
4 files changed, 80 insertions, 42 deletions
diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile
index ea13d0b706c9..90dd7ec4a9fb 100644
--- a/security/ssh2/Makefile
+++ b/security/ssh2/Makefile
@@ -6,22 +6,22 @@
 #
 
 PORTNAME=	ssh2
-PORTVERSION=	3.2.3
+PORTVERSION=	3.2.5
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.ssh.com/pub/ssh/ \
 		ftp://sunsite.unc.edu/pub/packages/security/ssh/ \
-		ftp://ftp.kyoto.wide.ad.jp/pub/security/ssh/ \
-		ftp://ftp.cis.fed.gov/pub/ssh/ \
 		ftp://ftp.keystealth.org/pub/ssh/ \
-		ftp://mirror.chpc.utah.edu/pub/ssh/ \
 		ftp://metalab.unc.edu/pub/packages/security/ssh/ \
-		ftp://herbie.ucs.indiana.edu/pub/security/ssh/
+		ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/ \
+		ftp://ftp.cronyx.ru/mirror/ssh/ \
+		ftp://ftp.univie.ac.at/applications/ssh.com/
 DISTNAME=	ssh-${PORTVERSION}
 
-MAINTAINER=	larse@ISI.EDU
+MAINTAINER=	marius@alchemy.franken.de
 COMMENT=	Secure shell client and server (remote login program)
 
 GNU_CONFIGURE=	YES
+USE_REINPLACE=	YES
 
 CONFIGURE_ARGS=	--with-etcdir=${SSH2_ETC} --disable-debug
 
@@ -29,43 +29,43 @@ SSH2_ETC=	${PREFIX}/etc/ssh2
 SSH2_RCD=	${PREFIX}/etc/rc.d
 CONFIG_FILES=	ssh2_config sshd2_config
 
-# Uncomment if all your users are in their own group and their homedir
+.include <bsd.port.pre.mk>
+
+# Define if all your users are in their own group and their homedir
 # is writeable by that group.  Beware the security implications!
 #
-#CONFIGURE_ARGS+=	--enable-group-writeability
+.if defined(WITH_GROUP_WRITEABILITY)
+CONFIGURE_ARGS+=	--enable-group-writeability
+.endif
 
-# Kerberos support is untested.
+# Kerberos5 support in ssh2 is EXPERIMENTAL and requires MIT Kerberos,
+# Heimdal is unsupported.
 #
-#.if defined(KRB5_HOME) && exists(${KRB5_HOME})
-#CONFIGURE_ARGS+=--with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer
-#.endif
+.if defined(WITH_KERBEROS) && defined(KRB5_HOME) && \
+	exists(${KRB5_HOME}/lib/libkrb5.a)
+CONFIGURE_ARGS+=	--with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer
+.endif
 
-# Auto-configure tcp_wrappers support.
-#
-.if exists(/usr/include/tcpd.h) && !defined(WITHOUT_TCPWRAP) && \
-	!defined(WITHOUT_TCPWRAP)
+.if exists(/usr/include/tcpd.h) && !defined(WITHOUT_TCPWRAP)
 CONFIGURE_ARGS+=	--with-libwrap
-.elif defined(WITH_TCPWRAP)
-CONFIGURE_ARGS+=	--with-libwrap="-L${LOCALBASE}/lib -lwrap"
-
-LIB_DEPENDS+=	wrap.7:${PORTSDIR}/security/tcp_wrapper
 .endif
 
-.include <bsd.port.pre.mk>
-
-# This is necessary for a working ssh-chrootmgr. Added by mic@nethack.at
+# This is necessary for a working ssh-chrootmgr. Added by mic@nethack.at.
 #
 .if defined(WITH_STATIC_SFTP)
 CONFIGURE_ARGS+=	--enable-static
+PLIST_SUB=		STATIC=""
+.else
+PLIST_SUB=		STATIC="@comment "
 .endif
 
 .if defined(WITH_X11) || (exists(${X11BASE}/lib/libX11.a) \
 	&& exists(${X11BASE}/bin/xauth) && !defined(WITHOUT_X11))
 USE_XLIB=	yes
-PLIST_SUB=	WITH_X11:=""
+PLIST_SUB+=	WITH_X11:=""
 .else
 CONFIGURE_ARGS+=	--without-x
-PLIST_SUB=	WITH_X11:="@comment "
+PLIST_SUB+=	WITH_X11:="@comment "
 .endif
 
 MAN1=		ssh2.1 ssh-keygen2.1 ssh-add2.1 ssh-agent2.1 scp2.1 sftp2.1 \
@@ -81,6 +81,14 @@ MANCOMPRESSED=	no
 PORTDOCS=	CHANGES FAQ INSTALL LICENSE MANIFEST NEWS README \
 		REGEX-SYNTAX SSH2.QUICKSTART
 
+post-patch:
+.for i in ${MAN1} ${MAN5} ${MAN8}
+	@${REINPLACE_CMD} -e 's|\/etc\/ssh2|${PREFIX}&|g;' \
+		${WRKSRC}/apps/ssh/${i}
+.endfor
+	@${REINPLACE_CMD} -E -e 's|\$$\(ETCDIR\)|${PREFIX}\/etc|g;' \
+		${WRKSRC}/apps/ssh/ssh_dummy_shell.out
+
 post-install:
 .if !defined(NOPORTDOCS)
 	${MKDIR} ${DOCSDIR}
@@ -88,11 +96,7 @@ post-install:
 	${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR}
 .endfor
 .endif
-	@if [ ! -f ${SSH2_ETC}/hostkey ]; then \
-	    ${ECHO} "Generating a secret host key..."; \
-	    ${PREFIX}/bin/ssh-keygen2 -P -b 1024 -t dsa ${SSH2_ETC}/hostkey; \
-	fi; \
-	if [ "`grep ssh /etc/inetd.conf|grep -v ^#ssh`" = "" ]; then \
+	if [ "`${GREP} ssh /etc/inetd.conf | ${GREP} -v ^#ssh`" = "" ]; then \
 	    if [ ! -f ${SSH2_RCD}/sshd.sh ]; then \
 		${ECHO} "Installing ${SSH2_RCD}/sshd.sh startup file."; \
 		${SED} -e 's+!!PREFIX!!+${PREFIX}+' < ${FILESDIR}/sshd.sh \
diff --git a/security/ssh2/distinfo b/security/ssh2/distinfo
index c383355ab278..60f0dd3cf395 100644
--- a/security/ssh2/distinfo
+++ b/security/ssh2/distinfo
@@ -1 +1 @@
-MD5 (ssh-3.2.3.tar.gz) = d74afd27a5df00ae8fbbe066ec82c88a
+MD5 (ssh-3.2.5.tar.gz) = 0d9da1d79e4ce9cff44daf93e5b66a11
diff --git a/security/ssh2/files/patch-apps::ssh::sshchsession.c b/security/ssh2/files/patch-apps::ssh::sshchsession.c
new file mode 100644
index 000000000000..36f18b967cbe
--- /dev/null
+++ b/security/ssh2/files/patch-apps::ssh::sshchsession.c
@@ -0,0 +1,22 @@
+--- apps/ssh/sshchsession.c.orig	Thu Jul  3 00:19:57 2003
++++ apps/ssh/sshchsession.c	Thu Jul  3 00:21:12 2003
+@@ -218,8 +218,8 @@
+ #ifdef _PATH_USERPATH
+ #define DEFAULT_PATH            _PATH_USERPATH
+ #else
+-#ifdef _PATH_DEFPATH
+-#define DEFAULT_PATH            _PATH_DEFPATH
++#ifdef _PATH_STDPATH
++#define DEFAULT_PATH            _PATH_STDPATH
+ #else
+ #define DEFAULT_PATH    "/bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin"
+ #endif
+@@ -502,7 +502,7 @@
+   ssh_child_set_env(envp, envsizep, "HOME", user_dir);
+   ssh_child_set_env(envp, envsizep, "USER", user_name);
+   ssh_child_set_env(envp, envsizep, "LOGNAME", user_name);
+-  ssh_child_set_env(envp, envsizep, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
++  ssh_child_set_env(envp, envsizep, "PATH", DEFAULT_PATH SSH_BINDIR);
+ 
+ #ifdef MAIL_SPOOL_DIRECTORY
+   ssh_snprintf(buf, sizeof(buf), "%s/%s", MAIL_SPOOL_DIRECTORY, user_name);
diff --git a/security/ssh2/pkg-plist b/security/ssh2/pkg-plist
index 93342b159841..99f686a4c729 100644
--- a/security/ssh2/pkg-plist
+++ b/security/ssh2/pkg-plist
@@ -8,7 +8,9 @@ bin/ssh-add2
 bin/ssh-signer2
 bin/ssh-probe2
 bin/sftp-server2
+%%STATIC%%bin/sftp-server2.static
 bin/ssh-dummy-shell
+%%STATIC%%bin/ssh-dummy-shell.static
 bin/ssh
 bin/ssh-agent
 bin/ssh-add
@@ -20,24 +22,34 @@ bin/sftp-server
 bin/ssh-signer
 bin/ssh-probe
 etc/rc.d/sshd.sh
+@unexec if cmp -s %D/etc/ssh2/sshd2_config %D/etc/ssh2/sshd2_config.example; then rm -f %D/etc/ssh2/sshd2_config; fi
 etc/ssh2/sshd2_config.example
+@exec [ -f %B/sshd2_config ] || cp %B/%f %B/sshd2_config
+@unexec if cmp -s %D/etc/ssh2/ssh2_config %D/etc/ssh2/ssh2_config.example; then rm -f %D/etc/ssh2/ssh2_config; fi
 etc/ssh2/ssh2_config.example
+@exec [ -f %B/ssh2_config ] || cp %B/%f %B/ssh2_config
 etc/ssh2/ssh_dummy_shell.out
 etc/ssh2/subconfig/anonymous.example
 etc/ssh2/subconfig/host_ext.example
 etc/ssh2/subconfig/host_int.example
 etc/ssh2/subconfig/user.example
+@exec [ -d %D/etc/ssh2/hostkeys ] || mkdir %D/etc/ssh2/hostkeys
+@exec [ -d %D/etc/ssh2/knownhosts ] || mkdir %D/etc/ssh2/knownhosts
 sbin/sshd2
 sbin/sshd-check-conf
 sbin/sshd
-@exec if [ ! -f %D/etc/ssh2/hostkey ]; then umask 022; echo "Generating 1024 bit host key."; %D/bin/ssh-keygen2 -P -b 1024 -t dsa %D/etc/ssh2/hostkey;  fi
-%%PORTDOCS%%share/doc/ssh2/CHANGES
-%%PORTDOCS%%share/doc/ssh2/FAQ
-%%PORTDOCS%%share/doc/ssh2/INSTALL
-%%PORTDOCS%%share/doc/ssh2/LICENSE
-%%PORTDOCS%%share/doc/ssh2/MANIFEST
-%%PORTDOCS%%share/doc/ssh2/NEWS
-%%PORTDOCS%%share/doc/ssh2/README
-%%PORTDOCS%%share/doc/ssh2/REGEX-SYNTAX
-%%PORTDOCS%%share/doc/ssh2/SSH2.QUICKSTART
-%%PORTDOCS%%@dirrm share/doc/ssh2
+@exec if [ ! -f %D/etc/ssh2/hostkey ]; then umask 022; echo "Generating host key."; %D/bin/ssh-keygen2 -P -t dsa "DSA hostkey" %D/etc/ssh2/hostkey;  fi
+%%PORTDOCS%%%%DATADIR%%/CHANGES
+%%PORTDOCS%%%%DATADIR%%/FAQ
+%%PORTDOCS%%%%DATADIR%%/INSTALL
+%%PORTDOCS%%%%DATADIR%%/LICENSE
+%%PORTDOCS%%%%DATADIR%%/MANIFEST
+%%PORTDOCS%%%%DATADIR%%/NEWS
+%%PORTDOCS%%%%DATADIR%%/README
+%%PORTDOCS%%%%DATADIR%%/REGEX-SYNTAX
+%%PORTDOCS%%%%DATADIR%%/SSH2.QUICKSTART
+%%PORTDOCS%%@dirrm %%DATADIR%%
+@unexec rmdir %D/etc/ssh2/hostkeys 2> /dev/null || true
+@unexec rmdir %D/etc/ssh2/knownhosts 2> /dev/null || true
+@unexec rmdir %D/etc/ssh2/subconfig 2> /dev/null || true
+@unexec rmdir %D/etc/ssh2 2> /dev/null || echo "If permanently deleting this package, %D/etc/ssh2 and its contents must be removed manually."
author	netchild <netchild@FreeBSD.org>	2003-07-07 22:19:07 +0800
committer	netchild <netchild@FreeBSD.org>	2003-07-07 22:19:07 +0800
commit	f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a (patch)
tree	f5e8525f278e89f7fe0cd37a9fbb49fb95d6dc28 /security/ssh2
parent	1d30615c8073f0aca809a416023c32f680279d8f (diff)
download	freebsd-ports-gnome-f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a.tar.gz freebsd-ports-gnome-f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a.tar.zst freebsd-ports-gnome-f2d0f58fb7ba9f5a9f2f903c5c6c5afb7cce208a.zip