author | bdrewery <bdrewery@FreeBSD.org> | 2013-05-18 03:47:35 +0800 |
---|---|---|
committer | bdrewery <bdrewery@FreeBSD.org> | 2013-05-18 03:47:35 +0800 |
commit | a669ac8951511cf30b0de9f58c5fdca2a12c492a (patch) | |
tree | 7373f8f1143ea52d37890bda37f8aa4ace292847 /security | |
parent | 12085e2b635ccc55468b76aca5ffb0aff89fae72 (diff) | |
- Update to 6.2p2
- The LPK patch has been updated but is obsolete, deprecated and
untested. It has been replaced by AuthorizedKeysCommand
- The upstream HPN's last update was for 6.1 and is mostly
abandoned. The patch has had bugs since 5.9. I have reworked
it and split it into HPN and AES_THREADED options. The
debugging/logging part of the patch is incomplete. I may
change the patch to more closely match our base version
eventually.
- The KERB_GSSAPI option has been removed as the patch has not
been updated by upstream since 5.7
- sshd VersionAddendum is currently not working as intended;
it will be fixed later to allow removing the port/pkg version.
- Update our patchset to match latest base version
- Bring in ssh-agent -x support from base
- I incrementally updated the port from 5.8 up to 6.2p2 along
with patches. You can find all of the versions at
https://github.com/bdrewery/openssh
Changes:
http://www.openssh.com/txt/release-5.9
http://www.openssh.org/txt/release-6.0
http://www.openssh.org/txt/release-6.1
http://www.openssh.org/txt/release-6.2
http://www.openssh.org/txt/release-6.2p2
Diffstat (limited to 'security')
-rw-r--r-- | security/openssh-portable/Makefile | 48 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 20 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn-window-size | 24 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-sshd-utmp-size | 36 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-auth1.c | 68 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-auth2.c | 63 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-loginrec.c | 28 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-readconf.c | 42 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-servconf.c | 31 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-session.c | 56 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.1 | 27 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 94 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd.c | 6 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config | 47 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config.5 | 40 |
15 files changed, 369 insertions, 261 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index dcef21ca3821..46dd3bfb9521 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 5.8p2 -PORTREVISION= 5 +DISTVERSION= 6.2p2 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -20,9 +19,9 @@ MAN8= sftp-server.8 sshd.8 ssh-keysign.8 ssh-pkcs11-helper.8 CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* -# XXX: ports/52706 will allow using DEFAULT,x509,gsskex here. +# XXX: ports/52706 will allow using DEFAULT,x509 here. PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/ \ - http://mirror.shatow.net/freebsd/${PORTNAME}/:x509,gsskex + http://mirror.shatow.net/freebsd/${PORTNAME}/:x509 USE_PERL5_BUILD= yes USE_AUTOTOOLS= autoconf autoheader @@ -40,22 +39,22 @@ SUDO?= # empty MAKE_ENV+= SUDO="${SUDO}" OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ - KERB_GSSAPI HPN LPK X509 \ - OVERWRITE_BASE SCTP -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS + HPN LPK X509 \ + OVERWRITE_BASE SCTP AES_THREADED +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= Enable tcp_wrappers support BSM_DESC= Enable OpenBSM Auditing -KERB_GSSAPI_DESC= Enable Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= Enable HPN-SSH patch -LPK_DESC= Enable LDAP Public Key (LPK) patch +LPK_DESC= Enable LDAP Public Key (LPK) [OBSOLETE] X509_DESC= Enable x509 certificate patch SCTP_DESC= Enable SCTP support OVERWRITE_BASE_DESC= OpenSSH overwrite base HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) +AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental] .include <bsd.port.pre.mk> 
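Review bot: `OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN` in the `@@ -40,22 +39,22 @@` hunk turns a third-party patch on for every default build, while the commit message itself describes the HPN patch as mostly abandoned upstream, buggy since 5.9, and incomplete in its debugging/logging part. Patching the channel and cipher paths of a privileged network daemon by default enlarges its attack surface for users who never selected the option, and an OPTIONS description cannot express that tradeoff. Consider leaving HPN out of OPTIONS_DEFAULT until the reworked patch has settled, or at least let the description carry the status the commit message states, e.g. `HPN_DESC= Enable HPN-SSH patch (locally reworked, lightly tested)`.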
@@ -63,8 +62,11 @@ MIT_DESC= MIT Kerberos (security/krb5) CONFIGURE_LIBS+= -lutil .endif +# 900007 is when utmp(5) was removed and utmpx(3) added .if ${OSVERSION} >= 900007 CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog +.else +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size .endif .if ${PORT_OPTIONS:MX509} @@ -72,8 +74,8 @@ CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog BROKEN= X509 patch and HPN patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MKERB_GSSAPI} -BROKEN= X509 patch incompatible with KERB_GSSAPI patch +. if ${PORT_OPTIONS:MAES_THREADED} +BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together . endif . if ${PORT_OPTIONS:MSCTP} @@ -118,11 +120,6 @@ IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in bas CONFIGURE_LIBS+= -lgssapi_krb5 . endif . endif -.if ${PORT_OPTIONS:MKERB_GSSAPI} -PATCH_SITES+= http://www.sxw.org.uk/computing/patches/:gsskex -PATCHFILES+= openssh-5.7p1-gsskex-all-20110125.patch:gsskex -PATCH_DIST_STRIP= -.endif .if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty 
@@ -135,15 +132,25 @@ CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} # http://www.psc.edu/index.php/hpn-ssh .if ${PORT_OPTIONS:MHPN} -PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz +HPN_VERSION= 13v14 +PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size +PATCH_DIST_STRIP= +.endif + +# http://www.psc.edu/index.php/hpn-ssh +.if ${PORT_OPTIONS:MAES_THREADED} +AES_THREADED_VERSION= v14 +PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz PATCH_DIST_STRIP= .endif # See http://code.google.com/p/openssh-lpk/wiki/Main # and svn repo described here: # http://code.google.com/p/openssh-lpk/source/checkout +# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1 .if ${PORT_OPTIONS:MLPK} -PATCHFILES+= ${PORTNAME}-lpk-5.8p2.patch.gz +PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz USE_OPENLDAP= yes CPPFLAGS+= -I${LOCALBASE}/include CONFIGURE_ARGS+= --with-ldap=yes \ @@ -154,8 +161,9 @@ CONFIGURE_LIBS+= -lldap # See http://www.roumenpetrov.info/openssh/ .if ${PORT_OPTIONS:MX509} -PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-7.0/:x509 -PATCHFILES+= ${PORTNAME}-5.8p1+x509-7.0.diff.gz:x509 +X509_VERSION= 7.4.1 +PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 +PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509 PATCH_DIST_STRIP= -p1 PLIST_SUB+= X509="" MAN5+= ssh_engine.5 diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index d8e67f738b72..0ad77f8e1f23 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo 
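Review bot: The `# http://www.psc.edu/index.php/hpn-ssh` comment is now duplicated above both the HPN and the AES_THREADED blocks in the `@@ -135,15 +132,25 @@` hunk, yet the only ungrouped PATCH_SITES entry visible in this diff is mirror.shatow.net, and the commit message says the HPN patch was reworked and split locally rather than taken from that site. The file names `${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz` and `${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz` thus carry upstream version labels for content that, per the commit message, is a local derivative, which matters to anyone auditing what is compiled into sshd or reconciling the distinfo checksums. A provenance comment on each block would save that work, e.g. `# Reworked from the upstream hpn13v14 patch and split into HPN / AES_THREADED; hosted on mirror.shatow.net, source at https://github.com/bdrewery/openssh`.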
@@ -1,12 +1,12 @@ -SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314 -SIZE (openssh-5.8p2.tar.gz) = 1115475 -SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7 -SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993 -SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b -SIZE (openssh-5.8p1+x509-7.0.diff.gz) = 184277 -SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) = bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359 -SIZE (openssh-5.7p1-gsskex-all-20110125.patch) = 91889 -SHA256 (openssh-lpk-5.8p2.patch.gz) = 718221d13a09fdf5be857cc4b349e61698c42ae47bd357bd5c83f331d490c6c7 -SIZE (openssh-lpk-5.8p2.patch.gz) = 17822 +SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b +SIZE (openssh-6.2p2.tar.gz) = 1182922 +SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b +SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984 +SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9 +SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908 +SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae +SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496 +SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24 +SIZE (openssh-lpk-6.2p1.patch.gz) = 17881 SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03 SIZE (openssh-sctp-2163.patch.gz) = 6764 diff --git a/security/openssh-portable/files/extra-patch-hpn-window-size b/security/openssh-portable/files/extra-patch-hpn-window-size new file mode 100644 index 000000000000..76f50a43eccb --- /dev/null +++ b/security/openssh-portable/files/extra-patch-hpn-window-size 
@@ -0,0 +1,24 @@ +r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines +Changed paths: + M /user/brooks/openssh-hpn/channels.h + +It looks like the HPN patch didn't track the window size bump in OpenBSD +rev 1.89 back in 2007. Chase the updates to reduce diffs to head + +Index: channels.h +=================================================================== +--- channels.h (revision 223212) ++++ channels.h (revision 223213) +@@ -163,10 +163,10 @@ + + /* default window/packet sizes for tcp/x11-fwd-channel */ + #define CHAN_SES_PACKET_DEFAULT (32*1024) +-#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT) ++#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT) + + #define CHAN_TCP_PACKET_DEFAULT (32*1024) +-#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT) ++#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT) + + #define CHAN_X11_PACKET_DEFAULT (16*1024) + #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) diff --git a/security/openssh-portable/files/extra-patch-sshd-utmp-size b/security/openssh-portable/files/extra-patch-sshd-utmp-size new file mode 100644 index 000000000000..d72985ff7768 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-sshd-utmp-size 
@@ -0,0 +1,36 @@ +r184122 | des | 2008-10-21 06:58:26 -0500 (Tue, 21 Oct 2008) | 11 lines +Changed paths: + M /head/crypto/openssh/loginrec.c + M /head/crypto/openssh/sshd.c + +At some point, construct_utmp() was changed to use realhostname() to fill +in the struct utmp due to concerns about the length of the hostname buffer. +However, this breaks the UseDNS option. There is a simpler and better +solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of +MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the +buffer. + +PR: bin/97499 +Submitted by: Bruce Cran <bruce@cran.org.uk> + +Index: sshd.c +=================================================================== +--- sshd.c (revision 184121) ++++ sshd.c (revision 184122) +@@ -72,6 +72,7 @@ + #include <stdlib.h> + #include <string.h> + #include <unistd.h> ++#include <utmp.h> + + #include <openssl/dh.h> + #include <openssl/bn.h> +@@ -238,7 +239,7 @@ + u_int session_id2_len = 0; + + /* record remote hostname or ip */ +-u_int utmp_len = MAXHOSTNAMELEN; ++u_int utmp_len = UT_HOSTSIZE; + + /* options.max_startup sized array of fd ints */ + int *startup_pipes = NULL; diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c deleted file mode 100644 index 2b98f7f5b2e0..000000000000 --- a/security/openssh-portable/files/patch-auth1.c +++ /dev/null 
@@ -1,68 +0,0 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines -Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c - -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 - ---- auth1.c.orig 2010-06-25 18:01:33.000000000 -0600 -+++ auth1.c 2010-09-14 16:14:12.000000000 -0600 -@@ -40,6 +40,7 @@ - #endif - #include "monitor_wrap.h" - #include "buffer.h" -+#include "canohost.h" - - /* import */ - extern ServerOptions options; -@@ -239,6 +240,13 @@ - char info[1024]; - int prev = 0, type = 0; - const struct AuthMethod1 *meth; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.use_dns); -+ from_ip = get_remote_ipaddr(); -+#endif - - debug("Attempting authentication for %s%.100s.", - authctxt->valid ? 
"" : "invalid user ", authctxt->user); -@@ -292,6 +300,26 @@ - goto skip; - } - -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ - if (!*(meth->enabled)) { - verbose("%s authentication disabled.", meth->name); - goto skip; diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c index 0c5730a733c6..f94918e9477a 100644 --- a/security/openssh-portable/files/patch-auth2.c +++ b/security/openssh-portable/files/patch-auth2.c 
@@ -1,31 +1,12 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines +r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c + M /head/crypto/openssh/auth2.c -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 +Apply class-imposed login restrictions. --- auth2.c.orig 2009-06-22 00:11:07.000000000 -0600 +++ auth2.c 2010-09-14 16:14:12.000000000 -0600 -@@ -46,6 +46,7 @@ - #include "key.h" - #include "hostfile.h" - #include "auth.h" -+#include "canohost.h" - #include "dispatch.h" - #include "pathnames.h" - #include "buffer.h" -@@ -217,6 +218,13 @@ +@@ -222,6 +221,13 @@ Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; 
@@ -39,29 +20,29 @@ PR: 35904 if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -261,6 +269,27 @@ +@@ -274,6 +274,27 @@ "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } ++ if (authctxt->pw != NULL) { ++ lc = login_getpwclass(authctxt->pw); ++ if (lc == NULL) ++ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ logit("Denied connection for %.200s from %.200s [%.200s].", ++ authctxt->pw->pw_name, from_host, from_ip); ++ packet_disconnect("Sorry, you are not allowed to connect."); ++ } ++ if (!auth_timeok(lc, time(NULL))) { ++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", ++ authctxt->pw->pw_name, from_host); ++ packet_disconnect("Logins not available right now."); ++ } ++ login_close(lc); ++ lc = NULL; ++ } +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ diff --git a/security/openssh-portable/files/patch-loginrec.c b/security/openssh-portable/files/patch-loginrec.c deleted file mode 100644 index 8e2e847a2252..000000000000 --- a/security/openssh-portable/files/patch-loginrec.c +++ /dev/null 
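Review bot: The `@@ -274,6 +274,27 @@` hunk keeps the login-class `auth_hostok`/`auth_timeok` enforcement for protocol 2 (only the indentation of the added block changes), but the companion patch-auth1.c that applied the same check in the protocol 1 authentication path is deleted by this commit, so host or time restrictions set for a class in login.conf are no longer enforced when a client authenticates with protocol 1. If dropping it is deliberate because base does the same, the commit message should say so; otherwise the auth1.c hunk should be carried forward alongside this one. The sshd_config hunks in this commit do not show a `Protocol` line, so whether protocol 1 is reachable in a default installation is not visible here.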
@@ -1,28 +0,0 @@ -r63028 | dinoex | 2002-07-15 15:08:01 -0500 (Mon, 15 Jul 2002) | 6 lines - -- Fix Problem with HAVE_HOST_IN_UTMP -- update monitor.c - -PR: 40576 -Submitted by: lxv@a-send-pr.sink.omut.org - -r99768 | des | 2002-07-11 05:36:10 -0500 (Thu, 11 Jul 2002) | 6 lines - -Use realhostname_sa(3) so the IP address will be used instead of the -hostname if the latter is too long for utmp. - -Submitted by: ru - ---- loginrec.c.orig 2013-04-14 08:28:40.482762815 -0500 -+++ loginrec.c 2013-04-14 08:29:03.723757797 -0500 -@@ -694,8 +694,8 @@ - strncpy(ut->ut_name, li->username, - MIN_SIZEOF(ut->ut_name, li->username)); - # ifdef HAVE_HOST_IN_UTMP -- strncpy(ut->ut_host, li->hostname, -- MIN_SIZEOF(ut->ut_host, li->hostname)); -+ realhostname_sa(ut->ut_host, sizeof ut->ut_host, -+ &li->hostaddr.sa, li->hostaddr.sa.sa_len); - # endif - # ifdef HAVE_ADDR_IN_UTMP - /* this is just a 32-bit IP address */ diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c index 9e76a49f5990..6cb81723314c 100644 --- a/security/openssh-portable/files/patch-readconf.c +++ b/security/openssh-portable/files/patch-readconf.c @@ -6,6 +6,17 @@ Changed paths: Apply FreeBSD's configuration defaults. +------------------------------------------------------------------------ +r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines +Changed paths: + M /head/crypto/openssh/readconf.c + +Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. +Submitted upstream, no reaction. + +Submitted by: delphij@ + + --- readconf.c.orig 2010-08-03 00:04:46.000000000 -0600 +++ readconf.c 2010-09-14 16:14:12.000000000 -0600 @@ -1169,7 +1169,7 @@ 
@@ -17,3 +28,34 @@ Apply FreeBSD's configuration defaults. if (options->strict_host_key_checking == -1) options->strict_host_key_checking = 2; /* 2 is default */ if (options->compression == -1) +--- readconf.c (revision 181917) ++++ readconf.c (revision 181918) +@@ -18,6 +18,7 @@ + #include <sys/types.h> + #include <sys/stat.h> + #include <sys/socket.h> ++#include <sys/sysctl.h> + + #include <netinet/in.h> + +@@ -245,7 +246,19 @@ + Forward *fwd; + #ifndef NO_IPPORT_RESERVED_CONCEPT + extern uid_t original_real_uid; +- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) ++ int ipport_reserved; ++#ifdef __FreeBSD__ ++ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ ++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", ++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) ++ ipport_reserved = IPPORT_RESERVED; ++ else ++ ipport_reserved++; ++#else ++ ipport_reserved = IPPORT_RESERVED; ++#endif ++ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0) + fatal("Privileged ports can only be forwarded by root."); + #endif + if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index f962d1ca87fc..67e45e98a1fe 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c 
@@ -1,15 +1,7 @@ -r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/myproposal.h - M /head/crypto/openssh/readconf.c - M /head/crypto/openssh/servconf.c - -Apply FreeBSD's configuration defaults. - ---- servconf.c.orig 2010-06-25 17:38:45.000000000 -0600 -+++ servconf.c 2010-09-14 16:14:12.000000000 -0600 -@@ -139,7 +139,7 @@ - { +--- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500 ++++ servconf.c 2013-05-12 21:52:43.069625377 -0500 +@@ -162,7 +162,7 @@ + /* Portable-specific options */ if (options->use_pam == -1) - options->use_pam = 0; @@ -17,7 +9,7 @@ Apply FreeBSD's configuration defaults. /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) -@@ -170,7 +170,7 @@ +@@ -197,7 +197,7 @@ if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) @@ -26,7 +18,7 @@ Apply FreeBSD's configuration defaults. if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -@@ -180,7 +180,7 @@ +@@ -207,7 +207,7 @@ if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -35,7 +27,7 @@ Apply FreeBSD's configuration defaults. if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -218,7 +218,11 @@ +@@ -245,7 +245,11 @@ if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) 
@@ -47,3 +39,12 @@ Apply FreeBSD's configuration defaults. if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) +@@ -335,7 +339,7 @@ + options->version_addendum = xstrdup(""); + /* Turn privilege separation on by default */ + if (use_privsep == -1) +- use_privsep = PRIVSEP_NOSANDBOX; ++ use_privsep = PRIVSEP_ON; + + #ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index df1ab8e9db9a..7a19c85c4787 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -1,23 +1,6 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines -Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c - -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 - ---- session.c.orig 2011-07-21 18:55:33.883559116 +0200 -+++ session.c 2011-07-21 19:02:17.789294035 +0200 -@@ -1125,6 +1143,9 @@ +--- session.c 2013-03-14 19:22:37.000000000 -0500 ++++ session.c 2013-04-12 21:10:44.510757912 -0500 +@@ -1131,6 +1136,9 @@ struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -27,7 +10,7 @@ PR: 35904 #endif /* Initialize the environment. */ -@@ -1146,6 +1167,9 @@ +@@ -1152,6 +1160,9 @@ } #endif 
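Review bot: `use_privsep = PRIVSEP_ON;` in the new `@@ -335,7 +339,7 @@` hunk moves the compiled-in default away from upstream's `PRIVSEP_NOSANDBOX`, and the same commit strips the descriptive header from patch-servconf.c (the `@@ -1,15 +1,7 @@` hunk above), so the patch no longer says why any of its defaults differ from upstream. The sshd_config.5 hunk in this commit documents the default as `sandbox`, which is presumably what PRIVSEP_ON selects in 6.2, so the three files appear to agree, but a reader of the patch alone cannot tell. A one-line header before `--- servconf.c.orig`, e.g. `Apply FreeBSD's configuration defaults; UsePrivilegeSeparation defaults to sandbox.`, would restore that. Which sandbox backend the sandbox mode uses on FreeBSD is decided at configure time and is not visible here.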
@@ -37,7 +20,7 @@ PR: 35904 #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1165,11 +1189,22 @@ +@@ -1171,11 +1182,22 @@ child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -64,7 +47,7 @@ PR: 35904 #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1190,15 +1225,9 @@ +@@ -1196,15 +1218,9 @@ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -80,35 +63,12 @@ PR: 35904 /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -@@ -1473,9 +1502,9 @@ - platform_setusercontext(pw); - +@@ -1483,7 +1499,7 @@ if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER|LOGIN_SETENV))) < 0) { ++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } -@@ -1700,6 +1729,10 @@ - */ - environ = env; - -+#ifdef HAVE_LOGIN_CAP -+ r = login_getcapbool(lc, "requirehome", 0); -+ login_close(lc); -+#endif - #if defined(KRB5) && defined(USE_AFS) - /* - * At this point, we check to see if AFS is active and if we have -@@ -1729,9 +1762,6 @@ - /* Change current directory to the user's home directory. */ - if (chdir(pw->pw_dir) < 0) { - /* Suppress missing homedir warning for chroot case */ --#ifdef HAVE_LOGIN_CAP -- r = login_getcapbool(lc, "requirehome", 0); --#endif - if (r || options.chroot_directory == NULL || - strcasecmp(options.chroot_directory, "none") == 0) - fprintf(stderr, "Could not chdir to home " diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1 new file mode 100644 index 000000000000..7d1e2a68ddf0 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh-agent.1 
@@ -0,0 +1,27 @@ +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +Index: ssh-agent.1 +=================================================================== +--- ssh-agent.1 (revision 226102) ++++ ssh-agent.1 (revision 226103) +@@ -44,7 +44,7 @@ + .Sh SYNOPSIS + .Nm ssh-agent + .Op Fl c | s +-.Op Fl d ++.Op Fl dx + .Op Fl a Ar bind_address + .Op Fl t Ar life + .Op Ar command Op Ar arg ... +@@ -103,6 +103,8 @@ + .Xr ssh-add 1 + overrides this value. + Without this option the default maximum lifetime is forever. ++.It Fl x ++Exit after the last client has disconnected. + .El + .Pp + If a commandline is given, this is executed as a subprocess of the agent. diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index 21a83d64beee..38abeaf70fbb 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c 
@@ -2,9 +2,68 @@ r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. ---- ssh-agent.c.orig 2010-04-15 23:56:22.000000000 -0600 -+++ ssh-agent.c 2010-09-14 16:14:13.000000000 -0600 -@@ -1086,6 +1086,7 @@ +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +--- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500 ++++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500 +@@ -137,15 +137,34 @@ + /* Default lifetime (0 == forever) */ + static int lifetime = 0; + ++/* ++ * Client connection count; incremented in new_socket() and decremented in ++ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is ++ * normally initialized to 1, it will never reach 0. However, if the -x ++ * option is specified, it is initialized to 0 in main(); in that case, ++ * ssh-agent will exit as soon as it has had at least one client but no ++ * longer has any. 
++ */ ++static int xcount = 1; ++ + static void + close_socket(SocketEntry *e) + { ++ int last = 0; ++ ++ if (e->type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount - 1); ++ if (--xcount == 0) ++ last = 1; ++ } + close(e->fd); + e->fd = -1; + e->type = AUTH_UNUSED; + buffer_free(&e->input); + buffer_free(&e->output); + buffer_free(&e->request); ++ if (last) ++ cleanup_exit(0); + } + + static void +@@ -900,6 +919,10 @@ + { + u_int i, old_alloc, new_alloc; + ++ if (type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount + 1); ++ ++xcount; ++ } + set_nonblock(fd); + + if (fd > max_fd) +@@ -1120,6 +1143,7 @@ + fprintf(stderr, " -d Debug mode.\n"); + fprintf(stderr, " -a socket Bind agent socket to given name.\n"); + fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); ++ fprintf(stderr, " -x Exit when the last client disconnects.\n"); + exit(1); + } + +@@ -1149,6 +1173,7 @@ /* drop */ setegid(getgid()); setgid(getgid()); @@ -12,3 +71,32 @@ Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ +@@ -1160,7 +1185,7 @@ + __progname = ssh_get_progname(av[0]); + seed_rng(); + +- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) { + switch (ch) { + case 'c': + if (s_flag) +@@ -1189,6 +1214,9 @@ + usage(); + } + break; ++ case 'x': ++ xcount = 0; ++ break; + default: + usage(); + } +@@ -1348,8 +1376,7 @@ + if (ac > 0) + parent_alive_interval = 10; + idtab_init(); +- if (!d_flag) +- signal(SIGINT, SIG_IGN); ++ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); + signal(SIGPIPE, SIG_IGN); + signal(SIGHUP, cleanup_handler); + signal(SIGTERM, cleanup_handler); diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c index 17c74f2b06dc..422d49a735b1 100644 --- a/security/openssh-portable/files/patch-sshd.c 
+++ b/security/openssh-portable/files/patch-sshd.c @@ -74,11 +74,11 @@ connections, do not protect connection handlers spawned from inetd. +#ifdef __FreeBSD__ + /* + * Initialize the resolver. This may not happen automatically -+ * before privsep chroot(). ++ * before privsep chroot(). + */ + if ((_res.options & RES_INIT) == 0) { -+ debug("res_init()"); -+ res_init(); ++ debug("res_init()"); ++ res_init(); + } +#ifdef GSSAPI + /* diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index 8802619fbcfb..4727afd69d26 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,13 +1,16 @@ -r99051 | des | 2002-06-29 05:55:18 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/ssh_config - M /head/crypto/openssh/sshd_config - -Document FreeBSD defaults. - ---- sshd_config.orig 2009-10-11 04:51:09.000000000 -0600 -+++ sshd_config 2010-09-14 16:14:13.000000000 -0600 -@@ -36,7 +36,7 @@ +--- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600 ++++ sshd_config 2013-05-13 06:46:45.153627197 -0500 +@@ -10,6 +10,9 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + ++# Note that some of FreeBSD's defaults differ from OpenBSD's, and ++# FreeBSD has a few additional options. ++ + #Port 22 + #AddressFamily any + #ListenAddress 0.0.0.0 +@@ -37,7 +40,7 @@ # Authentication: #LoginGraceTime 2m 
@@ -16,7 +19,17 @@ Document FreeBSD defaults. #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -@@ -55,11 +55,11 @@ +@@ -46,8 +49,7 @@ + #PubkeyAuthentication yes + + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +-# but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + + #AuthorizedPrincipalsFile none + +@@ -64,11 +66,11 @@ # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -31,7 +44,7 @@ Document FreeBSD defaults. #ChallengeResponseAuthentication yes # Kerberos options -@@ -72,7 +72,7 @@ +@@ -81,7 +83,7 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes @@ -40,7 +53,7 @@ Document FreeBSD defaults. # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -@@ -81,12 +81,12 @@ +@@ -90,19 +92,19 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. @@ -55,3 +68,11 @@ Document FreeBSD defaults. #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes + #PrintLastLog yes + #TCPKeepAlive yes + #UseLogin no +-UsePrivilegeSeparation sandbox # Default for new installations. ++#UsePrivilegeSeparation sandbox + #PermitUserEnvironment no + #Compression delayed + #ClientAliveInterval 0 diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index f3ab982bd0fa..3e62cb1be0bf 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 
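Review bot: The `@@ -46,8 +49,7 @@` hunk inside patch-sshd_config removes upstream's explicit `AuthorizedKeysFile .ssh/authorized_keys` line and leaves only a commented `#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2`, so an installed sshd_config now falls back to the compiled-in default and starts honouring `~/.ssh/authorized_keys2` as a second file that grants login. Upstream's own comment, also removed here, states that the explicit line exists precisely so installations only check `.ssh/authorized_keys`; widening the set of trusted key files is a policy change, and an administrator who audits only `authorized_keys` will miss keys placed in `authorized_keys2`. Either keep upstream's line and comment, or state the reason for the change in the commit message or pkg-message so the new behaviour is visible to operators.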
@@ -1,8 +1,6 @@ -Document defaults - ---- sshd_config.5.orig 2010-07-01 21:37:17.000000000 -0600 -+++ sshd_config.5 2010-08-31 05:27:27.000000000 -0600 -@@ -223,7 +223,9 @@ +--- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600 ++++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500 +@@ -277,7 +277,9 @@ .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or though authentication styles supported in @@ -13,7 +11,16 @@ Document defaults The default is .Dq yes . .It Cm ChrootDirectory -@@ -714,7 +716,22 @@ +@@ -555,7 +557,7 @@ + .Pp + .Pa /etc/hosts.equiv + and +-.Pa /etc/shosts.equiv ++.Pa /etc/ssh/shosts.equiv + are still used. + The default is + .Dq yes . +@@ -841,7 +843,22 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -36,7 +43,7 @@ Document defaults .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -757,7 +774,14 @@ +@@ -887,7 +904,14 @@ or .Dq no . The default is @@ -52,9 +59,9 @@ Document defaults .Pp If this option is set to .Dq without-password , -@@ -869,7 +893,9 @@ - Note that if this file is not readable, then public key authentication will - be refused for all users. +@@ -1006,7 +1030,9 @@ + section in + .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -63,7 +70,7 @@ Document defaults with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1009,7 +1035,7 @@ +@@ -1146,7 +1172,7 @@ .Xr sshd 8 as a non-root user. The default is 
@@ -72,7 +79,16 @@ Document defaults .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1034,7 +1060,7 @@ +@@ -1157,7 +1183,7 @@ + The goal of privilege separation is to prevent privilege + escalation by containing any corruption within the unprivileged processes. + The default is +-.Dq yes . ++.Dq sandbox . + If + .Cm UsePrivilegeSeparation + is set to +@@ -1182,7 +1208,7 @@ or .Dq no . The default is |