-rw-r--r--security/openssh-portable/Makefile48
-rw-r--r--security/openssh-portable/distinfo20
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-window-size24
-rw-r--r--security/openssh-portable/files/extra-patch-sshd-utmp-size36
-rw-r--r--security/openssh-portable/files/patch-auth1.c68
-rw-r--r--security/openssh-portable/files/patch-auth2.c63
-rw-r--r--security/openssh-portable/files/patch-loginrec.c28
-rw-r--r--security/openssh-portable/files/patch-readconf.c42
-rw-r--r--security/openssh-portable/files/patch-servconf.c31
-rw-r--r--security/openssh-portable/files/patch-session.c56
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.127
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c94
-rw-r--r--security/openssh-portable/files/patch-sshd.c6
-rw-r--r--security/openssh-portable/files/patch-sshd_config47
-rw-r--r--security/openssh-portable/files/patch-sshd_config.540
15 files changed, 369 insertions, 261 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index dcef21ca3821..46dd3bfb9521 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 5.8p2
-PORTREVISION= 5
+DISTVERSION= 6.2p2
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -20,9 +19,9 @@ MAN8= sftp-server.8 sshd.8 ssh-keysign.8 ssh-pkcs11-helper.8
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
-# XXX: ports/52706 will allow using DEFAULT,x509,gsskex here.
+# XXX: ports/52706 will allow using DEFAULT,x509 here.
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/ \
- http://mirror.shatow.net/freebsd/${PORTNAME}/:x509,gsskex
+ http://mirror.shatow.net/freebsd/${PORTNAME}/:x509
USE_PERL5_BUILD= yes
USE_AUTOTOOLS= autoconf autoheader
@@ -40,22 +39,22 @@ SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
- KERB_GSSAPI HPN LPK X509 \
- OVERWRITE_BASE SCTP
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS
+ HPN LPK X509 \
+ OVERWRITE_BASE SCTP AES_THREADED
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= Enable tcp_wrappers support
BSM_DESC= Enable OpenBSM Auditing
-KERB_GSSAPI_DESC= Enable Kerberos/GSSAPI patch (req: GSSAPI)
HPN_DESC= Enable HPN-SSH patch
-LPK_DESC= Enable LDAP Public Key (LPK) patch
+LPK_DESC= Enable LDAP Public Key (LPK) [OBSOLETE]
X509_DESC= Enable x509 certificate patch
SCTP_DESC= Enable SCTP support
OVERWRITE_BASE_DESC= OpenSSH overwrite base
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
+AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental]
.include <bsd.port.pre.mk>
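Review bot: Adding HPN to OPTIONS_DEFAULT makes the default option set conflict with X509, because the X509 block further down marks the port BROKEN when HPN is also set, so a user who simply turns on X509 now gets BROKEN unless they also know to deselect HPN; say so in the description, `X509_DESC= Enable x509 certificate patch (conflicts with HPN, which is on by default)`. It also means the stock package now ships a third-party modification to the channel/transport code rather than plain upstream OpenSSH, which deserves a one-line comment next to OPTIONS_DEFAULT explaining why HPN was made default. LPK_DESC is marked [OBSOLETE] but the option remains selectable; if it is kept only for transition, the description should say what 6.2 provides instead so people stop enabling it.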
@@ -63,8 +62,11 @@ MIT_DESC= MIT Kerberos (security/krb5)
CONFIGURE_LIBS+= -lutil
.endif
+# 900007 is when utmp(5) was removed and utmpx(3) added
.if ${OSVERSION} >= 900007
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
+.else
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
.endif
.if ${PORT_OPTIONS:MX509}
@@ -72,8 +74,8 @@ CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
-. if ${PORT_OPTIONS:MKERB_GSSAPI}
-BROKEN= X509 patch incompatible with KERB_GSSAPI patch
+. if ${PORT_OPTIONS:MAES_THREADED}
+BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together
. endif
. if ${PORT_OPTIONS:MSCTP}
@@ -118,11 +120,6 @@ IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in bas
CONFIGURE_LIBS+= -lgssapi_krb5
. endif
. endif
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
-PATCH_SITES+= http://www.sxw.org.uk/computing/patches/:gsskex
-PATCHFILES+= openssh-5.7p1-gsskex-all-20110125.patch:gsskex
-PATCH_DIST_STRIP=
-.endif
.if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS= # empty
@@ -135,15 +132,25 @@ CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN}
-PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz
+HPN_VERSION= 13v14
+PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size
+PATCH_DIST_STRIP=
+.endif
+
+# http://www.psc.edu/index.php/hpn-ssh
+.if ${PORT_OPTIONS:MAES_THREADED}
+AES_THREADED_VERSION= v14
+PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz
PATCH_DIST_STRIP=
.endif
# See http://code.google.com/p/openssh-lpk/wiki/Main
# and svn repo described here:
# http://code.google.com/p/openssh-lpk/source/checkout
+# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
.if ${PORT_OPTIONS:MLPK}
-PATCHFILES+= ${PORTNAME}-lpk-5.8p2.patch.gz
+PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz
USE_OPENLDAP= yes
CPPFLAGS+= -I${LOCALBASE}/include
CONFIGURE_ARGS+= --with-ldap=yes \
@@ -154,8 +161,9 @@ CONFIGURE_LIBS+= -lldap
# See http://www.roumenpetrov.info/openssh/
.if ${PORT_OPTIONS:MX509}
-PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-7.0/:x509
-PATCHFILES+= ${PORTNAME}-5.8p1+x509-7.0.diff.gz:x509
+X509_VERSION= 7.4.1
+PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
+PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509
PATCH_DIST_STRIP= -p1
PLIST_SUB+= X509=""
MAN5+= ssh_engine.5
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index d8e67f738b72..0ad77f8e1f23 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,12 +1,12 @@
-SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314
-SIZE (openssh-5.8p2.tar.gz) = 1115475
-SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7
-SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993
-SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b
-SIZE (openssh-5.8p1+x509-7.0.diff.gz) = 184277
-SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) = bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359
-SIZE (openssh-5.7p1-gsskex-all-20110125.patch) = 91889
-SHA256 (openssh-lpk-5.8p2.patch.gz) = 718221d13a09fdf5be857cc4b349e61698c42ae47bd357bd5c83f331d490c6c7
-SIZE (openssh-lpk-5.8p2.patch.gz) = 17822
+SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
+SIZE (openssh-6.2p2.tar.gz) = 1182922
+SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b
+SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984
+SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9
+SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
+SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
+SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
+SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
+SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
SIZE (openssh-sctp-2163.patch.gz) = 6764
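Review bot: These SHA256 lines are the only integrity check on four third-party patches that the Makefile fetches over plain http (mirror.shatow.net and roumenpetrov.info), so the new values should be confirmed against checksums published by the patch authors rather than taken from whatever a mirror served at `make makesum` time; the same goes for openssh-6.2p2.tar.gz, whose hash can be checked against the upstream-signed release. A short comment in the Makefile recording where each hash was cross-checked would make that verifiable later.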
diff --git a/security/openssh-portable/files/extra-patch-hpn-window-size b/security/openssh-portable/files/extra-patch-hpn-window-size
new file mode 100644
index 000000000000..76f50a43eccb
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-hpn-window-size
@@ -0,0 +1,24 @@
+r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines
+Changed paths:
+ M /user/brooks/openssh-hpn/channels.h
+
+It looks like the HPN patch didn't track the window size bump in OpenBSD
+rev 1.89 back in 2007. Chase the updates to reduce diffs to head
+
+Index: channels.h
+===================================================================
+--- channels.h (revision 223212)
++++ channels.h (revision 223213)
+@@ -163,10 +163,10 @@
+
+ /* default window/packet sizes for tcp/x11-fwd-channel */
+ #define CHAN_SES_PACKET_DEFAULT (32*1024)
+-#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
++#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
+
+ #define CHAN_TCP_PACKET_DEFAULT (32*1024)
+-#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
++#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
+
+ #define CHAN_X11_PACKET_DEFAULT (16*1024)
+ #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
diff --git a/security/openssh-portable/files/extra-patch-sshd-utmp-size b/security/openssh-portable/files/extra-patch-sshd-utmp-size
new file mode 100644
index 000000000000..d72985ff7768
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-sshd-utmp-size
@@ -0,0 +1,36 @@
+r184122 | des | 2008-10-21 06:58:26 -0500 (Tue, 21 Oct 2008) | 11 lines
+Changed paths:
+ M /head/crypto/openssh/loginrec.c
+ M /head/crypto/openssh/sshd.c
+
+At some point, construct_utmp() was changed to use realhostname() to fill
+in the struct utmp due to concerns about the length of the hostname buffer.
+However, this breaks the UseDNS option. There is a simpler and better
+solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of
+MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the
+buffer.
+
+PR: bin/97499
+Submitted by: Bruce Cran <bruce@cran.org.uk>
+
+Index: sshd.c
+===================================================================
+--- sshd.c (revision 184121)
++++ sshd.c (revision 184122)
+@@ -72,6 +72,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <utmp.h>
+
+ #include <openssl/dh.h>
+ #include <openssl/bn.h>
+@@ -238,7 +239,7 @@
+ u_int session_id2_len = 0;
+
+ /* record remote hostname or ip */
+-u_int utmp_len = MAXHOSTNAMELEN;
++u_int utmp_len = UT_HOSTSIZE;
+
+ /* options.max_startup sized array of fd ints */
+ int *startup_pipes = NULL;
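Review bot: The header lists loginrec.c among r184122's changed paths, but only the sshd.c hunk is carried here, so a reader will assume the loginrec.c half was lost; add a line under the description such as `(The loginrec.c part of r184122 is realised by dropping files/patch-loginrec.c, which had added the realhostname_sa() call.)`. The change itself is the right fix: with utmp_len sized to UT_HOSTSIZE, get_remote_name_or_ip() is what bounds the hostname that reaches utmp, and the Makefile applies this only on OSVERSION < 900007 where utmp still exists.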
diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c
deleted file mode 100644
index 2b98f7f5b2e0..000000000000
--- a/security/openssh-portable/files/patch-auth1.c
+++ /dev/null
@@ -1,68 +0,0 @@
-r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
-Changed paths:
- M /head/security/hpn-ssh/Makefile
- M /head/security/hpn-ssh/files/patch-auth.c
- A /head/security/hpn-ssh/files/patch-auth1.c
- A /head/security/hpn-ssh/files/patch-auth2.c
- M /head/security/hpn-ssh/files/patch-session.c
- M /head/security/openssh-portable/Makefile
- M /head/security/openssh-portable/files/patch-auth.c
- A /head/security/openssh-portable/files/patch-auth1.c
- A /head/security/openssh-portable/files/patch-auth2.c
- M /head/security/openssh-portable/files/patch-session.c
-
-Merged patches for HAVE_LOGIN_CAP from stable
-
-PR: 35904
-
---- auth1.c.orig 2010-06-25 18:01:33.000000000 -0600
-+++ auth1.c 2010-09-14 16:14:12.000000000 -0600
-@@ -40,6 +40,7 @@
- #endif
- #include "monitor_wrap.h"
- #include "buffer.h"
-+#include "canohost.h"
-
- /* import */
- extern ServerOptions options;
-@@ -239,6 +240,13 @@
- char info[1024];
- int prev = 0, type = 0;
- const struct AuthMethod1 *meth;
-+#ifdef HAVE_LOGIN_CAP
-+ login_cap_t *lc;
-+ const char *from_host, *from_ip;
-+
-+ from_host = get_canonical_hostname(options.use_dns);
-+ from_ip = get_remote_ipaddr();
-+#endif
-
- debug("Attempting authentication for %s%.100s.",
- authctxt->valid ? "" : "invalid user ", authctxt->user);
-@@ -292,6 +300,26 @@
- goto skip;
- }
-
-+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+
- if (!*(meth->enabled)) {
- verbose("%s authentication disabled.", meth->name);
- goto skip;
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index 0c5730a733c6..f94918e9477a 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -1,31 +1,12 @@
-r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
+r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
- M /head/security/hpn-ssh/Makefile
- M /head/security/hpn-ssh/files/patch-auth.c
- A /head/security/hpn-ssh/files/patch-auth1.c
- A /head/security/hpn-ssh/files/patch-auth2.c
- M /head/security/hpn-ssh/files/patch-session.c
- M /head/security/openssh-portable/Makefile
- M /head/security/openssh-portable/files/patch-auth.c
- A /head/security/openssh-portable/files/patch-auth1.c
- A /head/security/openssh-portable/files/patch-auth2.c
- M /head/security/openssh-portable/files/patch-session.c
+ M /head/crypto/openssh/auth2.c
-Merged patches for HAVE_LOGIN_CAP from stable
-
-PR: 35904
+Apply class-imposed login restrictions.
--- auth2.c.orig 2009-06-22 00:11:07.000000000 -0600
+++ auth2.c 2010-09-14 16:14:12.000000000 -0600
-@@ -46,6 +46,7 @@
- #include "key.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "canohost.h"
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
-@@ -217,6 +218,13 @@
+@@ -222,6 +221,13 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
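Review bot: With files/patch-auth1.c deleted in this same commit, the auth_hostok()/auth_timeok() login-class checks this patch adds to input_userauth_request() no longer have a protocol-1 counterpart, so unless the build disables protocol 1 a class's host/time restrictions are not enforced for SSH1 logins after this change; either carry an auth1.c patch again or record the gap in this header. The inner hunk headers are also inconsistent with each other (`-222,6 +221,13` has a new-side start below the old-side start, and the second hunk's `+274` does not account for the seven lines the first one adds); patch(1) copes with offsets, but regenerating the file with `diff -u` against a patched tree would give honest headers. Dropping the `#include "canohost.h"` hunk is only safe if 6.2's auth2.c already includes it, since the added code presumably still calls get_canonical_hostname()/get_remote_ipaddr() to fill from_host/from_ip.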
@@ -39,29 +20,29 @@ PR: 35904
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -261,6 +269,27 @@
+@@ -274,6 +274,27 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
++ if (authctxt->pw != NULL) {
++ lc = login_getpwclass(authctxt->pw);
++ if (lc == NULL)
++ lc = login_getclassbyname(NULL, authctxt->pw);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ logit("Denied connection for %.200s from %.200s [%.200s].",
++ authctxt->pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++ if (!auth_timeok(lc, time(NULL))) {
++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ authctxt->pw->pw_name, from_host);
++ packet_disconnect("Logins not available right now.");
++ }
++ login_close(lc);
++ lc = NULL;
++ }
+#endif /* HAVE_LOGIN_CAP */
+
/* reset state */
diff --git a/security/openssh-portable/files/patch-loginrec.c b/security/openssh-portable/files/patch-loginrec.c
deleted file mode 100644
index 8e2e847a2252..000000000000
--- a/security/openssh-portable/files/patch-loginrec.c
+++ /dev/null
@@ -1,28 +0,0 @@
-r63028 | dinoex | 2002-07-15 15:08:01 -0500 (Mon, 15 Jul 2002) | 6 lines
-
-- Fix Problem with HAVE_HOST_IN_UTMP
-- update monitor.c
-
-PR: 40576
-Submitted by: lxv@a-send-pr.sink.omut.org
-
-r99768 | des | 2002-07-11 05:36:10 -0500 (Thu, 11 Jul 2002) | 6 lines
-
-Use realhostname_sa(3) so the IP address will be used instead of the
-hostname if the latter is too long for utmp.
-
-Submitted by: ru
-
---- loginrec.c.orig 2013-04-14 08:28:40.482762815 -0500
-+++ loginrec.c 2013-04-14 08:29:03.723757797 -0500
-@@ -694,8 +694,8 @@
- strncpy(ut->ut_name, li->username,
- MIN_SIZEOF(ut->ut_name, li->username));
- # ifdef HAVE_HOST_IN_UTMP
-- strncpy(ut->ut_host, li->hostname,
-- MIN_SIZEOF(ut->ut_host, li->hostname));
-+ realhostname_sa(ut->ut_host, sizeof ut->ut_host,
-+ &li->hostaddr.sa, li->hostaddr.sa.sa_len);
- # endif
- # ifdef HAVE_ADDR_IN_UTMP
- /* this is just a 32-bit IP address */
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
index 9e76a49f5990..6cb81723314c 100644
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -6,6 +6,17 @@ Changed paths:
Apply FreeBSD's configuration defaults.
+------------------------------------------------------------------------
+r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+
+Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
+Submitted upstream, no reaction.
+
+Submitted by: delphij@
+
+
--- readconf.c.orig 2010-08-03 00:04:46.000000000 -0600
+++ readconf.c 2010-09-14 16:14:12.000000000 -0600
@@ -1169,7 +1169,7 @@
@@ -17,3 +28,34 @@ Apply FreeBSD's configuration defaults.
if (options->strict_host_key_checking == -1)
options->strict_host_key_checking = 2; /* 2 is default */
if (options->compression == -1)
+--- readconf.c (revision 181917)
++++ readconf.c (revision 181918)
+@@ -18,6 +18,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
++#include <sys/sysctl.h>
+
+ #include <netinet/in.h>
+
+@@ -245,7 +246,19 @@
+ Forward *fwd;
+ #ifndef NO_IPPORT_RESERVED_CONCEPT
+ extern uid_t original_real_uid;
+- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
++ int ipport_reserved;
++#ifdef __FreeBSD__
++ size_t len_ipport_reserved = sizeof(ipport_reserved);
++
++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
++ ipport_reserved = IPPORT_RESERVED;
++ else
++ ipport_reserved++;
++#else
++ ipport_reserved = IPPORT_RESERVED;
++#endif
++ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
+ fatal("Privileged ports can only be forwarded by root.");
+ #endif
+ if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
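Review bot: The sysctl lookup only honours the top of FreeBSD's privileged range; the kernel's privileged ports run from `net.inet.ip.portrange.reservedlow` to `reservedhigh`, so an administrator who raises reservedlow will see ssh refuse a forward on a port the kernel would let an unprivileged user bind. The check is advisory (bind() still decides), so the cost of the mismatch is a misleading error rather than a bypass, but reading both bounds keeps the message truthful. The `ipport_reserved++` is correct because reservedhigh is inclusive while the comparison is `<`. The rewritten declarations and test, keeping the IPPORT_RESERVED fallback:
```c
	extern uid_t original_real_uid;
	int ipport_reserved, ipport_reservedlow;
#ifdef __FreeBSD__
	size_t len_ipport_reserved = sizeof(ipport_reserved);

	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
		ipport_reserved = IPPORT_RESERVED;
	else
		ipport_reserved++;
	len_ipport_reserved = sizeof(ipport_reservedlow);
	if (sysctlbyname("net.inet.ip.portrange.reservedlow",
	    &ipport_reservedlow, &len_ipport_reserved, NULL, 0) != 0)
		ipport_reservedlow = 0;
#else
	ipport_reserved = IPPORT_RESERVED;
	ipport_reservedlow = 0;
#endif
	if (newfwd->listen_port >= ipport_reservedlow &&
	    newfwd->listen_port < ipport_reserved && original_real_uid != 0)
		fatal("Privileged ports can only be forwarded by root.");
	/* … unchanged: SSH_MAX_FORWARDS_PER_DIRECTION check … */
```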
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index f962d1ca87fc..67e45e98a1fe 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -1,15 +1,7 @@
-r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/myproposal.h
- M /head/crypto/openssh/readconf.c
- M /head/crypto/openssh/servconf.c
-
-Apply FreeBSD's configuration defaults.
-
---- servconf.c.orig 2010-06-25 17:38:45.000000000 -0600
-+++ servconf.c 2010-09-14 16:14:12.000000000 -0600
-@@ -139,7 +139,7 @@
- {
+--- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500
++++ servconf.c 2013-05-12 21:52:43.069625377 -0500
+@@ -162,7 +162,7 @@
+
/* Portable-specific options */
if (options->use_pam == -1)
- options->use_pam = 0;
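Review bot: The r99048 record and its description are removed and nothing replaces them, so this patch file no longer says where its hunks come from or why, unlike the other files in this directory that keep a commit record above the diff; keep at least a one-line header such as `Apply FreeBSD's configuration defaults (use_pam, permit_root_login, x11_forwarding, password_authentication) and make UsePrivilegeSeparation=sandbox the compiled-in default.` Refreshing the `.orig` timestamps is fine, but re-adding the provenance matters more here than elsewhere because these hunks change sshd's security defaults.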
@@ -17,7 +9,7 @@ Apply FreeBSD's configuration defaults.
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -170,7 +170,7 @@
+@@ -197,7 +197,7 @@
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@@ -26,7 +18,7 @@ Apply FreeBSD's configuration defaults.
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
-@@ -180,7 +180,7 @@
+@@ -207,7 +207,7 @@
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -35,7 +27,7 @@ Apply FreeBSD's configuration defaults.
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -218,7 +218,11 @@
+@@ -245,7 +245,11 @@
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
@@ -47,3 +39,12 @@ Apply FreeBSD's configuration defaults.
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
+@@ -335,7 +339,7 @@
+ options->version_addendum = xstrdup("");
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+- use_privsep = PRIVSEP_NOSANDBOX;
++ use_privsep = PRIVSEP_ON;
+
+ #ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
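Review bot: Changing the compiled-in fallback from PRIVSEP_NOSANDBOX to PRIVSEP_ON is what now keeps sandbox mode on, since the sshd_config patch in this commit stops setting UsePrivilegeSeparation explicitly, and that dependency deserves a comment right above the assignment: `/* FreeBSD: sandbox is the compiled-in default; sshd_config no longer sets it */`. What the sandbox actually enforces depends on which backend configure selects on FreeBSD for this release — if it is the rlimit one, the extra containment of the pre-auth child is modest — so that is worth confirming before describing this to users as a sandbox. The retained upstream comment `Turn privilege separation on by default` now understates the change; reword it to say sandbox.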
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index df1ab8e9db9a..7a19c85c4787 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -1,23 +1,6 @@
-r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
-Changed paths:
- M /head/security/hpn-ssh/Makefile
- M /head/security/hpn-ssh/files/patch-auth.c
- A /head/security/hpn-ssh/files/patch-auth1.c
- A /head/security/hpn-ssh/files/patch-auth2.c
- M /head/security/hpn-ssh/files/patch-session.c
- M /head/security/openssh-portable/Makefile
- M /head/security/openssh-portable/files/patch-auth.c
- A /head/security/openssh-portable/files/patch-auth1.c
- A /head/security/openssh-portable/files/patch-auth2.c
- M /head/security/openssh-portable/files/patch-session.c
-
-Merged patches for HAVE_LOGIN_CAP from stable
-
-PR: 35904
-
---- session.c.orig 2011-07-21 18:55:33.883559116 +0200
-+++ session.c 2011-07-21 19:02:17.789294035 +0200
-@@ -1125,6 +1143,9 @@
+--- session.c 2013-03-14 19:22:37.000000000 -0500
++++ session.c 2013-04-12 21:10:44.510757912 -0500
+@@ -1131,6 +1136,9 @@
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
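Review bot: The r56266 record (`Merged patches for HAVE_LOGIN_CAP from stable`, PR 35904) is removed and nothing replaces it, leaving this patch file without any statement of what its hunks do although they still alter the setusercontext() flags and the login-class environment handling; keep a one-line header. The new `--- session.c`/`+++ session.c` names both lack the `.orig` suffix the other patches use; patch(1) does not care, but the convention makes it obvious which side is the pristine file.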
@@ -27,7 +10,7 @@ PR: 35904
#endif
/* Initialize the environment. */
-@@ -1146,6 +1167,9 @@
+@@ -1152,6 +1160,9 @@
}
#endif
@@ -37,7 +20,7 @@ PR: 35904
#ifdef GSSAPI
/* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit
-@@ -1165,11 +1189,22 @@
+@@ -1171,11 +1182,22 @@
child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
#endif
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -64,7 +47,7 @@ PR: 35904
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
/*
-@@ -1190,15 +1225,9 @@
+@@ -1196,15 +1218,9 @@
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
@@ -80,35 +63,12 @@ PR: 35904
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
-@@ -1473,9 +1502,9 @@
- platform_setusercontext(pw);
-
+@@ -1483,7 +1499,7 @@
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER|LOGIN_SETENV))) < 0) {
++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
perror("unable to set user context");
exit(1);
}
-@@ -1700,6 +1729,10 @@
- */
- environ = env;
-
-+#ifdef HAVE_LOGIN_CAP
-+ r = login_getcapbool(lc, "requirehome", 0);
-+ login_close(lc);
-+#endif
- #if defined(KRB5) && defined(USE_AFS)
- /*
- * At this point, we check to see if AFS is active and if we have
-@@ -1729,9 +1762,6 @@
- /* Change current directory to the user's home directory. */
- if (chdir(pw->pw_dir) < 0) {
- /* Suppress missing homedir warning for chroot case */
--#ifdef HAVE_LOGIN_CAP
-- r = login_getcapbool(lc, "requirehome", 0);
--#endif
- if (r || options.chroot_directory == NULL ||
- strcasecmp(options.chroot_directory, "none") == 0)
- fprintf(stderr, "Could not chdir to home "
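Review bot: Moving `login_close(lc)` up to just after `environ = env;` means any later statement in do_child that still touches lc is now a use-after-free, and the function continues past the end of this hunk, so that remaining tail should be checked before this lands; a comment on the new block, `/* lc is not used after this point */`, would pin the invariant. `r` is now assigned under HAVE_LOGIN_CAP well before the chdir() that reads it; its initialisation for the non-login.conf case is outside the hunk and should be confirmed to still precede that use.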
diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1
new file mode 100644
index 000000000000..7d1e2a68ddf0
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh-agent.1
@@ -0,0 +1,27 @@
+r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
+
+Add a -x option that causes ssh-agent(1) to exit when all clients have
+disconnected.
+
+Index: ssh-agent.1
+===================================================================
+--- ssh-agent.1 (revision 226102)
++++ ssh-agent.1 (revision 226103)
+@@ -44,7 +44,7 @@
+ .Sh SYNOPSIS
+ .Nm ssh-agent
+ .Op Fl c | s
+-.Op Fl d
++.Op Fl dx
+ .Op Fl a Ar bind_address
+ .Op Fl t Ar life
+ .Op Ar command Op Ar arg ...
+@@ -103,6 +103,8 @@
+ .Xr ssh-add 1
+ overrides this value.
+ Without this option the default maximum lifetime is forever.
++.It Fl x
++Exit after the last client has disconnected.
+ .El
+ .Pp
+ If a commandline is given, this is executed as a subprocess of the agent.
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 21a83d64beee..38abeaf70fbb 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -2,9 +2,68 @@ r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
---- ssh-agent.c.orig 2010-04-15 23:56:22.000000000 -0600
-+++ ssh-agent.c 2010-09-14 16:14:13.000000000 -0600
-@@ -1086,6 +1086,7 @@
+r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
+
+Add a -x option that causes ssh-agent(1) to exit when all clients have
+disconnected.
+
+--- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500
++++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500
+@@ -137,15 +137,34 @@
+ /* Default lifetime (0 == forever) */
+ static int lifetime = 0;
+
++/*
++ * Client connection count; incremented in new_socket() and decremented in
++ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
++ * normally initialized to 1, it will never reach 0. However, if the -x
++ * option is specified, it is initialized to 0 in main(); in that case,
++ * ssh-agent will exit as soon as it has had at least one client but no
++ * longer has any.
++ */
++static int xcount = 1;
++
+ static void
+ close_socket(SocketEntry *e)
+ {
++ int last = 0;
++
++ if (e->type == AUTH_CONNECTION) {
++ debug("xcount %d -> %d", xcount, xcount - 1);
++ if (--xcount == 0)
++ last = 1;
++ }
+ close(e->fd);
+ e->fd = -1;
+ e->type = AUTH_UNUSED;
+ buffer_free(&e->input);
+ buffer_free(&e->output);
+ buffer_free(&e->request);
++ if (last)
++ cleanup_exit(0);
+ }
+
+ static void
+@@ -900,6 +919,10 @@
+ {
+ u_int i, old_alloc, new_alloc;
+
++ if (type == AUTH_CONNECTION) {
++ debug("xcount %d -> %d", xcount, xcount + 1);
++ ++xcount;
++ }
+ set_nonblock(fd);
+
+ if (fd > max_fd)
+@@ -1120,6 +1143,7 @@
+ fprintf(stderr, " -d Debug mode.\n");
+ fprintf(stderr, " -a socket Bind agent socket to given name.\n");
+ fprintf(stderr, " -t life Default identity lifetime (seconds).\n");
++ fprintf(stderr, " -x Exit when the last client disconnects.\n");
+ exit(1);
+ }
+
+@@ -1149,6 +1173,7 @@
/* drop */
setegid(getgid());
setgid(getgid());
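Review bot: With -x, the first client to disconnect while no other is open terminates the agent, so a single probe such as an `ssh-add -l` in a shell prompt right after startup will kill it before any key is loaded; the code comment says this but the usage string does not, so expand it to `-x  Exit when the last client disconnects (after at least one has connected).`. The exit path calls cleanup_exit(0) from inside close_socket(), which is acceptable because control never returns to the select loop, but a `/* does not return */` next to it would save a reader from checking. The xcount bookkeeping itself is sound: it only counts AUTH_CONNECTION entries and the type is tested before it is reset to AUTH_UNUSED.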
@@ -12,3 +71,32 @@ Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
+@@ -1160,7 +1185,7 @@
+ __progname = ssh_get_progname(av[0]);
+ seed_rng();
+
+- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) {
+ switch (ch) {
+ case 'c':
+ if (s_flag)
+@@ -1189,6 +1214,9 @@
+ usage();
+ }
+ break;
++ case 'x':
++ xcount = 0;
++ break;
+ default:
+ usage();
+ }
+@@ -1348,8 +1376,7 @@
+ if (ac > 0)
+ parent_alive_interval = 10;
+ idtab_init();
+- if (!d_flag)
+- signal(SIGINT, SIG_IGN);
++ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
+ signal(SIGPIPE, SIG_IGN);
+ signal(SIGHUP, cleanup_handler);
+ signal(SIGTERM, cleanup_handler);
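Review bot: The change to `signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN)` is not covered by the header, which only describes the -x option, so a reader cannot tell whether it is part of r226103 or a separate local change; add a line to the header, e.g. `Also run the cleanup handler on SIGINT in debug mode so the socket is removed on ^C.`. Behaviourally it is an improvement: in debug mode SIGINT previously took the default action and left the agent socket behind.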
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 17c74f2b06dc..422d49a735b1 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -74,11 +74,11 @@ connections, do not protect connection handlers spawned from inetd.
+#ifdef __FreeBSD__
+ /*
+ * Initialize the resolver. This may not happen automatically
-+ * before privsep chroot().
++ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
-+ debug("res_init()");
-+ res_init();
++ debug("res_init()");
++ res_init();
+ }
+#ifdef GSSAPI
+ /*
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 8802619fbcfb..4727afd69d26 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,13 +1,16 @@
-r99051 | des | 2002-06-29 05:55:18 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/ssh_config
- M /head/crypto/openssh/sshd_config
-
-Document FreeBSD defaults.
-
---- sshd_config.orig 2009-10-11 04:51:09.000000000 -0600
-+++ sshd_config 2010-09-14 16:14:13.000000000 -0600
-@@ -36,7 +36,7 @@
+--- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600
++++ sshd_config 2013-05-13 06:46:45.153627197 -0500
+@@ -10,6 +10,9 @@
+ # possible, but leave them commented. Uncommented options override the
+ # default value.
+
++# Note that some of FreeBSD's defaults differ from OpenBSD's, and
++# FreeBSD has a few additional options.
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+@@ -37,7 +40,7 @@
# Authentication:
#LoginGraceTime 2m
@@ -16,7 +19,17 @@ Document FreeBSD defaults.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-@@ -55,11 +55,11 @@
+@@ -46,8 +49,7 @@
+ #PubkeyAuthentication yes
+
+ # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile .ssh/authorized_keys
++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+ #AuthorizedPrincipalsFile none
+
+@@ -64,11 +66,11 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
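Review bot: Commenting out the forced single-file setting re-enables upstream's default of also reading `.ssh/authorized_keys2` (the hunk's own comment says so), so after upgrading, a key sitting in a user's authorized_keys2 that the previous FreeBSD default ignored now grants login. That is a silent widening of the trusted-key set; if the intent is to follow upstream, call it out in the port's UPDATING/pkg-message, otherwise keep `AuthorizedKeysFile .ssh/authorized_keys` explicit.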
@@ -31,7 +44,7 @@ Document FreeBSD defaults.
#ChallengeResponseAuthentication yes
# Kerberos options
-@@ -72,7 +72,7 @@
+@@ -81,7 +83,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
@@ -40,7 +53,7 @@ Document FreeBSD defaults.
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-@@ -81,12 +81,12 @@
+@@ -90,19 +92,19 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
@@ -55,3 +68,11 @@ Document FreeBSD defaults.
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #UseLogin no
+-UsePrivilegeSeparation sandbox # Default for new installations.
++#UsePrivilegeSeparation sandbox
+ #PermitUserEnvironment no
+ #Compression delayed
+ #ClientAliveInterval 0
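Review bot: Commenting out `UsePrivilegeSeparation sandbox` makes sandbox mode depend entirely on the servconf.c patch in this commit changing the compiled-in default to PRIVSEP_ON; the two patch files are only correct together, so keep a pointer here, e.g. `#UsePrivilegeSeparation sandbox  # FreeBSD default, see patch-servconf.c`. An existing sshd_config that already says sandbox keeps working, but anyone reading the sample config no longer sees that sandbox is stronger than `yes`.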
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index f3ab982bd0fa..3e62cb1be0bf 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,8 +1,6 @@
-Document defaults
-
---- sshd_config.5.orig 2010-07-01 21:37:17.000000000 -0600
-+++ sshd_config.5 2010-08-31 05:27:27.000000000 -0600
-@@ -223,7 +223,9 @@
+--- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600
++++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500
+@@ -277,7 +277,9 @@
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or though authentication styles supported in
@@ -13,7 +11,16 @@ Document defaults
The default is
.Dq yes .
.It Cm ChrootDirectory
-@@ -714,7 +716,22 @@
+@@ -555,7 +557,7 @@
+ .Pp
+ .Pa /etc/hosts.equiv
+ and
+-.Pa /etc/shosts.equiv
++.Pa /etc/ssh/shosts.equiv
+ are still used.
+ The default is
+ .Dq yes .
+@@ -841,7 +843,22 @@
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -36,7 +43,7 @@ Document defaults
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -757,7 +774,14 @@
+@@ -887,7 +904,14 @@
or
.Dq no .
The default is
@@ -52,9 +59,9 @@ Document defaults
.Pp
If this option is set to
.Dq without-password ,
-@@ -869,7 +893,9 @@
- Note that if this file is not readable, then public key authentication will
- be refused for all users.
+@@ -1006,7 +1030,9 @@
+ section in
+ .Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
@@ -63,7 +70,7 @@ Document defaults
with successful RSA host authentication is allowed.
The default is
.Dq no .
-@@ -1009,7 +1035,7 @@
+@@ -1146,7 +1172,7 @@
.Xr sshd 8
as a non-root user.
The default is
@@ -72,7 +79,16 @@ Document defaults
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1034,7 +1060,7 @@
+@@ -1157,7 +1183,7 @@
+ The goal of privilege separation is to prevent privilege
+ escalation by containing any corruption within the unprivileged processes.
+ The default is
+-.Dq yes .
++.Dq sandbox .
+ If
+ .Cm UsePrivilegeSeparation
+ is set to
+@@ -1182,7 +1208,7 @@
or
.Dq no .
The default is