cvs commit: ports/security/ssh2 Makefile distinfo pkg-plist ports/security/ssh2/files patch-apps::ssh::sshchsession.c

Alexander Leidinger netchild at
Mon Jul 7 07:19:08 PDT 2003

netchild    2003/07/07 07:19:07 PDT

  FreeBSD ports repository

  Modified files:
    security/ssh2        Makefile distinfo pkg-plist 
  Added files:
    security/ssh2/files  patch-apps::ssh::sshchsession.c 
  Update to 3.2.5:
          * Fixed a critical security bug with RSA signature
            verification. Mitigating factors: DSA is used by default (not
            vulnerable). Also, the attack requires that attacker has the
            public key and the attacker needs to precompute the signature
            data so, that it looks like a valid PKCS#1 signature. This is a
            non-trivial task to perform without the private
            key. Nonetheless, all users should update their servers and
            clients as soon as convenient. Workarounds are to not use RSA
            keys as host keys (though connecting to existing hosts with RSA
            hostkeys poses a serious risk with a vulnerable client), and
            disabling publickey authentication. Update your clients and
   Update MASTER_SITES, remove sites that are down or no langer carry ssh2
    and add some new.
  - Turn Kerberos and group writeability support into knobs so one hasn't to
    edit the Makefile.
  - Remove dependency on security/tcp_wrapper for tcp-wrapper support on
    systems < FreeBSD 4.0, that port is no longer persistent.
  - Fix pkg-plist for WITH_STATIC_SFTP case.
  - Replace referneces to /etc/ssh2/* in man pages with references to
    PREFIX/etc/ssh2/* in order to better fit for FreeBSD.
  - Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc.
  - Remove duplicated mechanism for generating the host key if an old one isn't
    found in the post-install target in the Makefile of the port, this is
    already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile.
  - Fix differences between the install action done when installing the
    package versus installing the port. I.e. make the package create the host
    key with what ever bits ssh-keygen2 defaults to (currently 2048) instead
    of 1024 bits, copy over the configuration files for ssh2 and sshd2 from
    the examples if not already existent and create the directories for the
    global host keys and known hosts files.
  - Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2,
    i.e. configuration files that don't differ from the corresponding examples
    and empty directories. Inform the user to remove what's left over if any.
  - Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets
    set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of
    "/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH
    and seems more usefull. One might want to patch ssh2 to also use login_cap(3)
    so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf.
  - Change MAINTAINER.
  - Replace "share/doc/ssh2" with %%DATADIR%% in pkg-plist.
  Submitted by:   Marius Strobl <marius at>
  Approved by:    maintainer
  Revision  Changes    Path
  1.114     +34 -30    ports/security/ssh2/Makefile
  1.34      +1 -1      ports/security/ssh2/distinfo
  1.1       +22 -0     ports/security/ssh2/files/patch-apps::ssh::sshchsession.c (new)
  1.25      +23 -11    ports/security/ssh2/pkg-plist

More information about the cvs-ports mailing list