svn commit: r555518 - in head/security/openssh-portable: . files
Bryan Drewery
bdrewery at FreeBSD.org
Mon Nov 16 22:25:29 UTC 2020
Author: bdrewery
Date: Mon Nov 16 22:25:28 2020
New Revision: 555518
URL: https://svnweb.freebsd.org/changeset/ports/555518
Log:
- Slightly reduce diff with base
- No functional changes.
PR: 223010
Submitted by: brnrd (earlier patch)
Deleted:
head/security/openssh-portable/files/patch-configure.ac
Modified:
head/security/openssh-portable/Makefile
head/security/openssh-portable/files/patch-auth2.c
head/security/openssh-portable/files/patch-serverloop.c
head/security/openssh-portable/files/patch-ssh_config.5
Modified: head/security/openssh-portable/Makefile
==============================================================================
Modified: head/security/openssh-portable/files/patch-auth2.c
==============================================================================
--- head/security/openssh-portable/files/patch-auth2.c Mon Nov 16 21:15:56 2020 (r555517)
+++ head/security/openssh-portable/files/patch-auth2.c Mon Nov 16 22:25:28 2020 (r555518)
@@ -5,41 +5,29 @@ Changed paths:
Apply class-imposed login restrictions.
---- auth2.c.orig 2018-10-16 17:01:20.000000000 -0700
-+++ auth2.c 2018-11-10 11:35:07.816193000 -0800
-@@ -48,6 +48,7 @@
- #include "sshkey.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "canohost.h"
- #include "dispatch.h"
- #include "pathnames.h"
- #include "sshbuf.h"
-@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct
- char *user, *service, *method, *style = NULL;
- int authenticated = 0;
+--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700
++++ auth2.c 2020-11-16 13:55:25.222771000 -0800
+@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
+ char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ int r, authenticated = 0;
double tstart = monotime_double();
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
-
-+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
-+ from_ip = ssh_remote_ipaddr(ssh);
+#endif
-+
+
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-
-@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct
- "(%s,%s) -> (%s,%s)",
+@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
+ "not allowed: (%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
++ if (authctxt->pw != NULL &&
++ (lc = login_getpwclass(authctxt->pw)) != NULL) {
++ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
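Review bot: The rewritten condition `authctxt->pw != NULL && (lc = login_getpwclass(authctxt->pw)) != NULL` turns a NULL login class into a silent skip of the whole class-restriction block, so a failed class lookup (allocation failure, unreadable login.conf database) fails open with no log line. The previous patch text fell back to `login_getclassbyname(NULL, authctxt->pw)` and still invoked auth_hostok(), which for a NULL lc presumably yielded the permissive default too, so the practical effect is likely the same, but dropping that fallback is not quite "no functional changes" and deserves a mention in the patch header. An `else if (authctxt->pw != NULL) logit("login class lookup failed for %.100s", authctxt->pw->pw_name);` after the block would at least make the fail-open visible to an operator. input_userauth_request() begins and ends outside this hunk, and the code following the auth_hostok() check is only partly visible here.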
@@ -51,7 +39,6 @@ Apply class-imposed login restrictions.
+ ssh_packet_disconnect(ssh, "Logins not available right now.");
+ }
+ login_close(lc);
-+ lc = NULL;
+ }
+#endif /* HAVE_LOGIN_CAP */
+
Modified: head/security/openssh-portable/files/patch-serverloop.c
==============================================================================
--- head/security/openssh-portable/files/patch-serverloop.c Mon Nov 16 21:15:56 2020 (r555517)
+++ head/security/openssh-portable/files/patch-serverloop.c Mon Nov 16 22:25:28 2020 (r555518)
@@ -6,12 +6,13 @@ Changed paths:
Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
Submitted upstream, no reaction.
-Submitted by: delphij@
-[rewritten for 7.4 by bdrewery@]
+Submitted by: delphij
+[rewritten for 7.4 by bdrewery]
+[base removed this in 7.8 but it is still useful - bdrewery]
---- serverloop.c.orig 2018-11-10 11:38:16.728617000 -0800
-+++ serverloop.c 2018-11-10 11:38:19.497300000 -0800
-@@ -55,6 +55,8 @@
+--- serverloop.c.orig 2020-09-27 00:25:01.000000000 -0700
++++ serverloop.c 2020-11-16 12:58:44.823775000 -0800
+@@ -56,6 +56,8 @@
#include <unistd.h>
#include <stdarg.h>
@@ -20,24 +21,32 @@ Submitted by: delphij@
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
#include "packet.h"
-@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid)
- {
- if (use_privsep)
- return 1; /* allow system to decide */
-- if (port < IPPORT_RESERVED && uid != 0)
-+ int ipport_reserved;
+@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *);
+ /* requested tunnel forwarding interface(s), shared with session.c */
+ char *tun_fwd_ifnames = NULL;
+
++static int
++ipport_reserved(void)
++{
+#ifdef __FreeBSD__
-+ size_t len_ipport_reserved = sizeof(ipport_reserved);
++ int old;
++ size_t len = sizeof(old);
+
+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
-+ ipport_reserved = IPPORT_RESERVED;
-+ else
-+ ipport_reserved++;
-+#else
-+ ipport_reserved = IPPORT_RESERVED;
++ &old, &len, NULL, 0) == 0)
++ return (old + 1);
+#endif
-+ if (port < ipport_reserved && uid != 0)
++ return (IPPORT_RESERVED);
++}
++
+ /* returns 1 if bind to specified port by specified user is permitted */
+ static int
+ bind_permitted(int port, uid_t uid)
+ {
+ if (use_privsep)
+ return 1; /* allow system to decide */
+- if (port < IPPORT_RESERVED && uid != 0)
++ if (port < ipport_reserved() && uid != 0)
return 0;
return 1;
}
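Review bot: The new `ipport_reserved()` helper carries no comment, and two things about it are non-obvious: `net.inet.ip.portrange.reservedhigh` is the highest reserved port inclusive, which is why the result is `old + 1` for use with the `<` comparison in bind_permitted(), and only the upper bound of the kernel's reserved range is consulted. A header comment such as `/* Exclusive upper bound of the privileged port range: reservedhigh+1 on FreeBSD, IPPORT_RESERVED elsewhere or if the sysctl fails. */` would capture both. If an administrator has raised `net.inet.ip.portrange.reservedlow`, ports below it are unprivileged in the kernel yet still refused here for non-root users — probably acceptable since bind_permitted() returns 1 under privsep before this check is reached, but worth noting in the patch header alongside "Submitted upstream, no reaction". The sysctl is also re-read on every call; cheap, though the value could be cached if this ever sits in a hot path.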
Modified: head/security/openssh-portable/files/patch-ssh_config.5
==============================================================================
--- head/security/openssh-portable/files/patch-ssh_config.5 Mon Nov 16 21:15:56 2020 (r555517)
+++ head/security/openssh-portable/files/patch-ssh_config.5 Mon Nov 16 22:25:28 2020 (r555518)
@@ -4,9 +4,9 @@ r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Ju
Document the FreeBSD default for CheckHostIP, which was changed in
rev 1.2 of readconf.c.
---- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600
-+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600
-@@ -377,8 +377,7 @@ or
+--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800
++++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800
+@@ -420,8 +420,7 @@ or
.Cm no .
.It Cm CheckHostIP
If set to
@@ -16,11 +16,12 @@ rev 1.2 of readconf.c.
.Xr ssh 1
will additionally check the host IP address in the
.Pa known_hosts
-@@ -390,6 +389,7 @@ in the process, regardless of the settin
- .Cm StrictHostKeyChecking .
+@@ -434,6 +433,8 @@ in the process, regardless of the setting of
If the option is set to
.Cm no ,
-+(the default),
the check will not be executed.
- .It Cm Cipher
- Specifies the cipher to use for encrypting the session
++The default is
++.Cm no .
+ .It Cm Ciphers
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated.