svn commit: r555518 - in head/security/openssh-portable: . files

Bryan Drewery bdrewery at FreeBSD.org
Mon Nov 16 22:25:29 UTC 2020


Author: bdrewery
Date: Mon Nov 16 22:25:28 2020
New Revision: 555518
URL: https://svnweb.freebsd.org/changeset/ports/555518

Log:
  - Slightly reduce diff with base
  - No functional changes.
  
  PR:		223010
  Submitted by:	brnrd (earlier patch)

Deleted:
  head/security/openssh-portable/files/patch-configure.ac
Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/patch-auth2.c
  head/security/openssh-portable/files/patch-serverloop.c
  head/security/openssh-portable/files/patch-ssh_config.5

Modified: head/security/openssh-portable/Makefile
==============================================================================

Modified: head/security/openssh-portable/files/patch-auth2.c
==============================================================================
--- head/security/openssh-portable/files/patch-auth2.c	Mon Nov 16 21:15:56 2020	(r555517)
+++ head/security/openssh-portable/files/patch-auth2.c	Mon Nov 16 22:25:28 2020	(r555518)
@@ -5,41 +5,29 @@ Changed paths:
 
 Apply class-imposed login restrictions.
 
---- auth2.c.orig	2018-10-16 17:01:20.000000000 -0700
-+++ auth2.c	2018-11-10 11:35:07.816193000 -0800
-@@ -48,6 +48,7 @@
- #include "sshkey.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "canohost.h"
- #include "dispatch.h"
- #include "pathnames.h"
- #include "sshbuf.h"
-@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct
- 	char *user, *service, *method, *style = NULL;
- 	int authenticated = 0;
+--- auth2.c.orig	2020-09-27 00:25:01.000000000 -0700
++++ auth2.c	2020-11-16 13:55:25.222771000 -0800
+@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
+ 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ 	int r, authenticated = 0;
  	double tstart = monotime_double();
 +#ifdef HAVE_LOGIN_CAP
 +	login_cap_t *lc;
 +	const char *from_host, *from_ip;
- 
-+	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
-+	from_ip = ssh_remote_ipaddr(ssh);
 +#endif
-+
+ 
  	if (authctxt == NULL)
  		fatal("input_userauth_request: no authctxt");
- 
-@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct
- 		    "(%s,%s) -> (%s,%s)",
+@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
+ 		    "not allowed: (%s,%s) -> (%s,%s)",
  		    authctxt->user, authctxt->service, user, service);
  	}
 +
 +#ifdef HAVE_LOGIN_CAP
-+	if (authctxt->pw != NULL) {
-+		lc = login_getpwclass(authctxt->pw);
-+		if (lc == NULL)
-+			lc = login_getclassbyname(NULL, authctxt->pw);
++	if (authctxt->pw != NULL &&
++	    (lc = login_getpwclass(authctxt->pw)) != NULL) {
++		from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++		from_ip = ssh_remote_ipaddr(ssh);
 +		if (!auth_hostok(lc, from_host, from_ip)) {
 +			logit("Denied connection for %.200s from %.200s [%.200s].",
 +			    authctxt->pw->pw_name, from_host, from_ip);
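Review bot: The rewritten condition `if (authctxt->pw != NULL && (lc = login_getpwclass(authctxt->pw)) != NULL)` skips both the auth_hostok() and the auth_timeok() checks whenever login_getpwclass() returns NULL, whereas the previous version of this patch fell back to login_getclassbyname(NULL, pw); if I read libutil correctly, login_getpwclass() already substitutes the default class for an empty pw_class and returns NULL only on an actual failure, so this hunk makes a login-restriction check fail open on error, which contradicts the "No functional changes" note in the log. The safe direction is to treat that failure like a denial, e.g. adding after the block `} else if (authctxt->pw != NULL) fatal("login_getpwclass for %.100s failed", authctxt->pw->pw_name);`, or at minimum to document the decision with a comment such as `/* NULL here means login_getpwclass() failed, not "no class"; restrictions are then not applied */` so the next reader does not mistake it for a deliberate bypass. Because ssh_packet_disconnect() does not return, the login_close(lc) after a denial is never reached, which is fine for a process that is about to exit but worth a one-line comment. input_userauth_request() begins before this hunk and its remaining lines (including the `lc = NULL;` removal in the following hunk) continue past it.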
@@ -51,7 +39,6 @@ Apply class-imposed login restrictions.
 +			ssh_packet_disconnect(ssh, "Logins not available right now.");
 +		}
 +		login_close(lc);
-+		lc = NULL;
 +	}
 +#endif  /* HAVE_LOGIN_CAP */
 +

Modified: head/security/openssh-portable/files/patch-serverloop.c
==============================================================================
--- head/security/openssh-portable/files/patch-serverloop.c	Mon Nov 16 21:15:56 2020	(r555517)
+++ head/security/openssh-portable/files/patch-serverloop.c	Mon Nov 16 22:25:28 2020	(r555518)
@@ -6,12 +6,13 @@ Changed paths:
 Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
 Submitted upstream, no reaction.
 
-Submitted by:   delphij@
-[rewritten for 7.4 by bdrewery@]
+Submitted by:   delphij
+[rewritten for 7.4 by bdrewery]
+[base removed this in 7.8 but it is still useful - bdrewery]
 
---- serverloop.c.orig	2018-11-10 11:38:16.728617000 -0800
-+++ serverloop.c	2018-11-10 11:38:19.497300000 -0800
-@@ -55,6 +55,8 @@
+--- serverloop.c.orig	2020-09-27 00:25:01.000000000 -0700
++++ serverloop.c	2020-11-16 12:58:44.823775000 -0800
+@@ -56,6 +56,8 @@
  #include <unistd.h>
  #include <stdarg.h>
  
@@ -20,24 +21,32 @@ Submitted by:   delphij@
  #include "openbsd-compat/sys-queue.h"
  #include "xmalloc.h"
  #include "packet.h"
-@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid)
- {
- 	if (use_privsep)
- 		return 1; /* allow system to decide */
--	if (port < IPPORT_RESERVED && uid != 0)
-+	int ipport_reserved;
+@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *);
+ /* requested tunnel forwarding interface(s), shared with session.c */
+ char *tun_fwd_ifnames = NULL;
+ 
++static int
++ipport_reserved(void)
++{
 +#ifdef __FreeBSD__
-+	size_t len_ipport_reserved = sizeof(ipport_reserved);
++	int old;
++	size_t len = sizeof(old);
 +
 +	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
-+		ipport_reserved = IPPORT_RESERVED;
-+	else
-+		ipport_reserved++;
-+#else
-+	ipport_reserved = IPPORT_RESERVED;
++	    &old, &len, NULL, 0) == 0)
++		return (old + 1);
 +#endif
-+	if (port < ipport_reserved && uid != 0)
++	return (IPPORT_RESERVED);
++}
++
+ /* returns 1 if bind to specified port by specified user is permitted */
+ static int
+ bind_permitted(int port, uid_t uid)
+ {
+ 	if (use_privsep)
+ 		return 1; /* allow system to decide */
+-	if (port < IPPORT_RESERVED && uid != 0)
++	if (port < ipport_reserved() && uid != 0)
  		return 0;
  	return 1;
  }
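Review bot: The new helper ipport_reserved() returns `old + 1` and silently falls back to IPPORT_RESERVED when sysctlbyname() fails, and neither choice is explained; a header comment is needed, e.g. `/* One past the highest privileged port: net.inet.ip.portrange.reservedhigh is an inclusive bound on FreeBSD, so the first unprivileged port is reservedhigh + 1; IPPORT_RESERVED elsewhere, or if the sysctl cannot be read. */`. The fallback is the conservative direction (a failed read can only make bind_permitted() stricter, never looser, for the default range), but a failure is invisible to the operator, so a `debug()` of the sysctl error before the `#endif` would help diagnose a jail or MAC policy that blocks the read. Only the high bound is consulted: if an administrator raises net.inet.ip.portrange.reservedlow, this check stays stricter than the kernel, which is acceptable but could be noted in the same comment. This helper is compiled only when the patched serverloop.c is built on FreeBSD; the surrounding includes that declare sysctlbyname() are added in the earlier hunk, outside this one.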

Modified: head/security/openssh-portable/files/patch-ssh_config.5
==============================================================================
--- head/security/openssh-portable/files/patch-ssh_config.5	Mon Nov 16 21:15:56 2020	(r555517)
+++ head/security/openssh-portable/files/patch-ssh_config.5	Mon Nov 16 22:25:28 2020	(r555518)
@@ -4,9 +4,9 @@ r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Ju
 Document the FreeBSD default for CheckHostIP, which was changed in
 rev 1.2 of readconf.c.
 
---- ssh_config.5.orig	2010-08-04 21:03:13.000000000 -0600
-+++ ssh_config.5	2010-09-14 16:14:13.000000000 -0600
-@@ -377,8 +377,7 @@ or
+--- ssh_config.5.orig	2020-11-16 11:53:55.871161000 -0800
++++ ssh_config.5	2020-11-16 12:43:41.763006000 -0800
+@@ -420,8 +420,7 @@ or
  .Cm no .
  .It Cm CheckHostIP
  If set to
@@ -16,11 +16,12 @@ rev 1.2 of readconf.c.
  .Xr ssh 1
  will additionally check the host IP address in the
  .Pa known_hosts
-@@ -390,6 +389,7 @@ in the process, regardless of the settin
- .Cm StrictHostKeyChecking .
+@@ -434,6 +433,8 @@ in the process, regardless of the setting of
  If the option is set to
  .Cm no ,
-+(the default),
  the check will not be executed.
- .It Cm Cipher
- Specifies the cipher to use for encrypting the session
++The default is
++.Cm no .
+ .It Cm Ciphers
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated.

