svn commit: r318400 - in head/security/openssh-portable: . files
Bryan Drewery
bdrewery at FreeBSD.org
Fri May 17 19:47:38 UTC 2013
Author: bdrewery
Date: Fri May 17 19:47:35 2013
New Revision: 318400
URL: http://svnweb.freebsd.org/changeset/ports/318400
Log:
- Update to 6.2p2
- The LPK patch has been updated but is obsolete, deprecated and
untested. It has been replaced by AuthorizedKeysCommand
- The upstream HPN's last update was for 6.1 and is mostly
abandoned. The patch has had bugs since 5.9. I have reworked
it and split into into HPN and AES_THREADED options. The
debugging/logging part of the patch is incomplete. I may
change the patch to more closely match our base version
eventually.
- The KERB_GSSAPI option has been removed as the patch has not
been updated by upstream since 5.7
- sshd VersionAddendum is currently not working as intended;
it will be fixed later to allow removing the port/pkg version.
- Update our patchset to match latest base version
- Bring in ssh-agent -x support from base
- I incrementally updated the port from 5.8 up to 6.2p2 along
with patches. You can find all of the versions at
https://github.com/bdrewery/openssh
Changes:
http://www.openssh.com/txt/release-5.9
http://www.openssh.org/txt/release-6.0
http://www.openssh.org/txt/release-6.1
http://www.openssh.org/txt/release-6.2
http://www.openssh.org/txt/release-6.2p2
Added:
head/security/openssh-portable/files/extra-patch-hpn-window-size (contents, props changed)
head/security/openssh-portable/files/extra-patch-sshd-utmp-size (contents, props changed)
head/security/openssh-portable/files/patch-ssh-agent.1 (contents, props changed)
Deleted:
head/security/openssh-portable/files/patch-auth1.c
head/security/openssh-portable/files/patch-loginrec.c
Modified:
head/security/openssh-portable/Makefile
head/security/openssh-portable/distinfo
head/security/openssh-portable/files/patch-auth2.c
head/security/openssh-portable/files/patch-readconf.c
head/security/openssh-portable/files/patch-servconf.c
head/security/openssh-portable/files/patch-session.c
head/security/openssh-portable/files/patch-ssh-agent.c
head/security/openssh-portable/files/patch-sshd.c
head/security/openssh-portable/files/patch-sshd_config
head/security/openssh-portable/files/patch-sshd_config.5
Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/Makefile Fri May 17 19:47:35 2013 (r318400)
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 5.8p2
-PORTREVISION= 5
+DISTVERSION= 6.2p2
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -20,9 +19,9 @@ MAN8= sftp-server.8 sshd.8 ssh-keysign.8
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
-# XXX: ports/52706 will allow using DEFAULT,x509,gsskex here.
+# XXX: ports/52706 will allow using DEFAULT,x509 here.
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/ \
- http://mirror.shatow.net/freebsd/${PORTNAME}/:x509,gsskex
+ http://mirror.shatow.net/freebsd/${PORTNAME}/:x509
USE_PERL5_BUILD= yes
USE_AUTOTOOLS= autoconf autoheader
@@ -40,22 +39,22 @@ SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
- KERB_GSSAPI HPN LPK X509 \
- OVERWRITE_BASE SCTP
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS
+ HPN LPK X509 \
+ OVERWRITE_BASE SCTP AES_THREADED
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= Enable tcp_wrappers support
BSM_DESC= Enable OpenBSM Auditing
-KERB_GSSAPI_DESC= Enable Kerberos/GSSAPI patch (req: GSSAPI)
HPN_DESC= Enable HPN-SSH patch
-LPK_DESC= Enable LDAP Public Key (LPK) patch
+LPK_DESC= Enable LDAP Public Key (LPK) [OBSOLETE]
X509_DESC= Enable x509 certificate patch
SCTP_DESC= Enable SCTP support
OVERWRITE_BASE_DESC= OpenSSH overwrite base
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
+AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental]
.include <bsd.port.pre.mk>
@@ -63,8 +62,11 @@ MIT_DESC= MIT Kerberos (security/krb5)
CONFIGURE_LIBS+= -lutil
.endif
+# 900007 is when utmp(5) was removed and utmpx(3) added
.if ${OSVERSION} >= 900007
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
+.else
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
.endif
.if ${PORT_OPTIONS:MX509}
@@ -72,8 +74,8 @@ CONFIGURE_ARGS+= --disable-utmp --disabl
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
-. if ${PORT_OPTIONS:MKERB_GSSAPI}
-BROKEN= X509 patch incompatible with KERB_GSSAPI patch
+. if ${PORT_OPTIONS:MAES_THREADED}
+BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together
. endif
. if ${PORT_OPTIONS:MSCTP}
@@ -118,11 +120,6 @@ IGNORE= You have selected HEIMDAL_BASE
CONFIGURE_LIBS+= -lgssapi_krb5
. endif
. endif
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
-PATCH_SITES+= http://www.sxw.org.uk/computing/patches/:gsskex
-PATCHFILES+= openssh-5.7p1-gsskex-all-20110125.patch:gsskex
-PATCH_DIST_STRIP=
-.endif
.if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS= # empty
@@ -135,15 +132,25 @@ CONFIGURE_ARGS+= --with-ssl-dir=${OPENSS
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN}
-PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz
+HPN_VERSION= 13v14
+PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size
+PATCH_DIST_STRIP=
+.endif
+
+# http://www.psc.edu/index.php/hpn-ssh
+.if ${PORT_OPTIONS:MAES_THREADED}
+AES_THREADED_VERSION= v14
+PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz
PATCH_DIST_STRIP=
.endif
# See http://code.google.com/p/openssh-lpk/wiki/Main
# and svn repo described here:
# http://code.google.com/p/openssh-lpk/source/checkout
+# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
.if ${PORT_OPTIONS:MLPK}
-PATCHFILES+= ${PORTNAME}-lpk-5.8p2.patch.gz
+PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz
USE_OPENLDAP= yes
CPPFLAGS+= -I${LOCALBASE}/include
CONFIGURE_ARGS+= --with-ldap=yes \
@@ -154,8 +161,9 @@ CONFIGURE_LIBS+= -lldap
# See http://www.roumenpetrov.info/openssh/
.if ${PORT_OPTIONS:MX509}
-PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-7.0/:x509
-PATCHFILES+= ${PORTNAME}-5.8p1+x509-7.0.diff.gz:x509
+X509_VERSION= 7.4.1
+PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
+PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509
PATCH_DIST_STRIP= -p1
PLIST_SUB+= X509=""
MAN5+= ssh_engine.5
Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/distinfo Fri May 17 19:47:35 2013 (r318400)
@@ -1,12 +1,12 @@
-SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314
-SIZE (openssh-5.8p2.tar.gz) = 1115475
-SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7
-SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993
-SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b
-SIZE (openssh-5.8p1+x509-7.0.diff.gz) = 184277
-SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) = bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359
-SIZE (openssh-5.7p1-gsskex-all-20110125.patch) = 91889
-SHA256 (openssh-lpk-5.8p2.patch.gz) = 718221d13a09fdf5be857cc4b349e61698c42ae47bd357bd5c83f331d490c6c7
-SIZE (openssh-lpk-5.8p2.patch.gz) = 17822
+SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
+SIZE (openssh-6.2p2.tar.gz) = 1182922
+SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b
+SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984
+SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9
+SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
+SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
+SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
+SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
+SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
SIZE (openssh-sctp-2163.patch.gz) = 6764
Added: head/security/openssh-portable/files/extra-patch-hpn-window-size
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openssh-portable/files/extra-patch-hpn-window-size Fri May 17 19:47:35 2013 (r318400)
@@ -0,0 +1,24 @@
+r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines
+Changed paths:
+ M /user/brooks/openssh-hpn/channels.h
+
+It looks like the HPN patch didn't track the window size bump in OpenBSD
+rev 1.89 back in 2007. Chase the updates to reduce diffs to head
+
+Index: channels.h
+===================================================================
+--- channels.h (revision 223212)
++++ channels.h (revision 223213)
+@@ -163,10 +163,10 @@
+
+ /* default window/packet sizes for tcp/x11-fwd-channel */
+ #define CHAN_SES_PACKET_DEFAULT (32*1024)
+-#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
++#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
+
+ #define CHAN_TCP_PACKET_DEFAULT (32*1024)
+-#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
++#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
+
+ #define CHAN_X11_PACKET_DEFAULT (16*1024)
+ #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
Added: head/security/openssh-portable/files/extra-patch-sshd-utmp-size
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openssh-portable/files/extra-patch-sshd-utmp-size Fri May 17 19:47:35 2013 (r318400)
@@ -0,0 +1,36 @@
+r184122 | des | 2008-10-21 06:58:26 -0500 (Tue, 21 Oct 2008) | 11 lines
+Changed paths:
+ M /head/crypto/openssh/loginrec.c
+ M /head/crypto/openssh/sshd.c
+
+At some point, construct_utmp() was changed to use realhostname() to fill
+in the struct utmp due to concerns about the length of the hostname buffer.
+However, this breaks the UseDNS option. There is a simpler and better
+solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of
+MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the
+buffer.
+
+PR: bin/97499
+Submitted by: Bruce Cran <bruce at cran.org.uk>
+
+Index: sshd.c
+===================================================================
+--- sshd.c (revision 184121)
++++ sshd.c (revision 184122)
+@@ -72,6 +72,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <utmp.h>
+
+ #include <openssl/dh.h>
+ #include <openssl/bn.h>
+@@ -238,7 +239,7 @@
+ u_int session_id2_len = 0;
+
+ /* record remote hostname or ip */
+-u_int utmp_len = MAXHOSTNAMELEN;
++u_int utmp_len = UT_HOSTSIZE;
+
+ /* options.max_startup sized array of fd ints */
+ int *startup_pipes = NULL;
Modified: head/security/openssh-portable/files/patch-auth2.c
==============================================================================
--- head/security/openssh-portable/files/patch-auth2.c Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-auth2.c Fri May 17 19:47:35 2013 (r318400)
@@ -1,31 +1,12 @@
-r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
+r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
- M /head/security/hpn-ssh/Makefile
- M /head/security/hpn-ssh/files/patch-auth.c
- A /head/security/hpn-ssh/files/patch-auth1.c
- A /head/security/hpn-ssh/files/patch-auth2.c
- M /head/security/hpn-ssh/files/patch-session.c
- M /head/security/openssh-portable/Makefile
- M /head/security/openssh-portable/files/patch-auth.c
- A /head/security/openssh-portable/files/patch-auth1.c
- A /head/security/openssh-portable/files/patch-auth2.c
- M /head/security/openssh-portable/files/patch-session.c
+ M /head/crypto/openssh/auth2.c
-Merged patches for HAVE_LOGIN_CAP from stable
-
-PR: 35904
+Apply class-imposed login restrictions.
--- auth2.c.orig 2009-06-22 00:11:07.000000000 -0600
+++ auth2.c 2010-09-14 16:14:12.000000000 -0600
-@@ -46,6 +46,7 @@
- #include "key.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "canohost.h"
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
-@@ -217,6 +218,13 @@
+@@ -222,6 +221,13 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
@@ -39,29 +20,29 @@ PR: 35904
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -261,6 +269,27 @@
+@@ -274,6 +274,27 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
++ if (authctxt->pw != NULL) {
++ lc = login_getpwclass(authctxt->pw);
++ if (lc == NULL)
++ lc = login_getclassbyname(NULL, authctxt->pw);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ logit("Denied connection for %.200s from %.200s [%.200s].",
++ authctxt->pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++ if (!auth_timeok(lc, time(NULL))) {
++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ authctxt->pw->pw_name, from_host);
++ packet_disconnect("Logins not available right now.");
++ }
++ login_close(lc);
++ lc = NULL;
++ }
+#endif /* HAVE_LOGIN_CAP */
+
/* reset state */
Modified: head/security/openssh-portable/files/patch-readconf.c
==============================================================================
--- head/security/openssh-portable/files/patch-readconf.c Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-readconf.c Fri May 17 19:47:35 2013 (r318400)
@@ -6,6 +6,17 @@ Changed paths:
Apply FreeBSD's configuration defaults.
+------------------------------------------------------------------------
+r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+
+Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
+Submitted upstream, no reaction.
+
+Submitted by: delphij@
+
+
--- readconf.c.orig 2010-08-03 00:04:46.000000000 -0600
+++ readconf.c 2010-09-14 16:14:12.000000000 -0600
@@ -1169,7 +1169,7 @@
@@ -17,3 +28,34 @@ Apply FreeBSD's configuration defaults.
if (options->strict_host_key_checking == -1)
options->strict_host_key_checking = 2; /* 2 is default */
if (options->compression == -1)
+--- readconf.c (revision 181917)
++++ readconf.c (revision 181918)
+@@ -18,6 +18,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/socket.h>
++#include <sys/sysctl.h>
+
+ #include <netinet/in.h>
+
+@@ -245,7 +246,19 @@
+ Forward *fwd;
+ #ifndef NO_IPPORT_RESERVED_CONCEPT
+ extern uid_t original_real_uid;
+- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
++ int ipport_reserved;
++#ifdef __FreeBSD__
++ size_t len_ipport_reserved = sizeof(ipport_reserved);
++
++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
++ ipport_reserved = IPPORT_RESERVED;
++ else
++ ipport_reserved++;
++#else
++ ipport_reserved = IPPORT_RESERVED;
++#endif
++ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
+ fatal("Privileged ports can only be forwarded by root.");
+ #endif
+ if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
Modified: head/security/openssh-portable/files/patch-servconf.c
==============================================================================
--- head/security/openssh-portable/files/patch-servconf.c Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-servconf.c Fri May 17 19:47:35 2013 (r318400)
@@ -1,15 +1,7 @@
-r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/myproposal.h
- M /head/crypto/openssh/readconf.c
- M /head/crypto/openssh/servconf.c
-
-Apply FreeBSD's configuration defaults.
-
---- servconf.c.orig 2010-06-25 17:38:45.000000000 -0600
-+++ servconf.c 2010-09-14 16:14:12.000000000 -0600
-@@ -139,7 +139,7 @@
- {
+--- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500
++++ servconf.c 2013-05-12 21:52:43.069625377 -0500
+@@ -162,7 +162,7 @@
+
/* Portable-specific options */
if (options->use_pam == -1)
- options->use_pam = 0;
@@ -17,7 +9,7 @@ Apply FreeBSD's configuration defaults.
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -170,7 +170,7 @@
+@@ -197,7 +197,7 @@
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@@ -26,7 +18,7 @@ Apply FreeBSD's configuration defaults.
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
-@@ -180,7 +180,7 @@
+@@ -207,7 +207,7 @@
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -35,7 +27,7 @@ Apply FreeBSD's configuration defaults.
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -218,7 +218,11 @@
+@@ -245,7 +245,11 @@
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
@@ -47,3 +39,12 @@ Apply FreeBSD's configuration defaults.
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
+@@ -335,7 +339,7 @@
+ options->version_addendum = xstrdup("");
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+- use_privsep = PRIVSEP_NOSANDBOX;
++ use_privsep = PRIVSEP_ON;
+
+ #ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
Modified: head/security/openssh-portable/files/patch-session.c
==============================================================================
--- head/security/openssh-portable/files/patch-session.c Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-session.c Fri May 17 19:47:35 2013 (r318400)
@@ -1,23 +1,6 @@
-r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines
-Changed paths:
- M /head/security/hpn-ssh/Makefile
- M /head/security/hpn-ssh/files/patch-auth.c
- A /head/security/hpn-ssh/files/patch-auth1.c
- A /head/security/hpn-ssh/files/patch-auth2.c
- M /head/security/hpn-ssh/files/patch-session.c
- M /head/security/openssh-portable/Makefile
- M /head/security/openssh-portable/files/patch-auth.c
- A /head/security/openssh-portable/files/patch-auth1.c
- A /head/security/openssh-portable/files/patch-auth2.c
- M /head/security/openssh-portable/files/patch-session.c
-
-Merged patches for HAVE_LOGIN_CAP from stable
-
-PR: 35904
-
---- session.c.orig 2011-07-21 18:55:33.883559116 +0200
-+++ session.c 2011-07-21 19:02:17.789294035 +0200
-@@ -1125,6 +1143,9 @@
+--- session.c 2013-03-14 19:22:37.000000000 -0500
++++ session.c 2013-04-12 21:10:44.510757912 -0500
+@@ -1131,6 +1136,9 @@
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
@@ -27,7 +10,7 @@ PR: 35904
#endif
/* Initialize the environment. */
-@@ -1146,6 +1167,9 @@
+@@ -1152,6 +1160,9 @@
}
#endif
@@ -37,7 +20,7 @@ PR: 35904
#ifdef GSSAPI
/* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit
-@@ -1165,11 +1189,22 @@
+@@ -1171,11 +1182,22 @@
child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
#endif
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -64,7 +47,7 @@ PR: 35904
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
/*
-@@ -1190,15 +1225,9 @@
+@@ -1196,15 +1218,9 @@
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
@@ -80,35 +63,12 @@ PR: 35904
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
-@@ -1473,9 +1502,9 @@
- platform_setusercontext(pw);
-
+@@ -1483,7 +1499,7 @@
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER|LOGIN_SETENV))) < 0) {
++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
perror("unable to set user context");
exit(1);
}
-@@ -1700,6 +1729,10 @@
- */
- environ = env;
-
-+#ifdef HAVE_LOGIN_CAP
-+ r = login_getcapbool(lc, "requirehome", 0);
-+ login_close(lc);
-+#endif
- #if defined(KRB5) && defined(USE_AFS)
- /*
- * At this point, we check to see if AFS is active and if we have
-@@ -1729,9 +1762,6 @@
- /* Change current directory to the user's home directory. */
- if (chdir(pw->pw_dir) < 0) {
- /* Suppress missing homedir warning for chroot case */
--#ifdef HAVE_LOGIN_CAP
-- r = login_getcapbool(lc, "requirehome", 0);
--#endif
- if (r || options.chroot_directory == NULL ||
- strcasecmp(options.chroot_directory, "none") == 0)
- fprintf(stderr, "Could not chdir to home "
Added: head/security/openssh-portable/files/patch-ssh-agent.1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openssh-portable/files/patch-ssh-agent.1 Fri May 17 19:47:35 2013 (r318400)
@@ -0,0 +1,27 @@
+r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
+
+Add a -x option that causes ssh-agent(1) to exit when all clients have
+disconnected.
+
+Index: ssh-agent.1
+===================================================================
+--- ssh-agent.1 (revision 226102)
++++ ssh-agent.1 (revision 226103)
+@@ -44,7 +44,7 @@
+ .Sh SYNOPSIS
+ .Nm ssh-agent
+ .Op Fl c | s
+-.Op Fl d
++.Op Fl dx
+ .Op Fl a Ar bind_address
+ .Op Fl t Ar life
+ .Op Ar command Op Ar arg ...
+@@ -103,6 +103,8 @@
+ .Xr ssh-add 1
+ overrides this value.
+ Without this option the default maximum lifetime is forever.
++.It Fl x
++Exit after the last client has disconnected.
+ .El
+ .Pp
+ If a commandline is given, this is executed as a subprocess of the agent.
Modified: head/security/openssh-portable/files/patch-ssh-agent.c
==============================================================================
--- head/security/openssh-portable/files/patch-ssh-agent.c Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-ssh-agent.c Fri May 17 19:47:35 2013 (r318400)
@@ -2,9 +2,68 @@ r110506 | des | 2003-02-07 09:48:27 -060
Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
---- ssh-agent.c.orig 2010-04-15 23:56:22.000000000 -0600
-+++ ssh-agent.c 2010-09-14 16:14:13.000000000 -0600
-@@ -1086,6 +1086,7 @@
+r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
+
+Add a -x option that causes ssh-agent(1) to exit when all clients have
+disconnected.
+
+--- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500
++++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500
+@@ -137,15 +137,34 @@
+ /* Default lifetime (0 == forever) */
+ static int lifetime = 0;
+
++/*
++ * Client connection count; incremented in new_socket() and decremented in
++ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
++ * normally initialized to 1, it will never reach 0. However, if the -x
++ * option is specified, it is initialized to 0 in main(); in that case,
++ * ssh-agent will exit as soon as it has had at least one client but no
++ * longer has any.
++ */
++static int xcount = 1;
++
+ static void
+ close_socket(SocketEntry *e)
+ {
++ int last = 0;
++
++ if (e->type == AUTH_CONNECTION) {
++ debug("xcount %d -> %d", xcount, xcount - 1);
++ if (--xcount == 0)
++ last = 1;
++ }
+ close(e->fd);
+ e->fd = -1;
+ e->type = AUTH_UNUSED;
+ buffer_free(&e->input);
+ buffer_free(&e->output);
+ buffer_free(&e->request);
++ if (last)
++ cleanup_exit(0);
+ }
+
+ static void
+@@ -900,6 +919,10 @@
+ {
+ u_int i, old_alloc, new_alloc;
+
++ if (type == AUTH_CONNECTION) {
++ debug("xcount %d -> %d", xcount, xcount + 1);
++ ++xcount;
++ }
+ set_nonblock(fd);
+
+ if (fd > max_fd)
+@@ -1120,6 +1143,7 @@
+ fprintf(stderr, " -d Debug mode.\n");
+ fprintf(stderr, " -a socket Bind agent socket to given name.\n");
+ fprintf(stderr, " -t life Default identity lifetime (seconds).\n");
++ fprintf(stderr, " -x Exit when the last client disconnects.\n");
+ exit(1);
+ }
+
+@@ -1149,6 +1173,7 @@
/* drop */
setegid(getgid());
setgid(getgid());
@@ -12,3 +71,32 @@ Set the ruid to the euid at startup as a
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
+@@ -1160,7 +1185,7 @@
+ __progname = ssh_get_progname(av[0]);
+ seed_rng();
+
+- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) {
+ switch (ch) {
+ case 'c':
+ if (s_flag)
+@@ -1189,6 +1214,9 @@
+ usage();
+ }
+ break;
++ case 'x':
++ xcount = 0;
++ break;
+ default:
+ usage();
+ }
+@@ -1348,8 +1376,7 @@
+ if (ac > 0)
+ parent_alive_interval = 10;
+ idtab_init();
+- if (!d_flag)
+- signal(SIGINT, SIG_IGN);
++ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
+ signal(SIGPIPE, SIG_IGN);
+ signal(SIGHUP, cleanup_handler);
+ signal(SIGTERM, cleanup_handler);
Modified: head/security/openssh-portable/files/patch-sshd.c
==============================================================================
--- head/security/openssh-portable/files/patch-sshd.c Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-sshd.c Fri May 17 19:47:35 2013 (r318400)
@@ -74,11 +74,11 @@ connections, do not protect connection h
+#ifdef __FreeBSD__
+ /*
+ * Initialize the resolver. This may not happen automatically
-+ * before privsep chroot().
++ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
-+ debug("res_init()");
-+ res_init();
++ debug("res_init()");
++ res_init();
+ }
+#ifdef GSSAPI
+ /*
Modified: head/security/openssh-portable/files/patch-sshd_config
==============================================================================
--- head/security/openssh-portable/files/patch-sshd_config Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-sshd_config Fri May 17 19:47:35 2013 (r318400)
@@ -1,13 +1,16 @@
-r99051 | des | 2002-06-29 05:55:18 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/ssh_config
- M /head/crypto/openssh/sshd_config
-
-Document FreeBSD defaults.
-
---- sshd_config.orig 2009-10-11 04:51:09.000000000 -0600
-+++ sshd_config 2010-09-14 16:14:13.000000000 -0600
-@@ -36,7 +36,7 @@
+--- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600
++++ sshd_config 2013-05-13 06:46:45.153627197 -0500
+@@ -10,6 +10,9 @@
+ # possible, but leave them commented. Uncommented options override the
+ # default value.
+
++# Note that some of FreeBSD's defaults differ from OpenBSD's, and
++# FreeBSD has a few additional options.
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+@@ -37,7 +40,7 @@
# Authentication:
#LoginGraceTime 2m
@@ -16,7 +19,17 @@ Document FreeBSD defaults.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-@@ -55,11 +55,11 @@
+@@ -46,8 +49,7 @@
+ #PubkeyAuthentication yes
+
+ # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile .ssh/authorized_keys
++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+ #AuthorizedPrincipalsFile none
+
+@@ -64,11 +66,11 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -31,7 +44,7 @@ Document FreeBSD defaults.
#ChallengeResponseAuthentication yes
# Kerberos options
-@@ -72,7 +72,7 @@
+@@ -81,7 +83,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
@@ -40,7 +53,7 @@ Document FreeBSD defaults.
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-@@ -81,12 +81,12 @@
+@@ -90,19 +92,19 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
@@ -55,3 +68,11 @@ Document FreeBSD defaults.
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #UseLogin no
+-UsePrivilegeSeparation sandbox # Default for new installations.
++#UsePrivilegeSeparation sandbox
+ #PermitUserEnvironment no
+ #Compression delayed
+ #ClientAliveInterval 0
Modified: head/security/openssh-portable/files/patch-sshd_config.5
==============================================================================
--- head/security/openssh-portable/files/patch-sshd_config.5 Fri May 17 19:36:19 2013 (r318399)
+++ head/security/openssh-portable/files/patch-sshd_config.5 Fri May 17 19:47:35 2013 (r318400)
@@ -1,8 +1,6 @@
-Document defaults
-
---- sshd_config.5.orig 2010-07-01 21:37:17.000000000 -0600
-+++ sshd_config.5 2010-08-31 05:27:27.000000000 -0600
-@@ -223,7 +223,9 @@
+--- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600
++++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500
+@@ -277,7 +277,9 @@
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or though authentication styles supported in
@@ -13,7 +11,16 @@ Document defaults
The default is
.Dq yes .
.It Cm ChrootDirectory
-@@ -714,7 +716,22 @@
+@@ -555,7 +557,7 @@
+ .Pp
+ .Pa /etc/hosts.equiv
+ and
+-.Pa /etc/shosts.equiv
++.Pa /etc/ssh/shosts.equiv
+ are still used.
+ The default is
+ .Dq yes .
+@@ -841,7 +843,22 @@
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -36,7 +43,7 @@ Document defaults
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -757,7 +774,14 @@
+@@ -887,7 +904,14 @@
or
.Dq no .
The default is
@@ -52,9 +59,9 @@ Document defaults
.Pp
If this option is set to
.Dq without-password ,
-@@ -869,7 +893,9 @@
- Note that if this file is not readable, then public key authentication will
- be refused for all users.
+@@ -1006,7 +1030,9 @@
+ section in
+ .Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
@@ -63,7 +70,7 @@ Document defaults
with successful RSA host authentication is allowed.
The default is
.Dq no .
-@@ -1009,7 +1035,7 @@
+@@ -1146,7 +1172,7 @@
.Xr sshd 8
as a non-root user.
The default is
@@ -72,7 +79,16 @@ Document defaults
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1034,7 +1060,7 @@
+@@ -1157,7 +1183,7 @@
+ The goal of privilege separation is to prevent privilege
+ escalation by containing any corruption within the unprivileged processes.
+ The default is
+-.Dq yes .
++.Dq sandbox .
+ If
+ .Cm UsePrivilegeSeparation
+ is set to
+@@ -1182,7 +1208,7 @@
or
.Dq no .
The default is
More information about the svn-ports-head
mailing list