git: ae66cffc19f3 - main - security/openssh-portable: Update to 8.9p1

From: Bryan Drewery <bdrewery_at_FreeBSD.org>
Date: Thu, 03 Mar 2022 19:25:53 UTC
The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ae66cffc19f357cbd51d5841c9b110a9ffd63e32

commit ae66cffc19f357cbd51d5841c9b110a9ffd63e32
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-03-03 18:27:34 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:25:36 +0000

    security/openssh-portable: Update to 8.9p1
    
    - Unbreak GSSAPI [1]
    - rc.d/openssh: Allow modifying host key generation [2]
    
    Changes: https://www.openssh.com/txt/release-8.9
    PR:             259909 [1]
    PR:             202169 [2]
    Submitted by:   Rick Miller [1]
    Submitted by:   Chad Jacob Milios [2]
---
 security/openssh-portable/Makefile                 |  8 ++---
 security/openssh-portable/distinfo                 |  8 +++--
 .../files/extra-patch-gssapi-auth2-gss.c           | 19 +++++++++++
 .../files/extra-patch-gssapi-sshconnect2.c         | 12 -------
 security/openssh-portable/files/extra-patch-hpn    | 16 ++++-----
 .../openssh-portable/files/extra-patch-tcpwrappers | 12 +++----
 security/openssh-portable/files/openssh.in         | 39 +++++++++++++++-------
 .../files/patch-platform-tracing.c                 | 25 --------------
 security/openssh-portable/files/patch-ssh-agent.c  | 22 ++++++------
 9 files changed, 80 insertions(+), 81 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index aa173a32ce63..578274ed6edb 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,8 +1,8 @@
 # Created by: dwcjr@inethouston.net
 
 PORTNAME=	openssh
-DISTVERSION=	8.8p1
-PORTREVISION=	2
+DISTVERSION=	8.9p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -100,7 +100,7 @@ PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
-BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
+#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
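Review bot: `#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.` leaves the marker as commented-out code instead of deleting it; git history already preserves the line, and a commented assignment inside the `.if` block reads as if it might still be in effect. Drop the line, or if it is meant as a reminder for the next version bump, make that explicit with a real comment such as `# Re-add BROKEN here when a new DISTVERSION has no gsskex patch yet`.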
@@ -114,7 +114,7 @@ PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_S
 # Bump this when updating the patch location
 GSSAPI_UPDATE_DATE=	20200607
 PATCHFILES+=	openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
-EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-sshconnect2.c
+EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-auth2-gss.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
 .endif
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index f08db16ada6a..3d0367adc20e 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,3 +1,5 @@
-TIMESTAMP = 1634059537
-SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
-SIZE (openssh-8.8p1.tar.gz) = 1815060
+TIMESTAMP = 1646332316
+SHA256 (openssh-8.9p1.tar.gz) = fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
+SIZE (openssh-8.9p1.tar.gz) = 1820282
+SHA256 (openssh-8.9p1-gsskex-all-20141021-debian-rh-20200607.patch) = 0e53e7d26c54713afdb6bca7c6034ab1b2b35483270feaa5e7665ceda9867f16
+SIZE (openssh-8.9p1-gsskex-all-20141021-debian-rh-20200607.patch) = 127245
diff --git a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
new file mode 100644
index 000000000000..3f9694c8d466
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
@@ -0,0 +1,19 @@
+--- auth2-gss.c.orig	2022-03-03 10:56:35.668672000 -0800
++++ auth2-gss.c	2022-03-03 11:03:16.048838000 -0800
+@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct 
+  * The 'gssapi_keyex' userauth mechanism.
+  */
+ static int
+-userauth_gsskeyex(struct ssh *ssh)
++userauth_gsskeyex(struct ssh *ssh, const char *method)
+ {
+ 	Authctxt *authctxt = ssh->authctxt;
+ 	int r, authenticated = 0;
+@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh 
+ 
+ Authmethod method_gsskeyex = {
+ 	"gssapi-keyex",
++	NULL,
+ 	userauth_gsskeyex,
+ 	&options.gss_authentication
+ };
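Review bot: The new patch file has no header line saying what it adapts, whereas the removed extra-patch-gssapi-sshconnect2.c opened with a one-line rationale (`Avoid free(const char*)`). A lead line such as `Adapt gsskex's userauth_gsskeyex()/Authmethod to the 8.9 Authmethod layout (userauth callback takes the method name; a second struct field was added)` would tell the next updater why the file exists and when it can go away. The inserted `NULL,` initializer is positional; a trailing comment naming the field it fills (presumably the new synonym slot — verify against auth2.c in the 8.9 tree) would make a future upstream reordering of the struct visible rather than silently shifting `userauth_gsskeyex` into the wrong member. The added `method` parameter is unused in the visible part of userauth_gsskeyex, which is fine if it exists only to satisfy the callback signature, but the body continues outside the hunk.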
diff --git a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
deleted file mode 100644
index 7cb08ee12a5e..000000000000
--- a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
+++ /dev/null
@@ -1,12 +0,0 @@
-Avoid free(const char*)
---- sshconnect2.c.orig	2020-11-19 14:56:54.387846000 -0800
-+++ sshconnect2.c	2020-11-19 14:57:04.445045000 -0800
-@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
- 		/* Fall back to specified host if we are using proxy command
- 		 * and can not use DNS on that socket */
- 		if (strcmp(gss_host, "UNKNOWN") == 0) {
--			gss_host = authctxt->host;
-+			gss_host = xstrdup(authctxt->host);
- 		}
- 	} else {
- 		gss_host = xstrdup(authctxt->host);
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index ed7a78ab71a0..907775d94642 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  			free(cipher_list);
  			return 0;
  		}
---- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
-@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+--- work/openssh/clientloop.c.orig	2022-02-23 03:31:11.000000000 -0800
++++ work/openssh/clientloop.c	2022-03-02 12:53:47.624273000 -0800
+@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
  	sock = x11_connect_display(ssh);
  	if (sock < 0)
  		return NULL;
@@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c = channel_new(ssh, "x11",
  	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
- 			    __func__, ssh_err(r));
- 		return NULL;
- 	}
+@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
+ 	else
+ 		debug2_fr(r, "ssh_agent_bind_hostkey");
+ 
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
 +		c = channel_new(ssh, "authentication agent connection",
@@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	c = channel_new(ssh, "authentication agent connection",
  	    SSH_CHANNEL_OPEN, sock, sock, -1,
  	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
  	}
  	debug("Tunnel forwarding using interface %s", ifname);
  
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index ba8cc71ea828..ba7d2834a16a 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -83,11 +83,9 @@ index 0ade557..045f149 100644
  
  	/* Log the connection. */
  	laddr = get_local_ipaddr(sock_in);
-diff --git configure.ac configure.ac
-index f48ba4a..66fbe82 100644
---- configure.ac.orig	2019-04-17 15:52:57.000000000 -0700
-+++ configure.ac	2019-07-02 20:58:48.627832000 -0700
-@@ -1494,6 +1494,62 @@ else
+--- configure.ac.orig	2022-02-23 03:31:11.000000000 -0800
++++ configure.ac	2022-03-02 12:47:49.958341000 -0800
+@@ -1599,6 +1599,62 @@ else
  	AC_MSG_RESULT([no])
  fi
  
@@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5245,6 +5301,7 @@ echo "                       PAM support: $PAM_MSG"
+@@ -5593,6 +5649,7 @@ echo "                       PAM support: $PAM_MSG"
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
- echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "                   libldns support: $LDNS_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in
index ee179b28faba..fc9e5f26402a 100644
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@@ -22,6 +22,15 @@ load_rc_config ${name}
 : ${openssh_enable:="NO"}
 : ${openssh_skipportscheck="NO"}
 
+: ${openssh_dsa_keygen_enable="YES"}
+: ${openssh_dsa_keygen_flags=""}
+: ${openssh_rsa_keygen_enable="YES"}
+: ${openssh_rsa_keygen_flags=""}
+: ${openssh_ecdsa_keygen_enable="YES"}
+: ${openssh_ecdsa_keygen_flags=""}
+: ${openssh_ed25519_keygen_enable="YES"}
+: ${openssh_ed25519_keygen_flags=""}
+
 command=%%PREFIX%%/sbin/sshd
 extra_commands="configtest reload keygen"
 start_precmd="${name}_checks"
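Review bot: The eight new rc.conf knobs are introduced without any comment describing what they control; the script header is outside this hunk, so if it lists the supported variables it should be extended, and a short comment above this block would help, e.g. `# Per-type host key generation: openssh_<type>_keygen_enable (YES/NO) and openssh_<type>_keygen_flags (extra ssh-keygen(1) arguments)`. Note also that the new defaults use the colon-less `${var="YES"}` form of `openssh_skipportscheck` rather than the `${var:="YES"}` form of `openssh_enable` just above: with `=`, an explicitly empty value in rc.conf is kept, and checkyesno will then presumably warn and treat it as NO instead of falling back to the default — confirm that is the intended semantics. Defaulting `openssh_dsa_keygen_enable` to YES preserves the previous unconditional behaviour, so that is not a regression, but it is worth a comment that DSA is generated only for compatibility.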
@@ -33,10 +42,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
 
 openssh_keygen()
 {
-	if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_rsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
+	local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
+	checkyesno openssh_dsa_keygen_enable || skip_dsa=y
+	checkyesno openssh_rsa_keygen_enable || skip_rsa=y
+	checkyesno openssh_ecdsa_keygen_enable || skip_ecdsa=y
+	checkyesno openssh_ed25519_keygen_enable || skip_ed25519=y
+
+	if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
+	    \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
+	    \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
+	    \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
 		return 0
 	fi
 
@@ -50,8 +65,8 @@ openssh_keygen()
 		echo "You already have a DSA host key" \
 			"in %%ETCDIR%%/ssh_host_dsa_key"
 		echo "Skipping protocol version 2 DSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t dsa \
+	elif checkyesno openssh_dsa_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_dsa_key -N ''
 	fi
 
@@ -59,8 +74,8 @@ openssh_keygen()
 		echo "You already have a RSA host key" \
 			"in %%ETCDIR%%/ssh_host_rsa_key"
 		echo "Skipping protocol version 2 RSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t rsa \
+	elif checkyesno openssh_rsa_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_rsa_key -N ''
 	fi
 
@@ -68,8 +83,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve DSA host key" \
 			"in %%ETCDIR%%/ssh_host_ecdsa_key"
 		echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t ecdsa \
+	elif checkyesno openssh_ecdsa_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
 	fi
 
@@ -77,8 +92,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve ED25519 host key" \
 			"in %%ETCDIR%%/ssh_host_ed25519_key"
 		echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t ed25519 \
+	elif checkyesno openssh_ed25519_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
 	fi
 }
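Review bot: `$openssh_ed22519_keygen_flags` on the ssh-keygen line is a typo for `openssh_ed25519_keygen_flags`, the variable this commit defaults at the top of the script, so any ed25519 keygen flags a user sets are silently dropped because the misspelled name expands to nothing. The line should read `%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed25519_keygen_flags \`. The three sibling branches (dsa, rsa, ecdsa) spell their variables correctly, so only this hunk is affected.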
diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c
deleted file mode 100644
index 54f6db4421ad..000000000000
--- a/security/openssh-portable/files/patch-platform-tracing.c
+++ /dev/null
@@ -1,25 +0,0 @@
---- platform-tracing.c.orig	2021-09-26 07:03:19.000000000 -0700
-+++ platform-tracing.c	2021-10-15 10:08:20.537813000 -0700
-@@ -16,6 +16,10 @@
- 
- #include "includes.h"
- 
-+#if defined(HAVE_PROCCTL)
-+#include <string.h>
-+#include <unistd.h>
-+#endif
- #include <sys/types.h>
- #ifdef HAVE_SYS_PROCCTL_H
- #include <sys/procctl.h>
-@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
- 	/* On FreeBSD, we should make this process untraceable */
- 	int disable_trace = PROC_TRACE_CTL_DISABLE;
- 
--	if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
--		fatal("unable to make the process untraceable");
-+	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
-+		fatal("unable to make the process untraceable: %s for pid %d",
-+		    strerror(errno), (int)getpid());
- #endif
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- 	/* Disable ptrace on Linux without sgid bit */
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index de53881aa541..2937b4a7d2f9 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ ssh-agent.c	2021-04-27 11:47:59.362589000 -0700
-@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+--- ssh-agent.c.orig	2022-02-23 03:31:11.000000000 -0800
++++ ssh-agent.c	2022-03-02 12:50:47.745853000 -0800
+@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  /* Refuse signing of non-SSH messages for web-origin FIDO keys */
  static int restrict_websafe = 1;
  
@@ -27,17 +27,19 @@ disconnected.
  static void
  close_socket(SocketEntry *e)
  {
+ 	size_t i;
 +	int last = 0;
-+
+ 
 +	if (e->type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount - 1);
 +		if (--xcount == 0)
 +			last = 1;
 +	}
++
  	close(e->fd);
  	sshbuf_free(e->input);
  	sshbuf_free(e->output);
-@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
+@@ -206,6 +223,8 @@ close_socket(SocketEntry *e)
  	memset(e, '\0', sizeof(*e));
  	e->fd = -1;
  	e->type = AUTH_UNUSED;
@@ -46,7 +48,7 @@ disconnected.
  }
  
  static void
-@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
+@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd)
  
  	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
  	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@@ -57,7 +59,7 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1360,7 +1383,7 @@ static void
+@@ -1999,7 +2022,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
@@ -66,7 +68,7 @@ disconnected.
  	    "                 [-P allowed_providers] [-t life]\n"
  	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
  	    "                 [-t life] command [arg ...]\n"
-@@ -1394,6 +1417,7 @@ main(int ac, char **av)
+@@ -2033,6 +2056,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -74,7 +76,7 @@ disconnected.
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1405,7 +1429,7 @@ main(int ac, char **av)
+@@ -2044,7 +2068,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -83,7 +85,7 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1454,6 +1478,9 @@ main(int ac, char **av)
+@@ -2093,6 +2117,9 @@ main(int ac, char **av)
  				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}