ports/122879: update security/openssh-portable
Tsurutani Naoki
turutani at scphys.kyoto-u.ac.jp
Fri Apr 18 04:00:03 UTC 2008
>Number: 122879
>Category: ports
>Synopsis: update security/openssh-portable
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 18 04:00:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 6.3-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #11: Wed Jan 16 16:30:07 JST 2008 turutani at polymer3.scphys.kyoto-u.ac.jp:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
Update security/openssh-portable. Some security issues have been reported against the currently packaged version.
>How-To-Repeat:
>Fix:
Here is a patch to the port skeleton.
Most of the changes under files/* are not strictly necessary; only patch-auth2.c and
patch-session.c are required.
openssh-lpk-5.0p1-0.3.9.patch is not available from the original site;
it can be downloaded from http://jfut.featia.net/linux/openssh/openssh-lpk-5.0p1-0.3.9.patch .
I tested the build with several port options and found no problems applying the patches.
diff -urN openssh-portable.orig/Makefile openssh-portable/Makefile
--- openssh-portable.orig/Makefile 2008-01-18 04:34:38.000000000 +0900
+++ openssh-portable/Makefile 2008-04-18 12:45:35.000000000 +0900
@@ -6,9 +6,7 @@
#
PORTNAME= openssh
-DISTVERSION= 4.7p1
-PORTREVISION= 1
-PORTEPOCH= 1
+DISTVERSION= 5.0p1
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \
ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \
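Review bot: Dropping `PORTEPOCH= 1` together with `PORTREVISION` makes the new package version `openssh-portable-5.0p1` compare lower than the installed `4.7p1_1,1`, because the epoch is the most significant component in FreeBSD package version ordering; pkg_version/portupgrade will then treat this security update as a downgrade and skip it. An epoch may only ever increase, so keep the line and remove only the revision: `DISTVERSION= 5.0p1` / `PORTEPOCH= 1`. Given the PR exists to deliver a security fix, an upgrade path that silently stalls is the worst outcome here.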
@@ -95,7 +93,7 @@
.if defined(WITH_KERB_GSSAPI)
PATCH_DIST_STRIP= -p0
PATCH_SITES+= http://www.sxw.org.uk/computing/patches/
-PATCHFILES+= openssh-4.7p1-gsskex-20070927.patch
+PATCHFILES+= openssh-5.0p1-gsskex-20080404.patch
.endif
PORTABLE_SUFFIX= # empty
GSSAPI_SUFFIX= -gssapi
@@ -140,14 +138,14 @@
.if defined(WITH_HPN)
PATCH_DIST_STRIP= -p1
PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/
-PATCHFILES+= openssh-4.7p1-hpn12v20.diff.gz
+PATCHFILES+= openssh-5.0p1-hpn13v3.diff.gz
.endif
# See http://dev.inversepath.com/trac/openssh-lpk
.if defined(WITH_LPK)
PATCH_DIST_STRIP= -p2
PATCH_SITES+= http://dev.inversepath.com/openssh-lpk/
-PATCHFILES+= openssh-lpk-4.6p1-0.3.9.patch
+PATCHFILES+= openssh-lpk-5.0p1-0.3.9.patch
USE_OPENLDAP= yes
CPPFLAGS+= "-I${LOCALBASE}/include -DWITH_LDAP_PUBKEY"
CONFIGURE_ARGS+= --with-libs='-lldap' --with-ldflags='-L/usr/local/lib' \
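Review bot: `PATCH_SITES+= http://dev.inversepath.com/openssh-lpk/` is left pointing at a site that, per the submitter's >Fix text, does not serve `openssh-lpk-5.0p1-0.3.9.patch`, so a `make fetch` with WITH_LPK would presumably fail, and the distinfo checksums for that file were taken from a personal third-party mirror rather than the project's own release. A port should not pin a checksum to a file whose only provenance is an unofficial mirror: the maintainer should diff the mirrored 5.0p1 patch against the last upstream release (`openssh-lpk-4.6p1-0.3.9.patch`) to confirm it only rebases offsets, then either add the mirror explicitly (`PATCH_SITES+= http://jfut.featia.net/linux/openssh/`) or host a verified copy on the FreeBSD LOCAL distfile cache. All of these patch sites are plain HTTP, so the SHA256 in distinfo is the sole integrity control and must be computed from a verified copy, not from whatever the mirror happened to serve.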
diff -urN openssh-portable.orig/distinfo openssh-portable/distinfo
--- openssh-portable.orig/distinfo 2008-01-18 04:34:38.000000000 +0900
+++ openssh-portable/distinfo 2008-04-18 12:44:02.000000000 +0900
@@ -1,12 +1,12 @@
-MD5 (openssh-4.7p1.tar.gz) = 50a800fd2c6def9e9a53068837e87b91
-SHA256 (openssh-4.7p1.tar.gz) = d47133f0c6737d2889bf8da7bdf389fc2268d1c7fa3cd11a52451501eab548bc
-SIZE (openssh-4.7p1.tar.gz) = 991119
-MD5 (openssh-4.7p1-gsskex-20070927.patch) = ad58a9848dcaa3ad5a2ab14182fb9212
-SHA256 (openssh-4.7p1-gsskex-20070927.patch) = 7ef9009baa842c696d356c7e5e5d022797a227531c1662dd998510e45a6dd597
-SIZE (openssh-4.7p1-gsskex-20070927.patch) = 66693
-MD5 (openssh-4.7p1-hpn12v20.diff.gz) = 7a75e87b03e4d713973c5a3330a68ab5
-SHA256 (openssh-4.7p1-hpn12v20.diff.gz) = 4b951b444f3c093ca3dbb1ae6e9825c33610719ee8ca593e660ec8248c5b09c6
-SIZE (openssh-4.7p1-hpn12v20.diff.gz) = 15211
-MD5 (openssh-lpk-4.6p1-0.3.9.patch) = f43a8aae7d69e72f0ec07bc96e46b328
-SHA256 (openssh-lpk-4.6p1-0.3.9.patch) = e12335e8bf020508ea3866db07b306f4c965e3f9de262c06f62fad494e93107e
-SIZE (openssh-lpk-4.6p1-0.3.9.patch) = 61605
+MD5 (openssh-5.0p1.tar.gz) = 1f1dfaa775f33dd3328169de9bdc292a
+SHA256 (openssh-5.0p1.tar.gz) = 73a58620cd475155be8524f46997ba1942bc9e54204eeb15f0465e54ca279f4f
+SIZE (openssh-5.0p1.tar.gz) = 1011556
+MD5 (openssh-5.0p1-gsskex-20080404.patch) = d13bf38e852e38b7f29b9e6993b00b52
+SHA256 (openssh-5.0p1-gsskex-20080404.patch) = 8f8b9910af767ce8e2a5d4854e95c8eb8b089bb250b290d22add38e9ddb1791e
+SIZE (openssh-5.0p1-gsskex-20080404.patch) = 68272
+MD5 (openssh-5.0p1-hpn13v3.diff.gz) = 95e7f78d63b419babd820c0653aa47ef
+SHA256 (openssh-5.0p1-hpn13v3.diff.gz) = e9000f969705dbdf72f7ea069e5f8a2475eb89e88e014c678ecb102ddf4bcde2
+SIZE (openssh-5.0p1-hpn13v3.diff.gz) = 24060
+MD5 (openssh-lpk-5.0p1-0.3.9.patch) = 11aa3cbecd88887a771ae8a1a7f5147d
+SHA256 (openssh-lpk-5.0p1-0.3.9.patch) = 65c32699eec19b780a06f97621fcf51dc713478414142275ce8cc63468192e85
+SIZE (openssh-lpk-5.0p1-0.3.9.patch) = 62050
diff -urN openssh-portable.orig/files/gss-serv.c.patch openssh-portable/files/gss-serv.c.patch
--- openssh-portable.orig/files/gss-serv.c.patch 2006-02-08 05:07:54.000000000 +0900
+++ openssh-portable/files/gss-serv.c.patch 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- gss-serv.c.orig Sat Nov 5 02:07:05 2005
-+++ gss-serv.c Thu Feb 2 22:45:37 2006
-@@ -134,6 +134,16 @@
+--- gss-serv.c.orig 2007-06-12 22:40:39.000000000 +0900
++++ gss-serv.c 2008-04-18 11:32:41.000000000 +0900
+@@ -191,6 +191,16 @@
OM_uint32 offset;
OM_uint32 oidl;
diff -urN openssh-portable.orig/files/openssh.in openssh-portable/files/openssh.in
--- openssh-portable.orig/files/openssh.in 2006-02-22 04:28:37.000000000 +0900
+++ openssh-portable/files/openssh.in 1970-01-01 09:00:00.000000000 +0900
@@ -1,88 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD: ports/security/openssh-portable/files/openssh.in,v 1.2 2006/02/21 19:28:37 mnag Exp $
-#
-# PROVIDE: openssh
-# REQUIRE: DAEMON
-#
-# Add the following lines to /etc/rc.conf to enable openssh:
-#
-# openssh_enable (bool): Set it to "YES" to enable openssh.
-# Default is "NO".
-# openssh_flags (flags): Set extra flags to openssh.
-# Default is "". see sshd(1).
-# openssh_pidfile (file): Set full path to pid file.
-# Default is "/var/run/sshd.pid".
-#
-
-. %%RC_SUBR%%
-
-name="openssh"
-rcvar=${name}_enable
-
-load_rc_config ${name}
-
-: ${openssh_enable="NO"}
-: ${openssh_pidfile="/var/run/sshd.pid"}
-
-command=%%PREFIX%%/sbin/sshd
-extra_commands="reload keygen"
-start_precmd="${name}_checks"
-restart_precmd="${name}_checks"
-keygen_cmd="${name}_keygen"
-pidfile=${openssh_pidfile}
-
-openssh_keygen()
-{
- if [ ! -f %%ETCSSH%%/ssh_host_key -o \
- ! -f %%ETCSSH%%/ssh_host_dsa_key -o \
- ! -f %%ETCSSH%%/ssh_host_rsa_key ]; then
-
- umask 022
-
- # Can't do anything if ssh is not installed
- [ -x %%PREFIX%%/bin/ssh-keygen ] || {
- err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
- }
-
- if [ -f %%ETCSSH%%/ssh_host_key ]; then
- echo "You already have an RSA host key" \
- "in %%ETCSSH%%/ssh_host_key"
- echo "Skipping protocol version 1 RSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t rsa1 -b 1024 \
- -f %%ETCSSH%%/ssh_host_key -N ''
- fi
-
- if [ -f %%ETCSSH%%/ssh_host_dsa_key ]; then
- echo "You already have a DSA host key" \
- "in %%ETCSSH%%/ssh_host_dsa_key"
- echo "Skipping protocol version 2 DSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t dsa \
- -f %%ETCSSH%%/ssh_host_dsa_key -N ''
- fi
-
- if [ -f %%ETCSSH%%/ssh_host_rsa_key ]; then
- echo "You already have a RSA host key" \
- "in %%ETCSSH%%/ssh_host_rsa_key"
- echo "Skipping protocol version 2 RSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t rsa \
- -f %%ETCSSH%%/ssh_host_rsa_key -N ''
- fi
-
- fi
-}
-
-openssh_checks()
-{
- if checkyesno sshd_enable ; then
- err 1 "sshd_enable is set. Please set sshd_enable to NO in your rc.conf"
- fi
-
- run_rc_command keygen
- eval "${command} -t"
-}
-
-run_rc_command "$1"
diff -urN openssh-portable.orig/files/patch-Makefile.in openssh-portable/files/patch-Makefile.in
--- openssh-portable.orig/files/patch-Makefile.in 2006-02-08 05:07:54.000000000 +0900
+++ openssh-portable/files/patch-Makefile.in 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- Makefile.in.orig Fri Feb 25 18:12:38 2005
-+++ Makefile.in Sat Mar 19 19:53:44 2005
-@@ -230,7 +230,7 @@
+--- Makefile.in.orig 2008-03-13 10:41:31.000000000 +0900
++++ Makefile.in 2008-04-18 11:32:41.000000000 +0900
+@@ -231,7 +231,7 @@
-rm -rf autom4te.cache
(cd scard && $(MAKE) -f Makefile.in distprep)
diff -urN openssh-portable.orig/files/patch-auth.c openssh-portable/files/patch-auth.c
--- openssh-portable.orig/files/patch-auth.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-auth.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- auth.c.orig Wed Sep 6 21:36:43 2006
-+++ auth.c Sat Sep 30 10:38:04 2006
-@@ -500,7 +501,7 @@
+--- auth.c.orig 2007-10-26 13:25:13.000000000 +0900
++++ auth.c 2008-04-18 11:32:41.000000000 +0900
+@@ -500,7 +500,7 @@
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
diff -urN openssh-portable.orig/files/patch-auth1.c openssh-portable/files/patch-auth1.c
--- openssh-portable.orig/files/patch-auth1.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-auth1.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,5 +1,5 @@
---- auth1.c.orig Fri Sep 1 02:38:36 2006
-+++ auth1.c Sat Sep 30 18:47:57 2006
+--- auth1.c.orig 2007-10-26 13:25:13.000000000 +0900
++++ auth1.c 2008-04-18 11:32:41.000000000 +0900
@@ -39,6 +39,7 @@
#endif
#include "monitor_wrap.h"
@@ -22,11 +22,10 @@
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
-@@ -288,6 +296,26 @@
- "type %d", type);
+@@ -289,6 +297,26 @@
goto skip;
}
-+
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL) {
+ lc = login_getpwclass(authctxt->pw);
@@ -46,6 +45,7 @@
+ lc = NULL;
+ }
+#endif /* HAVE_LOGIN_CAP */
-
++
if (!*(meth->enabled)) {
verbose("%s authentication disabled.", meth->name);
+ goto skip;
diff -urN openssh-portable.orig/files/patch-auth2.c openssh-portable/files/patch-auth2.c
--- openssh-portable.orig/files/patch-auth2.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-auth2.c 2008-04-18 12:01:59.000000000 +0900
@@ -1,14 +1,14 @@
--- auth2.c.orig Fri Aug 4 23:39:39 2006
+++ auth2.c Sat Sep 30 10:38:04 2006
-@@ -44,6 +45,7 @@
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
-+#include "canohost.h"
-
- #ifdef GSSAPI
+@@ -49,6 +49,7 @@
#include "ssh-gss.h"
-@@ -147,6 +149,13 @@
+ #endif
+ #include "monitor_wrap.h"
++#include "canohost.h"
+
+ /* import */
+ extern ServerOptions options;
+@@ -142,6 +143,13 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
@@ -22,7 +22,7 @@
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -190,6 +199,27 @@
+@@ -185,6 +193,27 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
diff -urN openssh-portable.orig/files/patch-loginrec.c openssh-portable/files/patch-loginrec.c
--- openssh-portable.orig/files/patch-loginrec.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-loginrec.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,16 +1,16 @@
---- loginrec.c.orig Tue Feb 15 12:19:28 2005
-+++ loginrec.c Sat Mar 19 20:55:59 2005
-@@ -164,6 +164,9 @@
- #ifdef HAVE_LIBUTIL_H
- # include <libutil.h>
+--- loginrec.c.orig 2007-04-29 11:10:58.000000000 +0900
++++ loginrec.c 2008-04-18 11:32:41.000000000 +0900
+@@ -179,6 +179,9 @@
+ #ifdef HAVE_UTIL_H
+ # include <util.h>
#endif
+#ifdef __FreeBSD__
+#include <osreldate.h>
+#endif
- RCSID("$Id: loginrec.c,v 1.67 2005/02/15 11:19:28 dtucker Exp $");
-
-@@ -670,8 +673,13 @@
+ #ifdef HAVE_LIBUTIL_H
+ # include <libutil.h>
+@@ -688,8 +691,13 @@
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
diff -urN openssh-portable.orig/files/patch-readconf.c openssh-portable/files/patch-readconf.c
--- openssh-portable.orig/files/patch-readconf.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-readconf.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- readconf.c.orig Fri Sep 1 02:38:37 2006
-+++ readconf.c Sat Sep 30 10:38:05 2006
-@@ -1112,7 +1122,7 @@
+--- readconf.c.orig 2008-02-10 20:25:52.000000000 +0900
++++ readconf.c 2008-04-18 11:32:41.000000000 +0900
+@@ -1112,7 +1112,7 @@
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
diff -urN openssh-portable.orig/files/patch-servconf.c openssh-portable/files/patch-servconf.c
--- openssh-portable.orig/files/patch-servconf.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-servconf.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- servconf.c.orig Fri Aug 18 11:23:15 2006
-+++ servconf.c Sat Sep 30 21:54:26 2006
-@@ -129,7 +129,7 @@
+--- servconf.c.orig 2008-02-10 20:48:55.000000000 +0900
++++ servconf.c 2008-04-18 11:32:41.000000000 +0900
+@@ -130,7 +130,7 @@
{
/* Portable-specific options */
if (options->use_pam == -1)
@@ -9,7 +9,7 @@
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -159,7 +159,7 @@
+@@ -160,7 +160,7 @@
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@@ -18,7 +18,7 @@
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
-@@ -169,7 +169,7 @@
+@@ -170,7 +170,7 @@
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -27,7 +27,7 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -207,7 +207,11 @@
+@@ -208,7 +208,11 @@
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
diff -urN openssh-portable.orig/files/patch-session.c openssh-portable/files/patch-session.c
--- openssh-portable.orig/files/patch-session.c 2006-11-17 04:31:44.000000000 +0900
+++ openssh-portable/files/patch-session.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,5 +1,5 @@
---- session.c.orig Mon Oct 23 14:01:56 2006
-+++ session.c Fri Nov 10 12:21:51 2006
+--- session.c.orig 2008-03-27 09:03:05.000000000 +0900
++++ session.c 2008-04-18 11:32:41.000000000 +0900
@@ -776,6 +776,24 @@
{
FILE *f;
@@ -25,7 +25,7 @@
if (options.print_motd) {
#ifdef HAVE_LOGIN_CAP
-@@ -1004,6 +1022,9 @@
+@@ -1005,6 +1023,9 @@
struct passwd *pw = s->pw;
#ifndef HAVE_LOGIN_CAP
char *path = NULL;
@@ -35,7 +35,7 @@
#endif
/* Initialize the environment. */
-@@ -1025,6 +1046,9 @@
+@@ -1026,6 +1047,9 @@
}
#endif
@@ -45,7 +45,7 @@
#ifdef GSSAPI
/* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit
-@@ -1044,11 +1068,22 @@
+@@ -1045,11 +1069,22 @@
child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
#endif
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -72,7 +72,7 @@
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
/*
-@@ -1069,15 +1104,9 @@
+@@ -1070,15 +1105,9 @@
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
@@ -88,19 +88,19 @@
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
-@@ -1287,6 +1316,10 @@
- void
- do_setusercontext(struct passwd *pw)
+@@ -1346,6 +1375,10 @@
{
+ char *chroot_path, *tmp;
+
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
- #ifndef HAVE_CYGWIN
- if (getuid() == 0 || geteuid() == 0)
- #endif /* HAVE_CYGWIN */
-@@ -1313,8 +1346,27 @@
- do_pam_setcred(0);
+ #ifdef WITH_SELINUX
+ /* Cache selinux status for later use */
+ (void)ssh_selinux_enabled();
+@@ -1369,6 +1402,25 @@
+ do_pam_setcred(use_privsep);
}
# endif /* USE_PAM */
+#ifdef CHROOT
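Review bot: The port's `#ifdef CHROOT` declarations (`char *user_dir; char *new_root;`) are re-added on top of upstream 5.0p1's own chroot support, visible in the new context line `char *chroot_path, *tmp;` at the top of do_setusercontext(). Two independent chroot paths in one function are a risk: the port block ends immediately before the first `setusercontext()` call (see the following hunk), so if both mechanisms trigger, upstream's ChrootDirectory chroot() would run relative to the port's earlier one, and the interaction with upstream's deferred LOGIN_SETUSER is untested. Unless the body of the CHROOT block (outside this hunk) is shown to be compatible, prefer dropping it in favour of the upstream `ChrootDirectory` option and saying so in the port's UPDATING or pkg-message. do_setusercontext() starts and ends outside this hunk.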
@@ -123,13 +123,10 @@
+ }
+#endif /* CHROOT */
if (setusercontext(lc, pw, pw->pw_uid,
-- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
perror("unable to set user context");
- exit(1);
- }
-@@ -1472,6 +1524,9 @@
- char *argv[10];
+@@ -1540,6 +1592,9 @@
+ char *argv[ARGV_MAX];
const char *shell, *shell0, *hostname = NULL;
struct passwd *pw = s->pw;
+#ifdef HAVE_LOGIN_CAP
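Review bot: The rebase silently drops the port's own change to the setusercontext() mask: the old patch replaced `LOGIN_SETALL & ~LOGIN_SETPATH` with `LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH)`, whereas the new patch keeps upstream 5.0p1's `LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER)` as unmodified context, so LOGIN_SETENV is no longer excluded. If that exclusion was deliberate — the port appears to apply login-class environment itself in the do_setup_env hunks earlier in this file — the mask should become `(LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))`, preserving upstream's LOGIN_SETUSER deferral that 5.0p1 needs for ChrootDirectory. The submitter calls patch-session.c one of the two required fixes but does not mention this behaviour change, so at minimum the PR should state whether it is intentional. The enclosing do_setusercontext() starts and ends outside this hunk.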
@@ -138,7 +135,7 @@
/* remove hostkey from the child's memory */
destroy_sensitive_data();
-@@ -1559,6 +1614,10 @@
+@@ -1627,6 +1682,10 @@
*/
environ = env;
@@ -149,7 +146,7 @@
#if defined(KRB5) && defined(USE_AFS)
/*
* At this point, we check to see if AFS is active and if we have
-@@ -1590,7 +1649,7 @@
+@@ -1658,7 +1717,7 @@
fprintf(stderr, "Could not chdir to home directory %s: %s\n",
pw->pw_dir, strerror(errno));
#ifdef HAVE_LOGIN_CAP
diff -urN openssh-portable.orig/files/patch-ssh-agent.c openssh-portable/files/patch-ssh-agent.c
--- openssh-portable.orig/files/patch-ssh-agent.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-ssh-agent.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- ssh-agent.c.orig Fri Sep 1 02:38:37 2006
-+++ ssh-agent.c Sat Sep 30 18:30:32 2006
-@@ -1036,6 +1036,7 @@
+--- ssh-agent.c.orig 2008-02-28 17:13:52.000000000 +0900
++++ ssh-agent.c 2008-04-18 11:32:41.000000000 +0900
+@@ -1055,6 +1055,7 @@
/* drop */
setegid(getgid());
setgid(getgid());
diff -urN openssh-portable.orig/files/patch-ssh.c openssh-portable/files/patch-ssh.c
--- openssh-portable.orig/files/patch-ssh.c 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-ssh.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,10 +1,9 @@
---- ssh.c.orig Sat Sep 2 02:32:40 2006
-+++ ssh.c Sat Sep 30 10:38:05 2006
-@@ -639,6 +640,23 @@
-
+--- ssh.c.orig 2008-02-28 17:13:52.000000000 +0900
++++ ssh.c 2008-04-18 11:32:41.000000000 +0900
+@@ -645,6 +645,23 @@
if (options.hostname != NULL)
host = options.hostname;
-+
+
+ /* Find canonic host name. */
+ if (strchr(host, '.') == 0) {
+ struct addrinfo hints;
@@ -21,6 +20,7 @@
+ freeaddrinfo(ai);
+ }
+ }
-
++
/* force lowercase for hostkey matching */
if (options.host_key_alias != NULL) {
+ for (p = options.host_key_alias; *p; p++)
diff -urN openssh-portable.orig/files/patch-ssh_config openssh-portable/files/patch-ssh_config
--- openssh-portable.orig/files/patch-ssh_config 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-ssh_config 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- ssh_config.orig Tue Jun 13 00:01:10 2006
-+++ ssh_config Sat Sep 30 10:39:07 2006
-@@ -27,7 +28,7 @@
+--- ssh_config.orig 2007-06-11 13:04:42.000000000 +0900
++++ ssh_config 2008-04-18 11:32:41.000000000 +0900
+@@ -27,7 +27,7 @@
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
diff -urN openssh-portable.orig/files/patch-ssh_config.5 openssh-portable/files/patch-ssh_config.5
--- openssh-portable.orig/files/patch-ssh_config.5 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-ssh_config.5 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- ssh_config.5.orig Fri Aug 4 22:34:51 2006
-+++ ssh_config.5 Sat Sep 30 10:39:07 2006
-@@ -165,7 +166,7 @@
+--- ssh_config.5.orig 2007-12-02 21:09:30.000000000 +0900
++++ ssh_config.5 2008-04-18 11:32:41.000000000 +0900
+@@ -163,7 +163,7 @@
.Dq no ,
the check will not be executed.
The default is
diff -urN openssh-portable.orig/files/patch-sshd.8 openssh-portable/files/patch-sshd.8
--- openssh-portable.orig/files/patch-sshd.8 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-sshd.8 2008-04-18 11:36:27.000000000 +0900
@@ -1,15 +1,15 @@
---- sshd.8.orig Tue Aug 29 22:07:01 2006
-+++ sshd.8 Sat Sep 30 20:05:16 2006
-@@ -65,7 +65,7 @@
+--- sshd.8.orig 2008-04-03 18:52:51.000000000 +0900
++++ sshd.8 2008-04-18 11:32:42.000000000 +0900
+@@ -68,7 +68,7 @@
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
-+.Pa %%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%% .
++.Pa /usr/local/etc/rc.d/openssh .
It forks a new
daemon for each incoming connection.
The forked daemons handle
-@@ -342,8 +342,9 @@
+@@ -346,8 +346,9 @@
If the login is on a tty, records login time.
.It
Checks
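Review bot: The replacement line `.Pa /usr/local/etc/rc.d/openssh .` hardcodes the install prefix where the previous patch used `%%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%%`, so the man page is wrong for any PREFIX other than /usr/local and no longer follows the rc script's actual name. Keep the placeholders, `.Pa %%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%% .`, unless the port's substitution step for sshd.8 was also removed — no Makefile hunk in this PR shows that. Note too that this same PR deletes files/openssh.in, the rc script this line points readers to, so either the script is now installed from elsewhere or the reference is dangling; the PR does not say which.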
@@ -21,7 +21,7 @@
(unless root).
.It
Changes to run with normal user privileges.
-@@ -365,7 +366,8 @@
+@@ -369,7 +370,8 @@
exists, runs it; else if
.Pa /etc/ssh/sshrc
exists, runs
diff -urN openssh-portable.orig/files/patch-sshd.c openssh-portable/files/patch-sshd.c
--- openssh-portable.orig/files/patch-sshd.c 2006-11-17 04:31:44.000000000 +0900
+++ openssh-portable/files/patch-sshd.c 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- sshd.c.patch Sun Sep 17 01:04:46 2006
-+++ sshd.c Sat Sep 30 10:38:05 2006
-@@ -80,6 +81,13 @@
+--- sshd.c.orig 2008-03-11 20:58:25.000000000 +0900
++++ sshd.c 2008-04-18 11:32:41.000000000 +0900
+@@ -82,6 +82,13 @@
#include <prot.h>
#endif
@@ -14,11 +14,10 @@
#include "xmalloc.h"
#include "ssh.h"
#include "ssh1.h"
-@@ -1697,6 +1705,29 @@
- signal(SIGQUIT, SIG_DFL);
+@@ -1723,6 +1730,29 @@
signal(SIGCHLD, SIG_DFL);
signal(SIGINT, SIG_DFL);
-+
+
+#ifdef __FreeBSD__
+ /*
+ * Initialize the resolver. This may not happen automatically
@@ -41,6 +40,7 @@
+ }
+#endif
+#endif
-
++
/*
* Register our connection. This turns encryption off because we do
+ * not have a key.
diff -urN openssh-portable.orig/files/patch-sshd_config openssh-portable/files/patch-sshd_config
--- openssh-portable.orig/files/patch-sshd_config 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-sshd_config 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- sshd_config.orig Mon Jul 24 01:06:47 2006
-+++ sshd_config Sat Sep 30 21:52:31 2006
-@@ -34,7 +34,7 @@
+--- sshd_config.orig 2008-02-10 20:40:12.000000000 +0900
++++ sshd_config 2008-04-18 11:32:41.000000000 +0900
+@@ -38,7 +38,7 @@
# Authentication:
#LoginGraceTime 2m
@@ -9,7 +9,7 @@
#StrictModes yes
#MaxAuthTries 6
-@@ -52,11 +52,11 @@
+@@ -56,11 +56,11 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -24,7 +24,7 @@
#ChallengeResponseAuthentication yes
# Kerberos options
-@@ -69,7 +69,7 @@
+@@ -73,7 +73,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
@@ -33,7 +33,7 @@
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-@@ -78,11 +78,11 @@
+@@ -82,11 +82,11 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
diff -urN openssh-portable.orig/files/patch-sshd_config.5 openssh-portable/files/patch-sshd_config.5
--- openssh-portable.orig/files/patch-sshd_config.5 2006-10-01 11:15:00.000000000 +0900
+++ openssh-portable/files/patch-sshd_config.5 2008-04-18 11:36:27.000000000 +0900
@@ -1,6 +1,6 @@
---- sshd_config.5.orig Tue Aug 29 22:06:34 2006
-+++ sshd_config.5 Sat Sep 30 10:39:07 2006
-@@ -169,9 +170,16 @@
+--- sshd_config.5.orig 2008-03-27 09:02:02.000000000 +0900
++++ sshd_config.5 2008-04-18 11:32:41.000000000 +0900
+@@ -168,9 +168,16 @@
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
@@ -19,8 +19,8 @@
+variables.
The default is
.Dq yes .
- .It Cm Ciphers
-@@ -554,7 +560,22 @@
+ .It Cm ChrootDirectory
+@@ -610,7 +617,22 @@
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -43,7 +43,7 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -597,7 +618,14 @@
+@@ -653,7 +675,14 @@
or
.Dq no .
The default is
@@ -59,7 +59,7 @@
.Pp
If this option is set to
.Dq without-password ,
-@@ -704,7 +732,9 @@
+@@ -760,7 +789,9 @@
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm RhostsRSAAuthentication
@@ -70,7 +70,7 @@
with successful RSA host authentication is allowed.
The default is
.Dq no .
-@@ -814,7 +844,7 @@
+@@ -881,7 +912,7 @@
.Xr sshd 8
as a non-root user.
The default is
@@ -79,7 +79,7 @@
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -839,7 +874,7 @@
+@@ -906,7 +937,7 @@
or
.Dq no .
The default is
diff -urN openssh-portable.orig/files/scardin.patch openssh-portable/files/scardin.patch
--- openssh-portable.orig/files/scardin.patch 1970-01-01 09:00:00.000000000 +0900
+++ openssh-portable/files/scardin.patch 2008-04-18 11:49:18.000000000 +0900
@@ -0,0 +1,111 @@
+--- scard-opensc.c.orig 2007-03-13 05:35:39.000000000 +0900
++++ scard-opensc.c 2008-04-18 11:40:40.000000000 +0900
+@@ -43,6 +43,8 @@
+ #include "misc.h"
+ #include "scard.h"
+
++int ask_for_pin=0;
++
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
+ #define USE_ENGINE
+ #define RSA_get_default_method RSA_get_default_openssl_method
+@@ -124,6 +126,7 @@
+ struct sc_pkcs15_prkey_info *key;
+ struct sc_pkcs15_object *pin_obj;
+ struct sc_pkcs15_pin_info *pin;
++ char *passphrase = NULL;
+
+ priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
+ if (priv == NULL)
+@@ -161,24 +164,47 @@
+ goto err;
+ }
+ pin = pin_obj->data;
++
++ if (sc_pin)
++ passphrase = sc_pin;
++ else if (ask_for_pin) {
++ /* we need a pin but don't have one => ask for the pin */
++ char prompt[64];
++
++ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
++ key_obj->label ? key_obj->label : "smartcard key");
++ passphrase = read_passphrase(prompt, 0);
++ if (!passphrase || !strcmp(passphrase, ""))
++ goto err;
++ } else
++ /* no pin => error */
++ goto err;
++
+ r = sc_lock(card);
+ if (r) {
+ error("Unable to lock smartcard: %s", sc_strerror(r));
+ goto err;
+ }
+- if (sc_pin != NULL) {
+- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
+- strlen(sc_pin));
+- if (r) {
+- sc_unlock(card);
+- error("PIN code verification failed: %s",
+- sc_strerror(r));
+- goto err;
+- }
++ r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
++ strlen(passphrase));
++ if (r) {
++ sc_unlock(card);
++ error("PIN code verification failed: %s",
++ sc_strerror(r));
++ goto err;
+ }
++
+ *key_obj_out = key_obj;
++ if (!sc_pin) {
++ memset(passphrase, 0, strlen(passphrase));
++ xfree(passphrase);
++ }
+ return 0;
+ err:
++ if (!sc_pin && passphrase) {
++ memset(passphrase, 0, strlen(passphrase));
++ xfree(passphrase);
++ }
+ sc_close();
+ return -1;
+ }
+--- scard.c.orig 2006-11-07 21:14:42.000000000 +0900
++++ scard.c 2008-04-18 11:40:40.000000000 +0900
+@@ -40,6 +40,9 @@
+ #include "misc.h"
+ #include "scard.h"
+
++/* currently unused */
++int ask_for_pin = 0;
++
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+ #define USE_ENGINE
+ #define RSA_get_default_method RSA_get_default_openssl_method
+--- scard.h.orig 2006-08-05 11:39:40.000000000 +0900
++++ scard.h 2008-04-18 11:40:40.000000000 +0900
+@@ -31,6 +31,8 @@
+ #define SCARD_ERROR_NOCARD -2
+ #define SCARD_ERROR_APPLET -3
+
++extern int ask_for_pin;
++
+ Key **sc_get_keys(const char *, const char *);
+ void sc_close(void);
+ int sc_put_key(Key *, const char *);
+--- ssh.c.orig 2008-02-28 17:13:52.000000000 +0900
++++ ssh.c 2008-04-18 11:48:17.000000000 +0900
+@@ -1239,6 +1239,9 @@
+ #ifdef SMARTCARD
+ Key **keys;
+
++ if (!options.batch_mode)
++ ask_for_pin = 1;
++
+ if (options.smartcard_device != NULL &&
+ options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
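Review bot: The new files/scardin.patch drops the `# https://bugzilla.mindrot.org/show_bug.cgi?id=608` provenance header that the deleted files/scardpin.patch carried, and renames the file without any Makefile hunk in this PR updating whatever references `files/scardpin.patch`; if that reference is stale the smartcard build breaks, and either way the next maintainer loses the pointer to the upstream ticket this code comes from. Restore the header at the top of the file: `#` / `# https://bugzilla.mindrot.org/show_bug.cgi?id=608` / `#`. Separately, the PIN is scrubbed with `memset(passphrase, 0, strlen(passphrase));` immediately before `xfree(passphrase);` on both the success and `err:` paths — this is the idiom OpenSSH of this era uses elsewhere as far as I recall, but a dead-store-eliminating compiler may drop the memset, so a one-line comment that the wipe is best-effort (until the tree gains a non-elidable zeroing helper) would be worth adding.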
diff -urN openssh-portable.orig/files/scardpin.patch openssh-portable/files/scardpin.patch
--- openssh-portable.orig/files/scardpin.patch 2007-08-31 04:31:21.000000000 +0900
+++ openssh-portable/files/scardpin.patch 1970-01-01 09:00:00.000000000 +0900
@@ -1,134 +0,0 @@
-#
-# https://bugzilla.mindrot.org/show_bug.cgi?id=608
-#
-Index: scard-opensc.c
-===================================================================
-RCS file: /cvs/openssh/scard-opensc.c,v
-retrieving revision 1.12
-diff -u -r1.12 scard-opensc.c
---- scard-opensc.c 25 Aug 2003 00:58:26 -0000 1.12
-+++ scard-opensc.c 27 Aug 2003 11:42:02 -0000
-@@ -38,6 +38,8 @@
- #include "readpass.h"
- #include "scard.h"
-
-+int ask_for_pin=0;
-+
- #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
- #define USE_ENGINE
- #define RSA_get_default_method RSA_get_default_openssl_method
-@@ -119,6 +121,7 @@
- struct sc_pkcs15_prkey_info *key;
- struct sc_pkcs15_object *pin_obj;
- struct sc_pkcs15_pin_info *pin;
-+ char *passphrase = NULL;
-
- priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
- if (priv == NULL)
-@@ -156,24 +159,47 @@
- goto err;
- }
- pin = pin_obj->data;
-+
-+ if (sc_pin)
-+ passphrase = sc_pin;
-+ else if (ask_for_pin) {
-+ /* we need a pin but don't have one => ask for the pin */
-+ char prompt[64];
-+
-+ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
-+ key_obj->label ? key_obj->label : "smartcard key");
-+ passphrase = read_passphrase(prompt, 0);
-+ if (!passphrase || !strcmp(passphrase, ""))
-+ goto err;
-+ } else
-+ /* no pin => error */
-+ goto err;
-+
- r = sc_lock(card);
- if (r) {
- error("Unable to lock smartcard: %s", sc_strerror(r));
- goto err;
- }
-- if (sc_pin != NULL) {
-- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
-- strlen(sc_pin));
-- if (r) {
-- sc_unlock(card);
-- error("PIN code verification failed: %s",
-- sc_strerror(r));
-- goto err;
-- }
-+ r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
-+ strlen(passphrase));
-+ if (r) {
-+ sc_unlock(card);
-+ error("PIN code verification failed: %s",
-+ sc_strerror(r));
-+ goto err;
- }
-+
- *key_obj_out = key_obj;
-+ if (!sc_pin) {
-+ memset(passphrase, 0, strlen(passphrase));
-+ xfree(passphrase);
-+ }
- return 0;
- err:
-+ if (!sc_pin && passphrase) {
-+ memset(passphrase, 0, strlen(passphrase));
-+ xfree(passphrase);
-+ }
- sc_close();
- return -1;
- }
-Index: scard.c
-===================================================================
-RCS file: /cvs/openssh/scard.c,v
-retrieving revision 1.27
-diff -u -r1.27 scard.c
---- scard.c 18 Jun 2003 10:28:40 -0000 1.27
-+++ scard.c 27 Aug 2003 11:42:02 -0000
-@@ -35,6 +35,9 @@
- #include "readpass.h"
- #include "scard.h"
-
-+/* currently unused */
-+int ask_for_pin = 0;
-+
- #if OPENSSL_VERSION_NUMBER < 0x00907000L
- #define USE_ENGINE
- #define RSA_get_default_method RSA_get_default_openssl_method
-Index: scard.h
-===================================================================
-RCS file: /cvs/openssh/scard.h,v
-retrieving revision 1.10
-diff -u -r1.10 scard.h
---- scard.h 18 Jun 2003 10:28:40 -0000 1.10
-+++ scard.h 27 Aug 2003 11:42:02 -0000
-@@ -33,6 +33,8 @@
- #define SCARD_ERROR_NOCARD -2
- #define SCARD_ERROR_APPLET -3
-
-+extern int ask_for_pin;
-+
- Key **sc_get_keys(const char *, const char *);
- void sc_close(void);
- int sc_put_key(Key *, const char *);
-Index: ssh.c
-===================================================================
-RCS file: /cvs/openssh/ssh.c,v
-retrieving revision 1.180
-diff -u -r1.180 ssh.c
---- ssh.c 21 Aug 2003 23:34:41 -0000 1.180
-+++ ssh.c 27 Aug 2003 11:42:02 -0000
-@@ -1155,6 +1155,9 @@
- #ifdef SMARTCARD
- Key **keys;
-
-+ if (!options.batch_mode)
-+ ask_for_pin = 1;
-+
- if (options.smartcard_device != NULL &&
- options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
- (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
>Release-Note:
>Audit-Trail:
>Unformatted: