Date: Wed, 9 Sep 2009 16:30:03 GMT From: Denis Barov <dindin@yandex-team.ru>; To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/138409: [MAINTAINER] security/openssh-portable: cumulative port update for: ports/137192, ports/137100, ports/138284, ports/137985 Message-ID: <200909091630.n89GU3pT035159@freefall.freebsd.org>
The following reply was made to PR ports/138409; it has been noted by GNATS. From: Denis Barov <dindin@yandex-team.ru>; To: bug-followup@FreeBSD.org Cc: Denis Barov <dindin@dindin.ru> Subject: Re: ports/138409: [MAINTAINER] security/openssh-portable: cumulative port update for: ports/137192, ports/137100, ports/138284, ports/137985 Date: Wed, 9 Sep 2009 20:22:56 +0400 PORTREVISION bumped ---------- openssh-portable 5.2p1_2 patch ---------- diff -urN /usr/ports/security/openssh-portable/Makefile /usr/ports/security/openssh-portable/Makefile --- /usr/ports/security/openssh-portable/Makefile 2009-08-08 11:13:49.000000000 +0400 +++ /usr/ports/security/openssh-portable/Makefile 2009-09-09 20:02:43.000000000 +0400 @@ -7,7 +7,7 @@ PORTNAME= openssh DISTVERSION= 5.2p1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security ipv6 .if defined(OPENSSH_SNAPSHOT) @@ -57,6 +57,7 @@ LIBEDIT "Enable readline support to sftp(1)" on \ KERBEROS "Enable kerberos (autodetection)" on \ SUID_SSH "Enable suid SSH (Recommended off)" off \ + BSM "Enable OpenBSM Auditing" off \ GSSAPI "Enable GSSAPI support (req: KERBEROS)" off \ KERB_GSSAPI "Enable Kerberos/GSSAPI patch (req: GSSAPI)" off \ OPENSSH_CHROOT "Enable CHROOT support" off \ @@ -69,10 +70,6 @@ .include <bsd.port.pre.mk> -.if ${OSVERSION} >= 800037 -BROKEN= does not compile -.endif - .if defined(WITH_X509) && ( defined(WITH_HPN) || defined(WITH_LPK)) BROKEN= X509 patch incompatible with HPN and LPK patches .endif 
@@ -97,13 +94,16 @@ CONFIGURE_ARGS+= --disable-suid-ssh .endif +.if defined(WITH_BSM) +CONFIGURE_ARGS+= --with-audit=bsm +.endif + .if !defined(WITHOUT_KERBEROS) .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) .if defined(WITH_KERB_GSSAPI) -BROKEN= KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1 PATCH_DIST_STRIP= -p0 PATCH_SITES+= http://www.sxw.org.uk/computing/patches/ -PATCHFILES+= openssh-5.0p1-gsskex-20080404.patch +PATCHFILES+= openssh-5.2p1-gsskex-all-20090726.patch .endif PORTABLE_SUFFIX= # empty GSSAPI_SUFFIX= -gssapi @@ -182,8 +182,7 @@ EMPTYDIR= /var/empty PREFIX= /usr ETCSSH= /etc/ssh -USE_RC_SUBR= yes -SUB_FILES+= openssh +USE_RC_SUBR= openssh PLIST_SUB+= NOTBASE="@comment " PLIST_SUB+= BASE="" PLIST_SUB+= BASEPREFIX="${PREFIX}" diff -urN /usr/ports/security/openssh-portable/distinfo /usr/ports/security/openssh-portable/distinfo --- /usr/ports/security/openssh-portable/distinfo 2009-05-15 15:00:27.000000000 +0400 +++ /usr/ports/security/openssh-portable/distinfo 2009-09-09 20:02:43.000000000 +0400 
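Review bot: `CONFIGURE_ARGS+= --with-audit=bsm` is added under `.if defined(WITH_BSM)` with no check that the host actually has OpenBSM (`bsm/audit.h`, libbsm); on a base system without it the build presumably dies inside configure rather than with a clear message, so an `OSVERSION` guard or an `exists(/usr/include/bsm/audit.h)` test that sets `IGNORE` next to the new block would be friendlier (this Makefile already uses `exists()` for `KRB5_HOME`). It would also help to state in the option description or pkg-message that events are only recorded when the kernel has audit(4) enabled and auditd(8) is running; an sshd built with this option otherwise looks audited but logs nothing.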
@@ -1,6 +1,6 @@
 MD5 (openssh-5.2p1.tar.gz) = ada79c7328a8551bdf55c95e631e7dad
 SHA256 (openssh-5.2p1.tar.gz) = 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae
 SIZE (openssh-5.2p1.tar.gz) = 1016612
-MD5 (openssh-5.2p1+x509-6.2.diff.gz) = 8dbbfb743226864f6bb49b56e77776d9
-SHA256 (openssh-5.2p1+x509-6.2.diff.gz) = 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
-SIZE (openssh-5.2p1+x509-6.2.diff.gz) = 153010
+MD5 (openssh-5.2p1-gsskex-all-20090726.patch) = e5c116b4bc3f4b816206e8403dd08af7
+SHA256 (openssh-5.2p1-gsskex-all-20090726.patch) = 6eb297d6fa74be3323c5e4f53df5b6e1f4edf6bf394e3e707c075846886e18e7
+SIZE (openssh-5.2p1-gsskex-all-20090726.patch) = 90959
diff -urN /usr/ports/security/openssh-portable/openssh-lpk+hpn-servconf.patch /usr/ports/security/openssh-portable/openssh-lpk+hpn-servconf.patch
--- /usr/ports/security/openssh-portable/openssh-lpk+hpn-servconf.patch 1970-01-01 03:00:00.000000000 +0300
+++ /usr/ports/security/openssh-portable/openssh-lpk+hpn-servconf.patch 2009-09-09 20:02:43.000000000 +0400
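Review bot: The hunk removes the three `openssh-5.2p1+x509-6.2.diff.gz` checksum lines rather than adding the gsskex entries next to them, but none of the Makefile hunks in this submission touch the `WITH_X509` handling (the `BROKEN=` guard for X509 is still there as context), so a `WITH_X509` build would presumably fail `make checksum` with no entry recorded for the X509 diff; unless that fetch was dropped in a part of the Makefile not shown, keep the three lines. Recording both MD5 and SHA256 for the new gsskex file is the right call, as it is fetched from a third-party `PATCH_SITES` over plain HTTP and distinfo is the only integrity check the port applies.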
@@ -0,0 +1,240 @@ +--- servconf.c.orig 2009-05-02 19:35:42.000000000 +0400 ++++ servconf.c 2009-05-02 19:37:13.000000000 +0400 +@@ -42,6 +42,10 @@ + #include "channels.h" + #include "groupaccess.h" + ++#ifdef WITH_LDAP_PUBKEY ++#include "ldapauth.h" ++#endif ++ + static void add_listen_addr(ServerOptions *, char *, int); + static void add_one_listen_addr(ServerOptions *, char *, int); + +@@ -74,7 +78,7 @@ + options->ignore_user_known_hosts = -1; + options->print_motd = -1; + options->print_lastlog = -1; +- options->x11_forwarding = -1; ++ options->x11_forwarding = 1; + options->x11_display_offset = -1; + options->x11_use_localhost = -1; + options->xauth_location = NULL; +@@ -127,12 +131,39 @@ + options->num_permitted_opens = -1; + options->adm_forced_command = NULL; + options->chroot_directory = NULL; ++ options->none_enabled = -1; ++ options->tcp_rcv_buf_poll = -1; ++ options->hpn_disabled = -1; ++ options->hpn_buffer_size = -1; + options->zero_knowledge_password_authentication = -1; ++#ifdef WITH_LDAP_PUBKEY ++ /* XXX dirty */ ++ options->lpk.ld = NULL; ++ options->lpk.on = -1; ++ options->lpk.servers = NULL; ++ options->lpk.u_basedn = NULL; ++ options->lpk.g_basedn = NULL; ++ options->lpk.binddn = NULL; ++ options->lpk.bindpw = NULL; ++ options->lpk.sgroup = NULL; ++ options->lpk.filter = NULL; ++ options->lpk.fgroup = NULL; ++ options->lpk.l_conf = NULL; ++ options->lpk.tls = -1; ++ options->lpk.b_timeout.tv_sec = -1; ++ options->lpk.s_timeout.tv_sec = -1; ++ options->lpk.flags = FLAG_EMPTY; ++#endif + } + + void + fill_default_server_options(ServerOptions *options) + { ++ /* needed for hpn socket tests */ ++ int sock; ++ int socksize; ++ int socksizelen = sizeof(int); ++ + /* Portable-specific options */ + if (options->use_pam == -1) + options->use_pam = 1; +@@ -265,6 +296,32 @@ + options->permit_tun = SSH_TUNMODE_NO; + if (options->zero_knowledge_password_authentication == -1) + options->zero_knowledge_password_authentication = 0; ++#ifdef WITH_LDAP_PUBKEY ++ 
if (options->lpk.on == -1) ++ options->lpk.on = _DEFAULT_LPK_ON; ++ if (options->lpk.servers == NULL) ++ options->lpk.servers = _DEFAULT_LPK_SERVERS; ++ if (options->lpk.u_basedn == NULL) ++ options->lpk.u_basedn = _DEFAULT_LPK_UDN; ++ if (options->lpk.g_basedn == NULL) ++ options->lpk.g_basedn = _DEFAULT_LPK_GDN; ++ if (options->lpk.binddn == NULL) ++ options->lpk.binddn = _DEFAULT_LPK_BINDDN; ++ if (options->lpk.bindpw == NULL) ++ options->lpk.bindpw = _DEFAULT_LPK_BINDPW; ++ if (options->lpk.sgroup == NULL) ++ options->lpk.sgroup = _DEFAULT_LPK_SGROUP; ++ if (options->lpk.filter == NULL) ++ options->lpk.filter = _DEFAULT_LPK_FILTER; ++ if (options->lpk.tls == -1) ++ options->lpk.tls = _DEFAULT_LPK_TLS; ++ if (options->lpk.b_timeout.tv_sec == -1) ++ options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT; ++ if (options->lpk.s_timeout.tv_sec == -1) ++ options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT; ++ if (options->lpk.l_conf == NULL) ++ options->lpk.l_conf = _DEFAULT_LPK_LDP; ++#endif + + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; +@@ -345,8 +402,15 @@ + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, ++ sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, + sZeroKnowledgePasswordAuthentication, + sDeprecated, sUnsupported ++#ifdef WITH_LDAP_PUBKEY ++ ,sLdapPublickey, sLdapServers, sLdapUserDN ++ ,sLdapGroupDN, sBindDN, sBindPw, sMyGroup ++ ,sLdapFilter, sForceTLS, sBindTimeout ++ ,sSearchTimeout, sLdapConf ++#endif + } ServerOpCodes; + + #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ +@@ -457,6 +521,20 @@ + { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, + { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, + { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, ++#ifdef WITH_LDAP_PUBKEY ++ { _DEFAULT_LPK_TOKEN, sLdapPublickey, SSHCFG_GLOBAL }, ++ { 
_DEFAULT_SRV_TOKEN, sLdapServers, SSHCFG_GLOBAL }, ++ { _DEFAULT_USR_TOKEN, sLdapUserDN, SSHCFG_GLOBAL }, ++ { _DEFAULT_GRP_TOKEN, sLdapGroupDN, SSHCFG_GLOBAL }, ++ { _DEFAULT_BDN_TOKEN, sBindDN, SSHCFG_GLOBAL }, ++ { _DEFAULT_BPW_TOKEN, sBindPw, SSHCFG_GLOBAL }, ++ { _DEFAULT_MYG_TOKEN, sMyGroup, SSHCFG_GLOBAL }, ++ { _DEFAULT_FIL_TOKEN, sLdapFilter, SSHCFG_GLOBAL }, ++ { _DEFAULT_TLS_TOKEN, sForceTLS, SSHCFG_GLOBAL }, ++ { _DEFAULT_BTI_TOKEN, sBindTimeout, SSHCFG_GLOBAL }, ++ { _DEFAULT_STI_TOKEN, sSearchTimeout, SSHCFG_GLOBAL }, ++ { _DEFAULT_LDP_TOKEN, sLdapConf, SSHCFG_GLOBAL }, ++#endif + { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, + { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, + { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, +@@ -1368,6 +1446,107 @@ + while (arg) + arg = strdelim(&cp); + break; ++#ifdef WITH_LDAP_PUBKEY ++ case sLdapPublickey: ++ intptr = &options->lpk.on; ++ goto parse_flag; ++ case sLdapServers: ++ /* arg = strdelim(&cp); */ ++ p = line; ++ while(*p++); ++ arg = p; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing ldap server",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL) ++ fatal("%s line %d: error in ldap servers", filename, linenum); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sLdapUserDN: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing ldap server",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.u_basedn = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sLdapGroupDN: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing ldap server",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.g_basedn = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sBindDN: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing binddn",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.binddn = xstrdup(arg); ++ 
memset(arg,0,strlen(arg)); ++ break; ++ case sBindPw: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing bindpw",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.bindpw = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sMyGroup: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing groupname",filename, linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.sgroup = xstrdup(arg); ++ if (options->lpk.sgroup) ++ options->lpk.fgroup = ldap_parse_groups(options->lpk.sgroup); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sLdapFilter: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing filter",filename, linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.filter = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sForceTLS: ++ intptr = &options->lpk.tls; ++ arg = strdelim(&cp); ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing yes/no argument.", ++ filename, linenum); ++ value = 0; /* silence compiler */ ++ if (strcmp(arg, "yes") == 0) ++ value = 1; ++ else if (strcmp(arg, "no") == 0) ++ value = 0; ++ else if (strcmp(arg, "try") == 0) ++ value = -1; ++ else ++ fatal("%s line %d: Bad yes/no argument: %s", ++ filename, linenum, arg); ++ if (*intptr == -1) ++ *intptr = value; ++ break; ++ case sBindTimeout: ++ intptr = (int *) &options->lpk.b_timeout.tv_sec; ++ goto parse_int; ++ case sSearchTimeout: ++ intptr = (int *) &options->lpk.s_timeout.tv_sec; ++ goto parse_int; ++ break; ++ case sLdapConf: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing LpkLdapConf", filename, linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.l_conf = xstrdup(arg); ++ memset(arg, 0, strlen(arg)); ++ break; ++#endif + + default: + fatal("%s line %d: Missing handler for opcode %s (%d)", diff -urN /usr/ports/security/openssh-portable/patch-includes.h /usr/ports/security/openssh-portable/patch-includes.h --- /usr/ports/security/openssh-portable/patch-includes.h 
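Review bot: The `@@ -74,7 +78,7 @@` piece rewrites the initializer in `initialize_server_options` (a function that starts and ends outside this hunk) to `options->x11_forwarding = 1;` while every neighbouring field stays at the -1 "unset" sentinel, and the hunk's own `sForceTLS` handler shows what that sentinel means here, `if (*intptr == -1) *intptr = value;` — with the field pre-set to 1, an `X11Forwarding no` line in sshd_config is presumably ignored by the (unshown) `parse_flag` path and forwarding is forced on; if a yes default is intended it belongs in `fill_default_server_options` as `if (options->x11_forwarding == -1) options->x11_forwarding = 1;`. In the same spirit, `sForceTLS` maps `try` to -1, which `fill_default_server_options` then replaces with `_DEFAULT_LPK_TLS`, so `try` is indistinguishable from unset. `sBindTimeout`/`sSearchTimeout` cast `&options->lpk.b_timeout.tv_sec` to `int *` before `goto parse_int`; on a 64-bit little-endian `time_t` that writes only the low half of a field initialised to -1 and leaves the high bits set, so the configured timeout becomes a large negative number — parse into an `int` temporary and assign it to `tv_sec` instead. `sBindPw` keeps the LDAP bind password in `options->lpk.bindpw` via `xstrdup`; the following `memset` only scrubs the line buffer, so the secret remains in sshd's heap for its lifetime and in sshd_config on disk, which must not be world-readable when this directive is used.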
1970-01-01 03:00:00.000000000 +0300
+++ /usr/ports/security/openssh-portable/patch-includes.h 2009-09-09 20:02:43.000000000 +0400
@@ -0,0 +1,13 @@
+--- includes.h 2008-07-04 17:10:49.000000000 +0400
++++ includes.h 2009-08-31 22:01:13.000000000 +0400
+@@ -31,7 +31,8 @@
+ #endif
+ #if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
+ defined(GLOB_HAS_GL_MATCHC) && \
+- defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0
++ defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \
++ !defined(BROKEN_GLOB)
+ # include <glob.h>
+ #endif
+ #ifdef HAVE_ENDIAN_H
+ 
---------- openssh-portable 5.2p1_2 patch ---------- -- Cheers Denis Barov
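Review bot: The added `!defined(BROKEN_GLOB)` branch only takes effect if something defines `BROKEN_GLOB` for this build, and nothing in this submission does; presumably 5.2p1's configure sets it on FreeBSD 8 and the bundled openbsd-compat glob takes over, but since the same submission drops the `BROKEN= does not compile` guard for `OSVERSION >= 800037` from the Makefile, that should be confirmed on an 8.x build before committing, otherwise the failure the guard covered simply returns. A short comment above the `#if`, such as `/* BROKEN_GLOB: the system glob.h cannot be used on this platform; fall back to openbsd-compat's glob */`, would tell the next person rebasing this patch why the condition exists.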