Date: Wed, 22 Jun 2022 18:45:26 GMT
Message-Id: <202206221845.25MIjQm0098089@gitrepo.freebsd.org>
From: Bryan Drewery
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject: git: 61026a2af119 - 2022Q2 - security/openssh-portable: Fix some capsicum issues
List-Id: Commits to the quarterly branches of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches

The branch 2022Q2 has been updated by bdrewery:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=61026a2af1198336a10d20df79d61f75e4a3bfaa commit 61026a2af1198336a10d20df79d61f75e4a3bfaa Author: Bryan Drewery AuthorDate: 2022-05-24 23:08:14 +0000 Commit: Bryan Drewery CommitDate: 2022-06-22 18:44:50 +0000 security/openssh-portable: Fix some capsicum issues - Brings in latest changes from base. See patches for details. - Version 9.0 is being worked on but I wanted to fix this issue before proceeding with bigger changes. PR: 263753 (cherry picked from commit 272dd07a309c086a4bc97dc015ef7faf4fbf89ca) --- security/openssh-portable/Makefile | 2 +- .../files/patch-FreeBSD-caph_cache_tzdata | 43 ++++++++++++++ .../openssh-portable/files/patch-FreeBSD-logincap | 69 ++++++++++++++++++++++ security/openssh-portable/files/patch-auth2.c | 47 --------------- 4 files changed, 113 insertions(+), 48 deletions(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 75f4d206e817..f55a7bd0c630 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,7 +2,7 @@ PORTNAME= openssh DISTVERSION= 8.9p1 -PORTREVISION= 3 +PORTREVISION= 4 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata new file mode 100644 index 000000000000..bf3889265b77 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata 
@@ -0,0 +1,43 @@ +commit fc3c19a9fceeea48a9259ac3833a125804342c0e +Author: Ed Maste +Date: Sat Oct 6 21:32:55 2018 +0000 + + sshd: address capsicum issues + + * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in + capability mode. + * Cache timezone data via caph_cache_tzdata() as we cannot access the + timezone file. + * Reverse resolve hostname before entering capability mode. + + PR: 231172 + Submitted by: naito.yuichiro@gmail.com + Reviewed by: cem, des + Approved by: re (rgrimes) + MFC after: 3 weeks + Differential Revision: https://reviews.freebsd.org/D17128 + +Notes: + svn path=/head/; revision=339216 + +diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c +index 5f41d526292b..f728abd18250 100644 +--- sandbox-capsicum.c ++++ sandbox-capsicum.c +@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$"); + #include + #include + #include ++#include + + #include "log.h" + #include "monitor.h" +@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box) + struct rlimit rl_zero; + cap_rights_t rights; + ++ caph_cache_tzdata(); ++ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap new file mode 100644 index 000000000000..78d772e8a024 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-logincap 
@@ -0,0 +1,69 @@ +(pulled from the PR) + +commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8 +Author: Ed Maste +Date: Tue Aug 31 15:30:50 2021 -0400 + + openssh: simplify login class restrictions + + Login class-based restrictions were introduced in 5b400a39b8ad. The + code was adapted for sshd's Capsicum sandbox and received many changes + over time, including at least fc3c19a9fcee, bd393de91cc3, and + e8c56fba2926. + + During an attempt to upstream the work a much simpler approach was + suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with + future updates. + + Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) + Obtained from: https://github.com/openssh/openssh-portable/pull/262 + Reviewed by: allanjude, kevans + MFC after: 2 weeks + Differential Revision: https://reviews.freebsd.org/D31760 + + +--- auth.c ++++ auth.c +@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user) + { + #ifdef HAVE_LOGIN_CAP + extern login_cap_t *lc; ++#ifdef HAVE_AUTH_HOSTOK ++ const char *from_host, *from_ip; ++#endif + #ifdef BSD_AUTH + auth_session_t *as; + #endif +@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user) + debug("unable to get login class: %s", user); + return (NULL); + } ++#ifdef HAVE_AUTH_HOSTOK ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ debug("Denied connection for %.200s from %.200s [%.200s].", ++ pw->pw_name, from_host, from_ip); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_HOSTOK */ ++#ifdef HAVE_AUTH_TIMEOK ++ if (!auth_timeok(lc, time(NULL))) { ++ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_TIMEOK */ + #ifdef BSD_AUTH + if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || + auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { +--- configure.ac ++++ configure.ac +@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG]) + + dnl Checks for library 
functions. Please keep in alphabetical order + AC_CHECK_FUNCS([ \ ++ auth_hostok \ ++ auth_timeok \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c deleted file mode 100644 index 38d366aeaf71..000000000000 --- a/security/openssh-portable/files/patch-auth2.c +++ /dev/null @@ -1,47 +0,0 @@ ---- UTC -r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/auth2.c - -Apply class-imposed login restrictions. - ---- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ auth2.c 2020-11-16 13:55:25.222771000 -0800 -@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct - char *user = NULL, *service = NULL, *method = NULL, *style = NULL; - int r, authenticated = 0; - double tstart = monotime_double(); -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+ const char *from_host, *from_ip; -+#endif - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct - "not allowed: (%s,%s) -> (%s,%s)", - authctxt->user, authctxt->service, user, service); - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL && -+ (lc = login_getpwclass(authctxt->pw)) != NULL) { -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ ssh_packet_disconnect(ssh, "Logins not available right now."); -+ } -+ login_close(lc); -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ - /* reset state */ - auth2_challenge_stop(ssh); -
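
Review bot: the commit message embedded in patch-FreeBSD-caph_cache_tzdata lists three changes (a wrapper to proxy login_getpwclass(3), caching timezone data via caph_cache_tzdata(), and reverse-resolving the hostname before entering capability mode), but the diff that follows it touches only sandbox-capsicum.c and adds just one include and the caph_cache_tzdata() call in ssh_sandbox_child(). A line at the top of the patch file, in the style of the "(pulled from the PR)" note in patch-FreeBSD-logincap, stating that only the tzdata part is carried here and where the other two items are handled would keep a later reader from assuming the port applies all three.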
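
Review bot: in the getpwnamallow() hunk of patch-FreeBSD-logincap (auth.c), both refusals are logged with debug(), whereas the removed patch-auth2.c logged the same events with logit(), so a login refused by a login class host or time restriction no longer leaves a record at sshd's default log level. Consider keeping logit() for "Denied connection for %.200s from %.200s [%.200s]." and "LOGIN %.200s REFUSED (TIME)". The time message has also lost the "FROM %.200s" host field the old one carried, and from_host is declared only under HAVE_AUTH_HOSTOK, so restoring it in the HAVE_AUTH_TIMEOK block needs the declaration guard widened as well.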
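
Review bot: the auth_hostok and auth_timeok entries added to AC_CHECK_FUNCS in the configure.ac hunk take effect only if configure is regenerated from the patched configure.ac, and the new checks in auth.c are compiled only under #ifdef HAVE_AUTH_HOSTOK and #ifdef HAVE_AUTH_TIMEOK. The Makefile hunk shows nothing but the PORTREVISION bump, so please confirm the port runs autoreconf; if it does not, both restrictions compile out silently now that patch-auth2.c, which was guarded by HAVE_LOGIN_CAP alone, is deleted. As a style point, the two names are inserted ahead of the Blowfish_* entries directly under the comment "Please keep in alphabetical order", so check that this matches the ordering used by the rest of the list.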
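
Review bot: deleting patch-auth2.c changes what a refused client sees, and nothing in the commit message records it. The removed code in input_userauth_request() called ssh_packet_disconnect() with "Sorry, you are not allowed to connect." or "Logins not available right now.", while the replacement in getpwnamallow() only returns NULL and sends no message of its own. The commit message says "See patches for details"; one sentence there noting that class-imposed refusals no longer disconnect with an explicit reason would help administrators who rely on the old messages when diagnosing refused logins.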