From: Bryan Drewery Date: Tue, 2 Jun 2015 15:00:44 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r388363 - in head/security: . openssh-portable openssh-portable-devel openssh-portable-devel/files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 15:00:47 -0000 Author: bdrewery Date: Tue Jun 2 15:00:43 2015 New Revision: 388363 URL: https://svnweb.freebsd.org/changeset/ports/388363 Log: Add openssh-portable-devel which is based on the upstream snapshots for staging and testing. Its initial version is 20150602 which is nearly the upcoming 6.9 version. Added: head/security/openssh-portable-devel/ - copied from r388360, head/security/openssh-portable/ Deleted: head/security/openssh-portable-devel/files/extra-patch-ttssh head/security/openssh-portable-devel/files/patch-compat.c head/security/openssh-portable-devel/files/patch-monitor_wrap.c Modified: head/security/Makefile head/security/openssh-portable-devel/Makefile head/security/openssh-portable-devel/distinfo head/security/openssh-portable-devel/files/extra-patch-hpn head/security/openssh-portable-devel/files/patch-servconf.c head/security/openssh-portable-devel/files/patch-ssh-agent.1 head/security/openssh-portable-devel/files/patch-ssh-agent.c head/security/openssh-portable-devel/files/patch-sshd_config head/security/openssh-portable-devel/files/patch-sshd_config.5 head/security/openssh-portable/Makefile Modified: head/security/Makefile ============================================================================== --- head/security/Makefile Tue Jun 2 14:58:24 2015 (r388362) +++ head/security/Makefile Tue Jun 2 15:00:43 2015 (r388363) 
@@ -383,6 +383,7 @@ SUBDIR += openscep SUBDIR += openssh-askpass SUBDIR += openssh-portable + SUBDIR += openssh-portable-devel SUBDIR += openssl SUBDIR += openssl_tpm_engine SUBDIR += openvas-client Modified: head/security/openssh-portable-devel/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/Makefile Tue Jun 2 15:00:43 2015 (r388363) @@ -2,20 +2,23 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.8p1 -PORTREVISION= 7 -PORTEPOCH= 1 +DISTVERSION= 20150602 +PORTREVISION= 0 CATEGORIES= security ipv6 -MASTER_SITES= OPENBSD/OpenSSH/portable -PKGNAMESUFFIX?= -portable +MASTER_SITES= http://www.mindrot.org/openssh_snap/ \ + OPENBSD/OpenSSH/portable +PKGNAMESUFFIX?= -portable-devel MAINTAINER= bdrewery@FreeBSD.org -COMMENT= The portable version of OpenBSD's OpenSSH +COMMENT= The portable version of OpenBSD's OpenSSH (snapshot) #LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style #LICENSE_FILE= ${WRKSRC}/LICENCE -CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* +DISTNAME= ${PORTNAME}-SNAP-${DISTVERSION} +WRKSRC= ${WRKDIR}/${PORTNAME}-SNAP + +CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-* USES= alias USE_AUTOTOOLS= autoconf autoheader @@ -47,7 +50,6 @@ NONECIPHER_DESC= NONE Cipher support OPTIONS_SUB= yes -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ttssh TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns 
@@ -190,6 +192,9 @@ CONFIGURE_ARGS+= --with-xauth=${LOCALBAS RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} +post-extract: + @mv ${WRKDIR}/${PORTNAME} ${WRKSRC} + post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure @${REINPLACE_CMD} \ Modified: head/security/openssh-portable-devel/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/distinfo Tue Jun 2 15:00:43 2015 (r388363) @@ -1,8 +1,6 @@ -SHA256 (openssh-6.8p1.tar.gz) = 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e -SIZE (openssh-6.8p1.tar.gz) = 1475953 -SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304 -SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942 -SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8 -SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825 +SHA256 (openssh-SNAP-20150602.tar.gz) = 4893c2d7f1d2ecffe120ce3d5dcee02e89e7cd3a39b1f5a85c3302818263461b +SIZE (openssh-SNAP-20150602.tar.gz) = 1469236 SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531 +SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304 +SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942 Modified: head/security/openssh-portable-devel/files/extra-patch-hpn ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/files/extra-patch-hpn Tue Jun 2 15:00:43 2015 (r388363) 
@@ -398,15 +398,14 @@ diff -urN -x configure -x config.guess - return check[i].bugs; } } ---- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500 -@@ -60,7 +60,10 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 +--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500 +@@ -62,6 +62,9 @@ #define SSH_BUG_CURVE25519PAD 0x10000000 #define SSH_BUG_HOSTKEYS 0x20000000 + #define SSH_BUG_DHGEX_LARGE 0x40000000 +#ifdef HPN_ENABLED -+#define SSH_BUG_LARGEWINDOW 0x40000000 ++#define SSH_BUG_LARGEWINDOW 0x80000000 +#endif void enable_compat13(void); @@ -718,12 +717,12 @@ diff -urN -x configure -x config.guess - struct timeval tv[2]; #define atime tv[0] ---- work.clean/openssh-6.8p1/servconf.c 2015-04-01 22:07:18.142441000 -0500 -+++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500 -@@ -160,6 +160,14 @@ - options->revoked_keys_file = NULL; - options->trusted_user_ca_keys = NULL; +--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500 +@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions options->authorized_principals_file = NULL; + options->authorized_principals_command = NULL; + options->authorized_principals_command_user = NULL; +#ifdef NONE_CIPHER_ENABLED + options->none_enabled = -1; +#endif @@ -735,7 +734,7 @@ diff -urN -x configure -x config.guess - options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; -@@ -326,6 +334,57 @@ +@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; 
@@ -793,7 +792,7 @@ diff -urN -x configure -x config.guess - if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) -@@ -401,6 +460,12 @@ +@@ -406,6 +465,12 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, @@ -803,10 +802,10 @@ diff -urN -x configure -x config.guess - +#ifdef HPN_ENABLED + sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +#endif + sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, -@@ -529,6 +594,14 @@ +@@ -537,6 +602,14 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, @@ -821,7 +820,7 @@ diff -urN -x configure -x config.guess - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -@@ -1113,6 +1186,25 @@ +@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions intptr = &options->ignore_user_known_hosts; goto parse_flag; Modified: head/security/openssh-portable-devel/files/patch-servconf.c ============================================================================== --- head/security/openssh-portable/files/patch-servconf.c Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/files/patch-servconf.c Tue Jun 2 15:00:43 2015 (r388363) 
@@ -17,15 +17,6 @@ /* X.509 Standard Options */ #ifdef OPENSSL_FIPS -@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption - if (options->key_regeneration_time == -1) - options->key_regeneration_time = 3600; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_YES; -+ options->permit_root_login = PERMIT_NO; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) @@ -287,7 +288,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; Modified: head/security/openssh-portable-devel/files/patch-ssh-agent.1 ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.1 Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/files/patch-ssh-agent.1 Tue Jun 2 15:00:43 2015 (r388363) 
@@ -3,20 +3,18 @@ r226103 | des | 2011-10-07 08:10:16 -050 Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. -Index: ssh-agent.1 -=================================================================== ---- ssh-agent.1 (revision 226102) -+++ ssh-agent.1 (revision 226103) -@@ -44,7 +44,7 @@ +--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500 +@@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s --.Op Fl d -+.Op Fl dx +-.Op Fl Dd ++.Op Fl Ddx .Op Fl a Ar bind_address + .Op Fl E Ar fingerprint_hash .Op Fl t Ar life - .Op Ar command Op Ar arg ... -@@ -103,6 +103,8 @@ +@@ -128,6 +128,8 @@ .Xr ssh-add 1 overrides this value. Without this option the default maximum lifetime is forever. Modified: head/security/openssh-portable-devel/files/patch-ssh-agent.c ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.c Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/files/patch-ssh-agent.c Tue Jun 2 15:00:43 2015 (r388363) @@ -7,9 +7,9 @@ r226103 | des | 2011-10-07 08:10:16 -050 Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2015-03-17 00:49:20.000000000 -0500 -+++ ssh-agent.c 2015-03-20 00:00:48.800352000 -0500 -@@ -150,15 +150,34 @@ static long lifetime = 0; +--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500 +@@ -157,15 +157,34 @@ static long lifetime = 0; static int fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -44,7 +44,7 @@ disconnected. } static void -@@ -910,6 +929,10 @@ new_socket(sock_type type, int fd) +@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; 
@@ -55,16 +55,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1138,7 +1161,7 @@ usage(void) +@@ -1166,7 +1189,7 @@ static void + usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-E fingerprint_hash]\n" -- " [-t life] [command [arg ...]]\n" -+ " [-t life] [-x] [command [arg ...]]\n" +- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" ++ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + " [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); - } -@@ -1168,6 +1191,7 @@ main(int ac, char **av) +@@ -1197,6 +1220,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -72,16 +72,16 @@ disconnected. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -@@ -1181,7 +1205,7 @@ main(int ac, char **av) +@@ -1210,7 +1234,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); -- while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cdksE:a:t:x")) != -1) { +- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1215,6 +1239,9 @@ main(int ac, char **av) +@@ -1249,6 +1273,9 @@ main(int ac, char **av) usage(); } break; Modified: head/security/openssh-portable-devel/files/patch-sshd_config ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/files/patch-sshd_config Tue Jun 2 15:00:43 2015 (r388363) @@ -10,15 +10,6 @@ #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -41,7 +44,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin yes -+#PermitRootLogin no - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 
@@ -50,8 +53,7 @@ #PubkeyAuthentication yes Modified: head/security/openssh-portable-devel/files/patch-sshd_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config.5 Tue Jun 2 13:50:16 2015 (r388360) +++ head/security/openssh-portable-devel/files/patch-sshd_config.5 Tue Jun 2 15:00:43 2015 (r388363) @@ -1,6 +1,6 @@ ---- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 -+++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500 -@@ -304,7 +304,9 @@ By default, no banner is displayed. +--- sshd_config.5.orig 2015-05-29 03:27:21.000000000 -0500 ++++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500 +@@ -375,7 +375,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in @@ -11,7 +11,7 @@ The default is .Dq yes . .It Cm ChrootDirectory -@@ -977,7 +979,22 @@ are refused if the number of unauthentic +@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -34,12 +34,10 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1023,7 +1040,14 @@ The argument must be - or +@@ -1158,6 +1175,13 @@ or .Dq no . The default is --.Dq yes . -+.Dq no . + .Dq no . +Note that if +.Cm ChallengeResponseAuthentication +is @@ -50,7 +48,7 @@ .Pp If this option is set to .Dq without-password , -@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as +@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication 
@@ -61,7 +59,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run +@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is @@ -70,7 +68,7 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1365,7 +1391,10 @@ restrictions. +@@ -1520,7 +1546,10 @@ restrictions. Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is @@ -82,7 +80,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1379,7 +1408,7 @@ The argument must be +@@ -1534,7 +1563,7 @@ The argument must be or .Dq no . The default is Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Tue Jun 2 14:58:24 2015 (r388362) +++ head/security/openssh-portable/Makefile Tue Jun 2 15:00:43 2015 (r388363) @@ -15,7 +15,7 @@ COMMENT= The portable version of OpenBSD #LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style #LICENSE_FILE= ${WRKSRC}/LICENCE -CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* +CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* USES= alias USE_AUTOTOOLS= autoconf autoheader
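Review bot: In the first hunk of head/security/openssh-portable-devel/Makefile, the new CONFLICTS glob openssh-portable-* also matches this port's own package name, because PORTNAME=openssh with PKGNAMESUFFIX -portable-devel gives openssh-portable-devel-20150602. If the intent is to conflict only with the release port, a narrower pattern such as openssh-portable-[0-9]* says so directly. PORTREVISION= 0 can also simply be dropped rather than set to zero.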
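Review bot: The new post-extract target in head/security/openssh-portable-devel/Makefile calls bare mv. Ports targets normally go through the command variables, so this would read @${MV} ${WRKDIR}/${PORTNAME} ${WRKSRC}. A short comment explaining that the snapshot tarball unpacks to ${PORTNAME} rather than ${PORTNAME}-SNAP would also help whoever updates DISTVERSION next.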
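Review bot: In the distinfo hunk, the SHA256 for openssh-SNAP-20150602.tar.gz is the only integrity check on a tarball that the Makefile now fetches over plain http from www.mindrot.org/openssh_snap/, so the log should say how the tarball was verified before its hash was recorded. The same hunk keeps openssh-6.8p1-sctp-2573.patch.gz and openssh-6.8p1+x509-8.3.diff.gz, which are named for 6.8p1, while dropping the gsskex entry. Please confirm those optional patches still apply to the snapshot, or mark the corresponding options as broken in the devel port.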
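Review bot: In the compat.h part of extra-patch-hpn, SSH_BUG_LARGEWINDOW moves to 0x80000000 because SSH_BUG_DHGEX_LARGE now occupies 0x40000000. That is the top bit of a 32-bit flag word and the last free value in this sequence, so the next SSH_BUG_* flag added upstream will collide with it. It is worth a comment next to the define, and worth checking that the variable these flags are stored and tested in is unsigned so the high bit behaves as a plain flag.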
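Review bot: The hunks in patch-servconf.c and patch-sshd_config drop the local PermitRootLogin override (PERMIT_YES to PERMIT_NO, and #PermitRootLogin yes to no) without a word in the commit log. The sshd_config.5 hunk now shows .Dq no . as unchanged context, which suggests the snapshot already defaults to no, but this is a security-relevant default and the log should state that explicitly. Please confirm that fill_default_server_options() in the snapshot sets PERMIT_NO, so the devel port cannot silently fall back to permitting root login if a later snapshot changes the default.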