Date: Mon, 16 Nov 2020 22:25:28 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r555518 - in head/security/openssh-portable: . files Message-ID: <202011162225.0AGMPSsf011234@repo.freebsd.org>
Author: bdrewery Date: Mon Nov 16 22:25:28 2020 New Revision: 555518 URL: https://svnweb.freebsd.org/changeset/ports/555518 Log: - Slightly reduce diff with base - No functional changes. PR: 223010 Submitted by: brnrd (earlier patch) Deleted: head/security/openssh-portable/files/patch-configure.ac Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/files/patch-auth2.c head/security/openssh-portable/files/patch-serverloop.c head/security/openssh-portable/files/patch-ssh_config.5 Modified: head/security/openssh-portable/Makefile ============================================================================== Modified: head/security/openssh-portable/files/patch-auth2.c ============================================================================== --- head/security/openssh-portable/files/patch-auth2.c Mon Nov 16 21:15:56 2020 (r555517) +++ head/security/openssh-portable/files/patch-auth2.c Mon Nov 16 22:25:28 2020 (r555518) 
@@ -5,41 +5,29 @@ Changed paths: Apply class-imposed login restrictions. ---- auth2.c.orig 2018-10-16 17:01:20.000000000 -0700 -+++ auth2.c 2018-11-10 11:35:07.816193000 -0800 -@@ -48,6 +48,7 @@ - #include "sshkey.h" - #include "hostfile.h" - #include "auth.h" -+#include "canohost.h" - #include "dispatch.h" - #include "pathnames.h" - #include "sshbuf.h" -@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct - char *user, *service, *method, *style = NULL; - int authenticated = 0; +--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ auth2.c 2020-11-16 13:55:25.222771000 -0800 +@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct + char *user = NULL, *service = NULL, *method = NULL, *style = NULL; + int r, authenticated = 0; double tstart = monotime_double(); +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; - -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); +#endif -+ + if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); - -@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct - "(%s,%s) -> (%s,%s)", +@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct + "not allowed: (%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (authctxt->pw != NULL && ++ (lc = login_getpwclass(authctxt->pw)) != NULL) { ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); + if (!auth_hostok(lc, from_host, from_ip)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); 
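Review bot: The new condition `(lc = login_getpwclass(authctxt->pw)) != NULL` makes a NULL return from login_getpwclass() skip the class-imposed auth_hostok() check (and, judging by the disconnect message in the next hunk, the time-of-day check) without any log line, whereas the removed lines retried with login_getclassbyname(NULL, authctxt->pw) before applying the checks. Whether login_getpwclass() can return NULL when login.conf is readable is not visible here, but if it does (allocation failure, unreadable database) the restriction fails open silently, which contradicts the "no functional changes" note in the log. A minimal guard would be an else branch on the pw != NULL case, e.g. `} else if (authctxt->pw != NULL) logit("login_getpwclass failed for %.200s", authctxt->pw->pw_name);`, so the skipped check is at least auditable. The enclosing input_userauth_request() starts and ends outside the hunk.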
@@ -51,7 +39,6 @@ Apply class-imposed login restrictions. + ssh_packet_disconnect(ssh, "Logins not available right now."); + } + login_close(lc); -+ lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ + Modified: head/security/openssh-portable/files/patch-serverloop.c ============================================================================== --- head/security/openssh-portable/files/patch-serverloop.c Mon Nov 16 21:15:56 2020 (r555517) +++ head/security/openssh-portable/files/patch-serverloop.c Mon Nov 16 22:25:28 2020 (r555518) @@ -6,12 +6,13 @@ Changed paths: Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. Submitted upstream, no reaction. -Submitted by: delphij@ -[rewritten for 7.4 by bdrewery@] +Submitted by: delphij +[rewritten for 7.4 by bdrewery] +[base removed this in 7.8 but it is still useful - bdrewery] ---- serverloop.c.orig 2018-11-10 11:38:16.728617000 -0800 -+++ serverloop.c 2018-11-10 11:38:19.497300000 -0800 -@@ -55,6 +55,8 @@ +--- serverloop.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ serverloop.c 2020-11-16 12:58:44.823775000 -0800 +@@ -56,6 +56,8 @@ #include <unistd.h> #include <stdarg.h> 
@@ -20,24 +21,32 @@ Submitted by: delphij@ #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "packet.h" -@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid) - { - if (use_privsep) - return 1; /* allow system to decide */ -- if (port < IPPORT_RESERVED && uid != 0) -+ int ipport_reserved; +@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *); + /* requested tunnel forwarding interface(s), shared with session.c */ + char *tun_fwd_ifnames = NULL; + ++static int ++ipport_reserved(void) ++{ +#ifdef __FreeBSD__ -+ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ int old; ++ size_t len = sizeof(old); + + if (sysctlbyname("net.inet.ip.portrange.reservedhigh", -+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) -+ ipport_reserved = IPPORT_RESERVED; -+ else -+ ipport_reserved++; -+#else -+ ipport_reserved = IPPORT_RESERVED; ++ &old, &len, NULL, 0) == 0) ++ return (old + 1); +#endif -+ if (port < ipport_reserved && uid != 0) ++ return (IPPORT_RESERVED); ++} ++ + /* returns 1 if bind to specified port by specified user is permitted */ + static int + bind_permitted(int port, uid_t uid) + { + if (use_privsep) + return 1; /* allow system to decide */ +- if (port < IPPORT_RESERVED && uid != 0) ++ if (port < ipport_reserved() && uid != 0) return 0; return 1; } Modified: head/security/openssh-portable/files/patch-ssh_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-ssh_config.5 Mon Nov 16 21:15:56 2020 (r555517) +++ head/security/openssh-portable/files/patch-ssh_config.5 Mon Nov 16 22:25:28 2020 (r555518) 
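Review bot: The new ipport_reserved() helper has no comment explaining why it returns `old + 1` on success but `IPPORT_RESERVED` on the fallback path; a reader has to know that net.inet.ip.portrange.reservedhigh is the last reserved port (inclusive) while bind_permitted() compares with `<`. Suggest a header comment such as `/* Upper bound (exclusive) of the privileged port range: reservedhigh + 1 on FreeBSD, IPPORT_RESERVED when the sysctl is unavailable. */` above the definition. It is also worth noting in that comment that the sysctl is re-read on every bind_permitted() call and that a failed sysctlbyname() silently falls back to 1024, since an operator who lowered reservedhigh to let unprivileged users bind low ports would not see why the old limit is being enforced.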
@@ -4,9 +4,9 @@ r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Ju Document the FreeBSD default for CheckHostIP, which was changed in rev 1.2 of readconf.c. ---- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600 -+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600 -@@ -377,8 +377,7 @@ or +--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800 ++++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800 +@@ -420,8 +420,7 @@ or .Cm no . .It Cm CheckHostIP If set to @@ -16,11 +16,12 @@ rev 1.2 of readconf.c. .Xr ssh 1 will additionally check the host IP address in the .Pa known_hosts -@@ -390,6 +389,7 @@ in the process, regardless of the settin - .Cm StrictHostKeyChecking . +@@ -434,6 +433,8 @@ in the process, regardless of the setting of If the option is set to .Cm no , -+(the default), the check will not be executed. - .It Cm Cipher - Specifies the cipher to use for encrypting the session ++The default is ++.Cm no . + .It Cm Ciphers + Specifies the ciphers allowed and their order of preference. + Multiple ciphers must be comma-separated.