From: Bryan Drewery
Date: Mon, 16 Nov 2020 22:25:28 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r555518 - in head/security/openssh-portable: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: bdrewery
X-SVN-Commit-Paths: in head/security/openssh-portable: . files
X-SVN-Commit-Revision: 555518
X-SVN-Commit-Repository: ports

Author: bdrewery
Date: Mon Nov 16 22:25:28 2020
New Revision: 555518

URL: https://svnweb.freebsd.org/changeset/ports/555518

Log:
  - Slightly reduce diff with base
  - No functional changes.

  PR:           223010
  Submitted by: brnrd (earlier patch)

Deleted:
  head/security/openssh-portable/files/patch-configure.ac
Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/patch-auth2.c
  head/security/openssh-portable/files/patch-serverloop.c
  head/security/openssh-portable/files/patch-ssh_config.5

Modified: head/security/openssh-portable/Makefile
==============================================================================

Modified: head/security/openssh-portable/files/patch-auth2.c
==============================================================================
--- head/security/openssh-portable/files/patch-auth2.c  Mon Nov 16 21:15:56 2020  (r555517)
+++ head/security/openssh-portable/files/patch-auth2.c  Mon Nov 16 22:25:28 2020  (r555518)
@@ -5,41 +5,29 @@ Changed paths: Apply class-imposed login restrictions. ---- auth2.c.orig 2018-10-16 17:01:20.000000000 -0700 -+++ auth2.c 2018-11-10 11:35:07.816193000 -0800 -@@ -48,6 +48,7 @@ - #include "sshkey.h" - #include "hostfile.h" - #include "auth.h" -+#include "canohost.h" - #include "dispatch.h" - #include "pathnames.h" - #include "sshbuf.h" -@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct - char *user, *service, *method, *style = NULL; - int authenticated = 0; +--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ auth2.c 2020-11-16 13:55:25.222771000 -0800 +@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct + char *user = NULL, *service = NULL, *method = NULL, *style = NULL; + int r, authenticated = 0; double tstart = monotime_double(); +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; - -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); +#endif -+ + if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); - -@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct - "(%s,%s) -> (%s,%s)", +@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct + "not allowed: (%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (authctxt->pw != NULL && ++ (lc = login_getpwclass(authctxt->pw)) != NULL) { ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); + if (!auth_hostok(lc, from_host, from_ip)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); 
@@ -51,7 +39,6 @@ Apply class-imposed login restrictions. + ssh_packet_disconnect(ssh, "Logins not available right now."); + } + login_close(lc); -+ lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ + Modified: head/security/openssh-portable/files/patch-serverloop.c ============================================================================== --- head/security/openssh-portable/files/patch-serverloop.c Mon Nov 16 21:15:56 2020 (r555517) +++ head/security/openssh-portable/files/patch-serverloop.c Mon Nov 16 22:25:28 2020 (r555518) @@ -6,12 +6,13 @@ Changed paths: Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. Submitted upstream, no reaction. -Submitted by: delphij@ -[rewritten for 7.4 by bdrewery@] +Submitted by: delphij +[rewritten for 7.4 by bdrewery] +[base removed this in 7.8 but it is still useful - bdrewery] ---- serverloop.c.orig 2018-11-10 11:38:16.728617000 -0800 -+++ serverloop.c 2018-11-10 11:38:19.497300000 -0800 -@@ -55,6 +55,8 @@ +--- serverloop.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ serverloop.c 2020-11-16 12:58:44.823775000 -0800 +@@ -56,6 +56,8 @@ #include #include 
@@ -20,24 +21,32 @@ Submitted by: delphij@ #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "packet.h" -@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid) - { - if (use_privsep) - return 1; /* allow system to decide */ -- if (port < IPPORT_RESERVED && uid != 0) -+ int ipport_reserved; +@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *); + /* requested tunnel forwarding interface(s), shared with session.c */ + char *tun_fwd_ifnames = NULL; + ++static int ++ipport_reserved(void) ++{ +#ifdef __FreeBSD__ -+ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ int old; ++ size_t len = sizeof(old); + + if (sysctlbyname("net.inet.ip.portrange.reservedhigh", -+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) -+ ipport_reserved = IPPORT_RESERVED; -+ else -+ ipport_reserved++; -+#else -+ ipport_reserved = IPPORT_RESERVED; ++ &old, &len, NULL, 0) == 0) ++ return (old + 1); +#endif -+ if (port < ipport_reserved && uid != 0) ++ return (IPPORT_RESERVED); ++} ++ + /* returns 1 if bind to specified port by specified user is permitted */ + static int + bind_permitted(int port, uid_t uid) + { + if (use_privsep) + return 1; /* allow system to decide */ +- if (port < IPPORT_RESERVED && uid != 0) ++ if (port < ipport_reserved() && uid != 0) return 0; return 1; } Modified: head/security/openssh-portable/files/patch-ssh_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-ssh_config.5 Mon Nov 16 21:15:56 2020 (r555517) +++ head/security/openssh-portable/files/patch-ssh_config.5 Mon Nov 16 22:25:28 2020 (r555518) 
@@ -4,9 +4,9 @@ r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Ju Document the FreeBSD default for CheckHostIP, which was changed in rev 1.2 of readconf.c. ---- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600 -+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600 -@@ -377,8 +377,7 @@ or +--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800 ++++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800 +@@ -420,8 +420,7 @@ or .Cm no . .It Cm CheckHostIP If set to @@ -16,11 +16,12 @@ rev 1.2 of readconf.c. .Xr ssh 1 will additionally check the host IP address in the .Pa known_hosts -@@ -390,6 +389,7 @@ in the process, regardless of the settin - .Cm StrictHostKeyChecking . +@@ -434,6 +433,8 @@ in the process, regardless of the setting of If the option is set to .Cm no , -+(the default), the check will not be executed. - .It Cm Cipher - Specifies the cipher to use for encrypting the session ++The default is ++.Cm no . + .It Cm Ciphers + Specifies the ciphers allowed and their order of preference. + Multiple ciphers must be comma-separated.
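Review bot: the rewritten HAVE_LOGIN_CAP block in the @@ -5,41 +5,29 @@ hunk of patch-auth2.c fails open when login_getpwclass() returns NULL. The old patch fell back to login_getclassbyname(NULL, authctxt->pw); the new condition "if (authctxt->pw != NULL && (lc = login_getpwclass(authctxt->pw)) != NULL)" simply skips auth_hostok() and the login-time checks, so a class lookup failure lets the connection proceed without the class-imposed restrictions. Since the log message claims no functional change, either keep the fallback or fail closed (treat a NULL lc as a denial and log it) so a broken login.conf cannot silently disable the check. Moving auth_get_canonical_hostname() and ssh_remote_ipaddr() inside the block is fine: the DNS-dependent lookup is now only done when a class is actually being checked.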
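Review bot: the new ipport_reserved() helper in the @@ -20,24 +21,32 @@ hunk of patch-serverloop.c needs a comment stating its contract, because it returns an exclusive bound (reservedhigh + 1, matching the "port < ipport_reserved()" test in bind_permitted()) and it silently falls back to IPPORT_RESERVED whenever sysctlbyname("net.inet.ip.portrange.reservedhigh", ...) fails, which on a host where the administrator has moved the reserved range would quietly enforce the wrong boundary. A debug() on the sysctl failure path would make that visible in the sshd log. The helper also issues the sysctl on every bind_permitted() call; the old inline code did the same, so this is not a regression, and re-reading is the safer choice since reservedhigh can be changed at runtime.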
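Review bot: as rendered, the @@ -16,11 +16,12 @@ hunk of patch-ssh_config.5 inserts "The default is" / ".Cm no ." directly after the context line ".Cm no ,", which would leave the sentence "If the option is set to no," without its clause. The inner header @@ -434,6 +433,8 @@ counts six old lines but only five are visible here, so one context line (presumably the one completing that sentence) was lost in this rendering; verify against the committed patch file that the resulting manpage text still reads as a complete sentence before "The default is no."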