From owner-svn-ports-all@FreeBSD.ORG Sun Oct 13 02:20:09 2013 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 6E513940; Sun, 13 Oct 2013 02:20:09 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 4CEA82BAA; Sun, 13 Oct 2013 02:20:09 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r9D2K94s025786; Sun, 13 Oct 2013 02:20:09 GMT (envelope-from bdrewery@svn.freebsd.org) Received: (from bdrewery@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r9D2K7L5025771; Sun, 13 Oct 2013 02:20:07 GMT (envelope-from bdrewery@svn.freebsd.org) Message-Id: <201310130220.r9D2K7L5025771@svn.freebsd.org> From: Bryan Drewery Date: Sun, 13 Oct 2013 02:20:07 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r330200 - in head/security/openssh-portable: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Oct 2013 02:20:09 -0000 Author: bdrewery Date: Sun Oct 13 02:20:07 2013 New Revision: 330200 URL: http://svnweb.freebsd.org/changeset/ports/330200 Log: - Update to 6.3p1 Changelog: http://www.openssh.org/txt/release-6.3 - Use options helpers where possible - Use upstream patch mirror for x509 and HPN - Update HPN patch to v14 and use upstream version - Add option NONECIPHER to allow disabling NONE in HPN patch - Update x509 patch from 7.4.1 to 7.6 - Add support for LDNS and enable by it and VerifyHostKeyDNS/SSHFP by default. See http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007180.html which describes this change, but is supported on releases before 10 as well with LDNS option. - Update SCTP to patchlevel 2329 - Update recommendation on secure usage of SSH - Add pkg-message warning about ECDSA key possibly being incorrect due to previously being written as DSA by the rc script and fixed in r299902 in 2012 Added: head/security/openssh-portable/files/extra-patch-hpn-build-options (contents, props changed) head/security/openssh-portable/files/extra-patch-hpn-no-hpn (contents, props changed) head/security/openssh-portable/files/extra-patch-ldns (contents, props changed) Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/patch-session.c head/security/openssh-portable/files/patch-ssh-agent.c head/security/openssh-portable/pkg-message head/security/openssh-portable/pkg-plist Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Sun Oct 13 02:01:16 2013 (r330199) +++ head/security/openssh-portable/Makefile Sun Oct 13 02:20:07 2013 (r330200) @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.2p2 -PORTREVISION= 5 +DISTVERSION= 6.3p1 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -33,8 +32,8 @@ MAKE_ENV+= SUDO="${SUDO}" OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN LPK X509 KERB_GSSAPI \ - OVERWRITE_BASE SCTP AES_THREADED -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN + OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support @@ -42,18 +41,84 @@ BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LPK_DESC= LDAP Public Key (LPK) [OBSOLETE] +LDNS_DESC= SSHFP/LDNS support X509_DESC= x509 certificate patch SCTP_DESC= SCTP support OVERWRITE_BASE_DESC= OpenSSH overwrite base HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) -AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental] +AES_THREADED_DESC= Threaded AES-CTR +NONECIPHER_DESC= NONE Cipher support +OPTIONS_SUB= yes PLIST_SUB+= MANPREFIX=${MANPREFIX} +LDNS_CONFIGURE_WITH= ldns +LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns +LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns +LDNS_CFLAGS= -I${LOCALBASE}/include +LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' + +# http://www.psc.edu/index.php/hpn-ssh +HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size +HPN_CONFIGURE_WITH= hpn +NONECIPHER_CONFIGURE_WITH= nonecipher +AES_THREADED_CONFIGURE_WITH= aes-threaded + +# See http://code.google.com/p/openssh-lpk/wiki/Main +# and svn repo described here: +# http://code.google.com/p/openssh-lpk/source/checkout +# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1 +LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz +LPK_CPPFLAGS= -I${LOCALBASE}/include +LPK_CONFIGURE_ON= --with-ldap=yes \ + --with-ldflags='-L${LOCALBASE}/lib' \ + --with-cppflags='${CPPFLAGS}' +LPK_USE= OPENLDAP=yes + +# See http://www.roumenpetrov.info/openssh/ +X509_VERSION= 7.6 +X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 +X509_PATCHFILES= ${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509 + +# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 +SCTP_PATCHFILES= ${PORTNAME}-sctp-2329.patch.gz +SCTP_CONFIGURE_WITH= sctp + +# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/ +KERB_GSSAPI_PATCHFILES= openssh-6.3p1-gsskex-all-20110125.patch.gz + + +MIT_LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5 +HEIMDAL_LIB_DEPENDS= krb5.26:${PORTSDIR}/security/heimdal + +PAM_CONFIGURE_WITH= pam +TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers + +LIBEDIT_CONFIGURE_WITH= libedit +BSM_CONFIGURE_ON= --with-audit=bsm + + +PORTDOCS= * + .include +# http://www.psc.edu/index.php/hpn-ssh +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} +HPN_VERSION= 14v2 +PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/} +PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${DISTVERSION}/:hpn +PATCHFILES+= ${PORTNAME}-${DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options +# Remove HPN if only AES requested +. if !${PORT_OPTIONS:MHPN} +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn +. endif +.endif + +PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn + .if ${OSVERSION} >= 900000 CONFIGURE_LIBS+= -lutil .endif @@ -66,14 +131,10 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch .endif .if ${PORT_OPTIONS:MX509} -. if ${PORT_OPTIONS:MHPN} +. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MAES_THREADED} -BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together -. endif - . if ${PORT_OPTIONS:MSCTP} BROKEN= X509 patch and SCTP patch do not apply cleanly together . endif @@ -92,44 +153,30 @@ BROKEN= X509 patch incompatible with KE BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif -.if defined(OPENSSH_OVERWRITE_BASE) -PORT_OPTIONS+= OVERWRITE_BASE -.endif - -.if ${PORT_OPTIONS:MPAM} && exists(/usr/include/security/pam_modules.h) -CONFIGURE_ARGS+= --with-pam +.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) +IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base .endif -.if ${PORT_OPTIONS:MTCP_WRAPPERS} && exists(/usr/include/tcpd.h) -CONFIGURE_ARGS+= --with-tcp-wrappers +.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h) +IGNORE= Pam must be installed in base .endif -.if ${PORT_OPTIONS:MLIBEDIT} -CONFIGURE_ARGS+= --with-libedit +.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h) +IGNORE= Required /usr/include/tcpd.h missing .endif -.if ${PORT_OPTIONS:MBSM} -CONFIGURE_ARGS+= --with-audit=bsm +.if defined(OPENSSH_OVERWRITE_BASE) +PORT_OPTIONS+= OVERWRITE_BASE .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} -CONFIGURE_ARGS+= --with-kerberos5 -. if ${PORT_OPTIONS:MMIT} -LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5 -. elif ${PORT_OPTIONS:MHEIMDAL} -LIB_DEPENDS+= krb5.26:${PORTSDIR}/security/heimdal -. elif ${PORT_OPTIONS:MHEIMDAL_BASE} -. if !exists(/usr/lib/libkrb5.so) -IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base -. else +. if ${PORT_OPTIONS:MHEIMDAL_BASE} +. if ${PORT_OPTIONS:MKERB_GSSAPI} CONFIGURE_LIBS+= -lgssapi_krb5 -. endif -. endif - -# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/ -. if ${PORT_OPTIONS:MKERB_GSSAPI} -PATCHFILES+= openssh-6.2p2-gsskex-all-20110125-2.patch.gz -PATCH_DIST_STRIP= +. endif +CONFIGURE_ARGS+= --with-kerberos5=/usr +. else +CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath @@ -145,52 +192,10 @@ IGNORE= KERB_GSSAPI requires one of MIT CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif -# http://www.psc.edu/index.php/hpn-ssh -.if ${PORT_OPTIONS:MHPN} -HPN_VERSION= 13v14 -PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size -PATCH_DIST_STRIP= -.endif - -# http://www.psc.edu/index.php/hpn-ssh -.if ${PORT_OPTIONS:MAES_THREADED} -AES_THREADED_VERSION= v14 -PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz -PATCH_DIST_STRIP= -.endif - -# See http://code.google.com/p/openssh-lpk/wiki/Main -# and svn repo described here: -# http://code.google.com/p/openssh-lpk/source/checkout -# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1 .if ${PORT_OPTIONS:MLPK} -PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz -USE_OPENLDAP= yes -CPPFLAGS+= -I${LOCALBASE}/include -CONFIGURE_ARGS+= --with-ldap=yes \ - --with-ldflags='-L${LOCALBASE}/lib' \ - --with-cppflags='${CPPFLAGS}' CONFIGURE_LIBS+= -lldap .endif -# See http://www.roumenpetrov.info/openssh/ -.if ${PORT_OPTIONS:MX509} -X509_VERSION= 7.4.1 -PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509 -PATCH_DIST_STRIP= -p1 -PLIST_SUB+= X509="" -.else -PLIST_SUB+= X509="@comment " -.endif - -# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -.if ${PORT_OPTIONS:MSCTP} -PATCHFILES+= ${PORTNAME}-sctp-2163.patch.gz -CONFIGURE_ARGS+= --with-sctp -.endif - EMPTYDIR= /var/empty .if ${PORT_OPTIONS:MOVERWRITE_BASE} @@ -201,17 +206,14 @@ NO_MTREE= yes ETCSSH= /etc/ssh USE_RCORDER= openssh PLIST_SUB+= NOTBASE="@comment " -PLIST_SUB+= BASE="" PLIST_SUB+= BASEPREFIX="${PREFIX}" .else ETCSSH= ${PREFIX}/etc/ssh USE_RC_SUBR= openssh PLIST_SUB+= NOTBASE="" -PLIST_SUB+= BASE="@comment " .endif # After all -PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509 SUB_LIST+= ETCSSH="${ETCSSH}" CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) @@ -222,7 +224,10 @@ RC_SCRIPT_NAME= openssh post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure - @${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in + @${REINPLACE_CMD} \ + -e 's|install: \(.*\) host-key check-config|install: \1|g' \ + -e 's|-lpthread|${PTHREAD_LIBS}|' \ + ${WRKSRC}/Makefile.in @${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \ ${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \ ${WRKSRC}/ssh_config.5 @@ -252,6 +257,10 @@ pre-install: post-install: ${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist ${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} + ${MKDIR} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} +.endif test: build (cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \ Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Sun Oct 13 02:01:16 2013 (r330199) +++ head/security/openssh-portable/distinfo Sun Oct 13 02:20:07 2013 (r330200) @@ -1,14 +1,12 @@ -SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b -SIZE (openssh-6.2p2.tar.gz) = 1182922 -SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b -SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984 -SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9 -SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908 -SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae -SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496 -SHA256 (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 597634f1a9e624b928f0ae647ec2ffba641f94a3ecad1161bce8fb2512c476b8 -SIZE (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 24205 -SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24 -SIZE (openssh-lpk-6.2p1.patch.gz) = 17881 -SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03 -SIZE (openssh-sctp-2163.patch.gz) = 6764 +SHA256 (openssh-6.3p1.tar.gz) = aea575ededd3ebd45c05d42d0a87af22c79131a847ea440c54e3fdd223f5a420 +SIZE (openssh-6.3p1.tar.gz) = 1201101 +SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca +SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450 +SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460 +SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962 +SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767 +SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486 +SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1 +SIZE (openssh-lpk-6.3p1.patch.gz) = 17815 +SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb +SIZE (openssh-sctp-2329.patch.gz) = 8706 Added: head/security/openssh-portable/files/extra-patch-hpn-build-options ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-hpn-build-options Sun Oct 13 02:20:07 2013 (r330200) @@ -0,0 +1,142 @@ +--- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500 ++++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500 +@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co + } + } + ++#ifdef AES_THREADED + /* if we are using aes-ctr there can be issues in either a fork or sandbox + * so the initial aes-ctr is defined to point to the original single process + * evp. After authentication we'll be past the fork and the sandboxed privsep +@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co + cipher_reset_multithreaded(); + packet_request_rekeying(); + } ++#endif + + debug("Authentication succeeded (%s).", authctxt.method->name); + } +--- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500 ++++ sshd.c 2013-10-11 08:53:25.929132033 -0500 +@@ -2186,6 +2186,7 @@ main(int ac, char **av) + + /* Start session. */ + ++#ifdef AES_THREADED + /* if we are using aes-ctr there can be issues in either a fork or sandbox + * so the initial aes-ctr is defined to point ot the original single process + * evp. After authentication we'll be past the fork and the sandboxed privsep +@@ -2201,6 +2202,7 @@ main(int ac, char **av) + cipher_reset_multithreaded(); + packet_request_rekeying(); + } ++#endif + + do_authenticated(authctxt); + +--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500 ++++ readconf.c 2013-10-11 09:19:12.295135966 -0500 +@@ -251,12 +251,16 @@ static struct { + { "kexalgorithms", oKexAlgorithms }, + { "ipqos", oIPQoS }, + { "requesttty", oRequestTTY }, ++#ifdef NONECIPHER + { "noneenabled", oNoneEnabled }, + { "noneswitch", oNoneSwitch }, ++#endif ++#ifdef HPN + { "tcprcvbufpoll", oTcpRcvBufPoll }, + { "tcprcvbuf", oTcpRcvBuf }, + { "hpndisabled", oHPNDisabled }, + { "hpnbuffersize", oHPNBufferSize }, ++#endif + { "ignoreunknown", oIgnoreUnknown }, + + { NULL, oBadOption } +@@ -1417,12 +1421,20 @@ fill_default_options(Options * options) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) + options->server_alive_count_max = 3; ++#ifdef NONECIPHER + if (options->none_switch == -1) ++#endif + options->none_switch = 0; ++#ifdef NONECIPHER + if (options->none_enabled == -1) ++#endif + options->none_enabled = 0; ++#ifdef HPN + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; ++#else ++ options->hpn_disabled = 1; ++#endif + if (options->hpn_buffer_size > -1) + { + /* if a user tries to set the size to 0 set it to 1KB */ +--- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500 ++++ servconf.c 2013-10-11 09:25:50.777137928 -0500 +@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption + options->permit_tun = SSH_TUNMODE_NO; + if (options->zero_knowledge_password_authentication == -1) + options->zero_knowledge_password_authentication = 0; ++#ifdef NONECIPHER + if (options->none_enabled == -1) ++#endif + options->none_enabled = 0; ++#ifdef HPN + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; ++#else ++ options->hpn_disabled = 1; ++#endif + + if (options->hpn_buffer_size == -1) { + /* option not explicitly set. Now we have to figure out */ +--- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500 ++++ configure.ac 2013-10-12 17:18:35.610130039 -0500 +@@ -3968,6 +3968,34 @@ + ] + ) # maildir + ++#check whether user wants HPN support ++HPN_MSG="no" ++AC_ARG_WITH(hpn, ++ [ --with-hpn Enable HPN support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(HPN,1,[Define if you want HPN support.]) ++ HPN_MSG="yes" ++ fi ] ++) ++#check whether user wants NONECIPHER support ++NONECIPHER_MSG="no" ++AC_ARG_WITH(nonecipher, ++ [ --with-nonecipher Enable NONECIPHER support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.]) ++ NONECIPHER_MSG="yes" ++ fi ] ++) ++#check whether user wants AES_THREADED support ++AES_THREADED_MSG="no" ++AC_ARG_WITH(aes-threaded, ++ [ --with-aes-threaded Enable AES_THREADED support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.]) ++ AES_THREADED_MSG="yes" ++ fi ] ++) ++ + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) + disable_ptmx_check=yes +@@ -4636,6 +4664,9 @@ + echo " BSD Auth support: $BSD_AUTH_MSG" + echo " Random number source: $RAND_MSG" + echo " Privsep sandbox style: $SANDBOX_STYLE" ++echo " HPN support: $HPN_MSG" ++echo " NONECIPHER support: $NONECIPHER_MSG" ++echo " AES_THREADED support: $AES_THREADED_MSG" + + echo "" + Added: head/security/openssh-portable/files/extra-patch-hpn-no-hpn ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-hpn-no-hpn Sun Oct 13 02:20:07 2013 (r330200) @@ -0,0 +1,32 @@ +--- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500 ++++ sshd_config 2013-10-12 06:40:06.646129924 -0500 +@@ -125,20 +125,6 @@ + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server + +-# the following are HPN related configuration options +-# tcp receive buffer polling. disable in non autotuning kernels +-#TcpRcvBufPoll yes +- +-# disable hpn performance boosts +-#HPNDisabled no +- +-# buffer size for hpn to non-hpn connections +-#HPNBufferSize 2048 +- +- +-# allow the use of the none cipher +-#NoneEnabled no +- + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +--- version.h.orig 2013-10-12 06:42:19.578133368 -0500 ++++ version.h 2013-10-12 06:42:28.581136160 -0500 +@@ -3,5 +3,4 @@ + #define SSH_VERSION "OpenSSH_6.3" + + #define SSH_PORTABLE "p1" +-#define SSH_HPN "-hpn14v2" +-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN ++#define SSH_RELEASE SSH_VERSION SSH_PORTABLE Added: head/security/openssh-portable/files/extra-patch-ldns ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-ldns Sun Oct 13 02:20:07 2013 (r330200) @@ -0,0 +1,51 @@ +r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines +Changed paths: + M /head/crypto/openssh/readconf.c + M /head/crypto/openssh/ssh_config + M /head/crypto/openssh/ssh_config.5 + +Change the default value of VerifyHostKeyDNS to "yes" if compiled with +LDNS. With that setting, OpenSSH will silently accept host keys that +match verified SSHFP records. If an SSHFP record exists but could not +be verified, OpenSSH will print a message and prompt the user as usual. + +--- readconf.c 2013-10-03 08:15:03.496131082 -0500 ++++ readconf.c 2013-10-03 08:15:22.716134315 -0500 +@@ -1414,8 +1414,14 @@ fill_default_options(Options * options) + options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; ++#if HAVE_LDNS ++ if (options->verify_host_key_dns == -1) ++ /* automatically trust a verified SSHFP record */ ++ options->verify_host_key_dns = 1; ++#else + if (options->verify_host_key_dns == -1) + options->verify_host_key_dns = 0; ++#endif + if (options->server_alive_interval == -1) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) +--- ssh_config 2013-10-03 08:15:03.537131330 -0500 ++++ ssh_config 2013-10-03 08:15:22.755131175 -0500 +@@ -44,5 +44,6 @@ + # TunnelDevice any:any + # PermitLocalCommand no + # VisualHostKey no ++# VerifyHostKeyDNS yes + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h +--- ssh_config.5 2013-10-03 08:15:03.621130815 -0500 ++++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500 +@@ -1246,7 +1246,10 @@ The argument must be + or + .Dq ask . + The default is +-.Dq no . ++.Dq yes ++if compiled with LDNS and ++.Dq no ++otherwise. + Note that this option applies to protocol version 2 only. + .Pp + See also VERIFYING HOST KEYS in Modified: head/security/openssh-portable/files/patch-session.c ============================================================================== --- head/security/openssh-portable/files/patch-session.c Sun Oct 13 02:01:16 2013 (r330199) +++ head/security/openssh-portable/files/patch-session.c Sun Oct 13 02:20:07 2013 (r330200) @@ -41,8 +41,8 @@ + LOGIN_SETENV|LOGIN_SETPATH); + copy_environment(environ, &env, &envsize); + for (var = environ; *var != NULL; ++var) -+ xfree(*var); -+ xfree(environ); ++ free(*var); ++ free(environ); + environ = senv; #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN Modified: head/security/openssh-portable/files/patch-ssh-agent.c ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.c Sun Oct 13 02:01:16 2013 (r330199) +++ head/security/openssh-portable/files/patch-ssh-agent.c Sun Oct 13 02:20:07 2013 (r330200) @@ -90,13 +90,3 @@ disconnected. default: usage(); } -@@ -1348,8 +1376,7 @@ - if (ac > 0) - parent_alive_interval = 10; - idtab_init(); -- if (!d_flag) -- signal(SIGINT, SIG_IGN); -+ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); - signal(SIGPIPE, SIG_IGN); - signal(SIGHUP, cleanup_handler); - signal(SIGTERM, cleanup_handler); Modified: head/security/openssh-portable/pkg-message ============================================================================== --- head/security/openssh-portable/pkg-message Sun Oct 13 02:01:16 2013 (r330199) +++ head/security/openssh-portable/pkg-message Sun Oct 13 02:20:07 2013 (r330200) @@ -10,6 +10,6 @@ the base system. Please be aware of thi OpenSSH port, and if truly necessary, re-enable remote root login by readjusting this option in your sshd_config. -Users are encouraged to create single-purpose users with ssh keys -and very narrowly defined sudo privileges instead of using root -for automated tasks. +Users are encouraged to create single-purpose users with ssh keys, disable +Password auth with 'PasswordAuthentication no' and define very narrow sudo +privileges instead of using root for automated tasks. Modified: head/security/openssh-portable/pkg-plist ============================================================================== --- head/security/openssh-portable/pkg-plist Sun Oct 13 02:01:16 2013 (r330199) +++ head/security/openssh-portable/pkg-plist Sun Oct 13 02:20:07 2013 (r330200) @@ -12,14 +12,15 @@ bin/ssh-keyscan %%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi %%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi %%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi -%%BASE%%@cwd / +%%OVERWRITE_BASE%%@cwd / etc/ssh/ssh_config-dist etc/ssh/sshd_config-dist -%%BASE%%@cwd %%BASEPREFIX%% +%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%% %%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi %%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi %%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca %%NOTBASE%%@dirrmtry etc/ssh +@exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi sbin/sshd libexec/sftp-server libexec/ssh-keysign