From owner-svn-ports-head@FreeBSD.ORG Fri May 17 19:47:38 2013 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 610525B2; Fri, 17 May 2013 19:47:38 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 523D6261; Fri, 17 May 2013 19:47:38 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r4HJlcQU093916; Fri, 17 May 2013 19:47:38 GMT (envelope-from bdrewery@svn.freebsd.org) Received: (from bdrewery@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r4HJlZrb093893; Fri, 17 May 2013 19:47:35 GMT (envelope-from bdrewery@svn.freebsd.org) Message-Id: <201305171947.r4HJlZrb093893@svn.freebsd.org> From: Bryan Drewery Date: Fri, 17 May 2013 19:47:35 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r318400 - in head/security/openssh-portable: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 May 2013 19:47:38 -0000 Author: bdrewery Date: Fri May 17 19:47:35 2013 New Revision: 318400 URL: http://svnweb.freebsd.org/changeset/ports/318400 Log: - Update to 6.2p2 - The LPK patch has been updated but is obsolete, deprecated and untested. It has been replaced by AuthorizedKeysCommand - The upstream HPN's last update was for 6.1 and is mostly abandoned. The patch has had bugs since 5.9. I have reworked it and split into into HPN and AES_THREADED options. The debugging/logging part of the patch is incomplete. I may change the patch to more closely match our base version eventually. - The KERB_GSSAPI option has been removed as the patch has not been updated by upstream since 5.7 - sshd VersionAddendum is currently not working as intended; it will be fixed later to allow removing the port/pkg version. - Update our patchset to match latest base version - Bring in ssh-agent -x support from base - I incrementally updated the port from 5.8 up to 6.2p2 along with patches. You can find all of the versions at https://github.com/bdrewery/openssh Changes: http://www.openssh.com/txt/release-5.9 http://www.openssh.org/txt/release-6.0 http://www.openssh.org/txt/release-6.1 http://www.openssh.org/txt/release-6.2 http://www.openssh.org/txt/release-6.2p2 Added: head/security/openssh-portable/files/extra-patch-hpn-window-size (contents, props changed) head/security/openssh-portable/files/extra-patch-sshd-utmp-size (contents, props changed) head/security/openssh-portable/files/patch-ssh-agent.1 (contents, props changed) Deleted: head/security/openssh-portable/files/patch-auth1.c head/security/openssh-portable/files/patch-loginrec.c Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/patch-auth2.c head/security/openssh-portable/files/patch-readconf.c head/security/openssh-portable/files/patch-servconf.c head/security/openssh-portable/files/patch-session.c head/security/openssh-portable/files/patch-ssh-agent.c head/security/openssh-portable/files/patch-sshd.c head/security/openssh-portable/files/patch-sshd_config head/security/openssh-portable/files/patch-sshd_config.5 Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/Makefile Fri May 17 19:47:35 2013 (r318400) @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 5.8p2 -PORTREVISION= 5 +DISTVERSION= 6.2p2 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -20,9 +19,9 @@ MAN8= sftp-server.8 sshd.8 ssh-keysign.8 CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* -# XXX: ports/52706 will allow using DEFAULT,x509,gsskex here. +# XXX: ports/52706 will allow using DEFAULT,x509 here. PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/ \ - http://mirror.shatow.net/freebsd/${PORTNAME}/:x509,gsskex + http://mirror.shatow.net/freebsd/${PORTNAME}/:x509 USE_PERL5_BUILD= yes USE_AUTOTOOLS= autoconf autoheader @@ -40,22 +39,22 @@ SUDO?= # empty MAKE_ENV+= SUDO="${SUDO}" OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ - KERB_GSSAPI HPN LPK X509 \ - OVERWRITE_BASE SCTP -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS + HPN LPK X509 \ + OVERWRITE_BASE SCTP AES_THREADED +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= Enable tcp_wrappers support BSM_DESC= Enable OpenBSM Auditing -KERB_GSSAPI_DESC= Enable Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= Enable HPN-SSH patch -LPK_DESC= Enable LDAP Public Key (LPK) patch +LPK_DESC= Enable LDAP Public Key (LPK) [OBSOLETE] X509_DESC= Enable x509 certificate patch SCTP_DESC= Enable SCTP support OVERWRITE_BASE_DESC= OpenSSH overwrite base HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) +AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental] .include @@ -63,8 +62,11 @@ MIT_DESC= MIT Kerberos (security/krb5) CONFIGURE_LIBS+= -lutil .endif +# 900007 is when utmp(5) was removed and utmpx(3) added .if ${OSVERSION} >= 900007 CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog +.else +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size .endif .if ${PORT_OPTIONS:MX509} @@ -72,8 +74,8 @@ CONFIGURE_ARGS+= --disable-utmp --disabl BROKEN= X509 patch and HPN patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MKERB_GSSAPI} -BROKEN= X509 patch incompatible with KERB_GSSAPI patch +. if ${PORT_OPTIONS:MAES_THREADED} +BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together . endif . if ${PORT_OPTIONS:MSCTP} @@ -118,11 +120,6 @@ IGNORE= You have selected HEIMDAL_BASE CONFIGURE_LIBS+= -lgssapi_krb5 . endif . endif -.if ${PORT_OPTIONS:MKERB_GSSAPI} -PATCH_SITES+= http://www.sxw.org.uk/computing/patches/:gsskex -PATCHFILES+= openssh-5.7p1-gsskex-all-20110125.patch:gsskex -PATCH_DIST_STRIP= -.endif .if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty @@ -135,15 +132,25 @@ CONFIGURE_ARGS+= --with-ssl-dir=${OPENSS # http://www.psc.edu/index.php/hpn-ssh .if ${PORT_OPTIONS:MHPN} -PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz +HPN_VERSION= 13v14 +PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size +PATCH_DIST_STRIP= +.endif + +# http://www.psc.edu/index.php/hpn-ssh +.if ${PORT_OPTIONS:MAES_THREADED} +AES_THREADED_VERSION= v14 +PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz PATCH_DIST_STRIP= .endif # See http://code.google.com/p/openssh-lpk/wiki/Main # and svn repo described here: # http://code.google.com/p/openssh-lpk/source/checkout +# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1 .if ${PORT_OPTIONS:MLPK} -PATCHFILES+= ${PORTNAME}-lpk-5.8p2.patch.gz +PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz USE_OPENLDAP= yes CPPFLAGS+= -I${LOCALBASE}/include CONFIGURE_ARGS+= --with-ldap=yes \ @@ -154,8 +161,9 @@ CONFIGURE_LIBS+= -lldap # See http://www.roumenpetrov.info/openssh/ .if ${PORT_OPTIONS:MX509} -PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-7.0/:x509 -PATCHFILES+= ${PORTNAME}-5.8p1+x509-7.0.diff.gz:x509 +X509_VERSION= 7.4.1 +PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 +PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509 PATCH_DIST_STRIP= -p1 PLIST_SUB+= X509="" MAN5+= ssh_engine.5 Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/distinfo Fri May 17 19:47:35 2013 (r318400) @@ -1,12 +1,12 @@ -SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314 -SIZE (openssh-5.8p2.tar.gz) = 1115475 -SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7 -SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993 -SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b -SIZE (openssh-5.8p1+x509-7.0.diff.gz) = 184277 -SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) = bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359 -SIZE (openssh-5.7p1-gsskex-all-20110125.patch) = 91889 -SHA256 (openssh-lpk-5.8p2.patch.gz) = 718221d13a09fdf5be857cc4b349e61698c42ae47bd357bd5c83f331d490c6c7 -SIZE (openssh-lpk-5.8p2.patch.gz) = 17822 +SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b +SIZE (openssh-6.2p2.tar.gz) = 1182922 +SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b +SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984 +SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9 +SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908 +SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae +SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496 +SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24 +SIZE (openssh-lpk-6.2p1.patch.gz) = 17881 SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03 SIZE (openssh-sctp-2163.patch.gz) = 6764 Added: head/security/openssh-portable/files/extra-patch-hpn-window-size ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-hpn-window-size Fri May 17 19:47:35 2013 (r318400) @@ -0,0 +1,24 @@ +r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines +Changed paths: + M /user/brooks/openssh-hpn/channels.h + +It looks like the HPN patch didn't track the window size bump in OpenBSD +rev 1.89 back in 2007. Chase the updates to reduce diffs to head + +Index: channels.h +=================================================================== +--- channels.h (revision 223212) ++++ channels.h (revision 223213) +@@ -163,10 +163,10 @@ + + /* default window/packet sizes for tcp/x11-fwd-channel */ + #define CHAN_SES_PACKET_DEFAULT (32*1024) +-#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT) ++#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT) + + #define CHAN_TCP_PACKET_DEFAULT (32*1024) +-#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT) ++#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT) + + #define CHAN_X11_PACKET_DEFAULT (16*1024) + #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT) Added: head/security/openssh-portable/files/extra-patch-sshd-utmp-size ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-sshd-utmp-size Fri May 17 19:47:35 2013 (r318400) @@ -0,0 +1,36 @@ +r184122 | des | 2008-10-21 06:58:26 -0500 (Tue, 21 Oct 2008) | 11 lines +Changed paths: + M /head/crypto/openssh/loginrec.c + M /head/crypto/openssh/sshd.c + +At some point, construct_utmp() was changed to use realhostname() to fill +in the struct utmp due to concerns about the length of the hostname buffer. +However, this breaks the UseDNS option. There is a simpler and better +solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of +MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the +buffer. + +PR: bin/97499 +Submitted by: Bruce Cran + +Index: sshd.c +=================================================================== +--- sshd.c (revision 184121) ++++ sshd.c (revision 184122) +@@ -72,6 +72,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -238,7 +239,7 @@ + u_int session_id2_len = 0; + + /* record remote hostname or ip */ +-u_int utmp_len = MAXHOSTNAMELEN; ++u_int utmp_len = UT_HOSTSIZE; + + /* options.max_startup sized array of fd ints */ + int *startup_pipes = NULL; Modified: head/security/openssh-portable/files/patch-auth2.c ============================================================================== --- head/security/openssh-portable/files/patch-auth2.c Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-auth2.c Fri May 17 19:47:35 2013 (r318400) @@ -1,31 +1,12 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines +r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c + M /head/crypto/openssh/auth2.c -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 +Apply class-imposed login restrictions. --- auth2.c.orig 2009-06-22 00:11:07.000000000 -0600 +++ auth2.c 2010-09-14 16:14:12.000000000 -0600 -@@ -46,6 +46,7 @@ - #include "key.h" - #include "hostfile.h" - #include "auth.h" -+#include "canohost.h" - #include "dispatch.h" - #include "pathnames.h" - #include "buffer.h" -@@ -217,6 +218,13 @@ +@@ -222,6 +221,13 @@ Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; @@ -39,29 +20,29 @@ PR: 35904 if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -261,6 +269,27 @@ +@@ -274,6 +274,27 @@ "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } ++ if (authctxt->pw != NULL) { ++ lc = login_getpwclass(authctxt->pw); ++ if (lc == NULL) ++ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ logit("Denied connection for %.200s from %.200s [%.200s].", ++ authctxt->pw->pw_name, from_host, from_ip); ++ packet_disconnect("Sorry, you are not allowed to connect."); ++ } ++ if (!auth_timeok(lc, time(NULL))) { ++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", ++ authctxt->pw->pw_name, from_host); ++ packet_disconnect("Logins not available right now."); ++ } ++ login_close(lc); ++ lc = NULL; ++ } +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ Modified: head/security/openssh-portable/files/patch-readconf.c ============================================================================== --- head/security/openssh-portable/files/patch-readconf.c Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-readconf.c Fri May 17 19:47:35 2013 (r318400) @@ -6,6 +6,17 @@ Changed paths: Apply FreeBSD's configuration defaults. +------------------------------------------------------------------------ +r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines +Changed paths: + M /head/crypto/openssh/readconf.c + +Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. +Submitted upstream, no reaction. + +Submitted by: delphij@ + + --- readconf.c.orig 2010-08-03 00:04:46.000000000 -0600 +++ readconf.c 2010-09-14 16:14:12.000000000 -0600 @@ -1169,7 +1169,7 @@ @@ -17,3 +28,34 @@ Apply FreeBSD's configuration defaults. if (options->strict_host_key_checking == -1) options->strict_host_key_checking = 2; /* 2 is default */ if (options->compression == -1) +--- readconf.c (revision 181917) ++++ readconf.c (revision 181918) +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #include + +@@ -245,7 +246,19 @@ + Forward *fwd; + #ifndef NO_IPPORT_RESERVED_CONCEPT + extern uid_t original_real_uid; +- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) ++ int ipport_reserved; ++#ifdef __FreeBSD__ ++ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ ++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", ++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) ++ ipport_reserved = IPPORT_RESERVED; ++ else ++ ipport_reserved++; ++#else ++ ipport_reserved = IPPORT_RESERVED; ++#endif ++ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0) + fatal("Privileged ports can only be forwarded by root."); + #endif + if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) Modified: head/security/openssh-portable/files/patch-servconf.c ============================================================================== --- head/security/openssh-portable/files/patch-servconf.c Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-servconf.c Fri May 17 19:47:35 2013 (r318400) @@ -1,15 +1,7 @@ -r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/myproposal.h - M /head/crypto/openssh/readconf.c - M /head/crypto/openssh/servconf.c - -Apply FreeBSD's configuration defaults. - ---- servconf.c.orig 2010-06-25 17:38:45.000000000 -0600 -+++ servconf.c 2010-09-14 16:14:12.000000000 -0600 -@@ -139,7 +139,7 @@ - { +--- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500 ++++ servconf.c 2013-05-12 21:52:43.069625377 -0500 +@@ -162,7 +162,7 @@ + /* Portable-specific options */ if (options->use_pam == -1) - options->use_pam = 0; @@ -17,7 +9,7 @@ Apply FreeBSD's configuration defaults. /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) -@@ -170,7 +170,7 @@ +@@ -197,7 +197,7 @@ if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) @@ -26,7 +18,7 @@ Apply FreeBSD's configuration defaults. if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -@@ -180,7 +180,7 @@ +@@ -207,7 +207,7 @@ if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -35,7 +27,7 @@ Apply FreeBSD's configuration defaults. if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -218,7 +218,11 @@ +@@ -245,7 +245,11 @@ if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) @@ -47,3 +39,12 @@ Apply FreeBSD's configuration defaults. if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) +@@ -335,7 +339,7 @@ + options->version_addendum = xstrdup(""); + /* Turn privilege separation on by default */ + if (use_privsep == -1) +- use_privsep = PRIVSEP_NOSANDBOX; ++ use_privsep = PRIVSEP_ON; + + #ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { Modified: head/security/openssh-portable/files/patch-session.c ============================================================================== --- head/security/openssh-portable/files/patch-session.c Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-session.c Fri May 17 19:47:35 2013 (r318400) @@ -1,23 +1,6 @@ -r56266 | dinoex | 2002-03-17 14:24:24 -0600 (Sun, 17 Mar 2002) | 4 lines -Changed paths: - M /head/security/hpn-ssh/Makefile - M /head/security/hpn-ssh/files/patch-auth.c - A /head/security/hpn-ssh/files/patch-auth1.c - A /head/security/hpn-ssh/files/patch-auth2.c - M /head/security/hpn-ssh/files/patch-session.c - M /head/security/openssh-portable/Makefile - M /head/security/openssh-portable/files/patch-auth.c - A /head/security/openssh-portable/files/patch-auth1.c - A /head/security/openssh-portable/files/patch-auth2.c - M /head/security/openssh-portable/files/patch-session.c - -Merged patches for HAVE_LOGIN_CAP from stable - -PR: 35904 - ---- session.c.orig 2011-07-21 18:55:33.883559116 +0200 -+++ session.c 2011-07-21 19:02:17.789294035 +0200 -@@ -1125,6 +1143,9 @@ +--- session.c 2013-03-14 19:22:37.000000000 -0500 ++++ session.c 2013-04-12 21:10:44.510757912 -0500 +@@ -1131,6 +1136,9 @@ struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -27,7 +10,7 @@ PR: 35904 #endif /* Initialize the environment. */ -@@ -1146,6 +1167,9 @@ +@@ -1152,6 +1160,9 @@ } #endif @@ -37,7 +20,7 @@ PR: 35904 #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1165,11 +1189,22 @@ +@@ -1171,11 +1182,22 @@ child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -64,7 +47,7 @@ PR: 35904 #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1190,15 +1225,9 @@ +@@ -1196,15 +1218,9 @@ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -80,35 +63,12 @@ PR: 35904 /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -@@ -1473,9 +1502,9 @@ - platform_setusercontext(pw); - +@@ -1483,7 +1499,7 @@ if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER|LOGIN_SETENV))) < 0) { ++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } -@@ -1700,6 +1729,10 @@ - */ - environ = env; - -+#ifdef HAVE_LOGIN_CAP -+ r = login_getcapbool(lc, "requirehome", 0); -+ login_close(lc); -+#endif - #if defined(KRB5) && defined(USE_AFS) - /* - * At this point, we check to see if AFS is active and if we have -@@ -1729,9 +1762,6 @@ - /* Change current directory to the user's home directory. */ - if (chdir(pw->pw_dir) < 0) { - /* Suppress missing homedir warning for chroot case */ --#ifdef HAVE_LOGIN_CAP -- r = login_getcapbool(lc, "requirehome", 0); --#endif - if (r || options.chroot_directory == NULL || - strcasecmp(options.chroot_directory, "none") == 0) - fprintf(stderr, "Could not chdir to home " Added: head/security/openssh-portable/files/patch-ssh-agent.1 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/patch-ssh-agent.1 Fri May 17 19:47:35 2013 (r318400) @@ -0,0 +1,27 @@ +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +Index: ssh-agent.1 +=================================================================== +--- ssh-agent.1 (revision 226102) ++++ ssh-agent.1 (revision 226103) +@@ -44,7 +44,7 @@ + .Sh SYNOPSIS + .Nm ssh-agent + .Op Fl c | s +-.Op Fl d ++.Op Fl dx + .Op Fl a Ar bind_address + .Op Fl t Ar life + .Op Ar command Op Ar arg ... +@@ -103,6 +103,8 @@ + .Xr ssh-add 1 + overrides this value. + Without this option the default maximum lifetime is forever. ++.It Fl x ++Exit after the last client has disconnected. + .El + .Pp + If a commandline is given, this is executed as a subprocess of the agent. Modified: head/security/openssh-portable/files/patch-ssh-agent.c ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.c Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-ssh-agent.c Fri May 17 19:47:35 2013 (r318400) @@ -2,9 +2,68 @@ r110506 | des | 2003-02-07 09:48:27 -060 Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. ---- ssh-agent.c.orig 2010-04-15 23:56:22.000000000 -0600 -+++ ssh-agent.c 2010-09-14 16:14:13.000000000 -0600 -@@ -1086,6 +1086,7 @@ +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +--- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500 ++++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500 +@@ -137,15 +137,34 @@ + /* Default lifetime (0 == forever) */ + static int lifetime = 0; + ++/* ++ * Client connection count; incremented in new_socket() and decremented in ++ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is ++ * normally initialized to 1, it will never reach 0. However, if the -x ++ * option is specified, it is initialized to 0 in main(); in that case, ++ * ssh-agent will exit as soon as it has had at least one client but no ++ * longer has any. ++ */ ++static int xcount = 1; ++ + static void + close_socket(SocketEntry *e) + { ++ int last = 0; ++ ++ if (e->type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount - 1); ++ if (--xcount == 0) ++ last = 1; ++ } + close(e->fd); + e->fd = -1; + e->type = AUTH_UNUSED; + buffer_free(&e->input); + buffer_free(&e->output); + buffer_free(&e->request); ++ if (last) ++ cleanup_exit(0); + } + + static void +@@ -900,6 +919,10 @@ + { + u_int i, old_alloc, new_alloc; + ++ if (type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount + 1); ++ ++xcount; ++ } + set_nonblock(fd); + + if (fd > max_fd) +@@ -1120,6 +1143,7 @@ + fprintf(stderr, " -d Debug mode.\n"); + fprintf(stderr, " -a socket Bind agent socket to given name.\n"); + fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); ++ fprintf(stderr, " -x Exit when the last client disconnects.\n"); + exit(1); + } + +@@ -1149,6 +1173,7 @@ /* drop */ setegid(getgid()); setgid(getgid()); @@ -12,3 +71,32 @@ Set the ruid to the euid at startup as a #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ +@@ -1160,7 +1185,7 @@ + __progname = ssh_get_progname(av[0]); + seed_rng(); + +- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) { + switch (ch) { + case 'c': + if (s_flag) +@@ -1189,6 +1214,9 @@ + usage(); + } + break; ++ case 'x': ++ xcount = 0; ++ break; + default: + usage(); + } +@@ -1348,8 +1376,7 @@ + if (ac > 0) + parent_alive_interval = 10; + idtab_init(); +- if (!d_flag) +- signal(SIGINT, SIG_IGN); ++ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN); + signal(SIGPIPE, SIG_IGN); + signal(SIGHUP, cleanup_handler); + signal(SIGTERM, cleanup_handler); Modified: head/security/openssh-portable/files/patch-sshd.c ============================================================================== --- head/security/openssh-portable/files/patch-sshd.c Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-sshd.c Fri May 17 19:47:35 2013 (r318400) @@ -74,11 +74,11 @@ connections, do not protect connection h +#ifdef __FreeBSD__ + /* + * Initialize the resolver. This may not happen automatically -+ * before privsep chroot(). ++ * before privsep chroot(). + */ + if ((_res.options & RES_INIT) == 0) { -+ debug("res_init()"); -+ res_init(); ++ debug("res_init()"); ++ res_init(); + } +#ifdef GSSAPI + /* Modified: head/security/openssh-portable/files/patch-sshd_config ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-sshd_config Fri May 17 19:47:35 2013 (r318400) @@ -1,13 +1,16 @@ -r99051 | des | 2002-06-29 05:55:18 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/ssh_config - M /head/crypto/openssh/sshd_config - -Document FreeBSD defaults. - ---- sshd_config.orig 2009-10-11 04:51:09.000000000 -0600 -+++ sshd_config 2010-09-14 16:14:13.000000000 -0600 -@@ -36,7 +36,7 @@ +--- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600 ++++ sshd_config 2013-05-13 06:46:45.153627197 -0500 +@@ -10,6 +10,9 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + ++# Note that some of FreeBSD's defaults differ from OpenBSD's, and ++# FreeBSD has a few additional options. ++ + #Port 22 + #AddressFamily any + #ListenAddress 0.0.0.0 +@@ -37,7 +40,7 @@ # Authentication: #LoginGraceTime 2m @@ -16,7 +19,17 @@ Document FreeBSD defaults. #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -@@ -55,11 +55,11 @@ +@@ -46,8 +49,7 @@ + #PubkeyAuthentication yes + + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +-# but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + + #AuthorizedPrincipalsFile none + +@@ -64,11 +66,11 @@ # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -31,7 +44,7 @@ Document FreeBSD defaults. #ChallengeResponseAuthentication yes # Kerberos options -@@ -72,7 +72,7 @@ +@@ -81,7 +83,7 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes @@ -40,7 +53,7 @@ Document FreeBSD defaults. # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -@@ -81,12 +81,12 @@ +@@ -90,19 +92,19 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. @@ -55,3 +68,11 @@ Document FreeBSD defaults. #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes + #PrintLastLog yes + #TCPKeepAlive yes + #UseLogin no +-UsePrivilegeSeparation sandbox # Default for new installations. ++#UsePrivilegeSeparation sandbox + #PermitUserEnvironment no + #Compression delayed + #ClientAliveInterval 0 Modified: head/security/openssh-portable/files/patch-sshd_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config.5 Fri May 17 19:36:19 2013 (r318399) +++ head/security/openssh-portable/files/patch-sshd_config.5 Fri May 17 19:47:35 2013 (r318400) @@ -1,8 +1,6 @@ -Document defaults - ---- sshd_config.5.orig 2010-07-01 21:37:17.000000000 -0600 -+++ sshd_config.5 2010-08-31 05:27:27.000000000 -0600 -@@ -223,7 +223,9 @@ +--- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600 ++++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500 +@@ -277,7 +277,9 @@ .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or though authentication styles supported in @@ -13,7 +11,16 @@ Document defaults The default is .Dq yes . .It Cm ChrootDirectory -@@ -714,7 +716,22 @@ +@@ -555,7 +557,7 @@ + .Pp + .Pa /etc/hosts.equiv + and +-.Pa /etc/shosts.equiv ++.Pa /etc/ssh/shosts.equiv + are still used. + The default is + .Dq yes . +@@ -841,7 +843,22 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -36,7 +43,7 @@ Document defaults .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -757,7 +774,14 @@ +@@ -887,7 +904,14 @@ or .Dq no . The default is @@ -52,9 +59,9 @@ Document defaults .Pp If this option is set to .Dq without-password , -@@ -869,7 +893,9 @@ - Note that if this file is not readable, then public key authentication will - be refused for all users. +@@ -1006,7 +1030,9 @@ + section in + .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -63,7 +70,7 @@ Document defaults with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1009,7 +1035,7 @@ +@@ -1146,7 +1172,7 @@ .Xr sshd 8 as a non-root user. The default is @@ -72,7 +79,16 @@ Document defaults .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1034,7 +1060,7 @@ +@@ -1157,7 +1183,7 @@ + The goal of privilege separation is to prevent privilege + escalation by containing any corruption within the unprivileged processes. + The default is +-.Dq yes . ++.Dq sandbox . + If + .Cm UsePrivilegeSeparation + is set to +@@ -1182,7 +1208,7 @@ or .Dq no . The default is