From: Bryan Drewery
Date: Sat, 1 Apr 2017 01:59:25 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r437391 - in head: . security/openssh-portable security/openssh-portable/files

Author: bdrewery
Date: Sat Apr 1 01:59:25 2017
New Revision: 437391
URL: https://svnweb.freebsd.org/changeset/ports/437391

Log:
  - Update to 7.5p1.
  - Update X509 to 10.1.
  - Disable KERB_GSSAPI for now as it does not build.

  Changes: https://www.openssh.com/txt/release-7.5

Modified:
  head/UPDATING
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo
  head/security/openssh-portable/files/extra-patch-hpn
  head/security/openssh-portable/files/patch-auth2.c
  head/security/openssh-portable/files/patch-sshd_config.5

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Sat Apr 1 00:31:09 2017	(r437390)
+++ head/UPDATING	Sat Apr 1 01:59:25 2017	(r437391)
@@ -5,6 +5,23 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20170331: + AFFECTS: users of security/openssh-portable + AUTHOR: bdrewery@FreeBSD.org + + The format of several log messages emitted by the packet code has + changed to include additional information about the user and + their authentication state. Software that monitors ssh/sshd logs + may need to account for these changes. For example: + + Connection closed by user x 1.1.1.1 port 1234 [preauth] + Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] + Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] + + Affected messages include connection closure, timeout, remote + disconnection, negotiation failure and some other fatal messages + generated by the packet code. + 20170326: AFFECTS: users of samba43 AUTHOR: antoine@FreeBSD.org Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Sat Apr 1 00:31:09 2017 (r437390) +++ head/security/openssh-portable/Makefile Sat Apr 1 01:59:25 2017 (r437391) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.4p1 -PORTREVISION= 1 +DISTVERSION= 7.5p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable 
@@ -58,10 +58,10 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 9.3 +X509_VERSION= 10.1 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 @@ -92,6 +92,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_ # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= No patch for 7.5 yet. # Patch from: # http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch # which was originally based on 5.7 patch from @@ -215,6 +216,7 @@ test: build OBJ=${WRKDIR} ${MAKE_ENV} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ + LOGNAME="${LOGNAME}" \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Sat Apr 1 00:31:09 2017 (r437390) +++ head/security/openssh-portable/distinfo Sat Apr 1 01:59:25 2017 (r437391) 
@@ -1,9 +1,9 @@ TIMESTAMP = 1484161900 -SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 -SIZE (openssh-7.4p1.tar.gz) = 1511780 +SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 +SIZE (openssh-7.5p1.tar.gz) = 1510857 SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501 -SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee -SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572 +SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2 +SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721 SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091 Modified: head/security/openssh-portable/files/extra-patch-hpn ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn Sat Apr 1 00:31:09 2017 (r437390) +++ head/security/openssh-portable/files/extra-patch-hpn Sat Apr 1 01:59:25 2017 (r437391) @@ -1181,8 +1181,8 @@ diff -urN -x configure -x config.guess - char buf[256]; /* Must not be larger than remote_version. */ char remote_version[256]; /* Must be at least as big as buf. */ -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n", PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +#ifdef HPN_ENABLED + options.hpn_disabled ? "" : SSH_HPN, 
@@ -1190,7 +1190,7 @@ diff -urN -x configure -x config.guess - + "", +#endif *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); + options.version_addendum); @@ -1027,6 +1032,10 @@ server_listen(void) int ret, listen_sock, on = 1; @@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess - for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1067,6 +1076,13 @@ server_listen(void) +@@ -1072,6 +1081,13 @@ server_listen(void) debug("Bind to port %s on %s.", strport, ntop); @@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess - /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { error("Bind to port %s on %s failed: %.200s.", -@@ -1591,6 +1607,15 @@ main(int ac, char **av) +@@ -1596,6 +1612,15 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); @@ -1233,7 +1233,7 @@ diff -urN -x configure -x config.guess - /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; -@@ -2085,6 +2110,11 @@ main(int ac, char **av) +@@ -2099,6 +2124,11 @@ main(int ac, char **av) } #endif @@ -1245,7 +1245,7 @@ diff -urN -x configure -x config.guess - /* * In privilege separation, we fork another child and prepare * file descriptor passing. -@@ -2163,6 +2193,11 @@ do_ssh2_kex(void) +@@ -2177,6 +2207,11 @@ do_ssh2_kex(void) struct kex *kex; int r; Modified: head/security/openssh-portable/files/patch-auth2.c ============================================================================== --- head/security/openssh-portable/files/patch-auth2.c Sat Apr 1 00:31:09 2017 (r437390) +++ head/security/openssh-portable/files/patch-auth2.c Sat Apr 1 01:59:25 2017 (r437391) 
@@ -5,9 +5,9 @@ Changed paths: Apply class-imposed login restrictions. ---- auth2.c.orig 2012-12-02 16:53:20.000000000 -0600 -+++ auth2.c 2013-05-22 17:21:37.979631466 -0500 -@@ -46,6 +46,7 @@ +--- auth2.c.orig 2017-03-19 19:39:27.000000000 -0700 ++++ auth2.c 2017-03-20 11:52:27.960733000 -0700 +@@ -47,6 +47,7 @@ #include "key.h" #include "hostfile.h" #include "auth.h" @@ -15,12 +15,11 @@ Apply class-imposed login restrictions. #include "dispatch.h" #include "pathnames.h" #include "buffer.h" -@@ -216,6 +217,14 @@ input_userauth_request(int type, u_int32 +@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32 Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; +#ifdef HAVE_LOGIN_CAP -+ struct ssh *ssh = active_state; /* XXX */ + login_cap_t *lc; + const char *from_host, *from_ip; + @@ -30,7 +29,7 @@ Apply class-imposed login restrictions. if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -262,6 +271,27 @@ input_userauth_request(int type, u_int32 +@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32 "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } Modified: head/security/openssh-portable/files/patch-sshd_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config.5 Sat Apr 1 00:31:09 2017 (r437390) +++ head/security/openssh-portable/files/patch-sshd_config.5 Sat Apr 1 01:59:25 2017 (r437391) @@ -1,5 +1,5 @@ ---- sshd_config.5.orig 2016-12-18 20:59:41.000000000 -0800 -+++ sshd_config.5 2017-01-11 13:35:46.496538000 -0800 +--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 ++++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 @@ -373,7 +373,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via 
@@ -11,7 +11,7 @@ The default is .Cm yes . .It Cm ChrootDirectory -@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa +@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa The list of available key types may also be obtained using .Qq ssh -Q key . .It Cm HostbasedAuthentication @@ -22,7 +22,7 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic +@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -45,7 +45,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1216,6 +1235,13 @@ and +@@ -1232,6 +1251,13 @@ and .Cm ethernet . The default is .Cm no . @@ -59,16 +59,13 @@ .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run +@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is -.Cm no . +.Cm yes . - .It Cm UsePrivilegeSeparation - Specifies whether - .Xr sshd 8 -@@ -1500,7 +1526,10 @@ The default is + .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is @@ -80,7 +77,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1514,7 +1543,7 @@ The argument must be +@@ -1512,7 +1541,7 @@ The argument must be or .Cm no . The default is
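Review bot: the 20170331 UPDATING entry describes the new log-message wording but gives no pointer to the full list of affected messages; the commit log already cites https://www.openssh.com/txt/release-7.5, so adding that URL to the entry would let people who monitor sshd logs see every message whose wording changed instead of only the three `Connection closed by ...` samples. Showing the pre-7.5 form of one of those samples next to its new form would also make the required pattern change obvious.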
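Review bot: in the X509 hunk of the Makefile the patch file name hard-codes the release in `+X509_PATCHFILES= ${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509` while `DISTVERSION= 7.5p1` already carries the same value a few lines up; using `${DISTVERSION}` there would keep the two from drifting on the next version bump, provided the upstream x509 diff is always named after the matching OpenSSH release.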
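Review bot: the `+BROKEN= No patch for 7.5 yet.` line inside `.if ${PORT_OPTIONS:MKERB_GSSAPI}` does not say which option is broken, and the comment right below it still points at the Debian `1:7.4p1-5` gssapi.patch; a message such as `BROKEN= KERB_GSSAPI: gssapi patch not yet updated for 7.5p1` would tell users which option to turn off, and a short note that the Debian URL is the patch awaiting a 7.5 rebase would help whoever picks this up.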
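Review bot: the `+ LOGNAME="${LOGNAME}" \` addition to the `test:` target environment is not mentioned in the commit log, which lists only the 7.5p1 update, the X509 bump and the KERB_GSSAPI BROKEN; a one-line Makefile comment or log entry stating why the regression tests now need LOGNAME passed through would document the change for future maintainers.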
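Review bot: the distinfo hunk replaces the SHA256/SIZE lines for openssh-7.5p1.tar.gz and the x509-10.1 diff but leaves `TIMESTAMP = 1484161900` as unchanged context, so the timestamp still reflects the earlier 7.4p1 fetch; `make makesum` regenerates it together with the checksums. The untouched `openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz` entry is consistent with KERB_GSSAPI now being BROKEN, but it will need replacing together with that patch.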
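Review bot: the extra-patch-hpn hunk drops the trailing `newline` argument and appends `\r\n` to the `xasprintf` format; the six conversions in `"SSH-%d.%d-%.100s%s%s%s\r\n"` line up with the six arguments (two `%d`, `SSH_VERSION`, the HPN string, the separator and `options.version_addendum`), so that part is consistent. The remaining changes in this file only rebase nested hunk offsets (`-@@ -1067,6 +1076,13 @@` to `+@@ -1072,6 +1081,13 @@` and so on), which were edited by hand; confirm that `make patch` applies the file without fuzz (PATCH_DEBUG=yes shows any).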
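Review bot: the patch-auth2.c hunk deletes the local `struct ssh *ssh = active_state; /* XXX */` from the `#ifdef HAVE_LOGIN_CAP` block and shrinks the hunk from 14 to 13 added lines, so the code that fills `from_host`/`from_ip` in the later `+@@ -266,6 +274,27 @@` hunk now depends on `ssh` being in scope from the 7.5 `input_userauth_request` itself; worth confirming the port builds both with and without `HAVE_LOGIN_CAP` defined, since the ifdef block no longer declares it.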
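Review bot: in patch-sshd_config.5 the two old hunks `-@@ -1473,7 +1499,7 @@` and `-@@ -1500,7 +1526,10 @@` collapse into one `+@@ -1493,12 +1519,15 @@`, with the `.It Cm UsePrivilegeSeparation` context lines gone; the counts check out (12 old lines, 15 new: `.Cm no .` replaced by `.Cm yes .` plus the three VersionAddendum lines), and the vanished context shows that section no longer sits at that spot in the 7.5 manual. If the release notes linked in the log confirm the option is deprecated, the UPDATING entry, which currently covers only log formats, could mention it for users who set UsePrivilegeSeparation explicitly.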