Date:      Mon, 17 Nov 2014 18:08:15 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r372676 - in head/security/openssh-portable: . files
Message-ID:  <201411171808.sAHI8FB5091048@svn.freebsd.org>

Author: bdrewery
Date: Mon Nov 17 18:08:14 2014
New Revision: 372676
URL: https://svnweb.freebsd.org/changeset/ports/372676
QAT: https://qat.redports.org/buildarchive/r372676/

Log:
  - Update to 6.7p1.
  
    Several patches do not currently apply. Use security/openssh-portable66 for:
    HPN, NONECIPHER, KERB_GSSAPI, X509.
  
  - Add a TCP_WRAPPER patch to re-enable support after it was removed upstream.

Added:
  head/security/openssh-portable/files/extra-patch-tcpwrappers   (contents, props changed)
Deleted:
  head/security/openssh-portable/files/extra-patch-openssh661
Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo
  head/security/openssh-portable/files/patch-readconf.c
  head/security/openssh-portable/files/patch-ssh-agent.c
  head/security/openssh-portable/files/patch-sshd_config.5

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Mon Nov 17 17:51:51 2014	(r372675)
+++ head/security/openssh-portable/Makefile	Mon Nov 17 18:08:14 2014	(r372676)
@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	6.6p1
-PORTREVISION=	4
+DISTVERSION=	6.7p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	${MASTER_SITE_OPENBSD}
@@ -33,33 +33,31 @@ ETCOLD=			${PREFIX}/etc
 SUDO?=		# empty
 MAKE_ENV+=	SUDO="${SUDO}"
 
-# https://github.com/openssh/openssh-portable/commit/5618210618256bbf5f4f71b2887ff186fd451736.patch
-EXTRA_PATCHES+=		${FILESDIR}/extra-patch-openssh661
-
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
-			HPN LPK X509 KERB_GSSAPI \
+			HPN X509 KERB_GSSAPI \
 			OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
-OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
+OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
 BSM_DESC=		OpenBSM Auditing
-KERB_GSSAPI_DESC=	Kerberos/GSSAPI patch (req: GSSAPI)
-HPN_DESC=		HPN-SSH patch
-LPK_DESC=		LDAP Public Key (LPK) [OBSOLETE]
+KERB_GSSAPI_DESC=	Kerberos/GSSAPI patch (req: GSSAPI) [BROKEN]
+HPN_DESC=		HPN-SSH patch [BROKEN]
 LDNS_DESC=		SSHFP/LDNS support
-X509_DESC=		x509 certificate patch
+X509_DESC=		x509 certificate patch [BROKEN]
 SCTP_DESC=		SCTP support
 OVERWRITE_BASE_DESC=	OpenSSH overwrite base
 HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
-AES_THREADED_DESC=	Threaded AES-CTR
-NONECIPHER_DESC=	NONE Cipher support
+AES_THREADED_DESC=	Threaded AES-CTR [BROKEN]
+NONECIPHER_DESC=	NONE Cipher support [BROKEN]
 
 OPTIONS_SUB=		yes
 PLIST_SUB+=		MANPREFIX=${MANPREFIX}
 
+TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
+
 LDNS_CONFIGURE_WITH=	ldns
 LDNS_LIB_DEPENDS=	libldns.so:${PORTSDIR}/dns/ldns
 LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
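Review bot: `TCP_WRAPPERS_EXTRA_PATCHES` wires in a patch that, as added in this commit, restores the libwrap check in `configure.ac` rather than in the generated `configure`, and nothing in this hunk shows the port regenerating `configure` when the option is on. If that does not happen elsewhere in the Makefile, `--with-tcp-wrappers` would be ignored, `LIBWRAP` would stay undefined, and sshd would build cleanly while never consulting `/etc/hosts.allow` and `/etc/hosts.deny`, which is a silent fail-open for sites that rely on those rules. It is worth confirming that the option also runs autoconf and that the configure summary prints `TCP Wrappers support: yes`. A comment next to the variable such as `# patches configure.ac; configure must be regenerated` would record the dependency.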
@@ -72,24 +70,13 @@ HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 AES_THREADED_CONFIGURE_WITH=	aes-threaded
 
-# See http://code.google.com/p/openssh-lpk/wiki/Main
-# and svn repo described here:
-# http://code.google.com/p/openssh-lpk/source/checkout
-# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
-LPK_PATCHFILES=		${PORTNAME}-lpk-6.3p1.patch.gz
-LPK_CPPFLAGS=		-I${LOCALBASE}/include
-LPK_CONFIGURE_ON=	--with-ldap=yes \
-			--with-ldflags='-L${LOCALBASE}/lib' \
-			--with-cppflags='${CPPFLAGS}'
-LPK_USE=		OPENLDAP=yes
-
 # See http://www.roumenpetrov.info/openssh/
 X509_VERSION=		7.9
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
 X509_PATCHFILES=	${PORTNAME}-6.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-SCTP_PATCHFILES=	${PORTNAME}-6.6p1-sctp-2329.patch.gz
+SCTP_PATCHFILES=	${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1
 SCTP_CONFIGURE_WITH=	sctp
 
 # 6.6 patch taken from http://www.stacken.kth.se/~haba/ which was originally
@@ -137,6 +124,16 @@ EXTRA_PATCHES+=		${FILESDIR}/extra-patch
 .endif
 
 .if ${PORT_OPTIONS:MX509}
+BROKEN=		X509 does not apply yet. Use security/openssh-portable66
+.endif
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+BROKEN=		HPN does not apply yet. Use security/openssh-portable66
+.endif
+.if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN=		KERB_GSSAPI does not apply yet. Use security/openssh-portable66
+.endif
+
+.if ${PORT_OPTIONS:MX509}
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
 BROKEN=		X509 patch and HPN patch do not apply cleanly together
 .  endif
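Review bot: The three new `BROKEN=` assignments use plain `=`, so when more than one applies only the last one evaluated is reported, and for X509 the pre-existing combination checks that follow inside `.if ${PORT_OPTIONS:MX509}` assign `BROKEN` again. With X509 and HPN both selected, the message left standing would be `X509 patch and HPN patch do not apply cleanly together`, which drops the pointer to security/openssh-portable66. Placing the new checks after the combination block, so that their message is the one that survives, would keep that pointer visible. The X509 block opened on the last lines of this hunk continues outside it, so its full extent is not visible here.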
@@ -145,10 +142,6 @@ BROKEN=		X509 patch and HPN patch do not
 BROKEN=		X509 patch and SCTP patch do not apply cleanly together
 .  endif
 
-.  if ${PORT_OPTIONS:MLPK}
-BROKEN=		X509 patch and LPK patch do not apply cleanly together
-.  endif
-
 .  if ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		X509 patch incompatible with KERB_GSSAPI patch
 .  endif
@@ -196,10 +189,6 @@ IGNORE=	KERB_GSSAPI requires one of MIT 
 CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 .endif
 
-.if ${PORT_OPTIONS:MLPK}
-CONFIGURE_LIBS+=	-lldap
-.endif
-
 EMPTYDIR=		/var/empty
 
 .if ${PORT_OPTIONS:MOVERWRITE_BASE}

Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo	Mon Nov 17 17:51:51 2014	(r372675)
+++ head/security/openssh-portable/distinfo	Mon Nov 17 18:08:14 2014	(r372676)
@@ -1,5 +1,5 @@
-SHA256 (openssh-6.6p1.tar.gz) = 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb
-SIZE (openssh-6.6p1.tar.gz) = 1282502
+SHA256 (openssh-6.7p1.tar.gz) = b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507
+SIZE (openssh-6.7p1.tar.gz) = 1351367
 SHA256 (openssh-6.6.1p1-hpnssh14v2.diff.gz) = b7f5bd22f1c0bacd41fc4884aeb19bba460d548af875eeb6c857cb77bab53376
 SIZE (openssh-6.6.1p1-hpnssh14v2.diff.gz) = 24473
 SHA256 (openssh-6.6p1+x509-7.9.diff.gz) = 463473f75c1dc250ea4eda21f2c79df6f0b479ea499d044cb51d73073881ca34
@@ -8,5 +8,5 @@ SHA256 (openssh-6.6p1-gsskex-all-2014031
 SIZE (openssh-6.6p1-gsskex-all-20140318.patch.gz) = 24299
 SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
 SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
-SHA256 (openssh-6.6p1-sctp-2329.patch.gz) = e054529810815d63f7de5d1c6cc76fccb7766e1b2d1b62438ca83770afac9bfa
-SIZE (openssh-6.6p1-sctp-2329.patch.gz) = 8695
+SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db
+SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052

Added: head/security/openssh-portable/files/extra-patch-tcpwrappers
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openssh-portable/files/extra-patch-tcpwrappers	Mon Nov 17 18:08:14 2014	(r372676)
@@ -0,0 +1,179 @@
+Revert TCPWRAPPER removal -bdrewery
+$FreeBSD$
+
+commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Apr 20 13:22:18 2014 +1000
+
+       - tedu@cvs.openbsd.org 2014/03/26 19:58:37
+         [sshd.8 sshd.c]
+         remove libwrap support. ok deraadt djm mfriedl
+
+diff --git sshd.8 sshd.8
+index 289e13d..e6a900b 100644
+--- sshd.8
++++ sshd.8
+@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+diff --git sshd.c sshd.c
+index 0ade557..045f149 100644
+--- sshd.c
++++ sshd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */
++/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -122,6 +122,13 @@
+ #include "ssh-sandbox.h"
+ #include "version.h"
+ 
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ #ifndef O_NOCTTY
+ #define O_NOCTTY	0
+ #endif
+@@ -2027,6 +2034,24 @@ main(int ac, char **av)
+ #ifdef SSH_AUDIT_EVENTS
+ 	audit_connection_from(remote_ip, remote_port);
+ #endif
++#ifdef LIBWRAP
++	allow_severity = options.log_facility|LOG_INFO;
++	deny_severity = options.log_facility|LOG_WARNING;
++	/* Check whether logins are denied from this host. */
++	if (packet_connection_is_on_socket()) {
++		struct request_info req;
++
++		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++		fromhost(&req);
++
++		if (!hosts_access(&req)) {
++			debug("Connection refused by tcp wrapper");
++			refuse(&req);
++			/* NOTREACHED */
++			fatal("libwrap refuse returns");
++		}
++	}
++#endif /* LIBWRAP */
+ 
+ 	/* Log the connection. */
+ 	verbose("Connection from %s port %d on %s port %d",
+commit f9696566fb41320820f3b257ab564fa321bb3751
+Author: Darren Tucker <dtucker@zip.com.au>
+Date:   Fri Jun 13 11:06:04 2014 +1000
+
+     - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
+       been removed from sshd.c.
+
+diff --git ChangeLog ChangeLog
+index f4c6ea6..1c043ae 100644
+--- ChangeLog
++++ ChangeLog
+@@ -1,7 +1,3 @@
+-20140612
+- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
+-   been removed from sshd.c.
+-
+ 20140611
+  - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
+    openbsd-compat/bsd-asprintf.c.
+diff --git configure.ac configure.ac
+index f48ba4a..66fbe82 100644
+--- configure.ac
++++ configure.ac
+@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey],
+ 	]
+ )
+ 
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++	[
++		if test "x$withval" != "xno" ; then
++			saved_LIBS="$LIBS"
++			saved_LDFLAGS="$LDFLAGS"
++			saved_CPPFLAGS="$CPPFLAGS"
++			if test -n "${withval}" && \
++			    test "x${withval}" != "xyes"; then
++				if test -d "${withval}/lib"; then
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++					fi
++				else
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval} ${LDFLAGS}"
++					fi
++				fi
++				if test -d "${withval}/include"; then
++					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++				else
++					CPPFLAGS="-I${withval} ${CPPFLAGS}"
++				fi
++			fi
++			LIBS="-lwrap $LIBS"
++			AC_MSG_CHECKING([for libwrap])
++			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++				]], [[
++	hosts_access(0);
++				]])], [
++					AC_MSG_RESULT([yes])
++					AC_DEFINE([LIBWRAP], [1],
++						[Define if you want
++						TCP Wrappers support])
++					SSHDLIBS="$SSHDLIBS -lwrap"
++					TCPW_MSG="yes"
++				], [
++					AC_MSG_ERROR([*** libwrap missing])
++				
++			])
++			LIBS="$saved_LIBS"
++		fi
++	]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -4803,6 +4859,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
++echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
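Review bot: The restored block in sshd.c passes `__progname` as the `RQ_DAEMON` value to `request_init()`, so hosts.allow and hosts.deny rules are matched against whatever name the program reports (presumably the name the binary was started under) rather than a fixed `sshd`, and neither the code nor the restored sshd.8 text says so. A rule keyed on `sshd` would not match a daemon installed or invoked under another name, and with a default-allow rule set the connection would then be accepted. A comment above the call such as `/* rules are matched against __progname as the daemon name */`, or one sentence under the `/etc/hosts.allow` entry in sshd.8, would document this for administrators writing rules.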

Modified: head/security/openssh-portable/files/patch-readconf.c
==============================================================================
--- head/security/openssh-portable/files/patch-readconf.c	Mon Nov 17 17:51:51 2014	(r372675)
+++ head/security/openssh-portable/files/patch-readconf.c	Mon Nov 17 18:08:14 2014	(r372676)
@@ -18,22 +18,21 @@ Submitted upstream, no reaction.
 
 Submitted by:   delphij@
 
-
---- readconf.c.orig	2013-10-03 06:56:21.649139613 -0500
-+++ readconf.c	2013-10-03 06:56:50.961467272 -0500
+--- readconf.c.orig	2014-07-17 23:11:26.000000000 -0500
++++ readconf.c	2014-11-03 16:45:05.188796445 -0600
 @@ -17,6 +17,7 @@
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/socket.h>
 +#include <sys/sysctl.h>
  #include <sys/wait.h>
+ #include <sys/un.h>
  
- #include <netinet/in.h>
-@@ -282,7 +283,19 @@
- 	Forward *fwd;
+@@ -281,7 +282,19 @@ add_local_forward(Options *options, cons
+ 	struct Forward *fwd;
  #ifndef NO_IPPORT_RESERVED_CONCEPT
  	extern uid_t original_real_uid;
--	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
+-	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
 +	int ipport_reserved;
 +#ifdef __FreeBSD__
 +	size_t len_ipport_reserved = sizeof(ipport_reserved);
@@ -46,11 +45,11 @@ Submitted by:   delphij@
 +#else
 +	ipport_reserved = IPPORT_RESERVED;
 +#endif
-+	if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
++	if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 &&
+ 	    newfwd->listen_path == NULL)
  		fatal("Privileged ports can only be forwarded by root.");
  #endif
- 	options->local_forwards = xrealloc(options->local_forwards,
-@@ -1607,7 +1620,7 @@
+@@ -1674,7 +1687,7 @@ fill_default_options(Options * options)
  	if (options->batch_mode == -1)
  		options->batch_mode = 0;
  	if (options->check_host_ip == -1)

Modified: head/security/openssh-portable/files/patch-ssh-agent.c
==============================================================================
--- head/security/openssh-portable/files/patch-ssh-agent.c	Mon Nov 17 17:51:51 2014	(r372675)
+++ head/security/openssh-portable/files/patch-ssh-agent.c	Mon Nov 17 18:08:14 2014	(r372676)
@@ -7,11 +7,11 @@ r226103 | des | 2011-10-07 08:10:16 -050
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2011-06-02 23:14:16.000000000 -0500
-+++ ssh-agent.c	2013-05-09 15:59:14.044627857 -0500
-@@ -137,15 +137,34 @@
- /* Default lifetime (0 == forever) */
- static int lifetime = 0;
+--- ssh-agent.c.orig	2014-07-29 21:32:46.000000000 -0500
++++ ssh-agent.c	2014-11-03 16:48:03.930786112 -0600
+@@ -142,15 +142,34 @@ extern char *__progname;
+ /* Default lifetime in seconds (0 == forever) */
+ static long lifetime = 0;
  
 +/*
 + * Client connection count; incremented in new_socket() and decremented in
@@ -44,7 +44,7 @@ disconnected.
  }
  
  static void
-@@ -900,6 +919,10 @@
+@@ -810,6 +829,10 @@ new_socket(sock_type type, int fd)
  {
  	u_int i, old_alloc, new_alloc;
  
@@ -55,15 +55,16 @@ disconnected.
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1120,6 +1143,7 @@
- 	fprintf(stderr, "  -d          Debug mode.\n");
- 	fprintf(stderr, "  -a socket   Bind agent socket to given name.\n");
- 	fprintf(stderr, "  -t life     Default identity lifetime (seconds).\n");
-+	fprintf(stderr, "  -x          Exit when the last client disconnects.\n");
+@@ -1026,7 +1049,7 @@ usage(void)
+ {
+ 	fprintf(stderr,
+ 	    "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n"
+-	    "                 [command [arg ...]]\n"
++	    "                 [-x] [command [arg ...]]\n"
+ 	    "       ssh-agent [-c | -s] -k\n");
  	exit(1);
  }
- 
-@@ -1149,6 +1173,7 @@
+@@ -1056,6 +1079,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -71,7 +72,7 @@ disconnected.
  
  #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
  	/* Disable ptrace on Linux without sgid bit */
-@@ -1160,7 +1185,7 @@
+@@ -1069,7 +1093,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -80,7 +81,7 @@ disconnected.
  		switch (ch) {
  		case 'c':
  			if (s_flag)
-@@ -1189,6 +1214,9 @@
+@@ -1098,6 +1122,9 @@ main(int ac, char **av)
  				usage();
  			}
  			break;

Modified: head/security/openssh-portable/files/patch-sshd_config.5
==============================================================================
--- head/security/openssh-portable/files/patch-sshd_config.5	Mon Nov 17 17:51:51 2014	(r372675)
+++ head/security/openssh-portable/files/patch-sshd_config.5	Mon Nov 17 18:08:14 2014	(r372676)
@@ -1,9 +1,9 @@
---- sshd_config.5.orig	2013-02-11 18:02:09.000000000 -0600
-+++ sshd_config.5	2013-05-13 06:49:28.164628328 -0500
-@@ -277,7 +277,9 @@
+--- sshd_config.5.orig	2014-10-02 18:24:57.000000000 -0500
++++ sshd_config.5	2014-11-03 16:49:35.943778119 -0600
+@@ -304,7 +304,9 @@
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
+ PAM or through authentication styles supported in
 -.Xr login.conf 5 )
 +.Xr login.conf 5 ) .
 +See also
@@ -11,7 +11,7 @@
  The default is
  .Dq yes .
  .It Cm ChrootDirectory
-@@ -555,7 +557,7 @@
+@@ -615,7 +617,7 @@
  .Pp
  .Pa /etc/hosts.equiv
  and
@@ -20,7 +20,7 @@
  are still used.
  The default is
  .Dq yes .
-@@ -841,7 +843,22 @@
+@@ -977,7 +979,22 @@
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
@@ -43,7 +43,7 @@
  .It Cm PermitEmptyPasswords
  When password authentication is allowed, it specifies whether the
  server allows login to accounts with empty password strings.
-@@ -887,7 +904,14 @@
+@@ -1023,7 +1040,14 @@
  or
  .Dq no .
  The default is
@@ -59,8 +59,8 @@
  .Pp
  If this option is set to
  .Dq without-password ,
-@@ -1006,7 +1030,9 @@
- section in
+@@ -1178,7 +1202,9 @@
+ For more information on KRLs, see the KEY REVOCATION LISTS section in
  .Xr ssh-keygen 1 .
  .It Cm RhostsRSAAuthentication
 -Specifies whether rhosts or /etc/hosts.equiv authentication together
@@ -70,7 +70,7 @@
  with successful RSA host authentication is allowed.
  The default is
  .Dq no .
-@@ -1146,7 +1172,7 @@
+@@ -1343,7 +1369,7 @@
  .Xr sshd 8
  as a non-root user.
  The default is
@@ -79,7 +79,7 @@
  .It Cm UsePrivilegeSeparation
  Specifies whether
  .Xr sshd 8
-@@ -1182,7 +1208,7 @@
+@@ -1379,7 +1405,7 @@
  or
  .Dq no .
  The default is


