From: Bryan Drewery
Date: Mon, 23 Mar 2015 04:23:09 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r381981 - in head: . security/openssh-portable security/openssh-portable/files

Author: bdrewery
Date: Mon Mar 23 04:23:08 2015
New Revision: 381981
URL: https://svnweb.freebsd.org/changeset/ports/381981
QAT: https://qat.redports.org/buildarchive/r381981/

Log:
  Stop forcing the port version string into the server banner.

  The port now uses VersionAddendum in the sshd_config to allow overriding
  this value. Using "none" allows disabling the default of the port version
  string. The default is kept to show the port version string to remain
  close to the base version. Support for the client VersionAddendum may be
  added soon as well to better match base and not give surprises when
  switching from base to the port.

  PR: 193127
  Requested by: many, including myself when this was broken years ago.

Modified:
  head/UPDATING
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/patch-servconf.c
  head/security/openssh-portable/files/patch-sshd_config.5

Modified: head/UPDATING ============================================================================== --- head/UPDATING Mon Mar 23 04:08:27 2015 (r381980) +++ head/UPDATING Mon Mar 23 04:23:08 2015 (r381981) 
@@ -5,6 +5,14 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20150322: + AFFECTS: Users of security/openssh-portable + AUTHOR: bdrewery@FreeBSD.org + + The port now uses VersionAddendum for the port version string. Setting + the value to "none" in your sshd_config and restarting openssh will allow + removing the version from the banner. + 20150321: AFFECTS: Users of x11-servers/xorg-server and other X servers AUTHOR: bapt@FreeBSD.org Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Mon Mar 23 04:08:27 2015 (r381980) +++ head/security/openssh-portable/Makefile Mon Mar 23 04:23:08 2015 (r381981) @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 6.7p1 -PORTREVISION= 2 +PORTREVISION= 3 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -200,6 +200,8 @@ CONFIGURE_ARGS+= --with-libs='${CONFIGUR .endif RC_SCRIPT_NAME= openssh +VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} +VERSION_ADDENDUM_SERVCONF_GREP= " options->version_addendum = xstrdup" post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure 
@@ -212,18 +214,21 @@ post-patch: ${WRKSRC}/ssh_config.5 @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 - @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ - -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ - ${WRKSRC}/version.h -.if ${PORT_OPTIONS:MHPN} - @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \ +# Making this a patch conflicts with the X509 option. Use grep to force failure. + @${ECHO_CMD} "===> Applying VersionAddendum patch to servconf.c" && \ + ${GREP} -q ${VERSION_ADDENDUM_SERVCONF_GREP} \ + ${WRKSRC}/servconf.c && \ + ${REINPLACE_CMD} \ + -e 's|\( ${VERSION_ADDENDUM_SERVCONF_GREP}\).*);|\1(SSH_VERSION_FREEBSD_PORT);|' \ + ${WRKSRC}/servconf.c + @${REINPLACE_CMD} \ + -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ + ${WRKSRC}/sshd_config + @${REINPLACE_CMD} \ + -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ + ${WRKSRC}/sshd_config.5 + @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h -.endif post-install: ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ Modified: head/security/openssh-portable/files/patch-servconf.c ============================================================================== --- head/security/openssh-portable/files/patch-servconf.c Mon Mar 23 04:08:27 2015 (r381980) +++ head/security/openssh-portable/files/patch-servconf.c Mon Mar 23 04:23:08 2015 (r381981) 
@@ -1,6 +1,14 @@ ---- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500 -+++ servconf.c 2013-05-12 21:52:43.069625377 -0500 -@@ -162,7 +162,7 @@ +--- servconf.c.orig 2015-03-22 22:16:53.563005000 -0500 ++++ servconf.c 2015-03-22 22:19:39.207917000 -0500 +@@ -54,6 +54,7 @@ + #include "packet.h" + #include "hostfile.h" + #include "auth.h" ++#include "version.h" + + static void add_listen_addr(ServerOptions *, char *, int); + static void add_one_listen_addr(ServerOptions *, char *, int); +@@ -173,7 +174,7 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) @@ -9,7 +17,7 @@ /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) -@@ -197,7 +197,7 @@ +@@ -210,7 +211,7 @@ fill_default_server_options(ServerOption if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) @@ -18,7 +26,7 @@ if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -@@ -207,7 +207,7 @@ +@@ -220,7 +221,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -27,7 +35,7 @@ if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -245,7 +245,11 @@ +@@ -262,7 +263,11 @@ fill_default_server_options(ServerOption if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) 
@@ -39,8 +47,8 @@ if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) -@@ -335,7 +339,7 @@ - options->version_addendum = xstrdup(""); +@@ -368,7 +373,7 @@ fill_default_server_options(ServerOption + options->fwd_opts.streamlocal_bind_unlink = 0; /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; Modified: head/security/openssh-portable/files/patch-sshd_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config.5 Mon Mar 23 04:08:27 2015 (r381980) +++ head/security/openssh-portable/files/patch-sshd_config.5 Mon Mar 23 04:23:08 2015 (r381981) @@ -1,6 +1,6 @@ --- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 -+++ sshd_config.5 2014-11-03 16:49:35.943778119 -0600 -@@ -304,7 +304,9 @@ ++++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500 +@@ -304,7 +304,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in @@ -11,7 +11,7 @@ The default is .Dq yes . .It Cm ChrootDirectory -@@ -615,7 +617,7 @@ +@@ -615,7 +617,7 @@ or .Pp .Pa /etc/hosts.equiv and @@ -20,7 +20,7 @@ are still used. The default is .Dq yes . -@@ -977,7 +979,22 @@ +@@ -977,7 +979,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -43,7 +43,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1023,7 +1040,14 @@ +@@ -1023,7 +1040,14 @@ The argument must be or .Dq no . The default is 
@@ -59,7 +59,7 @@ .Pp If this option is set to .Dq without-password , -@@ -1178,7 +1202,9 @@ +@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication @@ -70,7 +70,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1343,7 +1369,7 @@ +@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is @@ -79,7 +79,19 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1379,7 +1405,7 @@ +@@ -1365,7 +1391,10 @@ restrictions. + Optionally specifies additional text to append to the SSH protocol banner + sent by the server upon connection. + The default is +-.Dq none . ++.Dq %%SSH_VERSION_FREEBSD_PORT%% . ++The value ++.Dq none ++may be used to disable this. + .It Cm X11DisplayOffset + Specifies the first display number available for + .Xr sshd 8 Ns 's +@@ -1379,7 +1408,7 @@ The argument must be or .Dq no . The default is
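
Review bot: The 20150322 entry added to head/UPDATING explains how to remove the version from the banner but never says that the port version string is still sent by default, so a reader cannot tell whether doing nothing changes what their server advertises. Suggest stating that the default remains the value of VERSION_ADDENDUM_DEFAULT (`${OPSYS}-${PKGNAME}`), and giving the literal line to set, `VersionAddendum none`, instead of describing it in prose.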
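
Review bot: In the Makefile hunk at -200,6, `VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME}` introduces a user-overridable knob with no comment, and the post-patch target later pastes its value unescaped into `|`-delimited sed replacements and into a C string literal appended to version.h. An override containing `|`, `&`, a backslash or a double quote would either break the build or silently produce a different string than the one requested. Suggest a short comment above the variable documenting what it controls and which characters are safe, or escaping the value before it is substituted.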
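
Review bot: In the Makefile post-patch hunk at -212,18, only the servconf.c edit is guarded by `${GREP} -q`; the two `${REINPLACE_CMD}` calls on sshd_config and sshd_config.5 succeed even when their patterns (`VersionAddendum none`, `%%SSH_VERSION_FREEBSD_PORT%%`) match nothing. If the upstream text changes, the sample config and man page would keep claiming a default of none while the binary sends the port version string, which is the wrong direction for an information-disclosure setting. Suggest applying the same grep-then-sed guard to both files. Separately, the removed `.if ${PORT_OPTIONS:MHPN}` block that added SSH_HPN to the version string has no replacement here and the log does not mention it; please confirm that the banner change for HPN builds is intended.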
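
Review bot: In patch-servconf.c, the first hunk (-1,6 +1,14) adds `#include "version.h"`, but the only code that needs it, the `xstrdup(SSH_VERSION_FREEBSD_PORT)` assignment, is injected by sed from the Makefile and not by this patch. Someone reading the patch file alone sees an include with no user, and someone editing the Makefile has no hint that the include lives here. Suggest extending the Makefile comment ("Making this a patch conflicts with the X509 option") to note that the matching include is carried in files/patch-servconf.c, so the two are kept in sync.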
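
Review bot: In patch-sshd_config.5, the VersionAddendum hunk (-1365,7 +1391,10 in the man page) ends with "The value .Dq none may be used to disable this.", where "this" is ambiguous: it could be read as disabling the protocol banner rather than only the appended text. Suggest wording along the lines of "may be used to send no additional text", and, since the default shown comes from a `%%SSH_VERSION_FREEBSD_PORT%%` placeholder, checking that the installed page never ships with the placeholder unexpanded.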