From owner-svn-ports-head@freebsd.org Mon Jul 27 18:30:28 2015 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5297D9AC812; Mon, 27 Jul 2015 18:30:28 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 410F82FF; Mon, 27 Jul 2015 18:30:28 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t6RIUSxa099976; Mon, 27 Jul 2015 18:30:28 GMT (envelope-from bdrewery@FreeBSD.org) Received: (from bdrewery@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t6RIUPIw099961; Mon, 27 Jul 2015 18:30:25 GMT (envelope-from bdrewery@FreeBSD.org) Message-Id: <201507271830.t6RIUPIw099961@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bdrewery set sender to bdrewery@FreeBSD.org using -f 
From: Bryan Drewery Date: Mon, 27 Jul 2015 18:30:25 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r392998 - in head/security/openssh-portable: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Jul 2015 18:30:28 -0000 Author: bdrewery Date: Mon Jul 27 18:30:24 2015 New Revision: 392998 URL: https://svnweb.freebsd.org/changeset/ports/392998 Log: - Update to 6.9p1 - Update X509 patch to 8.4 Changes: http://www.openssh.com/txt/release-6.9 Deleted: head/security/openssh-portable/files/extra-patch-ttssh head/security/openssh-portable/files/patch-compat.c head/security/openssh-portable/files/patch-monitor_wrap.c Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/extra-patch-hpn head/security/openssh-portable/files/patch-servconf.c head/security/openssh-portable/files/patch-ssh-agent.1 head/security/openssh-portable/files/patch-ssh-agent.c head/security/openssh-portable/files/patch-sshd_config head/security/openssh-portable/files/patch-sshd_config.5 Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/Makefile Mon Jul 27 18:30:24 2015 (r392998) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.8p1 -PORTREVISION= 8 +DISTVERSION= 6.9p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable 
@@ -47,7 +47,6 @@ NONECIPHER_DESC= NONE Cipher support OPTIONS_SUB= yes -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ttssh TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns @@ -61,9 +60,9 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 8.3 +X509_VERSION= 8.4 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -X509_PATCHFILES= ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/distinfo Mon Jul 27 18:30:24 2015 (r392998) 
@@ -1,7 +1,7 @@ -SHA256 (openssh-6.8p1.tar.gz) = 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e -SIZE (openssh-6.8p1.tar.gz) = 1475953 -SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304 -SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942 +SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe +SIZE (openssh-6.9p1.tar.gz) = 1487617 +SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb +SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687 SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8 SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825 SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a Modified: head/security/openssh-portable/files/extra-patch-hpn ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/files/extra-patch-hpn Mon Jul 27 18:30:24 2015 (r392998) @@ -398,15 +398,14 @@ diff -urN -x configure -x config.guess - return check[i].bugs; } } ---- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500 -@@ -60,7 +60,10 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 +--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500 +@@ -62,6 +62,9 @@ #define SSH_BUG_CURVE25519PAD 0x10000000 #define SSH_BUG_HOSTKEYS 0x20000000 + #define SSH_BUG_DHGEX_LARGE 0x40000000 +#ifdef HPN_ENABLED -+#define SSH_BUG_LARGEWINDOW 0x40000000 ++#define SSH_BUG_LARGEWINDOW 0x80000000 +#endif void enable_compat13(void); 
@@ -718,12 +717,12 @@ diff -urN -x configure -x config.guess - struct timeval tv[2]; #define atime tv[0] ---- work.clean/openssh-6.8p1/servconf.c 2015-04-01 22:07:18.142441000 -0500 -+++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500 -@@ -160,6 +160,14 @@ - options->revoked_keys_file = NULL; - options->trusted_user_ca_keys = NULL; +--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500 +@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions options->authorized_principals_file = NULL; + options->authorized_principals_command = NULL; + options->authorized_principals_command_user = NULL; +#ifdef NONE_CIPHER_ENABLED + options->none_enabled = -1; +#endif @@ -735,7 +734,7 @@ diff -urN -x configure -x config.guess - options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; -@@ -326,6 +334,57 @@ +@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; @@ -793,7 +792,7 @@ diff -urN -x configure -x config.guess - if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) -@@ -401,6 +460,12 @@ +@@ -406,6 +465,12 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 
@@ -803,10 +802,10 @@ diff -urN -x configure -x config.guess - +#ifdef HPN_ENABLED + sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +#endif + sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, -@@ -529,6 +594,14 @@ +@@ -537,6 +602,14 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, @@ -821,7 +820,7 @@ diff -urN -x configure -x config.guess - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -@@ -1113,6 +1186,25 @@ +@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions intptr = &options->ignore_user_known_hosts; goto parse_flag; Modified: head/security/openssh-portable/files/patch-servconf.c ============================================================================== --- head/security/openssh-portable/files/patch-servconf.c Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/files/patch-servconf.c Mon Jul 27 18:30:24 2015 (r392998) @@ -17,15 +17,6 @@ /* X.509 Standard Options */ #ifdef OPENSSL_FIPS -@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption - if (options->key_regeneration_time == -1) - options->key_regeneration_time = 3600; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_YES; -+ options->permit_root_login = PERMIT_NO; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) 
@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; Modified: head/security/openssh-portable/files/patch-ssh-agent.1 ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.1 Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/files/patch-ssh-agent.1 Mon Jul 27 18:30:24 2015 (r392998) @@ -3,20 +3,18 @@ r226103 | des | 2011-10-07 08:10:16 -050 Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. -Index: ssh-agent.1 -=================================================================== ---- ssh-agent.1 (revision 226102) -+++ ssh-agent.1 (revision 226103) -@@ -44,7 +44,7 @@ +--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500 +@@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s --.Op Fl d -+.Op Fl dx +-.Op Fl Dd ++.Op Fl Ddx .Op Fl a Ar bind_address + .Op Fl E Ar fingerprint_hash .Op Fl t Ar life - .Op Ar command Op Ar arg ... -@@ -103,6 +103,8 @@ +@@ -128,6 +128,8 @@ .Xr ssh-add 1 overrides this value. Without this option the default maximum lifetime is forever. Modified: head/security/openssh-portable/files/patch-ssh-agent.c ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.c Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/files/patch-ssh-agent.c Mon Jul 27 18:30:24 2015 (r392998) 
@@ -7,9 +7,9 @@ r226103 | des | 2011-10-07 08:10:16 -050 Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2015-03-17 00:49:20.000000000 -0500 -+++ ssh-agent.c 2015-03-20 00:00:48.800352000 -0500 -@@ -150,15 +150,34 @@ static long lifetime = 0; +--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500 +@@ -157,15 +157,34 @@ static long lifetime = 0; static int fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -44,7 +44,7 @@ disconnected. } static void -@@ -910,6 +929,10 @@ new_socket(sock_type type, int fd) +@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; @@ -55,16 +55,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1138,7 +1161,7 @@ usage(void) +@@ -1166,7 +1189,7 @@ static void + usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-E fingerprint_hash]\n" -- " [-t life] [command [arg ...]]\n" -+ " [-t life] [-x] [command [arg ...]]\n" +- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" ++ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + " [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); - } -@@ -1168,6 +1191,7 @@ main(int ac, char **av) +@@ -1197,6 +1220,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); 
@@ -72,16 +72,16 @@ disconnected. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -@@ -1181,7 +1205,7 @@ main(int ac, char **av) +@@ -1210,7 +1234,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); -- while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cdksE:a:t:x")) != -1) { +- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1215,6 +1239,9 @@ main(int ac, char **av) +@@ -1249,6 +1273,9 @@ main(int ac, char **av) usage(); } break; Modified: head/security/openssh-portable/files/patch-sshd_config ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/files/patch-sshd_config Mon Jul 27 18:30:24 2015 (r392998) @@ -10,15 +10,6 @@ #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -41,7 +44,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin yes -+#PermitRootLogin no - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 @@ -50,8 +53,7 @@ #PubkeyAuthentication yes Modified: head/security/openssh-portable/files/patch-sshd_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config.5 Mon Jul 27 17:53:18 2015 (r392997) +++ head/security/openssh-portable/files/patch-sshd_config.5 Mon Jul 27 18:30:24 2015 (r392998) 
@@ -1,6 +1,6 @@ ---- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 -+++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500 -@@ -304,7 +304,9 @@ By default, no banner is displayed. +--- sshd_config.5.orig 2015-05-29 03:27:21.000000000 -0500 ++++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500 +@@ -375,7 +375,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in @@ -11,7 +11,7 @@ The default is .Dq yes . .It Cm ChrootDirectory -@@ -977,7 +979,22 @@ are refused if the number of unauthentic +@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -34,12 +34,10 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1023,7 +1040,14 @@ The argument must be - or +@@ -1158,6 +1175,13 @@ or .Dq no . The default is --.Dq yes . -+.Dq no . + .Dq no . +Note that if +.Cm ChallengeResponseAuthentication +is @@ -50,7 +48,7 @@ .Pp If this option is set to .Dq without-password , -@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as +@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication @@ -61,7 +59,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run +@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is 
@@ -70,7 +68,7 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1365,7 +1391,10 @@ restrictions. +@@ -1520,7 +1546,10 @@ restrictions. Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is @@ -82,7 +80,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1379,7 +1408,7 @@ The argument must be +@@ -1534,7 +1563,7 @@ The argument must be or .Dq no . The default is
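Review bot: the removal of `-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ttssh` in the Makefile hunk at `@@ -47,7 +47,6 @@` (together with the deletion of files/extra-patch-ttssh, patch-compat.c and patch-monitor_wrap.c listed in the header) is not explained by the log, which only says "Update to 6.9p1" and "Update X509 patch to 8.4". extra-patch-ttssh was applied unconditionally, so dropping it changes what every build of the port gets; please add a log line per dropped patch saying why it went (merged upstream, superseded by the 8.4 X509 diff, or no longer applicable).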
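Review bot: in the Makefile hunk at `@@ -61,9 +60,9 @@` the X509 diff name is still hard-coded as `${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz`, so the OpenSSH version now lives in two places (DISTVERSION and X509_PATCHFILES) and this bump had to edit both. Consider `${PORTNAME}-${DISTVERSION}+x509-${X509_VERSION}.diff.gz` so the next update only touches DISTVERSION and the distinfo checksums.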
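Review bot: the distinfo hunk updates the checksums for the 6.9p1 tarball and the x509-8.4 diff, but the unchanged context keeps `openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz` and `openssh-6.8p1-sctp-2573.patch.gz`, both generated against older releases. The log does not say whether those two patch files were confirmed to apply cleanly and build against 6.9p1; a sentence in the log stating that they were checked would save the next committer from re-verifying.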
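Review bot: in the extra-patch-hpn compat.h hunk, SSH_BUG_LARGEWINDOW moves from 0x40000000 to 0x80000000 because upstream now uses 0x40000000 for SSH_BUG_DHGEX_LARGE. That is the last free bit in a 32-bit flag word (the visible flags already occupy 0x10000000 through 0x40000000), so the next upstream compat flag will collide with the HPN flag again, and 0x80000000 sets the sign bit if the flags variable is a signed int. A comment in the patch noting that the bit is taken, plus a check that the flag tests still behave with that value, would be worthwhile; keeping the HPN flag in its own variable instead of the upstream bitfield would avoid the recurring collision.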
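Review bot: the patch-servconf.c hunk at `@@ -17,15 +17,6 @@` drops the local change of the PermitRootLogin default from `PERMIT_YES` to `PERMIT_NO`, and the patch-sshd_config hunk at `@@ -10,15 +10,6 @@` drops the matching `#PermitRootLogin yes` to `#PermitRootLogin no` edit; the patch-sshd_config.5 hunk likewise turns the `-.Dq yes .` / `+.Dq no .` change into plain ` .Dq no .` context, which suggests the patched source now already documents "no" as the default. The log says nothing about this. Please state explicitly in the log that the base tree now defaults PermitRootLogin to no and whether that comes from the 6.9p1 tarball or the X509 diff, because if that assumption is wrong this update silently reverts the port's root-login default to upstream's value; the in-tree check is to run `make patch` and grep the patched work/openssh/servconf.c for `permit_root_login = PERMIT_`.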