Date: Thu, 3 Mar 2022 19:59:11 GMT From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 418bb1fbd26b - main - security/openssh-portable: fix docs when built without PAM support Message-ID: <202203031959.223JxBNi045135@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by bdrewery: URL: https://cgit.FreeBSD.org/ports/commit/?id=418bb1fbd26b1b66b71096b364b0ee10477541b7 commit 418bb1fbd26b1b66b71096b364b0ee10477541b7 Author: Andrew Fyfe <andrew@neptune-one.net> AuthorDate: 2022-02-11 17:13:39 +0000 Commit: Bryan Drewery <bdrewery@FreeBSD.org> CommitDate: 2022-03-03 19:59:09 +0000 security/openssh-portable: fix docs when built without PAM support The defaults documented in sshd_config and sshd_config.5 are incorrect if OpenSSH was built without PAM support and can be misleading to the user whether or not password authentication is enabled. - Moved PAM specific changes out of patch-sshd_config and into extra-patch-pam-sshd_config - sshd_config.5 PasswordAuthentication: added a new line before the note to make it easier to read. - sshd_config.5 UsePAM: noted the default value depends on whether sshd was built with or without PAM support. PR: 261342 --- security/openssh-portable/Makefile | 4 ++- .../files/extra-patch-pam-sshd_config | 31 +++++++++++++++++++ security/openssh-portable/files/patch-sshd_config | 35 ++++------------------ .../openssh-portable/files/patch-sshd_config.5 | 26 +++++++++------- 4 files changed, 55 insertions(+), 41 deletions(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 578274ed6edb..8a5f71adabf9 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,7 +2,7 @@ PORTNAME= openssh DISTVERSION= 8.9p1 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -67,6 +67,8 @@ BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes +PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config + TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config new file mode 100644 index 000000000000..9b6b2619e527 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-pam-sshd_config @@ -0,0 +1,31 @@ +--- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000 ++++ sshd_config 2022-02-11 19:20:45.334738000 +0000 +@@ -55,8 +55,8 @@ + # Don't read the user's ~/.rhosts and ~/.shosts files + #IgnoreRhosts yes + +-# To disable tunneled clear text passwords, change to no here! +-#PasswordAuthentication yes ++# To enable tunneled clear text passwords, change to yes here! ++#PasswordAuthentication no + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords +@@ -72,7 +72,7 @@ + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + +-# Set this to 'yes' to enable PAM authentication, account processing, ++# Set this to 'no' to disable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the KbdInteractiveAuthentication and + # PasswordAuthentication. Depending on your PAM configuration, +@@ -81,7 +81,7 @@ + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and KbdInteractiveAuthentication to 'no'. +-#UsePAM no ++#UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index b582ac8f3691..c19496486f4f 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,5 +1,8 @@ ---- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700 -+++ sshd_config 2021-09-07 12:34:49.372652000 -0700 +!!! +!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option. +!!! +--- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000 ++++ sshd_config 2022-02-11 18:52:31.639435000 +0000 @@ -10,6 +10,9 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -20,33 +23,7 @@ #AuthorizedPrincipalsFile none -@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes - --# To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+# To enable tunneled clear text passwords, change to yes here! -+#PasswordAuthentication no - #PermitEmptyPasswords no - - # Change to no to disable s/key passwords -@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes - --# Set this to 'yes' to enable PAM authentication, account processing, -+# Set this to 'no' to disable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will - # be allowed through the KbdInteractiveAuthentication and - # PasswordAuthentication. Depending on your PAM configuration, -@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. --#UsePAM no -+#UsePAM yes - +@@ -84,7 +86,7 @@ #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 442225160130..2936c7cdca1a 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,8 +1,8 @@ ---- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 -+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 -@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa - The list of available key types may also be obtained using - .Qq ssh -Q key . +--- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000 ++++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000 +@@ -701,7 +701,9 @@ + .Qq ssh -Q HostbasedAcceptedAlgorithms . + This was formerly named HostbasedAcceptedKeyTypes. .It Cm HostbasedAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -11,7 +11,7 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic +@@ -1277,7 +1279,23 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -20,6 +20,7 @@ +.Nm sshd +was built without PAM support, in which case the default is .Cm yes . ++.Pp +Note that if +.Cm ChallengeResponseAuthentication +is @@ -34,7 +35,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1232,6 +1251,13 @@ and +@@ -1416,6 +1434,13 @@ .Cm ethernet . The default is .Cm no . @@ -48,12 +49,15 @@ .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run +@@ -1774,12 +1799,19 @@ .Xr sshd 8 as a non-root user. The default is --.Cm no . -+.Cm yes . ++.Cm yes , ++unless ++.Nm sshd ++was built without PAM support, in which case the default is + .Cm no . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. @@ -66,7 +70,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1512,7 +1541,7 @@ The argument must be +@@ -1793,7 +1825,7 @@ or .Cm no . The default is
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202203031959.223JxBNi045135>