Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 25 Apr 2026 23:35:27 +0000
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 5a1588f7fb0a - main - security/openssh-portable: Sync some files with src.
Message-ID:  <69ed4fbf.187fd.24d92d10@gitrepo.freebsd.org>

index | next in thread | raw e-mail

The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5a1588f7fb0a9eab446a33902b546420ba2df023

commit 5a1588f7fb0a9eab446a33902b546420ba2df023
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2026-04-25 22:35:51 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2026-04-25 23:35:14 +0000

    security/openssh-portable: Sync some files with src.
    
    Namely this updates some LIBWRAP behavior and updates a few incorrect
    docs.
    
    Submitted by:   jlduran
    Differential Revision:  https://reviews.freebsd.org/D53273
---
 security/openssh-portable/Makefile                 |   2 +-
 .../files/extra-patch-pam-sshd_config              |   5 +-
 .../openssh-portable/files/extra-patch-tcpwrappers |  70 ++++++++++++
 .../files/patch-regress__test-exec.sh              |   6 +-
 security/openssh-portable/files/patch-session.c    | 117 +++++++++++++--------
 security/openssh-portable/files/patch-ssh-agent.c  |   8 +-
 security/openssh-portable/files/patch-ssh.c        |  10 +-
 security/openssh-portable/files/patch-ssh_config.5 |  13 ---
 security/openssh-portable/files/patch-sshd.8       |   4 +-
 security/openssh-portable/files/patch-sshd.c       |  48 ++++-----
 security/openssh-portable/files/patch-uidswap.c    |   2 +-
 11 files changed, 187 insertions(+), 98 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 979f9cdd3da9..5855a233fbc2 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	openssh
 DISTVERSION=	10.2p1
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config
index aa80ceeeb2c3..7d003cfc7f3f 100644
--- a/security/openssh-portable/files/extra-patch-pam-sshd_config
+++ b/security/openssh-portable/files/extra-patch-pam-sshd_config
@@ -1,12 +1,13 @@
 --- sshd_config.orig	2025-04-09 00:02:43.000000000 -0700
 +++ sshd_config	2025-04-10 21:52:39.463528000 -0700
-@@ -53,8 +53,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -53,8 +53,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  
 -# To disable tunneled clear text passwords, change to "no" here!
 -#PasswordAuthentication yes
-+# To enable tunneled clear text passwords, change to yes here!
++# Change to "yes" to enable built-in password authentication.
++# Note that passwords may also be accepted via KbdInteractiveAuthentication.
 +#PasswordAuthentication no
  #PermitEmptyPasswords no
  
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index 5d9e8aced144..27fd19cbcfb0 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -1,4 +1,5 @@
 Revert TCPWRAPPER removal -bdrewery
+Syncs in sshd.c changes from src as well.
 
 commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
 Author: Damien Miller <djm@mindrot.org>
@@ -149,3 +150,72 @@ index 289e13d..e6a900b 100644
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "                   libldns support: $LDNS_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
+--- sshd.c.orig	2024-06-30 21:36:28.000000000 -0700
++++ sshd.c	2024-07-01 13:44:05.739756000 -0700
+@@ -90,6 +100,10 @@
+ #include "ssh-gss.h"
+ #endif
+ #include "monitor_wrap.h"
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++#endif /* LIBWRAP */
+ 
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+@@ -925,7 +939,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *n
+ 	socklen_t fromlen;
+ 	u_char rnd[256];
+ 	sigset_t nsigset, osigset;
++#ifdef LIBWRAP
++	struct request_info req;
+ 
++	request_init(&req, RQ_DAEMON, __progname, 0);
++#endif
++
+ 	/* pipes connected to unauthenticated child sshd processes */
+ 	child_alloc();
+ 	startup_pollfd = xcalloc(options.max_startups, sizeof(int));
+@@ -1133,6 +1152,42 @@ server_accept_loop(int *sock_in, int *sock_out, int *n
+ 					usleep(100 * 1000);
+ 				continue;
+ 			}
++#ifdef LIBWRAP
++			/* Check whether logins are denied from this host. */
++			request_set(&req, RQ_FILE, *newsock,
++			    RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
++			sock_host(&req);
++			if (!hosts_access(&req)) {
++				const struct linger l = { .l_onoff = 1,
++				    .l_linger  = 0 };
++
++				(void )setsockopt(*newsock, SOL_SOCKET,
++				    SO_LINGER, &l, sizeof(l));
++				(void )close(*newsock);
++				/*
++				 * Mimic message from libwrap's refuse() as
++				 * precisely as we can afford.  The authentic
++				 * message prints the IP address and the
++				 * hostname it resolves to in parentheses.  If
++				 * the IP address cannot be resolved to a
++				 * hostname, the IP address will be repeated
++				 * in parentheses.  As name resolution in the
++				 * main server loop could stall, and logging
++				 * resolved names adds little or no value to
++				 * incident investigation, this implementation
++				 * only repeats the IP address in parentheses.
++				 * This should resemble librwap's refuse()
++				 * closely enough not to break auditing
++				 * software like sshguard or custom scripts.
++				 */
++				syslog(LOG_WARNING,
++				    "refused connect from %s (%s)",
++				    eval_hostaddr(req.client),
++				    eval_hostaddr(req.client));
++				debug("Connection refused by tcp wrapper");
++				continue;
++			}
++#endif /* LIBWRAP */
+ 			if (unset_nonblock(*newsock) == -1) {
+ 				close(*newsock);
+ 				continue;
diff --git a/security/openssh-portable/files/patch-regress__test-exec.sh b/security/openssh-portable/files/patch-regress__test-exec.sh
index 0213e8cd5415..1f20e3ff8d27 100644
--- a/security/openssh-portable/files/patch-regress__test-exec.sh
+++ b/security/openssh-portable/files/patch-regress__test-exec.sh
@@ -1,10 +1,10 @@
 --- regress/test-exec.sh.orig	2015-04-03 18:20:32.256126000 UTC
 +++ regress/test-exec.sh	2015-04-03 18:20:41.599903000 -0500
-@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
+@@ -618,6 +618,7 @@ cat << EOF > $OBJ/sshd_config
  	LogLevel		DEBUG3
  	AcceptEnv		_XXX_TEST_*
  	AcceptEnv		_XXX_TEST
 +	PermitRootLogin		yes
  	Subsystem	sftp	$SFTPSERVER
- EOF
- 
+ 	SshdSessionPath		$SSHD_SESSION
+ 	SshdAuthPath		$SSHD_AUTH
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index b0b9e08008f8..da35125897b5 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -15,59 +15,90 @@ Sponsored by:   DARPA, NAI Labs
 
 --- session.c.orig	2021-04-15 20:55:25.000000000 -0700
 +++ session.c	2021-04-27 13:11:13.515917000 -0700
-@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
- }
- #endif /* HAVE_ETC_DEFAULT_LOGIN */
+@@ -939,6 +939,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ 	struct passwd *pw = s->pw;
+ #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
+ 	char *path = NULL;
++#else
++	extern char **environ;
++	char **senv, **var, *val;
+ #endif
  
--#if defined(USE_PAM) || defined(HAVE_CYGWIN)
-+#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
- static void
- copy_environment_denylist(char **source, char ***env, u_int *envsize,
-     const char *denylist)
-@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ 	/* Initialize the environment. */
+@@ -960,6 +963,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ 	}
+ #endif
+ 
++	if (getenv("TZ"))
++		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
++
+ #ifdef GSSAPI
+ 	/* Allow any GSSAPI methods that we've used to alter
+ 	 * the child's environment as they see fit
+@@ -977,11 +983,30 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+ 	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+ #endif
+ 	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
++	snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
++	child_set_env(&env, &envsize, "MAIL", buf);
+ #ifdef HAVE_LOGIN_CAP
+-	if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+-		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+-	else
+-		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
++	child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
++	child_set_env(&env, &envsize, "TERM", "su");
++	/*
++	 * Temporarily swap out our real environment with an empty one,
++	 * let setusercontext() apply any environment variables defined
++	 * for the user's login class, copy those variables to the child,
++	 * free the temporary environment, and restore the original.
++	 */
++	senv = environ;
++	environ = xmalloc(sizeof(*environ));
++	*environ = NULL;
++	(void)setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV|LOGIN_SETPATH);
++	for (var = environ; *var != NULL; ++var) {
++		if ((val = strchr(*var, '=')) != NULL) {
++			*val++ = '\0';
++			child_set_env(&env, &envsize, *var, val);
++		}
++		free(*var);
++	}
++	free(environ);
++	environ = senv;
+ #else /* HAVE_LOGIN_CAP */
+ # ifndef HAVE_CYGWIN
+ 	/*
+@@ -1001,17 +1026,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
 -	if (!options.use_pam) {
-+	/* FreeBSD PAM doesn't set default "MAIL" */
-+	if (1 || !options.use_pam) {
- 		snprintf(buf, sizeof buf, "%.200s/%.50s",
- 		    _PATH_MAILDIR, pw->pw_name);
- 		child_set_env(&env, &envsize, "MAIL", buf);
-@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+-		snprintf(buf, sizeof buf, "%.200s/%.50s",
+-		    _PATH_MAILDIR, pw->pw_name);
+-		child_set_env(&env, &envsize, "MAIL", buf);
+-	}
+-
+ 	/* Normal systems set SHELL by default. */
+ 	child_set_env(&env, &envsize, "SHELL", shell);
  
- 	if (getenv("TZ"))
- 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-+#ifdef HAVE_LOGIN_CAP
-+	/* Load environment from /etc/login.conf setenv directives. */
-+	{
-+		extern char **environ;
-+		char **senv, **var;
-+
-+		senv = environ;
-+		environ = xmalloc(sizeof(char *));
-+		*environ = NULL;
-+		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
-+		copy_environment_denylist(environ, &env, &envsize, NULL);
-+		for (var = environ; *var != NULL; ++var)
-+			free(*var);
-+		free(environ);
-+		environ = senv;
-+	}
-+#endif
+-	if (getenv("TZ"))
+-		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
  	if (s->term)
  		child_set_env(&env, &envsize, "TERM", s->term);
  	if (s->display)
-@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
+@@ -1225,7 +1242,8 @@ do_nologin(struct passwd *pw)
+ do_nologin(struct passwd *pw)
+ {
+ 	FILE *f = NULL;
+-	char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
++	const char *nl;
++	char buf[1024], *def_nl = _PATH_NOLOGIN;
+ 	struct stat sb;
+ 
  #ifdef HAVE_LOGIN_CAP
- 	if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
- 		return;
--	nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
-+	nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl);
- #else
- 	if (pw->pw_uid == 0)
- 		return;
-@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1315,7 +1333,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index b17027d0e340..6f049a8847e5 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -85,13 +85,13 @@ disconnected.
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -2286,6 +2310,9 @@ main(int ac, char **av)
+@@ -2285,6 +2309,9 @@ main(int ac, char **av)
+ 				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}
- 			break;
++			break;
 +		case 'x':
 +			xcount = 0;
-+			break;
+ 			break;
  		case 'T':
  			T_flag++;
- 			break;
diff --git a/security/openssh-portable/files/patch-ssh.c b/security/openssh-portable/files/patch-ssh.c
index c49535dcf868..09da82981369 100644
--- a/security/openssh-portable/files/patch-ssh.c
+++ b/security/openssh-portable/files/patch-ssh.c
@@ -7,9 +7,9 @@ Canonicize the host name before looking it up in the host file.
 
 --- ssh.c.orig	2018-04-02 05:38:28 UTC
 +++ ssh.c
-@@ -1281,6 +1281,23 @@ main(int ac, char **av)
- 	ssh_digest_free(md);
- 	conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
+@@ -1289,6 +1289,23 @@ main(int ac, char **av)
+ 			check_follow_cname(direct, &host, cname);
+ 	}
  
 +	/* Find canonic host name. */
 +	if (strchr(host, '.') == 0) {
@@ -29,5 +29,5 @@ Canonicize the host name before looking it up in the host file.
 +	}
 +
  	/*
- 	 * Expand tokens in arguments. NB. LocalCommand is expanded later,
- 	 * after port-forwarding is set up, so it may pick up any local
+ 	 * If canonicalisation is enabled then re-parse the configuration
+ 	 * files as new stanzas may match.
diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5
deleted file mode 100644
index 8c0e2bf1d5be..000000000000
--- a/security/openssh-portable/files/patch-ssh_config.5
+++ /dev/null
@@ -1,13 +0,0 @@
---- UTC
-
---- ssh_config.5.orig	2020-11-16 11:53:55.871161000 -0800
-+++ ssh_config.5	2020-11-16 12:43:41.763006000 -0800
-@@ -434,6 +433,8 @@ in the process, regardless of the setting of
- If the option is set to
- .Cm no ,
- the check will not be executed.
-+The default is
-+.Cm no .
- .It Cm Ciphers
- Specifies the ciphers allowed and their order of preference.
- Multiple ciphers must be comma-separated.
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
index 4d2a477899c6..eff25147d9dd 100644
--- a/security/openssh-portable/files/patch-sshd.8
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -3,7 +3,7 @@ Document FreeBSD/port-specific paths
 
 --- sshd.8.orig	2010-08-04 21:03:13.000000000 -0600
 +++ sshd.8	2010-09-14 16:14:14.000000000 -0600
-@@ -70,7 +70,7 @@
+@@ -64,7 +64,7 @@
  .Nm
  listens for connections from clients.
  It is normally started at boot from
@@ -12,7 +12,7 @@ Document FreeBSD/port-specific paths
  It forks a new
  daemon for each incoming connection.
  The forked daemons handle
-@@ -384,8 +384,9 @@
+@@ -355,8 +355,9 @@
  If the login is on a tty, records login time.
  .It
  Checks
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 6d522d520e90..f91c0da69b9f 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -41,28 +41,41 @@ connections, do not protect connection handlers spawned from inetd.
  #include <sys/ioctl.h>
 +#include <sys/mman.h>
  #include <sys/socket.h>
- #ifdef HAVE_SYS_STAT_H
- # include <sys/stat.h>
-@@ -69,6 +70,13 @@
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -63,6 +64,15 @@
  #include <prot.h>
  #endif
  
 +#ifdef __FreeBSD__
 +#include <resolv.h>
-+#ifdef GSSAPI
-+#include "ssh-gss.h"
++#if defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H)
++#include <gssapi/gssapi.h>
++#elif defined(GSSAPI) && defined(HAVE_GSSAPI_H)
++#include <gssapi.h>
 +#endif
 +#endif
 +
  #include "xmalloc.h"
  #include "ssh.h"
  #include "sshpty.h"
-@@ -1671,7 +1679,30 @@ main(int ac, char **av)
- 	for (i = 0; i < options.num_log_verbose; i++)
- 		log_verbose_add(options.log_verbose[i]);
+@@ -1825,6 +1880,10 @@ main(int ac, char **av)
+ 	/* Reinitialize the log (because of the fork above). */
+ 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
-+#ifdef __FreeBSD__
++ 	/* Avoid killing the process in high-pressure swapping environments. */
++ 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ 		debug("madvise(): %.200s", strerror(errno));
++
  	/*
+ 	 * Chdir to the root directory so that the current disk can be
+ 	 * unmounted if desired.
+@@ -1910,6 +1969,28 @@ main(int ac, char **av)
+ 	execv(rexec_argv[0], rexec_argv);
+ 
+ 	fatal("rexec of %s failed: %s", rexec_argv[0], strerror(errno));
++#ifdef __FreeBSD__
++	/*
 +	 * Initialize the resolver.  This may not happen automatically
 +	 * before privsep chroot().
 +	 */
@@ -83,19 +96,6 @@ connections, do not protect connection handlers spawned from inetd.
 +	}
 +#endif
 +#endif
-+
-+	/*
- 	 * If not in debugging mode, not started from inetd and not already
- 	 * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
- 	 * terminal, and fork.  The original process exits.
-@@ -1687,6 +1718,10 @@ main(int ac, char **av)
- 	/* Reinitialize the log (because of the fork above). */
- 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ }
  
-+ 	/* Avoid killing the process in high-pressure swapping environments. */
-+ 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ 		debug("madvise(): %.200s", strerror(errno));
-+
- 	/*
- 	 * Chdir to the root directory so that the current disk can be
- 	 * unmounted if desired.
+ /* server specific fatal cleanup */
diff --git a/security/openssh-portable/files/patch-uidswap.c b/security/openssh-portable/files/patch-uidswap.c
index b906d1d67480..daf522c58993 100644
--- a/security/openssh-portable/files/patch-uidswap.c
+++ b/security/openssh-portable/files/patch-uidswap.c
@@ -34,7 +34,7 @@ index 6ed3024d0180..0143f4994611 100644
  #include <errno.h>
  #include <pwd.h>
  #include <string.h>
-@@ -121,8 +124,20 @@ temporarily_use_uid(struct passwd *pw)
+@@ -121,8 +125,20 @@ temporarily_use_uid(struct passwd *pw)
  		fatal("setgroups: %.100s", strerror(errno));
  #ifndef SAVED_IDS_WORK_WITH_SETEUID
  	/* Propagate the privileged gid to all of our gids. */


home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69ed4fbf.187fd.24d92d10>