Date: Sat, 25 Apr 2026 23:35:27 +0000 From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 5a1588f7fb0a - main - security/openssh-portable: Sync some files with src. Message-ID: <69ed4fbf.187fd.24d92d10@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by bdrewery: URL: https://cgit.FreeBSD.org/ports/commit/?id=5a1588f7fb0a9eab446a33902b546420ba2df023 commit 5a1588f7fb0a9eab446a33902b546420ba2df023 Author: Bryan Drewery <bdrewery@FreeBSD.org> AuthorDate: 2026-04-25 22:35:51 +0000 Commit: Bryan Drewery <bdrewery@FreeBSD.org> CommitDate: 2026-04-25 23:35:14 +0000 security/openssh-portable: Sync some files with src. Namely this updates some LIBWRAP behavior and updates a few incorrect docs. Submitted by: jlduran Differential Revision: https://reviews.freebsd.org/D53273 --- security/openssh-portable/Makefile | 2 +- .../files/extra-patch-pam-sshd_config | 5 +- .../openssh-portable/files/extra-patch-tcpwrappers | 70 ++++++++++++ .../files/patch-regress__test-exec.sh | 6 +- security/openssh-portable/files/patch-session.c | 117 +++++++++++++-------- security/openssh-portable/files/patch-ssh-agent.c | 8 +- security/openssh-portable/files/patch-ssh.c | 10 +- security/openssh-portable/files/patch-ssh_config.5 | 13 --- security/openssh-portable/files/patch-sshd.8 | 4 +- security/openssh-portable/files/patch-sshd.c | 48 ++++----- security/openssh-portable/files/patch-uidswap.c | 2 +- 11 files changed, 187 insertions(+), 98 deletions(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 979f9cdd3da9..5855a233fbc2 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,6 +1,6 @@ PORTNAME= openssh DISTVERSION= 10.2p1 -PORTREVISION= 4 +PORTREVISION= 5 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config index aa80ceeeb2c3..7d003cfc7f3f 100644 --- a/security/openssh-portable/files/extra-patch-pam-sshd_config +++ b/security/openssh-portable/files/extra-patch-pam-sshd_config @@ -1,12 +1,13 @@ --- sshd_config.orig 2025-04-09 00:02:43.000000000 -0700 +++ sshd_config 2025-04-10 21:52:39.463528000 -0700 -@@ -53,8 +53,8 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -53,8 +53,9 @@ AuthorizedKeysFile .ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes -# To disable tunneled clear text passwords, change to "no" here! -#PasswordAuthentication yes -+# To enable tunneled clear text passwords, change to yes here! ++# Change to "yes" to enable built-in password authentication. ++# Note that passwords may also be accepted via KbdInteractiveAuthentication. +#PasswordAuthentication no #PermitEmptyPasswords no diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index 5d9e8aced144..27fd19cbcfb0 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -1,4 +1,5 @@ Revert TCPWRAPPER removal -bdrewery +Syncs in sshd.c changes from src as well. commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 Author: Damien Miller <djm@mindrot.org> @@ -149,3 +150,72 @@ index 289e13d..e6a900b 100644 echo " libedit support: $LIBEDIT_MSG" echo " libldns support: $LDNS_MSG" echo " Solaris process contract support: $SPC_MSG" +--- sshd.c.orig 2024-06-30 21:36:28.000000000 -0700 ++++ sshd.c 2024-07-01 13:44:05.739756000 -0700 +@@ -90,6 +100,10 @@ + #include "ssh-gss.h" + #endif + #include "monitor_wrap.h" ++#ifdef LIBWRAP ++#include <tcpd.h> ++#include <syslog.h> ++#endif /* LIBWRAP */ + + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) +@@ -925,7 +939,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *n + socklen_t fromlen; + u_char rnd[256]; + sigset_t nsigset, osigset; ++#ifdef LIBWRAP ++ struct request_info req; + ++ request_init(&req, RQ_DAEMON, __progname, 0); ++#endif ++ + /* pipes connected to unauthenticated child sshd processes */ + child_alloc(); + startup_pollfd = xcalloc(options.max_startups, sizeof(int)); +@@ -1133,6 +1152,42 @@ server_accept_loop(int *sock_in, int *sock_out, int *n + usleep(100 * 1000); + continue; + } ++#ifdef LIBWRAP ++ /* Check whether logins are denied from this host. */ ++ request_set(&req, RQ_FILE, *newsock, ++ RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0); ++ sock_host(&req); ++ if (!hosts_access(&req)) { ++ const struct linger l = { .l_onoff = 1, ++ .l_linger = 0 }; ++ ++ (void )setsockopt(*newsock, SOL_SOCKET, ++ SO_LINGER, &l, sizeof(l)); ++ (void )close(*newsock); ++ /* ++ * Mimic message from libwrap's refuse() as ++ * precisely as we can afford. The authentic ++ * message prints the IP address and the ++ * hostname it resolves to in parentheses. If ++ * the IP address cannot be resolved to a ++ * hostname, the IP address will be repeated ++ * in parentheses. As name resolution in the ++ * main server loop could stall, and logging ++ * resolved names adds little or no value to ++ * incident investigation, this implementation ++ * only repeats the IP address in parentheses. ++ * This should resemble librwap's refuse() ++ * closely enough not to break auditing ++ * software like sshguard or custom scripts. ++ */ ++ syslog(LOG_WARNING, ++ "refused connect from %s (%s)", ++ eval_hostaddr(req.client), ++ eval_hostaddr(req.client)); ++ debug("Connection refused by tcp wrapper"); ++ continue; ++ } ++#endif /* LIBWRAP */ + if (unset_nonblock(*newsock) == -1) { + close(*newsock); + continue; diff --git a/security/openssh-portable/files/patch-regress__test-exec.sh b/security/openssh-portable/files/patch-regress__test-exec.sh index 0213e8cd5415..1f20e3ff8d27 100644 --- a/security/openssh-portable/files/patch-regress__test-exec.sh +++ b/security/openssh-portable/files/patch-regress__test-exec.sh @@ -1,10 +1,10 @@ --- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 UTC +++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500 -@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config +@@ -618,6 +618,7 @@ cat << EOF > $OBJ/sshd_config LogLevel DEBUG3 AcceptEnv _XXX_TEST_* AcceptEnv _XXX_TEST + PermitRootLogin yes Subsystem sftp $SFTPSERVER - EOF - + SshdSessionPath $SSHD_SESSION + SshdAuthPath $SSHD_AUTH diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index b0b9e08008f8..da35125897b5 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -15,59 +15,90 @@ Sponsored by: DARPA, NAI Labs --- session.c.orig 2021-04-15 20:55:25.000000000 -0700 +++ session.c 2021-04-27 13:11:13.515917000 -0700 -@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui - } - #endif /* HAVE_ETC_DEFAULT_LOGIN */ +@@ -939,6 +939,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + struct passwd *pw = s->pw; + #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) + char *path = NULL; ++#else ++ extern char **environ; ++ char **senv, **var, *val; + #endif --#if defined(USE_PAM) || defined(HAVE_CYGWIN) -+#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP) - static void - copy_environment_denylist(char **source, char ***env, u_int *envsize, - const char *denylist) -@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + /* Initialize the environment. */ +@@ -960,6 +963,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + } + #endif + ++ if (getenv("TZ")) ++ child_set_env(&env, &envsize, "TZ", getenv("TZ")); ++ + #ifdef GSSAPI + /* Allow any GSSAPI methods that we've used to alter + * the child's environment as they see fit +@@ -977,11 +983,30 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); + #endif + child_set_env(&env, &envsize, "HOME", pw->pw_dir); ++ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); ++ child_set_env(&env, &envsize, "MAIL", buf); + #ifdef HAVE_LOGIN_CAP +- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) +- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); +- else +- child_set_env(&env, &envsize, "PATH", getenv("PATH")); ++ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); ++ child_set_env(&env, &envsize, "TERM", "su"); ++ /* ++ * Temporarily swap out our real environment with an empty one, ++ * let setusercontext() apply any environment variables defined ++ * for the user's login class, copy those variables to the child, ++ * free the temporary environment, and restore the original. ++ */ ++ senv = environ; ++ environ = xmalloc(sizeof(*environ)); ++ *environ = NULL; ++ (void)setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV|LOGIN_SETPATH); ++ for (var = environ; *var != NULL; ++var) { ++ if ((val = strchr(*var, '=')) != NULL) { ++ *val++ = '\0'; ++ child_set_env(&env, &envsize, *var, val); ++ } ++ free(*var); ++ } ++ free(environ); ++ environ = senv; + #else /* HAVE_LOGIN_CAP */ + # ifndef HAVE_CYGWIN + /* +@@ -1001,17 +1026,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - if (!options.use_pam) { -+ /* FreeBSD PAM doesn't set default "MAIL" */ -+ if (1 || !options.use_pam) { - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); -@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +- snprintf(buf, sizeof buf, "%.200s/%.50s", +- _PATH_MAILDIR, pw->pw_name); +- child_set_env(&env, &envsize, "MAIL", buf); +- } +- + /* Normal systems set SHELL by default. */ + child_set_env(&env, &envsize, "SHELL", shell); - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -+#ifdef HAVE_LOGIN_CAP -+ /* Load environment from /etc/login.conf setenv directives. */ -+ { -+ extern char **environ; -+ char **senv, **var; -+ -+ senv = environ; -+ environ = xmalloc(sizeof(char *)); -+ *environ = NULL; -+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV); -+ copy_environment_denylist(environ, &env, &envsize, NULL); -+ for (var = environ; *var != NULL; ++var) -+ free(*var); -+ free(environ); -+ environ = senv; -+ } -+#endif +- if (getenv("TZ")) +- child_set_env(&env, &envsize, "TZ", getenv("TZ")); if (s->term) child_set_env(&env, &envsize, "TERM", s->term); if (s->display) -@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw) +@@ -1225,7 +1242,8 @@ do_nologin(struct passwd *pw) + do_nologin(struct passwd *pw) + { + FILE *f = NULL; +- char buf[1024], *nl, *def_nl = _PATH_NOLOGIN; ++ const char *nl; ++ char buf[1024], *def_nl = _PATH_NOLOGIN; + struct stat sb; + #ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) - return; -- nl = login_getcapstr(lc, "nologin", def_nl, def_nl); -+ nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl); - #else - if (pw->pw_uid == 0) - return; -@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw) +@@ -1315,7 +1333,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index b17027d0e340..6f049a8847e5 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -85,13 +85,13 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -2286,6 +2310,9 @@ main(int ac, char **av) +@@ -2285,6 +2309,9 @@ main(int ac, char **av) + fprintf(stderr, "Invalid lifetime\n"); usage(); } - break; ++ break; + case 'x': + xcount = 0; -+ break; + break; case 'T': T_flag++; - break; diff --git a/security/openssh-portable/files/patch-ssh.c b/security/openssh-portable/files/patch-ssh.c index c49535dcf868..09da82981369 100644 --- a/security/openssh-portable/files/patch-ssh.c +++ b/security/openssh-portable/files/patch-ssh.c @@ -7,9 +7,9 @@ Canonicize the host name before looking it up in the host file. --- ssh.c.orig 2018-04-02 05:38:28 UTC +++ ssh.c -@@ -1281,6 +1281,23 @@ main(int ac, char **av) - ssh_digest_free(md); - conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1)); +@@ -1289,6 +1289,23 @@ main(int ac, char **av) + check_follow_cname(direct, &host, cname); + } + /* Find canonic host name. */ + if (strchr(host, '.') == 0) { @@ -29,5 +29,5 @@ Canonicize the host name before looking it up in the host file. + } + /* - * Expand tokens in arguments. NB. LocalCommand is expanded later, - * after port-forwarding is set up, so it may pick up any local + * If canonicalisation is enabled then re-parse the configuration + * files as new stanzas may match. diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5 deleted file mode 100644 index 8c0e2bf1d5be..000000000000 --- a/security/openssh-portable/files/patch-ssh_config.5 +++ /dev/null @@ -1,13 +0,0 @@ ---- UTC - ---- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800 -+++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800 -@@ -434,6 +433,8 @@ in the process, regardless of the setting of - If the option is set to - .Cm no , - the check will not be executed. -+The default is -+.Cm no . - .It Cm Ciphers - Specifies the ciphers allowed and their order of preference. - Multiple ciphers must be comma-separated. diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8 index 4d2a477899c6..eff25147d9dd 100644 --- a/security/openssh-portable/files/patch-sshd.8 +++ b/security/openssh-portable/files/patch-sshd.8 @@ -3,7 +3,7 @@ Document FreeBSD/port-specific paths --- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600 +++ sshd.8 2010-09-14 16:14:14.000000000 -0600 -@@ -70,7 +70,7 @@ +@@ -64,7 +64,7 @@ .Nm listens for connections from clients. It is normally started at boot from @@ -12,7 +12,7 @@ Document FreeBSD/port-specific paths It forks a new daemon for each incoming connection. The forked daemons handle -@@ -384,8 +384,9 @@ +@@ -355,8 +355,9 @@ If the login is on a tty, records login time. .It Checks diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c index 6d522d520e90..f91c0da69b9f 100644 --- a/security/openssh-portable/files/patch-sshd.c +++ b/security/openssh-portable/files/patch-sshd.c @@ -41,28 +41,41 @@ connections, do not protect connection handlers spawned from inetd. #include <sys/ioctl.h> +#include <sys/mman.h> #include <sys/socket.h> - #ifdef HAVE_SYS_STAT_H - # include <sys/stat.h> -@@ -69,6 +70,13 @@ + #include <sys/stat.h> + #include <sys/time.h> +@@ -63,6 +64,15 @@ #include <prot.h> #endif +#ifdef __FreeBSD__ +#include <resolv.h> -+#ifdef GSSAPI -+#include "ssh-gss.h" ++#if defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H) ++#include <gssapi/gssapi.h> ++#elif defined(GSSAPI) && defined(HAVE_GSSAPI_H) ++#include <gssapi.h> +#endif +#endif + #include "xmalloc.h" #include "ssh.h" #include "sshpty.h" -@@ -1671,7 +1679,30 @@ main(int ac, char **av) - for (i = 0; i < options.num_log_verbose; i++) - log_verbose_add(options.log_verbose[i]); +@@ -1825,6 +1880,10 @@ main(int ac, char **av) + /* Reinitialize the log (because of the fork above). */ + log_init(__progname, options.log_level, options.log_facility, log_stderr); -+#ifdef __FreeBSD__ ++ /* Avoid killing the process in high-pressure swapping environments. */ ++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) ++ debug("madvise(): %.200s", strerror(errno)); ++ /* + * Chdir to the root directory so that the current disk can be + * unmounted if desired. +@@ -1910,6 +1969,28 @@ main(int ac, char **av) + execv(rexec_argv[0], rexec_argv); + + fatal("rexec of %s failed: %s", rexec_argv[0], strerror(errno)); ++#ifdef __FreeBSD__ ++ /* + * Initialize the resolver. This may not happen automatically + * before privsep chroot(). + */ @@ -83,19 +96,6 @@ connections, do not protect connection handlers spawned from inetd. + } +#endif +#endif -+ -+ /* - * If not in debugging mode, not started from inetd and not already - * daemonized (eg re-exec via SIGHUP), disconnect from the controlling - * terminal, and fork. The original process exits. -@@ -1687,6 +1718,10 @@ main(int ac, char **av) - /* Reinitialize the log (because of the fork above). */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + } -+ /* Avoid killing the process in high-pressure swapping environments. */ -+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) -+ debug("madvise(): %.200s", strerror(errno)); -+ - /* - * Chdir to the root directory so that the current disk can be - * unmounted if desired. + /* server specific fatal cleanup */ diff --git a/security/openssh-portable/files/patch-uidswap.c b/security/openssh-portable/files/patch-uidswap.c index b906d1d67480..daf522c58993 100644 --- a/security/openssh-portable/files/patch-uidswap.c +++ b/security/openssh-portable/files/patch-uidswap.c @@ -34,7 +34,7 @@ index 6ed3024d0180..0143f4994611 100644 #include <errno.h> #include <pwd.h> #include <string.h> -@@ -121,8 +124,20 @@ temporarily_use_uid(struct passwd *pw) +@@ -121,8 +125,20 @@ temporarily_use_uid(struct passwd *pw) fatal("setgroups: %.100s", strerror(errno)); #ifndef SAVED_IDS_WORK_WITH_SETEUID /* Propagate the privileged gid to all of our gids. */home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69ed4fbf.187fd.24d92d10>
