diff --git a/net-mgmt/nagios/Makefile b/net-mgmt/nagios/Makefile
new file mode 100644
index 0000000..87d9812
--- /dev/null
+++ b/net-mgmt/nagios/Makefile
@@ -0,0 +1,105 @@
+PORTNAME= nagios
+PORTVERSION= 3.5.1
+PORTREVISION= 12
+CATEGORIES= net-mgmt
+MASTER_SITES= SF/${PORTNAME}/${PORTNAME}-3.x/${PORTNAME}-${PORTVERSION}
+
+MAINTAINER= joneum@FreeBSD.org
+COMMENT= Powerful network monitoring system
+WWW= https://www.nagios.org/
+
+LICENSE= GPLv2
+
+LIB_DEPENDS= libltdl.so:devel/libltdl \
+ libgd.so:graphics/gd
+
+PORTSCOUT= limit:^3.
+
+USES= cpe localbase perl5 php
+USE_PERL5= build
+USE_RC_SUBR= nagios
+
+CONFLICTS= nagios-[12].* nagios-devel nagios4
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS= --with-command-user=${NAGIOSUSER} \
+ --with-command-group=${WWWGRP} \
+ --with-nagios-user=${NAGIOSUSER} \
+ --with-nagios-group=${NAGIOSGROUP} \
+ --with-htmurl=${NAGIOSHTMURL} \
+ --with-cgiurl=${NAGIOSCGIURL} \
+ --sbindir=${PREFIX}/${NAGIOSWWWDIR}/cgi-bin \
+ --libexecdir=${PREFIX}/libexec/nagios \
+ --datadir=${PREFIX}/${NAGIOSWWWDIR} \
+ --sysconfdir=${PREFIX}/etc/nagios \
+ --localstatedir=${NAGIOSDIR} \
+ --with-httpd-conf=${PREFIX}/etc \
+ --with-checkresult-dir=${NAGIOSDIR}/checkresults \
+ --disable-statuswrl \
+ ac_cv_lib_iconv_main=no
+CONFIGURE_ENV= PERL=${PERL}
+
+MAKE_JOBS_UNSAFE= yes
+
+INSTALL_TARGET= install install-commandmode install-config
+PLIST_SUB= NAGIOSDIR=${NAGIOSDIR} \
+ NAGIOSWWWDIR=${NAGIOSWWWDIR} \
+ NAGIOSUSER=${NAGIOSUSER} \
+ NAGIOSGROUP=${NAGIOSGROUP} \
+ WWWGRP=${WWWGRP}
+
+SUB_FILES= pkg-message
+
+# XXX: Don't remove PREFIX from SUB_LIST here.
+SUB_LIST= PREFIX=${PREFIX} \
+ NAGIOSHTMURL=${NAGIOSHTMURL} \
+ NAGIOSCGIURL=${NAGIOSCGIURL} \
+ ${PLIST_SUB}
+
+NAGIOSUSER?= nagios
+NAGIOSGROUP?= nagios
+NAGIOSDIR?= /var/spool/nagios
+
+NAGIOSWWWDIR?= www/nagios
+NAGIOSHTMURL?= /nagios
+NAGIOSCGIURL?= ${NAGIOSHTMURL}/cgi-bin
+
+USERS= ${NAGIOSUSER}
+GROUPS= ${NAGIOSGROUP}
+
+OPTIONS_DEFINE= EMBEDDED_PERL NANOSLEEP EVENT_BROKER UNHANDLED_HACK
+OPTIONS_RADIO= PLUGINS
+OPTIONS_RADIO_PLUGINS= MONPLUGINS NAGPLUGINS
+OPTIONS_DEFAULT= NAGPLUGINS
+EMBEDDED_PERL_DESC= Enable embedded Perl [requires Perl 5.8.0+]
+NANOSLEEP_DESC= Use nanosleep in event timing
+EVENT_BROKER_DESC= Enable event broker functionality
+UNHANDLED_HACK_DESC= Display passive checks in unhandled queries
+
+MONPLUGINS_RUN_DEPENDS= ${LOCALBASE}/libexec/nagios/check_nagios:net-mgmt/monitoring-plugins
+NAGPLUGINS_RUN_DEPENDS= ${LOCALBASE}/libexec/nagios/check_nagios:net-mgmt/nagios-plugins
+
+OPTIONS_SUB=
+
+EMBEDDED_PERL_USE= perl5=run
+EMBEDDED_PERL_CONFIGURE_ENABLE= embedded-perl
+EMBEDDED_PERL_CONFIGURE_WITH= perlcache
+NANOSLEEP_CONFIGURE_ENABLE= nanosleep
+EVENT_BROKER_CONFIGURE_ENABLE= event-broker
+
+post-extract:
+ @${MV} ${WRKDIR}/${PORTNAME} ${WRKSRC}
+
+.include
+
+post-patch:
+ @${REINPLACE_CMD} '/^INSTALL_OPTS=/d' ${WRKSRC}/configure
+.if ${PORT_OPTIONS:MUNHANDLED_HACK}
+ @${REINPLACE_CMD} -e 's#;serviceprops=42\&#;serviceprops=10\&#g' \
+ -e 's#;hostprops=42\"#;hostprops=10\"#g' ${WRKSRC}/html/side.php
+.endif
+
+post-install:
+ @${MV} ${STAGEDIR}${PREFIX}/${NAGIOSWWWDIR}/config.inc.php ${STAGEDIR}${PREFIX}/${NAGIOSWWWDIR}/config.inc.php.sample
+
+.include
diff --git a/net-mgmt/nagios/distinfo b/net-mgmt/nagios/distinfo
new file mode 100644
index 0000000..c261f85
--- /dev/null
+++ b/net-mgmt/nagios/distinfo
@@ -0,0 +1,2 @@
+SHA256 (nagios-3.5.1.tar.gz) = ca9dd68234fa090b3c35ecc8767b2c9eb743977eaf32612fa9b8341cc00a0f99
+SIZE (nagios-3.5.1.tar.gz) = 1763584
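Review bot: The `# XXX: Don't remove PREFIX from SUB_LIST here.` comment states a prohibition without its reason, so the next maintainer cannot tell whether it is still needed; if the reason is that files/nagios.in and files/pkg-message.in substitute %%PREFIX%% and the port relies on this explicit entry, say so, e.g. `# XXX: keep PREFIX in SUB_LIST: nagios.in and pkg-message.in substitute %%PREFIX%%`. The same goes for `PORTSCOUT= limit:^3.` together with the locally carried upstream fix in files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866: a short comment stating that the port intentionally stays on the 3.x line and which upstream security fixes are backported would let a reviewer judge exposure without re-reading every patch. The two `.include` lines are rendered here without their arguments, presumably an artefact of the page rather than of the commit.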
diff --git a/net-mgmt/nagios/files/nagios.in b/net-mgmt/nagios/files/nagios.in
new file mode 100644
index 0000000..d6ee95a
--- /dev/null
+++ b/net-mgmt/nagios/files/nagios.in
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+# PROVIDE: nagios
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable nagios:
+# nagios_enable (bool): Set to "NO" by default.
+# Set it to "YES" to enable nagios.
+# nagios_precache (bool): Set to "NO" by default.
+# Set it to "YES" to enable pre-caching.
+# nagios_flags (str): Set to "" by default.
+# nagios_configfile (str): Set to "%%PREFIX%%/etc/nagios/nagios.cfg" by default.
+#
+
+. /etc/rc.subr
+
+name="nagios"
+rcvar=nagios_enable
+
+command="%%PREFIX%%/bin/nagios"
+command_args="-d"
+extra_commands="reload configtest"
+pidfile="%%NAGIOSDIR%%/nagios.lock"
+nagios_user="%%NAGIOSUSER%%"
+
+start_precmd="start_precmd"
+stop_postcmd="stop_postcmd"
+restart_precmd="nagios_checkconfig"
+reload_precmd="reload_precmd"
+configtest_cmd="nagios_checkconfig"
+sig_reload=HUP
+
+load_rc_config "${name}"
+
+[ -z "${nagios_enable}" ] && nagios_enable="NO"
+[ -z "${nagios_configfile}" ] && nagios_configfile="%%PREFIX%%/etc/nagios/nagios.cfg"
+[ -z "${nagios_precache}" ] && nagios_precache="NO"
+
+required_files="${nagios_configfile}"
+command_args="${command_args} ${nagios_configfile}"
+
+nagios_cacheconfig() {
+ if ! checkyesno nagios_precache; then
+ return 0
+ fi
+
+ echo -n "Pre-Caching nagios configuration: "
+ ${command} -pv ${nagios_configfile} 2>&1 >/dev/null
+ if [ $? != 0 ]; then
+ echo "FAILED"
+ ${command} -v ${nagios_configfile}
+ return 1
+ else
+ command_args="-u -x ${command_args}"
+ echo "OK"
+ fi
+}
+
+nagios_checkconfig() {
+ echo -n "Performing sanity check of nagios configuration: "
+ ${command} -v ${nagios_configfile} 2>&1 >/dev/null
+ if [ $? != 0 ]; then
+ echo "FAILED"
+ ${command} -v ${nagios_configfile}
+ return 1
+ else
+ echo "OK"
+ fi
+}
+
+reload_precmd() {
+ if ! nagios_checkconfig; then
+ return 1
+ fi
+
+ if ! nagios_cacheconfig; then
+ return 1
+ fi
+}
+
+start_precmd() {
+ if ! nagios_checkconfig; then
+ return 1
+ fi
+
+ if ! nagios_cacheconfig; then
+ return 1
+ fi
+
+ su -m "${nagios_user}" -c "touch \"%%NAGIOSDIR%%/nagios.log\" \"%%NAGIOSDIR%%/status.sav\""
+ rm -f "%%NAGIOSDIR%%/rw/nagios.cmd"
+}
+
+stop_postcmd() {
+ rm -f "%%NAGIOSDIR%%/nagios.tmp" "%%NAGIOSDIR%%/rw/nagios.cmd"
+}
+
+run_rc_command "$1"
diff --git a/net-mgmt/nagios/files/patch-0007-fix_downtime_struct b/net-mgmt/nagios/files/patch-0007-fix_downtime_struct
new file mode 100644
index 0000000..819f80d
--- /dev/null
+++ b/net-mgmt/nagios/files/patch-0007-fix_downtime_struct
@@ -0,0 +1,32 @@
+--- ./include/downtime.h.orig 2013-08-30 19:46:14.000000000 +0200
++++ ./include/downtime.h 2014-04-18 10:49:26.000000000 +0200
+@@ -39,24 +39,26 @@
+ char *service_description;
+ time_t entry_time;
+ time_t start_time;
+- time_t flex_downtime_start; /* Time the flexible downtime started */
+ time_t end_time;
+ int fixed;
+ unsigned long triggered_by;
+ unsigned long duration;
+ unsigned long downtime_id;
+- int is_in_effect;
+- int start_notification_sent;
+ char *author;
+ char *comment;
+ #ifdef NSCORE
+ unsigned long comment_id;
++#endif
++ int is_in_effect;
++#ifdef NSCORE
+ int start_flex_downtime;
+ int incremented_pending_downtime;
+ // int start_event;
+ // int stop_event;
+ #endif
+ struct scheduled_downtime_struct *next;
++ time_t flex_downtime_start; /* Time the flexible downtime started */
++ int start_notification_sent;
+ } scheduled_downtime;
+
+
diff --git a/net-mgmt/nagios/files/patch-Makefile.in b/net-mgmt/nagios/files/patch-Makefile.in
new file mode 100644
index 0000000..44a22ea
--- /dev/null
+++ b/net-mgmt/nagios/files/patch-Makefile.in
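Review bot: `${command} -pv ${nagios_configfile} 2>&1 >/dev/null` in nagios_cacheconfig, and the same form in nagios_checkconfig, discards only stdout: redirections apply left to right, so stderr is pointed at the terminal before stdout is sent to /dev/null. Since both functions deliberately re-run `${command} -v ${nagios_configfile}` on failure to show the diagnostics, the intent looks like silencing the first run completely, i.e. `${command} -pv ${nagios_configfile} >/dev/null 2>&1` and `${command} -v ${nagios_configfile} >/dev/null 2>&1`; as written, a broken config prints the errors twice. The three `[ -z "${nagios_enable}" ] && nagios_enable="NO"` lines are the older idiom; rc scripts in the tree conventionally write `: ${nagios_enable:="NO"}`. The header documents nagios_flags but nothing in the script references it, which is fine if rc.subr appends `${name}_flags` itself, but a short remark saying so would stop readers from looking for the missing use.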
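Review bot: The struct reshuffle in patch-0007-fix_downtime_struct carries no explanation, and the change is not self-evident: `is_in_effect` moves between the two `#ifdef NSCORE` regions, while `flex_downtime_start` and `start_notification_sent` are relocated to the end of `scheduled_downtime_struct`, after `next`. This reads as keeping the offsets of the older fields stable for code compiled against the earlier layout (event-broker modules, presumably), but that is an inference; a preamble line above the `---` header such as `Keep the 3.5.1 additions at the end of the struct so existing fields keep their offsets for out-of-tree consumers` would pin the intent and tell a future updater when the patch can be dropped. The patch also leaves `start_notification_sent` outside any `#ifdef NSCORE`, unlike the core-only fields above it, which the note could confirm as deliberate.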
@@ -0,0 +1,66 @@ +--- ./Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./Makefile.in 2014-01-14 13:57:06.000000000 +0100 +@@ -30,8 +30,6 @@ + LIBEXECDIR=@libexecdir@ + HTMLDIR=@datadir@ + INSTALL=@INSTALL@ +-INSTALL_OPTS=@INSTALL_OPTS@ +-COMMAND_OPTS=@COMMAND_OPTS@ + HTTPD_CONF=@HTTPD_CONF@ + INIT_DIR=@init_dir@ + INIT_OPTS=-o root -g root +@@ -234,12 +232,12 @@ + $(MAKE) install-basic + + install-basic: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(LIBEXECDIR) ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(LIBEXECDIR) + $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(LOGDIR) + $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(LOGDIR)/archives + $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CHECKRESULTDIR) + if [ $(INSTALLPERLSTUFF) = yes ]; then \ +- $(INSTALL) -m 664 $(INSTALL_OPTS) p1.pl $(DESTDIR)$(BINDIR); \ ++ $(INSTALL) -m 644 $(INSTALL_OPTS) p1.pl $(DESTDIR)$(BINDIR); \ + fi; + + @echo "" +@@ -261,19 +259,18 @@ + + + install-config: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR) +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR)/objects +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/nagios.cfg $(DESTDIR)$(CFGDIR)/nagios.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/cgi.cfg $(DESTDIR)$(CFGDIR)/cgi.cfg +- $(INSTALL) -b -m 660 $(INSTALL_OPTS) sample-config/resource.cfg $(DESTDIR)$(CFGDIR)/resource.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/templates.cfg $(DESTDIR)$(CFGDIR)/objects/templates.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/commands.cfg $(DESTDIR)$(CFGDIR)/objects/commands.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/contacts.cfg $(DESTDIR)$(CFGDIR)/objects/contacts.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/timeperiods.cfg $(DESTDIR)$(CFGDIR)/objects/timeperiods.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/localhost.cfg 
$(DESTDIR)$(CFGDIR)/objects/localhost.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/windows.cfg $(DESTDIR)$(CFGDIR)/objects/windows.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/printer.cfg $(DESTDIR)$(CFGDIR)/objects/printer.cfg +- $(INSTALL) -b -m 664 $(INSTALL_OPTS) sample-config/template-object/switch.cfg $(DESTDIR)$(CFGDIR)/objects/switch.cfg ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR) ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR)/objects ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/nagios.cfg $(DESTDIR)$(CFGDIR)/nagios.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/cgi.cfg $(DESTDIR)$(CFGDIR)/cgi.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/resource.cfg $(DESTDIR)$(CFGDIR)/resource.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/templates.cfg $(DESTDIR)$(CFGDIR)/objects/templates.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/commands.cfg $(DESTDIR)$(CFGDIR)/objects/commands.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/contacts.cfg $(DESTDIR)$(CFGDIR)/objects/contacts.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/timeperiods.cfg $(DESTDIR)$(CFGDIR)/objects/timeperiods.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/localhost.cfg $(DESTDIR)$(CFGDIR)/objects/localhost.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/printer.cfg $(DESTDIR)$(CFGDIR)/objects/printer.cfg-sample ++ $(INSTALL) -m 644 $(INSTALL_OPTS) sample-config/template-object/switch.cfg $(DESTDIR)$(CFGDIR)/objects/switch.cfg-sample + + @echo "" + @echo "*** Config files installed ***" +@@ -321,7 +318,6 @@ + + install-commandmode: + $(INSTALL) -m 775 $(COMMAND_OPTS) -d $(DESTDIR)$(LOGDIR)/rw +- chmod g+s $(DESTDIR)$(LOGDIR)/rw + + @echo "" + @echo "*** External command directory configured ***" 
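Review bot: The hunk deletes the `INSTALL_OPTS=@INSTALL_OPTS@` and `COMMAND_OPTS=@COMMAND_OPTS@` assignments but keeps every `$(INSTALL_OPTS)` and `$(COMMAND_OPTS)` reference in the install recipes, so they now expand to nothing; that works under both BSD and GNU make, but it is opaque and would trip `--warn-undefined-variables`, and the same leftover references appear in patch-base__Makefile.in, patch-cgi__Makefile.in, patch-contrib__Makefile.in and patch-html__Makefile.in. Separately, `install-commandmode` loses the `chmod g+s $(DESTDIR)$(LOGDIR)/rw` line while `$(INSTALL) -m 775 $(COMMAND_OPTS) -d $(DESTDIR)$(LOGDIR)/rw` stays, so the external-command directory is created group-writable with the build user's group and no setgid bit; the group ownership the web server needs in order to write commands there must then be set elsewhere, presumably by `@dir` entries in pkg-plist, which this chunk does not show. A preamble line in the patch naming where ownership and mode of `rw` are finalised (`# ownership/mode of $(LOGDIR)/rw is set by pkg-plist, not by install-commandmode`) would make the dropped chmod reviewable. The `install-config` target referenced by `INSTALL_TARGET` in the port Makefile begins inside this hunk, but the surrounding `install` targets that call it are outside it.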
diff --git a/net-mgmt/nagios/files/patch-base__Makefile.in b/net-mgmt/nagios/files/patch-base__Makefile.in new file mode 100644 index 0000000..88f1112 --- /dev/null +++ b/net-mgmt/nagios/files/patch-base__Makefile.in @@ -0,0 +1,24 @@ +--- ./base/Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./base/Makefile.in 2014-01-14 13:57:06.000000000 +0100 +@@ -39,8 +39,6 @@ + CGIDIR=@sbindir@ + HTMLDIR=@datarootdir@ + INSTALL=@INSTALL@ +-INSTALL_OPTS=@INSTALL_OPTS@ +-COMMAND_OPTS=@COMMAND_OPTS@ + STRIP=@STRIP@ + + CGIURL=@cgiurl@ +@@ -204,9 +202,9 @@ + $(MAKE) install-basic + + install-basic: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 774 $(INSTALL_OPTS) @nagios_name@ $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 774 $(INSTALL_OPTS) @nagiostats_name@ $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 $(INSTALL_OPTS) @nagios_name@ $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 $(INSTALL_OPTS) @nagiostats_name@ $(DESTDIR)$(BINDIR) + + strip-post-install: + $(STRIP) $(DESTDIR)$(BINDIR)/@nagios_name@ diff --git a/net-mgmt/nagios/files/patch-cgi__Makefile.in b/net-mgmt/nagios/files/patch-cgi__Makefile.in new file mode 100644 index 0000000..f431865 --- /dev/null +++ b/net-mgmt/nagios/files/patch-cgi__Makefile.in @@ -0,0 +1,23 @@ +--- ./cgi/Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./cgi/Makefile.in 2014-01-14 13:57:06.000000000 +0100 +@@ -18,8 +18,6 @@ + CGIDIR=@sbindir@ + HTMLDIR=@datarootdir@ + INSTALL=@INSTALL@ +-INSTALL_OPTS=@INSTALL_OPTS@ +-COMMAND_OPTS=@COMMAND_OPTS@ + STRIP=@STRIP@ + + CGIEXTRAS=@CGIEXTRAS@ +@@ -201,9 +199,9 @@ + $(MAKE) install-basic + + install-basic: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CGIDIR) ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(CGIDIR) + for file in *.cgi; do \ +- $(INSTALL) -m 775 $(INSTALL_OPTS) $$file $(DESTDIR)$(CGIDIR); \ ++ $(INSTALL) -m 755 $(INSTALL_OPTS) $$file $(DESTDIR)$(CGIDIR); \ + done + + strip-post-install: 
diff --git a/net-mgmt/nagios/files/patch-contrib__Makefile.in b/net-mgmt/nagios/files/patch-contrib__Makefile.in new file mode 100644 index 0000000..5a5cc61 --- /dev/null +++ b/net-mgmt/nagios/files/patch-contrib__Makefile.in @@ -0,0 +1,25 @@ +--- ./contrib/Makefile.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./contrib/Makefile.in 2014-01-14 13:57:06.000000000 +0100 +@@ -16,7 +16,6 @@ + # Generated automatically from configure script + SNPRINTF_O=@SNPRINTF_O@ + INSTALL=@INSTALL@ +-INSTALL_OPTS=@INSTALL_OPTS@ + + + prefix=@prefix@ +@@ -51,10 +50,10 @@ + devclean: distclean + + install: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CGIDIR) +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR) +- for f in $(CGIS); do $(INSTALL) -m 775 $(INSTALL_OPTS) $$f $(DESTDIR)$(CGIDIR); done +- for f in $(UTILS); do $(INSTALL) -m 775 $(INSTALL_OPTS) $$f $(DESTDIR)$(BINDIR); done ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(CGIDIR) ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR) ++ for f in $(CGIS); do $(INSTALL) -m 755 $(INSTALL_OPTS) $$f $(DESTDIR)$(CGIDIR); done ++ for f in $(UTILS); do $(INSTALL) -m 755 $(INSTALL_OPTS) $$f $(DESTDIR)$(BINDIR); done + + ############################################################################## + # rules and dependencies for actual target programs diff --git a/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866 b/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866 new file mode 100644 index 0000000..899807a --- /dev/null +++ b/net-mgmt/nagios/files/patch-d97e03f32741a7d851826b03ed73ff4c9612a866 
@@ -0,0 +1,175 @@ +commit d97e03f32741a7d851826b03ed73ff4c9612a866 +Author: Eric Stanley +Date: 2013-12-20 13:14:30 -0600 + + CGIs: Fixed minor vulnerability where a custom query could crash the CGI. + + Most CGIs previously incremented the input variable counter twice when + it encountered a long key value. This could cause the CGI to read past + the end of the list of CGI variables. This commit removes the second + increment, removing the possibility of reading past the end of the list + of CGI variables. + +diff --git ./cgi/avail.c ./cgi/avail.c +index 76afd86..64eaadc 100644 +--- ./cgi/avail.c ++++ ./cgi/avail.c +@@ -1096,7 +1096,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/cmd.c ./cgi/cmd.c +index fa6cf5a..50504eb 100644 +--- ./cgi/cmd.c ++++ ./cgi/cmd.c +@@ -311,7 +311,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/config.c ./cgi/config.c +index f061b0f..3360e70 100644 +--- ./cgi/config.c ++++ ./cgi/config.c +@@ -344,7 +344,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/extinfo.c ./cgi/extinfo.c +index 62a1b18..5113df4 100644 +--- ./cgi/extinfo.c ++++ ./cgi/extinfo.c +@@ -591,7 +591,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/histogram.c ./cgi/histogram.c +index 4616541..f6934d0 100644 +--- ./cgi/histogram.c ++++ ./cgi/histogram.c +@@ -1060,7 +1060,6 @@ 
int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/notifications.c ./cgi/notifications.c +index 8ba11c1..461ae84 100644 +--- ./cgi/notifications.c ++++ ./cgi/notifications.c +@@ -327,7 +327,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/outages.c ./cgi/outages.c +index 426ede6..cb58dee 100644 +--- ./cgi/outages.c ++++ ./cgi/outages.c +@@ -225,7 +225,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/status.c ./cgi/status.c +index 3253340..4ec1c92 100644 +--- ./cgi/status.c ++++ ./cgi/status.c +@@ -567,7 +567,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/statusmap.c ./cgi/statusmap.c +index ea48368..2580ae5 100644 +--- ./cgi/statusmap.c ++++ ./cgi/statusmap.c +@@ -400,7 +400,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/statuswml.c ./cgi/statuswml.c +index bd8cea2..d25abef 100644 +--- ./cgi/statuswml.c ++++ ./cgi/statuswml.c +@@ -226,8 +226,13 @@ int process_cgivars(void) { + + for(x = 0; variables[x] != NULL; x++) { + ++ /* do some basic length checking on the variable identifier to prevent buffer overflows */ ++ if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { ++ continue; ++ } ++ + /* we found the 
hostgroup argument */ +- if(!strcmp(variables[x], "hostgroup")) { ++ else if(!strcmp(variables[x], "hostgroup")) { + display_type = DISPLAY_HOSTGROUP; + x++; + if(variables[x] == NULL) { +diff --git ./cgi/summary.c ./cgi/summary.c +index 126ce5e..749a02c 100644 +--- ./cgi/summary.c ++++ ./cgi/summary.c +@@ -725,7 +725,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./cgi/trends.c ./cgi/trends.c +index b35c18e..895db01 100644 +--- ./cgi/trends.c ++++ ./cgi/trends.c +@@ -1263,7 +1263,6 @@ int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + +diff --git ./contrib/daemonchk.c ./contrib/daemonchk.c +index 78716e5..9bb6c4b 100644 +--- ./contrib/daemonchk.c ++++ ./contrib/daemonchk.c +@@ -174,7 +174,6 @@ static int process_cgivars(void) { + + /* do some basic length checking on the variable identifier to prevent buffer overflows */ + if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) { +- x++; + continue; + } + } diff --git a/net-mgmt/nagios/files/patch-html__Makefile.in b/net-mgmt/nagios/files/patch-html__Makefile.in new file mode 100644 index 0000000..53ef4d8 --- /dev/null +++ b/net-mgmt/nagios/files/patch-html__Makefile.in 
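Review bot: The backported commit touches the `process_cgivars` length check in avail, cmd, config, extinfo, histogram, notifications, outages, status, statusmap, statuswml, summary, trends and contrib/daemonchk, but not the sources behind history.cgi, showlog.cgi and tac.cgi, which pkg-plist installs alongside the others. If upstream left them out because they never had the extra `x++` in that branch, a one-line preamble above the `commit` header saying so would spare the next maintainer re-auditing them; if that is not known, it is worth checking before relying on this patch as the full fix. In the statuswml.c hunk the rewritten `else if(!strcmp(variables[x], "hostgroup"))` follows a block that ends in `continue;`, so the `else` is redundant; it is harmless and keeping the upstream text verbatim is defensible, but a reader may wonder whether a branch was lost. Each `process_cgivars` body begins and ends outside its hunk.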
@@ -0,0 +1,97 @@ +--- html/Makefile.in.orig 2013-08-30 17:46:14 UTC ++++ html/Makefile.in +@@ -10,8 +10,6 @@ BINDIR=@bindir@ + CGIDIR=@sbindir@ + HTMLDIR=@datadir@ + INSTALL=@INSTALL@ +-INSTALL_OPTS=@INSTALL_OPTS@ +-COMMAND_OPTS=@COMMAND_OPTS@ + + CP=@CP@ + +@@ -34,55 +32,55 @@ distclean: clean + devclean: distclean + + install: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR) +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/media +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/stylesheets +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/contexthelp +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/docs +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/docs/images +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/js +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/images +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/images/logos +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/includes +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/includes/rss +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/includes/rss/extlib +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/ssi +- $(INSTALL) -m 664 $(INSTALL_OPTS) robots.txt $(DESTDIR)$(HTMLDIR) +-# $(INSTALL) -m 664 $(INSTALL_OPTS) docs/robots.txt $(DESTDIR)$(HTMLDIR)/docs ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR) ++# $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/media ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/stylesheets ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/contexthelp ++# $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/docs ++# $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/docs/images ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/js ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/images ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d 
$(DESTDIR)$(HTMLDIR)/images/logos ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/includes ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/includes/rss ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/includes/rss/extlib ++ $(INSTALL) -m 755 $(INSTALL_OPTS) -d $(DESTDIR)$(HTMLDIR)/ssi ++ $(INSTALL) -m 644 $(INSTALL_OPTS) robots.txt $(DESTDIR)$(HTMLDIR) ++# $(INSTALL) -m 644 $(INSTALL_OPTS) docs/robots.txt $(DESTDIR)$(HTMLDIR)/docs + # Remove old HTML files (PHP files are used now) + rm -f $(DESTDIR)$(HTMLDIR)/index.html + rm -f $(DESTDIR)$(HTMLDIR)/main.html + rm -f $(DESTDIR)$(HTMLDIR)/side.html + for file in *.php; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR); done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR); done + # for file in media/*.wav; \ +-# do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/media; done ++# do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/media; done + for file in stylesheets/*.css; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/stylesheets; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/stylesheets; done + for file in contexthelp/*.html; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/contexthelp; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/contexthelp; done + for file in js/*.js; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/js; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/js; done + # for file in docs/*.html; \ +-# do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/docs; done ++# do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/docs; done + # for file in docs/images/*.*; \ +-# do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/docs/images; done ++# do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/docs/images; done 
+ for file in images/*.gif; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done + for file in images/*.jpg; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done + for file in images/*.png; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done + for file in images/*.ico; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images; done + for file in images/logos/*.*; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images/logos; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/images/logos; done + for file in includes/*.*; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/includes; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/includes; done + for file in includes/rss/*.*; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/includes/rss; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/includes/rss; done + for file in includes/rss/extlib/*.*; \ +- do $(INSTALL) -m 664 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/includes/rss/extlib; done ++ do $(INSTALL) -m 644 $(INSTALL_OPTS) $$file $(DESTDIR)$(HTMLDIR)/includes/rss/extlib; done + + install-unstripped: + $(MAKE) install diff --git a/net-mgmt/nagios/files/patch-html__index.php b/net-mgmt/nagios/files/patch-html__index.php new file mode 100644 index 0000000..aed2984 --- /dev/null +++ b/net-mgmt/nagios/files/patch-html__index.php 
@@ -0,0 +1,13 @@ +--- ./html/index.php.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./html/index.php 2014-01-14 13:57:06.000000000 +0100 +@@ -8,8 +8,9 @@ + + + Nagios® Core +
Version 3.5.1
+
August 30, 2013
+- + + + + +-
+- +-
+-
Warning: Automatic Update Checks are Disabled!
+-
Disabling update checks presents a possible security risk. Visit nagios.org to check for updates manually or enable update checks in your Nagios config file.
+-
+- +-
+-
A new version of Nagios Core is available!
+-
Visit nagios.org to download Nagios .
+-
+- +-
+- + + +
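Review bot: The HTML markup of this hunk did not survive rendering, but from the remaining text the removed lines are the two banners for "Automatic Update Checks are Disabled!" and "A new version of Nagios Core is available!", and the patch gives no reason. Dropping the first banner also removes the only in-UI cue that upstream's update check is off; since the port tracks versions through the ports tree this is presumably intentional, but a preamble line such as `Remove the upstream update-check banners; version tracking is done by the ports framework` would record that and make the patch safe to keep or drop on the next update.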
diff --git a/net-mgmt/nagios/files/patch-html_includes_rss_parse.inc b/net-mgmt/nagios/files/patch-html_includes_rss_parse.inc new file mode 100644 index 0000000..06215c2 --- /dev/null +++ b/net-mgmt/nagios/files/patch-html_includes_rss_parse.inc @@ -0,0 +1,11 @@ +--- html/includes/rss/rss_parse.inc.orig 2017-12-21 16:55:41.032397000 +0100 ++++ html/includes/rss/rss_parse.inc 2017-12-21 16:57:40.079068000 +0100 +@@ -150,7 +150,7 @@ + // check for a namespace, and split if found + $ns = false; + if ( strpos( $element, ':' ) ) { +- list($ns, $el) = split( ':', $element, 2); ++ list($ns, $el) = explode( ':', $element, 2); + } + if ( $ns and $ns != 'rdf' ) { + $this->current_namespace = $ns; diff --git a/net-mgmt/nagios/files/patch-include__locations.h.in b/net-mgmt/nagios/files/patch-include__locations.h.in new file mode 100644 index 0000000..048e909 --- /dev/null +++ b/net-mgmt/nagios/files/patch-include__locations.h.in @@ -0,0 +1,11 @@ +--- ./include/locations.h.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./include/locations.h.in 2014-01-14 13:57:06.000000000 +0100 +@@ -20,7 +20,7 @@ + + #define DEFAULT_TEMP_FILE "@localstatedir@/tempfile" + #define DEFAULT_TEMP_PATH "/tmp" +-#define DEFAULT_CHECK_RESULT_PATH "@localstatedir@/spool/checkresults" ++#define DEFAULT_CHECK_RESULT_PATH "@localstatedir@/checkresults" + #define DEFAULT_STATUS_FILE "@localstatedir@/status.dat" + #define DEFAULT_LOG_FILE "@localstatedir@/nagios.log" + #define DEFAULT_LOG_ARCHIVE_PATH "@localstatedir@/archives/" diff --git a/net-mgmt/nagios/files/patch-sample-config__cgi.cfg.in b/net-mgmt/nagios/files/patch-sample-config__cgi.cfg.in new file mode 100644 index 0000000..1e2bda2 --- /dev/null +++ b/net-mgmt/nagios/files/patch-sample-config__cgi.cfg.in 
@@ -0,0 +1,11 @@ +--- ./sample-config/cgi.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./sample-config/cgi.cfg.in 2014-01-14 13:57:06.000000000 +0100 +@@ -264,7 +264,7 @@ + # OS and distribution, so you may have to tweak this to + # work on your system. + +-ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$ ++ping_syntax=/sbin/ping -n -c 5 $HOSTADDRESS$ + + + diff --git a/net-mgmt/nagios/files/patch-sample-config__nagios.cfg.in b/net-mgmt/nagios/files/patch-sample-config__nagios.cfg.in new file mode 100644 index 0000000..fce7f00 --- /dev/null +++ b/net-mgmt/nagios/files/patch-sample-config__nagios.cfg.in @@ -0,0 +1,11 @@ +--- ./sample-config/nagios.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./sample-config/nagios.cfg.in 2014-01-14 13:57:06.000000000 +0100 +@@ -32,7 +32,7 @@ + cfg_file=@sysconfdir@/objects/timeperiods.cfg + cfg_file=@sysconfdir@/objects/templates.cfg + +-# Definitions for monitoring the local (Linux) host ++# Definitions for monitoring the local (FreeBSD) host + cfg_file=@sysconfdir@/objects/localhost.cfg + + # Definitions for monitoring a Windows machine diff --git a/net-mgmt/nagios/files/patch-sample-config__template-object__localhost.cfg.in b/net-mgmt/nagios/files/patch-sample-config__template-object__localhost.cfg.in new file mode 100644 index 0000000..7d70490 --- /dev/null +++ b/net-mgmt/nagios/files/patch-sample-config__template-object__localhost.cfg.in 
@@ -0,0 +1,40 @@ +--- ./sample-config/template-object/localhost.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./sample-config/template-object/localhost.cfg.in 2014-01-14 13:57:06.000000000 +0100 +@@ -5,7 +5,7 @@ + # + # NOTE: This config file is intended to serve as an *extremely* simple + # example of how you can create configuration entries to monitor +-# the local (Linux) machine. ++# the local (FreeBSD) machine. + # + ############################################################################### + +@@ -23,9 +23,9 @@ + # Define a host for the local machine + + define host{ +- use linux-server ; Name of host template to use ++ use freebsd-server ; Name of host template to use + ; This host definition will inherit all variables that are defined +- ; in (or inherited by) the linux-server host template definition. ++ ; in (or inherited by) the freebsd-server host template definition. + host_name localhost + alias localhost + address 127.0.0.1 +@@ -41,12 +41,12 @@ + ############################################################################### + ############################################################################### + +-# Define an optional hostgroup for Linux machines ++# Define an optional hostgroup for FreeBSD machines + + define hostgroup{ +- hostgroup_name linux-servers ; The name of the hostgroup +- alias Linux Servers ; Long name of the group +- members localhost ; Comma separated list of hosts that belong to this group ++ hostgroup_name freebsd-servers ; The name of the hostgroup ++ alias FreeBSD Servers ; Long name of the group ++ members localhost ; Comma separated list of hosts that belong to this group + } + + diff --git a/net-mgmt/nagios/files/patch-sample-config__template-object__templates.cfg.in b/net-mgmt/nagios/files/patch-sample-config__template-object__templates.cfg.in new file mode 100644 index 0000000..2408561 --- /dev/null +++ b/net-mgmt/nagios/files/patch-sample-config__template-object__templates.cfg.in 
@@ -0,0 +1,26 @@ +--- ./sample-config/template-object/templates.cfg.in.orig 2013-08-30 19:46:14.000000000 +0200 ++++ ./sample-config/template-object/templates.cfg.in 2014-01-14 13:57:06.000000000 +0100 +@@ -63,17 +63,17 @@ + } + + +-# Linux host definition template - This is NOT a real host, just a template! ++# FreeBSD host definition template - This is NOT a real host, just a template! + + define host{ +- name linux-server ; The name of this host template ++ name freebsd-server ; The name of this host template + use generic-host ; This template inherits other values from the generic-host template +- check_period 24x7 ; By default, Linux hosts are checked round the clock ++ check_period 24x7 ; By default, FreeBSD hosts are checked round the clock + check_interval 5 ; Actively check the host every 5 minutes + retry_interval 1 ; Schedule host check retries at 1 minute intervals +- max_check_attempts 10 ; Check each Linux host 10 times (max) +- check_command check-host-alive ; Default command to check Linux hosts +- notification_period workhours ; Linux admins hate to be woken up, so we only notify during the day ++ max_check_attempts 10 ; Check each FreeBSD host 10 times (max) ++ check_command check-host-alive ; Default command to check FreeBSD hosts ++ notification_period workhours ; FreeBSD admins hate to be woken up, so we only notify during the day + ; Note that the notification_period variable is being overridden from + ; the value that is inherited from the generic-host template! + notification_interval 120 ; Resend notifications every 2 hours diff --git a/net-mgmt/nagios/files/pkg-message.in b/net-mgmt/nagios/files/pkg-message.in new file mode 100644 index 0000000..7592622 --- /dev/null +++ b/net-mgmt/nagios/files/pkg-message.in 
@@ -0,0 +1,34 @@ +[ +{ +message: < + Order deny,allow + Deny from all + Allow from 127.0.0.1 + php_flag engine on + php_admin_value open_basedir %%PREFIX%%/%%NAGIOSWWWDIR%%/:%%NAGIOSDIR%%/ + + + + Options ExecCGI + + + ScriptAlias %%NAGIOSCGIURL%%/ %%PREFIX%%/%%NAGIOSWWWDIR%%/cgi-bin/ + Alias %%NAGIOSHTMURL%%/ %%PREFIX%%/%%NAGIOSWWWDIR%%/ +EOT +type: install +} +] diff --git a/net-mgmt/nagios/pkg-descr b/net-mgmt/nagios/pkg-descr new file mode 100644 index 0000000..cd8eefb --- /dev/null +++ b/net-mgmt/nagios/pkg-descr @@ -0,0 +1,8 @@ +Nagios is a host and service monitor designed to inform you of network +problems before your clients, end-users or managers do. The monitoring +daemon runs intermittent checks on hosts and services you specify +using external "plugins" which return status information to Nagios. +When problems are encountered, the daemon can send notifications out +to administrative contacts in a variety of different ways (email, +instant message, SMS, etc.). Current status information, historical +logs, and reports can all be accessed via a web browser. diff --git a/net-mgmt/nagios/pkg-plist b/net-mgmt/nagios/pkg-plist new file mode 100644 index 0000000..8d631a1 --- /dev/null +++ b/net-mgmt/nagios/pkg-plist 
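Review bot: The httpd snippet in the install message restricts the UI only by source address (`Deny from all` / `Allow from 127.0.0.1`) and grants `Options ExecCGI`, but shows no `AuthType`/`AuthUserFile`/`Require valid-user` block, even though the CGIs it exposes (`cmd.cgi` is in the plist) act on the authenticated `REMOTE_USER` that Nagios's cgi.cfg authorization is keyed on. An administrator who widens the allow-list to reach the UI from another host then gets an unauthenticated command interface unless the message also tells them to add authentication; the heredoc marker and the container tags seem to have been stripped in this rendering, so some of the text may be missing here. `Order`/`Deny`/`Allow` are also Apache 2.2 directives that need mod_access_compat on 2.4. Suggest a sentence after the snippet such as `Protect the CGI directory with an AuthType/Require block (Require ip on Apache 2.4) before exposing it beyond localhost; cmd.cgi trusts the authenticated user name.` The `php_admin_value open_basedir` line is a good inclusion and should stay.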
@@ -0,0 +1,383 @@
+bin/nagios
+bin/nagiostats
+%%EMBEDDED_PERL%%bin/p1.pl
+etc/nagios/cgi.cfg-sample
+etc/nagios/nagios.cfg-sample
+etc/nagios/objects/commands.cfg-sample
+etc/nagios/objects/contacts.cfg-sample
+etc/nagios/objects/localhost.cfg-sample
+etc/nagios/objects/printer.cfg-sample
+etc/nagios/objects/switch.cfg-sample
+etc/nagios/objects/templates.cfg-sample
+etc/nagios/objects/timeperiods.cfg-sample
+etc/nagios/resource.cfg-sample
+%%NAGIOSWWWDIR%%/cgi-bin/avail.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/cmd.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/config.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/extinfo.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/histogram.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/history.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/notifications.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/outages.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/showlog.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/status.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/statusmap.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/statuswml.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/summary.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/tac.cgi
+%%NAGIOSWWWDIR%%/cgi-bin/trends.cgi
+@sample %%NAGIOSWWWDIR%%/config.inc.php.sample
+%%NAGIOSWWWDIR%%/contexthelp/A1.html
+%%NAGIOSWWWDIR%%/contexthelp/A2.html
+%%NAGIOSWWWDIR%%/contexthelp/A3.html
+%%NAGIOSWWWDIR%%/contexthelp/A4.html
+%%NAGIOSWWWDIR%%/contexthelp/A5.html
+%%NAGIOSWWWDIR%%/contexthelp/A6.html
+%%NAGIOSWWWDIR%%/contexthelp/A7.html
+%%NAGIOSWWWDIR%%/contexthelp/B1.html
+%%NAGIOSWWWDIR%%/contexthelp/C1.html
+%%NAGIOSWWWDIR%%/contexthelp/D1.html
+%%NAGIOSWWWDIR%%/contexthelp/E1.html
+%%NAGIOSWWWDIR%%/contexthelp/F1.html
+%%NAGIOSWWWDIR%%/contexthelp/G1.html
+%%NAGIOSWWWDIR%%/contexthelp/G2.html
+%%NAGIOSWWWDIR%%/contexthelp/G3.html
+%%NAGIOSWWWDIR%%/contexthelp/G4.html
+%%NAGIOSWWWDIR%%/contexthelp/G5.html
+%%NAGIOSWWWDIR%%/contexthelp/G6.html
+%%NAGIOSWWWDIR%%/contexthelp/H1.html
+%%NAGIOSWWWDIR%%/contexthelp/H2.html
+%%NAGIOSWWWDIR%%/contexthelp/H3.html
+%%NAGIOSWWWDIR%%/contexthelp/H4.html
+%%NAGIOSWWWDIR%%/contexthelp/H5.html
+%%NAGIOSWWWDIR%%/contexthelp/H6.html
+%%NAGIOSWWWDIR%%/contexthelp/H7.html
+%%NAGIOSWWWDIR%%/contexthelp/H8.html
+%%NAGIOSWWWDIR%%/contexthelp/I1.html
+%%NAGIOSWWWDIR%%/contexthelp/I2.html
+%%NAGIOSWWWDIR%%/contexthelp/I3.html
+%%NAGIOSWWWDIR%%/contexthelp/I4.html
+%%NAGIOSWWWDIR%%/contexthelp/I5.html
+%%NAGIOSWWWDIR%%/contexthelp/I6.html
+%%NAGIOSWWWDIR%%/contexthelp/I7.html
+%%NAGIOSWWWDIR%%/contexthelp/I8.html
+%%NAGIOSWWWDIR%%/contexthelp/I9.html
+%%NAGIOSWWWDIR%%/contexthelp/J1.html
+%%NAGIOSWWWDIR%%/contexthelp/K1.html
+%%NAGIOSWWWDIR%%/contexthelp/L1.html
+%%NAGIOSWWWDIR%%/contexthelp/L10.html
+%%NAGIOSWWWDIR%%/contexthelp/L11.html
+%%NAGIOSWWWDIR%%/contexthelp/L12.html
+%%NAGIOSWWWDIR%%/contexthelp/L13.html
+%%NAGIOSWWWDIR%%/contexthelp/L2.html
+%%NAGIOSWWWDIR%%/contexthelp/L3.html
+%%NAGIOSWWWDIR%%/contexthelp/L4.html
+%%NAGIOSWWWDIR%%/contexthelp/L5.html
+%%NAGIOSWWWDIR%%/contexthelp/L6.html
+%%NAGIOSWWWDIR%%/contexthelp/L7.html
+%%NAGIOSWWWDIR%%/contexthelp/L8.html
+%%NAGIOSWWWDIR%%/contexthelp/L9.html
+%%NAGIOSWWWDIR%%/contexthelp/M1.html
+%%NAGIOSWWWDIR%%/contexthelp/M2.html
+%%NAGIOSWWWDIR%%/contexthelp/M3.html
+%%NAGIOSWWWDIR%%/contexthelp/M4.html
+%%NAGIOSWWWDIR%%/contexthelp/M5.html
+%%NAGIOSWWWDIR%%/contexthelp/M6.html
+%%NAGIOSWWWDIR%%/contexthelp/N1.html
+%%NAGIOSWWWDIR%%/contexthelp/N2.html
+%%NAGIOSWWWDIR%%/contexthelp/N3.html
+%%NAGIOSWWWDIR%%/contexthelp/N4.html
+%%NAGIOSWWWDIR%%/contexthelp/N5.html
+%%NAGIOSWWWDIR%%/contexthelp/N6.html
+%%NAGIOSWWWDIR%%/contexthelp/N7.html
+%%NAGIOSWWWDIR%%/images/Nagios-clearbg.png
+%%NAGIOSWWWDIR%%/images/NagiosEnterprises-whitebg-112x46.png
+%%NAGIOSWWWDIR%%/images/ack.gif
+%%NAGIOSWWWDIR%%/images/action-graph.gif
+%%NAGIOSWWWDIR%%/images/action-nagios.gif
+%%NAGIOSWWWDIR%%/images/action-orig.gif
+%%NAGIOSWWWDIR%%/images/action.gif
+%%NAGIOSWWWDIR%%/images/b_first2.png
+%%NAGIOSWWWDIR%%/images/b_last2.png
+%%NAGIOSWWWDIR%%/images/b_next2.png
+%%NAGIOSWWWDIR%%/images/b_prev2.png
+%%NAGIOSWWWDIR%%/images/command.png
+%%NAGIOSWWWDIR%%/images/comment.gif
+%%NAGIOSWWWDIR%%/images/contexthelp1.gif
+%%NAGIOSWWWDIR%%/images/contexthelp2.gif
+%%NAGIOSWWWDIR%%/images/critical.png
+%%NAGIOSWWWDIR%%/images/delay.gif
+%%NAGIOSWWWDIR%%/images/delete.gif
+%%NAGIOSWWWDIR%%/images/detail.gif
+%%NAGIOSWWWDIR%%/images/disabled.gif
+%%NAGIOSWWWDIR%%/images/down.gif
+%%NAGIOSWWWDIR%%/images/downtime.gif
+%%NAGIOSWWWDIR%%/images/empty.gif
+%%NAGIOSWWWDIR%%/images/enabled.gif
+%%NAGIOSWWWDIR%%/images/extinfo.gif
+%%NAGIOSWWWDIR%%/images/favicon.ico
+%%NAGIOSWWWDIR%%/images/flapping.gif
+%%NAGIOSWWWDIR%%/images/globe-support-150x150.png
+%%NAGIOSWWWDIR%%/images/graph.gif
+%%NAGIOSWWWDIR%%/images/greendot.gif
+%%NAGIOSWWWDIR%%/images/histogram.png
+%%NAGIOSWWWDIR%%/images/history.gif
+%%NAGIOSWWWDIR%%/images/hostevent.gif
+%%NAGIOSWWWDIR%%/images/info.png
+%%NAGIOSWWWDIR%%/images/left.gif
+%%NAGIOSWWWDIR%%/images/logofullsize.png
+%%NAGIOSWWWDIR%%/images/logos/aix.gd2
+%%NAGIOSWWWDIR%%/images/logos/aix.gif
+%%NAGIOSWWWDIR%%/images/logos/aix.jpg
+%%NAGIOSWWWDIR%%/images/logos/aix.png
+%%NAGIOSWWWDIR%%/images/logos/amiga.gd2
+%%NAGIOSWWWDIR%%/images/logos/amiga.gif
+%%NAGIOSWWWDIR%%/images/logos/amiga.jpg
+%%NAGIOSWWWDIR%%/images/logos/amiga.png
+%%NAGIOSWWWDIR%%/images/logos/apple.gd2
+%%NAGIOSWWWDIR%%/images/logos/apple.gif
+%%NAGIOSWWWDIR%%/images/logos/apple.jpg
+%%NAGIOSWWWDIR%%/images/logos/apple.png
+%%NAGIOSWWWDIR%%/images/logos/beos.gd2
+%%NAGIOSWWWDIR%%/images/logos/beos.gif
+%%NAGIOSWWWDIR%%/images/logos/beos.jpg
+%%NAGIOSWWWDIR%%/images/logos/beos.png
+%%NAGIOSWWWDIR%%/images/logos/bluetooth.png
+%%NAGIOSWWWDIR%%/images/logos/caldera.gd2
+%%NAGIOSWWWDIR%%/images/logos/caldera.gif
+%%NAGIOSWWWDIR%%/images/logos/caldera.jpg
+%%NAGIOSWWWDIR%%/images/logos/caldera.png
+%%NAGIOSWWWDIR%%/images/logos/cat1900.gd2
+%%NAGIOSWWWDIR%%/images/logos/cat2900.gd2
+%%NAGIOSWWWDIR%%/images/logos/cat5000.gd2
+%%NAGIOSWWWDIR%%/images/logos/database.gd2
+%%NAGIOSWWWDIR%%/images/logos/database.gif
+%%NAGIOSWWWDIR%%/images/logos/debian.gd2
+%%NAGIOSWWWDIR%%/images/logos/debian.gif
+%%NAGIOSWWWDIR%%/images/logos/debian.jpg
+%%NAGIOSWWWDIR%%/images/logos/debian.png
+%%NAGIOSWWWDIR%%/images/logos/desktop-server.gd2
+%%NAGIOSWWWDIR%%/images/logos/desktop-server.gif
+%%NAGIOSWWWDIR%%/images/logos/ethernet_card.png
+%%NAGIOSWWWDIR%%/images/logos/fax.gd2
+%%NAGIOSWWWDIR%%/images/logos/fax.gif
+%%NAGIOSWWWDIR%%/images/logos/firewall.gd2
+%%NAGIOSWWWDIR%%/images/logos/firewall.gif
+%%NAGIOSWWWDIR%%/images/logos/freebsd40.gd2
+%%NAGIOSWWWDIR%%/images/logos/freebsd40.gif
+%%NAGIOSWWWDIR%%/images/logos/freebsd40.jpg
+%%NAGIOSWWWDIR%%/images/logos/freebsd40.png
+%%NAGIOSWWWDIR%%/images/logos/globe.png
+%%NAGIOSWWWDIR%%/images/logos/graph.gif
+%%NAGIOSWWWDIR%%/images/logos/hp-printer40.gd2
+%%NAGIOSWWWDIR%%/images/logos/hp-printer40.gif
+%%NAGIOSWWWDIR%%/images/logos/hp-printer40.jpg
+%%NAGIOSWWWDIR%%/images/logos/hp-printer40.png
+%%NAGIOSWWWDIR%%/images/logos/hpux.gd2
+%%NAGIOSWWWDIR%%/images/logos/hpux.gif
+%%NAGIOSWWWDIR%%/images/logos/hpux.jpg
+%%NAGIOSWWWDIR%%/images/logos/hpux.png
+%%NAGIOSWWWDIR%%/images/logos/hub.gd2
+%%NAGIOSWWWDIR%%/images/logos/hub.gif
+%%NAGIOSWWWDIR%%/images/logos/internet.gd2
+%%NAGIOSWWWDIR%%/images/logos/internet.gif
+%%NAGIOSWWWDIR%%/images/logos/internet_device.png
+%%NAGIOSWWWDIR%%/images/logos/ip-pbx.gd2
+%%NAGIOSWWWDIR%%/images/logos/ip-pbx.gif
+%%NAGIOSWWWDIR%%/images/logos/irix.gd2
+%%NAGIOSWWWDIR%%/images/logos/irix.gif
+%%NAGIOSWWWDIR%%/images/logos/irix.jpg
+%%NAGIOSWWWDIR%%/images/logos/irix.png
+%%NAGIOSWWWDIR%%/images/logos/linux40.gd2
+%%NAGIOSWWWDIR%%/images/logos/linux40.gif
+%%NAGIOSWWWDIR%%/images/logos/linux40.jpg
+%%NAGIOSWWWDIR%%/images/logos/linux40.png
+%%NAGIOSWWWDIR%%/images/logos/logo.gd2
+%%NAGIOSWWWDIR%%/images/logos/mac40.gd2
+%%NAGIOSWWWDIR%%/images/logos/mac40.gif
+%%NAGIOSWWWDIR%%/images/logos/mac40.jpg
+%%NAGIOSWWWDIR%%/images/logos/mac40.png
+%%NAGIOSWWWDIR%%/images/logos/mainframe.gd2
+%%NAGIOSWWWDIR%%/images/logos/mainframe.gif
+%%NAGIOSWWWDIR%%/images/logos/mandrake.gd2
+%%NAGIOSWWWDIR%%/images/logos/mandrake.gif
+%%NAGIOSWWWDIR%%/images/logos/mandrake.jpg
+%%NAGIOSWWWDIR%%/images/logos/mandrake.png
+%%NAGIOSWWWDIR%%/images/logos/monitor.png
+%%NAGIOSWWWDIR%%/images/logos/nagios.gd2
+%%NAGIOSWWWDIR%%/images/logos/nagios.gif
+%%NAGIOSWWWDIR%%/images/logos/nagiosvrml.png
+%%NAGIOSWWWDIR%%/images/logos/next.gd2
+%%NAGIOSWWWDIR%%/images/logos/next.gif
+%%NAGIOSWWWDIR%%/images/logos/next.jpg
+%%NAGIOSWWWDIR%%/images/logos/next.png
+%%NAGIOSWWWDIR%%/images/logos/ng-switch40.gd2
+%%NAGIOSWWWDIR%%/images/logos/ng-switch40.gif
+%%NAGIOSWWWDIR%%/images/logos/ng-switch40.jpg
+%%NAGIOSWWWDIR%%/images/logos/ng-switch40.png
+%%NAGIOSWWWDIR%%/images/logos/notebook.gd2
+%%NAGIOSWWWDIR%%/images/logos/notebook.gif
+%%NAGIOSWWWDIR%%/images/logos/novell40.gd2
+%%NAGIOSWWWDIR%%/images/logos/novell40.gif
+%%NAGIOSWWWDIR%%/images/logos/novell40.jpg
+%%NAGIOSWWWDIR%%/images/logos/novell40.png
+%%NAGIOSWWWDIR%%/images/logos/openbsd.gd2
+%%NAGIOSWWWDIR%%/images/logos/openbsd.gif
+%%NAGIOSWWWDIR%%/images/logos/openbsd.jpg
+%%NAGIOSWWWDIR%%/images/logos/openbsd.png
+%%NAGIOSWWWDIR%%/images/logos/printer.gd2
+%%NAGIOSWWWDIR%%/images/logos/printer.gif
+%%NAGIOSWWWDIR%%/images/logos/rack-server.gd2
+%%NAGIOSWWWDIR%%/images/logos/rack-server.gif
+%%NAGIOSWWWDIR%%/images/logos/redhat.gd2
+%%NAGIOSWWWDIR%%/images/logos/redhat.gif
+%%NAGIOSWWWDIR%%/images/logos/redhat.jpg
+%%NAGIOSWWWDIR%%/images/logos/redhat.png
+%%NAGIOSWWWDIR%%/images/logos/router.gd2
+%%NAGIOSWWWDIR%%/images/logos/router.gif
+%%NAGIOSWWWDIR%%/images/logos/router40.gd2
+%%NAGIOSWWWDIR%%/images/logos/router40.gif
+%%NAGIOSWWWDIR%%/images/logos/router40.jpg
+%%NAGIOSWWWDIR%%/images/logos/router40.png
+%%NAGIOSWWWDIR%%/images/logos/san.gd2
+%%NAGIOSWWWDIR%%/images/logos/san.gif
+%%NAGIOSWWWDIR%%/images/logos/satellite.png
+%%NAGIOSWWWDIR%%/images/logos/server.png
+%%NAGIOSWWWDIR%%/images/logos/signal.png
+%%NAGIOSWWWDIR%%/images/logos/slackware.gd2
+%%NAGIOSWWWDIR%%/images/logos/slackware.gif
+%%NAGIOSWWWDIR%%/images/logos/slackware.jpg
+%%NAGIOSWWWDIR%%/images/logos/slackware.png
+%%NAGIOSWWWDIR%%/images/logos/stampede.gd2
+%%NAGIOSWWWDIR%%/images/logos/stampede.gif
+%%NAGIOSWWWDIR%%/images/logos/stampede.jpg
+%%NAGIOSWWWDIR%%/images/logos/stampede.png
+%%NAGIOSWWWDIR%%/images/logos/station.gd2
+%%NAGIOSWWWDIR%%/images/logos/storm.gd2
+%%NAGIOSWWWDIR%%/images/logos/storm.gif
+%%NAGIOSWWWDIR%%/images/logos/storm.jpg
+%%NAGIOSWWWDIR%%/images/logos/storm.png
+%%NAGIOSWWWDIR%%/images/logos/sun40.gd2
+%%NAGIOSWWWDIR%%/images/logos/sun40.gif
+%%NAGIOSWWWDIR%%/images/logos/sun40.jpg
+%%NAGIOSWWWDIR%%/images/logos/sun40.png
+%%NAGIOSWWWDIR%%/images/logos/sunlogo.gd2
+%%NAGIOSWWWDIR%%/images/logos/sunlogo.gif
+%%NAGIOSWWWDIR%%/images/logos/sunlogo.jpg
+%%NAGIOSWWWDIR%%/images/logos/sunlogo.png
+%%NAGIOSWWWDIR%%/images/logos/switch.gd2
+%%NAGIOSWWWDIR%%/images/logos/switch.gif
+%%NAGIOSWWWDIR%%/images/logos/switch40.gd2
+%%NAGIOSWWWDIR%%/images/logos/switch40.gif
+%%NAGIOSWWWDIR%%/images/logos/switch40.jpg
+%%NAGIOSWWWDIR%%/images/logos/switch40.png
+%%NAGIOSWWWDIR%%/images/logos/thin-client.gd2
+%%NAGIOSWWWDIR%%/images/logos/thin-client.gif
+%%NAGIOSWWWDIR%%/images/logos/turbolinux.gd2
+%%NAGIOSWWWDIR%%/images/logos/turbolinux.gif
+%%NAGIOSWWWDIR%%/images/logos/turbolinux.jpg
+%%NAGIOSWWWDIR%%/images/logos/turbolinux.png
+%%NAGIOSWWWDIR%%/images/logos/ultrapenguin.gd2
+%%NAGIOSWWWDIR%%/images/logos/ultrapenguin.gif
+%%NAGIOSWWWDIR%%/images/logos/ultrapenguin.jpg
+%%NAGIOSWWWDIR%%/images/logos/ultrapenguin.png
+%%NAGIOSWWWDIR%%/images/logos/unicos.gd2
+%%NAGIOSWWWDIR%%/images/logos/unicos.gif
+%%NAGIOSWWWDIR%%/images/logos/unicos.jpg
+%%NAGIOSWWWDIR%%/images/logos/unicos.png
+%%NAGIOSWWWDIR%%/images/logos/unknown.gd2
+%%NAGIOSWWWDIR%%/images/logos/unknown.gif
+%%NAGIOSWWWDIR%%/images/logos/webcamera.png
+%%NAGIOSWWWDIR%%/images/logos/wifi.gd2
+%%NAGIOSWWWDIR%%/images/logos/wifi.gif
+%%NAGIOSWWWDIR%%/images/logos/wifi_modem.png
+%%NAGIOSWWWDIR%%/images/logos/win40.gd2
+%%NAGIOSWWWDIR%%/images/logos/win40.gif
+%%NAGIOSWWWDIR%%/images/logos/win40.jpg
+%%NAGIOSWWWDIR%%/images/logos/win40.png
+%%NAGIOSWWWDIR%%/images/logos/workstation.gd2
+%%NAGIOSWWWDIR%%/images/logos/workstation.gif
+%%NAGIOSWWWDIR%%/images/logos/workstation.png
+%%NAGIOSWWWDIR%%/images/logos/workstation_locked.png
+%%NAGIOSWWWDIR%%/images/logos/yellowdog.gd2
+%%NAGIOSWWWDIR%%/images/logos/yellowdog.gif
+%%NAGIOSWWWDIR%%/images/logos/yellowdog.jpg
+%%NAGIOSWWWDIR%%/images/logos/yellowdog.png
+%%NAGIOSWWWDIR%%/images/logrotate.png
+%%NAGIOSWWWDIR%%/images/ndisabled.gif
+%%NAGIOSWWWDIR%%/images/noack.gif
+%%NAGIOSWWWDIR%%/images/notes.gif
+%%NAGIOSWWWDIR%%/images/notify.gif
+%%NAGIOSWWWDIR%%/images/orangedot.gif
+%%NAGIOSWWWDIR%%/images/passiveonly.gif
+%%NAGIOSWWWDIR%%/images/recovery.png
+%%NAGIOSWWWDIR%%/images/redudancy.png
+%%NAGIOSWWWDIR%%/images/redundancy.png
+%%NAGIOSWWWDIR%%/images/restart.gif
+%%NAGIOSWWWDIR%%/images/right.gif
+%%NAGIOSWWWDIR%%/images/sblogo.png
+%%NAGIOSWWWDIR%%/images/serviceevent.gif
+%%NAGIOSWWWDIR%%/images/sflogo.png
+%%NAGIOSWWWDIR%%/images/splunk1.gif
+%%NAGIOSWWWDIR%%/images/splunk2.gif
+%%NAGIOSWWWDIR%%/images/start.gif
+%%NAGIOSWWWDIR%%/images/status.gif
+%%NAGIOSWWWDIR%%/images/status2.gif
+%%NAGIOSWWWDIR%%/images/status3.gif
+%%NAGIOSWWWDIR%%/images/status4.gif
+%%NAGIOSWWWDIR%%/images/stop.gif
+%%NAGIOSWWWDIR%%/images/tacdisabled.jpg
+%%NAGIOSWWWDIR%%/images/tacdisabled.png
+%%NAGIOSWWWDIR%%/images/tacenabled.jpg
+%%NAGIOSWWWDIR%%/images/tacenabled.png
+%%NAGIOSWWWDIR%%/images/thermcrit.png
+%%NAGIOSWWWDIR%%/images/thermok.png
+%%NAGIOSWWWDIR%%/images/thermwarn.png
+%%NAGIOSWWWDIR%%/images/trends.gif
+%%NAGIOSWWWDIR%%/images/trendshost.png
+%%NAGIOSWWWDIR%%/images/trendssvc.png
+%%NAGIOSWWWDIR%%/images/unknown.png
+%%NAGIOSWWWDIR%%/images/up.gif
+%%NAGIOSWWWDIR%%/images/warning.png
+%%NAGIOSWWWDIR%%/images/weblogo1.png
+%%NAGIOSWWWDIR%%/images/zoom1.gif
+%%NAGIOSWWWDIR%%/images/zoom2.gif
+%%NAGIOSWWWDIR%%/includes/rss/extlib/Snoopy.class.inc
+%%NAGIOSWWWDIR%%/includes/rss/rss_cache.inc
+%%NAGIOSWWWDIR%%/includes/rss/rss_fetch.inc
+%%NAGIOSWWWDIR%%/includes/rss/rss_parse.inc
+%%NAGIOSWWWDIR%%/includes/rss/rss_utils.inc
+%%NAGIOSWWWDIR%%/includes/jquery-1.7.1.min.js
+%%NAGIOSWWWDIR%%/includes/utils.inc.php
+%%NAGIOSWWWDIR%%/index.php
+%%NAGIOSWWWDIR%%/js/jquery-1.7.1.min.js
+%%NAGIOSWWWDIR%%/main.php
+%%NAGIOSWWWDIR%%/robots.txt
+%%NAGIOSWWWDIR%%/rss-corefeed.php
+%%NAGIOSWWWDIR%%/rss-newsfeed.php
+%%NAGIOSWWWDIR%%/side.php
+%%NAGIOSWWWDIR%%/stylesheets/avail.css
+%%NAGIOSWWWDIR%%/stylesheets/checksanity.css
+%%NAGIOSWWWDIR%%/stylesheets/cmd.css
+%%NAGIOSWWWDIR%%/stylesheets/common.css
+%%NAGIOSWWWDIR%%/stylesheets/config.css
+%%NAGIOSWWWDIR%%/stylesheets/extinfo.css
+%%NAGIOSWWWDIR%%/stylesheets/histogram.css
+%%NAGIOSWWWDIR%%/stylesheets/history.css
+%%NAGIOSWWWDIR%%/stylesheets/ministatus.css
+%%NAGIOSWWWDIR%%/stylesheets/notifications.css
+%%NAGIOSWWWDIR%%/stylesheets/outages.css
+%%NAGIOSWWWDIR%%/stylesheets/showlog.css
+%%NAGIOSWWWDIR%%/stylesheets/status.css
+%%NAGIOSWWWDIR%%/stylesheets/statusmap.css
+%%NAGIOSWWWDIR%%/stylesheets/summary.css
+%%NAGIOSWWWDIR%%/stylesheets/tac.css
+%%NAGIOSWWWDIR%%/stylesheets/trends.css
+@dir libexec/nagios
+@dir %%NAGIOSWWWDIR%%/ssi
+@dir(%%NAGIOSUSER%%,%%NAGIOSGROUP%%,775) %%NAGIOSDIR%%/archives
+@dir(%%NAGIOSUSER%%,%%NAGIOSGROUP%%,775) %%NAGIOSDIR%%/checkresults
+@dir(%%NAGIOSUSER%%,%%WWWGRP%%,775) %%NAGIOSDIR%%/rw
+@dir(%%NAGIOSUSER%%,%%NAGIOSGROUP%%,775) %%NAGIOSDIR%%
+@postunexec if [ -d %%NAGIOSDIR%% ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf %%NAGIOSDIR%%`` to remove any files left behind."; fi
+@postunexec if [ -d %%ETCDIR%% ]; then echo "==> If you are permanently removing this port, you should do a ``rm -rf %%ETCDIR%%`` to remove any configuration files."; fi
diff --git a/net-mgmt/nrpe/Makefile b/net-mgmt/nrpe/Makefile
new file mode 100644
index 0000000..24fcfe8
--- /dev/null
+++ b/net-mgmt/nrpe/Makefile
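Review bot: The plist ships `jquery-1.7.1.min.js` twice (`includes/` and `js/`), a jQuery release that predates the 1.9 and 3.x lines in which several published selector and HTML-handling XSS issues were fixed; how far the Nagios UI is exposed depends on how `side.php`/`main.php` use it, which this diff does not show. `includes/rss/extlib/Snoopy.class.inc` is a similarly old bundled HTTP client. The plist cannot fix either, but the port should make the bundled third-party code visible for the next update, e.g. a `@comment bundled third-party JS/PHP (jQuery 1.7.1, Snoopy): audit on upgrade` line next to those entries. The `@dir(%%NAGIOSUSER%%,%%WWWGRP%%,775) %%NAGIOSDIR%%/rw` entry sensibly limits write access to the command directory to the nagios user and the web group rather than falling back to a world-writable mode.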
@@ -0,0 +1,72 @@
+PORTNAME= nrpe
+DISTVERSION= 4.1.1
+DISTVERSIONPREFIX= nrpe-
+CATEGORIES= net-mgmt
+
+MAINTAINER= bofh@FreeBSD.org
+COMMENT?= Nagios Remote Plugin Executor
+WWW= https://www.nagios.org/
+
+LICENSE= GPLv2+
+LICENSE_FILE= ${WRKSRC}/LICENSE.md
+
+USES= perl5
+USE_GITHUB= yes
+GH_ACCOUNT= NagiosEnterprises
+USE_PERL5= build
+USE_RC_SUBR= nrpe
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+=--bindir=${PREFIX}/sbin \
+ --libexecdir=${PREFIX}/libexec/nagios \
+ --sysconfdir=${PREFIX}/etc \
+ --with-inetd-type=inetd \
+ --with-nrpe-user=${NAGIOSUSER} \
+ --with-nrpe-group=${NAGIOSGROUP} \
+ --with-piddir=${NRPE_PIDDIR}
+
+SUB_FILES= pkg-message
+SUB_LIST+= PIDDIR=${NRPE_PIDDIR}
+
+USERS= ${NAGIOSUSER}
+GROUPS= ${NAGIOSGROUP}
+
+PLIST_SUB= NAGIOSUSER=${NAGIOSUSER} \
+ NAGIOSGROUP=${NAGIOSGROUP} \
+ NRPE_PIDDIR=${NRPE_PIDDIR}
+
+OPTIONS_DEFINE= SSL ARGS
+OPTIONS_DEFAULT=NAGPLUGINS SSL
+OPTIONS_RADIO= PLUGINS
+OPTIONS_RADIO_PLUGINS= MONPLUGINS NAGPLUGINS
+
+ARGS_DESC= Enable command argument processing
+MONPLUGINS_DESC=Use net-mgmt/monitoring-plugins
+NAGPLUGINS_DESC=Use net-mgmt/nagios-plugins
+
+ARGS_CONFIGURE_ENABLE= command-args
+MONPLUGINS_RUN_DEPENDS= ${LOCALBASE}/libexec/nagios/check_nagios:net-mgmt/monitoring-plugins
+NAGPLUGINS_RUN_DEPENDS= ${LOCALBASE}/libexec/nagios/check_nagios:net-mgmt/nagios-plugins
+SSL_USES= ssl
+SSL_CONFIGURE_ENABLE= ssl
+SSL_CONFIGURE_WITH= ssl=${OPENSSLBASE} ssl-inc=${OPENSSLINC} ssl-lib=${OPENSSLLIB}
+SSL_CFLAGS= -I${OPENSSLINC}
+
+NAGIOSUSER?= nagios
+NAGIOSGROUP?= nagios
+
+NRPE_PIDDIR?= /var/run/nrpe
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|/var/run/nrpe.pid|${NRPE_PIDDIR}/nrpe.pid|g' \
+ -e 's|/usr/lib/nagios/plugins/|${LOCALBASE}/libexec/nagios/|g' \
+ -e 's|/usr/bin/sudo|${LOCALBASE}/bin/sudo|g' \
+ ${WRKSRC}/sample-config/nrpe.cfg.in
+
+do-install:
+ ${INSTALL_PROGRAM} ${WRKSRC}/src/nrpe ${STAGEDIR}${PREFIX}/sbin/nrpe
+ ${MKDIR} ${STAGEDIR}${PREFIX}/libexec/nagios
+ ${INSTALL_PROGRAM} ${WRKSRC}/src/check_nrpe ${STAGEDIR}${PREFIX}/libexec/nagios/check_nrpe
+ ${INSTALL_DATA} ${WRKSRC}/sample-config/nrpe.cfg ${STAGEDIR}${PREFIX}/etc/nrpe.cfg.sample
+
+.include
diff --git a/net-mgmt/nrpe/distinfo b/net-mgmt/nrpe/distinfo
new file mode 100644
index 0000000..a9c2087
--- /dev/null
+++ b/net-mgmt/nrpe/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1722626850
+SHA256 (NagiosEnterprises-nrpe-nrpe-4.1.1_GH0.tar.gz) = ba97734d39cf67a70a7c517d7d62c57df08395df643984cac827819b5d179dae
+SIZE (NagiosEnterprises-nrpe-nrpe-4.1.1_GH0.tar.gz) = 528280
diff --git a/net-mgmt/nrpe/files/nrpe.in b/net-mgmt/nrpe/files/nrpe.in
new file mode 100644
index 0000000..50be3d8
--- /dev/null
+++ b/net-mgmt/nrpe/files/nrpe.in
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# PROVIDE: nrpe
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf to enable nrpe:
+# nrpe_enable (bool): Set to "NO" by default.
+# Set it to "YES" to enable nrpe.
+# nrpe_flags (str): Not set by default.
+# nrpe_configfile (str): Set to "%%PREFIX%%/etc/nrpe.cfg" by default.
+
+. /etc/rc.subr
+
+name=nrpe
+rcvar=nrpe_enable
+
+load_rc_config "${name}"
+
+: ${nrpe_enable:=NO}
+: ${nrpe_configfile:=%%PREFIX%%/etc/nrpe.cfg}
+
+required_files="${nrpe_configfile}"
+
+command="%%PREFIX%%/sbin/nrpe"
+command_args="-c ${nrpe_configfile} -d"
+extra_commands=reload
+sig_reload=HUP
+
+start_precmd=nrpe_prestart
+stop_precmd=find_pidfile
+
+find_pidfile()
+{
+ [ -n "$nrpe_pidfile" ] &&
+ warn "No longer necessary to set nrpe_pidfile in rc.conf[.local]"
+
+ if get_pidfile_from_conf pid_file ${nrpe_configfile}; then
+ pidfile="$_pidfile_from_conf"
+ else
+ pidfile='%%PIDDIR%%/nrpe.pid'
+ fi
+}
+
+nrpe_prestart()
+{
+ find_pidfile
+ install -d -o ${nrpe_user:-nagios} ${pidfile%/*}
+}
+
+run_rc_command "$1"
diff --git a/net-mgmt/nrpe/files/patch-include_common.h.in b/net-mgmt/nrpe/files/patch-include_common.h.in
new file mode 100644
index 0000000..0061680
--- /dev/null
+++ b/net-mgmt/nrpe/files/patch-include_common.h.in
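Review bot: `ARGS_DESC= Enable command argument processing` describes the `--enable-command-args` build switch without saying what it trades away: with it, arguments supplied by the check_nrpe client are substituted into command lines that nrpe executes on the server, which NRPE's own configuration documentation flags as a security risk and which is presumably why ARGS is left out of `OPTIONS_DEFAULT`. The description is the only thing a user sees in the options dialog, so the caveat belongs there, e.g. `ARGS_DESC= Enable command argument processing (security risk, see nrpe.cfg)`. The `post-patch` substitution of `/usr/bin/sudo` with `${LOCALBASE}/bin/sudo` only corrects the path in the sample config; a sudoers rule is still needed for any check that relies on it, which the pkg-message could mention. `COMMENT?=` uses conditional assignment where every other variable uses `=`; if that is for a slave port, a one-line comment saying so would save the next maintainer a search.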
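Review bot: `nrpe_prestart` runs `install -d -o ${nrpe_user:-nagios} ${pidfile%/*}` on whatever directory the `pid_file` setting in nrpe.cfg resolves to, and as far as I can tell FreeBSD's `install -d -o` applies the ownership (and a default mode) to a directory that already exists. If an administrator sets `pid_file=/var/run/nrpe.pid`, the script chowns `/var/run` itself to the nagios user, which hands that account control over every other daemon's pid file. Only create the directory when it is missing, e.g. `[ -d "${pidfile%/*}" ] || install -d -o "${nrpe_user:-nagios}" "${pidfile%/*}"`, and consider warning when the derived directory is a shared system path rather than the port's own `%%PIDDIR%%`. The `${pidfile%/*}` expansion is also unquoted; quoting it costs nothing.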
@@ -0,0 +1,18 @@
+--- include/common.h.in.orig 2022-07-18 19:27:53 UTC
++++ include/common.h.in
+@@ -34,10 +34,15 @@
+ # define OPENSSL_NO_DEPRECATED
+ #endif
+ #include <@SSL_INC_PREFIX@@SSL_HDR@>
++#include <@SSL_INC_PREFIX@crypto.h>
+ # ifdef SSL_TYPE_openssl
+ # include <@SSL_INC_PREFIX@err.h>
+ # include <@SSL_INC_PREFIX@rand.h>
+ # include <@SSL_INC_PREFIX@engine.h>
++# include <@SSL_INC_PREFIX@crypto.h>
++# if defined (LIBRESSL_VERSION_NUMBER)
++# include <@SSL_INC_PREFIX@opensslfeatures.h>
++# endif
+ # endif
+ #endif
+ 
diff --git a/net-mgmt/nrpe/files/patch-src_check__nrpe.c b/net-mgmt/nrpe/files/patch-src_check__nrpe.c
new file mode 100644
index 0000000..4e3fe94
--- /dev/null
+++ b/net-mgmt/nrpe/files/patch-src_check__nrpe.c
@@ -0,0 +1,11 @@
+--- src/check_nrpe.c.orig 2022-07-18 19:27:53 UTC
++++ src/check_nrpe.c
+@@ -899,7 +899,7 @@ void setup_ssl()
+ exit(timeout_return_code);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000
++#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ SSL_CTX_set_max_proto_version(ctx, 0);
+ 
diff --git a/net-mgmt/nrpe/files/patch-src_nrpe.c b/net-mgmt/nrpe/files/patch-src_nrpe.c
new file mode 100644
index 0000000..912e70f
--- /dev/null
+++ b/net-mgmt/nrpe/files/patch-src_nrpe.c
@@ -0,0 +1,11 @@
+--- src/nrpe.c.orig 2022-07-18 19:27:53 UTC
++++ src/nrpe.c
+@@ -357,7 +357,7 @@ void init_ssl(void)
+ exit(STATE_CRITICAL);
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000
++#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ SSL_CTX_set_max_proto_version(ctx, 0);
+ 
diff --git a/net-mgmt/nrpe/files/pkg-message.in b/net-mgmt/nrpe/files/pkg-message.in
new file mode 100644
index 0000000..ac998ea
--- /dev/null
+++ b/net-mgmt/nrpe/files/pkg-message.in
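Review bot: The common.h.in patch adds `#include <@SSL_INC_PREFIX@crypto.h>` twice, once unconditionally right after the `@SSL_HDR@` include and again inside the `# ifdef SSL_TYPE_openssl` block, so the inner one is redundant on every path that reaches it. Keeping only one of them, with a short comment on why it is needed (e.g. `/* crypto.h: needed for the LibreSSL feature macros used below */` if that is the reason), keeps the port patch minimal and easier to rebase on the next nrpe release. The enclosing `#if` nesting begins before and ends after the hunk, so which outer guard the unconditional include falls under is not visible here.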
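Review bot: `#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)` now steers LibreSSL builds away from `SSL_CTX_set_max_proto_version(ctx, 0)` in `setup_ssl`, and patch-src_nrpe.c makes the identical change in `init_ssl`; the `#else` branch they will now take lies outside both hunks. Since LibreSSL reports an `OPENSSL_VERSION_NUMBER` of 0x20000000 or above, that branch is whatever upstream wrote for pre-1.1 OpenSSL, and it is worth confirming it does not pin a weaker protocol floor or ceiling than the 1.1 path before shipping the SSL-default build. A one-line comment on the patched `#if`, e.g. `/* LibreSSL is deliberately kept on the legacy ctx setup; see port patch */`, would record the intent for the next rebase.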
@@ -0,0 +1,12 @@ +[ +{ type: install + message: < - -PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex - -# Must add this patch before HPN due to conflicts -.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi -#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. -. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} -# Needed glue for applying HPN patch without conflict -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue -. endif -# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to -# pull from. -GSSAPI_DEBIAN_VERSION= 9.9p1 -GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1 -# - Debian does not use a versioned filename so we trick fetch to make one for -# us with the ?=/ trick. -PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex -# Bump this when updating the patch location -GSSAPI_DISTVERSION= 9.9p1 -PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c -.endif - -.if ${PORT_OPTIONS:MBLACKLISTD} -CONFIGURE_LIBS+= -lblacklist -.endif - -# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} -#BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. 
-PORTDOCS+= HPN-README -HPN_VERSION= 14v15 -HPN_DISTVERSION= 7.7p1 -#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn -#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 -.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} -# Apply compatibility patch -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat -.endif - -CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog - -# Keep this last -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum - -.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} -BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently -.endif - -.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) -IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base -.endif - -.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} -. if ${PORT_OPTIONS:MHEIMDAL_BASE} -CONFIGURE_LIBS+= -lgssapi_krb5 -CONFIGURE_ARGS+= --with-kerberos5=/usr -. else -CONFIGURE_LIBS+= -lgssapi_krb5 -CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} -. endif -. if ${OPENSSLBASE} == "/usr" -CONFIGURE_ARGS+= --without-rpath -LDFLAGS= # empty -. endif -.else -. if ${PORT_OPTIONS:MKERB_GSSAPI} -IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE -. 
endif -.endif - -.if ${OPENSSLBASE} != "/usr" -CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} -.endif - -EMPTYDIR= /var/empty - -USE_RC_SUBR= openssh - -# After all -CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} -.if !empty(CONFIGURE_LIBS) -CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' -.endif - -CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth - -RC_SCRIPT_NAME= openssh -VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} - -CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}} -CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow - -SSH_ASKPASS_PATH?= ${LOCALBASE}/bin/ssh-askpass - -post-patch: - @${REINPLACE_CMD} \ - -e 's|install: \(.*\) host-key check-config|install: \1|g' \ - ${WRKSRC}/Makefile.in - @${REINPLACE_CMD} \ - -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \ - ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac - @${REINPLACE_CMD} \ - -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ - ${WRKSRC}/sshd_config - @${REINPLACE_CMD} \ - -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ - ${WRKSRC}/sshd_config.5 - @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ - ${WRKSRC}/version.h - -post-configure-XMSS-on: - @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h - -post-configure-BLACKLISTD-on: - @${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h - -post-install: - ${MV} ${STAGEDIR}${ETCDIR}/moduli \ - ${STAGEDIR}${ETCDIR}/moduli.sample - ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ - ${STAGEDIR}${ETCDIR}/ssh_config.sample - ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ - ${STAGEDIR}${ETCDIR}/sshd_config.sample -.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} - ${MKDIR} ${STAGEDIR}${DOCSDIR} - ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} -.endif - -test: build - cd ${WRKSRC} && ${SETENV} -i \ - OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \ - TEST_SHELL=${SH} \ - SUDO="${SUDO}" \ - LOGNAME="${LOGNAME}" \ - HOME="${HOME}" \ - 
TEST_SSH_TRACE=yes \ - PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ - ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests - -.include diff --git a/security/openssh-portable.OTHER/distinfo b/security/openssh-portable.OTHER/distinfo deleted file mode 100644 index 41138b4..0000000 --- a/security/openssh-portable.OTHER/distinfo +++ /dev/null @@ -1,5 +0,0 @@ -TIMESTAMP = 1728410939 -SHA256 (openssh-9.9p1.tar.gz) = b343fbcdbff87f15b1986e6e15d6d4fc9a7d36066be6b7fb507087ba8f966c02 -SIZE (openssh-9.9p1.tar.gz) = 1964864 -SHA256 (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = b8b590024137d54394fd46ebfe32f2b081d0744abdcdcacf6dd30d1c91339864 -SIZE (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = 125233 diff --git a/security/openssh-portable.OTHER/files/extra-patch-blacklistd b/security/openssh-portable.OTHER/files/extra-patch-blacklistd deleted file mode 100644 index a7145e4..0000000 --- a/security/openssh-portable.OTHER/files/extra-patch-blacklistd +++ /dev/null 
@@ -1,419 +0,0 @@ ---- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700 -+++ blacklist.c 2021-04-28 13:56:45.677805000 -0700 -@@ -0,0 +1,92 @@ -+/*- -+ * Copyright (c) 2015 The NetBSD Foundation, Inc. -+ * Copyright (c) 2016 The FreeBSD Foundation, Inc. -+ * All rights reserved. -+ * -+ * Portions of this software were developed by Kurt Lidl -+ * under sponsorship from the FreeBSD Foundation. -+ * -+ * This code is derived from software contributed to The NetBSD Foundation -+ * by Christos Zoulas. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS -+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS -+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. 
-+ */ -+ -+#include "includes.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "ssh.h" -+#include "packet.h" -+#include "log.h" -+#include "misc.h" -+#include -+#include "blacklist_client.h" -+ -+static struct blacklist *blstate = NULL; -+ -+/* internal definition from bl.h */ -+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); -+ -+/* impedence match vsyslog() to sshd's internal logging levels */ -+void -+im_log(int priority, const char *message, va_list args) -+{ -+ LogLevel imlevel; -+ -+ switch (priority) { -+ case LOG_ERR: -+ imlevel = SYSLOG_LEVEL_ERROR; -+ break; -+ case LOG_DEBUG: -+ imlevel = SYSLOG_LEVEL_DEBUG1; -+ break; -+ case LOG_INFO: -+ imlevel = SYSLOG_LEVEL_INFO; -+ break; -+ default: -+ imlevel = SYSLOG_LEVEL_DEBUG2; -+ } -+ do_log2(imlevel, message, args); -+} -+ -+void -+blacklist_init(void) -+{ -+ -+ blstate = bl_create(false, NULL, im_log); -+} -+ -+void -+blacklist_notify(int action, struct ssh *ssh, const char *msg) -+{ -+ -+ if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh)) -+ (void)blacklist_r(blstate, action, -+ ssh_packet_get_connection_in(ssh), msg); -+} ---- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800 -+++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800 -@@ -0,0 +1,61 @@ -+/*- -+ * Copyright (c) 2015 The NetBSD Foundation, Inc. -+ * Copyright (c) 2016 The FreeBSD Foundation, Inc. -+ * All rights reserved. -+ * -+ * Portions of this software were developed by Kurt Lidl -+ * under sponsorship from the FreeBSD Foundation. -+ * -+ * This code is derived from software contributed to The NetBSD Foundation -+ * by Christos Zoulas. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. 
-+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS -+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS -+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. 
-+ */ -+ -+#ifndef BLACKLIST_CLIENT_H -+#define BLACKLIST_CLIENT_H -+ -+#ifndef BLACKLIST_API_ENUM -+enum { -+ BLACKLIST_AUTH_OK = 0, -+ BLACKLIST_AUTH_FAIL, -+ BLACKLIST_ABUSIVE_BEHAVIOR, -+ BLACKLIST_BAD_USER -+}; -+#endif -+ -+#ifdef USE_BLACKLIST -+void blacklist_init(void); -+void blacklist_notify(int, struct ssh *, const char *); -+ -+#define BLACKLIST_INIT() blacklist_init() -+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg) -+ -+#else -+ -+#define BLACKLIST_INIT() -+#define BLACKLIST_NOTIFY(x, ssh, msg) -+ -+#endif -+ -+ -+#endif /* BLACKLIST_CLIENT_H */ ---- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ servconf.c 2021-04-28 13:36:19.591999000 -0700 -@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options) - options->max_sessions = -1; - options->banner = NULL; - options->use_dns = -1; -+ options->use_blacklist = -1; - options->client_alive_interval = -1; - options->client_alive_count_max = -1; - options->num_authkeys_files = 0; -@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options) - options->max_sessions = DEFAULT_SESSIONS_MAX; - if (options->use_dns == -1) - options->use_dns = 0; -+ if (options->use_blacklist == -1) -+ options->use_blacklist = 0; - if (options->client_alive_interval == -1) - options->client_alive_interval = 0; - if (options->client_alive_count_max == -1) -@@ -506,6 +509,7 @@ typedef enum { - sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, - sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, - sBanner, sUseDNS, sHostbasedAuthentication, -+ sUseBlacklist, - sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms, - sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, - sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, -@@ -642,6 +646,8 @@ static struct { - { "maxsessions", sMaxSessions, SSHCFG_ALL }, - { "banner", sBanner, SSHCFG_ALL }, - { "usedns", sUseDNS, SSHCFG_GLOBAL }, -+ { "useblacklist", 
sUseBlacklist, SSHCFG_GLOBAL }, -+ { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */, - { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, - { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, - { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, -@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option - intptr = &options->use_dns; - goto parse_flag; - -+ case sUseBlacklist: -+ intptr = &options->use_blacklist; -+ goto parse_flag; -+ - case sLogFacility: - log_facility_ptr = &options->log_facility; - arg = strdelim(&cp); -@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sCompression, o->compression); - dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); - dump_cfg_fmtint(sUseDNS, o->use_dns); -+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); - dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); - dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); - dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); ---- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800 -+++ servconf.h 2020-11-16 15:51:02.962173000 -0800 -@@ -179,6 +179,7 @@ typedef struct { - int max_sessions; - char *banner; /* SSH-2 banner message */ - int use_dns; -+ int use_blacklist; - int client_alive_interval; /* - * poke the client this often to - * see if it's still there ---- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800 -+++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800 -@@ -105,6 +105,7 @@ extern char *__progname; - #include "ssh-gss.h" - #endif - #include "monitor_wrap.h" -+#include "blacklist_client.h" - - extern ServerOptions options; - extern struct sshbuf *loginmsg; -@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info, - sshbuf_free(buffer); - return (0); - } -+ /* XXX: ssh context unavailable here, unclear if this is even needed. 
-+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, -+ the_active_state, sshpam_authctxt->user); -+ */ - error("PAM: %s for %s%.100s from %.100s", msg, - sshpam_authctxt->valid ? "" : "illegal user ", - sshpam_authctxt->user, sshpam_rhost); ---- auth.c.orig 2020-11-16 15:52:45.824171000 -0800 -+++ auth.c 2020-11-16 15:57:51.091969000 -0800 -@@ -76,6 +76,7 @@ - #include "ssherr.h" - #include "compat.h" - #include "channels.h" -+#include "blacklist_client.h" - - /* import */ - extern ServerOptions options; -@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti - authmsg = "Postponed"; - else if (partial) - authmsg = "Partial"; -- else -+ else { - authmsg = authenticated ? "Accepted" : "Failed"; -+ if (authenticated) -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh"); -+ } - - if ((extra = format_method_key(authctxt)) == NULL) { - if (authctxt->auth_method_info != NULL) -@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user) - aix_restoreauthdb(); - #endif - if (pw == NULL) { -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user); - logit("Invalid user %.100s from %.100s port %d", - user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); - #ifdef CUSTOM_FAILED_LOGIN ---- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800 -+++ auth2.c 2020-11-16 17:12:04.852943000 -0800 -@@ -58,6 +58,7 @@ - #include "monitor_wrap.h" - #include "digest.h" - #include "kex.h" -+#include "blacklist_client.h" - - /* import */ - extern ServerOptions options; -@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct - } else { - /* Invalid user, fake password information */ - authctxt->pw = fakepw(); -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh"); - #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); - #endif -@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co - } else { - /* Allow initial try of "none" auth without failure penalty */ - if (!partial && !authctxt->server_caused_failure && -- (authctxt->attempt > 
1 || strcmp(method, "none") != 0)) -+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { - authctxt->failures++; -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); -+ } - if (authctxt->failures >= options.max_authtries) { - #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); ---- packet.c.orig 2020-11-16 15:52:45.839070000 -0800 -+++ packet.c 2020-11-16 15:56:09.285418000 -0800 -@@ -96,6 +96,7 @@ - #include "packet.h" - #include "ssherr.h" - #include "sshbuf.h" -+#include "blacklist_client.h" - - #ifdef PACKET_DEBUG - #define DBG(x) x -@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, - case SSH_ERR_NO_KEX_ALG_MATCH: - case SSH_ERR_NO_HOSTKEY_ALG_MATCH: - if (ssh->kex && ssh->kex->failed_choice) { -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); - ssh_packet_clear_keys(ssh); - errno = oerrno; - logdie("Unable to negotiate with %s: %s. " ---- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700 -+++ sshd.c 2021-09-10 10:37:17.926747000 -0700 -@@ -123,6 +123,7 @@ - #include "version.h" - #include "ssherr.h" - #include "sk-api.h" -+#include "blacklist_client.h" - #include "srclimit.h" - #include "dh.h" - -@@ -2225,6 +2228,9 @@ main(int ac, char **av) - if ((loginmsg = sshbuf_new()) == NULL) - fatal_f("sshbuf_new failed"); - auth_debug_reset(); -+ -+ if (options.use_blacklist) -+ BLACKLIST_INIT(); - - if (use_privsep) { - if (privsep_preauth(ssh) == 1) ---- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 -+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 -@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S - FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ - @UNSUPPORTED_ALGORITHMS@ - -+LIBSSH_OBJS+= blacklist.o -+ - all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) - - $(LIBSSH_OBJS): Makefile.in config.h ---- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 -+++ sshd_config 2020-11-16 16:57:42.183846000 -0800 -@@ -94,6 +94,7 @@ - #PrintLastLog yes - #TCPKeepAlive 
yes - #PermitUserEnvironment no -+#UseBlacklist no - #Compression delayed - #ClientAliveInterval 0 - #ClientAliveCountMax 3 ---- sshd_config.5.orig 2023-12-18 15:59:50.000000000 +0100 -+++ sshd_config.5 2024-01-06 16:36:17.025742000 +0100 -@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with - is to never expire connections for having no open channels. - This option may be useful in conjunction with - .Cm ChannelTimeout . -+.It Cm UseBlacklist -+Specifies whether -+.Xr sshd 8 -+attempts to send authentication success and failure messages -+to the -+.Xr blacklistd 8 -+daemon. -+The default is -+.Cm no . -+For forward compatibility with an upcoming -+.Xr blacklistd -+rename, the -+.Cm UseBlocklist -+alias can be used instead. - .It Cm UseDNS - Specifies whether - .Xr sshd 8 ---- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800 -+++ monitor.c 2020-11-16 17:25:57.642510000 -0800 -@@ -96,6 +96,7 @@ - #include "match.h" - #include "ssherr.h" - #include "sk-api.h" -+#include "blacklist_client.h" - - #ifdef GSSAPI - static Gssctxt *gsscontext = NULL; -@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor - if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { - auth_log(ssh, authenticated, partial, - auth_method, auth_submethod); -- if (!partial && !authenticated) -+ if (!partial && !authenticated) { - authctxt->failures++; -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, -+ ssh, "ssh"); -+ } - if (authenticated || partial) { - auth2_update_session_info(authctxt, - auth_method, auth_submethod); -@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct - } else { - /* Log failed attempt */ - auth_log(ssh, 0, 0, auth_method, NULL); -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); - free(cuser); - free(chost); - } diff --git a/security/openssh-portable.OTHER/files/extra-patch-gssapi-kexgssc.c b/security/openssh-portable.OTHER/files/extra-patch-gssapi-kexgssc.c deleted file mode 100644 index 40be181..0000000 
--- a/security/openssh-portable.OTHER/files/extra-patch-gssapi-kexgssc.c +++ /dev/null @@ -1,14 +0,0 @@ -Fix prototype for DH_get0_key() in kexgssgex_client(). - ---- kexgssc.c.orig 2020-11-24 12:26:37.222092000 -0800 -+++ kexgssc.c 2020-11-24 12:26:54.801490000 -0800 -@@ -31,6 +31,9 @@ - #include - #include - -+#include -+#include "openbsd-compat/openssl-compat.h" -+ - #include - - #include "xmalloc.h" diff --git a/security/openssh-portable.OTHER/files/extra-patch-gssapi-kexgsss.c b/security/openssh-portable.OTHER/files/extra-patch-gssapi-kexgsss.c deleted file mode 100644 index 073b30d..0000000 --- a/security/openssh-portable.OTHER/files/extra-patch-gssapi-kexgsss.c +++ /dev/null @@ -1,14 +0,0 @@ -Fix prototype for DH_get0_key() in kexgssgex_server(). - ---- kexgsss.c.orig 2020-11-24 12:39:25.548427000 -0800 -+++ kexgsss.c 2020-11-24 12:39:47.591119000 -0800 -@@ -31,6 +31,9 @@ - #include - #include - -+#include -+#include "openbsd-compat/openssl-compat.h" -+ - #include "xmalloc.h" - #include "sshbuf.h" - #include "ssh2.h" diff --git a/security/openssh-portable.OTHER/files/extra-patch-hpn b/security/openssh-portable.OTHER/files/extra-patch-hpn deleted file mode 100644 index c41368a..0000000 --- a/security/openssh-portable.OTHER/files/extra-patch-hpn +++ /dev/null 
@@ -1,1300 +0,0 @@ -diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README ---- work.clean/openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600 -+++ work/openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500 -@@ -0,0 +1,129 @@ -+Notes: -+ -+MULTI-THREADED CIPHER: -+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations -+on hosts with multiple cores to use more than one processing core during encryption. -+Tests have show significant throughput performance increases when using MTR-AES-CTR up -+to and including a full gigabit per second on quad core systems. It should be possible to -+achieve full line rate on dual core systems but OS and data management overhead makes this -+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single -+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal -+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. -+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same -+nomenclature. -+Use examples: ssh -caes128-ctr you@host.com -+ scp -oCipher=aes256-ctr file you@host.com:~/file -+ -+NONE CIPHER: -+To use the NONE option you must have the NoneEnabled switch set on the server and -+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE -+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not -+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will -+be disabled. -+ -+The performance increase will only be as good as the network and TCP stack tuning -+on the reciever side of the connection allows. As a rule of thumb a user will need -+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The -+HPN-SSH home page describes this in greater detail. 
-+ -+http://www.psc.edu/networking/projects/hpn-ssh -+ -+BUFFER SIZES: -+ -+If HPN is disabled the receive buffer size will be set to the -+OpenSSH default of 64K. -+ -+If an HPN system connects to a nonHPN system the receive buffer will -+be set to the HPNBufferSize value. The default is 2MB but user adjustable. -+ -+If an HPN to HPN connection is established a number of different things might -+happen based on the user options and conditions. -+ -+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set -+HPN Buffer Size = up to 64MB -+This is the default state. The HPN buffer size will grow to a maximum of 64MB -+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is -+geared towards 10GigE transcontinental connections. -+ -+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set -+HPN Buffer Size = TCP receive buffer value. -+Users on non-autotuning systesm should disable TCPRcvBufPoll in the -+ssh_cofig and sshd_config -+ -+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set -+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. -+This would be the system defined TCP receive buffer (RWIN). -+ -+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET -+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. -+Generally there is no need to set both. -+ -+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set -+HPN Buffer Size = grows to HPNBufferSize -+The buffer will grow up to the maximum size specified here. -+ -+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET -+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. -+Generally there is no need to set both of these, especially on autotuning -+systems. However, if the users wishes to override the autotuning this would be -+one way to do it. -+ -+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET -+HPN Buffer Size = TCPRcvBuf. 
-+This will override autotuning and set the TCP recieve buffer to the user defined -+value. -+ -+ -+HPN Specific Configuration options -+ -+TcpRcvBuf=[int]KB client -+ set the TCP socket receive buffer to n Kilobytes. It can be set up to the -+maximum socket size allowed by the system. This is useful in situations where -+the tcp receive window is set low but the maximum buffer size is set -+higher (as is typical). This works on a per TCP connection basis. You can also -+use this to artifically limit the transfer rate of the connection. In these -+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. -+Default is the current system wide tcp receive buffer size. -+ -+TcpRcvBufPoll=[yes/no] client/server -+ enable of disable the polling of the tcp receive buffer through the life -+of the connection. You would want to make sure that this option is enabled -+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) -+default is yes. -+ -+NoneEnabled=[yes/no] client/server -+ enable or disable the use of the None cipher. Care must always be used -+when enabling this as it will allow users to send data in the clear. However, -+it is important to note that authentication information remains encrypted -+even if this option is enabled. Set to no by default. -+ -+NoneSwitch=[yes/no] client -+ Switch the encryption cipher being used to the None cipher after -+authentication takes place. NoneEnabled must be enabled on both the client -+and server side of the connection. When the connection switches to the NONE -+cipher a warning is sent to STDERR. The connection attempt will fail with an -+error if a client requests a NoneSwitch from the server that does not explicitly -+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in -+interactive (shell) sessions and it will fail silently. Set to no by default. 
-+ -+HPNDisabled=[yes/no] client/server -+ In some situations, such as transfers on a local area network, the impact -+of the HPN code produces a net decrease in performance. In these cases it is -+helpful to disable the HPN functionality. By default HPNDisabled is set to no. -+ -+HPNBufferSize=[int]KB client/server -+ This is the default buffer size the HPN functionality uses when interacting -+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf -+option as applied to the internal SSH flow control. This value can range from -+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance -+problems depending on the length of the network path. The default size of this buffer -+is 2MB. -+ -+ -+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu) -+ The majority of the actual coding for versions up to HPN12v1 was performed -+ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was -+ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota -+ (tasota@gmail.com) an NSF REU grant recipient for 2013. -+ This work was financed, in part, by Cisco System, Inc., the National -+ Library of Medicine, and the National Science Foundation. 
---- channels.c.orig 2023-02-02 04:21:54.000000000 -0800 -+++ channels.c 2023-02-03 10:45:34.136793000 -0800 -@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels * - /* Setup helper */ - static void channel_handler_init(struct ssh_channels *sc); - -+ -+#ifdef HPN_ENABLED -+static int hpn_disabled = 0; -+static int hpn_buffer_size = 2 * 1024 * 1024; -+#endif -+ - /* -- channel core */ - - void -@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in - c->local_window = window; - c->local_window_max = window; - c->local_maxpacket = maxpack; -+#ifdef HPN_ENABLED -+ c->dynamic_window = 0; -+#endif - c->remote_name = xstrdup(remote_name); - c->ctl_chan = -1; - c->delayed = 1; /* prevent call to channel_post handler */ -@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int - fatal_fr(r, "channel %i", c->self); - } - -+#ifdef HPN_ENABLED -+static int -+channel_tcpwinsz(struct ssh *ssh) -+{ -+ u_int32_t tcpwinsz = 0; -+ socklen_t optsz = sizeof(tcpwinsz); -+ int ret = -1; -+ -+ /* if we aren't on a socket return 128KB */ -+ if (!ssh_packet_connection_is_on_socket(ssh)) -+ return 128 * 1024; -+ -+ ret = getsockopt(ssh_packet_get_connection_in(ssh), -+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); -+ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ -+ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) -+ tcpwinsz = SSHBUF_SIZE_MAX; -+ -+ debug2("tcpwinsz: tcp connection %d, Receive window: %d", -+ ssh_packet_get_connection_in(ssh), tcpwinsz); -+ return tcpwinsz; -+} -+#endif -+ - static void - channel_pre_listener(struct ssh *ssh, Channel *c) - { -@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c) - c->local_maxpacket*3) || - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { -+ u_int addition = 0; -+#ifdef HPN_ENABLED -+ u_int32_t tcpwinsz = channel_tcpwinsz(ssh); -+ /* adjust max window size if we are in a dynamic environment */ -+ if (c->dynamic_window && 
(tcpwinsz > c->local_window_max)) { -+ /* grow the window somewhat aggressively to maintain pressure */ -+ addition = 1.5 * (tcpwinsz - c->local_window_max); -+ c->local_window_max += addition; -+ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition); -+ } -+#endif - if (!c->have_remote_id) - fatal_f("channel %d: no remote id", c->self); - if ((r = sshpkt_start(ssh, - SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || -- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || -+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || - (r = sshpkt_send(ssh)) != 0) { - fatal_fr(r, "channel %i", c->self); - } - debug2("channel %d: window %d sent adjust %d", c->self, -- c->local_window, c->local_consumed); -- c->local_window += c->local_consumed; -+ c->local_window, c->local_consumed + addition); -+ c->local_window += c->local_consumed + addition; - c->local_consumed = 0; - } - return 1; -@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis - return addr; - } - -+#ifdef HPN_ENABLED -+void -+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size) -+{ -+ hpn_disabled = external_hpn_disabled; -+ hpn_buffer_size = external_hpn_buffer_size; -+ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, -+ hpn_buffer_size); -+} -+#endif -+ - static int - channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, - struct Forward *fwd, int *allocated_listen_port, -@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int - } - - /* Allocate a channel number for the socket. */ -+#ifdef HPN_ENABLED -+ /* -+ * explicitly test for hpn disabled option. if true use smaller -+ * window size. 
-+ */ -+ if (!hpn_disabled) -+ c = channel_new(ssh, "port listener", type, sock, sock, -+ -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, -+ 0, "port listener", 1); -+ else -+#endif - c = channel_new(ssh, "port-listener", type, sock, sock, -1, - CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, - 0, "port listener", 1); -@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ - *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); - for (n = 0; n < num_socks; n++) { - sock = socks[n]; -+#ifdef HPN_ENABLED -+ if (!hpn_disabled) -+ nc = channel_new(ssh, "x11 listener", -+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1, -+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, -+ 0, "X11 inet listener", 1); -+ else -+#endif - nc = channel_new(ssh, "x11-listener", - SSH_CHANNEL_X11_LISTENER, sock, sock, -1, - CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, ---- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700 -@@ -143,6 +143,9 @@ struct Channel { - u_int local_maxpacket; - int extended_usage; - int single_connection; -+#ifdef HPN_ENABLED -+ int dynamic_window; -+#endif - - char *ctype; /* type */ - -@@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *); - void chan_rcvd_ieof(struct ssh *, Channel *); - void chan_write_failed(struct ssh *, Channel *); - void chan_obuf_empty(struct ssh *, Channel *); -+ -+#ifdef HPN_ENABLED -+/* hpn handler */ -+void channel_set_hpn(int, int); -+#endif - - #endif ---- work/openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700 -@@ -212,7 +212,12 @@ ciphers_valid(const char *names) - for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; - (p = strsep(&cp, CIPHER_SEP))) { - c = cipher_by_name(p); -+#ifdef NONE_CIPHER_ENABLED -+ if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 && -+ (c->flags & CFLAG_NONE) != 0)) { -+#else - if (c == NULL || (c->flags & 
CFLAG_INTERNAL) != 0) { -+#endif - free(cipher_list); - return 0; - } ---- work/openssh/clientloop.c.orig 2023-12-18 06:59:50.000000000 -0800 -+++ work/openssh/clientloop.c 2024-01-08 16:27:47.806586000 -0800 -@@ -1813,6 +1813,15 @@ client_request_x11(struct ssh *ssh, const char *reques - sock = x11_connect_display(ssh); - if (sock < 0) - return NULL; -+#ifdef HPN_ENABLED -+ /* again is this really necessary for X11? */ -+ if (!options.hpn_disabled) -+ c = channel_new(ssh, "x11-connection", -+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, -+ options.hpn_buffer_size, -+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -+ else -+#endif - c = channel_new(ssh, "x11-connection", - SSH_CHANNEL_X11_OPEN, sock, sock, -1, - CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -@@ -1848,6 +1857,14 @@ client_request_agent(struct ssh *ssh, const char *requ - else - debug2_fr(r, "ssh_agent_bind_hostkey"); - -+#ifdef HPN_ENABLED -+ if (!options.hpn_disabled) -+ c = channel_new(ssh, "agent-connection", -+ SSH_CHANNEL_OPEN, sock, sock, -1, -+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, -+ "authentication agent connection", 1); -+ else -+#endif - c = channel_new(ssh, "agent-connection", - SSH_CHANNEL_OPEN, sock, sock, -1, - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, -@@ -1876,6 +1893,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, - } - debug("Tunnel forwarding using interface %s", ifname); - -+#ifdef HPN_ENABLED -+ if (!options.hpn_disabled) -+ c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1, -+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); -+ else -+#endif - c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1, - CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); - c->datagram = 1; ---- work/openssh/compat.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ work/openssh/compat.c 2021-04-28 14:37:33.129317000 -0700 -@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) - 
debug_f("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); - ssh->compat = check[i].bugs; -+#ifdef HPN_ENABLED -+ /* Check to see if the remote side is OpenSSH and not HPN */ -+ if (strstr(version,"OpenSSH") != NULL && -+ strstr(version,"hpn") == NULL) { -+ ssh->compat |= SSH_BUG_LARGEWINDOW; -+ debug("Remote is NON-HPN aware"); -+ } -+#endif - return; - } - } ---- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 -+++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500 -@@ -62,6 +62,9 @@ - #define SSH_BUG_CURVE25519PAD 0x10000000 - #define SSH_BUG_HOSTKEYS 0x20000000 - #define SSH_BUG_DHGEX_LARGE 0x40000000 -+#ifdef HPN_ENABLED -+#define SSH_BUG_LARGEWINDOW 0x80000000 -+#endif - - void enable_compat13(void); - void enable_compat20(void); ---- work/openssh/configure.ac.orig 2020-03-22 11:06:53.034550000 -0700 -+++ work/openssh/configure.ac 2020-03-22 11:07:10.017487000 -0700 -@@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir], - ] - ) # maildir - -+#check whether user wants HPN support -+HPN_MSG="no" -+AC_ARG_WITH(hpn, -+ [ --with-hpn Enable HPN support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.]) -+ HPN_MSG="yes" -+ fi ] -+) -+#check whether user wants NONECIPHER support -+NONECIPHER_MSG="no" -+AC_ARG_WITH(nonecipher, -+ [ --with-nonecipher Enable NONECIPHER support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.]) -+ NONECIPHER_MSG="yes" -+ fi ] -+) -+ - if test ! 
-z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
- AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
- disable_ptmx_check=yes
-@@ -5459,6 +5478,8 @@ echo " Random number source: $RAND_MSG"
- echo " Privsep sandbox style: $SANDBOX_STYLE"
- echo " PKCS#11 support: $enable_pkcs11"
- echo " U2F/FIDO support: $enable_sk"
-+echo " HPN support: $HPN_MSG"
-+echo " NONECIPHER support: $NONECIPHER_MSG"
-
- echo ""
-
---- work/openssh/kex.c.orig 2023-12-18 06:59:50.000000000 -0800
-+++ work/openssh/kex.c 2024-01-08 16:24:07.547292000 -0800
-@@ -1252,6 +1252,20 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
- peer[ncomp] = NULL;
- goto out;
- }
-+#ifdef NONE_CIPHER_ENABLED
-+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
-+ if (strcmp(newkeys->enc.name, "none") == 0) {
-+ int auth_flag;
-+
-+ auth_flag = ssh_packet_authentication_state(ssh);
-+ debug("Requesting NONE. Authflag is %d", auth_flag);
-+ if (auth_flag == 1) {
-+ debug("None requested post authentication.");
-+ } else {
-+ fatal("Pre-authentication none cipher requests are not allowed.");
-+ }
-+ }
-+#endif
- debug("kex: %s cipher: %s MAC: %s compression: %s",
- ctos ? "client->server" : "server->client",
- newkeys->enc.name,
-@@ -1462,7 +1476,7 @@ kex_exchange_identification(struct ssh *ssh, int timeo
- */
- int
- kex_exchange_identification(struct ssh *ssh, int timeout_ms,
-- const char *version_addendum)
-+ const char *version_addendum, int hpn_disabled)
- {
- int remote_major, remote_minor, mismatch, oerrno = 0;
- size_t len, n;
-@@ -1479,8 +1493,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
- sshbuf_reset(our_version);
- if (version_addendum != NULL && *version_addendum == '\0')
- version_addendum = NULL;
-- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
-+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+#ifdef HPN_ENABLED
-+ hpn_disabled ?
"" : SSH_HPN,
-+#else
-+ "",
-+#endif
- version_addendum == NULL ? "" : " ",
- version_addendum == NULL ? "" : version_addendum)) != 0) {
- oerrno = errno;
---- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700
-@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
-+#ifdef NONE_CIPHER_ENABLED
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
-+int
-+ssh_packet_authentication_state(struct ssh *ssh)
-+{
-+ struct session_state *state = ssh->state;
-+
-+ return(state->after_authentication);
-+}
-+#endif
-+
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
- /* Peer can't rekey */
- if (ssh->compat & SSH_BUG_NOREKEY)
- return 0;
-+#ifdef NONE_CIPHER_ENABLED
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+#endif
-
- /*
- * Permit one packet in or out per rekey - this allows us to
---- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500
-@@ -206,6 +206,11 @@ int sshpkt_get_end(struct ssh *ssh);
- void sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l);
- const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
-
-+#ifdef NONE_CIPHER_ENABLED
-+void packet_request_rekeying(void);
-+int ssh_packet_authentication_state(struct ssh *ssh);
-+#endif
-+
- #if !defined(WITH_OPENSSL)
- # undef BIGNUM
- # undef EC_KEY
---- work/openssh/readconf.c.orig 2021-09-08 09:56:20.567664000 -0700
-+++ work/openssh/readconf.c 2021-09-08 09:57:31.560617000 -0700
-@@ -67,6 +67,9 @@
- #include "uidswap.h"
-
#include "myproposal.h"
- #include "digest.h"
-+#ifdef HPN_ENABLED
-+#include "sshbuf.h"
-+#endif
-
- /* Format of the configuration file:
-
-@@ -168,6 +171,12 @@ typedef enum {
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull,
-+#ifdef HPN_ENABLED
-+ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
-+#endif
-+#ifdef NONE_CIPHER_ENABLED
-+ oNoneSwitch, oNoneEnabled,
-+#endif
- oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
-@@ -316,6 +325,16 @@ static struct {
- { "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
- { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
- { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
-+#ifdef NONE_CIPHER_ENABLED
-+ { "noneenabled", oNoneEnabled },
-+ { "noneswitch", oNoneSwitch },
-+#endif
-+#ifdef HPN_ENABLED
-+ { "tcprcvbufpoll", oTcpRcvBufPoll },
-+ { "tcprcvbuf", oTcpRcvBuf },
-+ { "hpndisabled", oHPNDisabled },
-+ { "hpnbuffersize", oHPNBufferSize },
-+#endif
- { "ignoreunknown", oIgnoreUnknown },
- { "proxyjump", oProxyJump },
- { "securitykeyprovider", oSecurityKeyProvider },
-@@ -1125,6 +1144,44 @@ parse_time:
- intptr = &options->check_host_ip;
- goto parse_flag;
-
-+#ifdef HPN_ENABLED
-+ case oHPNDisabled:
-+ intptr = &options->hpn_disabled;
-+ goto parse_flag;
-+
-+ case oHPNBufferSize:
-+ intptr = &options->hpn_buffer_size;
-+ goto parse_int;
-+
-+ case oTcpRcvBufPoll:
-+ intptr = &options->tcp_rcv_buf_poll;
-+ goto parse_flag;
-+
-+ case oTcpRcvBuf:
-+ intptr = &options->tcp_rcv_buf;
-+ goto parse_int;
-+#endif
-+
-+#ifdef NONE_CIPHER_ENABLED
-+ case oNoneEnabled:
-+ intptr = &options->none_enabled;
-+ goto parse_flag;
-+
-+ /* we check to see if the command comes from the */
-+ /* command line or not.
If it does then enable it */
-+ /* otherwise fail. NONE should never be a default configuration */
-+ case oNoneSwitch:
-+ if(strcmp(filename,"command-line") == 0) {
-+ intptr = &options->none_switch;
-+ goto parse_flag;
-+ } else {
-+ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
-+ error("Continuing...");
-+ debug("NoneSwitch directive found in %.200s.", filename);
-+ return 0;
-+ }
-+#endif
-+
- case oVerifyHostKeyDNS:
- intptr = &options->verify_host_key_dns;
- multistate_ptr = multistate_yesnoask;
-@@ -2386,6 +2443,16 @@ initialize_options(Options * options)
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
- options->request_tty = -1;
-+#ifdef NONE_CIPHER_ENABLED
-+ options->none_switch = -1;
-+ options->none_enabled = -1;
-+#endif
-+#ifdef HPN_ENABLED
-+ options->hpn_disabled = -1;
-+ options->hpn_buffer_size = -1;
-+ options->tcp_rcv_buf_poll = -1;
-+ options->tcp_rcv_buf = -1;
-+#endif
- options->session_type = -1;
- options->stdin_null = -1;
- options->fork_after_authentication = -1;
-@@ -2557,6 +2624,34 @@ fill_default_options(Options * options)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
- options->server_alive_count_max = 3;
-+#ifdef NONE_CIPHER_ENABLED
-+ if (options->none_switch == -1)
-+ options->none_switch = 0;
-+ if (options->none_enabled == -1)
-+ options->none_enabled = 0;
-+#endif
-+#ifdef HPN_ENABLED
-+ if (options->hpn_disabled == -1)
-+ options->hpn_disabled = 0;
-+ if (options->hpn_buffer_size > -1) {
-+ /* if a user tries to set the size to 0 set it to 1KB */
-+ if (options->hpn_buffer_size == 0)
-+ options->hpn_buffer_size = 1;
-+ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
-+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
-+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
-+ debug("User requested buffer larger than 256MB.
Request reverted to 256MB");
-+ } else
-+ options->hpn_buffer_size *= 1024;
-+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
-+ }
-+ if (options->tcp_rcv_buf == 0)
-+ options->tcp_rcv_buf = 1;
-+ if (options->tcp_rcv_buf > -1)
-+ options->tcp_rcv_buf *=1024;
-+ if (options->tcp_rcv_buf_poll == -1)
-+ options->tcp_rcv_buf_poll = 1;
-+#endif
- if (options->control_master == -1)
- options->control_master = 0;
- if (options->control_persist == -1) {
---- work.clean/openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500
-@@ -105,6 +105,16 @@
- int clear_forwardings;
-
- int enable_ssh_keysign;
-+#ifdef NONE_CIPHER_ENABLED
-+ int none_switch; /* Use none cipher */
-+ int none_enabled; /* Allow none to be used */
-+#endif
-+#ifdef HPN_ENABLED
-+ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
-+ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
-+ int hpn_disabled; /* Switch to disable HPN buffer management */
-+ int hpn_buffer_size; /* User definable size for HPN buffer window */
-+#endif
- int64_t rekey_limit;
- int rekey_interval;
- int no_host_authentication_for_localhost;
---- work/openssh/scp.c.orig 2020-09-27 00:25:01.000000000 -0700
-+++ work/openssh/scp.c 2020-11-10 10:31:03.060729000 -0800
-@@ -1246,7 +1246,7 @@ sink(int argc, char **argv, const char *src)
- off_t size, statbytes;
- unsigned long long ull;
- int setimes, targisdir, wrerr;
-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[COPY_BUFLEN], visbuf[COPY_BUFLEN];
- char **patterns = NULL;
- size_t n, npatterns = 0;
- struct timeval tv[2];
---- work/openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700
-@@ -63,6 +63,9 @@
- #include "auth.h"
- #include "myproposal.h"
- #include "digest.h"
-+#ifdef HPN_ENABLED
-+#include "sshbuf.h"
-+#endif
-
- static void add_listen_addr(ServerOptions *, const char *,
- const char *, int);
-@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
- options->authorized_principals_file = NULL;
- options->authorized_principals_command = NULL;
- options->authorized_principals_command_user = NULL;
-+#ifdef NONE_CIPHER_ENABLED
-+ options->none_enabled = -1;
-+#endif
-+#ifdef HPN_ENABLED
-+ options->tcp_rcv_buf_poll = -1;
-+ options->hpn_disabled = -1;
-+ options->hpn_buffer_size = -1;
-+#endif
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
- options->version_addendum = NULL;
-@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+#ifdef NONE_CIPHER_ENABLED
-+ if (options->none_enabled == -1)
-+ options->none_enabled = 0;
-+#endif
-+#ifdef HPN_ENABLED
-+ if (options->hpn_disabled == -1)
-+ options->hpn_disabled = 0;
-+
-+ if (options->hpn_buffer_size == -1) {
-+ /*
-+ * option not explicitly set. Now we have to figure out
-+ * what value to use.
-+ */
-+ if (options->hpn_disabled == 1) {
-+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
-+ } else {
-+ int sock, socksize;
-+ socklen_t socksizelen = sizeof(socksize);
-+
-+ /*
-+ * get the current RCV size and set it to that
-+ * create a socket but don't connect it
-+ * we use that the get the rcv socket size
-+ */
-+ sock = socket(AF_INET, SOCK_STREAM, 0);
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ close(sock);
-+ options->hpn_buffer_size = socksize;
-+ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
-+ }
-+ } else {
-+ /*
-+ * we have to do this incase the user sets both values in a
-+ * contradictory manner.
hpn_disabled overrrides
-+ * hpn_buffer_size
-+ */
-+ if (options->hpn_disabled <= 0) {
-+ if (options->hpn_buffer_size == 0)
-+ options->hpn_buffer_size = 1;
-+ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
-+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
-+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
-+ } else {
-+ options->hpn_buffer_size *= 1024;
-+ }
-+ } else
-+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
-+ }
-+#endif
-+
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
-@@ -466,6 +528,12 @@ typedef enum {
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-+#ifdef NONE_CIPHER_ENABLED
-+ sNoneEnabled,
-+#endif
-+#ifdef HPN_ENABLED
-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-+#endif
- sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -603,6 +671,14 @@ static struct {
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-+#ifdef NONE_CIPHER_ENABLED
-+ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
-+#endif
-+#ifdef HPN_ENABLED
-+ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
-+ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
-+ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
-+#endif
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
- { "ipqos", sIPQoS, SSHCFG_ALL },
- { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
- case sIgnoreUserKnownHosts:
- intptr = &options->ignore_user_known_hosts;
- goto parse_flag;
-+
-+#ifdef NONE_CIPHER_ENABLED
-+ case sNoneEnabled:
-+ intptr = &options->none_enabled;
-+ goto parse_flag;
-+#endif
-+#ifdef HPN_ENABLED
-+ case sTcpRcvBufPoll:
-+ intptr = &options->tcp_rcv_buf_poll;
-+ goto parse_flag;
-+
-+ case sHPNDisabled:
-+ intptr = &options->hpn_disabled;
-+ goto parse_flag;
-+
-+ case sHPNBufferSize:
-+ intptr = &options->hpn_buffer_size;
-+ goto parse_int;
-+#endif
-
- case sHostbasedAuthentication:
- intptr = &options->hostbased_authentication;
---- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
-@@ -169,6 +169,15 @@
-
- int use_pam; /* Enable auth via PAM */
-
-+#ifdef NONE_CIPHER_ENABLED
-+ int none_enabled; /* enable NONE cipher switch */
-+#endif
-+#ifdef HPN_ENABLED
-+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
-+ int hpn_disabled; /* disable hpn functionality. false by default */
-+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
-+#endif
-+
- int permit_tun;
-
- int num_permitted_opens;
---- work/openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700
-@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
- goto done;
- debug("Tunnel forwarding using interface %s", ifname);
-
-+#ifdef HPN_ENABLED
-+ if (!options.hpn_disabled)
-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+ else
-+#endif
- c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
- c->datagram = 1;
-@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
- c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
- -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
- 0, "server-session", 1);
-+#ifdef HPN_ENABLED
-+ if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
-+ c->dynamic_window = 1;
-+#endif
- if (session_open(the_authctxt, c->self) != 1) {
- debug("session open failed, free channel
%d", c->self);
- channel_free(ssh, c);
---- work/openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700
-@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
- */
- if (s->chanid == -1)
- fatal("no channel for session %d", s->self);
-+#ifdef HPN_ENABLED
-+ if (!options.hpn_disabled)
-+ channel_set_fds(ssh, s->chanid,
-+ fdout, fdin, fderr,
-+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
-+ 1, is_tty, options.hpn_buffer_size);
-+ else
-+#endif
- channel_set_fds(ssh, s->chanid,
- fdout, fdin, fderr,
- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
---- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500
-@@ -263,7 +263,8 @@
- Specify how many requests may be outstanding at any one time.
- Increasing this may slightly improve file transfer speed
- but will increase memory usage.
--The default is 64 outstanding requests.
-+The default is 256 outstanding requests providing for 8MB
-+of outstanding data with a 32KB buffer.
- .It Fl r
- Recursively copy entire directories when uploading and downloading.
- Note that
---- work/openssh/ssh.c.orig 2024-06-30 21:36:28.000000000 -0700
-+++ work/openssh/ssh.c 2024-07-01 13:58:31.555859000 -0700
-@@ -1070,6 +1070,14 @@ main(int ac, char **av)
- break;
- case 'T':
- options.request_tty = REQUEST_TTY_NO;
-+#ifdef NONE_CIPHER_ENABLED
-+ /*
-+ * ensure that the user doesn't try to backdoor a
-+ * null cipher switch on an interactive session
-+ * so explicitly disable it no matter what.
-+ */
-+ options.none_switch = 0;
-+#endif
- break;
- case 'o':
- line = xstrdup(optarg);
-@@ -2159,6 +2167,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
- NULL, fileno(stdin), command, environ);
- }
-
-+static void
-+hpn_options_init(struct ssh *ssh)
-+{
-+ /*
-+ * We need to check to see if what they want to do about buffer
-+ * sizes here. In a hpn to nonhpn connection we want to limit
-+ * the window size to something reasonable in case the far side
-+ * has the large window bug. In hpn to hpn connection we want to
-+ * use the max window size but allow the user to override it
-+ * lastly if they disabled hpn then use the ssh std window size.
-+ *
-+ * So why don't we just do a getsockopt() here and set the
-+ * ssh window to that? In the case of a autotuning receive
-+ * window the window would get stuck at the initial buffer
-+ * size generally less than 96k. Therefore we need to set the
-+ * maximum ssh window size to the maximum hpn buffer size
-+ * unless the user has specifically set the tcprcvbufpoll
-+ * to no. In which case we *can* just set the window to the
-+ * minimum of the hpn buffer size and tcp receive buffer size.
-+ */
-+
-+ if (tty_flag)
-+ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
-+ else
-+ options.hpn_buffer_size = 2 * 1024 * 1024;
-+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-+ debug("HPN to Non-HPN Connection");
-+ } else {
-+ int sock, socksize;
-+ socklen_t socksizelen;
-+ if (options.tcp_rcv_buf_poll <= 0) {
-+ sock = socket(AF_INET, SOCK_STREAM, 0);
-+ socksizelen = sizeof(socksize);
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ close(sock);
-+ debug("socksize %d", socksize);
-+ options.hpn_buffer_size = socksize;
-+ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
-+ } else {
-+ if (options.tcp_rcv_buf > 0) {
-+ /*
-+ * Create a socket but don't connect it:
-+ * we use that the get the rcv socket size
-+ */
-+ sock = socket(AF_INET, SOCK_STREAM, 0);
-+ /*
-+ * If they are using the tcp_rcv_buf option,
-+ * attempt to set the buffer size to that.
-+ */
-+ if (options.tcp_rcv_buf) {
-+ socksizelen = sizeof(options.tcp_rcv_buf);
-+ setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+ &options.tcp_rcv_buf, socksizelen);
-+ }
-+ socksizelen = sizeof(socksize);
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ close(sock);
-+ debug("socksize %d", socksize);
-+ options.hpn_buffer_size = socksize;
-+ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
-+ }
-+ }
-+ }
-+
-+ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
-+
-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
-+}
-+
- /* open new channel for a session */
- static int
- ssh_session2_open(struct ssh *ssh)
-@@ -2177,9 +2257,17 @@ ssh_session2_open(struct ssh *ssh)
- if (in == -1 || out == -1 || err == -1)
- fatal("dup() in/out/err failed");
-
-+#ifdef HPN_ENABLED
-+ window = options.hpn_buffer_size;
-+#else
- window = CHAN_SES_WINDOW_DEFAULT;
-+#endif
-+
- packetmax = CHAN_SES_PACKET_DEFAULT;
- if (tty_flag) {
-+#ifdef HPN_ENABLED
-+ window = CHAN_SES_WINDOW_DEFAULT;
-+#endif
- window
>>= 1;
- packetmax >>= 1;
- }
-@@ -2188,6 +2276,12 @@ ssh_session2_open(struct ssh *ssh)
- window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", CHANNEL_NONBLOCK_STDIO);
-
-+#ifdef HPN_ENABLED
-+ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
-+ c->dynamic_window = 1;
-+ debug ("Enabled Dynamic Window Scaling");
-+ }
-+#endif
- debug3_f("channel_new: %d", c->self);
-
- channel_send_open(ssh, c->self);
-@@ -2203,6 +2297,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
- {
- int r, interactive, id = -1;
- char *cp, *tun_fwd_ifname = NULL;
-+
-+#ifdef HPN_ENABLED
-+ /*
-+ * We need to initialize this early because the forwarding logic below
-+ * might open channels that use the hpn buffer sizes. We can't send a
-+ * window of -1 (the default) to the server as it breaks things.
-+ */
-+ hpn_options_init(ssh);
-+#endif
-
- /* XXX should be pre-session */
- if (!options.control_persist)
---- work/openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700
-+++ work/openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700
-@@ -28,7 +28,11 @@
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-
-+#ifdef HPN_ENABLED
-+#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */
-+#else
- #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
-+#endif
- #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
- #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
- #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
---- work/openssh/sshconnect.c.orig 2020-09-27 00:25:01.000000000 -0700
-+++ work/openssh/sshconnect.c 2020-11-10 21:35:40.945330000 -0800
-@@ -361,7 +361,32 @@ check_ifaddrs(const char *ifname, int af, const struct
- }
- #endif
-
-+#ifdef HPN_ENABLED
- /*
-+ * Set TCP receive buffer if requested.
-+ * Note: tuning needs to happen after the socket is
-+ * created but before the connection happens
-+ * so winscale is negotiated properly -cjr
-+ */
-+static void
-+ssh_set_socket_recvbuf(int sock)
-+{
-+ void *buf = (void *)&options.tcp_rcv_buf;
-+ int sz = sizeof(options.tcp_rcv_buf);
-+ int socksize;
-+ socklen_t socksizelen = sizeof(socksize);
-+
-+ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
-+ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
-+ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
-+ } else
-+ error("Couldn't set socket receive buffer to %d: %.100s",
-+ options.tcp_rcv_buf, strerror(errno));
-+}
-+#endif
-+
-+/*
- * Creates a socket for use as the ssh connection.
- */
- static int
-@@ -383,6 +408,11 @@ ssh_create_socket(struct addrinfo *ai)
- }
- fcntl(sock, F_SETFD, FD_CLOEXEC);
-
-+#ifdef HPN_ENABLED
-+ if (options.tcp_rcv_buf > 0)
-+ ssh_set_socket_recvbuf(sock);
-+#endif
-+
- /* Bind the socket to an alternative local IP address */
- if (options.bind_address == NULL && options.bind_interface == NULL)
- return sock;
-@@ -1289,7 +1319,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const
- lowercase(host);
-
- /* Exchange protocol version identification strings with the server. */
-- if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
-+ if ((r = kex_exchange_identification(ssh, timeout_ms, NULL,
-+ options.hpn_disabled)) != 0)
- sshpkt_fatal(ssh, r, "banner exchange");
-
- /* Put the connection into non-blocking mode. */
---- work/openssh/sshconnect2.c.orig 2023-03-15 14:28:19.000000000 -0700
-+++ work/openssh/sshconnect2.c 2023-05-19 14:20:01.965073000 -0700
-@@ -83,7 +83,13 @@ extern Options options;
- extern char *client_version_string;
- extern char *server_version_string;
- extern Options options;
-+#ifdef NONE_CIPHER_ENABLED
-+/* tty_flag is set in ssh.c.
use this in ssh_userauth2 */
-+/* if it is set then prevent the switch to the null cipher */
-
-+extern int tty_flag;
-+#endif
-+
- /*
- * SSH2 key exchange
- */
-@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
- if (!authctxt.success)
- fatal("Authentication failed.");
-+#ifdef NONE_CIPHER_ENABLED
-+ /*
-+ * if the user wants to use the none cipher do it
-+ * post authentication and only if the right conditions are met
-+ * both of the NONE commands must be true and there must be no
-+ * tty allocated.
-+ */
-+ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
-+ char *myproposal[PROPOSAL_MAX];
-+ char *s = NULL;
-+ const char *none_cipher = "none";
-+
-+ if (!tty_flag) { /* no null on tty sessions */
-+ debug("Requesting none rekeying...");
-+ kex_proposal_populate_entries(ssh, myproposal, s, none_cipher,
-+ options.macs,
-+ compression_alg_list(options.compression),
-+ options.hostkeyalgorithms);
-+ kex_prop2buf(ssh->kex->my, myproposal);
-+ packet_request_rekeying();
-+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
-+ } else {
-+ /* requested NONE cipher when in a tty */
-+ debug("Cannot switch to NONE cipher with tty allocated");
-+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
-+ }
-+ }
-+#endif
- if (ssh_packet_connection_is_on_socket(ssh)) {
- verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
- ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
---- work/openssh/sshd.c.orig 2024-06-30 21:36:28.000000000 -0700
-+++ work/openssh/sshd.c 2024-07-01 14:03:40.471948000 -0700
-@@ -75,6 +75,9 @@
- #include "log.h"
- #include "sshbuf.h"
- #include "misc.h"
-+#ifdef HPN_ENABLED
-+#include "channels.h"
-+#endif
- #include "servconf.h"
- #include "compat.h"
- #include "digest.h"
-@@ -742,6 +742,10 @@ listen_on_addrs(struct listenaddr *la)
- int ret, listen_sock;
- struct addrinfo *ai;
- char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-+#ifdef HPN_ENABLED
-+ int socksize;
-+ socklen_t
socksizelen = sizeof(socksize);
-+#endif
-
- for (ai = la->addrs; ai; ai = ai->ai_next) {
- if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -786,6 +790,13 @@ listen_on_addrs(struct listenaddr *la)
- sock_set_v6only(listen_sock);
-
- debug("Bind to port %s on %s.", strport, ntop);
-+
-+#ifdef HPN_ENABLED
-+ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
-+ &socksize, &socksizelen);
-+ debug("Server TCP RWIN socket size: %d", socksize);
-+ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
-+#endif
-
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
-@@ -1409,6 +1420,15 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
-
-+#ifdef NONE_CIPHER_ENABLED
-+ if (options.none_enabled == 1) {
-+ char *old_ciphers = options.ciphers;
-+
-+ xasprintf(&options.ciphers, "%s,none", old_ciphers);
-+ free(old_ciphers);
-+ }
-+#endif
-+
- /* Check that options are sensible */
- if (options.authorized_keys_command_user == NULL &&
- (options.authorized_keys_command != NULL &&
-@@ -1742,6 +1762,11 @@ main(int ac, char **av)
- /* This is the child processing a new connection. */
- setproctitle("%s", "[accepted]");
-
-+#ifdef HPN_ENABLED
-+ /* set the HPN options for the child */
-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
-+#endif
-+
- /*
- * Create a new session and process group since the 4.4BSD
- * setlogin() affects the entire process group.
We don't
---- work.clean/openssh-9.8p1/sshd-session.c.orig 2024-07-01 13:54:25.745441000 -0700
-+++ work/openssh-9.8p1/sshd-session.c 2024-07-01 13:54:57.335695000 -0700
-@@ -1305,7 +1305,7 @@ main(int ac, char **av)
- alarm(options.login_grace_time);
-
- if ((r = kex_exchange_identification(ssh, -1,
-- options.version_addendum)) != 0)
-+ options.version_addendum, options.hpn_disabled)) != 0)
- sshpkt_fatal(ssh, r, "banner exchange");
-
- ssh_packet_set_nonblocking(ssh);
-@@ -1444,6 +1444,10 @@ do_ssh2_kex(struct ssh *ssh)
- struct kex *kex;
- int r;
-
-+#ifdef NONE_CIPHER_ENABLED
-+ if (options.none_enabled == 1)
-+ debug ("WARNING: None cipher enabled");
-+#endif
- if (options.rekey_limit || options.rekey_interval)
- ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
- options.rekey_interval);
---- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
-+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
-@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
-+# the following are HPN related configuration options
-+# tcp receive buffer polling.
disable in non autotuning kernels
-+#TcpRcvBufPoll yes
-+
-+# disable hpn performance boosts
-+#HPNDisabled no
-+
-+# buffer size for hpn to non-hpn connections
-+#HPNBufferSize 2048
-+
-+
-+# allow the use of the none cipher
-+#NoneEnabled no
-+
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
---- work/openssh/version.h.orig 2023-12-18 06:59:50.000000000 -0800
-+++ work/openssh/version.h 2024-01-08 16:22:25.632475000 -0800
-@@ -4,3 +4,4 @@
-
- #define SSH_PORTABLE "p1"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v15"
---- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700
-+++ work/openssh/kex.h 2019-07-10 17:35:41.997522000 -0700
-@@ -178,7 +178,7 @@ char *kex_alg_list(char);
- char *kex_names_cat(const char *, const char *);
- int kex_assemble_names(char **, const char *, const char *);
-
--int kex_exchange_identification(struct ssh *, int, const char *);
-+int kex_exchange_identification(struct ssh *, int, const char *, int);
-
- struct kex *kex_new(void);
- int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/security/openssh-portable.OTHER/files/extra-patch-hpn-compat b/security/openssh-portable.OTHER/files/extra-patch-hpn-compat
deleted file mode 100644
index ab76176..0000000
--- a/security/openssh-portable.OTHER/files/extra-patch-hpn-compat
+++ /dev/null
@@ -1,46 +0,0 @@
------------------------------------------------------------------------
-r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
-Changed paths:
- M /head/crypto/openssh/servconf.c
-
-Instead of removing the NoneEnabled option, mark it as unsupported.
-(should have done this in r291198, but didn't think of it until now)
-
------------------------------------------------------------------------
------------------------------------------------------------------------
-r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
-Changed paths:
- M /head/crypto/openssh/readconf.c
-
-r294563 was incomplete; re-add the client-side options as well.
-
------------------------------------------------------------------------
-
---- readconf.c.orig 2023-12-19 17:09:41.366788000 -0800
-+++ readconf.c 2023-12-19 17:10:24.155247000 -0800
-@@ -329,6 +329,12 @@
- { "enableescapecommandline", oEnableEscapeCommandline },
- { "obscurekeystroketiming", oObscureKeystrokeTiming },
- { "channeltimeout", oChannelTimeout },
-+ { "hpndisabled", oDeprecated },
-+ { "hpnbuffersize", oDeprecated },
-+ { "tcprcvbufpoll", oDeprecated },
-+ { "tcprcvbuf", oDeprecated },
-+ { "noneenabled", oUnsupported },
-+ { "noneswitch", oUnsupported },
- 
- { NULL, oBadOption }
- };
---- servconf.c.orig 2024-09-19 15:20:48.000000000 -0700
-+++ servconf.c 2024-10-07 20:18:18.259726000 -0700
-@@ -746,6 +746,10 @@ static struct {
- { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
- { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
- { "refuseconnection", sRefuseConnection, SSHCFG_ALL },
-+ { "noneenabled", sUnsupported, SSHCFG_ALL },
-+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
-+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
-+ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
- { NULL, sBadOption, 0 }
- };
- 
diff --git a/security/openssh-portable.OTHER/files/extra-patch-hpn-gss-glue b/security/openssh-portable.OTHER/files/extra-patch-hpn-gss-glue
deleted file mode 100644
index 57b47e8..0000000
--- a/security/openssh-portable.OTHER/files/extra-patch-hpn-gss-glue
+++ /dev/null
@@ -1,57 +0,0 @@
---- sshconnect2.c.orig 2019-07-19 11:53:14.918867000 -0700
-+++ sshconnect2.c 2019-07-19 11:53:16.911086000 -0700
-@@ -159,11 +159,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
- char *s, *all_key;
- int r;
- 
--#if defined(GSSAPI) && defined(WITH_OPENSSL)
-- char *orig = NULL, *gss = NULL;
-- char *gss_host = NULL;
--#endif
--
- xxx_host = host;
- xxx_hostaddr = hostaddr;
- 
-@@ -197,6 +192,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
- }
- 
- #if defined(GSSAPI) && defined(WITH_OPENSSL)
-+ char *orig = NULL, *gss = NULL;
-+ char *gss_host = NULL;
-+
- if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this
- * client to the key exchange algorithm proposal */
---- readconf.c.orig 2019-07-19 12:13:18.000312000 -0700
-+++ readconf.c 2019-07-19 12:13:29.614552000 -0700
-@@ -63,11 +63,11 @@
- #include "readconf.h"
- #include "match.h"
- #include "kex.h"
-+#include "ssh-gss.h"
- #include "mac.h"
- #include "uidswap.h"
- #include "myproposal.h"
- #include "digest.h"
--#include "ssh-gss.h"
- 
- /* Format of the configuration file:
- 
---- servconf.c.orig 2019-07-19 12:14:42.078398000 -0700
-+++ servconf.c 2019-07-19 12:14:43.543687000 -0700
-@@ -54,6 +54,7 @@
- #include "sshkey.h"
- #include "kex.h"
- #include "mac.h"
-+#include "ssh-gss.h"
- #include "match.h"
- #include "channels.h"
- #include "groupaccess.h"
-@@ -64,7 +65,6 @@
- #include "auth.h"
- #include "myproposal.h"
- #include "digest.h"
--#include "ssh-gss.h"
- 
- static void add_listen_addr(ServerOptions *, const char *,
- const char *, int);
diff --git a/security/openssh-portable.OTHER/files/extra-patch-ldns b/security/openssh-portable.OTHER/files/extra-patch-ldns
deleted file mode 100644
index 2d06f10..0000000
--- a/security/openssh-portable.OTHER/files/extra-patch-ldns
+++ /dev/null
@@ -1,51 +0,0 @@
-r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
-Changed paths:
- M /head/crypto/openssh/readconf.c
- M /head/crypto/openssh/ssh_config
- M /head/crypto/openssh/ssh_config.5
-
-Change the default value of VerifyHostKeyDNS to "yes" if compiled with
-LDNS. With that setting, OpenSSH will silently accept host keys that
-match verified SSHFP records. If an SSHFP record exists but could not
-be verified, OpenSSH will print a message and prompt the user as usual.
-
---- readconf.c 2013-10-03 08:15:03.496131082 -0500
-+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
-@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
- options->rekey_limit = 0;
- if (options->rekey_interval == -1)
- options->rekey_interval = 0;
-+#if HAVE_LDNS
-+ if (options->verify_host_key_dns == -1)
-+ /* automatically trust a verified SSHFP record */
-+ options->verify_host_key_dns = 1;
-+#else
- if (options->verify_host_key_dns == -1)
- options->verify_host_key_dns = 0;
-+#endif
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
---- ssh_config 2013-10-03 08:15:03.537131330 -0500
-+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
-@@ -44,5 +44,6 @@
- # TunnelDevice any:any
- # PermitLocalCommand no
- # VisualHostKey no
-+# VerifyHostKeyDNS yes
- # ProxyCommand ssh -q -W %h:%p gateway.example.com
- # RekeyLimit 1G 1h
---- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800
-+++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800
-@@ -1635,7 +1635,10 @@ need to confirm new host keys according
- .Cm StrictHostKeyChecking
- option.
- The default is
--.Cm no .
-+.Cm yes
-+if compiled with LDNS and
-+.Cm no
-+otherwise.
- .Pp
- See also
- .Sx VERIFYING HOST KEYS
diff --git a/security/openssh-portable.OTHER/files/extra-patch-pam-sshd_config b/security/openssh-portable.OTHER/files/extra-patch-pam-sshd_config
deleted file mode 100644
index 9b6b261..0000000
--- a/security/openssh-portable.OTHER/files/extra-patch-pam-sshd_config
+++ /dev/null
@@ -1,31 +0,0 @@
---- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000
-+++ sshd_config 2022-02-11 19:20:45.334738000 +0000
-@@ -55,8 +55,8 @@
- # Don't read the user's ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
- 
--# To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
-+# To enable tunneled clear text passwords, change to yes here!
-+#PasswordAuthentication no
- #PermitEmptyPasswords no
- 
- # Change to no to disable s/key passwords
-@@ -72,7 +72,7 @@
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
- 
--# Set this to 'yes' to enable PAM authentication, account processing,
-+# Set this to 'no' to disable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
- # be allowed through the KbdInteractiveAuthentication and
- # PasswordAuthentication. Depending on your PAM configuration,
-@@ -81,7 +81,7 @@
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and KbdInteractiveAuthentication to 'no'.
--#UsePAM no
-+#UsePAM yes
- 
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
diff --git a/security/openssh-portable.OTHER/files/extra-patch-tcpwrappers b/security/openssh-portable.OTHER/files/extra-patch-tcpwrappers
deleted file mode 100644
index 5d9e8ac..0000000
--- a/security/openssh-portable.OTHER/files/extra-patch-tcpwrappers
+++ /dev/null
@@ -1,151 +0,0 @@ -Revert TCPWRAPPER removal -bdrewery - -commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 -Author: Damien Miller -Date: Sun Apr 20 13:22:18 2014 +1000 - - - tedu@cvs.openbsd.org 2014/03/26 19:58:37 - [sshd.8 sshd.c] - remove libwrap support. ok deraadt djm mfriedl - -diff --git sshd.8 sshd.8 -index 289e13d..e6a900b 100644 ---- sshd.8 -+++ sshd.8 -@@ -851,6 +851,12 @@ the user's home directory becomes accessible. - This file should be writable only by the user, and need not be - readable by anyone else. - .Pp -+.It Pa /etc/hosts.allow -+.It Pa /etc/hosts.deny -+Access controls that should be enforced by tcp-wrappers are defined here. -+Further details are described in -+.Xr hosts_access 5 . -+.Pp - .It Pa /etc/hosts.equiv - This file is for host-based authentication (see - .Xr ssh 1 ) . -@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. - .Xr ssh-keygen 1 , - .Xr ssh-keyscan 1 , - .Xr chroot 2 , -+.Xr hosts_access 5 , - .Xr login.conf 5 , - .Xr moduli 5 , - .Xr sshd_config 5 , ---- sshd-session.c.orig 2024-07-01 13:26:10.677919000 -0700 -+++ sshd-session.c 2024-07-01 13:26:58.873906000 -0700 -@@ -110,6 +110,13 @@ - #include "srclimit.h" - #include "dh.h" - -+#ifdef LIBWRAP -+#include -+#include -+int allow_severity; -+int deny_severity; -+#endif /* LIBWRAP */ -+ - /* Re-exec fds */ - #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) - #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -@@ -1256,7 +1263,26 @@ main(int ac, char **av) - #endif - - rdomain = ssh_packet_rdomain_in(ssh); -+ -+#ifdef LIBWRAP -+ allow_severity = options.log_facility|LOG_INFO; -+ deny_severity = options.log_facility|LOG_WARNING; -+ /* Check whether logins are denied from this host. 
*/
-+ if (ssh_packet_connection_is_on_socket(ssh)) {
-+ struct request_info req;
- 
-+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
-+ fromhost(&req);
-+
-+ if (!hosts_access(&req)) {
-+ debug("Connection refused by tcp wrapper");
-+ refuse(&req);
-+ /* NOTREACHED */
-+ fatal("libwrap refuse returns");
-+ }
-+ }
-+#endif /* LIBWRAP */
-+
- /* Log the connection. */
- laddr = get_local_ipaddr(sock_in);
- verbose("Connection from %s port %d on %s port %d%s%s%s",
---- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800
-+++ configure.ac 2022-03-02 12:47:49.958341000 -0800
-@@ -1599,6 +1599,62 @@ else
- AC_MSG_RESULT([no])
- fi
- 
-+# Check whether user wants TCP wrappers support
-+TCPW_MSG="no"
-+AC_ARG_WITH([tcp-wrappers],
-+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
-+ [
-+ if test "x$withval" != "xno" ; then
-+ saved_LIBS="$LIBS"
-+ saved_LDFLAGS="$LDFLAGS"
-+ saved_CPPFLAGS="$CPPFLAGS"
-+ if test -n "${withval}" && \
-+ test "x${withval}" != "xyes"; then
-+ if test -d "${withval}/lib"; then
-+ if test -n "${need_dash_r}"; then
-+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-+ else
-+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-+ fi
-+ else
-+ if test -n "${need_dash_r}"; then
-+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-+ else
-+ LDFLAGS="-L${withval} ${LDFLAGS}"
-+ fi
-+ fi
-+ if test -d "${withval}/include"; then
-+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-+ else
-+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
-+ fi
-+ fi
-+ LIBS="-lwrap $LIBS"
-+ AC_MSG_CHECKING([for libwrap])
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-+#include
-+#include
-+#include
-+#include
-+int deny_severity = 0, allow_severity = 0;
-+ ]], [[
-+ hosts_access(0);
-+ ]])], [
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE([LIBWRAP], [1],
-+ [Define if you want
-+ TCP Wrappers support])
-+ SSHDLIBS="$SSHDLIBS -lwrap"
-+ TCPW_MSG="yes"
-+ ], [
-+ AC_MSG_ERROR([*** libwrap missing])
-+
-+ ])
-+ LIBS="$saved_LIBS"
-+ fi
-+ ]
-+)
-+
- # Check
whether user wants to use ldns
- LDNS_MSG="no"
- AC_ARG_WITH(ldns,
-@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG"
- echo " OSF SIA support: $SIA_MSG"
- echo " KerberosV support: $KRB5_MSG"
- echo " SELinux support: $SELINUX_MSG"
-+echo " TCP Wrappers support: $TCPW_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " libldns support: $LDNS_MSG"
- echo " Solaris process contract support: $SPC_MSG"
diff --git a/security/openssh-portable.OTHER/files/extra-patch-version-addendum b/security/openssh-portable.OTHER/files/extra-patch-version-addendum
deleted file mode 100644
index b10e1c6..0000000
--- a/security/openssh-portable.OTHER/files/extra-patch-version-addendum
+++ /dev/null
@@ -1,5 +0,0 @@
---- servconf.c.orig 2015-03-28 23:08:41.296700000 -0500
-+++ servconf.c 2015-03-28 23:08:54.016291000 -0500
-@@ -318 +318 @@
-- options->version_addendum = xstrdup("");
-+ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD_PORT);
diff --git a/security/openssh-portable.OTHER/files/openssh.in b/security/openssh-portable.OTHER/files/openssh.in
deleted file mode 100644
index 9526a70..0000000
--- a/security/openssh-portable.OTHER/files/openssh.in
+++ /dev/null
@@ -1,179 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: openssh
-# REQUIRE: DAEMON
-# KEYWORD: shutdown
-#
-# Add the following lines to /etc/rc.conf to enable openssh:
-#
-# openssh_enable (bool): Set it to "YES" to enable openssh.
-# Default is "NO".
-# openssh_flags (flags): Set extra flags to openssh.
-# Default is "". see sshd(1).
-# openssh_pidfile (file): Set full path to pid file.
-
-. /etc/rc.subr
-
-name="openssh"
-rcvar=openssh_enable
-
-load_rc_config ${name}
-
-: ${openssh_enable:="NO"}
-: ${openssh_skipportscheck="NO"}
-
-# These only control ssh-keygen automatically generating host keys.
-: ${openssh_dsa_enable="YES"}
-: ${openssh_dsa_flags=""}
-: ${openssh_rsa_enable="YES"}
-: ${openssh_rsa_flags=""}
-: ${openssh_ecdsa_enable="YES"}
-: ${openssh_ecdsa_flags=""}
-: ${openssh_ed25519_enable="YES"}
-: ${openssh_ed25519_flags=""}
-
-command=%%PREFIX%%/sbin/sshd
-extra_commands="configtest reload keygen"
-start_precmd="${name}_checks"
-reload_precmd="${name}_checks"
-restart_precmd="${name}_checks"
-configtest_cmd="${name}_configtest"
-keygen_cmd="${name}_keygen"
-pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
-
-openssh_keygen()
-{
- local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
- checkyesno openssh_dsa_enable || skip_dsa=y
- checkyesno openssh_rsa_enable || skip_rsa=y
- checkyesno openssh_ecdsa_enable || skip_ecdsa=y
- checkyesno openssh_ed25519_enable || skip_ed25519=y
-
- if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
- \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
- \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
- \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
- return 0
- fi
-
- umask 022
-
- # Can't do anything if ssh is not installed
- [ -x %%PREFIX%%/bin/ssh-keygen ] ||
- err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
-
- if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
- echo "You already have a DSA host key" \
- "in %%ETCDIR%%/ssh_host_dsa_key"
- echo "Skipping protocol version 2 DSA Key Generation"
- elif checkyesno openssh_dsa_enable; then
- %%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
- -f %%ETCDIR%%/ssh_host_dsa_key -N ''
- fi
-
- if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then
- echo "You already have a RSA host key" \
- "in %%ETCDIR%%/ssh_host_rsa_key"
- echo "Skipping protocol version 2 RSA Key Generation"
- elif checkyesno openssh_rsa_enable; then
- %%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
- -f %%ETCDIR%%/ssh_host_rsa_key -N ''
- fi
-
- if [ -f %%ETCDIR%%/ssh_host_ecdsa_key ]; then
- echo "You already have a Elliptic Curve DSA host key" \
- "in %%ETCDIR%%/ssh_host_ecdsa_key"
- echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
- elif checkyesno openssh_ecdsa_enable; then
- %%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
- -f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
- fi
-
- if [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
- echo "You already have a Elliptic Curve ED25519 host key" \
- "in %%ETCDIR%%/ssh_host_ed25519_key"
- echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
- elif checkyesno openssh_ed25519_enable; then
- %%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
- -f %%ETCDIR%%/ssh_host_ed25519_key -N ''
- fi
-}
-
-openssh_check_same_ports(){
- # check if opensshd don't use base system sshd's port
- #
- # openssh binds ports in priority (lowest first):
- # Port from sshd_config
- # -p option from command line
- # ListenAddress addr:port from sshd_config
-
-
- #check if opensshd-portable installed in replacement of base sshd
- if [ "%%ETCDIR%%" = "/etc/ssh" ]; then
- return 1
- fi
-
- self_port=$(awk '$1~/^ListenAddress/ \
- {mlen=match($0,":[0-9]*$"); print \
- substr($0,mlen+1,length($0)-mlen)}' %%ETCDIR%%/sshd_config)
- if [ -z "$self_port" ]; then
- self_port=$(echo $openssh_flags | awk \
- 
'{for (i = 1; i <= NF; i++) if ($i == "-p") \
- {i++; printf "%s", $i; break; }; }')
- if [ -z "$self_port" ]; then
- self_port=$(awk '$1~/^Port/ {print $2}' \
- %%ETCDIR%%/sshd_config)
- fi
- fi
- # assume default 22 port
- if [ -z "$self_port" ]; then
- self_port=22
- fi
-
- load_rc_config "sshd"
-
- base_sshd_port=$(awk '$1~/^ListenAddress/ \
- {mlen=match($0,":[0-9]*$"); print \
- substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config)
- if [ -z "$base_sshd_port" ]; then
- base_sshd_port=$(echo $sshd_flags | awk \
- '{for (i = 1; i <= NF; i++) if ($i == "-p") \
- {i++; printf "%s", $i; break; }; }')
- if [ -z "$base_sshd_port" ]; then
- base_sshd_port=$(awk '$1~/^Port/ {print $2}' \
- /etc/ssh/sshd_config)
- fi
- fi
- if [ -z "$base_sshd_port" ]; then
- base_sshd_port=22
- fi
-
- # self_port and base_sshd_port may have multiple values. Compare them all
- for sport in ${self_port}; do
- for bport in ${base_sshd_port}; do
- [ ${sport} -eq ${bport} ] && return 0
- done
- done
-
- return 1
-}
-
-openssh_configtest()
-{
- echo "Performing sanity check on ${name} configuration."
- eval ${command} ${openssh_flags} -t
-}
-
-openssh_checks()
-{
- if checkyesno sshd_enable ; then
- if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then
- err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port"
- fi
- fi
-
- openssh_keygen
- openssh_configtest
-}
-
-run_rc_command "$1"
diff --git a/security/openssh-portable.OTHER/files/patch-regress__test-exec.sh b/security/openssh-portable.OTHER/files/patch-regress__test-exec.sh
deleted file mode 100644
index 0213e8c..0000000
--- a/security/openssh-portable.OTHER/files/patch-regress__test-exec.sh
+++ /dev/null
@@ -1,10 +0,0 @@
---- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 UTC
-+++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500
-@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
- LogLevel DEBUG3
- AcceptEnv _XXX_TEST_*
- AcceptEnv _XXX_TEST
-+ PermitRootLogin yes
- Subsystem sftp $SFTPSERVER
- EOF
- 
diff --git a/security/openssh-portable.OTHER/files/patch-servconf.c b/security/openssh-portable.OTHER/files/patch-servconf.c
deleted file mode 100644
index 33ead18..0000000
--- a/security/openssh-portable.OTHER/files/patch-servconf.c
+++ /dev/null
@@ -1,52 +0,0 @@
-r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/myproposal.h
- M /head/crypto/openssh/readconf.c
- M /head/crypto/openssh/servconf.c
-
-Apply FreeBSD's configuration defaults.
-
---- servconf.c.orig 2024-07-01 13:30:30.284417000 -0700
-+++ servconf.c 2024-07-01 13:31:20.040132000 -0700
-@@ -46,6 +46,7 @@
- # include "openbsd-compat/glob.h"
- #endif
- 
-+#include "version.h"
- #include "openbsd-compat/sys-queue.h"
- #include "xmalloc.h"
- #include "ssh.h"
-@@ -295,7 +296,11 @@ fill_default_server_options(ServerOptions *options)
- 
- /* Portable-specific options */
- if (options->use_pam == -1)
-- options->use_pam = 0;
-+#ifdef USE_PAM
-+ options->use_pam = 1;
-+#else
-+ options->use_pam = 0;
-+#endif
- if (options->pam_service_name == NULL)
- options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
- 
-@@ -339,7 +344,7 @@ fill_default_server_options(ServerOptions *options)
- if (options->print_lastlog == -1)
- options->print_lastlog = 1;
- if (options->x11_forwarding == -1)
-- options->x11_forwarding = 0;
-+ options->x11_forwarding = 1;
- if (options->x11_display_offset == -1)
- options->x11_display_offset = 10;
- if (options->x11_use_localhost == -1)
-@@ -381,7 +386,11 @@ fill_default_server_options(ServerOptions *options)
- if (options->gss_strict_acceptor == -1)
- options->gss_strict_acceptor = 1;
- if (options->password_authentication == -1)
-+#ifdef USE_PAM
-+ options->password_authentication = 0;
-+#else
- options->password_authentication = 1;
-+#endif
- if (options->kbd_interactive_authentication == -1)
- options->kbd_interactive_authentication = 1;
- if (options->permit_empty_passwd == -1)
diff --git a/security/openssh-portable.OTHER/files/patch-session.c b/security/openssh-portable.OTHER/files/patch-session.c
deleted file mode 100644
index b0b9e08..0000000
--- a/security/openssh-portable.OTHER/files/patch-session.c
+++ /dev/null
@@ -1,78 +0,0 @@
-bdrewery:
- - Refactor and simplify original commit.
- - Stop setting TERM=su without a term.
-
------------------------------------------------------------------------
-r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines
-Changed paths:
- M /head/crypto/openssh/session.c
-
-Make sure the environment variables set by setusercontext() are passed on
-to the child process.
-
-Reviewed by: ache
-Sponsored by: DARPA, NAI Labs
-
---- session.c.orig 2021-04-15 20:55:25.000000000 -0700
-+++ session.c 2021-04-27 13:11:13.515917000 -0700
-@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
- }
- #endif /* HAVE_ETC_DEFAULT_LOGIN */
- 
--#if defined(USE_PAM) || defined(HAVE_CYGWIN)
-+#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
- static void
- copy_environment_denylist(char **source, char ***env, u_int *envsize,
- const char *denylist)
-@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
- # endif /* HAVE_CYGWIN */
- #endif /* HAVE_LOGIN_CAP */
- 
-- if (!options.use_pam) {
-+ /* FreeBSD PAM doesn't set default "MAIL" */
-+ if (1 || !options.use_pam) {
- snprintf(buf, sizeof buf, "%.200s/%.50s",
- _PATH_MAILDIR, pw->pw_name);
- child_set_env(&env, &envsize, "MAIL", buf);
-@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
- 
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-+#ifdef HAVE_LOGIN_CAP
-+ /* Load environment from /etc/login.conf setenv directives.
*/
-+ {
-+ extern char **environ;
-+ char **senv, **var;
-+
-+ senv = environ;
-+ environ = xmalloc(sizeof(char *));
-+ *environ = NULL;
-+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
-+ copy_environment_denylist(environ, &env, &envsize, NULL);
-+ for (var = environ; *var != NULL; ++var)
-+ free(*var);
-+ free(environ);
-+ environ = senv;
-+ }
-+#endif
- if (s->term)
- child_set_env(&env, &envsize, "TERM", s->term);
- if (s->display)
-@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
- #ifdef HAVE_LOGIN_CAP
- if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
- return;
-- nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
-+ nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl);
- #else
- if (pw->pw_uid == 0)
- return;
-@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
- if (platform_privileged_uidswap()) {
- #ifdef HAVE_LOGIN_CAP
- if (setusercontext(lc, pw, pw->pw_uid,
-- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
- perror("unable to set user context");
- exit(1);
- }
diff --git a/security/openssh-portable.OTHER/files/patch-ssh-agent.1 b/security/openssh-portable.OTHER/files/patch-ssh-agent.1
deleted file mode 100644
index 8e5a977..0000000
--- a/security/openssh-portable.OTHER/files/patch-ssh-agent.1
+++ /dev/null
@@ -1,26 +0,0 @@
---- UTC
-r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
-
-Add a -x option that causes ssh-agent(1) to exit when all clients have
-disconnected.
-
---- ssh-agent.1.orig 2020-02-13 16:40:54.000000000 -0800
-+++ ssh-agent.1 2020-03-21 17:03:22.952068000 -0700
-@@ -43,7 +43,7 @@
- .Sh SYNOPSIS
- .Nm ssh-agent
- .Op Fl c | s
--.Op Fl \&Dd
-+.Op Fl \&Ddx
- .Op Fl a Ar bind_address
- .Op Fl E Ar fingerprint_hash
- .Op Fl P Ar provider_whitelist
-@@ -125,6 +125,8 @@ A lifetime specified for an identity with
- .Xr ssh-add 1
- overrides this value.
- Without this option the default maximum lifetime is forever.
-+.It Fl x
-+Exit after the last client has disconnected.
- .It Ar command Op Ar arg ...
- If a command (and optional arguments) is given,
- this is executed as a subprocess of the agent.
diff --git a/security/openssh-portable.OTHER/files/patch-ssh-agent.c b/security/openssh-portable.OTHER/files/patch-ssh-agent.c
deleted file mode 100644
index cd85012..0000000
--- a/security/openssh-portable.OTHER/files/patch-ssh-agent.c
+++ /dev/null
@@ -1,97 +0,0 @@
---- UTC
-r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
-
-Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
-
-r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
-
-Add a -x option that causes ssh-agent(1) to exit when all clients have
-disconnected.
-
---- ssh-agent.c.orig 2023-12-18 06:59:50.000000000 -0800
-+++ ssh-agent.c 2023-12-19 17:16:22.128981000 -0800
-@@ -196,11 +196,28 @@
- /* Refuse signing of non-SSH messages for web-origin FIDO keys */
- static int restrict_websafe = 1;
- 
-+/*
-+ * Client connection count; incremented in new_socket() and decremented in
-+ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
-+ * normally initialized to 1, it will never reach 0. However, if the -x
-+ * option is specified, it is initialized to 0 in main(); in that case,
-+ * ssh-agent will exit as soon as it has had at least one client but no
-+ * longer has any.
-+ */
-+static int xcount = 1;
-+
- static void
- close_socket(SocketEntry *e)
- {
- size_t i;
-+ int last = 0;
- 
-+ if (e->type == AUTH_CONNECTION) {
-+ debug("xcount %d -> %d", xcount, xcount - 1);
-+ if (--xcount == 0)
-+ last = 1;
-+ }
-+
- close(e->fd);
- sshbuf_free(e->input);
- sshbuf_free(e->output);
-@@ -213,6 +230,8 @@
- memset(e, '\0', sizeof(*e));
- e->fd = -1;
- e->type = AUTH_UNUSED;
-+ if (last)
-+ cleanup_exit(0);
- }
- 
- static void
-@@ -1893,6 +1912,10 @@
- 
- debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
- (type == AUTH_SOCKET ?
"SOCKET" : "UNKNOWN"));
-+ if (type == AUTH_CONNECTION) {
-+ debug("xcount %d -> %d", xcount, xcount + 1);
-+ ++xcount;
-+ }
- set_nonblock(fd);
- 
- if (fd > max_fd)
-@@ -2184,7 +2207,7 @@
- usage(void)
- {
- fprintf(stderr,
-- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
-+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- " [-O option] [-P allowed_providers] [-t life]\n"
- " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
- " [-P allowed_providers] [-t life] command [arg ...]\n"
-@@ -2218,6 +2241,7 @@
- /* drop */
- (void)setegid(getgid());
- (void)setgid(getgid());
-+ (void)setuid(geteuid());
- 
- platform_disable_tracing(0); /* strict=no */
- 
-@@ -2229,7 +2253,7 @@
- __progname = ssh_get_progname(av[0]);
- seed_rng();
- 
-- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
-+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
- switch (ch) {
- case 'E':
- fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -2280,6 +2304,9 @@
- fprintf(stderr, "Invalid lifetime\n");
- usage();
- }
-+ break;
-+ case 'x':
-+ xcount = 0;
- break;
- default:
- usage();
diff --git a/security/openssh-portable.OTHER/files/patch-ssh.c b/security/openssh-portable.OTHER/files/patch-ssh.c
deleted file mode 100644
index c49535d..0000000
--- a/security/openssh-portable.OTHER/files/patch-ssh.c
+++ /dev/null
@@ -1,33 +0,0 @@
---- UTC
-r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/ssh.c
-
-Canonicize the host name before looking it up in the host file.
-
---- ssh.c.orig 2018-04-02 05:38:28 UTC
-+++ ssh.c
-@@ -1281,6 +1281,23 @@ main(int ac, char **av)
- ssh_digest_free(md);
- conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
- 
-+ /* Find canonic host name. */
-+ if (strchr(host, '.') == 0) {
-+ struct addrinfo hints;
-+ struct addrinfo *ai = NULL;
-+ int errgai;
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = options.address_family;
-+ hints.ai_flags = AI_CANONNAME;
-+ hints.ai_socktype = SOCK_STREAM;
-+ errgai = getaddrinfo(host, NULL, &hints, &ai);
-+ if (errgai == 0) {
-+ if (ai->ai_canonname != NULL)
-+ host = xstrdup(ai->ai_canonname);
-+ freeaddrinfo(ai);
-+ }
-+ }
-+
- /*
- * Expand tokens in arguments. NB. LocalCommand is expanded later,
- * after port-forwarding is set up, so it may pick up any local
diff --git a/security/openssh-portable.OTHER/files/patch-ssh_config.5 b/security/openssh-portable.OTHER/files/patch-ssh_config.5
deleted file mode 100644
index 8c0e2bf..0000000
--- a/security/openssh-portable.OTHER/files/patch-ssh_config.5
+++ /dev/null
@@ -1,13 +0,0 @@
---- UTC
-
---- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800
-+++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800
-@@ -434,6 +433,8 @@ in the process, regardless of the setting of
- If the option is set to
- .Cm no ,
- the check will not be executed.
-+The default is
-+.Cm no .
- .It Cm Ciphers
- Specifies the ciphers allowed and their order of preference.
- Multiple ciphers must be comma-separated.
diff --git a/security/openssh-portable.OTHER/files/patch-sshd.8 b/security/openssh-portable.OTHER/files/patch-sshd.8
deleted file mode 100644
index 4d2a477..0000000
--- a/security/openssh-portable.OTHER/files/patch-sshd.8
+++ /dev/null
@@ -1,26 +0,0 @@
---- UTC
-Document FreeBSD/port-specific paths
-
---- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600
-+++ sshd.8 2010-09-14 16:14:14.000000000 -0600
-@@ -70,7 +70,7 @@
- .Nm
- listens for connections from clients.
- It is normally started at boot from
--.Pa /etc/rc .
-+.Pa /usr/local/etc/rc.d/openssh .
- It forks a new
- daemon for each incoming connection.
- The forked daemons handle
-@@ -384,8 +384,9 @@
- If the login is on a tty, records login time.
- .It
- Checks
--.Pa /etc/nologin ;
--if it exists, prints contents and quits
-+.Pa /etc/nologin and
-+.Pa /var/run/nologin ;
-+if one exists, it prints the contents and quits
- (unless root).
- .It
- Changes to run with normal user privileges.
diff --git a/security/openssh-portable.OTHER/files/patch-sshd.c b/security/openssh-portable.OTHER/files/patch-sshd.c
deleted file mode 100644
index 6d522d5..0000000
--- a/security/openssh-portable.OTHER/files/patch-sshd.c
+++ /dev/null
@@ -1,101 +0,0 @@
---- UTC
-r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines
-Changed paths:
- M /head/crypto/openssh/sshd.c
-
-Force early initialization of the resolver library, since the resolver
-configuration files will no longer be available once sshd is chrooted.
-
-PR: 39953, 40894
-Submitted by: dinoex
-
-r199804 | attilio | 2009-11-25 09:12:24 -0600 (Wed, 25 Nov 2009) | 13 lines
-Changed paths:
- M /head/crypto/openssh/sshd.c
- M /head/usr.sbin/cron/cron/cron.c
- M /head/usr.sbin/inetd/inetd.c
- M /head/usr.sbin/syslogd/syslogd.c
-
-Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap
-environments.
-Please note that this can't be done while such processes run in jails.
-
-Note: in future it would be interesting to find a way to do that
-selectively for any desired proccess (choosen by user himself), probabilly
-via a ptrace interface or whatever.
-
-r206397 | kib | 2010-04-08 07:07:40 -0500 (Thu, 08 Apr 2010) | 8 lines
-Changed paths:
- M /head/crypto/openssh/sshd.c
-
-Enhance r199804 by marking the daemonised child as immune to OOM instead
-of short-living parent. Only mark the master process that accepts
-connections, do not protect connection handlers spawned from inetd.
-
-
---- sshd.c.orig 2024-06-30 21:36:28.000000000 -0700
-+++ sshd.c 2024-07-01 13:44:05.739756000 -0700
-@@ -28,6 +28,7 @@
-
- #include
- #include
-+#include
- #include
- #ifdef HAVE_SYS_STAT_H
- # include
-@@ -69,6 +70,13 @@
- #include
- #endif
-
-+#ifdef __FreeBSD__
-+#include
-+#ifdef GSSAPI
-+#include "ssh-gss.h"
-+#endif
-+#endif
-+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "sshpty.h"
-@@ -1671,7 +1679,30 @@ main(int ac, char **av)
- for (i = 0; i < options.num_log_verbose; i++)
- log_verbose_add(options.log_verbose[i]);
-
-+#ifdef __FreeBSD__
- /*
-+ * Initialize the resolver. This may not happen automatically
-+ * before privsep chroot().
-+ */
-+ if ((_res.options & RES_INIT) == 0) {
-+ debug("res_init()");
-+ res_init();
-+ }
-+#ifdef GSSAPI
-+ /*
-+ * Force GSS-API to parse its configuration and load any
-+ * mechanism plugins.
-+ */
-+ {
-+ gss_OID_set mechs;
-+ OM_uint32 minor_status;
-+ gss_indicate_mechs(&minor_status, &mechs);
-+ gss_release_oid_set(&minor_status, &mechs);
-+ }
-+#endif
-+#endif
-+
-+ /*
- * If not in debugging mode, not started from inetd and not already
- * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
- * terminal, and fork. The original process exits.
-@@ -1687,6 +1718,10 @@ main(int ac, char **av)
- /* Reinitialize the log (because of the fork above). */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
-+ /* Avoid killing the process in high-pressure swapping environments. */
-+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ debug("madvise(): %.200s", strerror(errno));
-+
- /*
- * Chdir to the root directory so that the current disk can be
- * unmounted if desired.
diff --git a/security/openssh-portable.OTHER/files/patch-sshd_config b/security/openssh-portable.OTHER/files/patch-sshd_config
deleted file mode 100644
index c194964..0000000
--- a/security/openssh-portable.OTHER/files/patch-sshd_config
+++ /dev/null
@@ -1,34 +0,0 @@
-!!!
-!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
-!!!
---- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000
-+++ sshd_config 2022-02-11 18:52:31.639435000 +0000
-@@ -10,6 +10,9 @@
- # possible, but leave them commented. Uncommented options override the
- # default value.
-
-+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
-+# FreeBSD has a few additional options.
-+
- #Port 22
- #AddressFamily any
- #ListenAddress 0.0.0.0
-@@ -37,8 +40,7 @@
- #PubkeyAuthentication yes
-
- # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
--# but this is overridden so installations will only check .ssh/authorized_keys
--AuthorizedKeysFile .ssh/authorized_keys
-+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
- #AuthorizedPrincipalsFile none
-
-@@ -84,7 +86,7 @@
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
- #GatewayPorts no
--#X11Forwarding no
-+#X11Forwarding yes
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PermitTTY yes
diff --git a/security/openssh-portable.OTHER/files/patch-sshd_config.5 b/security/openssh-portable.OTHER/files/patch-sshd_config.5
deleted file mode 100644
index 15d3ff7..0000000
--- a/security/openssh-portable.OTHER/files/patch-sshd_config.5
+++ /dev/null
@@ -1,57 +0,0 @@
---- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000
-+++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000
-@@ -701,7 +701,9 @@
- .Qq ssh -Q HostbasedAcceptedAlgorithms .
- This was formerly named HostbasedAcceptedKeyTypes.
- .It Cm HostbasedAuthentication
--Specifies whether rhosts or /etc/hosts.equiv authentication together
-+Specifies whether rhosts or
-+.Pa /etc/hosts.equiv
-+authentication together
- with successful public key client host authentication is allowed
- (host-based authentication).
- The default is
-@@ -1416,6 +1434,13 @@
- .Cm ethernet .
- The default is
- .Cm no .
-+Note that if
-+.Cm ChallengeResponseAuthentication
-+is
-+.Cm yes ,
-+the root user may be allowed in with its password even if
-+.Cm PermitRootLogin is set to
-+.Cm without-password .
- .Pp
- Independent of this setting, the permissions of the selected
- .Xr tun 4
-@@ -1774,12 +1799,19 @@
- .Xr sshd 8
- as a non-root user.
- The default is
-+.Cm yes ,
-+unless
-+.Nm sshd
-+was built without PAM support, in which case the default is
- .Cm no .
- .It Cm VersionAddendum
- Optionally specifies additional text to append to the SSH protocol banner
- sent by the server upon connection.
- The default is
--.Cm none .
-+.Cm %%SSH_VERSION_FREEBSD_PORT%% .
-+The value
-+.Cm none
-+may be used to disable this.
- .It Cm X11DisplayOffset
- Specifies the first display number available for
- .Xr sshd 8 Ns 's
-@@ -1793,7 +1825,7 @@
- or
- .Cm no .
- The default is
--.Cm no .
-+.Cm yes .
- .Pp
- When X11 forwarding is enabled, there may be additional exposure to
- the server and to client displays if the
diff --git a/security/openssh-portable.OTHER/pkg-descr b/security/openssh-portable.OTHER/pkg-descr
deleted file mode 100644
index d9dee49..0000000
--- a/security/openssh-portable.OTHER/pkg-descr
+++ /dev/null
@@ -1,13 +0,0 @@
-OpenBSD's OpenSSH portable version
-
-Normal OpenSSH development produces a very small, secure, and easy to maintain
-version for the OpenBSD project. The OpenSSH Portability Team takes that pure
-version and adds portability code so that OpenSSH can run on many other
-operating systems (Unfortunately, in particular since OpenSSH does
-authentication, it runs into a *lot* of differences between Unix operating
-systems).
-
-The portable OpenSSH follows development of the official version, but releases
-are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
-The official OpenBSD source will never use the 'p' suffix, but will instead
-increment the version number when they hit 'stable spots' in their development.
diff --git a/security/openssh-portable.OTHER/pkg-message b/security/openssh-portable.OTHER/pkg-message
deleted file mode 100644
index 0349c92..0000000
--- a/security/openssh-portable.OTHER/pkg-message
+++ /dev/null
@@ -1,22 +0,0 @@
-[
-{ type: install
- message: <