kiwi/klara-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Openssh is back

Browse Source
This commit is contained in:
Xavier Beaudouin
2024-10-23 15:20:21 +02:00
parent f3b44ec049
commit dd20e2937d
28 changed files with 3108 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

242
security/openssh-portable/Makefile Normal file
View File

@ -0,0 +1,242 @@
PORTNAME= openssh
DISTVERSION= 9.9p1
PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable
PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
WWW= https://www.openssh.com/portable.html
LICENSE= OPENSSH
LICENSE_NAME= OpenSSH Licenses
LICENSE_FILE= ${WRKSRC}/LICENCE
LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel
USES= alias autoreconf compiler:c11 cpe localbase ncurses \
pkgconfig ssl
GNU_CONFIGURE= yes
GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share
CONFIGURE_ARGS= --prefix=${PREFIX} \
--without-zlib-version-check \
--with-ssl-engine \
--with-mantype=man
ETCOLD= ${PREFIX}/etc
CPE_VENDOR= openbsd
FLAVORS= default hpn gssapi
default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \
openssh-portable-x509
hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \
openssh-portable-x509
hpn_PKGNAMESUFFIX= -portable-hpn
gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \
openssh-portable-x509
gssapi_PKGNAMESUFFIX= -portable-gssapi
OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
HPN KERB_GSSAPI \
LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
.if ${FLAVOR:U} == hpn
OPTIONS_DEFAULT+= HPN NONECIPHER
.endif
.if ${FLAVOR:U} == gssapi
OPTIONS_DEFAULT+= KERB_GSSAPI MIT
.endif
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
BSM_DESC= OpenBSM Auditing
KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
HPN_DESC= HPN-SSH patch
LDNS_DESC= SSHFP/LDNS support
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
NONECIPHER_DESC= NONE Cipher support
XMSS_DESC= XMSS key support (experimental)
FIDO_U2F_DESC= FIDO/U2F support (security/libfido2)
BLACKLISTD_DESC= FreeBSD blacklistd(8) support
OPTIONS_SUB= yes
PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
LDNS_CONFIGURE_WITH= ldns=${LOCALBASE}
LDNS_LIB_DEPENDS= libldns.so:dns/ldns
LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5
HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal
PAM_CONFIGURE_WITH= pam
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
LIBEDIT_CONFIGURE_WITH= libedit
LIBEDIT_USES= libedit
BSM_CONFIGURE_ON= --with-audit=bsm
FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2
FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin
FIDO_U2F_CONFIGURE_OFF= --disable-security-key
BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd
ETCDIR?= ${PREFIX}/etc/ssh
.include <bsd.port.pre.mk>
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
# Needed glue for applying HPN patch without conflict
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
# pull from.
GSSAPI_DEBIAN_VERSION= 9.9p1
GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
# - Debian does not use a versioned filename so we trick fetch to make one for
# us with the ?<anything>=/ trick.
PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
# Bump this when updating the patch location
GSSAPI_DISTVERSION= 9.9p1
PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
.endif
.if ${PORT_OPTIONS:MBLACKLISTD}
CONFIGURE_LIBS+= -lblacklist
.endif
# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
#BROKEN= HPN: Not yet updated for ${DISTVERSION} yet.
PORTDOCS+= HPN-README
HPN_VERSION= 14v15
HPN_DISTVERSION= 7.7p1
#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2
.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
# Apply compatibility patch
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat
.endif
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
# Keep this last
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
. if ${PORT_OPTIONS:MHEIMDAL_BASE}
CONFIGURE_LIBS+= -lgssapi_krb5
CONFIGURE_ARGS+= --with-kerberos5=/usr
. else
CONFIGURE_LIBS+= -lgssapi_krb5
CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE}
. endif
. if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS= # empty
. endif
.else
. if ${PORT_OPTIONS:MKERB_GSSAPI}
IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
. endif
.endif
.if ${OPENSSLBASE} != "/usr"
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.endif
EMPTYDIR= /var/empty
USE_RC_SUBR= openssh
# After all
CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR}
.if !empty(CONFIGURE_LIBS)
CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}'
.endif
CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth
RC_SCRIPT_NAME= openssh
VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME}
CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}}
CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow
SSH_ASKPASS_PATH?= ${LOCALBASE}/bin/ssh-askpass
post-patch:
@${REINPLACE_CMD} \
-e 's|install: \(.*\) host-key check-config|install: \1|g' \
${WRKSRC}/Makefile.in
@${REINPLACE_CMD} \
-e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \
${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac
@${REINPLACE_CMD} \
-e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
${WRKSRC}/sshd_config
@${REINPLACE_CMD} \
-e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
${WRKSRC}/sshd_config.5
@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \
${WRKSRC}/version.h
post-configure-XMSS-on:
@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
post-configure-BLACKLISTD-on:
@${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h
post-install:
${MV} ${STAGEDIR}${ETCDIR}/moduli \
${STAGEDIR}${ETCDIR}/moduli.sample
${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
${STAGEDIR}${ETCDIR}/ssh_config.sample
${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
${STAGEDIR}${ETCDIR}/sshd_config.sample
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
.endif
test: build
cd ${WRKSRC} && ${SETENV} -i \
OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
TEST_SHELL=${SH} \
SUDO="${SUDO}" \
LOGNAME="${LOGNAME}" \
HOME="${HOME}" \
TEST_SSH_TRACE=yes \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
.include <bsd.port.post.mk>

5
security/openssh-portable/distinfo Normal file
View File

@ -0,0 +1,5 @@
TIMESTAMP = 1728410939
SHA256 (openssh-9.9p1.tar.gz) = b343fbcdbff87f15b1986e6e15d6d4fc9a7d36066be6b7fb507087ba8f966c02
SIZE (openssh-9.9p1.tar.gz) = 1964864
SHA256 (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = b8b590024137d54394fd46ebfe32f2b081d0744abdcdcacf6dd30d1c91339864
SIZE (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = 125233

419
security/openssh-portable/files/extra-patch-blacklistd Normal file
View File

@ -0,0 +1,419 @@
--- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700
+++ blacklist.c 2021-04-28 13:56:45.677805000 -0700
@@ -0,0 +1,92 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include <blacklist.h>
+#include "blacklist_client.h"
+
+static struct blacklist *blstate = NULL;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+ LogLevel imlevel;
+
+ switch (priority) {
+ case LOG_ERR:
+ imlevel = SYSLOG_LEVEL_ERROR;
+ break;
+ case LOG_DEBUG:
+ imlevel = SYSLOG_LEVEL_DEBUG1;
+ break;
+ case LOG_INFO:
+ imlevel = SYSLOG_LEVEL_INFO;
+ break;
+ default:
+ imlevel = SYSLOG_LEVEL_DEBUG2;
+ }
+ do_log2(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+ blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action, struct ssh *ssh, const char *msg)
+{
+
+ if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
+ (void)blacklist_r(blstate, action,
+ ssh_packet_get_connection_in(ssh), msg);
+}
--- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800
+++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800
@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+#ifndef BLACKLIST_API_ENUM
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+#endif
+
+#ifdef USE_BLACKLIST
+void blacklist_init(void);
+void blacklist_notify(int, struct ssh *, const char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, ssh, msg)
+
+#endif
+
+
+#endif /* BLACKLIST_CLIENT_H */
--- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ servconf.c 2021-04-28 13:36:19.591999000 -0700
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
options->max_sessions = -1;
options->banner = NULL;
options->use_dns = -1;
+ options->use_blacklist = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->num_authkeys_files = 0;
@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
options->max_sessions = DEFAULT_SESSIONS_MAX;
if (options->use_dns == -1)
options->use_dns = 0;
+ if (options->use_blacklist == -1)
+ options->use_blacklist = 0;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
@@ -506,6 +509,7 @@ typedef enum {
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
sBanner, sUseDNS, sHostbasedAuthentication,
+ sUseBlacklist,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -642,6 +646,8 @@ static struct {
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
+ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
+ { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */,
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
intptr = &options->use_dns;
goto parse_flag;
+ case sUseBlacklist:
+ intptr = &options->use_blacklist;
+ goto parse_flag;
+
case sLogFacility:
log_facility_ptr = &options->log_facility;
arg = strdelim(&cp);
@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
dump_cfg_fmtint(sUseDNS, o->use_dns);
+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
--- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800
+++ servconf.h 2020-11-16 15:51:02.962173000 -0800
@@ -179,6 +179,7 @@ typedef struct {
int max_sessions;
char *banner; /* SSH-2 banner message */
int use_dns;
+ int use_blacklist;
int client_alive_interval; /*
* poke the client this often to
* see if it's still there
--- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800
+++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800
@@ -105,6 +105,7 @@ extern char *__progname;
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "blacklist_client.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info,
sshbuf_free(buffer);
return (0);
}
+ /* XXX: ssh context unavailable here, unclear if this is even needed.
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+ the_active_state, sshpam_authctxt->user);
+ */
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
--- auth.c.orig 2020-11-16 15:52:45.824171000 -0800
+++ auth.c 2020-11-16 15:57:51.091969000 -0800
@@ -76,6 +76,7 @@
#include "ssherr.h"
#include "compat.h"
#include "channels.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti
authmsg = "Postponed";
else if (partial)
authmsg = "Partial";
- else
+ else {
authmsg = authenticated ? "Accepted" : "Failed";
+ if (authenticated)
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh");
+ }
if ((extra = format_method_key(authctxt)) == NULL) {
if (authctxt->auth_method_info != NULL)
@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
aix_restoreauthdb();
#endif
if (pw == NULL) {
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user);
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
--- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800
+++ auth2.c 2020-11-16 17:12:04.852943000 -0800
@@ -58,6 +58,7 @@
#include "monitor_wrap.h"
#include "digest.h"
#include "kex.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct
} else {
/* Invalid user, fake password information */
authctxt->pw = fakepw();
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
#endif
@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
authctxt->failures++;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
+ }
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
--- packet.c.orig 2020-11-16 15:52:45.839070000 -0800
+++ packet.c 2020-11-16 15:56:09.285418000 -0800
@@ -96,6 +96,7 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
+#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh->kex && ssh->kex->failed_choice) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
logdie("Unable to negotiate with %s: %s. "
--- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700
+++ sshd.c 2021-09-10 10:37:17.926747000 -0700
@@ -123,6 +123,7 @@
#include "version.h"
#include "ssherr.h"
#include "sk-api.h"
+#include "blacklist_client.h"
#include "srclimit.h"
#include "dh.h"
@@ -2225,6 +2228,9 @@ main(int ac, char **av)
if ((loginmsg = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
auth_debug_reset();
+
+ if (options.use_blacklist)
+ BLACKLIST_INIT();
if (use_privsep) {
if (privsep_preauth(ssh) == 1)
--- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700
+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700
@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@
+LIBSSH_OBJS+= blacklist.o
+
all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
$(LIBSSH_OBJS): Makefile.in config.h
--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800
+++ sshd_config 2020-11-16 16:57:42.183846000 -0800
@@ -94,6 +94,7 @@
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
+#UseBlacklist no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
--- sshd_config.5.orig 2023-12-18 15:59:50.000000000 +0100
+++ sshd_config.5 2024-01-06 16:36:17.025742000 +0100
@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with
is to never expire connections for having no open channels.
This option may be useful in conjunction with
.Cm ChannelTimeout .
+.It Cm UseBlacklist
+Specifies whether
+.Xr sshd 8
+attempts to send authentication success and failure messages
+to the
+.Xr blacklistd 8
+daemon.
+The default is
+.Cm no .
+For forward compatibility with an upcoming
+.Xr blacklistd
+rename, the
+.Cm UseBlocklist
+alias can be used instead.
.It Cm UseDNS
Specifies whether
.Xr sshd 8
--- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800
+++ monitor.c 2020-11-16 17:25:57.642510000 -0800
@@ -96,6 +96,7 @@
#include "match.h"
#include "ssherr.h"
#include "sk-api.h"
+#include "blacklist_client.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
auth_log(ssh, authenticated, partial,
auth_method, auth_submethod);
- if (!partial && !authenticated)
+ if (!partial && !authenticated) {
authctxt->failures++;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
+ ssh, "ssh");
+ }
if (authenticated || partial) {
auth2_update_session_info(authctxt,
auth_method, auth_submethod);
@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
} else {
/* Log failed attempt */
auth_log(ssh, 0, 0, auth_method, NULL);
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
free(cuser);
free(chost);
}

14
security/openssh-portable/files/extra-patch-gssapi-kexgssc.c Normal file
View File

@ -0,0 +1,14 @@
Fix prototype for DH_get0_key() in kexgssgex_client().
--- kexgssc.c.orig 2020-11-24 12:26:37.222092000 -0800
+++ kexgssc.c 2020-11-24 12:26:54.801490000 -0800
@@ -31,6 +31,9 @@
#include <openssl/crypto.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include "openbsd-compat/openssl-compat.h"
+
#include <string.h>
#include "xmalloc.h"

14
security/openssh-portable/files/extra-patch-gssapi-kexgsss.c Normal file
View File

@ -0,0 +1,14 @@
Fix prototype for DH_get0_key() in kexgssgex_server().
--- kexgsss.c.orig 2020-11-24 12:39:25.548427000 -0800
+++ kexgsss.c 2020-11-24 12:39:47.591119000 -0800
@@ -31,6 +31,9 @@
#include <openssl/crypto.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include "openbsd-compat/openssl-compat.h"
+
#include "xmalloc.h"
#include "sshbuf.h"
#include "ssh2.h"

1300
security/openssh-portable/files/extra-patch-hpn Normal file
View File

File diff suppressed because it is too large Load Diff

46
security/openssh-portable/files/extra-patch-hpn-compat Normal file
View File

@ -0,0 +1,46 @@
------------------------------------------------------------------------
r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
Changed paths:
M /head/crypto/openssh/servconf.c
Instead of removing the NoneEnabled option, mark it as unsupported.
(should have done this in r291198, but didn't think of it until now)
------------------------------------------------------------------------
------------------------------------------------------------------------
r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
Changed paths:
M /head/crypto/openssh/readconf.c
r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------
--- readconf.c.orig 2023-12-19 17:09:41.366788000 -0800
+++ readconf.c 2023-12-19 17:10:24.155247000 -0800
@@ -329,6 +329,12 @@
{ "enableescapecommandline", oEnableEscapeCommandline },
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
{ "channeltimeout", oChannelTimeout },
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
+ { "tcprcvbuf", oDeprecated },
+ { "noneenabled", oUnsupported },
+ { "noneswitch", oUnsupported },
{ NULL, oBadOption }
};
--- servconf.c.orig 2024-09-19 15:20:48.000000000 -0700
+++ servconf.c 2024-10-07 20:18:18.259726000 -0700
@@ -746,6 +746,10 @@ static struct {
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
+ { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
+ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};

57
security/openssh-portable/files/extra-patch-hpn-gss-glue Normal file
View File

@ -0,0 +1,57 @@
--- sshconnect2.c.orig 2019-07-19 11:53:14.918867000 -0700
+++ sshconnect2.c 2019-07-19 11:53:16.911086000 -0700
@@ -159,11 +159,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
char *s, *all_key;
int r;
-#if defined(GSSAPI) && defined(WITH_OPENSSL)
- char *orig = NULL, *gss = NULL;
- char *gss_host = NULL;
-#endif
-
xxx_host = host;
xxx_hostaddr = hostaddr;
@@ -197,6 +192,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
}
#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ char *orig = NULL, *gss = NULL;
+ char *gss_host = NULL;
+
if (options.gss_keyex) {
/* Add the GSSAPI mechanisms currently supported on this
* client to the key exchange algorithm proposal */
--- readconf.c.orig 2019-07-19 12:13:18.000312000 -0700
+++ readconf.c 2019-07-19 12:13:29.614552000 -0700
@@ -63,11 +63,11 @@
#include "readconf.h"
#include "match.h"
#include "kex.h"
+#include "ssh-gss.h"
#include "mac.h"
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
-#include "ssh-gss.h"
/* Format of the configuration file:
--- servconf.c.orig 2019-07-19 12:14:42.078398000 -0700
+++ servconf.c 2019-07-19 12:14:43.543687000 -0700
@@ -54,6 +54,7 @@
#include "sshkey.h"
#include "kex.h"
#include "mac.h"
+#include "ssh-gss.h"
#include "match.h"
#include "channels.h"
#include "groupaccess.h"
@@ -64,7 +65,6 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
-#include "ssh-gss.h"
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);

51
security/openssh-portable/files/extra-patch-ldns Normal file
View File

@ -0,0 +1,51 @@
r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
Changed paths:
M /head/crypto/openssh/readconf.c
M /head/crypto/openssh/ssh_config
M /head/crypto/openssh/ssh_config.5
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
--- readconf.c 2013-10-03 08:15:03.496131082 -0500
+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
options->rekey_limit = 0;
if (options->rekey_interval == -1)
options->rekey_interval = 0;
+#if HAVE_LDNS
+ if (options->verify_host_key_dns == -1)
+ /* automatically trust a verified SSHFP record */
+ options->verify_host_key_dns = 1;
+#else
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+#endif
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
--- ssh_config 2013-10-03 08:15:03.537131330 -0500
+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
@@ -44,5 +44,6 @@
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
+# VerifyHostKeyDNS yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
--- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800
+++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800
@@ -1635,7 +1635,10 @@ need to confirm new host keys according
.Cm StrictHostKeyChecking
option.
The default is
-.Cm no .
+.Cm yes
+if compiled with LDNS and
+.Cm no
+otherwise.
.Pp
See also
.Sx VERIFYING HOST KEYS

31
security/openssh-portable/files/extra-patch-pam-sshd_config Normal file
View File

@ -0,0 +1,31 @@
--- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000
+++ sshd_config 2022-02-11 19:20:45.334738000 +0000
@@ -55,8 +55,8 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# To enable tunneled clear text passwords, change to yes here!
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -72,7 +72,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
@@ -81,7 +81,7 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes

151
security/openssh-portable/files/extra-patch-tcpwrappers Normal file
View File

@ -0,0 +1,151 @@
Revert TCPWRAPPER removal -bdrewery
commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
Author: Damien Miller <djm@mindrot.org>
Date: Sun Apr 20 13:22:18 2014 +1000
- tedu@cvs.openbsd.org 2014/03/26 19:58:37
[sshd.8 sshd.c]
remove libwrap support. ok deraadt djm mfriedl
diff --git sshd.8 sshd.8
index 289e13d..e6a900b 100644
--- sshd.8
+++ sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
--- sshd-session.c.orig 2024-07-01 13:26:10.677919000 -0700
+++ sshd-session.c 2024-07-01 13:26:58.873906000 -0700
@@ -110,6 +110,13 @@
#include "srclimit.h"
#include "dh.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -1256,7 +1263,26 @@ main(int ac, char **av)
#endif
rdomain = ssh_packet_rdomain_in(ssh);
+
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ struct request_info req;
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
+
/* Log the connection. */
laddr = get_local_ipaddr(sock_in);
verbose("Connection from %s port %d on %s port %d%s%s%s",
--- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800
+++ configure.ac 2022-03-02 12:47:49.958341000 -0800
@@ -1599,6 +1599,62 @@ else
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"

5
security/openssh-portable/files/extra-patch-version-addendum Normal file
View File

@ -0,0 +1,5 @@
--- servconf.c.orig 2015-03-28 23:08:41.296700000 -0500
+++ servconf.c 2015-03-28 23:08:54.016291000 -0500
@@ -318 +318 @@
- options->version_addendum = xstrdup("");
+ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD_PORT);

179
security/openssh-portable/files/openssh.in Normal file
View File

@ -0,0 +1,179 @@
#!/bin/sh
# PROVIDE: openssh
# REQUIRE: DAEMON
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable openssh:
#
# openssh_enable (bool): Set it to "YES" to enable openssh.
# Default is "NO".
# openssh_flags (flags): Set extra flags to openssh.
# Default is "". see sshd(1).
# openssh_pidfile (file): Set full path to pid file.
. /etc/rc.subr
name="openssh"
rcvar=openssh_enable
load_rc_config ${name}
: ${openssh_enable:="NO"}
: ${openssh_skipportscheck="NO"}
# These only control ssh-keygen automatically generating host keys.
: ${openssh_dsa_enable="YES"}
: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
: ${openssh_ecdsa_flags=""}
: ${openssh_ed25519_enable="YES"}
: ${openssh_ed25519_flags=""}
command=%%PREFIX%%/sbin/sshd
extra_commands="configtest reload keygen"
start_precmd="${name}_checks"
reload_precmd="${name}_checks"
restart_precmd="${name}_checks"
configtest_cmd="${name}_configtest"
keygen_cmd="${name}_keygen"
pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
openssh_keygen()
{
local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
checkyesno openssh_dsa_enable || skip_dsa=y
checkyesno openssh_rsa_enable || skip_rsa=y
checkyesno openssh_ecdsa_enable || skip_ecdsa=y
checkyesno openssh_ed25519_enable || skip_ed25519=y
if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
\( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
\( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
\( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
return 0
fi
umask 022
# Can't do anything if ssh is not installed
[ -x %%PREFIX%%/bin/ssh-keygen ] ||
err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
echo "You already have a DSA host key" \
"in %%ETCDIR%%/ssh_host_dsa_key"
echo "Skipping protocol version 2 DSA Key Generation"
elif checkyesno openssh_dsa_enable; then
%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
-f %%ETCDIR%%/ssh_host_dsa_key -N ''
fi
if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then
echo "You already have a RSA host key" \
"in %%ETCDIR%%/ssh_host_rsa_key"
echo "Skipping protocol version 2 RSA Key Generation"
elif checkyesno openssh_rsa_enable; then
%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
-f %%ETCDIR%%/ssh_host_rsa_key -N ''
fi
if [ -f %%ETCDIR%%/ssh_host_ecdsa_key ]; then
echo "You already have a Elliptic Curve DSA host key" \
"in %%ETCDIR%%/ssh_host_ecdsa_key"
echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
elif checkyesno openssh_ecdsa_enable; then
%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
fi
if [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
echo "You already have a Elliptic Curve ED25519 host key" \
"in %%ETCDIR%%/ssh_host_ed25519_key"
echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
elif checkyesno openssh_ed25519_enable; then
%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
fi
}
openssh_check_same_ports(){
# check if opensshd don't use base system sshd's port
#
# openssh binds ports in priority (lowest first):
# Port from sshd_config
# -p option from command line
# ListenAddress addr:port from sshd_config
#check if opensshd-portable installed in replacement of base sshd
if [ "%%ETCDIR%%" = "/etc/ssh" ]; then
return 1
fi
self_port=$(awk '$1~/^ListenAddress/ \
{mlen=match($0,":[0-9]*$"); print \
substr($0,mlen+1,length($0)-mlen)}' %%ETCDIR%%/sshd_config)
if [ -z "$self_port" ]; then
self_port=$(echo $openssh_flags | awk \
'{for (i = 1; i <= NF; i++) if ($i == "-p") \
{i++; printf "%s", $i; break; }; }')
if [ -z "$self_port" ]; then
self_port=$(awk '$1~/^Port/ {print $2}' \
%%ETCDIR%%/sshd_config)
fi
fi
# assume default 22 port
if [ -z "$self_port" ]; then
self_port=22
fi
load_rc_config "sshd"
base_sshd_port=$(awk '$1~/^ListenAddress/ \
{mlen=match($0,":[0-9]*$"); print \
substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config)
if [ -z "$base_sshd_port" ]; then
base_sshd_port=$(echo $sshd_flags | awk \
'{for (i = 1; i <= NF; i++) if ($i == "-p") \
{i++; printf "%s", $i; break; }; }')
if [ -z "$base_sshd_port" ]; then
base_sshd_port=$(awk '$1~/^Port/ {print $2}' \
/etc/ssh/sshd_config)
fi
fi
if [ -z "$base_sshd_port" ]; then
base_sshd_port=22
fi
# self_port and base_sshd_port may have multiple values. Compare them all
for sport in ${self_port}; do
for bport in ${base_sshd_port}; do
[ ${sport} -eq ${bport} ] && return 0
done
done
return 1
}
openssh_configtest()
{
echo "Performing sanity check on ${name} configuration."
eval ${command} ${openssh_flags} -t
}
openssh_checks()
{
if checkyesno sshd_enable ; then
if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then
err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port"
fi
fi
openssh_keygen
openssh_configtest
}
run_rc_command "$1"

10
security/openssh-portable/files/patch-regress__test-exec.sh Normal file
View File

@ -0,0 +1,10 @@
--- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 UTC
+++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500
@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
LogLevel DEBUG3
AcceptEnv _XXX_TEST_*
AcceptEnv _XXX_TEST
+ PermitRootLogin yes
Subsystem sftp $SFTPSERVER
EOF

52
security/openssh-portable/files/patch-servconf.c Normal file
View File

@ -0,0 +1,52 @@
r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/myproposal.h
M /head/crypto/openssh/readconf.c
M /head/crypto/openssh/servconf.c
Apply FreeBSD's configuration defaults.
--- servconf.c.orig 2024-07-01 13:30:30.284417000 -0700
+++ servconf.c 2024-07-01 13:31:20.040132000 -0700
@@ -46,6 +46,7 @@
# include "openbsd-compat/glob.h"
#endif
+#include "version.h"
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
#include "ssh.h"
@@ -295,7 +296,11 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */
if (options->use_pam == -1)
- options->use_pam = 0;
+#ifdef USE_PAM
+ options->use_pam = 1;
+#else
+ options->use_pam = 0;
+#endif
if (options->pam_service_name == NULL)
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
@@ -339,7 +344,7 @@ fill_default_server_options(ServerOptions *options)
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
- options->x11_forwarding = 0;
+ options->x11_forwarding = 1;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
@@ -381,7 +386,11 @@ fill_default_server_options(ServerOptions *options)
if (options->gss_strict_acceptor == -1)
options->gss_strict_acceptor = 1;
if (options->password_authentication == -1)
+#ifdef USE_PAM
+ options->password_authentication = 0;
+#else
options->password_authentication = 1;
+#endif
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 1;
if (options->permit_empty_passwd == -1)

78
security/openssh-portable/files/patch-session.c Normal file
View File

@ -0,0 +1,78 @@
bdrewery:
- Refactor and simplify original commit.
- Stop setting TERM=su without a term.
------------------------------------------------------------------------
r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines
Changed paths:
M /head/crypto/openssh/session.c
Make sure the environment variables set by setusercontext() are passed on
to the child process.
Reviewed by: ache
Sponsored by: DARPA, NAI Labs
--- session.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ session.c 2021-04-27 13:11:13.515917000 -0700
@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
}
#endif /* HAVE_ETC_DEFAULT_LOGIN */
-#if defined(USE_PAM) || defined(HAVE_CYGWIN)
+#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
static void
copy_environment_denylist(char **source, char ***env, u_int *envsize,
const char *denylist)
@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
- if (!options.use_pam) {
+ /* FreeBSD PAM doesn't set default "MAIL" */
+ if (1 || !options.use_pam) {
snprintf(buf, sizeof buf, "%.200s/%.50s",
_PATH_MAILDIR, pw->pw_name);
child_set_env(&env, &envsize, "MAIL", buf);
@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+#ifdef HAVE_LOGIN_CAP
+ /* Load environment from /etc/login.conf setenv directives. */
+ {
+ extern char **environ;
+ char **senv, **var;
+
+ senv = environ;
+ environ = xmalloc(sizeof(char *));
+ *environ = NULL;
+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
+ copy_environment_denylist(environ, &env, &envsize, NULL);
+ for (var = environ; *var != NULL; ++var)
+ free(*var);
+ free(environ);
+ environ = senv;
+ }
+#endif
if (s->term)
child_set_env(&env, &envsize, "TERM", s->term);
if (s->display)
@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
return;
- nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
+ nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl);
#else
if (pw->pw_uid == 0)
return;
@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
perror("unable to set user context");
exit(1);
}

26
security/openssh-portable/files/patch-ssh-agent.1 Normal file
View File

@ -0,0 +1,26 @@
--- UTC
r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
--- ssh-agent.1.orig 2020-02-13 16:40:54.000000000 -0800
+++ ssh-agent.1 2020-03-21 17:03:22.952068000 -0700
@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
-.Op Fl \&Dd
+.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl P Ar provider_whitelist
@@ -125,6 +125,8 @@ A lifetime specified for an identity with
.Xr ssh-add 1
overrides this value.
Without this option the default maximum lifetime is forever.
+.It Fl x
+Exit after the last client has disconnected.
.It Ar command Op Ar arg ...
If a command (and optional arguments) is given,
this is executed as a subprocess of the agent.

97
security/openssh-portable/files/patch-ssh-agent.c Normal file
View File

@ -0,0 +1,97 @@
--- UTC
r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
--- ssh-agent.c.orig 2023-12-18 06:59:50.000000000 -0800
+++ ssh-agent.c 2023-12-19 17:16:22.128981000 -0800
@@ -196,11 +196,28 @@
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
+/*
+ * Client connection count; incremented in new_socket() and decremented in
+ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
+ * normally initialized to 1, it will never reach 0. However, if the -x
+ * option is specified, it is initialized to 0 in main(); in that case,
+ * ssh-agent will exit as soon as it has had at least one client but no
+ * longer has any.
+ */
+static int xcount = 1;
+
static void
close_socket(SocketEntry *e)
{
size_t i;
+ int last = 0;
+ if (e->type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount - 1);
+ if (--xcount == 0)
+ last = 1;
+ }
+
close(e->fd);
sshbuf_free(e->input);
sshbuf_free(e->output);
@@ -213,6 +230,8 @@
memset(e, '\0', sizeof(*e));
e->fd = -1;
e->type = AUTH_UNUSED;
+ if (last)
+ cleanup_exit(0);
}
static void
@@ -1893,6 +1912,10 @@
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+ if (type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount + 1);
+ ++xcount;
+ }
set_nonblock(fd);
if (fd > max_fd)
@@ -2184,7 +2207,7 @@
usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-O option] [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
" [-P allowed_providers] [-t life] command [arg ...]\n"
@@ -2218,6 +2241,7 @@
/* drop */
(void)setegid(getgid());
(void)setgid(getgid());
+ (void)setuid(geteuid());
platform_disable_tracing(0); /* strict=no */
@@ -2229,7 +2253,7 @@
__progname = ssh_get_progname(av[0]);
seed_rng();
- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -2280,6 +2304,9 @@
fprintf(stderr, "Invalid lifetime\n");
usage();
}
+ break;
+ case 'x':
+ xcount = 0;
break;
default:
usage();

33
security/openssh-portable/files/patch-ssh.c Normal file
View File

@ -0,0 +1,33 @@
--- UTC
r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/ssh.c
Canonicize the host name before looking it up in the host file.
--- ssh.c.orig 2018-04-02 05:38:28 UTC
+++ ssh.c
@@ -1281,6 +1281,23 @@ main(int ac, char **av)
ssh_digest_free(md);
conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
+ /* Find canonic host name. */
+ if (strchr(host, '.') == 0) {
+ struct addrinfo hints;
+ struct addrinfo *ai = NULL;
+ int errgai;
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = options.address_family;
+ hints.ai_flags = AI_CANONNAME;
+ hints.ai_socktype = SOCK_STREAM;
+ errgai = getaddrinfo(host, NULL, &hints, &ai);
+ if (errgai == 0) {
+ if (ai->ai_canonname != NULL)
+ host = xstrdup(ai->ai_canonname);
+ freeaddrinfo(ai);
+ }
+ }
+
/*
* Expand tokens in arguments. NB. LocalCommand is expanded later,
* after port-forwarding is set up, so it may pick up any local

13
security/openssh-portable/files/patch-ssh_config.5 Normal file
View File

@ -0,0 +1,13 @@
--- UTC
--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800
+++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800
@@ -434,6 +433,8 @@ in the process, regardless of the setting of
If the option is set to
.Cm no ,
the check will not be executed.
+The default is
+.Cm no .
.It Cm Ciphers
Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.

26
security/openssh-portable/files/patch-sshd.8 Normal file
View File

@ -0,0 +1,26 @@
--- UTC
Document FreeBSD/port-specific paths
--- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600
+++ sshd.8 2010-09-14 16:14:14.000000000 -0600
@@ -70,7 +70,7 @@
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /usr/local/etc/rc.d/openssh .
It forks a new
daemon for each incoming connection.
The forked daemons handle
@@ -384,8 +384,9 @@
If the login is on a tty, records login time.
.It
Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
(unless root).
.It
Changes to run with normal user privileges.

101
security/openssh-portable/files/patch-sshd.c Normal file
View File

@ -0,0 +1,101 @@
--- UTC
r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines
Changed paths:
M /head/crypto/openssh/sshd.c
Force early initialization of the resolver library, since the resolver
configuration files will no longer be available once sshd is chrooted.
PR: 39953, 40894
Submitted by: dinoex
r199804 | attilio | 2009-11-25 09:12:24 -0600 (Wed, 25 Nov 2009) | 13 lines
Changed paths:
M /head/crypto/openssh/sshd.c
M /head/usr.sbin/cron/cron/cron.c
M /head/usr.sbin/inetd/inetd.c
M /head/usr.sbin/syslogd/syslogd.c
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap
environments.
Please note that this can't be done while such processes run in jails.
Note: in future it would be interesting to find a way to do that
selectively for any desired proccess (choosen by user himself), probabilly
via a ptrace interface or whatever.
r206397 | kib | 2010-04-08 07:07:40 -0500 (Thu, 08 Apr 2010) | 8 lines
Changed paths:
M /head/crypto/openssh/sshd.c
Enhance r199804 by marking the daemonised child as immune to OOM instead
of short-living parent. Only mark the master process that accepts
connections, do not protect connection handlers spawned from inetd.
--- sshd.c.orig 2024-06-30 21:36:28.000000000 -0700
+++ sshd.c 2024-07-01 13:44:05.739756000 -0700
@@ -28,6 +28,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
+#include <sys/mman.h>
#include <sys/socket.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
@@ -69,6 +70,13 @@
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "sshpty.h"
@@ -1671,7 +1679,30 @@ main(int ac, char **av)
for (i = 0; i < options.num_log_verbose; i++)
log_verbose_add(options.log_verbose[i]);
+#ifdef __FreeBSD__
/*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
+ debug("res_init()");
+ res_init();
+ }
+#ifdef GSSAPI
+ /*
+ * Force GSS-API to parse its configuration and load any
+ * mechanism plugins.
+ */
+ {
+ gss_OID_set mechs;
+ OM_uint32 minor_status;
+ gss_indicate_mechs(&minor_status, &mechs);
+ gss_release_oid_set(&minor_status, &mechs);
+ }
+#endif
+#endif
+
+ /*
* If not in debugging mode, not started from inetd and not already
* daemonized (eg re-exec via SIGHUP), disconnect from the controlling
* terminal, and fork. The original process exits.
@@ -1687,6 +1718,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ /* Avoid killing the process in high-pressure swapping environments. */
+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
+ debug("madvise(): %.200s", strerror(errno));
+
/*
* Chdir to the root directory so that the current disk can be
* unmounted if desired.

34
security/openssh-portable/files/patch-sshd_config Normal file
View File

@ -0,0 +1,34 @@
!!!
!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
!!!
--- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000
+++ sshd_config 2022-02-11 18:52:31.639435000 +0000
@@ -10,6 +10,9 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -37,8 +40,7 @@
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
@@ -84,7 +86,7 @@
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

57
security/openssh-portable/files/patch-sshd_config.5 Normal file
View File

@ -0,0 +1,57 @@
--- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000
+++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000
@@ -701,7 +701,9 @@
.Qq ssh -Q HostbasedAcceptedAlgorithms .
This was formerly named HostbasedAcceptedKeyTypes.
.It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
with successful public key client host authentication is allowed
(host-based authentication).
The default is
@@ -1416,6 +1434,13 @@
.Cm ethernet .
The default is
.Cm no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Cm yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
+.Cm without-password .
.Pp
Independent of this setting, the permissions of the selected
.Xr tun 4
@@ -1774,12 +1799,19 @@
.Xr sshd 8
as a non-root user.
The default is
+.Cm yes ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
.Cm no .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Cm none .
+.Cm %%SSH_VERSION_FREEBSD_PORT%% .
+The value
+.Cm none
+may be used to disable this.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
@@ -1793,7 +1825,7 @@
or
.Cm no .
The default is
-.Cm no .
+.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the

13
security/openssh-portable/pkg-descr Normal file
View File

@ -0,0 +1,13 @@
OpenBSD's OpenSSH portable version
Normal OpenSSH development produces a very small, secure, and easy to maintain
version for the OpenBSD project. The OpenSSH Portability Team takes that pure
version and adds portability code so that OpenSSH can run on many other
operating systems (Unfortunately, in particular since OpenSSH does
authentication, it runs into a *lot* of differences between Unix operating
systems).
The portable OpenSSH follows development of the official version, but releases
are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
The official OpenBSD source will never use the 'p' suffix, but will instead
increment the version number when they hit 'stable spots' in their development.

22
security/openssh-portable/pkg-message Normal file
View File

@ -0,0 +1,22 @@
[
{ type: install
message: <<EOM
To enable this port, add openssh_enable="YES" in your rc.conf. To
prevent conflict with openssh in the base system add sshd_enable="NO"
in your rc.conf. Also you can configure openssh at another TCP port (via
sshd_config 'Port' and 'Listen' options or via 'openssh_flags'
variable in rc.conf) and run it in same time with base sshd.
'PermitRootLogin no' is the default for the OpenSSH port.
This now matches the PermitRootLogin configuration of OpenSSH in
the base system. Please be aware of this when upgrading your
OpenSSH port, and if truly necessary, re-enable remote root login
by readjusting this option in your sshd_config.
Users are encouraged to create single-purpose users with ssh keys, disable
Password authentication by setting 'PasswordAuthentication no' and
'ChallengeResponseAuthentication no', and to define very narrow sudo
privileges instead of using root for automated tasks.
EOM
}
]

32
security/openssh-portable/pkg-plist Normal file
View File

@ -0,0 +1,32 @@
bin/scp
bin/sftp
bin/ssh
bin/ssh-add
bin/ssh-agent
bin/ssh-keygen
bin/ssh-keyscan
@sample %%ETCDIR%%/moduli.sample
@sample %%ETCDIR%%/ssh_config.sample
@sample %%ETCDIR%%/sshd_config.sample
@postexec if [ -f %D/%%ETCDIR%%/ssh_host_ecdsa_key ] && grep -q DSA %D/%%ETCDIR%%/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/%%ETCDIR%%/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/%%ETCDIR%%/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
sbin/sshd
libexec/sftp-server
libexec/ssh-keysign
libexec/ssh-pkcs11-helper
libexec/ssh-sk-helper
libexec/sshd-session
share/man/man1/sftp.1.gz
share/man/man1/ssh-add.1.gz
share/man/man1/ssh-agent.1.gz
share/man/man1/ssh-keygen.1.gz
share/man/man1/ssh-keyscan.1.gz
share/man/man1/scp.1.gz
share/man/man1/ssh.1.gz
share/man/man5/moduli.5.gz
share/man/man5/ssh_config.5.gz
share/man/man5/sshd_config.5.gz
share/man/man8/sftp-server.8.gz
share/man/man8/ssh-keysign.8.gz
share/man/man8/ssh-pkcs11-helper.8.gz
share/man/man8/ssh-sk-helper.8.gz
share/man/man8/sshd.8.gz

1
www/py-frappe-bench/Makefile
View File

@ -4,7 +4,6 @@ DISTVERSION= 5.22.9
CATEGORIES= www python CATEGORIES= www python
MASTER_SITES= PYPI MASTER_SITES= PYPI
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
PORTREVISION= 1
MAINTAINER= kiwi@oav.net MAINTAINER= kiwi@oav.net
COMMENT= Frappe / ERPNext apps setup tool COMMENT= Frappe / ERPNext apps setup tool