diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 2df0729..b77a243 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,6 +1,8 @@ +# Created by: dwcjr@inethouston.net + PORTNAME= openssh -DISTVERSION= 9.3p2 -PORTREVISION= 2 +DISTVERSION= 8.8p1 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -8,7 +10,6 @@ PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH -WWW= https://www.openssh.com/portable.html LICENSE= OPENSSH LICENSE_NAME= OpenSSH Licenses @@ -66,8 +67,6 @@ BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes -PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config - TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} 
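Review bot: DISTVERSION goes from 9.3p2 back to 8.8p1 on the new side while PORTEPOCH stays at 1, and the same change deletes files/patch-SA-23:19 (the strict-KEX `kex-strict-*-v00@openssh.com` handling) and files/patch-FreeBSD-logincap (the login.conf `auth_hostok`/`auth_timeok` checks), so the built ssh/sshd lose both. If an update was intended, a/ and b/ look swapped and the diff should be regenerated; if the downgrade is deliberate, pkg will still rank 9.3p2 above 8.8p1 under the same epoch, so PORTEPOCH must be bumped and the removed mitigations re-applied on top of 8.8p1. Dropping `PAM_EXTRA_PATCHES` also leaves PAM builds with the stock sample sshd_config, whose commented defaults read `#PasswordAuthentication yes` / `#UsePAM no` (see the deleted extra-patch-pam-sshd_config); confirm those still match the PAM option's compiled-in defaults or the sample will mislead operators.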
@@ -101,22 +100,21 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi -#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. +BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. -GSSAPI_DEBIAN_VERSION= 9.4p1 -GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1 +GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?=/ trick. PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location -GSSAPI_DISTVERSION= 9.4p1 -PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c +GSSAPI_UPDATE_DATE= 20200607 +PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c .endif diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index 244080a..f08db16 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo 
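Review bot: The KERB_GSSAPI block now sets `BROKEN` yet still appends `openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch` to PATCHFILES, fetched from the plain-HTTP `mirror.shatow.net` site shown in the hunk context or from sources.debian.org, while the new distinfo records no SHA256/SIZE for it. That checksum is the only integrity control on a third-party patch, so the option must stay BROKEN until `make makesum` has pinned the file; a reminder beside the BROKEN line, `# gsskex patch has no distinfo entry yet - run make makesum before removing BROKEN`, would keep that from being skipped. `GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2` also hard-codes Debian's packaging revision, which the comment above says has to be looked up per version; verify that subdirectory actually exists for 8.8p1.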
@@ -1,5 +1,3 @@ -TIMESTAMP = 1695396338 -SHA256 (openssh-9.3p2.tar.gz) = 200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8 -SIZE (openssh-9.3p2.tar.gz) = 1835850 -SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 9492c1db4307aa3fe6e12d77fff01376bf275af2980ae55b926a505aae9e9b14 -SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131674 +TIMESTAMP = 1634059537 +SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9 +SIZE (openssh-8.8p1.tar.gz) = 1815060 diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd index 7bb88b2..a8e9505 100644 --- a/security/openssh-portable/files/extra-patch-blacklistd +++ b/security/openssh-portable/files/extra-patch-blacklistd @@ -351,15 +351,15 @@ if (use_privsep) { if (privsep_preauth(ssh) == 1) ---- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 -+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 -@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S +--- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800 ++++ Makefile.in 2020-11-16 16:28:28.083007000 -0800 +@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ @UNSUPPORTED_ALGORITHMS@ +LIBSSH_OBJS+= blacklist.o + - all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) + all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) $(LIBSSH_OBJS): Makefile.in config.h --- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 diff --git a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c deleted file mode 100644 index 3f9694c..0000000 --- a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c +++ /dev/null 
@@ -1,19 +0,0 @@ ---- auth2-gss.c.orig 2022-03-03 10:56:35.668672000 -0800 -+++ auth2-gss.c 2022-03-03 11:03:16.048838000 -0800 -@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct - * The 'gssapi_keyex' userauth mechanism. - */ - static int --userauth_gsskeyex(struct ssh *ssh) -+userauth_gsskeyex(struct ssh *ssh, const char *method) - { - Authctxt *authctxt = ssh->authctxt; - int r, authenticated = 0; -@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh - - Authmethod method_gsskeyex = { - "gssapi-keyex", -+ NULL, - userauth_gsskeyex, - &options.gss_authentication - }; diff --git a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c new file mode 100644 index 0000000..7cb08ee --- /dev/null +++ b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c @@ -0,0 +1,12 @@ +Avoid free(const char*) +--- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800 ++++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800 +@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh) + /* Fall back to specified host if we are using proxy command + * and can not use DNS on that socket */ + if (strcmp(gss_host, "UNKNOWN") == 0) { +- gss_host = authctxt->host; ++ gss_host = xstrdup(authctxt->host); + } + } else { + gss_host = xstrdup(authctxt->host); diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index 5dd34d2..ed7a78a 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn 
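Review bot: In extra-patch-gssapi-sshconnect2.c the fallback `gss_host = xstrdup(authctxt->host);` makes gss_host heap-owned on both paths, which is the right fix if the caller later free()s it, but it overwrites the value that compared equal to "UNKNOWN" without releasing it; if that value came from an allocating lookup, the previous string leaks and a `free(gss_host);` is needed before the xstrdup (if it is a static string, the plain overwrite is fine). The assignment that produced "UNKNOWN" and the eventual free are outside this hunk, so check them in the Debian gssapi patch this file layers on, and state the finding in the patch's leading comment instead of the bare `Avoid free(const char*)`.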
@@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + (tasota@gmail.com) an NSF REU grant recipient for 2013. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. ---- channels.c.orig 2023-02-02 04:21:54.000000000 -0800 -+++ channels.c 2023-02-03 10:45:34.136793000 -0800 -@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels * +--- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700 +@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann /* Setup helper */ static void channel_handler_init(struct ssh_channels *sc); @@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* -- channel core */ void -@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in +@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in c->local_window = window; c->local_window_max = window; c->local_maxpacket = maxpack; @@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c->remote_name = xstrdup(remote_name); c->ctl_chan = -1; c->delayed = 1; /* prevent call to channel_post handler */ -@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int - fatal_fr(r, "channel %i", c->self); +@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, + FD_SET(c->sock, writeset); } +#ifdef HPN_ENABLED 
@@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif + static void - channel_pre_listener(struct ssh *ssh, Channel *c) - { -@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c) + channel_pre_open(struct ssh *ssh, Channel *c, + fd_set *readset, fd_set *writeset) +@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c) c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { @@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c->local_consumed = 0; } return 1; -@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis +@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis return addr; } @@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o static int channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, struct Forward *fwd, int *allocated_listen_port, -@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int +@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int } /* Allocate a channel number for the socket. */ 
@@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + * window size. + */ + if (!hpn_disabled) -+ c = channel_new(ssh, "port listener", type, sock, sock, -+ -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, ++ c = channel_new(ssh, "port listener", type, sock, sock, -1, ++ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); + else +#endif - c = channel_new(ssh, "port-listener", type, sock, sock, -1, + c = channel_new(ssh, "port listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); -@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ +@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; @@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + 0, "X11 inet listener", 1); + else +#endif - nc = channel_new(ssh, "x11-listener", + nc = channel_new(ssh, "x11 listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, --- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 @@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o free(cipher_list); return 0; } ---- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800 -+++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800 -@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques +--- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700 +@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques sock = x11_connect_display(ssh); if (sock < 0) return NULL; 
@@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ - else - debug2_fr(r, "ssh_agent_bind_hostkey"); - +@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ + __func__, ssh_err(r)); + return NULL; + } +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new(ssh, "authentication agent connection", @@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, -@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, +@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, } debug("Tunnel forwarding using interface %s", ifname); @@ -1119,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o sshpkt_fatal(ssh, r, "banner exchange"); /* Put the connection into non-blocking mode. */ ---- work/openssh/sshconnect2.c.orig 2023-03-15 14:28:19.000000000 -0700 -+++ work/openssh/sshconnect2.c 2023-05-19 14:20:01.965073000 -0700 -@@ -83,7 +83,13 @@ extern Options options; +--- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700 ++++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700 +@@ -84,7 +84,13 @@ extern char *client_version_string; extern char *server_version_string; extern Options options; 
@@ -1135,7 +1135,29 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * SSH2 key exchange */ -@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, +@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd + return ret; + } + ++static char *myproposal[PROPOSAL_MAX]; ++static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; + void + ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + const struct ssh_conn_info *cinfo) + { +- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *s, *all_key; + int r, use_known_hosts_order = 0; + +@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr + fatal_fr(r, "kex_assemble_namelist"); + free(all_key); + ++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + fatal_f("kex_names_cat"); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); +@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, if (!authctxt.success) fatal("Authentication failed."); @@ -1147,16 +1169,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + * tty allocated. + */ + if ((options.none_switch == 1) && (options.none_enabled == 1)) { -+ char *myproposal[PROPOSAL_MAX]; -+ char *s = NULL; -+ const char *none_cipher = "none"; -+ + if (!tty_flag) { /* no null on tty sessions */ + debug("Requesting none rekeying..."); -+ kex_proposal_populate_entries(ssh, myproposal, s, none_cipher, -+ options.macs, -+ compression_alg_list(options.compression), -+ options.hostkeyalgorithms); ++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; + kex_prop2buf(ssh->kex->my, myproposal); + packet_request_rekeying(); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); 
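Review bot: In the none-switch rekey block, `memcpy(&myproposal, &myproposal_default, sizeof(myproposal));` followed only by the two `"none"` cipher entries rebuilds the proposal from the built-in KEX_CLIENT defaults, so whatever algorithm lists the user configured — the earlier hunk shows ssh_kex2 applying `options.kex_algorithms` for the first exchange, and the removed 9.3p2 lines passed `options.macs` and `options.hostkeyalgorithms` — are silently not applied to the renegotiation that carries the rest of the session. After the memcpy, populate the entries from `options.*` the same way ssh_kex2 does, e.g. `if (options.macs != NULL) myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;` and likewise for the kex and host-key lists. The memcpy also copies `const char *` entries into the new file-scope `char *myproposal[]`, so a comment that these slots hold literals and must never be freed is warranted. ssh_userauth2 continues outside the hunk.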
@@ -1269,11 +1286,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no ---- version.h.orig 2023-07-18 23:31:34.000000000 -0700 -+++ version.h 2023-07-21 07:27:08.311422000 -0700 +--- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700 @@ -4,3 +4,4 @@ - #define SSH_PORTABLE "p2" + #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_HPN "-hpn14v15" --- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700 diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index 6f6a0e1..c47d0a1 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat @@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ ---- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800 -+++ readconf.c 2023-02-03 11:30:14.894959000 -0800 -@@ -323,6 +323,12 @@ static struct { +--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700 ++++ readconf.c 2021-04-27 11:25:24.222034000 -0700 +@@ -316,6 +316,12 @@ static struct { + { "proxyjump", oProxyJump }, + { "securitykeyprovider", oSecurityKeyProvider }, { "knownhostscommand", oKnownHostsCommand }, - { "requiredrsasize", oRequiredRSASize }, - { "enableescapecommandline", oEnableEscapeCommandline }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, 
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well. { NULL, oBadOption } }; ---- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800 -+++ servconf.c 2023-02-03 11:31:00.387624000 -0800 +--- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800 ++++ servconf.c 2020-03-21 17:01:18.011062000 -0700 @@ -695,6 +695,10 @@ static struct { - { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, - { "channeltimeout", sChannelTimeout, SSHCFG_ALL }, - { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, + { "rdomain", sRDomain, SSHCFG_ALL }, + { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, + { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config deleted file mode 100644 index 9b6b261..0000000 --- a/security/openssh-portable/files/extra-patch-pam-sshd_config +++ /dev/null 
@@ -1,31 +0,0 @@ ---- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000 -+++ sshd_config 2022-02-11 19:20:45.334738000 +0000 -@@ -55,8 +55,8 @@ - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes - --# To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+# To enable tunneled clear text passwords, change to yes here! -+#PasswordAuthentication no - #PermitEmptyPasswords no - - # Change to no to disable s/key passwords -@@ -72,7 +72,7 @@ - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes - --# Set this to 'yes' to enable PAM authentication, account processing, -+# Set this to 'no' to disable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will - # be allowed through the KbdInteractiveAuthentication and - # PasswordAuthentication. Depending on your PAM configuration, -@@ -81,7 +81,7 @@ - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. --#UsePAM no -+#UsePAM yes - - #AllowAgentForwarding yes - #AllowTcpForwarding yes diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index ba7d283..ba8cc71 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -83,9 +83,11 @@ index 0ade557..045f149 100644 /* Log the connection. */ laddr = get_local_ipaddr(sock_in); ---- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800 -+++ configure.ac 2022-03-02 12:47:49.958341000 -0800 -@@ -1599,6 +1599,62 @@ else +diff --git configure.ac configure.ac +index f48ba4a..66fbe82 100644 +--- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700 ++++ configure.ac 2019-07-02 20:58:48.627832000 -0700 +@@ -1494,6 +1494,62 @@ else AC_MSG_RESULT([no]) fi 
@@ -148,11 +150,11 @@ index 0ade557..045f149 100644 # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG" +@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG" echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" +echo " TCP Wrappers support: $TCPW_MSG" + echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " libldns support: $LDNS_MSG" - echo " Solaris process contract support: $SPC_MSG" diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in index 9526a70..a8c0043 100644 --- a/security/openssh-portable/files/openssh.in +++ b/security/openssh-portable/files/openssh.in @@ -22,16 +22,6 @@ load_rc_config ${name} : ${openssh_enable:="NO"} : ${openssh_skipportscheck="NO"} -# These only control ssh-keygen automatically generating host keys. -: ${openssh_dsa_enable="YES"} -: ${openssh_dsa_flags=""} -: ${openssh_rsa_enable="YES"} -: ${openssh_rsa_flags=""} -: ${openssh_ecdsa_enable="YES"} -: ${openssh_ecdsa_flags=""} -: ${openssh_ed25519_enable="YES"} -: ${openssh_ed25519_flags=""} - command=%%PREFIX%%/sbin/sshd extra_commands="configtest reload keygen" start_precmd="${name}_checks" 
@@ -43,16 +33,10 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"} openssh_keygen() { - local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519= - checkyesno openssh_dsa_enable || skip_dsa=y - checkyesno openssh_rsa_enable || skip_rsa=y - checkyesno openssh_ecdsa_enable || skip_ecdsa=y - checkyesno openssh_ed25519_enable || skip_ed25519=y - - if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \ - \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \ - \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \ - \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then + if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \ + -f %%ETCDIR%%/ssh_host_rsa_key -a \ + -f %%ETCDIR%%/ssh_host_ecdsa_key -a \ + -f %%ETCDIR%%/ssh_host_ed25519_key ]; then return 0 fi @@ -66,8 +50,8 @@ openssh_keygen() echo "You already have a DSA host key" \ "in %%ETCDIR%%/ssh_host_dsa_key" echo "Skipping protocol version 2 DSA Key Generation" - elif checkyesno openssh_dsa_enable; then - %%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \ + else + %%PREFIX%%/bin/ssh-keygen -t dsa \ -f %%ETCDIR%%/ssh_host_dsa_key -N '' fi @@ -75,8 +59,8 @@ openssh_keygen() echo "You already have a RSA host key" \ "in %%ETCDIR%%/ssh_host_rsa_key" echo "Skipping protocol version 2 RSA Key Generation" - elif checkyesno openssh_rsa_enable; then - %%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \ + else + %%PREFIX%%/bin/ssh-keygen -t rsa \ -f %%ETCDIR%%/ssh_host_rsa_key -N '' fi @@ -84,8 +68,8 @@ openssh_keygen() echo "You already have a Elliptic Curve DSA host key" \ "in %%ETCDIR%%/ssh_host_ecdsa_key" echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation" - elif checkyesno openssh_ecdsa_enable; then - %%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \ + else + %%PREFIX%%/bin/ssh-keygen -t ecdsa \ -f %%ETCDIR%%/ssh_host_ecdsa_key -N '' fi 
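Review bot: The rewritten branches run `%%PREFIX%%/bin/ssh-keygen -t dsa -f %%ETCDIR%%/ssh_host_dsa_key -N ''` unconditionally whenever the file is absent, and with the `openssh_*_enable`/`openssh_*_flags` knobs removed from the defaults block in the previous hunk there is no longer any way to skip it or to pass options such as `-b 4096` to the RSA call. A 1024-bit DSA host key that sshd has not offered by default for years is just one more private key on disk to protect; make it opt-in with `: ${openssh_dsa_enable="NO"}` in the defaults and `elif checkyesno openssh_dsa_enable; then` on the DSA branch, or drop the DSA branch altogether. The existence test `[ -f A -a -f B ... ]` also relies on the obsolescent `-a` operator; `[ -f A ] && [ -f B ]` is the portable spelling. openssh_keygen's last branch continues in the next hunk.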
@@ -93,8 +77,8 @@ openssh_keygen() echo "You already have a Elliptic Curve ED25519 host key" \ "in %%ETCDIR%%/ssh_host_ed25519_key" echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation" - elif checkyesno openssh_ed25519_enable; then - %%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \ + else + %%PREFIX%%/bin/ssh-keygen -t ed25519 \ -f %%ETCDIR%%/ssh_host_ed25519_key -N '' fi } @@ -172,7 +156,7 @@ openssh_checks() fi fi - openssh_keygen + run_rc_command keygen openssh_configtest } diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap deleted file mode 100644 index 78d772e..0000000 --- a/security/openssh-portable/files/patch-FreeBSD-logincap +++ /dev/null 
@@ -1,69 +0,0 @@ -(pulled from the PR) - -commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8 -Author: Ed Maste -Date: Tue Aug 31 15:30:50 2021 -0400 - - openssh: simplify login class restrictions - - Login class-based restrictions were introduced in 5b400a39b8ad. The - code was adapted for sshd's Capsicum sandbox and received many changes - over time, including at least fc3c19a9fcee, bd393de91cc3, and - e8c56fba2926. - - During an attempt to upstream the work a much simpler approach was - suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with - future updates. - - Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) - Obtained from: https://github.com/openssh/openssh-portable/pull/262 - Reviewed by: allanjude, kevans - MFC after: 2 weeks - Differential Revision: https://reviews.freebsd.org/D31760 - - ---- auth.c -+++ auth.c -@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user) - { - #ifdef HAVE_LOGIN_CAP - extern login_cap_t *lc; -+#ifdef HAVE_AUTH_HOSTOK -+ const char *from_host, *from_ip; -+#endif - #ifdef BSD_AUTH - auth_session_t *as; - #endif -@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user) - debug("unable to get login class: %s", user); - return (NULL); - } -+#ifdef HAVE_AUTH_HOSTOK -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ debug("Denied connection for %.200s from %.200s [%.200s].", -+ pw->pw_name, from_host, from_ip); -+ return (NULL); -+ } -+#endif /* HAVE_AUTH_HOSTOK */ -+#ifdef HAVE_AUTH_TIMEOK -+ if (!auth_timeok(lc, time(NULL))) { -+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name); -+ return (NULL); -+ } -+#endif /* HAVE_AUTH_TIMEOK */ - #ifdef BSD_AUTH - if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || - auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { ---- configure.ac -+++ configure.ac -@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG]) - - dnl Checks for library 
functions. Please keep in alphabetical order - AC_CHECK_FUNCS([ \ -+ auth_hostok \ -+ auth_timeok \ - Blowfish_initstate \ - Blowfish_expandstate \ - Blowfish_expand0state \ diff --git a/security/openssh-portable/files/patch-SA-23:19 b/security/openssh-portable/files/patch-SA-23:19 deleted file mode 100644 index 6240578..0000000 --- a/security/openssh-portable/files/patch-SA-23:19 +++ /dev/null 
@@ -1,425 +0,0 @@ ---- kex.c.orig -+++ kex.c -@@ -65,7 +65,7 @@ - #include "xmalloc.h" - - /* prototype */ --static int kex_choose_conf(struct ssh *); -+static int kex_choose_conf(struct ssh *, uint32_t seq); - static int kex_input_newkeys(int, u_int32_t, struct ssh *); - - static const char * const proposal_names[PROPOSAL_MAX] = { -@@ -177,6 +177,18 @@ - return 1; - } - -+/* returns non-zero if proposal contains any algorithm from algs */ -+static int -+has_any_alg(const char *proposal, const char *algs) -+{ -+ char *cp; -+ -+ if ((cp = match_list(proposal, algs, NULL)) == NULL) -+ return 0; -+ free(cp); -+ return 1; -+} -+ - /* - * Concatenate algorithm names, avoiding duplicates in the process. - * Caller must free returned string. -@@ -184,7 +196,7 @@ - char * - kex_names_cat(const char *a, const char *b) - { -- char *ret = NULL, *tmp = NULL, *cp, *p, *m; -+ char *ret = NULL, *tmp = NULL, *cp, *p; - size_t len; - - if (a == NULL || *a == '\0') -@@ -201,10 +213,8 @@ - } - strlcpy(ret, a, len); - for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { -- if ((m = match_list(ret, p, NULL)) != NULL) { -- free(m); -+ if (has_any_alg(ret, p)) - continue; /* Algorithm already present */ -- } - if (strlcat(ret, ",", len) >= len || - strlcat(ret, p, len) >= len) { - free(tmp); -@@ -334,15 +344,23 @@ - const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT }; - const char **defprop = ssh->kex->server ? defpropserver : defpropclient; - u_int i; -+ char *cp; - - if (prop == NULL) - fatal_f("proposal missing"); - -+ /* Append EXT_INFO signalling to KexAlgorithms */ -+ if (kexalgos == NULL) -+ kexalgos = defprop[PROPOSAL_KEX_ALGS]; -+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ? -+ "kex-strict-s-v00@openssh.com" : -+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) -+ fatal_f("kex_names_cat"); -+ - for (i = 0; i < PROPOSAL_MAX; i++) { - switch(i) { - case PROPOSAL_KEX_ALGS: -- prop[i] = compat_kex_proposal(ssh, -- kexalgos ? 
kexalgos : defprop[i]); -+ prop[i] = compat_kex_proposal(ssh, cp); - break; - case PROPOSAL_ENC_ALGS_CTOS: - case PROPOSAL_ENC_ALGS_STOC: -@@ -363,6 +381,7 @@ - prop[i] = xstrdup(defprop[i]); - } - } -+ free(cp); - } - - void -@@ -466,7 +485,12 @@ - { - int r; - -- error("kex protocol error: type %d seq %u", type, seq); -+ /* If in strict mode, any unexpected message is an error */ -+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) { -+ ssh_packet_disconnect(ssh, "strict KEX violation: " -+ "unexpected packet type %u (seqnr %u)", type, seq); -+ } -+ error_f("type %u seq %u", type, seq); - if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || - (r = sshpkt_put_u32(ssh, seq)) != 0 || - (r = sshpkt_send(ssh)) != 0) -@@ -563,7 +587,7 @@ - if (ninfo >= 1024) { - error("SSH2_MSG_EXT_INFO with too many entries, expected " - "<=1024, received %u", ninfo); -- return SSH_ERR_INVALID_FORMAT; -+ return dispatch_protocol_error(type, seq, ssh); - } - for (i = 0; i < ninfo; i++) { - if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) -@@ -681,7 +705,7 @@ - error_f("no kex"); - return SSH_ERR_INTERNAL_ERROR; - } -- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); -+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); - ptr = sshpkt_ptr(ssh, &dlen); - if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) - return r; -@@ -717,7 +741,7 @@ - if (!(kex->flags & KEX_INIT_SENT)) - if ((r = kex_send_kexinit(ssh)) != 0) - return r; -- if ((r = kex_choose_conf(ssh)) != 0) -+ if ((r = kex_choose_conf(ssh, seq)) != 0) - return r; - - if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) -@@ -981,20 +1005,14 @@ - return (1); - } - --/* returns non-zero if proposal contains any algorithm from algs */ - static int --has_any_alg(const char *proposal, const char *algs) -+kexalgs_contains(char **peer, const char *ext) - { -- char *cp; -- -- if ((cp = match_list(proposal, algs, NULL)) == NULL) -- return 0; -- free(cp); -- return 1; -+ return 
has_any_alg(peer[PROPOSAL_KEX_ALGS], ext); - } - - static int --kex_choose_conf(struct ssh *ssh) -+kex_choose_conf(struct ssh *ssh, uint32_t seq) - { - struct kex *kex = ssh->kex; - struct newkeys *newkeys; -@@ -1019,13 +1037,23 @@ - sprop=peer; - } - -- /* Check whether client supports ext_info_c */ -- if (kex->server && (kex->flags & KEX_INITIAL)) { -- char *ext; -- -- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); -- kex->ext_info_c = (ext != NULL); -- free(ext); -+ /* Check whether peer supports ext_info/kex_strict */ -+ if ((kex->flags & KEX_INITIAL) != 0) { -+ if (kex->server) { -+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c"); -+ kex->kex_strict = kexalgs_contains(peer, -+ "kex-strict-c-v00@openssh.com"); -+ } else { -+ kex->kex_strict = kexalgs_contains(peer, -+ "kex-strict-s-v00@openssh.com"); -+ } -+ if (kex->kex_strict) { -+ debug3_f("will use strict KEX ordering"); -+ if (seq != 0) -+ ssh_packet_disconnect(ssh, -+ "strict KEX violation: " -+ "KEXINIT was not the first packet"); -+ } - } - - /* Check whether client supports rsa-sha2 algorithms */ ---- kex.h.orig -+++ kex.h -@@ -149,6 +149,7 @@ - u_int kex_type; - char *server_sig_algs; - int ext_info_c; -+ int kex_strict; - struct sshbuf *my; - struct sshbuf *peer; - struct sshbuf *client_version; ---- packet.c.orig -+++ packet.c -@@ -1208,8 +1208,13 @@ - sshbuf_dump(state->output, stderr); - #endif - /* increment sequence number for outgoing packets */ -- if (++state->p_send.seqnr == 0) -+ if (++state->p_send.seqnr == 0) { -+ if ((ssh->kex->flags & KEX_INITIAL) != 0) { -+ ssh_packet_disconnect(ssh, "outgoing sequence number " -+ "wrapped during initial key exchange"); -+ } - logit("outgoing seqnr wraps around"); -+ } - if (++state->p_send.packets == 0) - if (!(ssh->compat & SSH_BUG_NOREKEY)) - return SSH_ERR_NEED_REKEY; -@@ -1217,6 +1222,11 @@ - state->p_send.bytes += len; - sshbuf_reset(state->outgoing_packet); - -+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { -+ 
debug_f("resetting send seqnr %u", state->p_send.seqnr); -+ state->p_send.seqnr = 0; -+ } -+ - if (type == SSH2_MSG_NEWKEYS) - r = ssh_set_newkeys(ssh, MODE_OUT); - else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) -@@ -1345,8 +1355,7 @@ - /* Stay in the loop until we have received a complete packet. */ - for (;;) { - /* Try to read a packet from the buffer. */ -- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p); -- if (r != 0) -+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0) - break; - /* If we got a packet, return it. */ - if (*typep != SSH_MSG_NONE) -@@ -1417,29 +1426,6 @@ - return type; - } - --/* -- * Waits until a packet has been received, verifies that its type matches -- * that given, and gives a fatal error and exits if there is a mismatch. -- */ -- --int --ssh_packet_read_expect(struct ssh *ssh, u_int expected_type) --{ -- int r; -- u_char type; -- -- if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0) -- return r; -- if (type != expected_type) { -- if ((r = sshpkt_disconnect(ssh, -- "Protocol error: expected packet type %d, got %d", -- expected_type, type)) != 0) -- return r; -- return SSH_ERR_PROTOCOL_ERROR; -- } -- return 0; --} -- - static int - ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - { -@@ -1630,10 +1616,16 @@ - if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) - goto out; - } -+ - if (seqnr_p != NULL) - *seqnr_p = state->p_read.seqnr; -- if (++state->p_read.seqnr == 0) -+ if (++state->p_read.seqnr == 0) { -+ if ((ssh->kex->flags & KEX_INITIAL) != 0) { -+ ssh_packet_disconnect(ssh, "incoming sequence number " -+ "wrapped during initial key exchange"); -+ } - logit("incoming seqnr wraps around"); -+ } - if (++state->p_read.packets == 0) - if (!(ssh->compat & SSH_BUG_NOREKEY)) - return SSH_ERR_NEED_REKEY; -@@ -1699,6 +1691,10 @@ - #endif - /* reset for next packet */ - state->packlen = 0; -+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { -+ 
debug_f("resetting read seqnr %u", state->p_read.seqnr); -+ state->p_read.seqnr = 0; -+ } - - if ((r = ssh_packet_check_rekey(ssh)) != 0) - return r; -@@ -1721,10 +1717,39 @@ - r = ssh_packet_read_poll2(ssh, typep, seqnr_p); - if (r != 0) - return r; -- if (*typep) { -- state->keep_alive_timeouts = 0; -- DBG(debug("received packet type %d", *typep)); -+ if (*typep == 0) { -+ /* no message ready */ -+ return 0; - } -+ state->keep_alive_timeouts = 0; -+ DBG(debug("received packet type %d", *typep)); -+ -+ /* Always process disconnect messages */ -+ if (*typep == SSH2_MSG_DISCONNECT) { -+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || -+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) -+ return r; -+ /* Ignore normal client exit notifications */ -+ do_log2(ssh->state->server_side && -+ reason == SSH2_DISCONNECT_BY_APPLICATION ? -+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, -+ "Received disconnect from %s port %d:" -+ "%u: %.400s", ssh_remote_ipaddr(ssh), -+ ssh_remote_port(ssh), reason, msg); -+ free(msg); -+ return SSH_ERR_DISCONNECTED; -+ } -+ -+ /* -+ * Do not implicitly handle any messages here during initial -+ * KEX when in strict mode. They will be need to be allowed -+ * explicitly by the KEX dispatch table or they will generate -+ * protocol errors. -+ */ -+ if (ssh->kex != NULL && -+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) -+ return 0; -+ /* Implicitly handle transport-level messages */ - switch (*typep) { - case SSH2_MSG_IGNORE: - debug3("Received SSH2_MSG_IGNORE"); -@@ -1739,19 +1764,6 @@ - debug("Remote: %.900s", msg); - free(msg); - break; -- case SSH2_MSG_DISCONNECT: -- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || -- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) -- return r; -- /* Ignore normal client exit notifications */ -- do_log2(ssh->state->server_side && -- reason == SSH2_DISCONNECT_BY_APPLICATION ? 
-- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, -- "Received disconnect from %s port %d:" -- "%u: %.400s", ssh_remote_ipaddr(ssh), -- ssh_remote_port(ssh), reason, msg); -- free(msg); -- return SSH_ERR_DISCONNECTED; - case SSH2_MSG_UNIMPLEMENTED: - if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) - return r; -@@ -2244,6 +2256,7 @@ - (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || - (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || - (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || -+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 || - (r = sshbuf_put_stringb(m, kex->my)) != 0 || - (r = sshbuf_put_stringb(m, kex->peer)) != 0 || - (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || -@@ -2406,6 +2419,7 @@ - (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || - (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || - (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || -+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 || - (r = sshbuf_get_stringb(m, kex->my)) != 0 || - (r = sshbuf_get_stringb(m, kex->peer)) != 0 || - (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || -@@ -2734,6 +2748,7 @@ - vsnprintf(buf, sizeof(buf), fmt, args); - va_end(args); - -+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf); - if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || - (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || - (r = sshpkt_put_cstring(ssh, buf)) != 0 || ---- packet.h.orig -+++ packet.h -@@ -124,7 +124,6 @@ - int ssh_packet_send2(struct ssh *); - - int ssh_packet_read(struct ssh *); --int ssh_packet_read_expect(struct ssh *, u_int type); - int ssh_packet_read_poll(struct ssh *); - int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p); - int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len); ---- sshconnect2.c.orig -+++ sshconnect2.c -@@ -358,7 +358,6 @@ - }; - - static int input_userauth_service_accept(int, u_int32_t, struct ssh *); --static int input_userauth_ext_info(int, u_int32_t, struct ssh *); - static 
int input_userauth_success(int, u_int32_t, struct ssh *); - static int input_userauth_failure(int, u_int32_t, struct ssh *); - static int input_userauth_banner(int, u_int32_t, struct ssh *); -@@ -472,7 +471,7 @@ - - ssh->authctxt = &authctxt; - ssh_dispatch_init(ssh, &input_userauth_error); -- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info); -+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info); - ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept); - ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */ - pubkey_cleanup(ssh); -@@ -523,12 +522,6 @@ - return r; - } - --static int --input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh) --{ -- return kex_input_ext_info(type, seqnr, ssh); --} -- - void - userauth(struct ssh *ssh, char *authlist) - { -@@ -607,6 +600,7 @@ - free(authctxt->methoddata); - authctxt->methoddata = NULL; - authctxt->success = 1; /* break out */ -+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error); - return 0; - } diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c new file mode 100644 index 0000000..38d366a --- /dev/null +++ b/security/openssh-portable/files/patch-auth2.c 
@@ -0,0 +1,47 @@
+--- UTC
+r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+ M /head/crypto/openssh/auth2.c
+
+Apply class-imposed login restrictions.
+
+--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700
++++ auth2.c 2020-11-16 13:55:25.222771000 -0800
+@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
+ char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ int r, authenticated = 0;
+ double tstart = monotime_double();
++#ifdef HAVE_LOGIN_CAP
++ login_cap_t *lc;
++ const char *from_host, *from_ip;
++#endif
+
+ if (authctxt == NULL)
+ fatal("input_userauth_request: no authctxt");
+@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
+ "not allowed: (%s,%s) -> (%s,%s)",
+ authctxt->user, authctxt->service, user, service);
+ }
++
++#ifdef HAVE_LOGIN_CAP
++ if (authctxt->pw != NULL &&
++ (lc = login_getpwclass(authctxt->pw)) != NULL) {
++ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++ from_ip = ssh_remote_ipaddr(ssh);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ logit("Denied connection for %.200s from %.200s [%.200s].",
++ authctxt->pw->pw_name, from_host, from_ip);
++ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
++ }
++ if (!auth_timeok(lc, time(NULL))) {
++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ authctxt->pw->pw_name, from_host);
++ ssh_packet_disconnect(ssh, "Logins not available right now.");
++ }
++ login_close(lc);
++ }
++#endif /* HAVE_LOGIN_CAP */
++
+ /* reset state */
+ auth2_challenge_stop(ssh);
+
diff --git a/security/openssh-portable/files/patch-log.c b/security/openssh-portable/files/patch-log.c
deleted file mode 100644
index bf28237..0000000
--- a/security/openssh-portable/files/patch-log.c
+++ /dev/null
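Review bot: The class restrictions added after the user/service consistency check are applied to whatever `authctxt->pw` holds at that point, and the hunk shows only the non-NULL case; if unknown user names have been mapped to a placeholder passwd entry earlier in input_userauth_request (not visible here), unknown names are checked against the default login class while real accounts get their own, and the two distinct disconnect strings then make a host- or time-restricted real account distinguishable from a nonexistent one before any credential is presented. Worth confirming that is the intended policy, or routing both refusals through one generic disconnect text and keeping the detail in the server log only. Separately, the time-refusal log line records only the hostname while the host-refusal line also records the address; `logit("LOGIN %.200s REFUSED (TIME) FROM %.200s [%.200s]", authctxt->pw->pw_name, from_host, from_ip);` keeps the two correlatable in the same log. input_userauth_request starts and ends outside the hunk.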
@@ -1,17 +0,0 @@
---- log.c.orig 2023-07-19 08:31:34.000000000 +0200
-+++ log.c 2024-10-07 17:44:12.049091000 +0200
-@@ -451,12 +451,14 @@
- sshsigdie(const char *file, const char *func, int line, int showfunc,
- LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
- va_list args;
-
- va_start(args, fmt);
- sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
- suffix, fmt, args);
- va_end(args);
-+#endif
- _exit(1);
- }
-
diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c
new file mode 100644
index 0000000..54f6db4
--- /dev/null
+++ b/security/openssh-portable/files/patch-platform-tracing.c
@@ -0,0 +1,25 @@
+--- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700
++++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700
+@@ -16,6 +16,10 @@
+
+ #include "includes.h"
+
++#if defined(HAVE_PROCCTL)
++#include
++#include
++#endif
+ #include
+ #ifdef HAVE_SYS_PROCCTL_H
+ #include
+@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
+ /* On FreeBSD, we should make this process untraceable */
+ int disable_trace = PROC_TRACE_CTL_DISABLE;
+
+- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+- fatal("unable to make the process untraceable");
++ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
++ fatal("unable to make the process untraceable: %s for pid %d",
++ strerror(errno), (int)getpid());
+ #endif
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 9fc1abc..de53881 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
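Review bot: When `strict` is zero a failing procctl() in the rewritten call is silently ignored and the process stays traceable, and the one non-strict caller visible in this commit is ssh-agent (`platform_disable_tracing(0); /* strict=no */` in the ssh-agent patch below), so a same-uid process can still attach to a process holding private keys with nothing recorded anywhere; the failure should at least be logged on the non-strict path, as in the rewrite below. The three added `#include` lines render empty in this view, presumably because the angle-bracketed header names were dropped by the renderer, so verify the committed patch names the headers that declare procctl(), getpid(), strerror() and errno. The new includes are guarded by `HAVE_PROCCTL` while the existing include uses `HAVE_SYS_PROCCTL_H`; the guard around the call itself is outside the hunk, so confirm the two macros cannot be defined independently. platform_disable_tracing starts and ends outside the hunk.
```c
	/* … unchanged: disable_trace initialisation … */
	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) != 0) {
		if (strict)
			fatal("unable to make the process untraceable: %s for pid %d",
			    strerror(errno), (int)getpid());
		/* non-strict callers keep running traceable; leave a record of it */
		debug_f("unable to make the process untraceable: %s for pid %d",
		    strerror(errno), (int)getpid());
	}
```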
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800 -+++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800 -@@ -188,11 +188,28 @@ static int restrict_websafe = 1; +--- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700 +@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; @@ -27,19 +27,17 @@ disconnected. static void close_socket(SocketEntry *e) { - size_t i; + int last = 0; - ++ + if (e->type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount - 1); + if (--xcount == 0) + last = 1; + } -+ close(e->fd); sshbuf_free(e->input); sshbuf_free(e->output); -@@ -205,6 +222,8 @@ close_socket(SocketEntry *e) +@@ -181,6 +198,8 @@ close_socket(SocketEntry *e) memset(e, '\0', sizeof(*e)); e->fd = -1; e->type = AUTH_UNUSED; @@ -48,7 +46,7 @@ disconnected. } static void -@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd) +@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd) debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); 
@@ -59,16 +57,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1990,7 +2013,7 @@ usage(void) +@@ -1360,7 +1383,7 @@ static void usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" - " [-O option] [-P allowed_providers] [-t life]\n" - " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n" - " [-P allowed_providers] [-t life] command [arg ...]\n" -@@ -2024,6 +2047,7 @@ main(int ac, char **av) + " [-P allowed_providers] [-t life]\n" + " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" + " [-t life] command [arg ...]\n" +@@ -1394,6 +1417,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -76,7 +74,7 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -2035,7 +2059,7 @@ main(int ac, char **av) +@@ -1405,7 +1429,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); @@ -85,7 +83,7 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -2084,6 +2108,9 @@ main(int ac, char **av) +@@ -1454,6 +1478,9 @@ main(int ac, char **av) fprintf(stderr, "Invalid lifetime\n"); usage(); } diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index c194964..b582ac8 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,8 +1,5 @@ -!!! -!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option. -!!! ---- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000 -+++ sshd_config 2022-02-11 18:52:31.639435000 +0000 +--- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700 ++++ sshd_config 2021-09-07 12:34:49.372652000 -0700 @@ -10,6 +10,9 @@ # possible, but leave them commented. Uncommented options override the # default value. 
@@ -23,7 +20,33 @@ #AuthorizedPrincipalsFile none -@@ -84,7 +86,7 @@ +@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys + # Don't read the user's ~/.rhosts and ~/.shosts files + #IgnoreRhosts yes + +-# To disable tunneled clear text passwords, change to no here! +-#PasswordAuthentication yes ++# To enable tunneled clear text passwords, change to yes here! ++#PasswordAuthentication no + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords +@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + +-# Set this to 'yes' to enable PAM authentication, account processing, ++# Set this to 'no' to disable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the KbdInteractiveAuthentication and + # PasswordAuthentication. Depending on your PAM configuration, +@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and KbdInteractiveAuthentication to 'no'. +-#UsePAM no ++#UsePAM yes + #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 2936c7c..4422251 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 
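Review bot: The commented defaults `#PasswordAuthentication no` and `#UsePAM yes` are now carried unconditionally in this patch, whereas the note removed from the top of the file said the PAM-dependent edits lived in a separate extra patch, so they appear to have been folded in here; if the port can still be built with PAM disabled, the sample configuration installed by such a build will advertise defaults the binary does not have. The sshd_config.5 change in the same commit is inconsistent on this point: it keeps the "unless sshd was built without PAM support" wording for PasswordAuthentication but drops it for UsePAM, which is now documented as simply `yes`. Either keep these two inner hunks conditional on the PAM option or state the assumption in the file's header comment, e.g. `# NOTE: the PasswordAuthentication/UsePAM defaults below assume a PAM-enabled build.`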
@@ -1,8 +1,8 @@ ---- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000 -+++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000 -@@ -701,7 +701,9 @@ - .Qq ssh -Q HostbasedAcceptedAlgorithms . - This was formerly named HostbasedAcceptedKeyTypes. +--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 ++++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 +@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa + The list of available key types may also be obtained using + .Qq ssh -Q key . .It Cm HostbasedAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -11,7 +11,7 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1277,7 +1279,23 @@ +@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -20,7 +20,6 @@ +.Nm sshd +was built without PAM support, in which case the default is .Cm yes . -+.Pp +Note that if +.Cm ChallengeResponseAuthentication +is @@ -35,7 +34,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1416,6 +1434,13 @@ +@@ -1232,6 +1251,13 @@ and .Cm ethernet . The default is .Cm no . @@ -49,15 +48,12 @@ .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1774,12 +1799,19 @@ +@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is -+.Cm yes , -+unless -+.Nm sshd -+was built without PAM support, in which case the default is - .Cm no . +-.Cm no . ++.Cm yes . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. 
@@ -70,7 +66,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1793,7 +1825,7 @@ +@@ -1512,7 +1541,7 @@ The argument must be or .Cm no . The default is diff --git a/security/openssh-portable/files/patch-version.h b/security/openssh-portable/files/patch-version.h deleted file mode 100644 index 73d0119..0000000 --- a/security/openssh-portable/files/patch-version.h +++ /dev/null @@ -1,9 +0,0 @@ ---- version.h.orig 2024-10-07 17:49:30.883030000 +0200 -+++ version.h 2024-10-07 17:49:42.221944000 +0200 -@@ -2,5 +2,5 @@ - - #define SSH_VERSION "OpenSSH_9.3" - --#define SSH_PORTABLE "p2" -+#define SSH_PORTABLE "klara-p2" - #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/security/openssh-portable/pkg-descr b/security/openssh-portable/pkg-descr index d9dee49..2a378e7 100644 --- a/security/openssh-portable/pkg-descr +++ b/security/openssh-portable/pkg-descr @@ -11,3 +11,5 @@ The portable OpenSSH follows development of the official version, but releases are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1). The official OpenBSD source will never use the 'p' suffix, but will instead increment the version number when they hit 'stable spots' in their development. + +WWW: https://www.openssh.com/portable.html