diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index b77a243..6d3a77d 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,8 +1,8 @@ # Created by: dwcjr@inethouston.net PORTNAME= openssh -DISTVERSION= 8.8p1 -PORTREVISION= 1 +DISTVERSION= 9.0p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -67,6 +67,8 @@ BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes +PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config + TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} 
@@ -100,21 +102,21 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi -BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. +#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. -GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2 +GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-1 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?=/ trick. PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location -GSSAPI_UPDATE_DATE= 20200607 +GSSAPI_UPDATE_DATE= 20220203 PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-auth2-gss.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c .endif diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index f08db16..9f50039 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo 
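Review bot: `#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.` is commented out rather than deleted, so the Makefile keeps a stale line that reads as if the option is still unsupported, while the `GSSAPI_UPDATE_DATE` and `GSSAPI_DEBIAN_SUBDIR` bumps in the same hunk already record that the patch was refreshed for 9.0p1. Remove the line; if the intent is to keep a template for the next version gap, a plain comment such as `# Re-add BROKEN here when the Debian gsskex patch lags a new DISTVERSION` says that without looking like a disabled knob.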
@@ -1,3 +1,5 @@
-TIMESTAMP = 1634059537
-SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
-SIZE (openssh-8.8p1.tar.gz) = 1815060
+TIMESTAMP = 1654549050
+SHA256 (openssh-9.0p1.tar.gz) = 03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a
+SIZE (openssh-9.0p1.tar.gz) = 1822183
+SHA256 (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = d2f4c7bb1bc33540605a3bb0c9517d7b4ed2f5d77c24f7afcd64891be59f4ed2
+SIZE (openssh-9.0p1-gsskex-all-20141021-debian-rh-20220203.patch) = 127245
diff --git a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
new file mode 100644
index 0000000..3f9694c
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
@@ -0,0 +1,19 @@
+--- auth2-gss.c.orig 2022-03-03 10:56:35.668672000 -0800
++++ auth2-gss.c 2022-03-03 11:03:16.048838000 -0800
+@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+ static int
+-userauth_gsskeyex(struct ssh *ssh)
++userauth_gsskeyex(struct ssh *ssh, const char *method)
+ {
+ Authctxt *authctxt = ssh->authctxt;
+ int r, authenticated = 0;
+@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh
+ 
+ Authmethod method_gsskeyex = {
+ "gssapi-keyex",
++ NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication
+ };
diff --git a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
deleted file mode 100644
index 7cb08ee..0000000
--- a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
+++ /dev/null
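Review bot: The `NULL` inserted into the `method_gsskeyex` initializer fills a positional slot without naming the field, so the next change to `struct Authmethod` would shift `userauth_gsskeyex` and `&options.gss_authentication` into the wrong members with no compiler complaint; a trailing comment, `NULL, /* synonym */`, records the intent (presumably the synonym field that 9.0 placed between the name and the callback — confirm against auth.h). The new `method` parameter of `userauth_gsskeyex` is unused in the visible body; if it exists only to match the callback prototype, a one-line comment saying so, or `(void)method;` at the top of the body, keeps -Wunused-parameter quiet and tells the reader it is deliberate. userauth_gsskeyex's body continues outside the hunk.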
@@ -1,12 +0,0 @@ -Avoid free(const char*) ---- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800 -+++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800 -@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh) - /* Fall back to specified host if we are using proxy command - * and can not use DNS on that socket */ - if (strcmp(gss_host, "UNKNOWN") == 0) { -- gss_host = authctxt->host; -+ gss_host = xstrdup(authctxt->host); - } - } else { - gss_host = xstrdup(authctxt->host); diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index ed7a78a..907775d 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn @@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o free(cipher_list); return 0; } ---- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700 -@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques +--- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800 ++++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800 +@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques sock = x11_connect_display(ssh); if (sock < 0) return NULL; @@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ - __func__, ssh_err(r)); - return NULL; - } +@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ + else + debug2_fr(r, "ssh_agent_bind_hostkey"); + +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new(ssh, "authentication agent connection", 
@@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, -@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, +@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, } debug("Tunnel forwarding using interface %s", ifname); diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config new file mode 100644 index 0000000..9b6b261 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-pam-sshd_config @@ -0,0 +1,31 @@ +--- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000 ++++ sshd_config 2022-02-11 19:20:45.334738000 +0000 +@@ -55,8 +55,8 @@ + # Don't read the user's ~/.rhosts and ~/.shosts files + #IgnoreRhosts yes + +-# To disable tunneled clear text passwords, change to no here! +-#PasswordAuthentication yes ++# To enable tunneled clear text passwords, change to yes here! ++#PasswordAuthentication no + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords +@@ -72,7 +72,7 @@ + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + +-# Set this to 'yes' to enable PAM authentication, account processing, ++# Set this to 'no' to disable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the KbdInteractiveAuthentication and + # PasswordAuthentication. Depending on your PAM configuration, +@@ -81,7 +81,7 @@ + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and KbdInteractiveAuthentication to 'no'. +-#UsePAM no ++#UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes 
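Review bot: The `#PasswordAuthentication no` and `#UsePAM yes` lines in extra-patch-pam-sshd_config only rewrite the commented sample config, yet they read as the server's built-in defaults; that is accurate only if sshd's compiled defaults are changed in the same PAM-conditional way, and no servconf.c change is visible in this diff, so please confirm the port carries one, otherwise the sample file misdocuments two security-relevant defaults. The file is applied solely via `PAM_EXTRA_PATCHES` (Makefile hunk at -67), and the patch-sshd_config.5 change later in this commit states the same PAM-conditional defaults, so the three must move together. Since patch-sshd_config already uses free-text `!!!` header lines that patch(1) ignores, a similar header here, `!!! Applied only with the PAM option; keep in sync with patch-sshd_config.5 and the servconf.c defaults.`, would record the dependency where the next updater will see it.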
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index ba8cc71..ba7d283 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -83,11 +83,9 @@ index 0ade557..045f149 100644 /* Log the connection. */ laddr = get_local_ipaddr(sock_in); -diff --git configure.ac configure.ac -index f48ba4a..66fbe82 100644 ---- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700 -+++ configure.ac 2019-07-02 20:58:48.627832000 -0700 -@@ -1494,6 +1494,62 @@ else +--- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800 ++++ configure.ac 2022-03-02 12:47:49.958341000 -0800 +@@ -1599,6 +1599,62 @@ else AC_MSG_RESULT([no]) fi @@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644 # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG" +@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG" echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" +echo " TCP Wrappers support: $TCPW_MSG" - echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " libldns support: $LDNS_MSG" + echo " Solaris process contract support: $SPC_MSG" diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in index a8c0043..9526a70 100644 --- a/security/openssh-portable/files/openssh.in +++ b/security/openssh-portable/files/openssh.in 
@@ -22,6 +22,16 @@ load_rc_config ${name} : ${openssh_enable:="NO"} : ${openssh_skipportscheck="NO"} +# These only control ssh-keygen automatically generating host keys. +: ${openssh_dsa_enable="YES"} +: ${openssh_dsa_flags=""} +: ${openssh_rsa_enable="YES"} +: ${openssh_rsa_flags=""} +: ${openssh_ecdsa_enable="YES"} +: ${openssh_ecdsa_flags=""} +: ${openssh_ed25519_enable="YES"} +: ${openssh_ed25519_flags=""} + command=%%PREFIX%%/sbin/sshd extra_commands="configtest reload keygen" start_precmd="${name}_checks" @@ -33,10 +43,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"} openssh_keygen() { - if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \ - -f %%ETCDIR%%/ssh_host_rsa_key -a \ - -f %%ETCDIR%%/ssh_host_ecdsa_key -a \ - -f %%ETCDIR%%/ssh_host_ed25519_key ]; then + local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519= + checkyesno openssh_dsa_enable || skip_dsa=y + checkyesno openssh_rsa_enable || skip_rsa=y + checkyesno openssh_ecdsa_enable || skip_ecdsa=y + checkyesno openssh_ed25519_enable || skip_ed25519=y + + if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \ + \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \ + \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \ + \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then return 0 fi @@ -50,8 +66,8 @@ openssh_keygen() echo "You already have a DSA host key" \ "in %%ETCDIR%%/ssh_host_dsa_key" echo "Skipping protocol version 2 DSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t dsa \ + elif checkyesno openssh_dsa_enable; then + %%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \ -f %%ETCDIR%%/ssh_host_dsa_key -N '' fi @@ -59,8 +75,8 @@ openssh_keygen() echo "You already have a RSA host key" \ "in %%ETCDIR%%/ssh_host_rsa_key" echo "Skipping protocol version 2 RSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t rsa \ + elif checkyesno openssh_rsa_enable; then + %%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \ -f %%ETCDIR%%/ssh_host_rsa_key -N '' fi 
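Review bot: `: ${openssh_dsa_enable="YES"}` makes a fresh install keep generating a DSA host key in %%ETCDIR%% by default, although ssh-dss has been absent from OpenSSH's default HostKeyAlgorithms since 7.0 and a 9.0 client will not use it without explicit configuration; defaulting the knob to `"NO"` avoids creating a weak, unused key on every new system, and if YES is kept for compatibility with existing installs a comment next to the block should say so. The eight new knobs use `=` rather than the `:=` form of the existing `openssh_enable:="NO"` line, so a value set empty in rc.conf stays empty and reaches checkyesno, which warns and treats it as no; `: ${openssh_dsa_enable:="YES"}` (and likewise for the others) is the safer spelling. openssh_keygen()'s body continues past this hunk into the next ones.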
@@ -68,8 +84,8 @@ openssh_keygen() echo "You already have a Elliptic Curve DSA host key" \ "in %%ETCDIR%%/ssh_host_ecdsa_key" echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t ecdsa \ + elif checkyesno openssh_ecdsa_enable; then + %%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \ -f %%ETCDIR%%/ssh_host_ecdsa_key -N '' fi @@ -77,8 +93,8 @@ openssh_keygen() echo "You already have a Elliptic Curve ED25519 host key" \ "in %%ETCDIR%%/ssh_host_ed25519_key" echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t ed25519 \ + elif checkyesno openssh_ed25519_enable; then + %%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \ -f %%ETCDIR%%/ssh_host_ed25519_key -N '' fi } @@ -156,7 +172,7 @@ openssh_checks() fi fi - run_rc_command keygen + openssh_keygen openssh_configtest } diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata new file mode 100644 index 0000000..bf38892 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata 
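Review bot: `$openssh_ed22519_flags` in the ed25519 branch of openssh_keygen() is a typo for `$openssh_ed25519_flags`; the misspelled variable is never defined, so any flags an administrator sets in rc.conf are silently dropped for the ed25519 host key while they take effect for the other three key types. The line should read `%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed25519_flags \`. The ecdsa and rsa branches in the neighbouring hunks spell their variables correctly, so this is the only occurrence.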
@@ -0,0 +1,43 @@
+commit fc3c19a9fceeea48a9259ac3833a125804342c0e
+Author: Ed Maste
+Date: Sat Oct 6 21:32:55 2018 +0000
+
+ sshd: address capsicum issues
+
+ * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
+ capability mode.
+ * Cache timezone data via caph_cache_tzdata() as we cannot access the
+ timezone file.
+ * Reverse resolve hostname before entering capability mode.
+
+ PR: 231172
+ Submitted by: naito.yuichiro@gmail.com
+ Reviewed by: cem, des
+ Approved by: re (rgrimes)
+ MFC after: 3 weeks
+ Differential Revision: https://reviews.freebsd.org/D17128
+
+Notes:
+ svn path=/head/; revision=339216
+
+diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
+index 5f41d526292b..f728abd18250 100644
+--- sandbox-capsicum.c
++++ sandbox-capsicum.c
+@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
+ #include
+ #include
+ #include
++#include
+ 
+ #include "log.h"
+ #include "monitor.h"
+@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
+ struct rlimit rl_zero;
+ cap_rights_t rights;
+ 
++ caph_cache_tzdata();
++
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ 
+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap
new file mode 100644
index 0000000..78d772e
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-logincap
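Review bot: The pasted FreeBSD commit header describes three changes (a login_getpwclass wrapper, timezone caching, reverse hostname resolution before entering capability mode) but the patch body carries only the two `caph_cache_tzdata()` hunks, so a reader will search this file for the other two and wonder whether they were dropped by mistake. Trim the header to the relevant bullet, or add a line after the trailers such as `Only the caph_cache_tzdata() part of the commit is carried here; the other two items are not part of this patch.` so the scope is explicit. ssh_sandbox_child()'s body continues outside the nested hunk.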
@@ -0,0 +1,69 @@ +(pulled from the PR) + +commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8 +Author: Ed Maste +Date: Tue Aug 31 15:30:50 2021 -0400 + + openssh: simplify login class restrictions + + Login class-based restrictions were introduced in 5b400a39b8ad. The + code was adapted for sshd's Capsicum sandbox and received many changes + over time, including at least fc3c19a9fcee, bd393de91cc3, and + e8c56fba2926. + + During an attempt to upstream the work a much simpler approach was + suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with + future updates. + + Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) + Obtained from: https://github.com/openssh/openssh-portable/pull/262 + Reviewed by: allanjude, kevans + MFC after: 2 weeks + Differential Revision: https://reviews.freebsd.org/D31760 + + +--- auth.c ++++ auth.c +@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user) + { + #ifdef HAVE_LOGIN_CAP + extern login_cap_t *lc; ++#ifdef HAVE_AUTH_HOSTOK ++ const char *from_host, *from_ip; ++#endif + #ifdef BSD_AUTH + auth_session_t *as; + #endif +@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user) + debug("unable to get login class: %s", user); + return (NULL); + } ++#ifdef HAVE_AUTH_HOSTOK ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ debug("Denied connection for %.200s from %.200s [%.200s].", ++ pw->pw_name, from_host, from_ip); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_HOSTOK */ ++#ifdef HAVE_AUTH_TIMEOK ++ if (!auth_timeok(lc, time(NULL))) { ++ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_TIMEOK */ + #ifdef BSD_AUTH + if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || + auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { +--- configure.ac ++++ configure.ac +@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG]) + + dnl Checks for library 
functions. Please keep in alphabetical order + AC_CHECK_FUNCS([ \ ++ auth_hostok \ ++ auth_timeok \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c deleted file mode 100644 index 38d366a..0000000 --- a/security/openssh-portable/files/patch-auth2.c +++ /dev/null @@ -1,47 +0,0 @@ ---- UTC -r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/auth2.c - -Apply class-imposed login restrictions. - ---- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ auth2.c 2020-11-16 13:55:25.222771000 -0800 -@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct - char *user = NULL, *service = NULL, *method = NULL, *style = NULL; - int r, authenticated = 0; - double tstart = monotime_double(); -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+ const char *from_host, *from_ip; -+#endif - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct - "not allowed: (%s,%s) -> (%s,%s)", - authctxt->user, authctxt->service, user, service); - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL && -+ (lc = login_getpwclass(authctxt->pw)) != NULL) { -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ ssh_packet_disconnect(ssh, "Logins not available right now."); -+ } -+ login_close(lc); -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ - /* reset state */ - auth2_challenge_stop(ssh); - 
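Review bot: Denials by the login-class host and time restrictions are recorded only with `debug()` in the new getpwnamallow() block, whereas the patch-auth2.c being deleted in this same commit logged them with `logit()` plus an explicit disconnect message; at the default LogLevel INFO an operator now sees only a generic failed login with nothing indicating that class policy fired, which hurts both detection and troubleshooting. Consider `logit("Denied connection for %.200s from %.200s [%.200s].", pw->pw_name, from_host, from_ip);` and `logit("LOGIN %.200s REFUSED (TIME)", pw->pw_name);` to keep parity with the previous behaviour, or, if the lower level is deliberate because this follows the upstream PR 262 shape, a one-line comment above the `#ifdef HAVE_AUTH_HOSTOK` block saying so. Returning NULL makes the user look invalid to the caller, so the message text is the only place the reason survives. getpwnamallow()'s body starts and ends outside the hunk.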
diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c index 54f6db4..160def2 100644 --- a/security/openssh-portable/files/patch-platform-tracing.c +++ b/security/openssh-portable/files/patch-platform-tracing.c @@ -1,25 +1,21 @@ ---- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700 -+++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700 -@@ -16,6 +16,10 @@ - - #include "includes.h" - +--- platform-tracing.c.orig 2022-03-07 14:48:27.152541000 -0800 ++++ platform-tracing.c 2022-03-07 14:56:33.402458000 -0800 +@@ -32,6 +32,9 @@ + #include + #include + #include +#if defined(HAVE_PROCCTL) -+#include +#include +#endif - #include - #ifdef HAVE_SYS_PROCCTL_H - #include -@@ -40,8 +44,9 @@ platform_disable_tracing(int strict) + + #include "log.h" + +@@ -42,7 +45,7 @@ platform_disable_tracing(int strict) /* On FreeBSD, we should make this process untraceable */ int disable_trace = PROC_TRACE_CTL_DISABLE; - if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict) -- fatal("unable to make the process untraceable"); + if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict) -+ fatal("unable to make the process untraceable: %s for pid %d", -+ strerror(errno), (int)getpid()); + fatal("unable to make the process untraceable: %s", + strerror(errno)); #endif - #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) - /* Disable ptrace on Linux without sgid bit */ diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index de53881..2937b4a 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c 
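Review bot: When `strict` is 0 the refreshed line `if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)` swallows a failed procctl() completely; the patch-ssh-agent.c context in this commit shows ssh-agent calling `platform_disable_tracing(0)`, so an agent holding private keys can remain traceable with no trace in its logs. Keeping `fatal()` for the strict path and adding a debug-level message for the non-strict path preserves sshd's behaviour while giving the agent case a diagnostic; `log.h` is already included by this file per the hunk's context. A short comment on why 0 became `getpid()` (presumably because a zero id is not accepted as "self" on every FreeBSD release — confirm) would also save the next updater from reverting it. platform_disable_tracing()'s body continues outside the nested hunk.
```c
	int disable_trace = PROC_TRACE_CTL_DISABLE;

	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) != 0) {
		if (strict)
			fatal("unable to make the process untraceable: %s",
			    strerror(errno));
		debug("unable to make the process untraceable: %s",
		    strerror(errno));
	}
	/* … unchanged: #endif and the HAVE_PRCTL branch … */
```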
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700 -@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +--- ssh-agent.c.orig 2022-02-23 03:31:11.000000000 -0800 ++++ ssh-agent.c 2022-03-02 12:50:47.745853000 -0800 +@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; @@ -27,17 +27,19 @@ disconnected. static void close_socket(SocketEntry *e) { + size_t i; + int last = 0; -+ + + if (e->type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount - 1); + if (--xcount == 0) + last = 1; + } ++ close(e->fd); sshbuf_free(e->input); sshbuf_free(e->output); -@@ -181,6 +198,8 @@ close_socket(SocketEntry *e) +@@ -206,6 +223,8 @@ close_socket(SocketEntry *e) memset(e, '\0', sizeof(*e)); e->fd = -1; e->type = AUTH_UNUSED; @@ -46,7 +48,7 @@ disconnected. } static void -@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd) +@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd) debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); @@ -57,7 +59,7 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1360,7 +1383,7 @@ static void +@@ -1999,7 +2022,7 @@ static void usage(void) { fprintf(stderr, @@ -66,7 +68,7 @@ disconnected. " [-P allowed_providers] [-t life]\n" " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" " [-t life] command [arg ...]\n" -@@ -1394,6 +1417,7 @@ main(int ac, char **av) +@@ -2033,6 +2056,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); 
@@ -74,7 +76,7 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -1405,7 +1429,7 @@ main(int ac, char **av) +@@ -2044,7 +2068,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); @@ -83,7 +85,7 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1454,6 +1478,9 @@ main(int ac, char **av) +@@ -2093,6 +2117,9 @@ main(int ac, char **av) fprintf(stderr, "Invalid lifetime\n"); usage(); } diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index b582ac8..c194964 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,5 +1,8 @@ ---- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700 -+++ sshd_config 2021-09-07 12:34:49.372652000 -0700 +!!! +!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option. +!!! +--- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000 ++++ sshd_config 2022-02-11 18:52:31.639435000 +0000 @@ -10,6 +10,9 @@ # possible, but leave them commented. Uncommented options override the # default value. 
@@ -20,33 +23,7 @@ #AuthorizedPrincipalsFile none -@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes - --# To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+# To enable tunneled clear text passwords, change to yes here! -+#PasswordAuthentication no - #PermitEmptyPasswords no - - # Change to no to disable s/key passwords -@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes - --# Set this to 'yes' to enable PAM authentication, account processing, -+# Set this to 'no' to disable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will - # be allowed through the KbdInteractiveAuthentication and - # PasswordAuthentication. Depending on your PAM configuration, -@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. --#UsePAM no -+#UsePAM yes - +@@ -84,7 +86,7 @@ #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 4422251..2936c7c 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 
@@ -1,8 +1,8 @@ ---- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 -+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 -@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa - The list of available key types may also be obtained using - .Qq ssh -Q key . +--- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000 ++++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000 +@@ -701,7 +701,9 @@ + .Qq ssh -Q HostbasedAcceptedAlgorithms . + This was formerly named HostbasedAcceptedKeyTypes. .It Cm HostbasedAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -11,7 +11,7 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic +@@ -1277,7 +1279,23 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -20,6 +20,7 @@ +.Nm sshd +was built without PAM support, in which case the default is .Cm yes . ++.Pp +Note that if +.Cm ChallengeResponseAuthentication +is @@ -34,7 +35,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1232,6 +1251,13 @@ and +@@ -1416,6 +1434,13 @@ .Cm ethernet . The default is .Cm no . @@ -48,12 +49,15 @@ .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run +@@ -1774,12 +1799,19 @@ .Xr sshd 8 as a non-root user. The default is --.Cm no . -+.Cm yes . ++.Cm yes , ++unless ++.Nm sshd ++was built without PAM support, in which case the default is + .Cm no . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. 
@@ -66,7 +70,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1512,7 +1541,7 @@ The argument must be +@@ -1793,7 +1825,7 @@ or .Cm no . The default is