From 713b5d7dbb92ede5e1a33f5c4a4404be5b332923 Mon Sep 17 00:00:00 2001 From: Xavier Beaudouin Date: Tue, 8 Oct 2024 15:12:26 +0200 Subject: [PATCH] 9.3 --- security/openssh-portable/distinfo | 8 +- .../files/extra-patch-blacklistd | 8 +- .../files/extra-patch-gssapi-auth2-gss.c | 19 ++++ .../files/extra-patch-gssapi-sshconnect2.c | 12 --- .../openssh-portable/files/extra-patch-hpn | 95 ++++++++----------- .../files/extra-patch-hpn-compat | 20 ++-- .../files/extra-patch-pam-sshd_config | 31 ++++++ .../files/extra-patch-tcpwrappers | 12 +-- security/openssh-portable/files/openssh.in | 42 +++++--- .../files/patch-FreeBSD-logincap | 69 ++++++++++++++ security/openssh-portable/files/patch-auth2.c | 47 --------- security/openssh-portable/files/patch-log.c | 17 ---- .../files/patch-platform-tracing.c | 25 ----- .../openssh-portable/files/patch-ssh-agent.c | 28 +++--- .../openssh-portable/files/patch-sshd_config | 35 ++----- .../files/patch-sshd_config.5 | 26 ++--- security/openssh-portable/pkg-descr | 2 - 17 files changed, 247 insertions(+), 249 deletions(-) create mode 100644 security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c delete mode 100644 security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c create mode 100644 security/openssh-portable/files/extra-patch-pam-sshd_config create mode 100644 security/openssh-portable/files/patch-FreeBSD-logincap delete mode 100644 security/openssh-portable/files/patch-auth2.c delete mode 100644 security/openssh-portable/files/patch-log.c delete mode 100644 security/openssh-portable/files/patch-platform-tracing.c diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index f08db16..244080a 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo 
@@ -1,3 +1,5 @@ -TIMESTAMP = 1634059537 -SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9 -SIZE (openssh-8.8p1.tar.gz) = 1815060 +TIMESTAMP = 1695396338 +SHA256 (openssh-9.3p2.tar.gz) = 200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8 +SIZE (openssh-9.3p2.tar.gz) = 1835850 +SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 9492c1db4307aa3fe6e12d77fff01376bf275af2980ae55b926a505aae9e9b14 +SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131674 diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd index a8e9505..7bb88b2 100644 --- a/security/openssh-portable/files/extra-patch-blacklistd +++ b/security/openssh-portable/files/extra-patch-blacklistd @@ -351,15 +351,15 @@ if (use_privsep) { if (privsep_preauth(ssh) == 1) ---- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800 -+++ Makefile.in 2020-11-16 16:28:28.083007000 -0800 -@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) +--- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 ++++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 +@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ @UNSUPPORTED_ALGORITHMS@ +LIBSSH_OBJS+= blacklist.o + - all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) + all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) $(LIBSSH_OBJS): Makefile.in config.h --- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 diff --git a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c new file mode 100644 index 0000000..3f9694c --- /dev/null +++ b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c 
@@ -0,0 +1,19 @@
+--- auth2-gss.c.orig 2022-03-03 10:56:35.668672000 -0800
++++ auth2-gss.c 2022-03-03 11:03:16.048838000 -0800
+@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+ static int
+-userauth_gsskeyex(struct ssh *ssh)
++userauth_gsskeyex(struct ssh *ssh, const char *method)
+ {
+ Authctxt *authctxt = ssh->authctxt;
+ int r, authenticated = 0;
+@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh
+ 
+ Authmethod method_gsskeyex = {
+ "gssapi-keyex",
++ NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication
+ };
diff --git a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
deleted file mode 100644
index 7cb08ee..0000000
--- a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
+++ /dev/null
@@ -1,12 +0,0 @@
-Avoid free(const char*)
---- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800
-+++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800
-@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
- /* Fall back to specified host if we are using proxy command
- * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) {
-- gss_host = authctxt->host;
-+ gss_host = xstrdup(authctxt->host);
- }
- } else {
- gss_host = xstrdup(authctxt->host);
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index ed7a78a..5dd34d2 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
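Review bot: This new helper patch has no header comment, and it needs one: distinfo in the same commit pins `openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch` against the `openssh-9.3p2.tar.gz` source, so a reader cannot tell whether the `const char *method` argument and the positional `NULL` inserted into `Authmethod method_gsskeyex` are fixing up a deliberate 9.4p1-on-9.3p2 pairing or papering over a version mismatch. A first line such as `Adapt the gsskex patch's userauth_gsskeyex/method_gsskeyex to this release's Authmethod layout (name, synonym, userauth, enabled); the gsskex patch in distinfo is the 9.4p1 one applied to the 9.3p2 tree.` would record that decision. The positional `NULL` depends on struct field order, so the comment should name which slot it fills; `method` is accepted but not used inside the hunk, which is fine if it only has to match the callback type. The rest of userauth_gsskeyex lies outside the hunk.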
@@ -131,9 +131,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + (tasota@gmail.com) an NSF REU grant recipient for 2013. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. ---- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700 -@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann +--- channels.c.orig 2023-02-02 04:21:54.000000000 -0800 ++++ channels.c 2023-02-03 10:45:34.136793000 -0800 +@@ -229,6 +229,12 @@ static void channel_handler_init(struct ssh_channels * /* Setup helper */ static void channel_handler_init(struct ssh_channels *sc); @@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* -- channel core */ void -@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in +@@ -495,6 +501,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in c->local_window = window; c->local_window_max = window; c->local_maxpacket = maxpack; @@ -156,8 +156,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c->remote_name = xstrdup(remote_name); c->ctl_chan = -1; c->delayed = 1; /* prevent call to channel_post handler */ -@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, - FD_SET(c->sock, writeset); +@@ -1190,6 +1199,30 @@ channel_set_fds(struct ssh *ssh, int id, int rfd, int + fatal_fr(r, "channel %i", c->self); } +#ifdef HPN_ENABLED 
@@ -185,9 +185,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif + static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) -@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c) + channel_pre_listener(struct ssh *ssh, Channel *c) + { +@@ -2301,18 +2334,29 @@ channel_check_window(struct ssh *ssh, Channel *c) c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { @@ -220,7 +220,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c->local_consumed = 0; } return 1; -@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis +@@ -3709,6 +3753,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis return addr; } @@ -238,7 +238,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o static int channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, struct Forward *fwd, int *allocated_listen_port, -@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int +@@ -3848,6 +3903,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int } /* Allocate a channel number for the socket. */ 
@@ -248,15 +248,15 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + * window size. + */ + if (!hpn_disabled) -+ c = channel_new(ssh, "port listener", type, sock, sock, -1, -+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, ++ c = channel_new(ssh, "port listener", type, sock, sock, ++ -1, hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); + else +#endif - c = channel_new(ssh, "port listener", type, sock, sock, -1, + c = channel_new(ssh, "port-listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); -@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ +@@ -5016,6 +5082,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; @@ -268,7 +268,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + 0, "X11 inet listener", 1); + else +#endif - nc = channel_new(ssh, "x11 listener", + nc = channel_new(ssh, "x11-listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, --- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 @@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o free(cipher_list); return 0; } ---- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700 -@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques +--- work/openssh/clientloop.c.orig 2022-02-23 03:31:11.000000000 -0800 ++++ work/openssh/clientloop.c 2022-03-02 12:53:47.624273000 -0800 +@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques sock = x11_connect_display(ssh); if (sock < 0) return NULL; 
@@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ - __func__, ssh_err(r)); - return NULL; - } +@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ + else + debug2_fr(r, "ssh_agent_bind_hostkey"); + +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new(ssh, "authentication agent connection", @@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o c = channel_new(ssh, "authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, -@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, +@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, } debug("Tunnel forwarding using interface %s", ifname); @@ -1119,9 +1119,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o sshpkt_fatal(ssh, r, "banner exchange"); /* Put the connection into non-blocking mode. */ ---- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700 -+++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700 -@@ -84,7 +84,13 @@ +--- work/openssh/sshconnect2.c.orig 2023-03-15 14:28:19.000000000 -0700 ++++ work/openssh/sshconnect2.c 2023-05-19 14:20:01.965073000 -0700 +@@ -83,7 +83,13 @@ extern Options options; extern char *client_version_string; extern char *server_version_string; extern Options options; 
@@ -1135,29 +1135,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * SSH2 key exchange */ -@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd - return ret; - } - -+static char *myproposal[PROPOSAL_MAX]; -+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; - void - ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - const struct ssh_conn_info *cinfo) - { -- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; - char *s, *all_key; - int r, use_known_hosts_order = 0; - -@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr - fatal_fr(r, "kex_assemble_namelist"); - free(all_key); - -+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); - if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) - fatal_f("kex_names_cat"); - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); -@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, +@@ -482,6 +488,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, if (!authctxt.success) fatal("Authentication failed."); @@ -1169,11 +1147,16 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + * tty allocated. + */ + if ((options.none_switch == 1) && (options.none_enabled == 1)) { ++ char *myproposal[PROPOSAL_MAX]; ++ char *s = NULL; ++ const char *none_cipher = "none"; ++ + if (!tty_flag) { /* no null on tty sessions */ + debug("Requesting none rekeying..."); -+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); -+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; ++ kex_proposal_populate_entries(ssh, myproposal, s, none_cipher, ++ options.macs, ++ compression_alg_list(options.compression), ++ options.hostkeyalgorithms); + kex_prop2buf(ssh->kex->my, myproposal); + packet_request_rekeying(); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); 
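Review bot: In the none-cipher rekey block the new call `kex_proposal_populate_entries(ssh, myproposal, s, none_cipher, ...)` passes `s`, which is declared as `char *s = NULL;` and never assigned, in the KexAlgorithms position, so the rekey proposal no longer carries options.kex_algorithms; the lines this hunk removes built that slot from `kex_names_cat(options.kex_algorithms, "ext-info-c")`. As far as I recall kex_proposal_populate_entries falls back to its built-in default list when given a NULL kexalgos, which would silently discard a hardened KexAlgorithms setting for exactly the rekey that switches to the none cipher; passing `options.kex_algorithms` and dropping the dead `s` keeps the configured list. The strings it fills into myproposal are heap-allocated and nothing visible here releases them after `kex_prop2buf`, so a `kex_proposal_free_entries(myproposal);` after that call looks warranted — confirm against the full block, since ssh_userauth2 continues past the hunk.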
@@ -1286,11 +1269,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no ---- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700 -+++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700 +--- version.h.orig 2023-07-18 23:31:34.000000000 -0700 ++++ version.h 2023-07-21 07:27:08.311422000 -0700 @@ -4,3 +4,4 @@ - #define SSH_PORTABLE "p1" + #define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_HPN "-hpn14v15" --- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700 diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index c47d0a1..6f6a0e1 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat @@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ ---- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700 -+++ readconf.c 2021-04-27 11:25:24.222034000 -0700 -@@ -316,6 +316,12 @@ static struct { - { "proxyjump", oProxyJump }, - { "securitykeyprovider", oSecurityKeyProvider }, +--- readconf.c.orig 2023-02-03 11:17:45.506822000 -0800 ++++ readconf.c 2023-02-03 11:30:14.894959000 -0800 +@@ -323,6 +323,12 @@ static struct { { "knownhostscommand", oKnownHostsCommand }, + { "requiredrsasize", oRequiredRSASize }, + { "enableescapecommandline", oEnableEscapeCommandline }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, 
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well. { NULL, oBadOption } }; ---- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800 -+++ servconf.c 2020-03-21 17:01:18.011062000 -0700 +--- servconf.c.orig 2023-02-02 04:21:54.000000000 -0800 ++++ servconf.c 2023-02-03 11:31:00.387624000 -0800 @@ -695,6 +695,10 @@ static struct { - { "rdomain", sRDomain, SSHCFG_ALL }, - { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, - { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, + { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, + { "channeltimeout", sChannelTimeout, SSHCFG_ALL }, + { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config new file mode 100644 index 0000000..9b6b261 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-pam-sshd_config 
@@ -0,0 +1,31 @@
+--- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000
++++ sshd_config 2022-02-11 19:20:45.334738000 +0000
+@@ -55,8 +55,8 @@
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
+ 
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
++# To enable tunneled clear text passwords, change to yes here!
++#PasswordAuthentication no
+ #PermitEmptyPasswords no
+ 
+ # Change to no to disable s/key passwords
+@@ -72,7 +72,7 @@
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
+ 
+-# Set this to 'yes' to enable PAM authentication, account processing,
++# Set this to 'no' to disable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+ # be allowed through the KbdInteractiveAuthentication and
+ # PasswordAuthentication. Depending on your PAM configuration,
+@@ -81,7 +81,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++#UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index ba8cc71..ba7d283 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -83,11 +83,9 @@ index 0ade557..045f149 100644
 /* Log the connection. */
 laddr = get_local_ipaddr(sock_in);
-diff --git configure.ac configure.ac
-index f48ba4a..66fbe82 100644
---- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700
-+++ configure.ac 2019-07-02 20:58:48.627832000 -0700
-@@ -1494,6 +1494,62 @@ else
+--- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800
++++ configure.ac 2022-03-02 12:47:49.958341000 -0800
+@@ -1599,6 +1599,62 @@ else
 AC_MSG_RESULT([no])
 fi
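Review bot: The three edits in this new file only touch commented-out lines (`#PasswordAuthentication no`, `#UsePAM yes`) and the prose around them, so they describe a default rather than set one, and nothing in this commit shows the matching change to the compiled-in defaults in servconf.c. The sshd_config.5 patch later in this commit documents the same PAM-conditional defaults, so the sample config, the man page and the binary now make a three-way claim that has to stay in step. If the built-in defaults are changed by a file not touched here, a leading header line in this file naming it (the way the `!!!` note added to patch-sshd_config points back here) would make that visible; if they are not, operators reading the sample will believe password authentication is off while it is on.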
@@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644 # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG" +@@ -5593,6 +5649,7 @@ echo " PAM support: $PAM_MSG" echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" +echo " TCP Wrappers support: $TCPW_MSG" - echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " libldns support: $LDNS_MSG" + echo " Solaris process contract support: $SPC_MSG" diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in index a8c0043..9526a70 100644 --- a/security/openssh-portable/files/openssh.in +++ b/security/openssh-portable/files/openssh.in @@ -22,6 +22,16 @@ load_rc_config ${name} : ${openssh_enable:="NO"} : ${openssh_skipportscheck="NO"} +# These only control ssh-keygen automatically generating host keys. +: ${openssh_dsa_enable="YES"} +: ${openssh_dsa_flags=""} +: ${openssh_rsa_enable="YES"} +: ${openssh_rsa_flags=""} +: ${openssh_ecdsa_enable="YES"} +: ${openssh_ecdsa_flags=""} +: ${openssh_ed25519_enable="YES"} +: ${openssh_ed25519_flags=""} + command=%%PREFIX%%/sbin/sshd extra_commands="configtest reload keygen" start_precmd="${name}_checks" 
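Review bot: `: ${openssh_dsa_enable="YES"}` turns DSA host-key generation on by default, but sshd has not offered ssh-dss host keys by default since 7.0 and ssh-keygen still limits DSA to 1024-bit keys, so the default creates an unused weak key on every fresh host; `: ${openssh_dsa_enable="NO"}` with the other three left at YES keeps the opt-in for sites that still need it. The new knobs use the `${var="YES"}` form, which leaves an explicitly empty `openssh_dsa_enable=""` in rc.conf empty so that checkyesno later warns instead of taking the default; the `${var:="NO"}` form used by `openssh_enable` two lines up does not have that edge. These variables are only read by openssh_keygen further down the file.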
@@ -33,10 +43,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
 openssh_keygen()
 {
- if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
- -f %%ETCDIR%%/ssh_host_rsa_key -a \
- -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
- -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
+ local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
+ checkyesno openssh_dsa_enable || skip_dsa=y
+ checkyesno openssh_rsa_enable || skip_rsa=y
+ checkyesno openssh_ecdsa_enable || skip_ecdsa=y
+ checkyesno openssh_ed25519_enable || skip_ed25519=y
+
+ if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
+ \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
+ \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
+ \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
 return 0
 fi
@@ -50,8 +66,8 @@ openssh_keygen()
 echo "You already have a DSA host key" \
 "in %%ETCDIR%%/ssh_host_dsa_key"
 echo "Skipping protocol version 2 DSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t dsa \
+ elif checkyesno openssh_dsa_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
 -f %%ETCDIR%%/ssh_host_dsa_key -N ''
 fi
@@ -59,8 +75,8 @@ openssh_keygen()
 echo "You already have a RSA host key" \
 "in %%ETCDIR%%/ssh_host_rsa_key"
 echo "Skipping protocol version 2 RSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t rsa \
+ elif checkyesno openssh_rsa_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
 -f %%ETCDIR%%/ssh_host_rsa_key -N ''
 fi
@@ -68,8 +84,8 @@ openssh_keygen()
 echo "You already have a Elliptic Curve DSA host key" \
 "in %%ETCDIR%%/ssh_host_ecdsa_key"
 echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t ecdsa \
+ elif checkyesno openssh_ecdsa_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
 -f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
 fi
@@ -77,8 +93,8 @@ openssh_keygen()
 echo "You already have a Elliptic Curve ED25519 host key" \
 "in %%ETCDIR%%/ssh_host_ed25519_key"
 echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t ed25519 \
+ elif checkyesno openssh_ed25519_enable; then
+ %%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
 -f %%ETCDIR%%/ssh_host_ed25519_key -N ''
 fi
 }
@@ -156,7 +172,7 @@ openssh_checks()
 fi
 fi
- run_rc_command keygen
+ openssh_keygen
 openssh_configtest
 }
diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap
new file mode 100644
index 0000000..78d772e
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-logincap
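Review bot: `$openssh_ed22519_flags` on the ed25519 ssh-keygen line is a typo for `$openssh_ed25519_flags`, the variable the earlier hunk defines, so any ed25519 flags an administrator sets in rc.conf are silently dropped while the dsa, rsa and ecdsa lines honour theirs; the line should read `%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed25519_flags \`. A typo in a never-defined variable is invisible to `sh -n`, so this is the kind of line a `set -u`-style check or a quick grep of the `openssh_*_flags` names in the file would have caught. The body of openssh_keygen begins outside this hunk.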
@@ -0,0 +1,69 @@
+(pulled from the PR)
+
+commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
+Author: Ed Maste
+Date: Tue Aug 31 15:30:50 2021 -0400
+
+ openssh: simplify login class restrictions
+
+ Login class-based restrictions were introduced in 5b400a39b8ad. The
+ code was adapted for sshd's Capsicum sandbox and received many changes
+ over time, including at least fc3c19a9fcee, bd393de91cc3, and
+ e8c56fba2926.
+
+ During an attempt to upstream the work a much simpler approach was
+ suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
+ future updates.
+
+ Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
+ Obtained from: https://github.com/openssh/openssh-portable/pull/262
+ Reviewed by: allanjude, kevans
+ MFC after: 2 weeks
+ Differential Revision: https://reviews.freebsd.org/D31760
+
+
+--- auth.c
++++ auth.c
+@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ {
+ #ifdef HAVE_LOGIN_CAP
+ extern login_cap_t *lc;
++#ifdef HAVE_AUTH_HOSTOK
++ const char *from_host, *from_ip;
++#endif
+ #ifdef BSD_AUTH
+ auth_session_t *as;
+ #endif
+@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ debug("unable to get login class: %s", user);
+ return (NULL);
+ }
++#ifdef HAVE_AUTH_HOSTOK
++ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++ from_ip = ssh_remote_ipaddr(ssh);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ debug("Denied connection for %.200s from %.200s [%.200s].",
++ pw->pw_name, from_host, from_ip);
++ return (NULL);
++ }
++#endif /* HAVE_AUTH_HOSTOK */
++#ifdef HAVE_AUTH_TIMEOK
++ if (!auth_timeok(lc, time(NULL))) {
++ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
++ return (NULL);
++ }
++#endif /* HAVE_AUTH_TIMEOK */
+ #ifdef BSD_AUTH
+ if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+ auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
+--- configure.ac
++++ configure.ac
+@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
+ 
+ dnl Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS([ \
++ auth_hostok \
++ auth_timeok \
+ Blowfish_initstate \
+ Blowfish_expandstate \
+ Blowfish_expand0state \
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
deleted file mode 100644
index 38d366a..0000000
--- a/security/openssh-portable/files/patch-auth2.c
+++ /dev/null
@@ -1,47 +0,0 @@
---- UTC
-r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/auth2.c
-
-Apply class-imposed login restrictions.
-
---- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700
-+++ auth2.c 2020-11-16 13:55:25.222771000 -0800
-@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
- char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
- int r, authenticated = 0;
- double tstart = monotime_double();
-+#ifdef HAVE_LOGIN_CAP
-+ login_cap_t *lc;
-+ const char *from_host, *from_ip;
-+#endif
-
- if (authctxt == NULL)
- fatal("input_userauth_request: no authctxt");
-@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
- "not allowed: (%s,%s) -> (%s,%s)",
- authctxt->user, authctxt->service, user, service);
- }
-+
-+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL &&
-+ (lc = login_getpwclass(authctxt->pw)) != NULL) {
-+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
-+ from_ip = ssh_remote_ipaddr(ssh);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ ssh_packet_disconnect(ssh, "Logins not available right now.");
-+ }
-+ login_close(lc);
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+
- /* reset state */
- auth2_challenge_stop(ssh);
-
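Review bot: In the new getpwnamallow() checks a login refused by `auth_hostok()` or `auth_timeok()` is reported with `debug()`, so at sshd's default LogLevel the login.conf reason never reaches the log and the attempt surfaces only as a generic invalid-user failure; the patch-auth2.c version this commit deletes used `logit()` for the same two denials, and operators who rely on login.conf host and time restrictions lose that audit line. Keeping the new placement but writing `logit("Denied connection for %.200s from %.200s [%.200s].", pw->pw_name, from_host, from_ip);` and `logit("LOGIN %.200s REFUSED (TIME)", pw->pw_name);` restores it. The HAVE_AUTH_HOSTOK and HAVE_AUTH_TIMEOK blocks compile to nothing when the new configure.ac probes do not find the functions, which is the intended fallback but deserves a one-line comment on the `#ifdef` so nobody reads the silence as a check that passed. getpwnamallow() continues outside the hunk.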
diff --git a/security/openssh-portable/files/patch-log.c b/security/openssh-portable/files/patch-log.c deleted file mode 100644 index bf28237..0000000 --- a/security/openssh-portable/files/patch-log.c +++ /dev/null @@ -1,17 +0,0 @@ ---- log.c.orig 2023-07-19 08:31:34.000000000 +0200 -+++ log.c 2024-10-07 17:44:12.049091000 +0200 -@@ -451,12 +451,14 @@ - sshsigdie(const char *file, const char *func, int line, int showfunc, - LogLevel level, const char *suffix, const char *fmt, ...) - { -+#ifdef SYSLOG_R_SAFE_IN_SIGHAND - va_list args; - - va_start(args, fmt); - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, - suffix, fmt, args); - va_end(args); -+#endif - _exit(1); - } - diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c deleted file mode 100644 index 54f6db4..0000000 --- a/security/openssh-portable/files/patch-platform-tracing.c +++ /dev/null @@ -1,25 +0,0 @@ ---- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700 -+++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700 -@@ -16,6 +16,10 @@ - - #include "includes.h" - -+#if defined(HAVE_PROCCTL) -+#include -+#include -+#endif - #include - #ifdef HAVE_SYS_PROCCTL_H - #include -@@ -40,8 +44,9 @@ platform_disable_tracing(int strict) - /* On FreeBSD, we should make this process untraceable */ - int disable_trace = PROC_TRACE_CTL_DISABLE; - -- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict) -- fatal("unable to make the process untraceable"); -+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict) -+ fatal("unable to make the process untraceable: %s for pid %d", -+ strerror(errno), (int)getpid()); - #endif - #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) - /* Disable ptrace on Linux without sgid bit */ diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index de53881..9fc1abc 100644 
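Review bot: Deleting patch-log.c removes the `#ifdef SYSLOG_R_SAFE_IN_SIGHAND` guard around the `sshlogv()` call in `sshsigdie()`, the logging path sshd reaches from its SIGALRM grace-time handler; that guard is the upstream fix for the async-signal-unsafe syslog call in the signal handler, and it landed upstream only after the 9.3p2 release that distinfo now pins. The deleted file's own header shows it was prepared against `log.c.orig 2023-07-19`, i.e. the 9.3p2 log.c, which is direct evidence the tarball does not already carry the guard; unless another patch in this commit adds it (none visible here does), patch-log.c should stay, refreshed to apply against 9.3p2. The same question applies to the deleted patch-platform-tracing.c: its `procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace)` and strerror-bearing fatal message may or may not be present in 9.3p2's platform-tracing.c, and the commit message does not say which of the two was verified.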
--- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700 -@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +--- ssh-agent.c.orig 2023-02-02 04:21:54.000000000 -0800 ++++ ssh-agent.c 2023-02-03 10:55:34.277561000 -0800 +@@ -188,11 +188,28 @@ static int restrict_websafe = 1; /* Refuse signing of non-SSH messages for web-origin FIDO keys */ static int restrict_websafe = 1; @@ -27,17 +27,19 @@ disconnected. static void close_socket(SocketEntry *e) { + size_t i; + int last = 0; -+ + + if (e->type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount - 1); + if (--xcount == 0) + last = 1; + } ++ close(e->fd); sshbuf_free(e->input); sshbuf_free(e->output); -@@ -181,6 +198,8 @@ close_socket(SocketEntry *e) +@@ -205,6 +222,8 @@ close_socket(SocketEntry *e) memset(e, '\0', sizeof(*e)); e->fd = -1; e->type = AUTH_UNUSED; @@ -46,7 +48,7 @@ disconnected. } static void -@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd) +@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd) debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); 
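Review bot: The refreshed close_socket() hunk adds `close(e->fd);` as a new line (`++ close(e->fd);`) after the AUTH_CONNECTION bookkeeping, while, as far as I recall, this release's close_socket() already closes e->fd at the top of its body; the collapsed hunk shows no corresponding removal of that original call, so unless it is removed elsewhere in the inner patch the descriptor is closed twice, which is a silent EBADF today and a wrong-descriptor close the moment any code between the two calls opens a file. Please confirm against the full patch file and keep exactly one close; if the reordering is deliberate, a comment such as `/* account for the AUTH_CONNECTION client before closing; -x exits after the last one */` above the new block would make that clear. `last` is set here but consumed outside the hunk.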
@@ -57,16 +59,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1360,7 +1383,7 @@ static void +@@ -1990,7 +2013,7 @@ usage(void) usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" - " [-P allowed_providers] [-t life]\n" - " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" - " [-t life] command [arg ...]\n" -@@ -1394,6 +1417,7 @@ main(int ac, char **av) + " [-O option] [-P allowed_providers] [-t life]\n" + " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n" + " [-P allowed_providers] [-t life] command [arg ...]\n" +@@ -2024,6 +2047,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -74,7 +76,7 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -1405,7 +1429,7 @@ main(int ac, char **av) +@@ -2035,7 +2059,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); @@ -83,7 +85,7 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1454,6 +1478,9 @@ main(int ac, char **av) +@@ -2084,6 +2108,9 @@ main(int ac, char **av) fprintf(stderr, "Invalid lifetime\n"); usage(); } diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index b582ac8..c194964 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,5 +1,8 @@ ---- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700 -+++ sshd_config 2021-09-07 12:34:49.372652000 -0700 +!!! +!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option. +!!! +--- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000 ++++ sshd_config 2022-02-11 18:52:31.639435000 +0000 @@ -10,6 +10,9 @@ # possible, but leave them commented. Uncommented options override the # default value. 
@@ -20,33 +23,7 @@ #AuthorizedPrincipalsFile none -@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes - --# To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+# To enable tunneled clear text passwords, change to yes here! -+#PasswordAuthentication no - #PermitEmptyPasswords no - - # Change to no to disable s/key passwords -@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes - --# Set this to 'yes' to enable PAM authentication, account processing, -+# Set this to 'no' to disable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will - # be allowed through the KbdInteractiveAuthentication and - # PasswordAuthentication. Depending on your PAM configuration, -@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. --#UsePAM no -+#UsePAM yes - +@@ -84,7 +86,7 @@ #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 4422251..2936c7c 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 
@@ -1,8 +1,8 @@ ---- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 -+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 -@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa - The list of available key types may also be obtained using - .Qq ssh -Q key . +--- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000 ++++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000 +@@ -701,7 +701,9 @@ + .Qq ssh -Q HostbasedAcceptedAlgorithms . + This was formerly named HostbasedAcceptedKeyTypes. .It Cm HostbasedAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -11,7 +11,7 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic +@@ -1277,7 +1279,23 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -20,6 +20,7 @@ +.Nm sshd +was built without PAM support, in which case the default is .Cm yes . ++.Pp +Note that if +.Cm ChallengeResponseAuthentication +is @@ -34,7 +35,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1232,6 +1251,13 @@ and +@@ -1416,6 +1434,13 @@ .Cm ethernet . The default is .Cm no . @@ -48,12 +49,15 @@ .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run +@@ -1774,12 +1799,19 @@ .Xr sshd 8 as a non-root user. The default is --.Cm no . -+.Cm yes . ++.Cm yes , ++unless ++.Nm sshd ++was built without PAM support, in which case the default is + .Cm no . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. 
@@ -66,7 +70,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1512,7 +1541,7 @@ The argument must be +@@ -1793,7 +1825,7 @@ or .Cm no . The default is diff --git a/security/openssh-portable/pkg-descr b/security/openssh-portable/pkg-descr index 2a378e7..d9dee49 100644 --- a/security/openssh-portable/pkg-descr +++ b/security/openssh-portable/pkg-descr @@ -11,5 +11,3 @@ The portable OpenSSH follows development of the official version, but releases are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1). The official OpenBSD source will never use the 'p' suffix, but will instead increment the version number when they hit 'stable spots' in their development. - -WWW: https://www.openssh.com/portable.html