From f035f378a62c169c4abeb827827a2e1d585e06c9 Mon Sep 17 00:00:00 2001 
From: Xavier Beaudouin Date: Mon, 7 Oct 2024 15:15:06 +0200 Subject: [PATCH] openssh 8.8 --- security/openssh-portable/Makefile | 239 +++ security/openssh-portable/distinfo | 3 + .../files/extra-patch-blacklistd | 428 ++++++ .../files/extra-patch-gssapi-kexgssc.c | 14 + .../files/extra-patch-gssapi-kexgsss.c | 14 + .../files/extra-patch-gssapi-sshconnect2.c | 12 + .../openssh-portable/files/extra-patch-hpn | 1306 +++++++++++++++++ .../files/extra-patch-hpn-compat | 46 + .../files/extra-patch-hpn-gss-glue | 57 + .../openssh-portable/files/extra-patch-ldns | 51 + .../files/extra-patch-tcpwrappers | 160 ++ .../files/extra-patch-version-addendum | 5 + security/openssh-portable/files/openssh.in | 163 ++ security/openssh-portable/files/patch-auth2.c | 47 + .../files/patch-platform-tracing.c | 25 + .../files/patch-regress__test-exec.sh | 10 + .../openssh-portable/files/patch-servconf.c | 51 + .../openssh-portable/files/patch-serverloop.c | 52 + .../openssh-portable/files/patch-session.c | 78 + .../openssh-portable/files/patch-ssh-agent.1 | 26 + .../openssh-portable/files/patch-ssh-agent.c | 95 ++ security/openssh-portable/files/patch-ssh.c | 33 + .../openssh-portable/files/patch-ssh_config | 17 + .../openssh-portable/files/patch-ssh_config.5 | 13 + security/openssh-portable/files/patch-sshd.8 | 26 + security/openssh-portable/files/patch-sshd.c | 101 ++ .../openssh-portable/files/patch-sshd_config | 57 + .../files/patch-sshd_config.5 | 77 + security/openssh-portable/pkg-descr | 15 + security/openssh-portable/pkg-message | 22 + security/openssh-portable/pkg-plist | 31 + 31 files changed, 3274 insertions(+) create mode 100644 security/openssh-portable/Makefile create mode 100644 security/openssh-portable/distinfo create mode 100644 security/openssh-portable/files/extra-patch-blacklistd create mode 100644 security/openssh-portable/files/extra-patch-gssapi-kexgssc.c create mode 100644 security/openssh-portable/files/extra-patch-gssapi-kexgsss.c create mode 100644 
security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c create mode 100644 security/openssh-portable/files/extra-patch-hpn create mode 100644 security/openssh-portable/files/extra-patch-hpn-compat create mode 100644 security/openssh-portable/files/extra-patch-hpn-gss-glue create mode 100644 security/openssh-portable/files/extra-patch-ldns create mode 100644 security/openssh-portable/files/extra-patch-tcpwrappers create mode 100644 security/openssh-portable/files/extra-patch-version-addendum create mode 100644 security/openssh-portable/files/openssh.in create mode 100644 security/openssh-portable/files/patch-auth2.c create mode 100644 security/openssh-portable/files/patch-platform-tracing.c create mode 100644 security/openssh-portable/files/patch-regress__test-exec.sh create mode 100644 security/openssh-portable/files/patch-servconf.c create mode 100644 security/openssh-portable/files/patch-serverloop.c create mode 100644 security/openssh-portable/files/patch-session.c create mode 100644 security/openssh-portable/files/patch-ssh-agent.1 create mode 100644 security/openssh-portable/files/patch-ssh-agent.c create mode 100644 security/openssh-portable/files/patch-ssh.c create mode 100644 security/openssh-portable/files/patch-ssh_config create mode 100644 security/openssh-portable/files/patch-ssh_config.5 create mode 100644 security/openssh-portable/files/patch-sshd.8 create mode 100644 security/openssh-portable/files/patch-sshd.c create mode 100644 security/openssh-portable/files/patch-sshd_config create mode 100644 security/openssh-portable/files/patch-sshd_config.5 create mode 100644 security/openssh-portable/pkg-descr create mode 100644 security/openssh-portable/pkg-message create mode 100644 security/openssh-portable/pkg-plist diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile new file mode 100644 index 0000000..b77a243 --- /dev/null +++ b/security/openssh-portable/Makefile 
@@ -0,0 +1,239 @@ +# Created by: dwcjr@inethouston.net + +PORTNAME= openssh +DISTVERSION= 8.8p1 +PORTREVISION= 1 +PORTEPOCH= 1 +CATEGORIES= security +MASTER_SITES= OPENBSD/OpenSSH/portable +PKGNAMESUFFIX?= -portable + +MAINTAINER= bdrewery@FreeBSD.org +COMMENT= The portable version of OpenBSD's OpenSSH + +LICENSE= OPENSSH +LICENSE_NAME= OpenSSH Licenses +LICENSE_FILE= ${WRKSRC}/LICENCE +LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept + +CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel + +USES= alias autoreconf compiler:c11 cpe localbase ncurses \ + pkgconfig ssl +GNU_CONFIGURE= yes +CONFIGURE_ARGS= --prefix=${PREFIX} \ + --with-ssl-engine \ + --with-mantype=man \ + --with-Werror + +ETCOLD= ${PREFIX}/etc + +CPE_VENDOR= openbsd + +FLAVORS= default hpn gssapi +default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \ + openssh-portable-x509 +hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \ + openssh-portable-x509 +hpn_PKGNAMESUFFIX= -portable-hpn +gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \ + openssh-portable-x509 +gssapi_PKGNAMESUFFIX= -portable-gssapi + +OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ + HPN KERB_GSSAPI \ + LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F +.if ${FLAVOR:U} == hpn +OPTIONS_DEFAULT+= HPN NONECIPHER +.endif +.if ${FLAVOR:U} == gssapi +OPTIONS_DEFAULT+= KERB_GSSAPI MIT +.endif +OPTIONS_RADIO= KERBEROS +OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE +TCP_WRAPPERS_DESC= tcp_wrappers support +BSM_DESC= OpenBSM Auditing +KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) +HPN_DESC= HPN-SSH patch +LDNS_DESC= SSHFP/LDNS support +HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) +HEIMDAL_BASE_DESC= Heimdal Kerberos (base) +MIT_DESC= MIT Kerberos (security/krb5) +NONECIPHER_DESC= NONE Cipher support +XMSS_DESC= XMSS key support (experimental) +FIDO_U2F_DESC= FIDO/U2F support (security/libfido2) 
+BLACKLISTD_DESC= FreeBSD blacklistd(8) support + +OPTIONS_SUB= yes + +TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers + +LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} +LDNS_LIB_DEPENDS= libldns.so:dns/ldns +LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns + +HPN_CONFIGURE_WITH= hpn +NONECIPHER_CONFIGURE_WITH= nonecipher + +MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 +HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal + +PAM_CONFIGURE_WITH= pam +TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers + +LIBEDIT_CONFIGURE_WITH= libedit +LIBEDIT_USES= libedit +BSM_CONFIGURE_ON= --with-audit=bsm + +FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 +FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin +FIDO_U2F_CONFIGURE_OFF= --disable-security-key + +BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd + +ETCDIR?= ${PREFIX}/etc/ssh + +.include + +PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex + +# Must add this patch before HPN due to conflicts +.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi +BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. +. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} +# Needed glue for applying HPN patch without conflict +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue +. endif +# - See https://sources.debian.org/data/main/o/openssh/ for which subdir to +# pull from. +GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2 +# - Debian does not use a versioned filename so we trick fetch to make one for +# us with the ?=/ trick. 
+PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex +# Bump this when updating the patch location +GSSAPI_UPDATE_DATE= 20200607 +PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c +.endif + +.if ${PORT_OPTIONS:MBLACKLISTD} +CONFIGURE_LIBS+= -lblacklist +.endif + +# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} +#BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. +PORTDOCS+= HPN-README +HPN_VERSION= 14v15 +HPN_DISTVERSION= 7.7p1 +#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn +#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 +.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} +# Apply compatibility patch +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat +.endif + +CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog + +# Keep this last +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum + +.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently +.endif + +.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) +IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base +.endif + +.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} +. if ${PORT_OPTIONS:MHEIMDAL_BASE} +CONFIGURE_LIBS+= -lgssapi_krb5 +CONFIGURE_ARGS+= --with-kerberos5=/usr +. else +CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} +. endif +. 
if ${OPENSSLBASE} == "/usr" +CONFIGURE_ARGS+= --without-rpath +LDFLAGS= # empty +. endif +.else +. if ${PORT_OPTIONS:MKERB_GSSAPI} +IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE +. endif +.endif + +.if ${OPENSSLBASE} != "/usr" +CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} +.endif + +EMPTYDIR= /var/empty + +USE_RC_SUBR= openssh + +# After all +CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} +.if !empty(CONFIGURE_LIBS) +CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' +.endif + +CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth + +RC_SCRIPT_NAME= openssh +VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} + +CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}} +CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow + +SSH_ASKPASS_PATH?= ${LOCALBASE}/bin/ssh-askpass + +post-patch: + @${REINPLACE_CMD} \ + -e 's|install: \(.*\) host-key check-config|install: \1|g' \ + ${WRKSRC}/Makefile.in + @${REINPLACE_CMD} \ + -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \ + ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac + @${REINPLACE_CMD} \ + -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ + ${WRKSRC}/sshd_config + @${REINPLACE_CMD} \ + -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ + ${WRKSRC}/sshd_config.5 + @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ + ${WRKSRC}/version.h + +post-configure-XMSS-on: + @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h + +post-configure-BLACKLISTD-on: + @${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h + +post-install: + ${MV} ${STAGEDIR}${ETCDIR}/moduli \ + ${STAGEDIR}${ETCDIR}/moduli.sample + ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ + ${STAGEDIR}${ETCDIR}/ssh_config.sample + ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ + ${STAGEDIR}${ETCDIR}/sshd_config.sample +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} + ${MKDIR} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${WRKSRC}/HPN-README 
${STAGEDIR}${DOCSDIR}
+.endif
+
+test: build
+ cd ${WRKSRC} && ${SETENV} -i \
+ OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
+ TEST_SHELL=${SH} \
+ SUDO="${SUDO}" \
+ LOGNAME="${LOGNAME}" \
+ HOME="${HOME}" \
+ TEST_SSH_TRACE=yes \
+ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
+ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
+
+.include
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
new file mode 100644
index 0000000..f08db16
--- /dev/null
+++ b/security/openssh-portable/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1634059537
+SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
+SIZE (openssh-8.8p1.tar.gz) = 1815060
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
new file mode 100644
index 0000000..a8e9505
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-blacklistd
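Review bot: The KERB_GSSAPI branch adds `PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex`, fetched via the plain-http `PATCH_SITES+= http://mirror.shatow.net/...` entry, but the distinfo created in this same commit records only the 8.8p1 tarball, so there is no SHA256/SIZE entry that could verify that patch; today only the `BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.` line keeps the fetch from ever running. When the GSSAPI patch is re-enabled, the `make makesum` entry for it should land in the same commit, and the mirror could be moved to https so the framework's checksum is not the sole integrity control on a patch applied to sshd. Minor wording: the later IGNORE-style message misspells Heimdal — `BROKEN= KERB_GSSAPI Requires either MIT or HEIMDAL, does not build with base Heimdal currently`.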
@@ -0,0 +1,428 @@ +--- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700 ++++ blacklist.c 2021-04-28 13:56:45.677805000 -0700 +@@ -0,0 +1,92 @@ ++/*- ++ * Copyright (c) 2015 The NetBSD Foundation, Inc. ++ * Copyright (c) 2016 The FreeBSD Foundation, Inc. ++ * All rights reserved. ++ * ++ * Portions of this software were developed by Kurt Lidl ++ * under sponsorship from the FreeBSD Foundation. ++ * ++ * This code is derived from software contributed to The NetBSD Foundation ++ * by Christos Zoulas. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS ++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED ++ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS ++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++#include "includes.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "ssh.h" ++#include "packet.h" ++#include "log.h" ++#include "misc.h" ++#include ++#include "blacklist_client.h" ++ ++static struct blacklist *blstate = NULL; ++ ++/* internal definition from bl.h */ ++struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); ++ ++/* impedence match vsyslog() to sshd's internal logging levels */ ++void ++im_log(int priority, const char *message, va_list args) ++{ ++ LogLevel imlevel; ++ ++ switch (priority) { ++ case LOG_ERR: ++ imlevel = SYSLOG_LEVEL_ERROR; ++ break; ++ case LOG_DEBUG: ++ imlevel = SYSLOG_LEVEL_DEBUG1; ++ break; ++ case LOG_INFO: ++ imlevel = SYSLOG_LEVEL_INFO; ++ break; ++ default: ++ imlevel = SYSLOG_LEVEL_DEBUG2; ++ } ++ do_log2(imlevel, message, args); ++} ++ ++void ++blacklist_init(void) ++{ ++ ++ blstate = bl_create(false, NULL, im_log); ++} ++ ++void ++blacklist_notify(int action, struct ssh *ssh, const char *msg) ++{ ++ ++ if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh)) ++ (void)blacklist_r(blstate, action, ++ ssh_packet_get_connection_in(ssh), msg); ++} +--- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800 ++++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800 +@@ -0,0 +1,61 @@ ++/*- ++ * Copyright (c) 2015 The NetBSD Foundation, Inc. ++ * Copyright (c) 2016 The FreeBSD Foundation, Inc. ++ * All rights reserved. ++ * ++ * Portions of this software were developed by Kurt Lidl ++ * under sponsorship from the FreeBSD Foundation. ++ * ++ * This code is derived from software contributed to The NetBSD Foundation ++ * by Christos Zoulas. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. 
++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS ++ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED ++ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS ++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++#ifndef BLACKLIST_CLIENT_H ++#define BLACKLIST_CLIENT_H ++ ++#ifndef BLACKLIST_API_ENUM ++enum { ++ BLACKLIST_AUTH_OK = 0, ++ BLACKLIST_AUTH_FAIL, ++ BLACKLIST_ABUSIVE_BEHAVIOR, ++ BLACKLIST_BAD_USER ++}; ++#endif ++ ++#ifdef USE_BLACKLIST ++void blacklist_init(void); ++void blacklist_notify(int, struct ssh *, const char *); ++ ++#define BLACKLIST_INIT() blacklist_init() ++#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg) ++ ++#else ++ ++#define BLACKLIST_INIT() ++#define BLACKLIST_NOTIFY(x, ssh, msg) ++ ++#endif ++ ++ ++#endif /* BLACKLIST_CLIENT_H */ +--- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ servconf.c 2021-04-28 13:36:19.591999000 -0700 +@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options) + options->max_sessions = -1; + options->banner = NULL; + options->use_dns = -1; ++ options->use_blacklist = -1; + options->client_alive_interval = -1; + options->client_alive_count_max = -1; + options->num_authkeys_files = 0; +@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options) + options->max_sessions = DEFAULT_SESSIONS_MAX; + if (options->use_dns == -1) + options->use_dns = 0; ++ if (options->use_blacklist == -1) ++ options->use_blacklist = 0; + if (options->client_alive_interval == -1) + options->client_alive_interval = 0; + if (options->client_alive_count_max == -1) +@@ -506,6 +509,7 @@ typedef enum { + sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, + sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, + sBanner, sUseDNS, sHostbasedAuthentication, ++ sUseBlacklist, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms, + sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, +@@ -642,6 +646,8 @@ static struct { + { "maxsessions", sMaxSessions, SSHCFG_ALL }, + { "banner", sBanner, SSHCFG_ALL }, + { "usedns", sUseDNS, SSHCFG_GLOBAL }, ++ { "useblacklist", 
sUseBlacklist, SSHCFG_GLOBAL }, ++ { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */, + { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, + { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, + { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, +@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option + intptr = &options->use_dns; + goto parse_flag; + ++ case sUseBlacklist: ++ intptr = &options->use_blacklist; ++ goto parse_flag; ++ + case sLogFacility: + log_facility_ptr = &options->log_facility; + arg = strdelim(&cp); +@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sCompression, o->compression); + dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); + dump_cfg_fmtint(sUseDNS, o->use_dns); ++ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist); + dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); + dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); + dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); +--- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800 ++++ servconf.h 2020-11-16 15:51:02.962173000 -0800 +@@ -179,6 +179,7 @@ typedef struct { + int max_sessions; + char *banner; /* SSH-2 banner message */ + int use_dns; ++ int use_blacklist; + int client_alive_interval; /* + * poke the client this often to + * see if it's still there +--- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800 ++++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800 +@@ -105,6 +105,7 @@ extern char *__progname; + #include "ssh-gss.h" + #endif + #include "monitor_wrap.h" ++#include "blacklist_client.h" + + extern ServerOptions options; + extern struct sshbuf *loginmsg; +@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info, + sshbuf_free(buffer); + return (0); + } ++ /* XXX: ssh context unavailable here, unclear if this is even needed. 
++ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ++ the_active_state, sshpam_authctxt->user); ++ */ + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, sshpam_rhost); +--- auth.c.orig 2020-11-16 15:52:45.824171000 -0800 ++++ auth.c 2020-11-16 15:57:51.091969000 -0800 +@@ -76,6 +76,7 @@ + #include "ssherr.h" + #include "compat.h" + #include "channels.h" ++#include "blacklist_client.h" + + /* import */ + extern ServerOptions options; +@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti + authmsg = "Postponed"; + else if (partial) + authmsg = "Partial"; +- else ++ else { + authmsg = authenticated ? "Accepted" : "Failed"; ++ if (authenticated) ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh"); ++ } + + if ((extra = format_method_key(authctxt)) == NULL) { + if (authctxt->auth_method_info != NULL) +@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user) + aix_restoreauthdb(); + #endif + if (pw == NULL) { ++ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user); + logit("Invalid user %.100s from %.100s port %d", + user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); + #ifdef CUSTOM_FAILED_LOGIN +--- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800 ++++ auth2.c 2020-11-16 17:12:04.852943000 -0800 +@@ -58,6 +58,7 @@ + #endif + #include "monitor_wrap.h" + #include "digest.h" ++#include "blacklist_client.h" + + /* import */ + extern ServerOptions options; +@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct + } else { + /* Invalid user, fake password information */ + authctxt->pw = fakepw(); ++ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh"); + #ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); + #endif +@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co + } else { + /* Allow initial try of "none" auth without failure penalty */ + if (!partial && !authctxt->server_caused_failure && +- (authctxt->attempt > 1 || 
strcmp(method, "none") != 0)) ++ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { + authctxt->failures++; ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); ++ } + if (authctxt->failures >= options.max_authtries) { + #ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); +--- packet.c.orig 2020-11-16 15:52:45.839070000 -0800 ++++ packet.c 2020-11-16 15:56:09.285418000 -0800 +@@ -96,6 +96,7 @@ + #include "packet.h" + #include "ssherr.h" + #include "sshbuf.h" ++#include "blacklist_client.h" + + #ifdef PACKET_DEBUG + #define DBG(x) x +@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, + case SSH_ERR_NO_KEX_ALG_MATCH: + case SSH_ERR_NO_HOSTKEY_ALG_MATCH: + if (ssh && ssh->kex && ssh->kex->failed_choice) { ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); + ssh_packet_clear_keys(ssh); + errno = oerrno; + logdie("Unable to negotiate with %s: %s. " +--- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700 ++++ sshd.c 2021-09-10 10:37:17.926747000 -0700 +@@ -123,6 +123,7 @@ + #include "version.h" + #include "ssherr.h" + #include "sk-api.h" ++#include "blacklist_client.h" + #include "srclimit.h" + #include "dh.h" + +@@ -366,6 +367,8 @@ grace_alarm_handler(int sig) + kill(0, SIGTERM); + } + ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh"); ++ + /* Log error and exit. 
*/ + if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0) + cleanup_exit(255); /* don't log in privsep child */ +@@ -2225,6 +2228,9 @@ main(int ac, char **av) + if ((loginmsg = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); + auth_debug_reset(); ++ ++ if (options.use_blacklist) ++ BLACKLIST_INIT(); + + if (use_privsep) { + if (privsep_preauth(ssh) == 1) +--- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800 ++++ Makefile.in 2020-11-16 16:28:28.083007000 -0800 +@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS) + FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ + @UNSUPPORTED_ALGORITHMS@ + ++LIBSSH_OBJS+= blacklist.o ++ + all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS) + + $(LIBSSH_OBJS): Makefile.in config.h +--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 ++++ sshd_config 2020-11-16 16:57:42.183846000 -0800 +@@ -94,6 +94,7 @@ + #PrintLastLog yes + #TCPKeepAlive yes + #PermitUserEnvironment no ++#UseBlacklist no + #Compression delayed + #ClientAliveInterval 0 + #ClientAliveCountMax 3 +--- sshd_config.5.orig 2020-11-16 16:57:58.533307000 -0800 ++++ sshd_config.5 2020-11-16 17:00:02.635070000 -0800 +@@ -1703,6 +1703,20 @@ for authentication using + .Cm TrustedUserCAKeys . + For more details on certificates, see the CERTIFICATES section in + .Xr ssh-keygen 1 . ++.It Cm UseBlacklist ++Specifies whether ++.Xr sshd 8 ++attempts to send authentication success and failure messages ++to the ++.Xr blacklistd 8 ++daemon. ++The default is ++.Cm no . ++For forward compatibility with an upcoming ++.Xr blacklistd ++rename, the ++.Cm UseBlocklist ++alias can be used instead. 
+ .It Cm UseDNS + Specifies whether + .Xr sshd 8 +--- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800 ++++ monitor.c 2020-11-16 17:25:57.642510000 -0800 +@@ -96,6 +96,7 @@ + #include "match.h" + #include "ssherr.h" + #include "sk-api.h" ++#include "blacklist_client.h" + + #ifdef GSSAPI + static Gssctxt *gsscontext = NULL; +@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor + if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { + auth_log(ssh, authenticated, partial, + auth_method, auth_submethod); +- if (!partial && !authenticated) ++ if (!partial && !authenticated) { + authctxt->failures++; ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ++ ssh, "ssh"); ++ } + if (authenticated || partial) { + auth2_update_session_info(authctxt, + auth_method, auth_submethod); +@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct + } else { + /* Log failed attempt */ + auth_log(ssh, 0, 0, auth_method, NULL); ++ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); + free(cuser); + free(chost); + } diff --git a/security/openssh-portable/files/extra-patch-gssapi-kexgssc.c b/security/openssh-portable/files/extra-patch-gssapi-kexgssc.c new file mode 100644 index 0000000..40be181 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-gssapi-kexgssc.c @@ -0,0 +1,14 @@ +Fix prototype for DH_get0_key() in kexgssgex_client(). + +--- kexgssc.c.orig 2020-11-24 12:26:37.222092000 -0800 ++++ kexgssc.c 2020-11-24 12:26:54.801490000 -0800 +@@ -31,6 +31,9 @@ + #include + #include + ++#include ++#include "openbsd-compat/openssl-compat.h" ++ + #include + + #include "xmalloc.h" diff --git a/security/openssh-portable/files/extra-patch-gssapi-kexgsss.c b/security/openssh-portable/files/extra-patch-gssapi-kexgsss.c new file mode 100644 index 0000000..073b30d --- /dev/null +++ b/security/openssh-portable/files/extra-patch-gssapi-kexgsss.c 
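Review bot: `im_log` in the new blacklist.c maps only LOG_ERR, LOG_DEBUG and LOG_INFO, so anything libblacklist reports at LOG_WARNING, LOG_NOTICE or LOG_CRIT falls into the `default:` arm and is logged at SYSLOG_LEVEL_DEBUG2, which is invisible at sshd's default LogLevel; if the library reports a failure to reach the blacklistd socket at one of those priorities, the operator would never see it. Suggest adding `case LOG_CRIT: case LOG_WARNING: imlevel = SYSLOG_LEVEL_ERROR; break;` and `case LOG_NOTICE: imlevel = SYSLOG_LEVEL_INFO; break;` above the default. Separately, BLACKLIST_AUTH_FAIL is emitted both in auth2.c `userauth_finish` and in monitor.c `monitor_child_preauth` on what looks like the same failed attempt; if the monitor and the unprivileged child both run these paths for one attempt (as their parallel `authctxt->failures++` suggests), blacklistd would count each failure twice against its threshold, which is worth confirming and recording in a comment next to one of the calls. The hunk also routes KEX algorithm-mismatch failures in packet.c `sshpkt_vfatal` to BLACKLIST_AUTH_FAIL; a one-line comment there stating that negotiation failures are deliberately treated as authentication failures would help the next reader.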
@@ -0,0 +1,14 @@ +Fix prototype for DH_get0_key() in kexgssgex_server(). + +--- kexgsss.c.orig 2020-11-24 12:39:25.548427000 -0800 ++++ kexgsss.c 2020-11-24 12:39:47.591119000 -0800 +@@ -31,6 +31,9 @@ + #include + #include + ++#include ++#include "openbsd-compat/openssl-compat.h" ++ + #include "xmalloc.h" + #include "sshbuf.h" + #include "ssh2.h" diff --git a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c new file mode 100644 index 0000000..7cb08ee --- /dev/null +++ b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c @@ -0,0 +1,12 @@ +Avoid free(const char*) +--- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800 ++++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800 +@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh) + /* Fall back to specified host if we are using proxy command + * and can not use DNS on that socket */ + if (strcmp(gss_host, "UNKNOWN") == 0) { +- gss_host = authctxt->host; ++ gss_host = xstrdup(authctxt->host); + } + } else { + gss_host = xstrdup(authctxt->host); diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn new file mode 100644 index 0000000..ed7a78a --- /dev/null +++ b/security/openssh-portable/files/extra-patch-hpn 
@@ -0,0 +1,1306 @@ +diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README +--- work.clean/openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600 ++++ work/openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500 +@@ -0,0 +1,129 @@ ++Notes: ++ ++MULTI-THREADED CIPHER: ++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations ++on hosts with multiple cores to use more than one processing core during encryption. ++Tests have show significant throughput performance increases when using MTR-AES-CTR up ++to and including a full gigabit per second on quad core systems. It should be possible to ++achieve full line rate on dual core systems but OS and data management overhead makes this ++more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single ++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal ++performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. ++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same ++nomenclature. ++Use examples: ssh -caes128-ctr you@host.com ++ scp -oCipher=aes256-ctr file you@host.com:~/file ++ ++NONE CIPHER: ++To use the NONE option you must have the NoneEnabled switch set on the server and ++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE ++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not ++spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will ++be disabled. ++ ++The performance increase will only be as good as the network and TCP stack tuning ++on the reciever side of the connection allows. As a rule of thumb a user will need ++at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The ++HPN-SSH home page describes this in greater detail. 
++ ++http://www.psc.edu/networking/projects/hpn-ssh ++ ++BUFFER SIZES: ++ ++If HPN is disabled the receive buffer size will be set to the ++OpenSSH default of 64K. ++ ++If an HPN system connects to a nonHPN system the receive buffer will ++be set to the HPNBufferSize value. The default is 2MB but user adjustable. ++ ++If an HPN to HPN connection is established a number of different things might ++happen based on the user options and conditions. ++ ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set ++HPN Buffer Size = up to 64MB ++This is the default state. The HPN buffer size will grow to a maximum of 64MB ++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is ++geared towards 10GigE transcontinental connections. ++ ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set ++HPN Buffer Size = TCP receive buffer value. ++Users on non-autotuning systesm should disable TCPRcvBufPoll in the ++ssh_cofig and sshd_config ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set ++HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. ++This would be the system defined TCP receive buffer (RWIN). ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. ++Generally there is no need to set both. ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set ++HPN Buffer Size = grows to HPNBufferSize ++The buffer will grow up to the maximum size specified here. ++ ++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET ++HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. ++Generally there is no need to set both of these, especially on autotuning ++systems. However, if the users wishes to override the autotuning this would be ++one way to do it. ++ ++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET ++HPN Buffer Size = TCPRcvBuf. 
++This will override autotuning and set the TCP recieve buffer to the user defined ++value. ++ ++ ++HPN Specific Configuration options ++ ++TcpRcvBuf=[int]KB client ++ set the TCP socket receive buffer to n Kilobytes. It can be set up to the ++maximum socket size allowed by the system. This is useful in situations where ++the tcp receive window is set low but the maximum buffer size is set ++higher (as is typical). This works on a per TCP connection basis. You can also ++use this to artifically limit the transfer rate of the connection. In these ++cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. ++Default is the current system wide tcp receive buffer size. ++ ++TcpRcvBufPoll=[yes/no] client/server ++ enable of disable the polling of the tcp receive buffer through the life ++of the connection. You would want to make sure that this option is enabled ++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) ++default is yes. ++ ++NoneEnabled=[yes/no] client/server ++ enable or disable the use of the None cipher. Care must always be used ++when enabling this as it will allow users to send data in the clear. However, ++it is important to note that authentication information remains encrypted ++even if this option is enabled. Set to no by default. ++ ++NoneSwitch=[yes/no] client ++ Switch the encryption cipher being used to the None cipher after ++authentication takes place. NoneEnabled must be enabled on both the client ++and server side of the connection. When the connection switches to the NONE ++cipher a warning is sent to STDERR. The connection attempt will fail with an ++error if a client requests a NoneSwitch from the server that does not explicitly ++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in ++interactive (shell) sessions and it will fail silently. Set to no by default. 
++ ++HPNDisabled=[yes/no] client/server ++ In some situations, such as transfers on a local area network, the impact ++of the HPN code produces a net decrease in performance. In these cases it is ++helpful to disable the HPN functionality. By default HPNDisabled is set to no. ++ ++HPNBufferSize=[int]KB client/server ++ This is the default buffer size the HPN functionality uses when interacting ++with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf ++option as applied to the internal SSH flow control. This value can range from ++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance ++problems depending on the length of the network path. The default size of this buffer ++is 2MB. ++ ++ ++Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu) ++ The majority of the actual coding for versions up to HPN12v1 was performed ++ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was ++ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota ++ (tasota@gmail.com) an NSF REU grant recipient for 2013. ++ This work was financed, in part, by Cisco System, Inc., the National ++ Library of Medicine, and the National Science Foundation. 
+--- work/openssh/channels.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/channels.c 2021-04-28 14:35:20.732518000 -0700 +@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann + /* Setup helper */ + static void channel_handler_init(struct ssh_channels *sc); + ++ ++#ifdef HPN_ENABLED ++static int hpn_disabled = 0; ++static int hpn_buffer_size = 2 * 1024 * 1024; ++#endif ++ + /* -- channel core */ + + void +@@ -395,6 +401,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in + c->local_window = window; + c->local_window_max = window; + c->local_maxpacket = maxpack; ++#ifdef HPN_ENABLED ++ c->dynamic_window = 0; ++#endif + c->remote_name = xstrdup(remote_name); + c->ctl_chan = -1; + c->delayed = 1; /* prevent call to channel_post handler */ +@@ -1082,6 +1091,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, + FD_SET(c->sock, writeset); + } + ++#ifdef HPN_ENABLED ++static int ++channel_tcpwinsz(struct ssh *ssh) ++{ ++ u_int32_t tcpwinsz = 0; ++ socklen_t optsz = sizeof(tcpwinsz); ++ int ret = -1; ++ ++ /* if we aren't on a socket return 128KB */ ++ if (!ssh_packet_connection_is_on_socket(ssh)) ++ return 128 * 1024; ++ ++ ret = getsockopt(ssh_packet_get_connection_in(ssh), ++ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); ++ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ ++ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) ++ tcpwinsz = SSHBUF_SIZE_MAX; ++ ++ debug2("tcpwinsz: tcp connection %d, Receive window: %d", ++ ssh_packet_get_connection_in(ssh), tcpwinsz); ++ return tcpwinsz; ++} ++#endif ++ + static void + channel_pre_open(struct ssh *ssh, Channel *c, + fd_set *readset, fd_set *writeset) +@@ -2124,18 +2157,29 @@ channel_check_window(struct ssh *ssh, Channel *c) + c->local_maxpacket*3) || + c->local_window < c->local_window_max/2) && + c->local_consumed > 0) { ++ u_int addition = 0; ++#ifdef HPN_ENABLED ++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh); ++ /* adjust max window size if we are in a dynamic 
environment */ ++ if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { ++ /* grow the window somewhat aggressively to maintain pressure */ ++ addition = 1.5 * (tcpwinsz - c->local_window_max); ++ c->local_window_max += addition; ++ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition); ++ } ++#endif + if (!c->have_remote_id) + fatal_f("channel %d: no remote id", c->self); + if ((r = sshpkt_start(ssh, + SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || + (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || +- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || ++ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || + (r = sshpkt_send(ssh)) != 0) { + fatal_fr(r, "channel %i", c->self); + } + debug2("channel %d: window %d sent adjust %d", c->self, +- c->local_window, c->local_consumed); +- c->local_window += c->local_consumed; ++ c->local_window, c->local_consumed + addition); ++ c->local_window += c->local_consumed + addition; + c->local_consumed = 0; + } + return 1; +@@ -3302,6 +3346,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis + return addr; + } + ++#ifdef HPN_ENABLED ++void ++channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size) ++{ ++ hpn_disabled = external_hpn_disabled; ++ hpn_buffer_size = external_hpn_buffer_size; ++ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, ++ hpn_buffer_size); ++} ++#endif ++ + static int + channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, + struct Forward *fwd, int *allocated_listen_port, +@@ -3442,6 +3497,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int + } + + /* Allocate a channel number for the socket. */ ++#ifdef HPN_ENABLED ++ /* ++ * explicitly test for hpn disabled option. if true use smaller ++ * window size. 
++ */ ++ if (!hpn_disabled) ++ c = channel_new(ssh, "port listener", type, sock, sock, -1, ++ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, ++ 0, "port listener", 1); ++ else ++#endif + c = channel_new(ssh, "port listener", type, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); +@@ -4610,6 +4676,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ + *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); + for (n = 0; n < num_socks; n++) { + sock = socks[n]; ++#ifdef HPN_ENABLED ++ if (!hpn_disabled) ++ nc = channel_new(ssh, "x11 listener", ++ SSH_CHANNEL_X11_LISTENER, sock, sock, -1, ++ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, ++ 0, "X11 inet listener", 1); ++ else ++#endif + nc = channel_new(ssh, "x11 listener", + SSH_CHANNEL_X11_LISTENER, sock, sock, -1, + CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, +--- work/openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700 +@@ -143,6 +143,9 @@ struct Channel { + u_int local_maxpacket; + int extended_usage; + int single_connection; ++#ifdef HPN_ENABLED ++ int dynamic_window; ++#endif + + char *ctype; /* type */ + +@@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *); + void chan_rcvd_ieof(struct ssh *, Channel *); + void chan_write_failed(struct ssh *, Channel *); + void chan_obuf_empty(struct ssh *, Channel *); ++ ++#ifdef HPN_ENABLED ++/* hpn handler */ ++void channel_set_hpn(int, int); ++#endif + + #endif +--- work/openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700 +@@ -212,7 +212,12 @@ ciphers_valid(const char *names) + for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; + (p = strsep(&cp, CIPHER_SEP))) { + c = cipher_by_name(p); ++#ifdef NONE_CIPHER_ENABLED ++ if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 && ++ (c->flags & CFLAG_NONE) != 0)) { ++#else + if (c == NULL || (c->flags & 
CFLAG_INTERNAL) != 0) { ++#endif + free(cipher_list); + return 0; + } +--- work/openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700 +@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques + sock = x11_connect_display(ssh); + if (sock < 0) + return NULL; ++#ifdef HPN_ENABLED ++ /* again is this really necessary for X11? */ ++ if (!options.hpn_disabled) ++ c = channel_new(ssh, "x11", ++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, ++ options.hpn_buffer_size, ++ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); ++ else ++#endif + c = channel_new(ssh, "x11", + SSH_CHANNEL_X11_OPEN, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); +@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ + __func__, ssh_err(r)); + return NULL; + } ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ c = channel_new(ssh, "authentication agent connection", ++ SSH_CHANNEL_OPEN, sock, sock, -1, ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, ++ "authentication agent connection", 1); ++ else ++#endif + c = channel_new(ssh, "authentication agent connection", + SSH_CHANNEL_OPEN, sock, sock, -1, + CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, +@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, + } + debug("Tunnel forwarding using interface %s", ifname); + ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); ++ else ++#endif + c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + c->datagram = 1; +--- work/openssh/compat.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/compat.c 2021-04-28 14:37:33.129317000 -0700 +@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) + 
debug_f("match: %s pat %s compat 0x%08x", + version, check[i].pat, check[i].bugs); + ssh->compat = check[i].bugs; ++#ifdef HPN_ENABLED ++ /* Check to see if the remote side is OpenSSH and not HPN */ ++ if (strstr(version,"OpenSSH") != NULL && ++ strstr(version,"hpn") == NULL) { ++ ssh->compat |= SSH_BUG_LARGEWINDOW; ++ debug("Remote is NON-HPN aware"); ++ } ++#endif + return; + } + } +--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500 +@@ -62,6 +62,9 @@ + #define SSH_BUG_CURVE25519PAD 0x10000000 + #define SSH_BUG_HOSTKEYS 0x20000000 + #define SSH_BUG_DHGEX_LARGE 0x40000000 ++#ifdef HPN_ENABLED ++#define SSH_BUG_LARGEWINDOW 0x80000000 ++#endif + + void enable_compat13(void); + void enable_compat20(void); +--- work/openssh/configure.ac.orig 2020-03-22 11:06:53.034550000 -0700 ++++ work/openssh/configure.ac 2020-03-22 11:07:10.017487000 -0700 +@@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir], + ] + ) # maildir + ++#check whether user wants HPN support ++HPN_MSG="no" ++AC_ARG_WITH(hpn, ++ [ --with-hpn Enable HPN support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.]) ++ HPN_MSG="yes" ++ fi ] ++) ++#check whether user wants NONECIPHER support ++NONECIPHER_MSG="no" ++AC_ARG_WITH(nonecipher, ++ [ --with-nonecipher Enable NONECIPHER support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.]) ++ NONECIPHER_MSG="yes" ++ fi ] ++) ++ + if test ! 
-z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then + AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) + disable_ptmx_check=yes +@@ -5459,6 +5478,8 @@ echo " Random number source: $RAND_MSG" + echo " Privsep sandbox style: $SANDBOX_STYLE" + echo " PKCS#11 support: $enable_pkcs11" + echo " U2F/FIDO support: $enable_sk" ++echo " HPN support: $HPN_MSG" ++echo " NONECIPHER support: $NONECIPHER_MSG" + + echo "" + +--- work/openssh/kex.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/kex.c 2021-04-28 14:38:31.761909000 -0700 +@@ -960,6 +960,20 @@ kex_choose_conf(struct ssh *ssh) + peer[ncomp] = NULL; + goto out; + } ++#ifdef NONE_CIPHER_ENABLED ++ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); ++ if (strcmp(newkeys->enc.name, "none") == 0) { ++ int auth_flag; ++ ++ auth_flag = ssh_packet_authentication_state(ssh); ++ debug("Requesting NONE. Authflag is %d", auth_flag); ++ if (auth_flag == 1) { ++ debug("None requested post authentication."); ++ } else { ++ fatal("Pre-authentication none cipher requests are not allowed."); ++ } ++ } ++#endif + debug("kex: %s cipher: %s MAC: %s compression: %s", + ctos ? "client->server" : "server->client", + newkeys->enc.name, +@@ -1170,7 +1184,7 @@ send_error(struct ssh *ssh, char *msg) + */ + int + kex_exchange_identification(struct ssh *ssh, int timeout_ms, +- const char *version_addendum) ++ const char *version_addendum, int hpn_disabled) + { + int remote_major, remote_minor, mismatch, oerrno = 0; + size_t len, i, n; +@@ -1187,8 +1201,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo + sshbuf_reset(our_version); + if (version_addendum != NULL && *version_addendum == '\0') + version_addendum = NULL; +- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", ++ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++#ifdef HPN_ENABLED ++ hpn_disabled ? "" : SSH_HPN, ++#else ++ "", ++#endif + version_addendum == NULL ? 
"" : " ", + version_addendum == NULL ? "" : version_addendum)) != 0) { + oerrno = errno; +--- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700 +@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) + return 0; + } + ++#ifdef NONE_CIPHER_ENABLED ++/* this supports the forced rekeying required for the NONE cipher */ ++int rekey_requested = 0; ++void ++packet_request_rekeying(void) ++{ ++ rekey_requested = 1; ++} ++ ++int ++ssh_packet_authentication_state(struct ssh *ssh) ++{ ++ struct session_state *state = ssh->state; ++ ++ return(state->after_authentication); ++} ++#endif ++ + #define MAX_PACKETS (1U<<31) + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou + /* Peer can't rekey */ + if (ssh->compat & SSH_BUG_NOREKEY) + return 0; ++#ifdef NONE_CIPHER_ENABLED ++ /* used to force rekeying when called for by the none ++ * cipher switch methods -cjr */ ++ if (rekey_requested == 1) { ++ rekey_requested = 0; ++ return 1; ++ } ++#endif + + /* + * Permit one packet in or out per rekey - this allows us to +--- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500 +@@ -206,6 +206,11 @@ int sshpkt_get_end(struct ssh *ssh); + void sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l); + const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); + ++#ifdef NONE_CIPHER_ENABLED ++void packet_request_rekeying(void); ++int ssh_packet_authentication_state(struct ssh *ssh); ++#endif ++ + #if !defined(WITH_OPENSSL) + # undef BIGNUM + # undef EC_KEY +--- work/openssh/readconf.c.orig 2021-09-08 09:56:20.567664000 -0700 ++++ work/openssh/readconf.c 2021-09-08 09:57:31.560617000 -0700 +@@ -67,6 +67,9 @@ + #include "uidswap.h" + #include "myproposal.h" + #include "digest.h" ++#ifdef HPN_ENABLED 
++#include "sshbuf.h" ++#endif + + /* Format of the configuration file: + +@@ -168,6 +171,12 @@ typedef enum { + oLocalCommand, oPermitLocalCommand, oRemoteCommand, + oVisualHostKey, + oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull, ++#ifdef HPN_ENABLED ++ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, ++#endif ++#ifdef NONE_CIPHER_ENABLED ++ oNoneSwitch, oNoneEnabled, ++#endif + oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass, + oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, + oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, +@@ -316,6 +325,16 @@ static struct { + { "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */ + { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms }, + { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */ ++#ifdef NONE_CIPHER_ENABLED ++ { "noneenabled", oNoneEnabled }, ++ { "noneswitch", oNoneSwitch }, ++#endif ++#ifdef HPN_ENABLED ++ { "tcprcvbufpoll", oTcpRcvBufPoll }, ++ { "tcprcvbuf", oTcpRcvBuf }, ++ { "hpndisabled", oHPNDisabled }, ++ { "hpnbuffersize", oHPNBufferSize }, ++#endif + { "ignoreunknown", oIgnoreUnknown }, + { "proxyjump", oProxyJump }, + { "securitykeyprovider", oSecurityKeyProvider }, +@@ -1125,6 +1144,44 @@ parse_time: + intptr = &options->check_host_ip; + goto parse_flag; + ++#ifdef HPN_ENABLED ++ case oHPNDisabled: ++ intptr = &options->hpn_disabled; ++ goto parse_flag; ++ ++ case oHPNBufferSize: ++ intptr = &options->hpn_buffer_size; ++ goto parse_int; ++ ++ case oTcpRcvBufPoll: ++ intptr = &options->tcp_rcv_buf_poll; ++ goto parse_flag; ++ ++ case oTcpRcvBuf: ++ intptr = &options->tcp_rcv_buf; ++ goto parse_int; ++#endif ++ ++#ifdef NONE_CIPHER_ENABLED ++ case oNoneEnabled: ++ intptr = &options->none_enabled; ++ goto parse_flag; ++ ++ /* we check to see if the command comes from the */ ++ /* command line or not. If it does then enable it */ ++ /* otherwise fail. 
NONE should never be a default configuration */ ++ case oNoneSwitch: ++ if(strcmp(filename,"command-line") == 0) { ++ intptr = &options->none_switch; ++ goto parse_flag; ++ } else { ++ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); ++ error("Continuing..."); ++ debug("NoneSwitch directive found in %.200s.", filename); ++ return 0; ++ } ++#endif ++ + case oVerifyHostKeyDNS: + intptr = &options->verify_host_key_dns; + multistate_ptr = multistate_yesnoask; +@@ -2386,6 +2443,16 @@ initialize_options(Options * options) + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; + options->request_tty = -1; ++#ifdef NONE_CIPHER_ENABLED ++ options->none_switch = -1; ++ options->none_enabled = -1; ++#endif ++#ifdef HPN_ENABLED ++ options->hpn_disabled = -1; ++ options->hpn_buffer_size = -1; ++ options->tcp_rcv_buf_poll = -1; ++ options->tcp_rcv_buf = -1; ++#endif + options->session_type = -1; + options->stdin_null = -1; + options->fork_after_authentication = -1; +@@ -2557,6 +2624,34 @@ fill_default_options(Options * options) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) + options->server_alive_count_max = 3; ++#ifdef NONE_CIPHER_ENABLED ++ if (options->none_switch == -1) ++ options->none_switch = 0; ++ if (options->none_enabled == -1) ++ options->none_enabled = 0; ++#endif ++#ifdef HPN_ENABLED ++ if (options->hpn_disabled == -1) ++ options->hpn_disabled = 0; ++ if (options->hpn_buffer_size > -1) { ++ /* if a user tries to set the size to 0 set it to 1KB */ ++ if (options->hpn_buffer_size == 0) ++ options->hpn_buffer_size = 1; ++ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */ ++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) { ++ options->hpn_buffer_size = SSHBUF_SIZE_MAX; ++ debug("User requested buffer larger than 256MB. 
Request reverted to 256MB"); ++ } else ++ options->hpn_buffer_size *= 1024; ++ debug("hpn_buffer_size set to %d", options->hpn_buffer_size); ++ } ++ if (options->tcp_rcv_buf == 0) ++ options->tcp_rcv_buf = 1; ++ if (options->tcp_rcv_buf > -1) ++ options->tcp_rcv_buf *=1024; ++ if (options->tcp_rcv_buf_poll == -1) ++ options->tcp_rcv_buf_poll = 1; ++#endif + if (options->control_master == -1) + options->control_master = 0; + if (options->control_persist == -1) { +--- work.clean/openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500 +@@ -105,6 +105,16 @@ + int clear_forwardings; + + int enable_ssh_keysign; ++#ifdef NONE_CIPHER_ENABLED ++ int none_switch; /* Use none cipher */ ++ int none_enabled; /* Allow none to be used */ ++#endif ++#ifdef HPN_ENABLED ++ int tcp_rcv_buf; /* user switch to set tcp recv buffer */ ++ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */ ++ int hpn_disabled; /* Switch to disable HPN buffer management */ ++ int hpn_buffer_size; /* User definable size for HPN buffer window */ ++#endif + int64_t rekey_limit; + int rekey_interval; + int no_host_authentication_for_localhost; +--- work/openssh/scp.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ work/openssh/scp.c 2020-11-10 10:31:03.060729000 -0800 +@@ -1246,7 +1246,7 @@ sink(int argc, char **argv, const char *src) + off_t size, statbytes; + unsigned long long ull; + int setimes, targisdir, wrerr; +- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; ++ char ch, *cp, *np, *targ, *why, *vect[1], buf[COPY_BUFLEN], visbuf[COPY_BUFLEN]; + char **patterns = NULL; + size_t n, npatterns = 0; + struct timeval tv[2]; +--- work/openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700 +@@ -63,6 +63,9 @@ + #include "auth.h" + #include "myproposal.h" + #include "digest.h" ++#ifdef HPN_ENABLED ++#include "sshbuf.h" 
++#endif + + static void add_listen_addr(ServerOptions *, const char *, + const char *, int); +@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options) + options->authorized_principals_file = NULL; + options->authorized_principals_command = NULL; + options->authorized_principals_command_user = NULL; ++#ifdef NONE_CIPHER_ENABLED ++ options->none_enabled = -1; ++#endif ++#ifdef HPN_ENABLED ++ options->tcp_rcv_buf_poll = -1; ++ options->hpn_disabled = -1; ++ options->hpn_buffer_size = -1; ++#endif + options->ip_qos_interactive = -1; + options->ip_qos_bulk = -1; + options->version_addendum = NULL; +@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options) + } + if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; ++#ifdef NONE_CIPHER_ENABLED ++ if (options->none_enabled == -1) ++ options->none_enabled = 0; ++#endif ++#ifdef HPN_ENABLED ++ if (options->hpn_disabled == -1) ++ options->hpn_disabled = 0; ++ ++ if (options->hpn_buffer_size == -1) { ++ /* ++ * option not explicitly set. Now we have to figure out ++ * what value to use. ++ */ ++ if (options->hpn_disabled == 1) { ++ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; ++ } else { ++ int sock, socksize; ++ socklen_t socksizelen = sizeof(socksize); ++ ++ /* ++ * get the current RCV size and set it to that ++ * create a socket but don't connect it ++ * we use that the get the rcv socket size ++ */ ++ sock = socket(AF_INET, SOCK_STREAM, 0); ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ close(sock); ++ options->hpn_buffer_size = socksize; ++ debug ("HPN Buffer Size: %d", options->hpn_buffer_size); ++ } ++ } else { ++ /* ++ * we have to do this incase the user sets both values in a ++ * contradictory manner. 
hpn_disabled overrrides ++ * hpn_buffer_size ++ */ ++ if (options->hpn_disabled <= 0) { ++ if (options->hpn_buffer_size == 0) ++ options->hpn_buffer_size = 1; ++ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */ ++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) { ++ options->hpn_buffer_size = SSHBUF_SIZE_MAX; ++ } else { ++ options->hpn_buffer_size *= 1024; ++ } ++ } else ++ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; ++ } ++#endif ++ + if (options->ip_qos_interactive == -1) + options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +@@ -466,6 +528,12 @@ typedef enum { + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, ++#ifdef NONE_CIPHER_ENABLED ++ sNoneEnabled, ++#endif ++#ifdef HPN_ENABLED ++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, ++#endif + sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, + sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, +@@ -603,6 +671,14 @@ static struct { + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, ++#ifdef NONE_CIPHER_ENABLED ++ { "noneenabled", sNoneEnabled, SSHCFG_ALL }, ++#endif ++#ifdef HPN_ENABLED ++ { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, ++ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, ++ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, ++#endif + { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "ipqos", sIPQoS, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, +@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha + case sIgnoreUserKnownHosts: + intptr = &options->ignore_user_known_hosts; + goto parse_flag; ++ ++#ifdef NONE_CIPHER_ENABLED ++ case sNoneEnabled: ++ intptr = &options->none_enabled; ++ goto parse_flag; ++#endif 
++#ifdef HPN_ENABLED ++ case sTcpRcvBufPoll: ++ intptr = &options->tcp_rcv_buf_poll; ++ goto parse_flag; ++ ++ case sHPNDisabled: ++ intptr = &options->hpn_disabled; ++ goto parse_flag; ++ ++ case sHPNBufferSize: ++ intptr = &options->hpn_buffer_size; ++ goto parse_int; ++#endif + + case sHostbasedAuthentication: + intptr = &options->hostbased_authentication; +--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 +@@ -169,6 +169,15 @@ + + int use_pam; /* Enable auth via PAM */ + ++#ifdef NONE_CIPHER_ENABLED ++ int none_enabled; /* enable NONE cipher switch */ ++#endif ++#ifdef HPN_ENABLED ++ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/ ++ int hpn_disabled; /* disable hpn functionality. false by default */ ++ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */ ++#endif ++ + int permit_tun; + + int num_permitted_opens; +--- work/openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700 +@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh) + goto done; + debug("Tunnel forwarding using interface %s", ifname); + ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, ++ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); ++ else ++#endif + c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + c->datagram = 1; +@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh) + c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL, + -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, + 0, "server-session", 1); ++#ifdef HPN_ENABLED ++ if (options.tcp_rcv_buf_poll && !options.hpn_disabled) ++ c->dynamic_window = 1; ++#endif + if (session_open(the_authctxt, c->self) != 1) { + debug("session open failed, free channel 
%d", c->self); + channel_free(ssh, c); +--- work/openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700 +@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s, + */ + if (s->chanid == -1) + fatal("no channel for session %d", s->self); ++#ifdef HPN_ENABLED ++ if (!options.hpn_disabled) ++ channel_set_fds(ssh, s->chanid, ++ fdout, fdin, fderr, ++ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, ++ 1, is_tty, options.hpn_buffer_size); ++ else ++#endif + channel_set_fds(ssh, s->chanid, + fdout, fdin, fderr, + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, +--- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500 ++++ work/openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500 +@@ -263,7 +263,8 @@ + Specify how many requests may be outstanding at any one time. + Increasing this may slightly improve file transfer speed + but will increase memory usage. +-The default is 64 outstanding requests. ++The default is 256 outstanding requests providing for 8MB ++of outstanding data with a 32KB buffer. + .It Fl r + Recursively copy entire directories when uploading and downloading. + Note that +--- work/openssh/ssh.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ work/openssh/ssh.c 2021-04-28 14:51:04.682167000 -0700 +@@ -1027,6 +1027,14 @@ main(int ac, char **av) + break; + case 'T': + options.request_tty = REQUEST_TTY_NO; ++#ifdef NONE_CIPHER_ENABLED ++ /* ++ * ensure that the user doesn't try to backdoor a ++ * null cipher switch on an interactive session ++ * so explicitly disable it no matter what. 
++ */ ++ options.none_switch = 0; ++#endif + break; + case 'o': + line = xstrdup(optarg); +@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes + NULL, fileno(stdin), command, environ); + } + ++static void ++hpn_options_init(struct ssh *ssh) ++{ ++ /* ++ * We need to check to see if what they want to do about buffer ++ * sizes here. In a hpn to nonhpn connection we want to limit ++ * the window size to something reasonable in case the far side ++ * has the large window bug. In hpn to hpn connection we want to ++ * use the max window size but allow the user to override it ++ * lastly if they disabled hpn then use the ssh std window size. ++ * ++ * So why don't we just do a getsockopt() here and set the ++ * ssh window to that? In the case of a autotuning receive ++ * window the window would get stuck at the initial buffer ++ * size generally less than 96k. Therefore we need to set the ++ * maximum ssh window size to the maximum hpn buffer size ++ * unless the user has specifically set the tcprcvbufpoll ++ * to no. In which case we *can* just set the window to the ++ * minimum of the hpn buffer size and tcp receive buffer size. 
++ */ ++ ++ if (tty_flag) ++ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; ++ else ++ options.hpn_buffer_size = 2 * 1024 * 1024; ++ ++ if (ssh->compat & SSH_BUG_LARGEWINDOW) { ++ debug("HPN to Non-HPN Connection"); ++ } else { ++ int sock, socksize; ++ socklen_t socksizelen; ++ if (options.tcp_rcv_buf_poll <= 0) { ++ sock = socket(AF_INET, SOCK_STREAM, 0); ++ socksizelen = sizeof(socksize); ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ close(sock); ++ debug("socksize %d", socksize); ++ options.hpn_buffer_size = socksize; ++ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size); ++ } else { ++ if (options.tcp_rcv_buf > 0) { ++ /* ++ * Create a socket but don't connect it: ++ * we use that the get the rcv socket size ++ */ ++ sock = socket(AF_INET, SOCK_STREAM, 0); ++ /* ++ * If they are using the tcp_rcv_buf option, ++ * attempt to set the buffer size to that. ++ */ ++ if (options.tcp_rcv_buf) { ++ socksizelen = sizeof(options.tcp_rcv_buf); ++ setsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ &options.tcp_rcv_buf, socksizelen); ++ } ++ socksizelen = sizeof(socksize); ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ close(sock); ++ debug("socksize %d", socksize); ++ options.hpn_buffer_size = socksize; ++ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size); ++ } ++ } ++ } ++ ++ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); ++ ++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); ++} ++ + /* open new channel for a session */ + static int + ssh_session2_open(struct ssh *ssh) +@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh) + if (!isatty(err)) + set_nonblock(err); + ++#ifdef HPN_ENABLED ++ window = options.hpn_buffer_size; ++#else + window = CHAN_SES_WINDOW_DEFAULT; ++#endif ++ + packetmax = CHAN_SES_PACKET_DEFAULT; + if (tty_flag) { ++#ifdef HPN_ENABLED ++ window = CHAN_SES_WINDOW_DEFAULT; ++#endif + window >>= 1; + packetmax >>= 1; + } +@@ 
-2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh) + window, packetmax, CHAN_EXTENDED_WRITE, + "client-session", /*nonblock*/0); + ++#ifdef HPN_ENABLED ++ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) { ++ c->dynamic_window = 1; ++ debug ("Enabled Dynamic Window Scaling"); ++ } ++#endif + debug3_f("channel_new: %d", c->self); + + channel_send_open(ssh, c->self); +@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in + { + int r, id = -1; + char *cp, *tun_fwd_ifname = NULL; ++ ++#ifdef HPN_ENABLED ++ /* ++ * We need to initialize this early because the forwarding logic below ++ * might open channels that use the hpn buffer sizes. We can't send a ++ * window of -1 (the default) to the server as it breaks things. ++ */ ++ hpn_options_init(ssh); ++#endif + + /* XXX should be pre-session */ + if (!options.control_persist) +--- work/openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700 ++++ work/openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700 +@@ -28,7 +28,11 @@ + # endif /* OPENSSL_HAS_ECC */ + #endif /* WITH_OPENSSL */ + ++#ifdef HPN_ENABLED ++#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */ ++#else + #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */ ++#endif + #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */ + #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */ + #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */ +--- work/openssh/sshconnect.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ work/openssh/sshconnect.c 2020-11-10 21:35:40.945330000 -0800 +@@ -361,7 +361,32 @@ check_ifaddrs(const char *ifname, int af, const struct + } + #endif + ++#ifdef HPN_ENABLED + /* ++ * Set TCP receive buffer if requested. 
++ * Note: tuning needs to happen after the socket is ++ * created but before the connection happens ++ * so winscale is negotiated properly -cjr ++ */ ++static void ++ssh_set_socket_recvbuf(int sock) ++{ ++ void *buf = (void *)&options.tcp_rcv_buf; ++ int sz = sizeof(options.tcp_rcv_buf); ++ int socksize; ++ socklen_t socksizelen = sizeof(socksize); ++ ++ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf); ++ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) { ++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen); ++ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize); ++ } else ++ error("Couldn't set socket receive buffer to %d: %.100s", ++ options.tcp_rcv_buf, strerror(errno)); ++} ++#endif ++ ++/* + * Creates a socket for use as the ssh connection. + */ + static int +@@ -383,6 +408,11 @@ ssh_create_socket(struct addrinfo *ai) + } + fcntl(sock, F_SETFD, FD_CLOEXEC); + ++#ifdef HPN_ENABLED ++ if (options.tcp_rcv_buf > 0) ++ ssh_set_socket_recvbuf(sock); ++#endif ++ + /* Bind the socket to an alternative local IP address */ + if (options.bind_address == NULL && options.bind_interface == NULL) + return sock; +@@ -1289,7 +1319,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const + lowercase(host); + + /* Exchange protocol version identification strings with the server. */ +- if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0) ++ if ((r = kex_exchange_identification(ssh, timeout_ms, NULL, ++ options.hpn_disabled)) != 0) + sshpkt_fatal(ssh, r, "banner exchange"); + + /* Put the connection into non-blocking mode. */ +--- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700 ++++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700 +@@ -84,7 +84,13 @@ + extern char *client_version_string; + extern char *server_version_string; + extern Options options; ++#ifdef NONE_CIPHER_ENABLED ++/* tty_flag is set in ssh.c. 
use this in ssh_userauth2 */ ++/* if it is set then prevent the switch to the null cipher */ + ++extern int tty_flag; ++#endif ++ + /* + * SSH2 key exchange + */ +@@ -212,11 +218,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd + return ret; + } + ++static char *myproposal[PROPOSAL_MAX]; ++static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; + void + ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + const struct ssh_conn_info *cinfo) + { +- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *s, *all_key; + int r, use_known_hosts_order = 0; + +@@ -241,6 +248,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr + fatal_fr(r, "kex_assemble_namelist"); + free(all_key); + ++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + fatal_f("kex_names_cat"); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); +@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + + if (!authctxt.success) + fatal("Authentication failed."); ++#ifdef NONE_CIPHER_ENABLED ++ /* ++ * if the user wants to use the none cipher do it ++ * post authentication and only if the right conditions are met ++ * both of the NONE commands must be true and there must be no ++ * tty allocated. 
++ */ ++ if ((options.none_switch == 1) && (options.none_enabled == 1)) { ++ if (!tty_flag) { /* no null on tty sessions */ ++ debug("Requesting none rekeying..."); ++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; ++ kex_prop2buf(ssh->kex->my, myproposal); ++ packet_request_rekeying(); ++ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); ++ } else { ++ /* requested NONE cipher when in a tty */ ++ debug("Cannot switch to NONE cipher with tty allocated"); ++ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); ++ } ++ } ++#endif + if (ssh_packet_connection_is_on_socket(ssh)) { + verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host, + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), +--- work/openssh/sshd.c.orig 2021-09-08 10:00:01.411822000 -0700 ++++ work/openssh/sshd.c 2021-09-08 10:03:02.820813000 -0700 +@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la) + int ret, listen_sock; + struct addrinfo *ai; + char ntop[NI_MAXHOST], strport[NI_MAXSERV]; ++#ifdef HPN_ENABLED ++ int socksize; ++ socklen_t socksizelen = sizeof(socksize); ++#endif + + for (ai = la->addrs; ai; ai = ai->ai_next) { + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) +@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la) + + debug("Bind to port %s on %s.", strport, ntop); + ++#ifdef HPN_ENABLED ++ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, ++ &socksize, &socksizelen); ++ debug("Server TCP RWIN socket size: %d", socksize); ++ debug("HPN Buffer Size: %d", options.hpn_buffer_size); ++#endif ++ + /* Bind the socket to the desired port. */ + if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { + error("Bind to port %s on %s failed: %.200s.", +@@ -1760,6 +1771,15 @@ main(int ac, char **av) + /* Fill in default values for those options not explicitly set. 
*/ + fill_default_server_options(&options); + ++#ifdef NONE_CIPHER_ENABLED ++ if (options.none_enabled == 1) { ++ char *old_ciphers = options.ciphers; ++ ++ xasprintf(&options.ciphers, "%s,none", old_ciphers); ++ free(old_ciphers); ++ } ++#endif ++ + /* Check that options are sensible */ + if (options.authorized_keys_command_user == NULL && + (options.authorized_keys_command != NULL && +@@ -2216,6 +2236,11 @@ main(int ac, char **av) + rdomain == NULL ? "" : "\""); + free(laddr); + ++#ifdef HPN_ENABLED ++ /* set the HPN options for the child */ ++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); ++#endif ++ + /* + * We don't want to listen forever unless the other side + * successfully authenticates itself. So we set up an alarm which is +@@ -2229,7 +2254,7 @@ main(int ac, char **av) + alarm(options.login_grace_time); + + if ((r = kex_exchange_identification(ssh, -1, +- options.version_addendum)) != 0) ++ options.version_addendum, options.hpn_disabled)) != 0) + sshpkt_fatal(ssh, r, "banner exchange"); + + ssh_packet_set_nonblocking(ssh); +@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh) + char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; + struct kex *kex; + int r; ++ ++#ifdef NONE_CIPHER_ENABLED ++ if (options.none_enabled == 1) ++ debug ("WARNING: None cipher enabled"); ++#endif + + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, + options.kex_algorithms); +--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 ++++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 +@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server + ++# the following are HPN related configuration options ++# tcp receive buffer polling. 
disable in non autotuning kernels ++#TcpRcvBufPoll yes ++ ++# disable hpn performance boosts ++#HPNDisabled no ++ ++# buffer size for hpn to non-hpn connections ++#HPNBufferSize 2048 ++ ++ ++# allow the use of the none cipher ++#NoneEnabled no ++ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +--- work/openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700 ++++ work/openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700 +@@ -4,3 +4,4 @@ + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++#define SSH_HPN "-hpn14v15" +--- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700 ++++ work/openssh/kex.h 2019-07-10 17:35:41.997522000 -0700 +@@ -178,7 +178,7 @@ char *kex_alg_list(char); + char *kex_names_cat(const char *, const char *); + int kex_assemble_names(char **, const char *, const char *); + +-int kex_exchange_identification(struct ssh *, int, const char *); ++int kex_exchange_identification(struct ssh *, int, const char *, int); + + struct kex *kex_new(void); + int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat new file mode 100644 index 0000000..c47d0a1 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-hpn-compat 
@@ -0,0 +1,46 @@ +------------------------------------------------------------------------ +r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines +Changed paths: + M /head/crypto/openssh/servconf.c + +Instead of removing the NoneEnabled option, mark it as unsupported. +(should have done this in r291198, but didn't think of it until now) + +------------------------------------------------------------------------ +------------------------------------------------------------------------ +r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines +Changed paths: + M /head/crypto/openssh/readconf.c + +r294563 was incomplete; re-add the client-side options as well. + +------------------------------------------------------------------------ + +--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700 ++++ readconf.c 2021-04-27 11:25:24.222034000 -0700 +@@ -316,6 +316,12 @@ static struct { + { "proxyjump", oProxyJump }, + { "securitykeyprovider", oSecurityKeyProvider }, + { "knownhostscommand", oKnownHostsCommand }, ++ { "hpndisabled", oDeprecated }, ++ { "hpnbuffersize", oDeprecated }, ++ { "tcprcvbufpoll", oDeprecated }, ++ { "tcprcvbuf", oDeprecated }, ++ { "noneenabled", oUnsupported }, ++ { "noneswitch", oUnsupported }, + + { NULL, oBadOption } + }; +--- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800 ++++ servconf.c 2020-03-21 17:01:18.011062000 -0700 +@@ -695,6 +695,10 @@ static struct { + { "rdomain", sRDomain, SSHCFG_ALL }, + { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, + { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, ++ { "noneenabled", sUnsupported, SSHCFG_ALL }, ++ { "hpndisabled", sDeprecated, SSHCFG_ALL }, ++ { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, ++ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, + { NULL, sBadOption, 0 } + }; + 
diff --git a/security/openssh-portable/files/extra-patch-hpn-gss-glue b/security/openssh-portable/files/extra-patch-hpn-gss-glue new file mode 100644 index 0000000..57b47e8 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-hpn-gss-glue @@ -0,0 +1,57 @@ +--- sshconnect2.c.orig 2019-07-19 11:53:14.918867000 -0700 ++++ sshconnect2.c 2019-07-19 11:53:16.911086000 -0700 +@@ -159,11 +159,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr + char *s, *all_key; + int r; + +-#if defined(GSSAPI) && defined(WITH_OPENSSL) +- char *orig = NULL, *gss = NULL; +- char *gss_host = NULL; +-#endif +- + xxx_host = host; + xxx_hostaddr = hostaddr; + +@@ -197,6 +192,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr + } + + #if defined(GSSAPI) && defined(WITH_OPENSSL) ++ char *orig = NULL, *gss = NULL; ++ char *gss_host = NULL; ++ + if (options.gss_keyex) { + /* Add the GSSAPI mechanisms currently supported on this + * client to the key exchange algorithm proposal */ +--- readconf.c.orig 2019-07-19 12:13:18.000312000 -0700 ++++ readconf.c 2019-07-19 12:13:29.614552000 -0700 +@@ -63,11 +63,11 @@ + #include "readconf.h" + #include "match.h" + #include "kex.h" ++#include "ssh-gss.h" + #include "mac.h" + #include "uidswap.h" + #include "myproposal.h" + #include "digest.h" +-#include "ssh-gss.h" + + /* Format of the configuration file: + +--- servconf.c.orig 2019-07-19 12:14:42.078398000 -0700 ++++ servconf.c 2019-07-19 12:14:43.543687000 -0700 +@@ -54,6 +54,7 @@ + #include "sshkey.h" + #include "kex.h" + #include "mac.h" ++#include "ssh-gss.h" + #include "match.h" + #include "channels.h" + #include "groupaccess.h" +@@ -64,7 +65,6 @@ + #include "auth.h" + #include "myproposal.h" + #include "digest.h" +-#include "ssh-gss.h" + + static void add_listen_addr(ServerOptions *, const char *, + const char *, int); diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns new file mode 100644 index 0000000..2d06f10 
--- /dev/null +++ b/security/openssh-portable/files/extra-patch-ldns @@ -0,0 +1,51 @@ +r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines +Changed paths: + M /head/crypto/openssh/readconf.c + M /head/crypto/openssh/ssh_config + M /head/crypto/openssh/ssh_config.5 + +Change the default value of VerifyHostKeyDNS to "yes" if compiled with +LDNS. With that setting, OpenSSH will silently accept host keys that +match verified SSHFP records. If an SSHFP record exists but could not +be verified, OpenSSH will print a message and prompt the user as usual. + +--- readconf.c 2013-10-03 08:15:03.496131082 -0500 ++++ readconf.c 2013-10-03 08:15:22.716134315 -0500 +@@ -1414,8 +1414,14 @@ fill_default_options(Options * options) + options->rekey_limit = 0; + if (options->rekey_interval == -1) + options->rekey_interval = 0; ++#if HAVE_LDNS ++ if (options->verify_host_key_dns == -1) ++ /* automatically trust a verified SSHFP record */ ++ options->verify_host_key_dns = 1; ++#else + if (options->verify_host_key_dns == -1) + options->verify_host_key_dns = 0; ++#endif + if (options->server_alive_interval == -1) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) +--- ssh_config 2013-10-03 08:15:03.537131330 -0500 ++++ ssh_config 2013-10-03 08:15:22.755131175 -0500 +@@ -44,5 +44,6 @@ + # TunnelDevice any:any + # PermitLocalCommand no + # VisualHostKey no ++# VerifyHostKeyDNS yes + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h +--- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800 ++++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800 +@@ -1635,7 +1635,10 @@ need to confirm new host keys according + .Cm StrictHostKeyChecking + option. + The default is +-.Cm no . ++.Cm yes ++if compiled with LDNS and ++.Cm no ++otherwise. + .Pp + See also + .Sx VERIFYING HOST KEYS 
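Review bot: The new readconf.c branch is guarded with `#if HAVE_LDNS` while the rest of this patch set consistently uses `#ifdef` (`HPN_ENABLED`, `NONE_CIPHER_ENABLED`, `LIBWRAP`, `HAVE_LOGIN_CAP`); `#if` breaks preprocessing if the build defines the macro without a value, so `#ifdef HAVE_LDNS` is both the safer and the consistent spelling. The default flip is security-relevant — a matching SSHFP record now replaces the interactive host-key confirmation — and the ssh_config.5 text only says the default becomes `yes`; a sentence after the new `.Cm yes` wording such as `Only SSHFP records that pass DNS validation are accepted without confirmation; unverified records still prompt.` would make the trust boundary explicit to administrators (the commit text above the hunk states this behaviour, so it can be quoted rather than inferred). The `fill_default_options` function starts and ends outside the hunk.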
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers new file mode 100644 index 0000000..ba8cc71 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-tcpwrappers 
@@ -0,0 +1,160 @@ +Revert TCPWRAPPER removal -bdrewery + +commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 +Author: Damien Miller +Date: Sun Apr 20 13:22:18 2014 +1000 + + - tedu@cvs.openbsd.org 2014/03/26 19:58:37 + [sshd.8 sshd.c] + remove libwrap support. ok deraadt djm mfriedl + +diff --git sshd.8 sshd.8 +index 289e13d..e6a900b 100644 +--- sshd.8 ++++ sshd.8 +@@ -851,6 +851,12 @@ the user's home directory becomes accessible. + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . +@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +diff --git sshd.c sshd.c +index 0ade557..045f149 100644 +--- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700 ++++ sshd.c 2018-04-04 15:40:20.964130000 -0700 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */ ++/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -131,6 +131,13 @@ + #include "version.h" + #include "ssherr.h" + ++#ifdef LIBWRAP ++#include ++#include ++int allow_severity; ++int deny_severity; ++#endif /* LIBWRAP */ ++ + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) + #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) +@@ -2072,6 +2079,25 @@ main(int ac, char **av) + #endif + + rdomain = ssh_packet_rdomain_in(ssh); ++ ++#ifdef LIBWRAP ++ allow_severity = options.log_facility|LOG_INFO; ++ deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are 
denied from this host. */ ++ if (ssh_packet_connection_is_on_socket(ssh)) { ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ + + /* Log the connection. */ + laddr = get_local_ipaddr(sock_in); +diff --git configure.ac configure.ac +index f48ba4a..66fbe82 100644 +--- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700 ++++ configure.ac 2019-07-02 20:58:48.627832000 -0700 +@@ -1494,6 +1494,62 @@ else + AC_MSG_RESULT([no]) + fi + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include ++#include ++#include ++#include ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" 
++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG" + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " libldns support: $LDNS_MSG" diff --git a/security/openssh-portable/files/extra-patch-version-addendum b/security/openssh-portable/files/extra-patch-version-addendum new file mode 100644 index 0000000..b10e1c6 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-version-addendum @@ -0,0 +1,5 @@ +--- servconf.c.orig 2015-03-28 23:08:41.296700000 -0500 ++++ servconf.c 2015-03-28 23:08:54.016291000 -0500 +@@ -318 +318 @@ +- options->version_addendum = xstrdup(""); ++ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD_PORT); diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in new file mode 100644 index 0000000..a8c0043 --- /dev/null +++ b/security/openssh-portable/files/openssh.in 
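Review bot: The libwrap block inserted into sshd.c main() calls `fromhost(&req)` and `hosts_access(&req)`, which can perform reverse-DNS lookups, before the `alarm(options.login_grace_time)` that the same function installs further down (visible as context in the extra-patch-hpn sshd.c hunk), so a slow resolver can hold the per-connection child with no timeout; either move the block below the alarm or add a comment on the `fromhost(&req);` line noting that LoginGraceTime does not cover this lookup. The sshd.c hunk also rewrites the `$OpenBSD: sshd.c,v 1.506 2018/03/03` tag back to the 2014 `v 1.422` string, which misstates the provenance of the patched file for anyone auditing the tree; that hunk line should be dropped from the patch. The two `+#include` lines inside `#ifdef LIBWRAP` and the four in the configure.ac test program appear here without header names, presumably a rendering artefact, but worth confirming against the stored patch file. main() begins and ends outside the hunk.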
@@ -0,0 +1,163 @@ +#!/bin/sh + +# PROVIDE: openssh +# REQUIRE: DAEMON +# KEYWORD: shutdown +# +# Add the following lines to /etc/rc.conf to enable openssh: +# +# openssh_enable (bool): Set it to "YES" to enable openssh. +# Default is "NO". +# openssh_flags (flags): Set extra flags to openssh. +# Default is "". see sshd(1). +# openssh_pidfile (file): Set full path to pid file. + +. /etc/rc.subr + +name="openssh" +rcvar=openssh_enable + +load_rc_config ${name} + +: ${openssh_enable:="NO"} +: ${openssh_skipportscheck="NO"} + +command=%%PREFIX%%/sbin/sshd +extra_commands="configtest reload keygen" +start_precmd="${name}_checks" +reload_precmd="${name}_checks" +restart_precmd="${name}_checks" +configtest_cmd="${name}_configtest" +keygen_cmd="${name}_keygen" +pidfile=${openssh_pidfile:="/var/run/sshd.pid"} + +openssh_keygen() +{ + if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \ + -f %%ETCDIR%%/ssh_host_rsa_key -a \ + -f %%ETCDIR%%/ssh_host_ecdsa_key -a \ + -f %%ETCDIR%%/ssh_host_ed25519_key ]; then + return 0 + fi + + umask 022 + + # Can't do anything if ssh is not installed + [ -x %%PREFIX%%/bin/ssh-keygen ] || + err 1 "%%PREFIX%%/bin/ssh-keygen does not exist." 
+ + if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then + echo "You already have a DSA host key" \ + "in %%ETCDIR%%/ssh_host_dsa_key" + echo "Skipping protocol version 2 DSA Key Generation" + else + %%PREFIX%%/bin/ssh-keygen -t dsa \ + -f %%ETCDIR%%/ssh_host_dsa_key -N '' + fi + + if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then + echo "You already have a RSA host key" \ + "in %%ETCDIR%%/ssh_host_rsa_key" + echo "Skipping protocol version 2 RSA Key Generation" + else + %%PREFIX%%/bin/ssh-keygen -t rsa \ + -f %%ETCDIR%%/ssh_host_rsa_key -N '' + fi + + if [ -f %%ETCDIR%%/ssh_host_ecdsa_key ]; then + echo "You already have a Elliptic Curve DSA host key" \ + "in %%ETCDIR%%/ssh_host_ecdsa_key" + echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation" + else + %%PREFIX%%/bin/ssh-keygen -t ecdsa \ + -f %%ETCDIR%%/ssh_host_ecdsa_key -N '' + fi + + if [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then + echo "You already have a Elliptic Curve ED25519 host key" \ + "in %%ETCDIR%%/ssh_host_ed25519_key" + echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation" + else + %%PREFIX%%/bin/ssh-keygen -t ed25519 \ + -f %%ETCDIR%%/ssh_host_ed25519_key -N '' + fi +} + +openssh_check_same_ports(){ + # check if opensshd don't use base system sshd's port + # + # openssh binds ports in priority (lowest first): + # Port from sshd_config + # -p option from command line + # ListenAddress addr:port from sshd_config + + + #check if opensshd-portable installed in replacement of base sshd + if [ "%%ETCDIR%%" = "/etc/ssh" ]; then + return 1 + fi + + self_port=$(awk '$1~/^ListenAddress/ \ + {mlen=match($0,":[0-9]*$"); print \ + substr($0,mlen+1,length($0)-mlen)}' %%ETCDIR%%/sshd_config) + if [ -z "$self_port" ]; then + self_port=$(echo $openssh_flags | awk \ + '{for (i = 1; i <= NF; i++) if ($i == "-p") \ + {i++; printf "%s", $i; break; }; }') + if [ -z "$self_port" ]; then + self_port=$(awk '$1~/^Port/ {print $2}' \ + %%ETCDIR%%/sshd_config) + fi + fi + # assume default 22 port + if [ 
-z "$self_port" ]; then + self_port=22 + fi + + load_rc_config "sshd" + + base_sshd_port=$(awk '$1~/^ListenAddress/ \ + {mlen=match($0,":[0-9]*$"); print \ + substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config) + if [ -z "$base_sshd_port" ]; then + base_sshd_port=$(echo $sshd_flags | awk \ + '{for (i = 1; i <= NF; i++) if ($i == "-p") \ + {i++; printf "%s", $i; break; }; }') + if [ -z "$base_sshd_port" ]; then + base_sshd_port=$(awk '$1~/^Port/ {print $2}' \ + /etc/ssh/sshd_config) + fi + fi + if [ -z "$base_sshd_port" ]; then + base_sshd_port=22 + fi + + # self_port and base_sshd_port may have multiple values. Compare them all + for sport in ${self_port}; do + for bport in ${base_sshd_port}; do + [ ${sport} -eq ${bport} ] && return 0 + done + done + + return 1 +} + +openssh_configtest() +{ + echo "Performing sanity check on ${name} configuration." + eval ${command} ${openssh_flags} -t +} + +openssh_checks() +{ + if checkyesno sshd_enable ; then + if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then + err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port" + fi + fi + + run_rc_command keygen + openssh_configtest +} + +run_rc_command "$1" diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c new file mode 100644 index 0000000..38d366a --- /dev/null +++ b/security/openssh-portable/files/patch-auth2.c 
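Review bot: `openssh_keygen` still generates a DSA host key (`ssh-keygen -t dsa` into `%%ETCDIR%%/ssh_host_dsa_key`) and the all-present guard at the top of the function requires that file to exist; the OpenSSH 8.8 release this port packages does not offer ssh-dss host keys by default, so the script creates key material the daemon will not advertise. Dropping the DSA branch and the `-f %%ETCDIR%%/ssh_host_dsa_key -a` term from the guard keeps the rc script aligned with the shipped defaults. Two smaller points: `: ${openssh_skipportscheck="NO"}` uses `=` where the line above uses `:=`, so an explicitly empty value is kept rather than defaulted — `: ${openssh_skipportscheck:="NO"}` matches its sibling; and the header comment `see sshd(1)` should read `see sshd(8)`.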
@@ -0,0 +1,47 @@ +--- UTC +r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines +Changed paths: + M /head/crypto/openssh/auth2.c + +Apply class-imposed login restrictions. + +--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ auth2.c 2020-11-16 13:55:25.222771000 -0800 +@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct + char *user = NULL, *service = NULL, *method = NULL, *style = NULL; + int r, authenticated = 0; + double tstart = monotime_double(); ++#ifdef HAVE_LOGIN_CAP ++ login_cap_t *lc; ++ const char *from_host, *from_ip; ++#endif + + if (authctxt == NULL) + fatal("input_userauth_request: no authctxt"); +@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct + "not allowed: (%s,%s) -> (%s,%s)", + authctxt->user, authctxt->service, user, service); + } ++ ++#ifdef HAVE_LOGIN_CAP ++ if (authctxt->pw != NULL && ++ (lc = login_getpwclass(authctxt->pw)) != NULL) { ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ logit("Denied connection for %.200s from %.200s [%.200s].", ++ authctxt->pw->pw_name, from_host, from_ip); ++ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect."); ++ } ++ if (!auth_timeok(lc, time(NULL))) { ++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", ++ authctxt->pw->pw_name, from_host); ++ ssh_packet_disconnect(ssh, "Logins not available right now."); ++ } ++ login_close(lc); ++ } ++#endif /* HAVE_LOGIN_CAP */ ++ + /* reset state */ + auth2_challenge_stop(ssh); + diff --git a/security/openssh-portable/files/patch-platform-tracing.c b/security/openssh-portable/files/patch-platform-tracing.c new file mode 100644 index 0000000..54f6db4 --- /dev/null +++ b/security/openssh-portable/files/patch-platform-tracing.c 
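Review bot: The two denial paths added to input_userauth_request log in different shapes — `Denied connection for %.200s from %.200s [%.200s].` for the host check and `LOGIN %.200s REFUSED (TIME) FROM %.200s` for the time check — so a detection rule keyed on one form misses the other; a parallel format for the second case, e.g. `Denied connection for %.200s from %.200s: outside permitted login times.`, keeps both events searchable together. Since `ssh_packet_disconnect()` does not return, `login_close(lc)` is only reached on the allow path; that is harmless because the child exits, but a comment on that line such as `/* deny branches exit via ssh_packet_disconnect() */` saves the next reader the check. These checks presumably run on every userauth request on the connection rather than once per session, so the log line may repeat per attempt. The enclosing function starts and ends outside the hunk.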
@@ -0,0 +1,25 @@
+--- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700
++++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700
+@@ -16,6 +16,10 @@
+ 
+ #include "includes.h"
+ 
++#if defined(HAVE_PROCCTL)
++#include 
++#include 
++#endif
+ #include 
+ #ifdef HAVE_SYS_PROCCTL_H
+ #include 
+@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
+ /* On FreeBSD, we should make this process untraceable */
+ int disable_trace = PROC_TRACE_CTL_DISABLE;
+ 
+- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+- fatal("unable to make the process untraceable");
++ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
++ fatal("unable to make the process untraceable: %s for pid %d",
++ strerror(errno), (int)getpid());
+ #endif
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
diff --git a/security/openssh-portable/files/patch-regress__test-exec.sh b/security/openssh-portable/files/patch-regress__test-exec.sh
new file mode 100644
index 0000000..0213e8c
--- /dev/null
+++ b/security/openssh-portable/files/patch-regress__test-exec.sh
@@ -0,0 +1,10 @@
+--- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 UTC
++++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500
+@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
+ LogLevel DEBUG3
+ AcceptEnv _XXX_TEST_*
+ AcceptEnv _XXX_TEST
++ PermitRootLogin yes
+ Subsystem sftp $SFTPSERVER
+ EOF
+ 
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
new file mode 100644
index 0000000..5a7e9b9
--- /dev/null
+++ b/security/openssh-portable/files/patch-servconf.c
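Review bot: A failed `procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace)` is only reported when `strict` is set; in the non-strict case (ssh-agent calls `platform_disable_tracing(0)` in the patch-ssh-agent.c hunk later in this commit) the process silently stays traceable and nothing in the logs says so. Splitting the combined condition so that the non-strict path still emits a `debug()` with `strerror(errno)` keeps the behaviour but makes the degraded state observable. The header names on the two `#include` lines added under `#if defined(HAVE_PROCCTL)` are lost in this rendering, so I cannot confirm that the headers providing `errno` and `strerror` are the ones added. platform_disable_tracing starts before the hunk.
```c
	/* On FreeBSD, we should make this process untraceable */
	int disable_trace = PROC_TRACE_CTL_DISABLE;

	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) != 0) {
		if (strict)
			fatal("unable to make the process untraceable: %s for pid %d",
			    strerror(errno), (int)getpid());
		/* non-strict callers (ssh-agent) keep running; say so in the log */
		debug("procctl(PROC_TRACE_CTL) failed: %s for pid %d",
		    strerror(errno), (int)getpid());
	}
	/* … unchanged: HAVE_PRCTL branch … */
```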
@@ -0,0 +1,51 @@
+r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+ M /head/crypto/openssh/myproposal.h
+ M /head/crypto/openssh/readconf.c
+ M /head/crypto/openssh/servconf.c
+ 
+Apply FreeBSD's configuration defaults.
+ 
+--- servconf.c.orig 2018-06-27 17:18:19.513676000 -0700
++++ servconf.c 2018-06-27 17:19:38.133882000 -0700
+@@ -41,6 +41,7 @@
+ #include 
+ #endif
+ 
++#include "version.h"
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+ #include "ssh.h"
+@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options)
+ 
+ /* Portable-specific options */
+ if (options->use_pam == -1)
++#ifdef USE_PAM
++ options->use_pam = 1;
++#else
+ options->use_pam = 0;
++#endif
+ 
+ /* Standard Options */
+ if (options->num_host_key_files == 0) {
+@@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options)
+ if (options->print_lastlog == -1)
+ options->print_lastlog = 1;
+ if (options->x11_forwarding == -1)
+- options->x11_forwarding = 0;
++ options->x11_forwarding = 1;
+ if (options->x11_display_offset == -1)
+ options->x11_display_offset = 10;
+ if (options->x11_use_localhost == -1)
+@@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options)
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 1;
+ if (options->password_authentication == -1)
++#ifdef USE_PAM
++ options->password_authentication = 0;
++#else
+ options->password_authentication = 1;
++#endif
+ if (options->kbd_interactive_authentication == -1)
+ options->kbd_interactive_authentication = 0;
+ if (options->challenge_response_authentication == -1)
diff --git a/security/openssh-portable/files/patch-serverloop.c b/security/openssh-portable/files/patch-serverloop.c
new file mode 100644
index 0000000..94a4609
--- /dev/null
+++ b/security/openssh-portable/files/patch-serverloop.c
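Review bot: The `#ifdef USE_PAM` default `options->password_authentication = 0;` does not by itself make the server key-only: the `challenge_response_authentication` default on the line after the hunk is left untouched, and this commit's own sshd_config.5 hunk documents that with PAM and pam_unix passwords are still accepted through the challenge-response mechanism. A comment at that site, e.g. `/* With PAM, passwords still arrive via kbd-interactive; see sshd_config.5 */`, would stop a reader from inferring a stronger default than the code provides. The `#include "version.h"` added near the top is not used by any visible line; presumably it serves a VersionAddendum default elsewhere in the file, which a one-word comment could say. fill_default_server_options continues outside the hunk.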
@@ -0,0 +1,52 @@
+------------------------------------------------------------------------
+r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+ 
+Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
+Submitted upstream, no reaction.
+ 
+Submitted by: delphij
+[rewritten for 7.4 by bdrewery]
+[base removed this in 7.8 but it is still useful - bdrewery]
+ 
+--- serverloop.c.orig 2020-09-27 00:25:01.000000000 -0700
++++ serverloop.c 2020-11-16 12:58:44.823775000 -0800
+@@ -56,6 +56,8 @@
+ #include 
+ #include 
+ 
++#include 
++
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+ #include "packet.h"
+@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *);
+ /* requested tunnel forwarding interface(s), shared with session.c */
+ char *tun_fwd_ifnames = NULL;
+ 
++static int
++ipport_reserved(void)
++{
++#ifdef __FreeBSD__
++ int old;
++ size_t len = sizeof(old);
++
++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
++ &old, &len, NULL, 0) == 0)
++ return (old + 1);
++#endif
++ return (IPPORT_RESERVED);
++}
++
+ /* returns 1 if bind to specified port by specified user is permitted */
+ static int
+ bind_permitted(int port, uid_t uid)
+ {
+ if (use_privsep)
+ return 1; /* allow system to decide */
+- if (port < IPPORT_RESERVED && uid != 0)
++ if (port < ipport_reserved() && uid != 0)
+ return 0;
+ return 1;
+ }
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
new file mode 100644
index 0000000..b0b9e08
--- /dev/null
+++ b/security/openssh-portable/files/patch-session.c
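Review bot: `ipport_reserved()` issues a `sysctlbyname()` call every time `bind_permitted()` is evaluated; caching the value in a static after the first successful read would remove that per-request syscall, at the cost of not picking up a runtime change of the sysctl, so whichever is chosen should be stated in a comment. The new `#include` placed before `openbsd-compat/sys-queue.h` is unconditional while its only user is under `#ifdef __FreeBSD__`; wrapping the include the same way keeps the rest of the portable build untouched (the header name itself is lost in this rendering). A one-line comment above `ipport_reserved`, e.g. `/* reservedhigh is the inclusive top of the reserved range, hence + 1 */`, would explain the arithmetic to the next reader.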
@@ -0,0 +1,78 @@ +bdrewery: + - Refactor and simplify original commit. + - Stop setting TERM=su without a term. + +------------------------------------------------------------------------ +r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines +Changed paths: + M /head/crypto/openssh/session.c + +Make sure the environment variables set by setusercontext() are passed on +to the child process. + +Reviewed by: ache +Sponsored by: DARPA, NAI Labs + +--- session.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ session.c 2021-04-27 13:11:13.515917000 -0700 +@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui + } + #endif /* HAVE_ETC_DEFAULT_LOGIN */ + +-#if defined(USE_PAM) || defined(HAVE_CYGWIN) ++#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP) + static void + copy_environment_denylist(char **source, char ***env, u_int *envsize, + const char *denylist) +@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + # endif /* HAVE_CYGWIN */ + #endif /* HAVE_LOGIN_CAP */ + +- if (!options.use_pam) { ++ /* FreeBSD PAM doesn't set default "MAIL" */ ++ if (1 || !options.use_pam) { + snprintf(buf, sizeof buf, "%.200s/%.50s", + _PATH_MAILDIR, pw->pw_name); + child_set_env(&env, &envsize, "MAIL", buf); +@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char * + + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); ++#ifdef HAVE_LOGIN_CAP ++ /* Load environment from /etc/login.conf setenv directives. 
*/ ++ { ++ extern char **environ; ++ char **senv, **var; ++ ++ senv = environ; ++ environ = xmalloc(sizeof(char *)); ++ *environ = NULL; ++ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV); ++ copy_environment_denylist(environ, &env, &envsize, NULL); ++ for (var = environ; *var != NULL; ++var) ++ free(*var); ++ free(environ); ++ environ = senv; ++ } ++#endif + if (s->term) + child_set_env(&env, &envsize, "TERM", s->term); + if (s->display) +@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw) + #ifdef HAVE_LOGIN_CAP + if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) + return; +- nl = login_getcapstr(lc, "nologin", def_nl, def_nl); ++ nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl); + #else + if (pw->pw_uid == 0) + return; +@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw) + if (platform_privileged_uidswap()) { + #ifdef HAVE_LOGIN_CAP + if (setusercontext(lc, pw, pw->pw_uid, +- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { ++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { + perror("unable to set user context"); + exit(1); + } diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1 new file mode 100644 index 0000000..8e5a977 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh-agent.1 
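Review bot: The `environ` swap around `setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV)` frees every string in the temporary `environ` and then the array, but nothing here shows who allocated those strings — this code or libc's setenv() bookkeeping — and in a root-privileged process a wrong assumption there is a double free; a comment stating the ownership and why the frees are safe is needed at the `for (var = environ; ...)` loop. `if (1 || !options.use_pam)` reads as a leftover debug switch; since the comment already explains that FreeBSD PAM does not set MAIL, drop the condition and keep `/* FreeBSD PAM doesn't set default "MAIL"; always set it. */` with the `snprintf`/`child_set_env` pair unconditional. The `(char*)` cast on `login_getcapstr` discards a const qualifier; if `nl` is only read, declaring it `const char *` is the cleaner fix. do_setup_env, do_nologin and do_setusercontext each begin outside their hunks.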
@@ -0,0 +1,26 @@ +--- UTC +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +--- ssh-agent.1.orig 2020-02-13 16:40:54.000000000 -0800 ++++ ssh-agent.1 2020-03-21 17:03:22.952068000 -0700 +@@ -43,7 +43,7 @@ + .Sh SYNOPSIS + .Nm ssh-agent + .Op Fl c | s +-.Op Fl \&Dd ++.Op Fl \&Ddx + .Op Fl a Ar bind_address + .Op Fl E Ar fingerprint_hash + .Op Fl P Ar provider_whitelist +@@ -125,6 +125,8 @@ A lifetime specified for an identity with + .Xr ssh-add 1 + overrides this value. + Without this option the default maximum lifetime is forever. ++.It Fl x ++Exit after the last client has disconnected. + .It Ar command Op Ar arg ... + If a command (and optional arguments) is given, + this is executed as a subprocess of the agent. diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c new file mode 100644 index 0000000..de53881 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh-agent.c 
@@ -0,0 +1,95 @@ +--- UTC +r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines + +Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. + +r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines + +Add a -x option that causes ssh-agent(1) to exit when all clients have +disconnected. + +--- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700 ++++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700 +@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; + /* Refuse signing of non-SSH messages for web-origin FIDO keys */ + static int restrict_websafe = 1; + ++/* ++ * Client connection count; incremented in new_socket() and decremented in ++ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is ++ * normally initialized to 1, it will never reach 0. However, if the -x ++ * option is specified, it is initialized to 0 in main(); in that case, ++ * ssh-agent will exit as soon as it has had at least one client but no ++ * longer has any. ++ */ ++static int xcount = 1; ++ + static void + close_socket(SocketEntry *e) + { ++ int last = 0; ++ ++ if (e->type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount - 1); ++ if (--xcount == 0) ++ last = 1; ++ } + close(e->fd); + sshbuf_free(e->input); + sshbuf_free(e->output); +@@ -181,6 +198,8 @@ close_socket(SocketEntry *e) + memset(e, '\0', sizeof(*e)); + e->fd = -1; + e->type = AUTH_UNUSED; ++ if (last) ++ cleanup_exit(0); + } + + static void +@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd) + + debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : + (type == AUTH_SOCKET ? 
"SOCKET" : "UNKNOWN")); ++ if (type == AUTH_CONNECTION) { ++ debug("xcount %d -> %d", xcount, xcount + 1); ++ ++xcount; ++ } + set_nonblock(fd); + + if (fd > max_fd) +@@ -1360,7 +1383,7 @@ static void + usage(void) + { + fprintf(stderr, +- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" ++ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + " [-P allowed_providers] [-t life]\n" + " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" + " [-t life] command [arg ...]\n" +@@ -1394,6 +1417,7 @@ main(int ac, char **av) + /* drop */ + setegid(getgid()); + setgid(getgid()); ++ setuid(geteuid()); + + platform_disable_tracing(0); /* strict=no */ + +@@ -1405,7 +1429,7 @@ main(int ac, char **av) + __progname = ssh_get_progname(av[0]); + seed_rng(); + +- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) { + switch (ch) { + case 'E': + fingerprint_hash = ssh_digest_alg_by_name(optarg); +@@ -1454,6 +1478,9 @@ main(int ac, char **av) + fprintf(stderr, "Invalid lifetime\n"); + usage(); + } ++ break; ++ case 'x': ++ xcount = 0; + break; + default: + usage(); diff --git a/security/openssh-portable/files/patch-ssh.c b/security/openssh-portable/files/patch-ssh.c new file mode 100644 index 0000000..c49535d --- /dev/null +++ b/security/openssh-portable/files/patch-ssh.c 
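Review bot: The added `setuid(geteuid());` discards its return value, so if the call fails the agent keeps running with a real uid that differs from the effective one, which is exactly the state the pam_ssh workaround is meant to rule out; `if (setuid(geteuid()) == -1) fatal("setuid: %s", strerror(errno));` makes the failure loud, consistent with the other fatal paths in startup. The `setegid`/`setgid` lines just above are also unchecked, but those are pre-existing. With `-x`, `close_socket()` calls `cleanup_exit(0)` as soon as `xcount` reaches 0 and the long comment on `xcount` explains the scheme well; a short pointer at the exit site, `/* -x: last client gone, see xcount */`, would help a reader who arrives via close_socket. main() begins and ends outside the hunk.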
@@ -0,0 +1,33 @@ +--- UTC +r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines +Changed paths: + M /head/crypto/openssh/ssh.c + +Canonicize the host name before looking it up in the host file. + +--- ssh.c.orig 2018-04-02 05:38:28 UTC ++++ ssh.c +@@ -1281,6 +1281,23 @@ main(int ac, char **av) + ssh_digest_free(md); + conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1)); + ++ /* Find canonic host name. */ ++ if (strchr(host, '.') == 0) { ++ struct addrinfo hints; ++ struct addrinfo *ai = NULL; ++ int errgai; ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = options.address_family; ++ hints.ai_flags = AI_CANONNAME; ++ hints.ai_socktype = SOCK_STREAM; ++ errgai = getaddrinfo(host, NULL, &hints, &ai); ++ if (errgai == 0) { ++ if (ai->ai_canonname != NULL) ++ host = xstrdup(ai->ai_canonname); ++ freeaddrinfo(ai); ++ } ++ } ++ + /* + * Expand tokens in arguments. NB. LocalCommand is expanded later, + * after port-forwarding is set up, so it may pick up any local diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config new file mode 100644 index 0000000..efad15f --- /dev/null +++ b/security/openssh-portable/files/patch-ssh_config @@ -0,0 +1,17 @@ +--- UTC +r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines + +Document the FreeBSD default for CheckHostIP, which was changed in +rev 1.2 of readconf.c. + +--- ssh_config.orig 2010-01-12 01:40:27.000000000 -0700 ++++ ssh_config 2010-09-14 16:14:13.000000000 -0600 +@@ -27,7 +27,7 @@ + # GSSAPIAuthentication no + # GSSAPIDelegateCredentials no + # BatchMode no +-# CheckHostIP yes ++# CheckHostIP no + # AddressFamily any + # ConnectTimeout 0 + # StrictHostKeyChecking ask diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5 new file mode 100644 index 0000000..8c0e2bf --- /dev/null +++ b/security/openssh-portable/files/patch-ssh_config.5 
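Review bot: The canonical name substituted into `host` comes straight from an unauthenticated resolver answer (`AI_CANONNAME`) and takes effect before the known_hosts lookup and before the `%h` token expansion that follows the hunk, so whoever answers DNS for a short name decides which known_hosts entry is consulted; upstream's `CanonicalizeHostname` and `CanonicalizePermittedCNAMEs` options exist to bound exactly this, and the block should be gated on, or folded into, that mechanism rather than run unconditionally. At minimum the `/* Find canonic host name. */` comment should say the answer is not validated (the port's ldns option presumably covers SSHFP lookups, not this call). The previous `host` string is not freed when `xstrdup` replaces it, a minor leak. This sits inside main(), which begins and ends outside the hunk.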
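Review bot: `# CheckHostIP no` documents a default that switches off the IP-address cross-check against known_hosts, which is the client's one defence against a spoofed name resolution, and the ssh.c hunk in this same commit makes the client trust the resolver's canonical name; a comment line next to it explaining why the FreeBSD default is `no` and that `yes` restores the check would give administrators the context to decide.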
@@ -0,0 +1,13 @@
+--- UTC
+ 
+--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800
++++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800
+@@ -434,6 +433,8 @@ in the process, regardless of the setting of
+ If the option is set to
+ .Cm no ,
+ the check will not be executed.
++The default is
++.Cm no .
+ .It Cm Ciphers
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated.
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
new file mode 100644
index 0000000..4d2a477
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -0,0 +1,26 @@
+--- UTC
+Document FreeBSD/port-specific paths
+ 
+--- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600
++++ sshd.8 2010-09-14 16:14:14.000000000 -0600
+@@ -70,7 +70,7 @@
+ .Nm
+ listens for connections from clients.
+ It is normally started at boot from
+-.Pa /etc/rc .
++.Pa /usr/local/etc/rc.d/openssh .
+ It forks a new
+ daemon for each incoming connection.
+ The forked daemons handle
+@@ -384,8 +384,9 @@
+ If the login is on a tty, records login time.
+ .It
+ Checks
+-.Pa /etc/nologin ;
+-if it exists, prints contents and quits
++.Pa /etc/nologin and
++.Pa /var/run/nologin ;
++if one exists, it prints the contents and quits
+ (unless root).
+ .It
+ Changes to run with normal user privileges.
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
new file mode 100644
index 0000000..6374e22
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -0,0 +1,101 @@ +--- UTC +r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines +Changed paths: + M /head/crypto/openssh/sshd.c + +Force early initialization of the resolver library, since the resolver +configuration files will no longer be available once sshd is chrooted. + +PR: 39953, 40894 +Submitted by: dinoex + +r199804 | attilio | 2009-11-25 09:12:24 -0600 (Wed, 25 Nov 2009) | 13 lines +Changed paths: + M /head/crypto/openssh/sshd.c + M /head/usr.sbin/cron/cron/cron.c + M /head/usr.sbin/inetd/inetd.c + M /head/usr.sbin/syslogd/syslogd.c + +Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap +environments. +Please note that this can't be done while such processes run in jails. + +Note: in future it would be interesting to find a way to do that +selectively for any desired proccess (choosen by user himself), probabilly +via a ptrace interface or whatever. + +r206397 | kib | 2010-04-08 07:07:40 -0500 (Thu, 08 Apr 2010) | 8 lines +Changed paths: + M /head/crypto/openssh/sshd.c + +Enhance r199804 by marking the daemonised child as immune to OOM instead +of short-living parent. Only mark the master process that accepts +connections, do not protect connection handlers spawned from inetd. + + +--- sshd.c.orig 2021-04-27 11:49:55.540744000 -0700 ++++ sshd.c 2021-04-27 11:50:20.239225000 -0700 +@@ -46,6 +46,7 @@ + + #include + #include ++#include + #include + #ifdef HAVE_SYS_STAT_H + # include +@@ -85,6 +86,13 @@ + #include + #endif + ++#ifdef __FreeBSD__ ++#include ++#ifdef GSSAPI ++#include "ssh-gss.h" ++#endif ++#endif ++ + #include "xmalloc.h" + #include "ssh.h" + #include "ssh2.h" +@@ -2007,7 +2015,30 @@ main(int ac, char **av) + for (i = 0; i < options.num_log_verbose; i++) + log_verbose_add(options.log_verbose[i]); + ++#ifdef __FreeBSD__ + /* ++ * Initialize the resolver. This may not happen automatically ++ * before privsep chroot(). 
++ */ ++ if ((_res.options & RES_INIT) == 0) { ++ debug("res_init()"); ++ res_init(); ++ } ++#ifdef GSSAPI ++ /* ++ * Force GSS-API to parse its configuration and load any ++ * mechanism plugins. ++ */ ++ { ++ gss_OID_set mechs; ++ OM_uint32 minor_status; ++ gss_indicate_mechs(&minor_status, &mechs); ++ gss_release_oid_set(&minor_status, &mechs); ++ } ++#endif ++#endif ++ ++ /* + * If not in debugging mode, not started from inetd and not already + * daemonized (eg re-exec via SIGHUP), disconnect from the controlling + * terminal, and fork. The original process exits. +@@ -2022,6 +2053,10 @@ main(int ac, char **av) + } + /* Reinitialize the log (because of the fork above). */ + log_init(__progname, options.log_level, options.log_facility, log_stderr); ++ ++ /* Avoid killing the process in high-pressure swapping environments. */ ++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) ++ debug("madvise(): %.200s", strerror(errno)); + + /* + * Chdir to the root directory so that the current disk can be diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config new file mode 100644 index 0000000..b582ac8 --- /dev/null +++ b/security/openssh-portable/files/patch-sshd_config 
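Review bot: In the `#ifdef GSSAPI` block the major status of `gss_indicate_mechs(&minor_status, &mechs)` is discarded and `mechs` is never initialised, so on failure `gss_release_oid_set` is handed an indeterminate pointer; declare `gss_OID_set mechs = GSS_C_NO_OID_SET;` and release only `if (gss_indicate_mechs(&minor_status, &mechs) == GSS_S_COMPLETE)`. The `madvise(NULL, 0, MADV_PROTECT)` failure is only debug-logged, which fits the best-effort intent, but the r199804 note above says this cannot work inside a jail, and a comment at the call saying the debug line is expected there would stop people chasing it. The resolver block's comment could add that it runs in the listener before the fork that follows, so it is not repeated per connection. main() begins and ends outside the hunk.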
@@ -0,0 +1,57 @@ +--- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700 ++++ sshd_config 2021-09-07 12:34:49.372652000 -0700 +@@ -10,6 +10,9 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + ++# Note that some of FreeBSD's defaults differ from OpenBSD's, and ++# FreeBSD has a few additional options. ++ + #Port 22 + #AddressFamily any + #ListenAddress 0.0.0.0 +@@ -37,8 +40,7 @@ + #PubkeyAuthentication yes + + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +-# but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + + #AuthorizedPrincipalsFile none + +@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys + # Don't read the user's ~/.rhosts and ~/.shosts files + #IgnoreRhosts yes + +-# To disable tunneled clear text passwords, change to no here! +-#PasswordAuthentication yes ++# To enable tunneled clear text passwords, change to yes here! ++#PasswordAuthentication no + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords +@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + +-# Set this to 'yes' to enable PAM authentication, account processing, ++# Set this to 'no' to disable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the KbdInteractiveAuthentication and + # PasswordAuthentication. Depending on your PAM configuration, +@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and KbdInteractiveAuthentication to 'no'. 
+-#UsePAM no ++#UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++#X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PermitTTY yes diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 new file mode 100644 index 0000000..4422251 --- /dev/null +++ b/security/openssh-portable/files/patch-sshd_config.5 
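Review bot: The rewritten comment `# To enable tunneled clear text passwords, change to yes here!` above `#PasswordAuthentication no` omits the other half of what this commit's own sshd_config.5 hunk documents: with `#UsePAM yes` and the default challenge-response setting, passwords are still accepted through PAM even when PasswordAuthentication is no. Add a line such as `# Note: with UsePAM yes, passwords are also accepted via KbdInteractiveAuthentication` next to it so an administrator who wants key-only logins knows to set `KbdInteractiveAuthentication no` as well. The `#X11Forwarding yes` default flip deserves the same treatment, pointing at the exposure note in sshd_config.5. The hunk's enclosing file continues outside the shown lines.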
@@ -0,0 +1,77 @@ +--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 ++++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 +@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa + The list of available key types may also be obtained using + .Qq ssh -Q key . + .It Cm HostbasedAuthentication +-Specifies whether rhosts or /etc/hosts.equiv authentication together ++Specifies whether rhosts or ++.Pa /etc/hosts.equiv ++authentication together + with successful public key client host authentication is allowed + (host-based authentication). + The default is +@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic + .It Cm PasswordAuthentication + Specifies whether password authentication is allowed. + The default is ++.Cm no , ++unless ++.Nm sshd ++was built without PAM support, in which case the default is + .Cm yes . ++Note that if ++.Cm ChallengeResponseAuthentication ++is ++.Cm yes , ++and the PAM authentication policy for ++.Nm sshd ++includes ++.Xr pam_unix 8 , ++password authentication will be allowed through the challenge-response ++mechanism regardless of the value of ++.Cm PasswordAuthentication . + .It Cm PermitEmptyPasswords + When password authentication is allowed, it specifies whether the + server allows login to accounts with empty password strings. +@@ -1232,6 +1251,13 @@ and + .Cm ethernet . + The default is + .Cm no . ++Note that if ++.Cm ChallengeResponseAuthentication ++is ++.Cm yes , ++the root user may be allowed in with its password even if ++.Cm PermitRootLogin is set to ++.Cm without-password . + .Pp + Independent of this setting, the permissions of the selected + .Xr tun 4 +@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run + .Xr sshd 8 + as a non-root user. + The default is +-.Cm no . ++.Cm yes . + .It Cm VersionAddendum + Optionally specifies additional text to append to the SSH protocol banner + sent by the server upon connection. + The default is +-.Cm none . ++.Cm %%SSH_VERSION_FREEBSD_PORT%% . 
++The value ++.Cm none ++may be used to disable this. + .It Cm X11DisplayOffset + Specifies the first display number available for + .Xr sshd 8 Ns 's +@@ -1512,7 +1541,7 @@ The argument must be + or + .Cm no . + The default is +-.Cm no . ++.Cm yes . + .Pp + When X11 forwarding is enabled, there may be additional exposure to + the server and to client displays if the diff --git a/security/openssh-portable/pkg-descr b/security/openssh-portable/pkg-descr new file mode 100644 index 0000000..2a378e7 --- /dev/null +++ b/security/openssh-portable/pkg-descr @@ -0,0 +1,15 @@ +OpenBSD's OpenSSH portable version + +Normal OpenSSH development produces a very small, secure, and easy to maintain +version for the OpenBSD project. The OpenSSH Portability Team takes that pure +version and adds portability code so that OpenSSH can run on many other +operating systems (Unfortunately, in particular since OpenSSH does +authentication, it runs into a *lot* of differences between Unix operating +systems). + +The portable OpenSSH follows development of the official version, but releases +are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1). +The official OpenBSD source will never use the 'p' suffix, but will instead +increment the version number when they hit 'stable spots' in their development. + +WWW: https://www.openssh.com/portable.html diff --git a/security/openssh-portable/pkg-message b/security/openssh-portable/pkg-message new file mode 100644 index 0000000..0349c92 --- /dev/null +++ b/security/openssh-portable/pkg-message @@ -0,0 +1,22 @@ +[ +{ type: install + message: <