openssh 8.8

2024-10-07 15:15:06 +02:00
parent 23173ef4f8
commit f035f378a6
31 changed files with 3274 additions and 0 deletions


@ -0,0 +1,428 @@
--- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700
+++ blacklist.c 2021-04-28 13:56:45.677805000 -0700
@@ -0,0 +1,92 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include <blacklist.h>
+#include "blacklist_client.h"
+
+static struct blacklist *blstate = NULL;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+ LogLevel imlevel;
+
+ switch (priority) {
+ case LOG_ERR:
+ imlevel = SYSLOG_LEVEL_ERROR;
+ break;
+ case LOG_DEBUG:
+ imlevel = SYSLOG_LEVEL_DEBUG1;
+ break;
+ case LOG_INFO:
+ imlevel = SYSLOG_LEVEL_INFO;
+ break;
+ default:
+ imlevel = SYSLOG_LEVEL_DEBUG2;
+ }
+ do_log2(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+ blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action, struct ssh *ssh, const char *msg)
+{
+
+ if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
+ (void)blacklist_r(blstate, action,
+ ssh_packet_get_connection_in(ssh), msg);
+}
--- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800
+++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800
@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+#ifndef BLACKLIST_API_ENUM
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+#endif
+
+#ifdef USE_BLACKLIST
+void blacklist_init(void);
+void blacklist_notify(int, struct ssh *, const char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x, ssh, msg)
+
+#endif
+
+
+#endif /* BLACKLIST_CLIENT_H */
--- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ servconf.c 2021-04-28 13:36:19.591999000 -0700
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
options->max_sessions = -1;
options->banner = NULL;
options->use_dns = -1;
+ options->use_blacklist = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->num_authkeys_files = 0;
@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
options->max_sessions = DEFAULT_SESSIONS_MAX;
if (options->use_dns == -1)
options->use_dns = 0;
+ if (options->use_blacklist == -1)
+ options->use_blacklist = 0;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
@@ -506,6 +509,7 @@ typedef enum {
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
sBanner, sUseDNS, sHostbasedAuthentication,
+ sUseBlacklist,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -642,6 +646,8 @@ static struct {
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
+ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
+ { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL } /* alias */,
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
intptr = &options->use_dns;
goto parse_flag;
+ case sUseBlacklist:
+ intptr = &options->use_blacklist;
+ goto parse_flag;
+
case sLogFacility:
log_facility_ptr = &options->log_facility;
arg = strdelim(&cp);
@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
dump_cfg_fmtint(sUseDNS, o->use_dns);
+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
--- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800
+++ servconf.h 2020-11-16 15:51:02.962173000 -0800
@@ -179,6 +179,7 @@ typedef struct {
int max_sessions;
char *banner; /* SSH-2 banner message */
int use_dns;
+ int use_blacklist;
int client_alive_interval; /*
* poke the client this often to
* see if it's still there
--- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800
+++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800
@@ -105,6 +105,7 @@ extern char *__progname;
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "blacklist_client.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info,
sshbuf_free(buffer);
return (0);
}
+ /* XXX: ssh context unavailable here, unclear if this is even needed.
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+ the_active_state, sshpam_authctxt->user);
+ */
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
--- auth.c.orig 2020-11-16 15:52:45.824171000 -0800
+++ auth.c 2020-11-16 15:57:51.091969000 -0800
@@ -76,6 +76,7 @@
#include "ssherr.h"
#include "compat.h"
#include "channels.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti
authmsg = "Postponed";
else if (partial)
authmsg = "Partial";
- else
+ else {
authmsg = authenticated ? "Accepted" : "Failed";
+ if (authenticated)
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh");
+ }
if ((extra = format_method_key(authctxt)) == NULL) {
if (authctxt->auth_method_info != NULL)
@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
aix_restoreauthdb();
#endif
if (pw == NULL) {
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user);
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
--- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800
+++ auth2.c 2020-11-16 17:12:04.852943000 -0800
@@ -58,6 +58,7 @@
#endif
#include "monitor_wrap.h"
#include "digest.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct
} else {
/* Invalid user, fake password information */
authctxt->pw = fakepw();
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
#endif
@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
authctxt->failures++;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
+ }
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
--- packet.c.orig 2020-11-16 15:52:45.839070000 -0800
+++ packet.c 2020-11-16 15:56:09.285418000 -0800
@@ -96,6 +96,7 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
+#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
logdie("Unable to negotiate with %s: %s. "
--- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700
+++ sshd.c 2021-09-10 10:37:17.926747000 -0700
@@ -123,6 +123,7 @@
#include "version.h"
#include "ssherr.h"
#include "sk-api.h"
+#include "blacklist_client.h"
#include "srclimit.h"
#include "dh.h"
@@ -366,6 +367,8 @@ grace_alarm_handler(int sig)
kill(0, SIGTERM);
}
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh");
+
/* Log error and exit. */
if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
cleanup_exit(255); /* don't log in privsep child */
@@ -2225,6 +2228,9 @@ main(int ac, char **av)
if ((loginmsg = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
auth_debug_reset();
+
+ if (options.use_blacklist)
+ BLACKLIST_INIT();
if (use_privsep) {
if (privsep_preauth(ssh) == 1)
--- Makefile.in.orig 2020-11-16 16:27:13.408700000 -0800
+++ Makefile.in 2020-11-16 16:28:28.083007000 -0800
@@ -180,6 +180,8 @@ FIXPATHSCMD = $(SED) $(PATHSUBS)
FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
@UNSUPPORTED_ALGORITHMS@
+LIBSSH_OBJS+= blacklist.o
+
all: configure-check $(CONFIGFILES) $(MANPAGES) $(TARGETS)
$(LIBSSH_OBJS): Makefile.in config.h
--- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800
+++ sshd_config 2020-11-16 16:57:42.183846000 -0800
@@ -94,6 +94,7 @@
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
+#UseBlacklist no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
--- sshd_config.5.orig 2020-11-16 16:57:58.533307000 -0800
+++ sshd_config.5 2020-11-16 17:00:02.635070000 -0800
@@ -1703,6 +1703,20 @@ for authentication using
.Cm TrustedUserCAKeys .
For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
+.It Cm UseBlacklist
+Specifies whether
+.Xr sshd 8
+attempts to send authentication success and failure messages
+to the
+.Xr blacklistd 8
+daemon.
+The default is
+.Cm no .
+For forward compatibility with an upcoming
+.Xr blacklistd
+rename, the
+.Cm UseBlocklist
+alias can be used instead.
.It Cm UseDNS
Specifies whether
.Xr sshd 8
--- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800
+++ monitor.c 2020-11-16 17:25:57.642510000 -0800
@@ -96,6 +96,7 @@
#include "match.h"
#include "ssherr.h"
#include "sk-api.h"
+#include "blacklist_client.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
auth_log(ssh, authenticated, partial,
auth_method, auth_submethod);
- if (!partial && !authenticated)
+ if (!partial && !authenticated) {
authctxt->failures++;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
+ ssh, "ssh");
+ }
if (authenticated || partial) {
auth2_update_session_info(authctxt,
auth_method, auth_submethod);
@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
} else {
/* Log failed attempt */
auth_log(ssh, 0, 0, auth_method, NULL);
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
free(cuser);
free(chost);
}
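Review bot: The `BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, the_active_state, "ssh")` added to grace_alarm_handler() in the sshd.c hunk executes inside a SIGALRM handler, and blacklist_notify() → blacklist_r() sends to the blacklistd socket (the sshd_config.5 text describes exactly that) and logs through im_log() → do_log2(), none of which is async-signal-safe, so an alarm landing while sshd is inside malloc or syslog could wedge the connection process instead of terminating it. The handler already does similar non-signal-safe work for the log-and-exit that follows, so if the call is kept on purpose mark it: `/* XXX not async-signal-safe; same caveat as the logging below */`. A smaller issue entirely within the blacklist.c hunk is im_log(): LOG_WARNING, LOG_NOTICE and LOG_CRIT all fall into the default arm and are demoted to SYSLOG_LEVEL_DEBUG2, so library warnings vanish at the default LogLevel — `case LOG_WARNING: case LOG_NOTICE: imlevel = SYSLOG_LEVEL_INFO; break;` plus the more severe priorities mapped to SYSLOG_LEVEL_ERROR would keep them visible. Finally, monitor_child_preauth() (monitor.c) and userauth_finish() (auth2.c) both emit AUTH_FAIL for the same failed attempt, from the monitor and the pre-auth child respectively, so an attempt may be reported twice unless the child's send is blocked by its sandbox; a comment stating which process is expected to deliver the notification would settle that.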


@ -0,0 +1,14 @@
Fix prototype for DH_get0_key() in kexgssgex_client().
--- kexgssc.c.orig 2020-11-24 12:26:37.222092000 -0800
+++ kexgssc.c 2020-11-24 12:26:54.801490000 -0800
@@ -31,6 +31,9 @@
#include <openssl/crypto.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include "openbsd-compat/openssl-compat.h"
+
#include <string.h>
#include "xmalloc.h"


@ -0,0 +1,14 @@
Fix prototype for DH_get0_key() in kexgssgex_server().
--- kexgsss.c.orig 2020-11-24 12:39:25.548427000 -0800
+++ kexgsss.c 2020-11-24 12:39:47.591119000 -0800
@@ -31,6 +31,9 @@
#include <openssl/crypto.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include "openbsd-compat/openssl-compat.h"
+
#include "xmalloc.h"
#include "sshbuf.h"
#include "ssh2.h"


@ -0,0 +1,12 @@
Avoid free(const char*)
--- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800
+++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800
@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
/* Fall back to specified host if we are using proxy command
* and can not use DNS on that socket */
if (strcmp(gss_host, "UNKNOWN") == 0) {
- gss_host = authctxt->host;
+ gss_host = xstrdup(authctxt->host);
}
} else {
gss_host = xstrdup(authctxt->host);
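Review bot: The new `gss_host = xstrdup(authctxt->host);` on the "UNKNOWN" fallback overwrites whatever gss_host held on the strcmp line above; if that value was itself heap-allocated (the later free(gss_host) that this patch exists to make safe suggests it is), the old buffer is leaked once per GSSAPI userauth attempt. Release it before replacing it: `free(gss_host); gss_host = xstrdup(authctxt->host);`. If gss_host at that point is instead a literal or a borrowed pointer, a one-line comment saying so would stop the next reader asking the same question. userauth_gssapi() starts and ends outside the hunk.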



@ -0,0 +1,46 @@
------------------------------------------------------------------------
r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
Changed paths:
M /head/crypto/openssh/servconf.c
Instead of removing the NoneEnabled option, mark it as unsupported.
(should have done this in r291198, but didn't think of it until now)
------------------------------------------------------------------------
------------------------------------------------------------------------
r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
Changed paths:
M /head/crypto/openssh/readconf.c
r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------
--- readconf.c.orig 2021-04-27 11:24:15.916596000 -0700
+++ readconf.c 2021-04-27 11:25:24.222034000 -0700
@@ -316,6 +316,12 @@ static struct {
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
+ { "tcprcvbuf", oDeprecated },
+ { "noneenabled", oUnsupported },
+ { "noneswitch", oUnsupported },
{ NULL, oBadOption }
};
--- servconf.c.orig 2020-02-13 16:40:54.000000000 -0800
+++ servconf.c 2020-03-21 17:01:18.011062000 -0700
@@ -695,6 +695,10 @@ static struct {
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
+ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};


@ -0,0 +1,57 @@
--- sshconnect2.c.orig 2019-07-19 11:53:14.918867000 -0700
+++ sshconnect2.c 2019-07-19 11:53:16.911086000 -0700
@@ -159,11 +159,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
char *s, *all_key;
int r;
-#if defined(GSSAPI) && defined(WITH_OPENSSL)
- char *orig = NULL, *gss = NULL;
- char *gss_host = NULL;
-#endif
-
xxx_host = host;
xxx_hostaddr = hostaddr;
@@ -197,6 +192,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr
}
#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ char *orig = NULL, *gss = NULL;
+ char *gss_host = NULL;
+
if (options.gss_keyex) {
/* Add the GSSAPI mechanisms currently supported on this
* client to the key exchange algorithm proposal */
--- readconf.c.orig 2019-07-19 12:13:18.000312000 -0700
+++ readconf.c 2019-07-19 12:13:29.614552000 -0700
@@ -63,11 +63,11 @@
#include "readconf.h"
#include "match.h"
#include "kex.h"
+#include "ssh-gss.h"
#include "mac.h"
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
-#include "ssh-gss.h"
/* Format of the configuration file:
--- servconf.c.orig 2019-07-19 12:14:42.078398000 -0700
+++ servconf.c 2019-07-19 12:14:43.543687000 -0700
@@ -54,6 +54,7 @@
#include "sshkey.h"
#include "kex.h"
#include "mac.h"
+#include "ssh-gss.h"
#include "match.h"
#include "channels.h"
#include "groupaccess.h"
@@ -64,7 +65,6 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
-#include "ssh-gss.h"
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
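Review bot: The sshconnect2.c hunk moves the `orig`, `gss` and `gss_host` declarations from the top of ssh_kex2() to the middle of the block, after executable statements; that is legal C99 but departs from the KNF/OpenSSH convention of declaring at block start, and since they were already under `#if defined(GSSAPI) && defined(WITH_OPENSSL)` the motivation is not visible in the diff. Either open a brace block there so the declarations again lead a scope, or add a comment such as `/* declared here rather than at function top: see <reason> */` with the actual reason filled in. The ssh-gss.h include moves in readconf.c and servconf.c would also benefit from a one-line note naming the header ordering dependency they satisfy. ssh_kex2() starts and ends outside the hunk.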


@ -0,0 +1,51 @@
r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
Changed paths:
M /head/crypto/openssh/readconf.c
M /head/crypto/openssh/ssh_config
M /head/crypto/openssh/ssh_config.5
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
--- readconf.c 2013-10-03 08:15:03.496131082 -0500
+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
options->rekey_limit = 0;
if (options->rekey_interval == -1)
options->rekey_interval = 0;
+#if HAVE_LDNS
+ if (options->verify_host_key_dns == -1)
+ /* automatically trust a verified SSHFP record */
+ options->verify_host_key_dns = 1;
+#else
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+#endif
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
--- ssh_config 2013-10-03 08:15:03.537131330 -0500
+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
@@ -44,5 +44,6 @@
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
+# VerifyHostKeyDNS yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
--- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800
+++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800
@@ -1635,7 +1635,10 @@ need to confirm new host keys according
.Cm StrictHostKeyChecking
option.
The default is
-.Cm no .
+.Cm yes
+if compiled with LDNS and
+.Cm no
+otherwise.
.Pp
See also
.Sx VERIFYING HOST KEYS
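Review bot: The readconf.c hunk tests `#if HAVE_LDNS` while the surrounding OpenSSH code tests feature macros with `#ifdef`/`#if defined()`; an empty `#define HAVE_LDNS` from a differently written configure check would turn this into a preprocessor error, and repeating the `if (options->verify_host_key_dns == -1)` line in both arms invites them drifting apart. This default also flips a trust decision: a matching SSHFP record is accepted with no host-key prompt, which is only sound if ldns is actually performing DNSSEC validation against a configured trust anchor, so the comment should spell that out rather than just say "verified", and the ssh_config.5 wording should likewise say "validated by DNSSEC". Proposed shape of the readconf.c change:
```c
	if (options->verify_host_key_dns == -1) {
#ifdef HAVE_LDNS
		/* Trust a DNSSEC-validated SSHFP record without prompting;
		 * records that cannot be validated still fall through to the
		 * usual host-key confirmation (see VerifyHostKeyDNS). */
		options->verify_host_key_dns = 1;
#else
		options->verify_host_key_dns = 0;
#endif
	}
```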


@ -0,0 +1,160 @@
Revert TCPWRAPPER removal -bdrewery
commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
Author: Damien Miller <djm@mindrot.org>
Date: Sun Apr 20 13:22:18 2014 +1000
- tedu@cvs.openbsd.org 2014/03/26 19:58:37
[sshd.8 sshd.c]
remove libwrap support. ok deraadt djm mfriedl
diff --git sshd.8 sshd.8
index 289e13d..e6a900b 100644
--- sshd.8
+++ sshd.8
@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff --git sshd.c sshd.c
index 0ade557..045f149 100644
--- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700
+++ sshd.c 2018-04-04 15:40:20.964130000 -0700
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -131,6 +131,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2072,6 +2079,25 @@ main(int ac, char **av)
#endif
rdomain = ssh_packet_rdomain_in(ssh);
+
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
/* Log the connection. */
laddr = get_local_ipaddr(sock_in);
diff --git configure.ac configure.ac
index f48ba4a..66fbe82 100644
--- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700
+++ configure.ac 2019-07-02 20:58:48.627832000 -0700
@@ -1494,6 +1494,62 @@ else
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"


@ -0,0 +1,5 @@
--- servconf.c.orig 2015-03-28 23:08:41.296700000 -0500
+++ servconf.c 2015-03-28 23:08:54.016291000 -0500
@@ -318 +318 @@
- options->version_addendum = xstrdup("");
+ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD_PORT);


@ -0,0 +1,163 @@
#!/bin/sh
# PROVIDE: openssh
# REQUIRE: DAEMON
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable openssh:
#
# openssh_enable (bool): Set it to "YES" to enable openssh.
# Default is "NO".
# openssh_flags (flags): Set extra flags to openssh.
# Default is "". see sshd(1).
# openssh_pidfile (file): Set full path to pid file.
. /etc/rc.subr
name="openssh"
rcvar=openssh_enable
load_rc_config ${name}
: ${openssh_enable:="NO"}
: ${openssh_skipportscheck="NO"}
command=%%PREFIX%%/sbin/sshd
extra_commands="configtest reload keygen"
start_precmd="${name}_checks"
reload_precmd="${name}_checks"
restart_precmd="${name}_checks"
configtest_cmd="${name}_configtest"
keygen_cmd="${name}_keygen"
pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
openssh_keygen()
{
if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
-f %%ETCDIR%%/ssh_host_rsa_key -a \
-f %%ETCDIR%%/ssh_host_ecdsa_key -a \
-f %%ETCDIR%%/ssh_host_ed25519_key ]; then
return 0
fi
umask 022
# Can't do anything if ssh is not installed
[ -x %%PREFIX%%/bin/ssh-keygen ] ||
err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
echo "You already have a DSA host key" \
"in %%ETCDIR%%/ssh_host_dsa_key"
echo "Skipping protocol version 2 DSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t dsa \
-f %%ETCDIR%%/ssh_host_dsa_key -N ''
fi
if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then
echo "You already have a RSA host key" \
"in %%ETCDIR%%/ssh_host_rsa_key"
echo "Skipping protocol version 2 RSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t rsa \
-f %%ETCDIR%%/ssh_host_rsa_key -N ''
fi
if [ -f %%ETCDIR%%/ssh_host_ecdsa_key ]; then
echo "You already have a Elliptic Curve DSA host key" \
"in %%ETCDIR%%/ssh_host_ecdsa_key"
echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t ecdsa \
-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
fi
if [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
echo "You already have a Elliptic Curve ED25519 host key" \
"in %%ETCDIR%%/ssh_host_ed25519_key"
echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t ed25519 \
-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
fi
}
openssh_check_same_ports(){
# check if opensshd don't use base system sshd's port
#
# openssh binds ports in priority (lowest first):
# Port from sshd_config
# -p option from command line
# ListenAddress addr:port from sshd_config
#check if opensshd-portable installed in replacement of base sshd
if [ "%%ETCDIR%%" = "/etc/ssh" ]; then
return 1
fi
self_port=$(awk '$1~/^ListenAddress/ \
{mlen=match($0,":[0-9]*$"); print \
substr($0,mlen+1,length($0)-mlen)}' %%ETCDIR%%/sshd_config)
if [ -z "$self_port" ]; then
self_port=$(echo $openssh_flags | awk \
'{for (i = 1; i <= NF; i++) if ($i == "-p") \
{i++; printf "%s", $i; break; }; }')
if [ -z "$self_port" ]; then
self_port=$(awk '$1~/^Port/ {print $2}' \
%%ETCDIR%%/sshd_config)
fi
fi
# assume default 22 port
if [ -z "$self_port" ]; then
self_port=22
fi
load_rc_config "sshd"
base_sshd_port=$(awk '$1~/^ListenAddress/ \
{mlen=match($0,":[0-9]*$"); print \
substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config)
if [ -z "$base_sshd_port" ]; then
base_sshd_port=$(echo $sshd_flags | awk \
'{for (i = 1; i <= NF; i++) if ($i == "-p") \
{i++; printf "%s", $i; break; }; }')
if [ -z "$base_sshd_port" ]; then
base_sshd_port=$(awk '$1~/^Port/ {print $2}' \
/etc/ssh/sshd_config)
fi
fi
if [ -z "$base_sshd_port" ]; then
base_sshd_port=22
fi
# self_port and base_sshd_port may have multiple values. Compare them all
for sport in ${self_port}; do
for bport in ${base_sshd_port}; do
[ ${sport} -eq ${bport} ] && return 0
done
done
return 1
}
openssh_configtest()
{
echo "Performing sanity check on ${name} configuration."
eval ${command} ${openssh_flags} -t
}
openssh_checks()
{
if checkyesno sshd_enable ; then
if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then
err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port"
fi
fi
run_rc_command keygen
openssh_configtest
}
run_rc_command "$1"
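Review bot: openssh_check_same_ports() extracts the port from `ListenAddress` lines with `match($0,":[0-9]*$")`, which mis-parses unbracketed IPv6 addresses: `ListenAddress ::1` yields "1" and `ListenAddress ::` yields an empty string, and the later `[ ${sport} -eq ${bport} ]` then either compares the wrong number or aborts with a non-integer operand. Only treat a trailing `:digits` as a port when it follows `]` or a dotted IPv4 address, and let bare addresses fall through to the -p/Port logic; the same awk is duplicated for /etc/ssh/sshd_config, so a small helper keeps both in step. Separately, openssh_keygen() unconditionally creates a DSA host key, which sshd 8.8 presumably will not use unless sshd_config names it in HostKey, so consider whether it is still wanted.
```sh
# Print the port of each ListenAddress that actually carries one
# ("[v6addr]:port" or "a.b.c.d:port"); bare addresses print nothing.
_openssh_listen_ports()
{
	awk '$1 ~ /^ListenAddress$/ && ($2 ~ /\]:[0-9]+$/ || $2 ~ /^[0-9.]+:[0-9]+$/) {
		sub(/.*:/, "", $2); print $2 }' "$1"
}
# … unchanged: -p flag and Port fallbacks …
self_port=$(_openssh_listen_ports %%ETCDIR%%/sshd_config)
# … unchanged: same fallbacks for the base system …
base_sshd_port=$(_openssh_listen_ports /etc/ssh/sshd_config)
```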


@ -0,0 +1,47 @@
--- UTC
r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/auth2.c
Apply class-imposed login restrictions.
--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700
+++ auth2.c 2020-11-16 13:55:25.222771000 -0800
@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
int r, authenticated = 0;
double tstart = monotime_double();
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
"not allowed: (%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL &&
+ (lc = login_getpwclass(authctxt->pw)) != NULL) {
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ ssh_packet_disconnect(ssh, "Logins not available right now.");
+ }
+ login_close(lc);
+ }
+#endif /* HAVE_LOGIN_CAP */
+
/* reset state */
auth2_challenge_stop(ssh);
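Review bot: The class checks run in input_userauth_request(), which under privilege separation executes in the unprivileged pre-auth child (normally chrooted to the privsep directory and sandboxed), and the guard `(lc = login_getpwclass(authctxt->pw)) != NULL` makes the whole restriction fail-open: if login.conf cannot be read from that process, no host or time restriction is applied and nothing is logged. At minimum log that case, e.g. `else if (authctxt->pw != NULL) logit("no login class for %s; class restrictions not applied", authctxt->pw->pw_name);`, or evaluate the class where the passwd entry is fetched in the monitor if that turns out to be the only process that can open login.conf — please confirm which applies to this port. The denial paths call ssh_packet_disconnect(), which does not return, so the `lc` not being closed there is harmless, but a `/* NOTREACHED */` after each call would make that explicit. input_userauth_request() starts and ends outside the hunk.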


@ -0,0 +1,25 @@
--- platform-tracing.c.orig 2021-09-26 07:03:19.000000000 -0700
+++ platform-tracing.c 2021-10-15 10:08:20.537813000 -0700
@@ -16,6 +16,10 @@
#include "includes.h"
+#if defined(HAVE_PROCCTL)
+#include <string.h>
+#include <unistd.h>
+#endif
#include <sys/types.h>
#ifdef HAVE_SYS_PROCCTL_H
#include <sys/procctl.h>
@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;
- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
- fatal("unable to make the process untraceable");
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
+ fatal("unable to make the process untraceable: %s for pid %d",
+ strerror(errno), (int)getpid());
#endif
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
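Review bot: The new fatal() message formats `strerror(errno)`, but the hunk only adds `<string.h>` and `<unistd.h>` under HAVE_PROCCTL; unless `<errno.h>` is already included earlier in this file (not visible here), errno is undeclared and this will not compile on FreeBSD, so add `#include <errno.h>` alongside the other two. In the non-strict case the procctl() failure is still silently ignored; a `debug("procctl(PROC_TRACE_CTL_DISABLE) failed: %s", strerror(errno));` branch would preserve the diagnostic without changing behaviour. platform_disable_tracing() starts and ends outside the hunk.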


@ -0,0 +1,10 @@
--- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 UTC
+++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500
@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
LogLevel DEBUG3
AcceptEnv _XXX_TEST_*
AcceptEnv _XXX_TEST
+ PermitRootLogin yes
Subsystem sftp $SFTPSERVER
EOF


@ -0,0 +1,51 @@
r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/myproposal.h
M /head/crypto/openssh/readconf.c
M /head/crypto/openssh/servconf.c
Apply FreeBSD's configuration defaults.
--- servconf.c.orig 2018-06-27 17:18:19.513676000 -0700
+++ servconf.c 2018-06-27 17:19:38.133882000 -0700
@@ -41,6 +41,7 @@
#include <util.h>
#endif
+#include "version.h"
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
#include "ssh.h"
@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */
if (options->use_pam == -1)
+#ifdef USE_PAM
+ options->use_pam = 1;
+#else
options->use_pam = 0;
+#endif
/* Standard Options */
if (options->num_host_key_files == 0) {
@@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options)
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
- options->x11_forwarding = 0;
+ options->x11_forwarding = 1;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
@@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options)
if (options->gss_strict_acceptor == -1)
options->gss_strict_acceptor = 1;
if (options->password_authentication == -1)
+#ifdef USE_PAM
+ options->password_authentication = 0;
+#else
options->password_authentication = 1;
+#endif
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
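Review bot: The new default `options->x11_forwarding = 1` in the third hunk turns X11 forwarding on for every installation that leaves X11Forwarding unset, which widens the server's and client displays' exposure to any authenticated user; the sshd_config.5 section later in this commit documents the new default, but the code carries no explanation, so a comment such as `/* FreeBSD default differs from upstream (no); see sshd_config(5) */` above the assignment would help maintainers. The `#include "version.h"` added in the first hunk has no user within the visible hunks; presumably it backs a VersionAddendum default elsewhere in the file, which is worth stating in the commit text. The `#ifdef USE_PAM`/`#else` around a single-statement `if` body works but is brittle; braces around the conditional body would make the structure explicit. fill_default_server_options continues outside the hunks.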


@ -0,0 +1,52 @@
------------------------------------------------------------------------
r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
Changed paths:
M /head/crypto/openssh/readconf.c
Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
Submitted upstream, no reaction.
Submitted by: delphij
[rewritten for 7.4 by bdrewery]
[base removed this in 7.8 but it is still useful - bdrewery]
--- serverloop.c.orig 2020-09-27 00:25:01.000000000 -0700
+++ serverloop.c 2020-11-16 12:58:44.823775000 -0800
@@ -56,6 +56,8 @@
#include <unistd.h>
#include <stdarg.h>
+#include <sys/sysctl.h>
+
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
#include "packet.h"
@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *);
/* requested tunnel forwarding interface(s), shared with session.c */
char *tun_fwd_ifnames = NULL;
+static int
+ipport_reserved(void)
+{
+#ifdef __FreeBSD__
+ int old;
+ size_t len = sizeof(old);
+
+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
+ &old, &len, NULL, 0) == 0)
+ return (old + 1);
+#endif
+ return (IPPORT_RESERVED);
+}
+
/* returns 1 if bind to specified port by specified user is permitted */
static int
bind_permitted(int port, uid_t uid)
{
if (use_privsep)
return 1; /* allow system to decide */
- if (port < IPPORT_RESERVED && uid != 0)
+ if (port < ipport_reserved() && uid != 0)
return 0;
return 1;
}
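Review bot: `#include <sys/sysctl.h>` is added unconditionally in the first hunk while its only user, `sysctlbyname()` in the new `ipport_reserved()`, is guarded by `#ifdef __FreeBSD__`; wrapping the include in the same guard keeps the file buildable where that header is absent. Inside `ipport_reserved()` the sysctl result is trusted as-is: `len` is not compared with `sizeof(old)` after the call and `old` is not range-checked before `old + 1` becomes the privileged-port boundary, so a guard like `if (sysctlbyname(...) == 0 && len == sizeof(old) && old >= 0 && old <= 65535)` would keep a misconfigured or truncated value from silently widening or narrowing the range. The lookup also runs on every `bind_permitted()` call; caching the value is optional but a comment noting the per-call cost would be useful.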


@ -0,0 +1,78 @@
bdrewery:
- Refactor and simplify original commit.
- Stop setting TERM=su without a term.
------------------------------------------------------------------------
r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines
Changed paths:
M /head/crypto/openssh/session.c
Make sure the environment variables set by setusercontext() are passed on
to the child process.
Reviewed by: ache
Sponsored by: DARPA, NAI Labs
--- session.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ session.c 2021-04-27 13:11:13.515917000 -0700
@@ -942,7 +942,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui
}
#endif /* HAVE_ETC_DEFAULT_LOGIN */
-#if defined(USE_PAM) || defined(HAVE_CYGWIN)
+#if defined(USE_PAM) || defined(HAVE_CYGWIN) || defined(HAVE_LOGIN_CAP)
static void
copy_environment_denylist(char **source, char ***env, u_int *envsize,
const char *denylist)
@@ -1052,7 +1052,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
- if (!options.use_pam) {
+ /* FreeBSD PAM doesn't set default "MAIL" */
+ if (1 || !options.use_pam) {
snprintf(buf, sizeof buf, "%.200s/%.50s",
_PATH_MAILDIR, pw->pw_name);
child_set_env(&env, &envsize, "MAIL", buf);
@@ -1063,6 +1064,23 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+#ifdef HAVE_LOGIN_CAP
+ /* Load environment from /etc/login.conf setenv directives. */
+ {
+ extern char **environ;
+ char **senv, **var;
+
+ senv = environ;
+ environ = xmalloc(sizeof(char *));
+ *environ = NULL;
+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
+ copy_environment_denylist(environ, &env, &envsize, NULL);
+ for (var = environ; *var != NULL; ++var)
+ free(*var);
+ free(environ);
+ environ = senv;
+ }
+#endif
if (s->term)
child_set_env(&env, &envsize, "TERM", s->term);
if (s->display)
@@ -1281,7 +1299,7 @@ do_nologin(struct passwd *pw)
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
return;
- nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
+ nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl);
#else
if (pw->pw_uid == 0)
return;
@@ -1365,7 +1383,7 @@ do_setusercontext(struct passwd *pw)
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
perror("unable to set user context");
exit(1);
}
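Review bot: The condition `if (1 || !options.use_pam)` in the second hunk is always true, leaving `!options.use_pam` as dead code; the intent given by the new comment is clearer as an unconditional block, keeping the comment and the `snprintf`/`child_set_env` pair without the `if`. In the third hunk the `setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV)` return is discarded while `environ` is temporarily swapped for a one-slot array, so a failure silently yields no login.conf variables rather than an error; that is defensible as best-effort but deserves a comment like `/* best-effort: a failure here only leaves login.conf setenv entries unset */`. The `(char*)` cast on `login_getcapstr` in the fourth hunk discards a const qualifier, presumably because `nl` is declared `char *`; declaring `nl` as `const char *` would avoid the cast if its later uses permit. do_setup_env continues outside the hunks.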


@ -0,0 +1,26 @@
--- UTC
r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
--- ssh-agent.1.orig 2020-02-13 16:40:54.000000000 -0800
+++ ssh-agent.1 2020-03-21 17:03:22.952068000 -0700
@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
-.Op Fl \&Dd
+.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl P Ar provider_whitelist
@@ -125,6 +125,8 @@ A lifetime specified for an identity with
.Xr ssh-add 1
overrides this value.
Without this option the default maximum lifetime is forever.
+.It Fl x
+Exit after the last client has disconnected.
.It Ar command Op Ar arg ...
If a command (and optional arguments) is given,
this is executed as a subprocess of the agent.


@ -0,0 +1,95 @@
--- UTC
r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
--- ssh-agent.c.orig 2021-04-15 20:55:25.000000000 -0700
+++ ssh-agent.c 2021-04-27 11:47:59.362589000 -0700
@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
+/*
+ * Client connection count; incremented in new_socket() and decremented in
+ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
+ * normally initialized to 1, it will never reach 0. However, if the -x
+ * option is specified, it is initialized to 0 in main(); in that case,
+ * ssh-agent will exit as soon as it has had at least one client but no
+ * longer has any.
+ */
+static int xcount = 1;
+
static void
close_socket(SocketEntry *e)
{
+ int last = 0;
+
+ if (e->type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount - 1);
+ if (--xcount == 0)
+ last = 1;
+ }
close(e->fd);
sshbuf_free(e->input);
sshbuf_free(e->output);
@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
memset(e, '\0', sizeof(*e));
e->fd = -1;
e->type = AUTH_UNUSED;
+ if (last)
+ cleanup_exit(0);
}
static void
@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+ if (type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount + 1);
+ ++xcount;
+ }
set_nonblock(fd);
if (fd > max_fd)
@@ -1360,7 +1383,7 @@ static void
usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
" [-t life] command [arg ...]\n"
@@ -1394,6 +1417,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
+ setuid(geteuid());
platform_disable_tracing(0); /* strict=no */
@@ -1405,7 +1429,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1454,6 +1478,9 @@ main(int ac, char **av)
fprintf(stderr, "Invalid lifetime\n");
usage();
}
+ break;
+ case 'x':
+ xcount = 0;
break;
default:
usage();
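Review bot: The added `setuid(geteuid());` in the fifth hunk ignores its return value; if the call fails the real uid stays different from the effective uid, which is exactly the condition the pam_ssh workaround exists to remove, and the agent continues silently. Checking it, for example `if (setuid(geteuid()) == -1) fatal("setuid: %s", strerror(errno));`, or at minimum a comment stating why a failure is tolerable, would make the intent explicit; the neighbouring `setegid`/`setgid` lines are pre-existing and also unchecked, so the comment should say whether consistency with them is deliberate. The `-x` handling looks sound: `xcount` starts at 1 unless `-x` resets it to 0, and `close_socket()` only exits once a connection has been counted and released. main continues outside the hunks.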


@ -0,0 +1,33 @@
--- UTC
r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/ssh.c
Canonicize the host name before looking it up in the host file.
--- ssh.c.orig 2018-04-02 05:38:28 UTC
+++ ssh.c
@@ -1281,6 +1281,23 @@ main(int ac, char **av)
ssh_digest_free(md);
conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
+ /* Find canonic host name. */
+ if (strchr(host, '.') == 0) {
+ struct addrinfo hints;
+ struct addrinfo *ai = NULL;
+ int errgai;
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = options.address_family;
+ hints.ai_flags = AI_CANONNAME;
+ hints.ai_socktype = SOCK_STREAM;
+ errgai = getaddrinfo(host, NULL, &hints, &ai);
+ if (errgai == 0) {
+ if (ai->ai_canonname != NULL)
+ host = xstrdup(ai->ai_canonname);
+ freeaddrinfo(ai);
+ }
+ }
+
/*
* Expand tokens in arguments. NB. LocalCommand is expanded later,
* after port-forwarding is set up, so it may pick up any local
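Review bot: The canonicalisation block added to main() replaces `host` with the `ai_canonname` returned by the resolver whenever the user-supplied name contains no dot; per the commit message this happens before the host-file lookup (that code is outside the hunk), so a DNS answer now decides which known_hosts entry is consulted. The block should carry a comment stating this trust dependency, e.g. `/* Canonical name comes from DNS; it selects the known_hosts entry used below. */`, and ideally be gated on a configuration option rather than applied unconditionally. Minor points: `strchr(host, '.') == 0` should compare against `NULL`, the previous `host` value is dropped without being freed (a small leak if it was heap-allocated, not visible here), and the `errgai != 0` case is silently ignored where a `debug()` call would aid troubleshooting.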


@ -0,0 +1,17 @@
--- UTC
r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
Document the FreeBSD default for CheckHostIP, which was changed in
rev 1.2 of readconf.c.
--- ssh_config.orig 2010-01-12 01:40:27.000000000 -0700
+++ ssh_config 2010-09-14 16:14:13.000000000 -0600
@@ -27,7 +27,7 @@
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
-# CheckHostIP yes
+# CheckHostIP no
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask


@ -0,0 +1,13 @@
--- UTC
--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800
+++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800
@@ -434,6 +433,8 @@ in the process, regardless of the setting of
If the option is set to
.Cm no ,
the check will not be executed.
+The default is
+.Cm no .
.It Cm Ciphers
Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.


@ -0,0 +1,26 @@
--- UTC
Document FreeBSD/port-specific paths
--- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600
+++ sshd.8 2010-09-14 16:14:14.000000000 -0600
@@ -70,7 +70,7 @@
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /usr/local/etc/rc.d/openssh .
It forks a new
daemon for each incoming connection.
The forked daemons handle
@@ -384,8 +384,9 @@
If the login is on a tty, records login time.
.It
Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
(unless root).
.It
Changes to run with normal user privileges.


@ -0,0 +1,101 @@
--- UTC
r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines
Changed paths:
M /head/crypto/openssh/sshd.c
Force early initialization of the resolver library, since the resolver
configuration files will no longer be available once sshd is chrooted.
PR: 39953, 40894
Submitted by: dinoex
r199804 | attilio | 2009-11-25 09:12:24 -0600 (Wed, 25 Nov 2009) | 13 lines
Changed paths:
M /head/crypto/openssh/sshd.c
M /head/usr.sbin/cron/cron/cron.c
M /head/usr.sbin/inetd/inetd.c
M /head/usr.sbin/syslogd/syslogd.c
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap
environments.
Please note that this can't be done while such processes run in jails.
Note: in future it would be interesting to find a way to do that
selectively for any desired proccess (choosen by user himself), probabilly
via a ptrace interface or whatever.
r206397 | kib | 2010-04-08 07:07:40 -0500 (Thu, 08 Apr 2010) | 8 lines
Changed paths:
M /head/crypto/openssh/sshd.c
Enhance r199804 by marking the daemonised child as immune to OOM instead
of short-living parent. Only mark the master process that accepts
connections, do not protect connection handlers spawned from inetd.
--- sshd.c.orig 2021-04-27 11:49:55.540744000 -0700
+++ sshd.c 2021-04-27 11:50:20.239225000 -0700
@@ -46,6 +46,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
+#include <sys/mman.h>
#include <sys/socket.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
@@ -85,6 +86,13 @@
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -2007,7 +2015,30 @@ main(int ac, char **av)
for (i = 0; i < options.num_log_verbose; i++)
log_verbose_add(options.log_verbose[i]);
+#ifdef __FreeBSD__
/*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
+ debug("res_init()");
+ res_init();
+ }
+#ifdef GSSAPI
+ /*
+ * Force GSS-API to parse its configuration and load any
+ * mechanism plugins.
+ */
+ {
+ gss_OID_set mechs;
+ OM_uint32 minor_status;
+ gss_indicate_mechs(&minor_status, &mechs);
+ gss_release_oid_set(&minor_status, &mechs);
+ }
+#endif
+#endif
+
+ /*
* If not in debugging mode, not started from inetd and not already
* daemonized (eg re-exec via SIGHUP), disconnect from the controlling
* terminal, and fork. The original process exits.
@@ -2022,6 +2053,10 @@ main(int ac, char **av)
}
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+ /* Avoid killing the process in high-pressure swapping environments. */
+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
+ debug("madvise(): %.200s", strerror(errno));
/*
* Chdir to the root directory so that the current disk can be
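Review bot: In the GSSAPI block of the third hunk `gss_OID_set mechs;` is left uninitialized and the major status returned by `gss_indicate_mechs()` is not checked, so on failure `gss_release_oid_set(&minor_status, &mechs)` receives an indeterminate pointer. Initialize it with `gss_OID_set mechs = GSS_C_NO_OID_SET;` and release only on success: `if (gss_indicate_mechs(&minor_status, &mechs) == GSS_S_COMPLETE) gss_release_oid_set(&minor_status, &mechs);`. The `madvise(NULL, 0, MADV_PROTECT)` in the fourth hunk is guarded only by `!inetd_flag`; the commit text notes it cannot succeed inside jails, so the debug message should name MADV_PROTECT to make that expected failure recognisable in logs. main continues outside the hunks.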


@ -0,0 +1,57 @@
--- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700
+++ sshd_config 2021-09-07 12:34:49.372652000 -0700
@@ -10,6 +10,9 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -37,8 +40,7 @@
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# To enable tunneled clear text passwords, change to yes here!
+#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes


@ -0,0 +1,77 @@
--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
The list of available key types may also be obtained using
.Qq ssh -Q key .
.It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
with successful public key client host authentication is allowed
(host-based authentication).
The default is
@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
+.Cm no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
.Cm yes .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Cm yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
+.Xr pam_unix 8 ,
+password authentication will be allowed through the challenge-response
+mechanism regardless of the value of
+.Cm PasswordAuthentication .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -1232,6 +1251,13 @@ and
.Cm ethernet .
The default is
.Cm no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Cm yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
+.Cm without-password .
.Pp
Independent of this setting, the permissions of the selected
.Xr tun 4
@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
-.Cm no .
+.Cm yes .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Cm none .
+.Cm %%SSH_VERSION_FREEBSD_PORT%% .
+The value
+.Cm none
+may be used to disable this.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
@@ -1512,7 +1541,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm no .
+.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the