[Midnightbsd-cvs] mports [16340] openssh 6.6p1
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sun Apr 20 11:51:17 EDT 2014
Revision: 16340
http://svnweb.midnightbsd.org/mports/?rev=16340
Author: laffer1
Date: 2014-04-20 11:51:15 -0400 (Sun, 20 Apr 2014)
Log Message:
-----------
openssh 6.6p1
Modified Paths:
--------------
trunk/security/openssh-portable/Makefile
trunk/security/openssh-portable/distinfo
trunk/security/openssh-portable/files/extra-patch-hpn-build-options
trunk/security/openssh-portable/files/openssh.in
trunk/security/openssh-portable/files/patch-readconf.c
trunk/security/openssh-portable/files/patch-servconf.c
trunk/security/openssh-portable/files/patch-ssh.c
trunk/security/openssh-portable/files/patch-sshd.c
trunk/security/openssh-portable/files/patch-sshd_config
trunk/security/openssh-portable/pkg-message
trunk/security/openssh-portable/pkg-plist
Property Changed:
----------------
trunk/security/openssh-portable/pkg-descr
trunk/security/openssh-portable/pkg-message
Modified: trunk/security/openssh-portable/Makefile
===================================================================
--- trunk/security/openssh-portable/Makefile 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/Makefile 2014-04-20 15:51:15 UTC (rev 16340)
@@ -1,30 +1,21 @@
# $MidnightBSD$
PORTNAME= openssh
-DISTVERSION= 6.4p1
+DISTVERSION= 6.6p1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
MASTER_SITE_SUBDIR= OpenSSH/portable
-PKGNAMESUFFIX= -portable
+PKGNAMESUFFIX?= -portable
MAINTAINER= ports at MidnightBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
-LICENSE= agg
+LICENSE= agg
+LICENSE_FILE= ${WRKSRC}/LICENCE
-MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
-MLINKS= ssh.1 slogin.1
-MAN5= moduli.5 ssh_config.5 sshd_config.5
-MAN8= sftp-server.8 sshd.8 ssh-keysign.8 ssh-pkcs11-helper.8
-
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
-# XXX: ports/52706 will allow using DEFAULT,x509 here.
-PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/ \
- http://mirror.shatow.net/freebsd/${PORTNAME}/:x509
-
-USE_PERL5_BUILD= yes
USE_AUTOTOOLS= autoconf autoheader
USE_OPENSSL= yes
GNU_CONFIGURE= yes
@@ -40,27 +31,80 @@
MAKE_ENV+= SUDO="${SUDO}"
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
- HPN LPK X509 KERB_GSSAPI \
- OVERWRITE_BASE SCTP AES_THREADED
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN
+ LPK X509 KERB_GSSAPI \
+ OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS NONECIPHER
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
-TCP_WRAPPERS_DESC= Enable tcp_wrappers support
-BSM_DESC= Enable OpenBSM Auditing
-KERB_GSSAPI_DESC= Enable Kerberos/GSSAPI patch (req: GSSAPI)
-HPN_DESC= Enable HPN-SSH patch
-LPK_DESC= Enable LDAP Public Key (LPK) [OBSOLETE]
-X509_DESC= Enable x509 certificate patch
-SCTP_DESC= Enable SCTP support
+TCP_WRAPPERS_DESC= tcp_wrappers support
+BSM_DESC= OpenBSM Auditing
+KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
+LPK_DESC= LDAP Public Key (LPK) [OBSOLETE]
+LDNS_DESC= SSHFP/LDNS support
+X509_DESC= x509 certificate patch
+SCTP_DESC= SCTP support
OVERWRITE_BASE_DESC= OpenSSH overwrite base
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
-AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental]
+AES_THREADED_DESC= Threaded AES-CTR
+NONECIPHER_DESC= NONE Cipher support
+OPTIONS_SUB= yes
+PLIST_SUB+= MANPREFIX=${MANPREFIX}
+
+LDNS_CONFIGURE_WITH= ldns
+LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns
+LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
+LDNS_CFLAGS= -I${LOCALBASE}/include
+LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
+
+NONECIPHER_CONFIGURE_WITH= nonecipher
+AES_THREADED_CONFIGURE_WITH= aes-threaded
+
+# See http://code.google.com/p/openssh-lpk/wiki/Main
+# and svn repo described here:
+# http://code.google.com/p/openssh-lpk/source/checkout
+# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
+LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz
+LPK_CPPFLAGS= -I${LOCALBASE}/include
+LPK_CONFIGURE_ON= --with-ldap=yes \
+ --with-ldflags='-L${LOCALBASE}/lib' \
+ --with-cppflags='${CPPFLAGS}'
+LPK_USE= OPENLDAP=yes
+
+# See http://www.roumenpetrov.info/openssh/
+X509_VERSION= 7.9
+X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
+X509_PATCHFILES= ${PORTNAME}-6.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+
+# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
+SCTP_PATCHFILES= ${PORTNAME}-6.6p1-sctp-2329.patch.gz
+SCTP_CONFIGURE_WITH= sctp
+
+# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
+KERB_GSSAPI_PATCHFILES= openssh-6.5p1-gsskex-all-20110125.patch.gz
+
+
+MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
+HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
+
+PAM_CONFIGURE_WITH= pam
+TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
+
+LIBEDIT_CONFIGURE_WITH= libedit
+BSM_CONFIGURE_ON= --with-audit=bsm
+
+
.include <bsd.port.pre.mk>
-.if ${OSVERSION} >= 4004
+.if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN= KERB_GSSAPI Patch is not updated for 6.5 and upstream has not been active since 2001.
+.endif
+
+PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn
+
+.if ${OSVERSION} >= 4016
CONFIGURE_LIBS+= -lutil
.endif
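Review bot: NONECIPHER is added to `OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS NONECIPHER`, which compiles the HPN-derived NONE cipher into every default build; that is the code path that lets an administrator switch off transport encryption with the NoneEnabled directive (the `noneenabled` keyword sits under `#ifdef NONECIPHER` in extra-patch-hpn-build-options in this same commit). The runtime default is filled in by fill_default_server_options and is presumably no, but that should be confirmed against the patch, and nothing in the port tells the user what the option enables. Suggest `NONECIPHER_DESC= NONE cipher support (HPN; permits an unencrypted data channel when NoneEnabled is set)` so the consequence is visible where the option is chosen, and a sentence in pkg-message pointing out that NoneEnabled should stay at its default of no.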
@@ -72,14 +116,10 @@
.endif
.if ${PORT_OPTIONS:MX509}
-. if ${PORT_OPTIONS:MHPN}
+. if ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
-. if ${PORT_OPTIONS:MAES_THREADED}
-BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together
-. endif
-
. if ${PORT_OPTIONS:MSCTP}
BROKEN= X509 patch and SCTP patch do not apply cleanly together
. endif
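Review bot: The message `BROKEN= X509 patch and HPN patch do not apply cleanly together` still names the HPN option, which this commit removes from OPTIONS_DEFINE, while the condition above it now tests AES_THREADED and NONECIPHER. Because NONECIPHER is placed in OPTIONS_DEFAULT in the same commit, a user who only turns on X509 gets this message without being told which default option to turn off. Suggest `BROKEN= X509 patch and the HPN-derived AES_THREADED/NONECIPHER patches do not apply cleanly together; disable AES_THREADED and NONECIPHER to use X509`. The enclosing `.if ${PORT_OPTIONS:MX509}` block ends outside the hunk.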
@@ -98,102 +138,47 @@
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
-.if defined(OPENSSH_OVERWRITE_BASE)
-PORT_OPTIONS+= OVERWRITE_BASE
+.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
+IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
-.if ${PORT_OPTIONS:MPAM} && exists(/usr/include/security/pam_modules.h)
-CONFIGURE_ARGS+= --with-pam
+.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
+IGNORE= Pam must be installed in base
.endif
-.if ${PORT_OPTIONS:MTCP_WRAPPERS} && exists(/usr/include/tcpd.h)
-CONFIGURE_ARGS+= --with-tcp-wrappers
+.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
+IGNORE= Required /usr/include/tcpd.h missing
.endif
-.if ${PORT_OPTIONS:MLIBEDIT}
-CONFIGURE_ARGS+= --with-libedit
+.if defined(OPENSSH_OVERWRITE_BASE)
+PORT_OPTIONS+= OVERWRITE_BASE
.endif
-.if ${PORT_OPTIONS:MBSM}
-CONFIGURE_ARGS+= --with-audit=bsm
-.endif
-
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
-CONFIGURE_ARGS+= --with-kerberos5
-. if ${PORT_OPTIONS:MMIT}
-LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
-. elif ${PORT_OPTIONS:MHEIMDAL}
-LIB_DEPENDS+= krb5.26:${PORTSDIR}/security/heimdal
-. elif ${PORT_OPTIONS:MHEIMDAL_BASE}
-. if !exists(/usr/lib/libkrb5.so)
-IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
+. if ${PORT_OPTIONS:MHEIMDAL_BASE}
+CONFIGURE_LIBS+= -lgssapi_krb5
+CONFIGURE_ARGS+= --with-kerberos5=/usr
. else
-CONFIGURE_LIBS+= -lgssapi_krb5
+CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE}
. endif
-. endif
-
-# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
-PATCHFILES+= openssh-6.2p2-gsskex-all-20110125.patch.gz
-PATCH_DIST_STRIP=
-.endif
-.if ${OPENSSLBASE} == "/usr"
+. if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS= # empty
+. endif
+.else
+. if ${PORT_OPTIONS:MKERB_GSSAPI}
+IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
+. endif
.endif
-.endif
.if ${OPENSSLBASE} != "/usr"
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.endif
-# http://www.psc.edu/index.php/hpn-ssh
-.if ${PORT_OPTIONS:MHPN}
-HPN_VERSION= 13v14
-PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size
-PATCH_DIST_STRIP=
-.endif
-
-# http://www.psc.edu/index.php/hpn-ssh
-.if ${PORT_OPTIONS:MAES_THREADED}
-AES_THREADED_VERSION= v14
-PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz
-PATCH_DIST_STRIP=
-.endif
-
-# See http://code.google.com/p/openssh-lpk/wiki/Main
-# and svn repo described here:
-# http://code.google.com/p/openssh-lpk/source/checkout
-# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
.if ${PORT_OPTIONS:MLPK}
-PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz
-USE_OPENLDAP= yes
-CPPFLAGS+= -I${LOCALBASE}/include
-CONFIGURE_ARGS+= --with-ldap=yes \
- --with-ldflags='-L${LOCALBASE}/lib' \
- --with-cppflags='${CPPFLAGS}'
CONFIGURE_LIBS+= -lldap
.endif
-# See http://www.roumenpetrov.info/openssh/
-.if ${PORT_OPTIONS:MX509}
-X509_VERSION= 7.4.1
-PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509
-PATCH_DIST_STRIP= -p1
-PLIST_SUB+= X509=""
-MAN5+= ssh_engine.5
-.else
-PLIST_SUB+= X509="@comment "
-.endif
-
-# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-.if ${PORT_OPTIONS:MSCTP}
-PATCHFILES+= ${PORTNAME}-sctp-2163.patch.gz
-CONFIGURE_ARGS+= --with-sctp
-.endif
-
EMPTYDIR= /var/empty
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
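Review bot: The new `IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE` in the `.else` branch of the Kerberos block is effectively redundant with the `.if ${PORT_OPTIONS:MKERB_GSSAPI}` / `BROKEN=` block added just after `.include <bsd.port.pre.mk>` in the previous hunk, which already marks every KERB_GSSAPI build before this point is reached. That BROKEN text also looks stale: it says the patch is not updated for 6.5 although the port is now 6.6p1 and KERB_GSSAPI_PATCHFILES names the 6.5p1 gsskex patch, and "since 2001" reads like a typo for 2011 given the 20110125 date in that filename. Suggest `BROKEN= KERB_GSSAPI patch is not updated for 6.6 and upstream has not been active since 2011` (confirm the year), and a comment on the `.else` IGNORE saying it becomes the operative check once BROKEN is lifted.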
@@ -200,16 +185,15 @@
WITH_OPENSSL_BASE= yes
CONFIGURE_ARGS+= --localstatedir=/var
PREFIX= /usr
+NO_MTREE= yes
ETCSSH= /etc/ssh
USE_RCORDER= openssh
PLIST_SUB+= NOTBASE="@comment "
-PLIST_SUB+= BASE=""
PLIST_SUB+= BASEPREFIX="${PREFIX}"
.else
ETCSSH= ${PREFIX}/etc/ssh
USE_RC_SUBR= openssh
PLIST_SUB+= NOTBASE=""
-PLIST_SUB+= BASE="@comment "
.endif
# After all
@@ -223,12 +207,17 @@
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
- @${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in
+ @${REINPLACE_CMD} \
+ -e 's|install: \(.*\) host-key check-config|install: \1|g' \
+ -e 's|-lpthread|${PTHREAD_LIBS}|' \
+ ${WRKSRC}/Makefile.in
@${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \
${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \
${WRKSRC}/ssh_config.5
+.if !${PORT_OPTIONS:MOVERWRITE_BASE}
@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
+.endif
@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
@${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \
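Review bot: Wrapping the sshd.8 substitution in `.if !${PORT_OPTIONS:MOVERWRITE_BASE}` means an OVERWRITE_BASE build leaves the `%%PREFIX%%` and `%%RC_SCRIPT_NAME%%` placeholders in the installed manual page unless another target performs the replacement; nothing in this hunk or the next does. If that is intended it deserves a comment such as `# sshd.8 placeholders are handled elsewhere for the base-system layout (confirm)`; if not, an `.else` branch substituting `${PREFIX}` and the base rc script name would keep the page accurate. The post-patch target continues beyond this hunk.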
@@ -237,28 +226,17 @@
${WRKSRC}/version.h
@${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
${WRKSRC}/version.h
-.if ${PORT_OPTIONS:MHPN}
- @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \
- ${WRKSRC}/version.h
-.endif
-pre-su-install:
-.if !exists(${ETCSSH})
- @${MKDIR} ${ETCSSH}
+pre-install:
+# Workaround not running mtree BSD.root.dist on / since PREFIX=/usr
+.if ${PORT_OPTIONS:MOVERWRITE_BASE}
+ ${MKDIR} ${STAGEDIR}/etc/rc.d
.endif
-.for i in ${PRECIOUS}
-.if exists(${ETCOLD}/${i}) && !exists(${ETCSSH}/${i})
- @${ECHO_MSG} "==> Linking ${ETCSSH}/${i} from old layout."
- ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i}
-.endif
-.endfor
post-install:
- ${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist
- ${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist
+ ${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
+ ${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
- @${CAT} ${PKGMESSAGE}
-
test: build
(cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
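Review bot: Removing pre-su-install drops the loop that linked the files listed in `${PRECIOUS}` from `${ETCOLD}` into `${ETCSSH}` on upgrade, so an installation that still carries host keys in the old layout will no longer have them picked up and the rc script in this commit will generate fresh host keys, which clients see as a changed host identity. If that migration is considered obsolete, PRECIOUS and ETCOLD (defined outside this hunk, if still present) are now dead and a pkg-message line telling upgraders where their old keys live would soften the transition; otherwise the linking belongs in the rc script's key check rather than in a staged install. The `test:` target continues past the hunk.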
Modified: trunk/security/openssh-portable/distinfo
===================================================================
--- trunk/security/openssh-portable/distinfo 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/distinfo 2014-04-20 15:51:15 UTC (rev 16340)
@@ -1,14 +1,12 @@
-SHA256 (openssh-6.4p1.tar.gz) = 5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
-SIZE (openssh-6.4p1.tar.gz) = 1201402
-SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
-SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
-SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
-SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
-SHA256 (openssh-6.4-x509-glue.patch) = 8a199b3e6fe031775531c82e7a2d18fe468c1193c9d90ba17554ba9de2834876
-SIZE (openssh-6.4-x509-glue.patch) = 1219
-SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
-SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
+SHA256 (openssh-6.6p1.tar.gz) = 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb
+SIZE (openssh-6.6p1.tar.gz) = 1282502
+SHA256 (openssh-6.6p1-hpnssh14v2.diff.gz) = 2a1b34dc3bf922e12cbca687e57b1fad2a0b087e38022e6782e99b45fcc1a315
+SIZE (openssh-6.6p1-hpnssh14v2.diff.gz) = 24469
+SHA256 (openssh-6.6p1+x509-7.9.diff.gz) = 463473f75c1dc250ea4eda21f2c79df6f0b479ea499d044cb51d73073881ca34
+SIZE (openssh-6.6p1+x509-7.9.diff.gz) = 224691
+SHA256 (openssh-6.5p1-gsskex-all-20110125.patch.gz) = dd3b0f383a58e490f735646ae27f3dd05db96446e2e4ae8e753b64eee7f46582
+SIZE (openssh-6.5p1-gsskex-all-20110125.patch.gz) = 23516
SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
-SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
-SIZE (openssh-sctp-2329.patch.gz) = 8706
+SHA256 (openssh-6.6p1-sctp-2329.patch.gz) = e054529810815d63f7de5d1c6cc76fccb7766e1b2d1b62438ca83770afac9bfa
+SIZE (openssh-6.6p1-sctp-2329.patch.gz) = 8695
Modified: trunk/security/openssh-portable/files/extra-patch-hpn-build-options
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-build-options 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-build-options 2014-04-20 15:51:15 UTC (rev 16340)
@@ -36,13 +36,13 @@
--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
+++ readconf.c 2013-10-11 09:19:12.295135966 -0500
-@@ -251,12 +251,16 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
- { "requesttty", oRequestTTY },
+@@ -268,12 +268,16 @@ static struct {
+ { "canonicalizehostname", oCanonicalizeHostname },
+ { "canonicalizemaxdots", oCanonicalizeMaxDots },
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+#ifdef NONECIPHER
{ "noneenabled", oNoneEnabled },
- { "noneswitch", oNoneSwitch },
+ { "noneswitch", oNoneSwitch },
+#endif
+#ifdef HPN
{ "tcprcvbufpoll", oTcpRcvBufPoll },
@@ -53,7 +53,7 @@
{ "ignoreunknown", oIgnoreUnknown },
{ NULL, oBadOption }
-@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
+@@ -1739,12 +1743,20 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
@@ -76,10 +76,10 @@
/* if a user tries to set the size to 0 set it to 1KB */
--- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
+++ servconf.c 2013-10-11 09:25:50.777137928 -0500
-@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption
+@@ -303,10 +303,16 @@
+ }
+ if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
- if (options->zero_knowledge_password_authentication == -1)
- options->zero_knowledge_password_authentication = 0;
+#ifdef NONECIPHER
if (options->none_enabled == -1)
+#endif
Modified: trunk/security/openssh-portable/files/openssh.in
===================================================================
--- trunk/security/openssh-portable/files/openssh.in 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/files/openssh.in 2014-04-20 15:51:15 UTC (rev 16340)
@@ -1,6 +1,6 @@
#!/bin/sh
-# $FreeBSD$
+# $FreeBSD: head/security/openssh-portable/files/openssh.in 342628 2014-02-05 03:06:08Z bdrewery $
#
# PROVIDE: openssh
# REQUIRE: DAEMON
@@ -38,7 +38,8 @@
if [ -f %%ETCSSH%%/ssh_host_key -a \
-f %%ETCSSH%%/ssh_host_dsa_key -a \
-f %%ETCSSH%%/ssh_host_rsa_key -a \
- -f %%ETCSSH%%/ssh_host_ecdsa_key ]; then
+ -f %%ETCSSH%%/ssh_host_ecdsa_key -a \
+ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
return 0
fi
@@ -83,6 +84,15 @@
%%PREFIX%%/bin/ssh-keygen -t ecdsa \
-f %%ETCSSH%%/ssh_host_ecdsa_key -N ''
fi
+
+ if [ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
+ echo "You already have a Elliptic Curve ED25519 host key" \
+ "in %%ETCSSH%%/ssh_host_ed25519_key"
+ echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
+ else
+ %%PREFIX%%/bin/ssh-keygen -t ed25519 \
+ -f %%ETCSSH%%/ssh_host_ed25519_key -N ''
+ fi
}
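Review bot: The new ed25519 branch follows the existing pattern and does not check the exit status of `%%PREFIX%%/bin/ssh-keygen -t ed25519 ...`, so a failed generation (unwritable %%ETCSSH%%, missing binary) is silently ignored and sshd is started without that host key. Appending `|| warn "ed25519 host key generation failed"` (rc.subr is presumably sourced by this script — confirm) would at least surface it in the boot log; the same applies to the three existing invocations above, not only the new one. The phrase "Elliptic Curve ED25519" in the skip message could simply read "Ed25519", matching the key type name used by ssh-keygen.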
openssh_check_same_ports(){
Modified: trunk/security/openssh-portable/files/patch-readconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-readconf.c 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/files/patch-readconf.c 2014-04-20 15:51:15 UTC (rev 16340)
@@ -26,10 +26,10 @@
#include <sys/stat.h>
#include <sys/socket.h>
+#include <sys/sysctl.h>
+ #include <sys/wait.h>
#include <netinet/in.h>
- #include <netinet/in_systm.h>
-@@ -265,7 +266,19 @@ add_local_forward(Options *options, cons
+@@ -282,7 +283,19 @@
Forward *fwd;
#ifndef NO_IPPORT_RESERVED_CONCEPT
extern uid_t original_real_uid;
@@ -50,7 +50,7 @@
fatal("Privileged ports can only be forwarded by root.");
#endif
options->local_forwards = xrealloc(options->local_forwards,
-@@ -1281,7 +1294,7 @@ fill_default_options(Options * options)
+@@ -1607,7 +1620,7 @@
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
Modified: trunk/security/openssh-portable/files/patch-servconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-servconf.c 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/files/patch-servconf.c 2014-04-20 15:51:15 UTC (rev 16340)
@@ -39,3 +39,12 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
+@@ -335,7 +339,7 @@
+ options->version_addendum = xstrdup("");
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+- use_privsep = PRIVSEP_NOSANDBOX;
++ use_privsep = PRIVSEP_ON;
+
+ #ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
Modified: trunk/security/openssh-portable/files/patch-ssh.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh.c 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/files/patch-ssh.c 2014-04-20 15:51:15 UTC (rev 16340)
@@ -1,4 +1,4 @@
-$FreeBSD$
+$FreeBSD: head/security/openssh-portable/files/patch-ssh.c 340725 2014-01-22 17:40:44Z mat $
r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
Modified: trunk/security/openssh-portable/files/patch-sshd.c
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd.c 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/files/patch-sshd.c 2014-04-20 15:51:15 UTC (rev 16340)
@@ -42,7 +42,7 @@
#include <sys/socket.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
-@@ -83,6 +83,13 @@
+@@ -83,6 +84,13 @@
#include <prot.h>
#endif
@@ -56,18 +56,18 @@
#include "xmalloc.h"
#include "ssh.h"
#include "ssh1.h"
-@@ -1823,6 +1824,10 @@
+@@ -1877,6 +1885,10 @@
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+ /* Avoid killing the process in high-pressure swapping environments. */
-+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ debug("madvise(): %.200s", strerror(errno));
++ /* Avoid killing the process in high-pressure swapping environments. */
++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ debug("madvise(): %.200s", strerror(errno));
+
- /* Initialize the random number generator. */
- arc4random_stir();
-
-@@ -1864,6 +1871,29 @@
+ /* Chdir to the root directory so that the current disk can be
+ unmounted if desired. */
+ if (chdir("/") == -1)
+@@ -1995,6 +2007,29 @@
signal(SIGCHLD, SIG_DFL);
signal(SIGINT, SIG_DFL);
Modified: trunk/security/openssh-portable/files/patch-sshd_config
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/files/patch-sshd_config 2014-04-20 15:51:15 UTC (rev 16340)
@@ -10,7 +10,7 @@
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
-@@ -37,7 +40,7 @@
+@@ -41,7 +44,7 @@
# Authentication:
#LoginGraceTime 2m
@@ -19,7 +19,7 @@
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-@@ -46,8 +49,7 @@
+@@ -50,8 +53,7 @@
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -29,7 +29,7 @@
#AuthorizedPrincipalsFile none
-@@ -64,11 +66,11 @@
+@@ -68,11 +70,11 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -44,16 +44,16 @@
#ChallengeResponseAuthentication yes
# Kerberos options
-@@ -81,7 +83,7 @@
+@@ -85,7 +87,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
--# Set this to 'yes' to enable PAM authentication, account processing,
+-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
+ # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-@@ -90,19 +92,19 @@
+@@ -94,12 +96,12 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
@@ -67,12 +67,13 @@
+#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
- #PrintMotd yes
+ #PermitTTY yes
+@@ -107,7 +109,7 @@
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
-+#UsePrivilegeSeparation yes
++#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
Index: trunk/security/openssh-portable/pkg-descr
===================================================================
--- trunk/security/openssh-portable/pkg-descr 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/pkg-descr 2014-04-20 15:51:15 UTC (rev 16340)
Property changes on: trunk/security/openssh-portable/pkg-descr
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.2
\ No newline at end of property
Modified: trunk/security/openssh-portable/pkg-message
===================================================================
--- trunk/security/openssh-portable/pkg-message 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/pkg-message 2014-04-20 15:51:15 UTC (rev 16340)
@@ -10,6 +10,6 @@
OpenSSH port, and if truly necessary, re-enable remote root login
by readjusting this option in your sshd_config.
-Users are encouraged to create single-purpose users with ssh keys
-and very narrowly defined sudo privileges instead of using root
-for automated tasks.
+Users are encouraged to create single-purpose users with ssh keys, disable
+Password auth with 'PasswordAuthentication no' and define very narrow sudo
+privileges instead of using root for automated tasks.
Property changes on: trunk/security/openssh-portable/pkg-message
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.2
\ No newline at end of property
Modified: trunk/security/openssh-portable/pkg-plist
===================================================================
--- trunk/security/openssh-portable/pkg-plist 2014-04-14 01:42:37 UTC (rev 16339)
+++ trunk/security/openssh-portable/pkg-plist 2014-04-20 15:51:15 UTC (rev 16340)
@@ -12,15 +12,33 @@
%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
-%%BASE%%@cwd /
+%%OVERWRITE_BASE%%@cwd /
etc/ssh/ssh_config-dist
etc/ssh/sshd_config-dist
-%%BASE%%@cwd %%BASEPREFIX%%
+%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
%%NOTBASE%%@dirrmtry etc/ssh
+ at exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
sbin/sshd
libexec/sftp-server
libexec/ssh-keysign
libexec/ssh-pkcs11-helper
+ at cwd %%MANPREFIX%%
+man/man1/sftp.1.gz
+man/man1/ssh-add.1.gz
+man/man1/ssh-agent.1.gz
+man/man1/ssh-keygen.1.gz
+man/man1/ssh-keyscan.1.gz
+man/man1/scp.1.gz
+man/man1/ssh.1.gz
+man/man1/slogin.1.gz
+man/man5/moduli.5.gz
+man/man5/ssh_config.5.gz
+man/man5/sshd_config.5.gz
+%%X509%%man/man5/ssh_engine.5.gz
+man/man8/sftp-server.8.gz
+man/man8/sshd.8.gz
+man/man8/ssh-keysign.8.gz
+man/man8/ssh-pkcs11-helper.8.gz