[Midnightbsd-cvs] mports [19655] trunk/security/openssh-portable: OpenSSH 6.9p1
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sat Aug 1 09:35:30 EDT 2015
Revision: 19655
http://svnweb.midnightbsd.org/mports/?rev=19655
Author: laffer1
Date: 2015-08-01 09:35:29 -0400 (Sat, 01 Aug 2015)
Log Message:
-----------
OpenSSH 6.9p1
Modified Paths:
--------------
trunk/security/openssh-portable/Makefile
trunk/security/openssh-portable/distinfo
trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size
trunk/security/openssh-portable/files/extra-patch-tcpwrappers
trunk/security/openssh-portable/files/openssh.in
trunk/security/openssh-portable/files/patch-servconf.c
trunk/security/openssh-portable/files/patch-ssh-agent.1
trunk/security/openssh-portable/files/patch-ssh-agent.c
trunk/security/openssh-portable/files/patch-ssh.c
trunk/security/openssh-portable/files/patch-sshd_config
trunk/security/openssh-portable/files/patch-sshd_config.5
trunk/security/openssh-portable/pkg-plist
Removed Paths:
-------------
trunk/security/openssh-portable/files/extra-patch-hpn-build-options
trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn
trunk/security/openssh-portable/files/extra-patch-hpn-window-size
Modified: trunk/security/openssh-portable/Makefile
===================================================================
--- trunk/security/openssh-portable/Makefile 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/Makefile 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,21 +1,23 @@
# $MidnightBSD$
PORTNAME= openssh
-DISTVERSION= 6.7p1
+DISTVERSION= 6.9p1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security ipv6
-MASTER_SITES= ${MASTER_SITE_OPENBSD}
-MASTER_SITE_SUBDIR= OpenSSH/portable
+MASTER_SITES= OPENBSD/OpenSSH/portable
PKGNAMESUFFIX?= -portable
MAINTAINER= ports at MidnightBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
-LICENSE= agg
+LICENSE= bsd2 bsd3 mit publicdom
+LICENSE_COMB= multi
LICENSE_FILE= ${WRKSRC}/LICENCE
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
+USES= alias
USE_AUTOTOOLS= autoconf autoheader
USE_OPENSSL= yes
GNU_CONFIGURE= yes
@@ -22,37 +24,31 @@
CONFIGURE_ENV= ac_cv_func_strnvis=no
CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \
--without-zlib-version-check --with-ssl-engine
-PRECIOUS= ssh_config sshd_config ssh_host_key ssh_host_key.pub \
- ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key \
- ssh_host_dsa_key.pub
ETCOLD= ${PREFIX}/etc
-SUDO?= # empty
-MAKE_ENV+= SUDO="${SUDO}"
-
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
- LPK X509 KERB_GSSAPI \
- OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS NONECIPHER
+ HPN X509 KERB_GSSAPI \
+ OVERWRITE_BASE SCTP LDNS NONECIPHER
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
BSM_DESC= OpenBSM Auditing
KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
-LPK_DESC= LDAP Public Key (LPK) [OBSOLETE]
+HPN_DESC= HPN-SSH patch
LDNS_DESC= SSHFP/LDNS support
X509_DESC= x509 certificate patch
SCTP_DESC= SCTP support
-OVERWRITE_BASE_DESC= OpenSSH overwrite base
+OVERWRITE_BASE_DESC= EOL, No longer supported.
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
-AES_THREADED_DESC= Threaded AES-CTR
NONECIPHER_DESC= NONE Cipher support
OPTIONS_SUB= yes
-PLIST_SUB+= MANPREFIX=${MANPREFIX}
+TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
+
LDNS_CONFIGURE_WITH= ldns
LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns
LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
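Review bot: The new `OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS` line turns HPN on by default, so every default build of this port now ships sshd with the out-of-tree HPN-SSH patch to its packet and channel layer, code that is not part of upstream OpenSSH's review and release process. If that is intended, the option description should make the trade-off visible in the options dialog, e.g. `HPN_DESC= HPN-SSH patch (third-party; modifies sshd buffering/cipher paths)`. `NONECIPHER_DESC= NONE Cipher support` also deserves a caveat, since, as the name suggests, the NONE cipher leaves the session payload unencrypted after authentication: `NONECIPHER_DESC= NONE cipher (unencrypted payload; trusted networks only)`. Leaving HPN out of the defaults would be the more conservative choice for a security-critical daemon.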
@@ -59,33 +55,20 @@
LDNS_CFLAGS= -I${LOCALBASE}/include
LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
+# http://www.psc.edu/index.php/hpn-ssh
+HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
-AES_THREADED_CONFIGURE_WITH= aes-threaded
-# See http://code.google.com/p/openssh-lpk/wiki/Main
-# and svn repo described here:
-# http://code.google.com/p/openssh-lpk/source/checkout
-# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
-LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz
-LPK_CPPFLAGS= -I${LOCALBASE}/include
-LPK_CONFIGURE_ON= --with-ldap=yes \
- --with-ldflags='-L${LOCALBASE}/lib' \
- --with-cppflags='${CPPFLAGS}'
-LPK_USE= OPENLDAP=yes
-
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 7.9
+X509_VERSION= 8.4
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-6.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-SCTP_PATCHFILES= ${PORTNAME}-6.6p1-sctp-2329.patch.gz
+# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
+SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1
SCTP_CONFIGURE_WITH= sctp
-# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
-KERB_GSSAPI_PATCHFILES= openssh-6.5p1-gsskex-all-20110125.patch.gz
-
-
MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
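Review bot: `HPN_CONFIGURE_WITH= hpn` (together with the retained `NONECIPHER_CONFIGURE_WITH= nonecipher`) passes `--with-hpn`/`--with-nonecipher` to configure, but the `AC_ARG_WITH(hpn)` / `AC_ARG_WITH(nonecipher)` blocks and the matching `#ifdef HPN` / `#ifdef NONECIPHER` guards that gave those switches meaning lived in `files/extra-patch-hpn-build-options`, which this commit deletes. Unless the new `files/extra-patch-hpn` carries equivalent configure.ac and preprocessor guards, autoconf will merely warn about the unrecognised options and whatever the patch adds is compiled in unconditionally whenever it is applied, so selecting NONECIPHER alone would silently enable all of HPN and deselecting it would not remove the NONE cipher. Once confirmed, a comment next to this line should record where the switch is defined, e.g. `# --with-hpn/--with-nonecipher are defined in configure.ac by files/extra-patch-hpn`.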
@@ -93,16 +76,39 @@
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
LIBEDIT_CONFIGURE_WITH= libedit
+LIBEDIT_USES= libedit
BSM_CONFIGURE_ON= --with-audit=bsm
+ETCDIR?= ${PREFIX}/etc/ssh
.include <bsd.port.pre.mk>
+PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
+
+# X509 patch includes TCP Wrapper support already
+.if ${PORT_OPTIONS:MX509}
+EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
+.endif
+
+# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+PORTDOCS+= HPN-README
+HPN_VERSION= 14v5
+HPN_DISTVERSION= 6.7p1
+#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
+#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2
+.endif
+
+# Must add this patch after HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI}
-BROKEN= KERB_GSSAPI Patch is not updated for 6.5 and upstream has not been active since 2001.
+# 6.7 patch taken from
+# http://sources.debian.net/data/main/o/openssh/1:6.7p1-3/debian/patches/gssapi.patch
+# which was originally based on 5.7 patch from
+# http://www.sxw.org.uk/computing/patches/
+PATCHFILES+= openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz:-p1:gsskex
.endif
-PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn
.if ${OSVERSION} >= 4016
CONFIGURE_LIBS+= -lutil
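Review bot: `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2` references a file that appears in neither the Modified nor the Removed paths of this commit, and the commit has no Added Paths section; with HPN now on by default, a missing `files/extra-patch-hpn` would make every default build fail at the patch stage, so please confirm it is in the tree. The same `.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}` applies that patch for NONECIPHER alone, so a user who wants only the NONE cipher still receives the full HPN patch. Separately, `PATCH_SITES+= http://mirror.shatow.net/...` fetches third-party patches over plain HTTP, which makes the SHA256 entries in distinfo the only integrity control; they should be generated from, or checked against, the original upstream files rather than the mirror copy. A comment such as `# patch sites are plain http; integrity relies solely on the distinfo checksums` would make that dependency explicit.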
@@ -115,8 +121,11 @@
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
.endif
+# Keep this last
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
+
.if ${PORT_OPTIONS:MX509}
-. if ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
+. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
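Review bot: `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum` is added unconditionally, yet `files/extra-patch-version-addendum` is listed in neither the Modified nor the Removed paths and the commit records no Added Paths; if the file is new it must be part of this commit, otherwise the port will not patch at all. The `# Keep this last` comment should also say why the ordering matters, since the constraint is otherwise opaque; presumably it has to apply after the HPN/X509/GSSAPI patches, which also edit `version.h` (the deleted `extra-patch-hpn-no-hpn` did), in which case `# Keep this last: must apply after the HPN/X509/GSSAPI patches, which also touch version.h` would do.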
@@ -124,10 +133,6 @@
BROKEN= X509 patch and SCTP patch do not apply cleanly together
. endif
-. if ${PORT_OPTIONS:MLPK}
-BROKEN= X509 patch and LPK patch do not apply cleanly together
-. endif
-
. if ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= X509 patch incompatible with KERB_GSSAPI patch
. endif
@@ -134,26 +139,18 @@
.endif
+. if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN= Does not apply to 6.8
+. endif
+
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
-IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
+IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
-.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
-IGNORE= Pam must be installed in base
-.endif
-
-.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
-IGNORE= Required /usr/include/tcpd.h missing
-.endif
-
-.if defined(OPENSSH_OVERWRITE_BASE)
-PORT_OPTIONS+= OVERWRITE_BASE
-.endif
-
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
. if ${PORT_OPTIONS:MHEIMDAL_BASE}
CONFIGURE_LIBS+= -lgssapi_krb5
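Review bot: The new `. if ${PORT_OPTIONS:MKERB_GSSAPI}` / `BROKEN= Does not apply to 6.8` block comes after the `.endif` that closes the X509 conditional, so despite its nested indentation it marks KERB_GSSAPI broken unconditionally, and the message names 6.8 while this commit moves the port to 6.9p1. If an unconditional BROKEN is intended, dedent it and fix the text, e.g. `.if ${PORT_OPTIONS:MKERB_GSSAPI}` / `BROKEN= KERB_GSSAPI (gsskex patch for 6.7p1) does not apply to 6.9p1` / `.endif`; if it was meant to live inside the X509 block it duplicates the `BROKEN= X509 patch incompatible with KERB_GSSAPI patch` case in the previous hunk. Either way the `PATCHFILES+= openssh-6.7p1-gsskex-all-...:gsskex` line in the earlier hunk still schedules a download of a patch that can never be applied and could be commented out until a 6.9 rebase exists. Dropping the `pam_modules.h` and `tcpd.h` existence checks is acceptable only if configure fails hard when the headers are absent rather than silently building without PAM or libwrap; worth confirming.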
@@ -175,71 +172,57 @@
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.endif
-.if ${PORT_OPTIONS:MLPK}
-CONFIGURE_LIBS+= -lldap
-.endif
-
EMPTYDIR= /var/empty
-.if ${PORT_OPTIONS:MOVERWRITE_BASE}
-WITH_OPENSSL_BASE= yes
-CONFIGURE_ARGS+= --localstatedir=/var
-PREFIX= /usr
-NO_MTREE= yes
-ETCSSH= /etc/ssh
-USE_RCORDER= openssh
-PLIST_SUB+= NOTBASE="@comment "
-PLIST_SUB+= BASEPREFIX="${PREFIX}"
-.else
-ETCSSH= ${PREFIX}/etc/ssh
-USE_RC_SUBR= openssh
-PLIST_SUB+= NOTBASE=""
+.if ${PORT_OPTIONS:MOVERWRITE_BASE} || defined(OPENSSH_OVERWRITE_BASE)
+IGNORE= Overwrite base option is no longer supported.
.endif
+USE_RC_SUBR= openssh
+
# After all
-SUB_LIST+= ETCSSH="${ETCSSH}"
-CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
+CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR}
.if !empty(CONFIGURE_LIBS)
CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}'
.endif
+CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth
+
RC_SCRIPT_NAME= openssh
+VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME}
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
@${REINPLACE_CMD} \
-e 's|install: \(.*\) host-key check-config|install: \1|g' \
- -e 's|-lpthread|${PTHREAD_LIBS}|' \
${WRKSRC}/Makefile.in
- @${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \
- ${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \
- ${WRKSRC}/ssh_config.5
-.if !${PORT_OPTIONS:MOVERWRITE_BASE}
@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
-.endif
- @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
- -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
- @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \
+ @${REINPLACE_CMD} \
+ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
+ ${WRKSRC}/sshd_config
+ @${REINPLACE_CMD} \
+ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
+ ${WRKSRC}/sshd_config.5
+ @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \
${WRKSRC}/version.h
- @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
- ${WRKSRC}/version.h
- @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
- ${WRKSRC}/version.h
-pre-install:
-# Workaround not running mtree BSD.root.dist on / since PREFIX=/usr
-.if ${PORT_OPTIONS:MOVERWRITE_BASE}
- ${MKDIR} ${STAGEDIR}/etc/rc.d
+post-install:
+ ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
+ ${STAGEDIR}${ETCDIR}//ssh_config.sample
+ ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
+ ${STAGEDIR}${ETCDIR}/sshd_config.sample
+.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
.endif
-post-install:
- ${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
- ${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
-
-test: build
- (cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
+test: build
+ cd ${WRKSRC} && ${SETENV} -i \
+ OBJ=${WRKDIR} ${MAKE_ENV} \
+ TEST_SHELL=${SH} \
+ SUDO="${SUDO}" \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
- ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS})
+ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
.include <bsd.port.post.mk>
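Review bot: `VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME}` is substituted into `VersionAddendum` in the shipped sshd_config and into `SSH_VERSION_FREEBSD_PORT` in version.h, so every default install advertises the exact package name and port revision (something like `MidnightBSD-openssh-portable-6.9p1_2,1`) in the identification banner sent before authentication, which lets scanners map installed patch levels. That is a deliberate fingerprint and should at least be documented at the definition, e.g. `# Sent in the SSH banner before authentication; override with VERSION_ADDENDUM_DEFAULT= or 'VersionAddendum none' in sshd_config`. There is also a double slash in the first `${MV}` destination, `${STAGEDIR}${ETCDIR}//ssh_config.sample`; harmless, but it should read `${STAGEDIR}${ETCDIR}/ssh_config.sample` like the sshd_config line below it.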
Modified: trunk/security/openssh-portable/distinfo
===================================================================
--- trunk/security/openssh-portable/distinfo 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/distinfo 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,12 +1,8 @@
-SHA256 (openssh-6.7p1.tar.gz) = b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507
-SIZE (openssh-6.7p1.tar.gz) = 1351367
-SHA256 (openssh-6.7p1-hpnssh14v5.diff.gz) = 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
-SIZE (openssh-6.7p1-hpnssh14v5.diff.gz) = 24326
-SHA256 (openssh-6.7p1+x509-8.2.diff.gz) = 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f
-SIZE (openssh-6.7p1+x509-8.2.diff.gz) = 241798
+SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe
+SIZE (openssh-6.9p1.tar.gz) = 1487617
+SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb
+SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687
SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
-SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
-SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
-SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db
-SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052
+SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
+SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
Deleted: trunk/security/openssh-portable/files/extra-patch-hpn-build-options
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-build-options 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-build-options 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,142 +0,0 @@
---- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
-+++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
-@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
- }
- }
-
-+#ifdef AES_THREADED
- /* if we are using aes-ctr there can be issues in either a fork or sandbox
- * so the initial aes-ctr is defined to point to the original single process
- * evp. After authentication we'll be past the fork and the sandboxed privsep
-@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
- cipher_reset_multithreaded();
- packet_request_rekeying();
- }
-+#endif
-
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
---- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500
-+++ sshd.c 2013-10-11 08:53:25.929132033 -0500
-@@ -2186,6 +2186,7 @@ main(int ac, char **av)
-
- /* Start session. */
-
-+#ifdef AES_THREADED
- /* if we are using aes-ctr there can be issues in either a fork or sandbox
- * so the initial aes-ctr is defined to point ot the original single process
- * evp. After authentication we'll be past the fork and the sandboxed privsep
-@@ -2201,6 +2202,7 @@ main(int ac, char **av)
- cipher_reset_multithreaded();
- packet_request_rekeying();
- }
-+#endif
-
- do_authenticated(authctxt);
-
---- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
-+++ readconf.c 2013-10-11 09:19:12.295135966 -0500
-@@ -268,12 +268,16 @@ static struct {
- { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
- { "streamlocalbindmask", oStreamLocalBindMask },
- { "streamlocalbindunlink", oStreamLocalBindUnlink },
-+#ifdef NONECIPHER
- { "noneenabled", oNoneEnabled },
- { "noneswitch", oNoneSwitch },
-+#endif
-+#ifdef HPN
- { "tcprcvbufpoll", oTcpRcvBufPoll },
- { "tcprcvbuf", oTcpRcvBuf },
- { "hpndisabled", oHPNDisabled },
- { "hpnbuffersize", oHPNBufferSize },
-+#endif
- { "ignoreunknown", oIgnoreUnknown },
-
- { NULL, oBadOption }
-@@ -1819,12 +1823,20 @@ fill_default_options(Options * options)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
- options->server_alive_count_max = 3;
-+#ifdef NONECIPHER
- if (options->none_switch == -1)
-+#endif
- options->none_switch = 0;
-+#ifdef NONECIPHER
- if (options->none_enabled == -1)
-+#endif
- options->none_enabled = 0;
-+#ifdef HPN
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
-+#else
-+ options->hpn_disabled = 1;
-+#endif
- if (options->hpn_buffer_size > -1)
- {
- /* if a user tries to set the size to 0 set it to 1KB */
---- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
-+++ servconf.c 2013-10-11 09:25:50.777137928 -0500
-@@ -303,10 +303,16 @@
- }
- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+#ifdef NONECIPHER
- if (options->none_enabled == -1)
-+#endif
- options->none_enabled = 0;
-+#ifdef HPN
- if (options->hpn_disabled == -1)
- options->hpn_disabled = 0;
-+#else
-+ options->hpn_disabled = 1;
-+#endif
-
- if (options->hpn_buffer_size == -1) {
- /* option not explicitly set. Now we have to figure out */
---- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500
-+++ configure.ac 2013-10-12 17:18:35.610130039 -0500
-@@ -3968,6 +3968,34 @@
- ]
- ) # maildir
-
-+#check whether user wants HPN support
-+HPN_MSG="no"
-+AC_ARG_WITH(hpn,
-+ [ --with-hpn Enable HPN support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(HPN,1,[Define if you want HPN support.])
-+ HPN_MSG="yes"
-+ fi ]
-+)
-+#check whether user wants NONECIPHER support
-+NONECIPHER_MSG="no"
-+AC_ARG_WITH(nonecipher,
-+ [ --with-nonecipher Enable NONECIPHER support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
-+ NONECIPHER_MSG="yes"
-+ fi ]
-+)
-+#check whether user wants AES_THREADED support
-+AES_THREADED_MSG="no"
-+AC_ARG_WITH(aes-threaded,
-+ [ --with-aes-threaded Enable AES_THREADED support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
-+ AES_THREADED_MSG="yes"
-+ fi ]
-+)
-+
- if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
- AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
- disable_ptmx_check=yes
-@@ -4636,6 +4664,9 @@
- echo " BSD Auth support: $BSD_AUTH_MSG"
- echo " Random number source: $RAND_MSG"
- echo " Privsep sandbox style: $SANDBOX_STYLE"
-+echo " HPN support: $HPN_MSG"
-+echo " NONECIPHER support: $NONECIPHER_MSG"
-+echo " AES_THREADED support: $AES_THREADED_MSG"
-
- echo ""
-
Deleted: trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-no-hpn 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,32 +0,0 @@
---- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
-+++ sshd_config 2013-10-12 06:40:06.646129924 -0500
-@@ -125,20 +125,6 @@
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
--# the following are HPN related configuration options
--# tcp receive buffer polling. disable in non autotuning kernels
--#TcpRcvBufPoll yes
--
--# disable hpn performance boosts
--#HPNDisabled no
--
--# buffer size for hpn to non-hpn connections
--#HPNBufferSize 2048
--
--
--# allow the use of the none cipher
--#NoneEnabled no
--
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
---- version.h.orig 2013-10-12 06:42:19.578133368 -0500
-+++ version.h 2013-10-12 06:42:28.581136160 -0500
-@@ -3,5 +3,4 @@
- #define SSH_VERSION "OpenSSH_6.3"
-
- #define SSH_PORTABLE "p1"
--#define SSH_HPN "-hpn14v2"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
Deleted: trunk/security/openssh-portable/files/extra-patch-hpn-window-size
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-window-size 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-window-size 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,24 +0,0 @@
-r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines
-Changed paths:
- M /user/brooks/openssh-hpn/channels.h
-
-It looks like the HPN patch didn't track the window size bump in OpenBSD
-rev 1.89 back in 2007. Chase the updates to reduce diffs to head
-
-Index: channels.h
-===================================================================
---- channels.h (revision 223212)
-+++ channels.h (revision 223213)
-@@ -163,10 +163,10 @@
-
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT (32*1024)
--#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
-+#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
-
- #define CHAN_TCP_PACKET_DEFAULT (32*1024)
--#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
-+#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
-
- #define CHAN_X11_PACKET_DEFAULT (16*1024)
- #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
Modified: trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size 2015-08-01 13:35:29 UTC (rev 19655)
@@ -15,21 +15,21 @@
Index: sshd.c
===================================================================
---- sshd.c (revision 184121)
-+++ sshd.c (revision 184122)
+--- sshd.c.orig 2015-04-04 11:40:24.175508000 -0500
++++ sshd.c 2015-04-04 11:40:38.082324000 -0500
@@ -72,6 +72,7 @@
- #include <stdlib.h>
#include <string.h>
#include <unistd.h>
+ #include <limits.h>
+#include <utmp.h>
+ #ifdef WITH_OPENSSL
#include <openssl/dh.h>
- #include <openssl/bn.h>
-@@ -238,7 +239,7 @@
+@@ -229,7 +230,7 @@ u_char *session_id2 = NULL;
u_int session_id2_len = 0;
/* record remote hostname or ip */
--u_int utmp_len = MAXHOSTNAMELEN;
+-u_int utmp_len = HOST_NAME_MAX+1;
+u_int utmp_len = UT_HOSTSIZE;
/* options.max_startup sized array of fd ints */
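Review bot: The patch header at the top of this file (outside the hunk) gives no rationale for `u_int utmp_len = UT_HOSTSIZE;`, and the value matters for login-record integrity: utmp_len is the bound sshd uses when deciding whether the resolved client hostname fits the utmp/wtmp host field, so sizing it to the real `UT_HOSTSIZE` from `<utmp.h>` should make sshd record the IP address instead of a silently truncated hostname (to be confirmed against the hostname/IP selection code in 6.9p1, which is not shown here). A one-line comment above the definition, e.g. `/* bound to the utmp ut_host field so login records hold the IP rather than a truncated name */`, would capture that. The `#include <utmp.h>` is added unconditionally, so this patch must stay inside the Makefile `.if` block that wraps `extra-patch-sshd-utmp-size` (its condition lies outside the visible hunk), since platforms that only provide `<utmpx.h>` will not build with it.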
Modified: trunk/security/openssh-portable/files/extra-patch-tcpwrappers
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-tcpwrappers 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/extra-patch-tcpwrappers 2015-08-01 13:35:29 UTC (rev 19655)
@@ -83,25 +83,6 @@
/* Log the connection. */
verbose("Connection from %s port %d on %s port %d",
-commit f9696566fb41320820f3b257ab564fa321bb3751
-Author: Darren Tucker <dtucker at zip.com.au>
-Date: Fri Jun 13 11:06:04 2014 +1000
-
- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
- been removed from sshd.c.
-
-diff --git ChangeLog ChangeLog
-index f4c6ea6..1c043ae 100644
---- ChangeLog
-+++ ChangeLog
-@@ -1,7 +1,3 @@
--20140612
-- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
-- been removed from sshd.c.
--
- 20140611
- - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
- openbsd-compat/bsd-asprintf.c.
diff --git configure.ac configure.ac
index f48ba4a..66fbe82 100644
--- configure.ac
Modified: trunk/security/openssh-portable/files/openssh.in
===================================================================
--- trunk/security/openssh-portable/files/openssh.in 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/openssh.in 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,6 +1,6 @@
#!/bin/sh
-# $FreeBSD: head/security/openssh-portable/files/openssh.in 369931 2014-10-03 19:23:03Z bdrewery $
+# $FreeBSD: head/security/openssh-portable/files/openssh.in 381823 2015-03-21 19:28:40Z bdrewery $
#
# PROVIDE: openssh
# REQUIRE: DAEMON
@@ -35,11 +35,11 @@
openssh_keygen()
{
- if [ -f %%ETCSSH%%/ssh_host_key -a \
- -f %%ETCSSH%%/ssh_host_dsa_key -a \
- -f %%ETCSSH%%/ssh_host_rsa_key -a \
- -f %%ETCSSH%%/ssh_host_ecdsa_key -a \
- -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
+ if [ -f %%ETCDIR%%/ssh_host_key -a \
+ -f %%ETCDIR%%/ssh_host_dsa_key -a \
+ -f %%ETCDIR%%/ssh_host_rsa_key -a \
+ -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
+ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
return 0
fi
@@ -49,49 +49,49 @@
[ -x %%PREFIX%%/bin/ssh-keygen ] ||
err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
- if [ -f %%ETCSSH%%/ssh_host_key ]; then
+ if [ -f %%ETCDIR%%/ssh_host_key ]; then
echo "You already have an RSA host key" \
- "in %%ETCSSH%%/ssh_host_key"
+ "in %%ETCDIR%%/ssh_host_key"
echo "Skipping protocol version 1 RSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t rsa1 -b 1024 \
- -f %%ETCSSH%%/ssh_host_key -N ''
+ -f %%ETCDIR%%/ssh_host_key -N ''
fi
- if [ -f %%ETCSSH%%/ssh_host_dsa_key ]; then
+ if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
echo "You already have a DSA host key" \
- "in %%ETCSSH%%/ssh_host_dsa_key"
+ "in %%ETCDIR%%/ssh_host_dsa_key"
echo "Skipping protocol version 2 DSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t dsa \
- -f %%ETCSSH%%/ssh_host_dsa_key -N ''
+ -f %%ETCDIR%%/ssh_host_dsa_key -N ''
fi
- if [ -f %%ETCSSH%%/ssh_host_rsa_key ]; then
+ if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then
echo "You already have a RSA host key" \
- "in %%ETCSSH%%/ssh_host_rsa_key"
+ "in %%ETCDIR%%/ssh_host_rsa_key"
echo "Skipping protocol version 2 RSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t rsa \
- -f %%ETCSSH%%/ssh_host_rsa_key -N ''
+ -f %%ETCDIR%%/ssh_host_rsa_key -N ''
fi
- if [ -f %%ETCSSH%%/ssh_host_ecdsa_key ]; then
+ if [ -f %%ETCDIR%%/ssh_host_ecdsa_key ]; then
echo "You already have a Elliptic Curve DSA host key" \
- "in %%ETCSSH%%/ssh_host_ecdsa_key"
+ "in %%ETCDIR%%/ssh_host_ecdsa_key"
echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t ecdsa \
- -f %%ETCSSH%%/ssh_host_ecdsa_key -N ''
+ -f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
fi
- if [ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
+ if [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
echo "You already have a Elliptic Curve ED25519 host key" \
- "in %%ETCSSH%%/ssh_host_ed25519_key"
+ "in %%ETCDIR%%/ssh_host_ed25519_key"
echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
else
%%PREFIX%%/bin/ssh-keygen -t ed25519 \
- -f %%ETCSSH%%/ssh_host_ed25519_key -N ''
+ -f %%ETCDIR%%/ssh_host_ed25519_key -N ''
fi
}
@@ -105,13 +105,13 @@
#check if opensshd-portable installed in replacement of base sshd
- if [ "%%ETCSSH%%" = "/etc/ssh" ]; then
+ if [ "%%ETCDIR%%" = "/etc/ssh" ]; then
return 1
fi
self_port=$(awk '$1~/^ListenAddress/ \
{mlen=match($0,":[0-9]*$"); print \
- substr($0,mlen+1,length($0)-mlen)}' %%ETCSSH%%/sshd_config)
+ substr($0,mlen+1,length($0)-mlen)}' %%ETCDIR%%/sshd_config)
if [ -z "$self_port" ]; then
self_port=$(echo $openssh_flags | awk \
'{for (i = 1; i <= NF; i++) if ($i == "-p") \
@@ -118,7 +118,7 @@
{i++; printf "%s", $i; break; }; }')
if [ -z "$self_port" ]; then
self_port=$(awk '$1~/^Port/ {print $2}' \
- %%ETCSSH%%/sshd_config)
+ %%ETCDIR%%/sshd_config)
fi
fi
# assume default 22 port
Modified: trunk/security/openssh-portable/files/patch-servconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-servconf.c 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/patch-servconf.c 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,15 +1,23 @@
---- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500
-+++ servconf.c 2013-05-12 21:52:43.069625377 -0500
-@@ -162,7 +162,7 @@
+--- servconf.c.orig 2015-03-22 23:58:50.869706000 -0500
++++ servconf.c 2015-03-22 23:59:46.645390000 -0500
+@@ -81,6 +81,7 @@
+ #include "auth.h"
+ #include "myproposal.h"
+ #include "digest.h"
++#include "version.h"
+ static void add_listen_addr(ServerOptions *, char *, int);
+ static void add_one_listen_addr(ServerOptions *, char *, int);
+@@ -216,7 +217,7 @@ fill_default_server_options(ServerOption
+
/* Portable-specific options */
if (options->use_pam == -1)
- options->use_pam = 0;
+ options->use_pam = 1;
- /* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -197,7 +197,7 @@
+ /* X.509 Standard Options */
+ #ifdef OPENSSL_FIPS
+@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@@ -18,7 +26,7 @@
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
-@@ -207,7 +207,7 @@
+@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -27,7 +35,7 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -245,7 +245,11 @@
+@@ -333,7 +334,11 @@ fill_default_server_options(ServerOption
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
@@ -39,12 +47,12 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -335,7 +339,7 @@
- options->version_addendum = xstrdup("");
+@@ -396,7 +401,7 @@ fill_default_server_options(ServerOption
+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
+ use_privsep = PRIVSEP_ON;
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
+ #define CLEAR_ON_NONE(v) \
+ do { \
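Review bot: `use_privsep = PRIVSEP_ON;` replaces upstream's `PRIVSEP_NOSANDBOX` default, and the patch header (outside this hunk) should say what that means: `PRIVSEP_ON` is the value the `sandbox` keyword maps to in servconf.c's `UsePrivilegeSeparation` table (verify against the 6.9p1 source), so this port enables the sandboxed privsep child by default where upstream 6.9p1 defaults to unsandboxed privsep. That is a good hardening default, but its strength depends on which sandbox style configure selects on MidnightBSD (capsicum, rlimit or none), which is worth recording alongside the change. Suggested header text: `Default UsePrivilegeSeparation to 'sandbox' (PRIVSEP_ON) rather than upstream's 'yes' (PRIVSEP_NOSANDBOX); check the 'Privsep sandbox style' line of the configure summary.` The `use_pam = 1` default in the first hunk likewise deserves a sentence stating whether it is a no-op when the PAM option is not built in.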
Modified: trunk/security/openssh-portable/files/patch-ssh-agent.1
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.1 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.1 2015-08-01 13:35:29 UTC (rev 19655)
@@ -3,20 +3,18 @@
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
-Index: ssh-agent.1
-===================================================================
---- ssh-agent.1 (revision 226102)
-+++ ssh-agent.1 (revision 226103)
-@@ -44,7 +44,7 @@
+--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500
+@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
--.Op Fl d
-+.Op Fl dx
+-.Op Fl Dd
++.Op Fl Ddx
.Op Fl a Ar bind_address
+ .Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
- .Op Ar command Op Ar arg ...
-@@ -103,6 +103,8 @@
+@@ -128,6 +128,8 @@
.Xr ssh-add 1
overrides this value.
Without this option the default maximum lifetime is forever.
Modified: trunk/security/openssh-portable/files/patch-ssh-agent.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.c 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.c 2015-08-01 13:35:29 UTC (rev 19655)
@@ -7,12 +7,12 @@
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
---- ssh-agent.c.orig 2014-07-29 21:32:46.000000000 -0500
-+++ ssh-agent.c 2014-11-03 16:48:03.930786112 -0600
-@@ -142,15 +142,34 @@ extern char *__progname;
- /* Default lifetime in seconds (0 == forever) */
- static long lifetime = 0;
+--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500
++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500
+@@ -157,15 +157,34 @@ static long lifetime = 0;
+ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+
+/*
+ * Client connection count; incremented in new_socket() and decremented in
+ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
@@ -36,15 +36,15 @@
close(e->fd);
e->fd = -1;
e->type = AUTH_UNUSED;
- buffer_free(&e->input);
- buffer_free(&e->output);
- buffer_free(&e->request);
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
+ if (last)
+ cleanup_exit(0);
}
static void
-@@ -810,6 +829,10 @@ new_socket(sock_type type, int fd)
+@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd)
{
u_int i, old_alloc, new_alloc;
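Review bot: `if (last) cleanup_exit(0);` in close_socket() terminates the agent as soon as the connection counter described in the added comment reaches zero, but the head of close_socket(), the decrement that computes `last`, and the four lines added to `new_socket()` at the end of this hunk are all outside what is shown, so the invariant cannot be checked from the diff. Two things to confirm: that only `AUTH_CONNECTION` sockets are counted and not the `AUTH_SOCKET` listener, which is presumably also registered through `new_socket()`, otherwise `-x` would never fire; and that an agent started with `-x` before any client has connected cannot exit before the first `ssh-add`, which holds only if the counter is decremented solely in close_socket() as the comment states. A comment on the exit line stating the contract, e.g. `/* -x: last client disconnected; tear down the socket and exit */`, would help future readers. If cleanup_exit() also unlinks the socket directory as it does on the signal path, that is the right behaviour for an agent exiting on its own.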
@@ -55,16 +55,16 @@
set_nonblock(fd);
if (fd > max_fd)
-@@ -1026,7 +1049,7 @@ usage(void)
+@@ -1166,7 +1189,7 @@ static void
+ usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n"
-- " [command [arg ...]]\n"
-+ " [-x] [command [arg ...]]\n"
+- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
++ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
+ " [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
- }
-@@ -1056,6 +1079,7 @@ main(int ac, char **av)
+@@ -1197,6 +1220,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
@@ -72,16 +72,16 @@
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
-@@ -1069,7 +1093,7 @@ main(int ac, char **av)
+@@ -1210,7 +1234,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
-- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
-+ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) {
+- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
switch (ch) {
- case 'c':
- if (s_flag)
-@@ -1098,6 +1122,9 @@ main(int ac, char **av)
+ case 'E':
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1249,6 +1273,9 @@ main(int ac, char **av)
usage();
}
break;
Modified: trunk/security/openssh-portable/files/patch-ssh.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh.c 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/patch-ssh.c 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,5 +1,3 @@
-$FreeBSD: head/security/openssh-portable/files/patch-ssh.c 340725 2014-01-22 17:40:44Z mat $
-
r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/ssh.c
Modified: trunk/security/openssh-portable/files/patch-sshd_config
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/patch-sshd_config 2015-08-01 13:35:29 UTC (rev 19655)
@@ -10,15 +10,6 @@
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
-@@ -41,7 +44,7 @@
- # Authentication:
-
- #LoginGraceTime 2m
--#PermitRootLogin yes
-+#PermitRootLogin no
- #StrictModes yes
- #MaxAuthTries 6
- #MaxSessions 10
@@ -50,8 +53,7 @@
#PubkeyAuthentication yes
@@ -68,12 +59,3 @@
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
-@@ -107,7 +109,7 @@
- #PrintLastLog yes
- #TCPKeepAlive yes
- #UseLogin no
--UsePrivilegeSeparation sandbox # Default for new installations.
-+#UsePrivilegeSeparation sandbox
- #PermitUserEnvironment no
- #Compression delayed
- #ClientAliveInterval 0
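Review bot: Dropping the hunk that turned the sample file's `#PermitRootLogin yes` into `#PermitRootLogin no` (and, in the hunk at `@@ -68,12 +59,3`, the one that commented out `UsePrivilegeSeparation sandbox`) changes what the shipped sshd_config.sample documents as the default, and neither the log message nor the patch file says why the local change is no longer needed. Commented-out lines in sshd_config only describe the compiled-in default, so whether effective behaviour changes depends on the 6.9p1 upstream defaults, which this chunk does not show. If upstream now matches the old port change, a one-line remark in the patch file's header (other patch files in this port carry such a description, e.g. the one at the top of patch-ssh-agent.c) would make that clear, something like `Local PermitRootLogin/UsePrivilegeSeparation changes dropped: upstream 6.9p1 defaults now match.`. If upstream does not match, the removal is a hardening regression for new installs that copy the sample into place and should be called out in the log.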
Modified: trunk/security/openssh-portable/files/patch-sshd_config.5
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config.5 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/files/patch-sshd_config.5 2015-08-01 13:35:29 UTC (rev 19655)
@@ -1,6 +1,6 @@
---- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500
-+++ sshd_config.5 2014-11-03 16:49:35.943778119 -0600
-@@ -304,7 +304,9 @@
+--- sshd_config.5.orig 2015-05-29 03:27:21.000000000 -0500
++++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500
+@@ -375,7 +375,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -11,16 +11,7 @@
The default is
.Dq yes .
.It Cm ChrootDirectory
-@@ -615,7 +617,7 @@
- .Pp
- .Pa /etc/hosts.equiv
- and
--.Pa /etc/shosts.equiv
-+.Pa /etc/ssh/shosts.equiv
- are still used.
- The default is
- .Dq yes .
-@@ -977,7 +979,22 @@
+@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -43,12 +34,10 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -1023,7 +1040,14 @@
- or
+@@ -1158,6 +1175,13 @@ or
.Dq no .
The default is
--.Dq yes .
-+.Dq no .
+ .Dq no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
@@ -59,7 +48,7 @@
.Pp
If this option is set to
.Dq without-password ,
-@@ -1178,7 +1202,9 @@
+@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
@@ -70,7 +59,7 @@
with successful RSA host authentication is allowed.
The default is
.Dq no .
-@@ -1343,7 +1369,7 @@
+@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
@@ -79,7 +68,19 @@
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1379,7 +1405,7 @@
+@@ -1520,7 +1546,10 @@ restrictions.
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+ The default is
+-.Dq none .
++.Dq %%SSH_VERSION_FREEBSD_PORT%% .
++The value
++.Dq none
++may be used to disable this.
+ .It Cm X11DisplayOffset
+ Specifies the first display number available for
+ .Xr sshd 8 Ns 's
+@@ -1534,7 +1563,7 @@ The argument must be
or
.Dq no .
The default is
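Review bot: The new default shown at `.Dq %%SSH_VERSION_FREEBSD_PORT%% .` is a ports placeholder, so the installed sshd_config.5 will print it literally unless the build substitutes it into the patched man page; the Makefile change that would do this is not in this chunk, so please confirm it exists and covers the man page, not only the config files. Since the text describes the addendum as appended to the protocol banner sent on every connection, the pointer to `.Dq none` for disabling it is worth keeping exactly as written here, and the substituted value should be checked in the built page rather than the source.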
Modified: trunk/security/openssh-portable/pkg-plist
===================================================================
--- trunk/security/openssh-portable/pkg-plist 2015-08-01 13:32:27 UTC (rev 19654)
+++ trunk/security/openssh-portable/pkg-plist 2015-08-01 13:35:29 UTC (rev 19655)
@@ -7,25 +7,15 @@
bin/ssh-agent
bin/ssh-keygen
bin/ssh-keyscan
-%%NOTBASE%%etc/ssh/moduli
-%%NOTBASE%%@exec if [ -f %D/etc/ssh_config -a ! -f %D/etc/ssh/ssh_config ]; then ln %D/etc/ssh_config %D/etc/ssh/ssh_config ; fi
-%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
-%%OVERWRITE_BASE%%@cwd /
-etc/ssh/ssh_config-dist
-etc/ssh/sshd_config-dist
-%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
-%%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
-%%NOTBASE%%@dirrmtry etc/ssh
- at exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
+%%ETCDIR%%/moduli
+ at sample %%ETCDIR%%/ssh_config.sample
+ at sample %%ETCDIR%%/sshd_config.sample
+%%X509%%@dir %%ETCDIR%%/ca
+ at exec if [ -f %D/%%ETCDIR%%/ssh_host_ecdsa_key ] && grep -q DSA %D/%%ETCDIR%%/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/%%ETCDIR%%/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/%%ETCDIR%%/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
sbin/sshd
libexec/sftp-server
libexec/ssh-keysign
libexec/ssh-pkcs11-helper
- at cwd %%MANPREFIX%%
man/man1/sftp.1.gz
man/man1/ssh-add.1.gz
man/man1/ssh-agent.1.gz
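Review bot: The `%%NOTBASE%%`/`%%OVERWRITE_BASE%%` conditionals and the `@cwd /` / `@cwd %%BASEPREFIX%%` switches are gone from the plist, so every path now installs under the package prefix; if the Makefile still exposes an OVERWRITE_BASE option (not visible in this chunk), it must be removed or re-wired in the same commit, otherwise that option would install the config files in the wrong place. The switch to `@sample` for ssh_config and sshd_config looks equivalent to the removed @exec/@unexec copy-if-absent and remove-if-unchanged pairs, but the old `ln` of a pre-existing `%D/etc/ssh_config` / `%D/etc/sshd_config` into etc/ssh is no longer performed, so an upgrade from a layout that relied on it should be tested before this lands.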