[Midnightbsd-cvs] mports [20908] trunk/security/openssh-portable: OpenSSH 7.1p2
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Thu Jan 14 21:09:51 EST 2016
Revision: 20908
http://svnweb.midnightbsd.org/mports/?rev=20908
Author: laffer1
Date: 2016-01-14 21:09:50 -0500 (Thu, 14 Jan 2016)
Log Message:
-----------
OpenSSH 7.1p2
Modified Paths:
--------------
trunk/security/openssh-portable/Makefile
trunk/security/openssh-portable/distinfo
trunk/security/openssh-portable/files/extra-patch-hpn
trunk/security/openssh-portable/files/extra-patch-tcpwrappers
trunk/security/openssh-portable/files/openssh.in
trunk/security/openssh-portable/files/patch-auth.c
trunk/security/openssh-portable/files/patch-auth2.c
trunk/security/openssh-portable/files/patch-readconf.c
trunk/security/openssh-portable/files/patch-regress__test-exec.sh
trunk/security/openssh-portable/files/patch-servconf.c
trunk/security/openssh-portable/files/patch-session.c
trunk/security/openssh-portable/files/patch-ssh-agent.1
trunk/security/openssh-portable/files/patch-ssh-agent.c
trunk/security/openssh-portable/files/patch-ssh.c
trunk/security/openssh-portable/files/patch-ssh_config
trunk/security/openssh-portable/files/patch-ssh_config.5
trunk/security/openssh-portable/files/patch-sshconnect.c
trunk/security/openssh-portable/files/patch-sshd.8
trunk/security/openssh-portable/files/patch-sshd.c
trunk/security/openssh-portable/files/patch-sshd_config
trunk/security/openssh-portable/files/patch-sshd_config.5
trunk/security/openssh-portable/pkg-message
Added Paths:
-----------
trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus
Removed Paths:
-------------
trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size
trunk/security/openssh-portable/files/patch-auth2-chall.c
Modified: trunk/security/openssh-portable/Makefile
===================================================================
--- trunk/security/openssh-portable/Makefile 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/Makefile 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,8 +1,8 @@
# $MidnightBSD$
PORTNAME= openssh
-DISTVERSION= 6.9p1
-PORTREVISION= 2
+DISTVERSION= 7.1p2
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -60,9 +60,9 @@
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 8.4
+X509_VERSION= 8.5
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-7.0p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
@@ -109,22 +109,17 @@
PATCHFILES+= openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz:-p1:gsskex
.endif
-
-.if ${OSVERSION} >= 4016
CONFIGURE_LIBS+= -lutil
-.endif
-# 900007 is when utmp(5) was removed and utmpx(3) added
-.if ${OSVERSION} >= 4016
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
-.else
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
-.endif
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hostkeyalg_plus:-p1
+
# Keep this last
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
.if ${PORT_OPTIONS:MX509}
+BROKEN= Patch does not apply with 7.1
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
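Review bot: `BROKEN= Patch does not apply with 7.1` on the line after `.if ${PORT_OPTIONS:MX509}` is overwritten by the inner `BROKEN= X509 patch and HPN patch do not apply cleanly together` whenever HPN or NONECIPHER is also selected, so those users see the stale conflict message instead of the real reason, which is that `X509_PATCHFILES` now names a 7.0p1 diff against a 7.1p2 tree. Move the 7.1 assignment below the inner `.endif` (or make it the `.else` branch) so the assignment that survives is the accurate one. The `.if ${PORT_OPTIONS:MX509}` block closes outside the hunk.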
Modified: trunk/security/openssh-portable/distinfo
===================================================================
--- trunk/security/openssh-portable/distinfo 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/distinfo 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,8 +1,8 @@
-SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe
-SIZE (openssh-6.9p1.tar.gz) = 1487617
-SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb
-SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687
+SHA256 (openssh-7.1p2.tar.gz) = dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd
+SIZE (openssh-7.1p2.tar.gz) = 1475829
+SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
+SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
+SHA256 (openssh-7.0p1+x509-8.5.diff.gz) = 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e
+SIZE (openssh-7.0p1+x509-8.5.diff.gz) = 411960
SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
-SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
-SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
Added: trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus 2016-01-15 02:09:50 UTC (rev 20908)
@@ -0,0 +1,51 @@
+Author: djm at mindrot.org
+
+Fix HostKeyAlgorithms `+' support.
+
+diff --git a/readconf.c b/readconf.c
+index 374e741..23d74fb 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
+ int i;
+ char vbuf[5];
+
++ /* This is normally prepared in ssh_kex2 */
++ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
++ fatal("%s: kex_assemble_names failed", __func__);
++
+ /* Most interesting options first: user, host, port */
+ dump_cfg_string(oUser, o->user);
+ dump_cfg_string(oHostName, host);
+@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
+ dump_cfg_string(oBindAddress, o->bind_address);
+ dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
+ dump_cfg_string(oControlPath, o->control_path);
+- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
++ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
+ dump_cfg_string(oHostKeyAlias, o->host_key_alias);
+ dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
+ dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
+diff --git a/servconf.c b/servconf.c
+index 04404a4..08c8139 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
+ options->hostbased_authentication = 0;
+ if (options->hostbased_uses_name_from_packet_only == -1)
+ options->hostbased_uses_name_from_packet_only = 0;
+- if (options->hostkeyalgorithms == NULL)
+- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+ if (options->rsa_authentication == -1)
+ options->rsa_authentication = 1;
+ if (options->pubkey_authentication == -1)
+@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
+ kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
+ kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
++ &options->hostkeyalgorithms) != 0 ||
++ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->hostbased_key_types) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->pubkey_key_types) != 0)
+
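Review bot: The header of the new patch names `djm at mindrot.org` but gives no upstream commit id or bug reference, so there is nothing to check the file against when the next upstream release is imported; add a line under `Author:` such as `Obtained from: <upstream commit id or bugzilla URL>`. On the servconf.c side, dropping the `xstrdup(KEX_DEFAULT_PK_ALG)` default leaves `options->hostkeyalgorithms` NULL until the `kex_assemble_names` group later in `fill_default_server_options` runs; any reader of the field between those two points is outside this hunk, so that gap is worth confirming against 7.1p2's sources before relying on it. The readconf.c change only touches `dump_client_config` (the `ssh -G` path); as the added comment states, the connection path is assumed to assemble the list in ssh_kex2.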
Property changes on: trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/extra-patch-hpn
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/extra-patch-hpn 2016-01-15 02:09:50 UTC (rev 20908)
@@ -447,9 +447,9 @@
echo ""
---- work.clean/openssh-6.8p1/kex.c 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/kex.c 2015-04-03 17:06:44.032682000 -0500
-@@ -587,6 +587,13 @@
+--- work.clean/openssh-6.8p1/kex.c.orig 2015-08-11 01:57:29.000000000 -0700
++++ work.clean/openssh-6.8p1/kex.c 2015-08-17 17:02:06.770901000 -0700
+@@ -652,6 +652,13 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
int r, first_kex_follows;
@@ -463,10 +463,10 @@
if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
(r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
-@@ -635,6 +642,17 @@
- if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
- sprop[ncomp])) != 0)
+@@ -709,6 +716,17 @@ kex_choose_conf(struct ssh *ssh)
+ peer[ncomp] = NULL;
goto out;
+ }
+#ifdef NONE_CIPHER_ENABLED
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
@@ -481,19 +481,6 @@
debug("kex: %s %s %s %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
---- work.clean/openssh-6.8p1/myproposal.h 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/myproposal.h 2015-04-03 16:43:33.747402000 -0500
-@@ -171,6 +171,10 @@
- #define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib"
- #define KEX_DEFAULT_LANG ""
-
-+#ifdef NONE_CIPHER_ENABLED
-+#define KEX_ENCRYPT_INCLUDE_NONE KEX_SERVER_ENCRYPT ",none"
-+#endif
-+
- #define KEX_CLIENT \
- KEX_CLIENT_KEX, \
- KEX_DEFAULT_PK_ALG, \
--- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500
@@ -2199,6 +2199,24 @@
@@ -548,9 +535,9 @@
/* OLD API */
extern struct ssh *active_state;
#include "opacket.h"
---- work.clean/openssh-6.8p1/readconf.c 2015-04-01 22:07:18.135435000 -0500
-+++ work/openssh-6.8p1/readconf.c 2015-04-03 15:10:44.188916000 -0500
-@@ -154,6 +154,12 @@
+--- work/openssh-6.9p1/readconf.c.orig 2015-07-27 13:32:13.169218000 -0500
++++ work/openssh-6.9p1/readconf.c 2015-07-27 13:33:00.429332000 -0500
+@@ -153,6 +153,12 @@ typedef enum {
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
@@ -563,10 +550,10 @@
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -276,6 +282,16 @@
- { "fingerprinthash", oFingerprintHash },
+@@ -277,6 +283,16 @@ static struct {
{ "updatehostkeys", oUpdateHostkeys },
{ "hostbasedkeytypes", oHostbasedKeyTypes },
+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+#ifdef NONE_CIPHER_ENABLED
+ { "noneenabled", oNoneEnabled },
+ { "noneswitch", oNoneSwitch },
@@ -580,7 +567,7 @@
{ "ignoreunknown", oIgnoreUnknown },
{ NULL, oBadOption }
-@@ -917,6 +933,44 @@
+@@ -906,6 +922,44 @@ parse_time:
intptr = &options->check_host_ip;
goto parse_flag;
@@ -625,7 +612,7 @@
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
multistate_ptr = multistate_yesnoask;
-@@ -1678,6 +1732,16 @@
+@@ -1665,6 +1719,16 @@ initialize_options(Options * options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->request_tty = -1;
@@ -642,7 +629,7 @@
options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
-@@ -1838,6 +1902,35 @@
+@@ -1826,6 +1890,35 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
@@ -1199,9 +1186,9 @@
debug("Authentication succeeded (%s).", authctxt.method->name);
}
---- work.clean/openssh-6.8p1/sshd.c.orig 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sshd.c 2015-05-06 13:29:02.129507000 -0500
-@@ -430,8 +430,13 @@ sshd_exchange_identification(int sock_in
+--- work.clean/openssh-7.1p1/sshd.c.orig 2015-08-20 21:49:03.000000000 -0700
++++ work.clean/openssh-7.1p1/sshd.c 2015-11-11 12:45:48.202186000 -0800
+@@ -431,8 +431,13 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1;
}
@@ -1216,7 +1203,7 @@
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
-@@ -1149,6 +1154,10 @@ server_listen(void)
+@@ -1155,6 +1160,10 @@ server_listen(void)
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1227,7 +1214,7 @@
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1189,6 +1198,13 @@ server_listen(void)
+@@ -1195,6 +1204,13 @@ server_listen(void)
debug("Bind to port %s on %s.", strport, ntop);
@@ -1241,10 +1228,26 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -2132,6 +2148,11 @@ main(int ac, char **av)
- remote_ip, remote_port,
- get_local_ipaddr(sock_in), get_local_port());
+@@ -1693,6 +1709,15 @@ main(int ac, char **av)
+ /* Fill in default values for those options not explicitly set. */
+ fill_default_server_options(&options);
++#ifdef NONE_CIPHER_ENABLED
++ if (options.none_enabled == 1) {
++ char *old_ciphers = options.ciphers;
++
++ xasprintf(&options.ciphers, "%s,none", old_ciphers);
++ free(old_ciphers);
++ }
++#endif
++
+ /* challenge-response is implemented via keyboard interactive */
+ if (options.challenge_response_authentication)
+ options.kbd_interactive_authentication = 1;
+@@ -2123,6 +2148,11 @@ main(int ac, char **av)
+ cleanup_exit(255);
+ }
+
+#ifdef HPN_ENABLED
+ /* set the HPN options for the child */
+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
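Review bot: The new block after `fill_default_server_options(&options)` formats `old_ciphers` with `%s` and frees it without checking for NULL; 7.1's fill_default_server_options presumably assembles `options.ciphers` first, but nothing here enforces that, and a NULL would be undefined behaviour rather than a clean failure. Guard it with `if (options.none_enabled == 1 && options.ciphers != NULL) {` so a missing list fails safe by not offering `none` at all. Note that `none` is now appended to whatever the operator put in `Ciphers`, even a deliberately short list, so the NoneEnabled text in sshd_config.5 (outside this hunk) should say so. main() begins and ends outside the hunk.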
@@ -1251,21 +1254,20 @@
+#endif
+
/*
- * We don't want to listen forever unless the other side
- * successfully authenticates itself. So we set up an alarm which is
-@@ -2531,6 +2552,12 @@ do_ssh2_kex(void)
- if (options.ciphers != NULL) {
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ * We use get_canonical_hostname with usedns = 0 instead of
+ * get_remote_ipaddr here so IP options will be checked.
+@@ -2539,6 +2569,11 @@ do_ssh2_kex(void)
+ struct kex *kex;
+ int r;
+
+#ifdef NONE_CIPHER_ENABLED
-+ } else if (options.none_enabled == 1) {
++ if (options.none_enabled == 1)
+ debug ("WARNING: None cipher enabled");
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
+#endif
- }
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
++
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ options.kex_algorithms);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
@@ -127,6 +127,20 @@
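Review bot: `debug ("WARNING: None cipher enabled")` in `do_ssh2_kex` is emitted only at LogLevel DEBUG, so a server that can now negotiate an unencrypted transport records nothing about it at the default log level; use `logit("WARNING: None cipher enabled");` (the space before the parenthesis also departs from the surrounding style). With the cipher list itself now extended in main(), this message is the only runtime indication that `none` is being offered, which is exactly what an operator reviewing logs needs to see. The function continues beyond the hunk.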
Deleted: trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/extra-patch-sshd-utmp-size 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,36 +0,0 @@
-r184122 | des | 2008-10-21 06:58:26 -0500 (Tue, 21 Oct 2008) | 11 lines
-Changed paths:
- M /head/crypto/openssh/loginrec.c
- M /head/crypto/openssh/sshd.c
-
-At some point, construct_utmp() was changed to use realhostname() to fill
-in the struct utmp due to concerns about the length of the hostname buffer.
-However, this breaks the UseDNS option. There is a simpler and better
-solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of
-MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the
-buffer.
-
-PR: bin/97499
-Submitted by: Bruce Cran <bruce at cran.org.uk>
-
-Index: sshd.c
-===================================================================
---- sshd.c.orig 2015-04-04 11:40:24.175508000 -0500
-+++ sshd.c 2015-04-04 11:40:38.082324000 -0500
-@@ -72,6 +72,7 @@
- #include <string.h>
- #include <unistd.h>
- #include <limits.h>
-+#include <utmp.h>
-
- #ifdef WITH_OPENSSL
- #include <openssl/dh.h>
-@@ -229,7 +230,7 @@ u_char *session_id2 = NULL;
- u_int session_id2_len = 0;
-
- /* record remote hostname or ip */
--u_int utmp_len = HOST_NAME_MAX+1;
-+u_int utmp_len = UT_HOSTSIZE;
-
- /* options.max_startup sized array of fd ints */
- int *startup_pipes = NULL;
Modified: trunk/security/openssh-portable/files/extra-patch-tcpwrappers
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-tcpwrappers 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/extra-patch-tcpwrappers 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,5 +1,4 @@
Revert TCPWRAPPER removal -bdrewery
-$FreeBSD$
commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
Author: Damien Miller <djm at mindrot.org>
Modified: trunk/security/openssh-portable/files/openssh.in
===================================================================
--- trunk/security/openssh-portable/files/openssh.in 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/openssh.in 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,6 +1,6 @@
#!/bin/sh
-# $FreeBSD: head/security/openssh-portable/files/openssh.in 381823 2015-03-21 19:28:40Z bdrewery $
+# $FreeBSD: head/security/openssh-portable/files/openssh.in 397771 2015-09-24 21:54:40Z bdrewery $
#
# PROVIDE: openssh
# REQUIRE: DAEMON
@@ -35,8 +35,7 @@
openssh_keygen()
{
- if [ -f %%ETCDIR%%/ssh_host_key -a \
- -f %%ETCDIR%%/ssh_host_dsa_key -a \
+ if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
-f %%ETCDIR%%/ssh_host_rsa_key -a \
-f %%ETCDIR%%/ssh_host_ecdsa_key -a \
-f %%ETCDIR%%/ssh_host_ed25519_key ]; then
@@ -49,15 +48,6 @@
[ -x %%PREFIX%%/bin/ssh-keygen ] ||
err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
- if [ -f %%ETCDIR%%/ssh_host_key ]; then
- echo "You already have an RSA host key" \
- "in %%ETCDIR%%/ssh_host_key"
- echo "Skipping protocol version 1 RSA Key Generation"
- else
- %%PREFIX%%/bin/ssh-keygen -t rsa1 -b 1024 \
- -f %%ETCDIR%%/ssh_host_key -N ''
- fi
-
if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
echo "You already have a DSA host key" \
"in %%ETCDIR%%/ssh_host_dsa_key"
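Review bot: With the protocol-1 `ssh_host_key` removed, `openssh_keygen` still requires and, presumably in the code below the hunk, generates `ssh_host_dsa_key` (the `-f %%ETCDIR%%/ssh_host_dsa_key -a \` test and the `You already have a DSA host key` branch), yet as of the 7.0 release sshd no longer offers ssh-dss host keys unless HostKeyAlgorithms re-enables them, so the 1024-bit DSA key is created for no use and a host that deliberately lacks it fails the all-keys-present test on every boot. Drop the DSA line from the test and the DSA generation branch, leaving RSA, ECDSA and Ed25519. The rest of openssh_keygen lies outside the hunk.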
Modified: trunk/security/openssh-portable/files/patch-auth.c
===================================================================
--- trunk/security/openssh-portable/files/patch-auth.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-auth.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines
Changed paths:
M /head/crypto/openssh/auth.c
Deleted: trunk/security/openssh-portable/files/patch-auth2-chall.c
===================================================================
--- trunk/security/openssh-portable/files/patch-auth2-chall.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-auth2-chall.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,52 +0,0 @@
-From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
-From: "djm at openbsd.org" <djm at openbsd.org>
-Date: Sat, 18 Jul 2015 07:57:14 +0000
-Subject: upstream commit
-
-only query each keyboard-interactive device once per
- authentication request regardless of how many times it is listed; ok markus@
-
-Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
----
- auth2-chall.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/auth2-chall.c b/auth2-chall.c
-index ddabe1a..4aff09d 100644
---- auth2-chall.c
-+++ auth2-chall.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */
-+/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
- /*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- * Copyright (c) 2001 Per Allansson. All rights reserved.
-@@ -83,6 +83,7 @@ struct KbdintAuthctxt
- void *ctxt;
- KbdintDevice *device;
- u_int nreq;
-+ u_int devices_done;
- };
-
- #ifdef USE_PAM
-@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
- if (len == 0)
- break;
- for (i = 0; devices[i]; i++) {
-- if (!auth2_method_allowed(authctxt,
-+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
-+ !auth2_method_allowed(authctxt,
- "keyboard-interactive", devices[i]->name))
- continue;
-- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-+ if (strncmp(kbdintctxt->devices, devices[i]->name,
-+ len) == 0) {
- kbdintctxt->device = devices[i];
-+ kbdintctxt->devices_done |= 1 << i;
-+ }
- }
- t = kbdintctxt->devices;
- kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
---
-cgit v0.11.2
-
Modified: trunk/security/openssh-portable/files/patch-auth2.c
===================================================================
--- trunk/security/openssh-portable/files/patch-auth2.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-auth2.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/auth2.c
Modified: trunk/security/openssh-portable/files/patch-readconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-readconf.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-readconf.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
base defaults
r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
Modified: trunk/security/openssh-portable/files/patch-regress__test-exec.sh
===================================================================
--- trunk/security/openssh-portable/files/patch-regress__test-exec.sh 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-regress__test-exec.sh 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,4 +1,4 @@
---- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 -0500
+--- regress/test-exec.sh.orig 2015-04-03 18:20:32.256126000 UTC
+++ regress/test-exec.sh 2015-04-03 18:20:41.599903000 -0500
@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
LogLevel DEBUG3
Modified: trunk/security/openssh-portable/files/patch-servconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-servconf.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-servconf.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,6 +1,6 @@
---- servconf.c.orig 2015-03-22 23:58:50.869706000 -0500
-+++ servconf.c 2015-03-22 23:59:46.645390000 -0500
-@@ -81,6 +81,7 @@
+--- servconf.c.orig 2015-08-17 20:37:29.913831000 UTC
++++ servconf.c 2015-08-17 20:37:29.950132000 -0700
+@@ -57,6 +57,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
@@ -8,7 +8,7 @@
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
-@@ -216,7 +217,7 @@ fill_default_server_options(ServerOption
+@@ -193,7 +194,7 @@ fill_default_server_options(ServerOption
/* Portable-specific options */
if (options->use_pam == -1)
@@ -15,18 +15,9 @@
- options->use_pam = 0;
+ options->use_pam = 1;
- /* X.509 Standard Options */
- #ifdef OPENSSL_FIPS
-@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption
- if (options->key_regeneration_time == -1)
- options->key_regeneration_time = 3600;
- if (options->permit_root_login == PERMIT_NOT_SET)
-- options->permit_root_login = PERMIT_YES;
-+ options->permit_root_login = PERMIT_NO;
- if (options->ignore_rhosts == -1)
- options->ignore_rhosts = 1;
- if (options->ignore_user_known_hosts == -1)
-@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+@@ -242,7 +243,7 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -35,9 +26,9 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -333,7 +334,11 @@ fill_default_server_options(ServerOption
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
+@@ -288,7 +289,11 @@ fill_default_server_options(ServerOption
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 0;
if (options->password_authentication == -1)
+#ifdef USE_PAM
+ options->password_authentication = 0;
@@ -47,8 +38,8 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -396,7 +401,7 @@ fill_default_server_options(ServerOption
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+@@ -412,7 +417,7 @@ fill_default_server_options(ServerOption
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
Modified: trunk/security/openssh-portable/files/patch-session.c
===================================================================
--- trunk/security/openssh-portable/files/patch-session.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-session.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,5 +1,5 @@
---- session.c 2013-03-14 19:22:37.000000000 -0500
-+++ session.c 2013-04-12 21:10:44.510757912 -0500
+--- session.c 2013-03-14 19:22:37 UTC
++++ session.c
@@ -1131,6 +1136,9 @@
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
Modified: trunk/security/openssh-portable/files/patch-ssh-agent.1
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.1 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.1 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
Modified: trunk/security/openssh-portable/files/patch-ssh-agent.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
Modified: trunk/security/openssh-portable/files/patch-ssh.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-ssh.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
M /head/crypto/openssh/ssh.c
Modified: trunk/security/openssh-portable/files/patch-ssh_config
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh_config 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-ssh_config 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
Document the FreeBSD default for CheckHostIP, which was changed in
Modified: trunk/security/openssh-portable/files/patch-ssh_config.5
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh_config.5 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-ssh_config.5 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
Document the FreeBSD default for CheckHostIP, which was changed in
Modified: trunk/security/openssh-portable/files/patch-sshconnect.c
===================================================================
--- trunk/security/openssh-portable/files/patch-sshconnect.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-sshconnect.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
Added for bindresvport_sa(3)
--- sshconnect.c.orig 2015-04-02 15:04:24.482112000 -0500
Modified: trunk/security/openssh-portable/files/patch-sshd.8
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd.8 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-sshd.8 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
Document FreeBSD/port-specific paths
--- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600
Modified: trunk/security/openssh-portable/files/patch-sshd.c
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd.c 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-sshd.c 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,3 +1,4 @@
+--- UTC
r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines
Changed paths:
M /head/crypto/openssh/sshd.c
Modified: trunk/security/openssh-portable/files/patch-sshd_config
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-sshd_config 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,4 +1,4 @@
---- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600
+--- sshd_config.orig 2013-02-11 18:02:09.000000000 UTC
+++ sshd_config 2013-05-13 06:46:45.153627197 -0500
@@ -10,6 +10,9 @@
# possible, but leave them commented. Uncommented options override the
Modified: trunk/security/openssh-portable/files/patch-sshd_config.5
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config.5 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/files/patch-sshd_config.5 2016-01-15 02:09:50 UTC (rev 20908)
@@ -1,4 +1,4 @@
---- sshd_config.5.orig 2015-05-29 03:27:21.000000000 -0500
+--- sshd_config.5.orig 2015-05-29 03:27:21.000000000 UTC
+++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500
@@ -375,7 +375,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Modified: trunk/security/openssh-portable/pkg-message
===================================================================
--- trunk/security/openssh-portable/pkg-message 2016-01-10 21:06:10 UTC (rev 20907)
+++ trunk/security/openssh-portable/pkg-message 2016-01-15 02:09:50 UTC (rev 20908)
@@ -11,5 +11,6 @@
by readjusting this option in your sshd_config.
Users are encouraged to create single-purpose users with ssh keys, disable
-Password auth with 'PasswordAuthentication no' and define very narrow sudo
+Password authentication by setting 'PasswordAuthentication no' and
+'ChallengeResponseAuthentication no', and to define very narrow sudo
privileges instead of using root for automated tasks.