[Midnightbsd-cvs] mports [22068] trunk/security/openssh-portable: openssh portable 7.3
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Fri Nov 4 18:06:21 EDT 2016
Revision: 22068
http://svnweb.midnightbsd.org/mports/?rev=22068
Author: laffer1
Date: 2016-11-04 18:06:21 -0400 (Fri, 04 Nov 2016)
Log Message:
-----------
openssh portable 7.3
Modified Paths:
--------------
trunk/security/openssh-portable/Makefile
trunk/security/openssh-portable/distinfo
trunk/security/openssh-portable/files/extra-patch-hpn
trunk/security/openssh-portable/files/extra-patch-ldns
trunk/security/openssh-portable/files/patch-auth2.c
trunk/security/openssh-portable/files/patch-readconf.c
trunk/security/openssh-portable/files/patch-servconf.c
trunk/security/openssh-portable/files/patch-ssh-agent.1
trunk/security/openssh-portable/pkg-descr
trunk/security/openssh-portable/pkg-message
trunk/security/openssh-portable/pkg-plist
Added Paths:
-----------
trunk/security/openssh-portable/files/extra-patch-hpn-gss-glue
trunk/security/openssh-portable/files/patch-configure.ac
trunk/security/openssh-portable/files/patch-kex.c
Modified: trunk/security/openssh-portable/Makefile
===================================================================
--- trunk/security/openssh-portable/Makefile 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/Makefile 2016-11-04 22:06:21 UTC (rev 22068)
@@ -1,8 +1,8 @@
# $MidnightBSD$
PORTNAME= openssh
-DISTVERSION= 7.1p2
-PORTREVISION= 0
+DISTVERSION= 7.3p1
+PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -17,7 +17,7 @@
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
-USES= alias
+USES= alias ncurses
USE_AUTOTOOLS= autoconf autoheader
USE_OPENSSL= yes
GNU_CONFIGURE= yes
@@ -60,14 +60,15 @@
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 8.5
+X509_VERSION= 9.0
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-7.0p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-7.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
-SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1
+SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
SCTP_CONFIGURE_WITH= sctp
+SCTP_BROKEN= does not apply to 7.3+
MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
@@ -90,6 +91,20 @@
EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
.endif
+# Must add this patch before HPN due to conflicts
+.if ${PORT_OPTIONS:MKERB_GSSAPI}
+# 7.3 patch taken from
+# http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch
+# which was originally based on 5.7 patch from
+# http://www.sxw.org.uk/computing/patches/
+# It is mirrored simply to apply gzip -9.
+. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+# Needed glue for applying HPN patch without conflict
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
+. endif
+PATCHFILES+= openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz:-p1:gsskex
+.endif
+
# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
PORTDOCS+= HPN-README
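Review bot: The provenance comment added above the GSSAPI `PATCHFILES` line does not match the file it describes: it says "7.3 patch" but the URL still names Debian's `1:7.1p2-2` package, while the fetched file is `openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz`. The comment also says the file is a re-compressed mirror, so the SHA256 in distinfo cannot be checked against any upstream artifact, and this comment is the only record of what was packaged. I would replace the URL line with the exact source(s) the `debian-rh-20160808` file was built from, e.g. `# 7.3p1 patch built from <exact Debian/Red Hat patch URLs>; re-compressed with gzip -9, contents otherwise unmodified`.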
@@ -100,26 +115,14 @@
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2
.endif
-# Must add this patch after HPN due to conflicts
-.if ${PORT_OPTIONS:MKERB_GSSAPI}
-# 6.7 patch taken from
-# http://sources.debian.net/data/main/o/openssh/1:6.7p1-3/debian/patches/gssapi.patch
-# which was originally based on 5.7 patch from
-# http://www.sxw.org.uk/computing/patches/
-PATCHFILES+= openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz:-p1:gsskex
-.endif
-
CONFIGURE_LIBS+= -lutil
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hostkeyalg_plus:-p1
-
# Keep this last
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
.if ${PORT_OPTIONS:MX509}
-BROKEN= Patch does not apply with 7.1
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
@@ -134,10 +137,6 @@
.endif
-. if ${PORT_OPTIONS:MKERB_GSSAPI}
-BROKEN= Does not apply to 6.8
-. endif
-
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
Modified: trunk/security/openssh-portable/distinfo
===================================================================
--- trunk/security/openssh-portable/distinfo 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/distinfo 2016-11-04 22:06:21 UTC (rev 22068)
@@ -1,8 +1,9 @@
-SHA256 (openssh-7.1p2.tar.gz) = dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd
-SIZE (openssh-7.1p2.tar.gz) = 1475829
-SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
-SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
-SHA256 (openssh-7.0p1+x509-8.5.diff.gz) = 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e
-SIZE (openssh-7.0p1+x509-8.5.diff.gz) = 411960
-SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
-SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
+TIMESTAMP = 1470675521
+SHA256 (openssh-7.3p1.tar.gz) = 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
+SIZE (openssh-7.3p1.tar.gz) = 1522617
+SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
+SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
+SHA256 (openssh-7.3p1+x509-9.0.diff.gz) = ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900
+SIZE (openssh-7.3p1+x509-9.0.diff.gz) = 571918
+SHA256 (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 83698da23a7d4dd24be9bc15ea7e801890dfc9303815135552c8ddfd158f1a95
+SIZE (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 26818
Modified: trunk/security/openssh-portable/files/extra-patch-hpn
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/files/extra-patch-hpn 2016-11-04 22:06:21 UTC (rev 22068)
@@ -447,23 +447,9 @@
echo ""
---- work.clean/openssh-6.8p1/kex.c.orig 2015-08-11 01:57:29.000000000 -0700
-+++ work.clean/openssh-6.8p1/kex.c 2015-08-17 17:02:06.770901000 -0700
-@@ -652,6 +652,13 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
-+#ifdef NONE_CIPHER_ENABLED
-+ /* XXX: Could this move into the lower block? */
-+ int auth_flag;
-+
-+ auth_flag = ssh_packet_authentication_state(ssh);
-+ debug ("AUTH STATE IS %d", auth_flag);
-+#endif
-
- if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
- (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
-@@ -709,6 +716,17 @@ kex_choose_conf(struct ssh *ssh)
+--- work.clean/openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800
+@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh)
peer[ncomp] = NULL;
goto out;
}
@@ -470,6 +456,9 @@
+#ifdef NONE_CIPHER_ENABLED
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
++ int auth_flag;
++
++ auth_flag = ssh_packet_authentication_state(ssh);
+ debug("Requesting NONE. Authflag is %d", auth_flag);
+ if (auth_flag == 1) {
+ debug("None requested post authentication.");
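Review bot: In the visible lines the request for the `none` cipher is reported only through `debug()`, so at the default log level nothing records that a session is about to run unencrypted. Unless the branch that continues outside this hunk already does so, I would add a line such as `logit("kex: none cipher negotiated after authentication");` inside the `auth_flag == 1` branch so the event is auditable. The bare `1` compared against `ssh_packet_authentication_state()` would also read better with a short comment saying which state it stands for. The rest of `kex_choose_conf` is outside the hunk.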
@@ -478,13 +467,13 @@
+ }
+ }
+#endif
- debug("kex: %s %s %s %s",
+ debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
---- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500
-@@ -2199,6 +2199,24 @@
- }
+--- work.clean/openssh-7.2p1/packet.c.orig 2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/packet.c 2016-02-29 08:05:15.744201000 -0800
+@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+ return 0;
}
+#ifdef NONE_CIPHER_ENABLED
@@ -506,10 +495,10 @@
+#endif
+
#define MAX_PACKETS (1U<<31)
- int
- ssh_packet_need_rekeying(struct ssh *ssh)
-@@ -2207,6 +2225,12 @@
-
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
+ /* Peer can't rekey */
if (ssh->compat & SSH_BUG_NOREKEY)
return 0;
+#ifdef NONE_CIPHER_ENABLED
@@ -518,9 +507,9 @@
+ return 1;
+ }
+#endif
- return
- (state->p_send.packets > MAX_PACKETS) ||
- (state->p_read.packets > MAX_PACKETS) ||
+
+ /*
+ * Permit one packet in or out per rekey - this allows us to
--- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500
@@ -188,6 +188,11 @@
@@ -686,7 +675,7 @@
int no_host_authentication_for_localhost;
--- work.clean/openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500
-@@ -750,7 +750,7 @@
+@@ -764,7 +764,7 @@ source(int argc, char **argv)
off_t i, statbytes;
size_t amt, nr;
int fd = -1, haderr, indx;
@@ -695,12 +684,12 @@
int len;
for (indx = 0; indx < argc; ++indx) {
-@@ -919,7 +919,7 @@
+@@ -932,7 +932,7 @@ sink(int argc, char **argv)
off_t size, statbytes;
unsigned long long ull;
int setimes, targisdir, wrerrno = 0;
-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
+- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
struct timeval tv[2];
#define atime tv[0]
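Review bot: The new side of this hunk gives `sink()` two 16384-byte automatic arrays (`buf` and `visbuf`) where upstream has two 2048-byte ones, so each call now takes roughly 32 KiB of stack. If `sink()` recurses once per directory level, as the `vect[1]` argument suggests, stack use grows with a nesting depth chosen by the remote side; the body is outside the hunk, so that needs confirming. I would at least replace the repeated literal with a named constant, e.g. `#define SCP_BUF_LEN 16384` and `buf[SCP_BUF_LEN], visbuf[SCP_BUF_LEN]`, and check that no remaining `2048` in the function is used as a length for either buffer.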
@@ -1110,8 +1099,8 @@
}
if (roaming_atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
---- work.clean/openssh-6.8p1/sshconnect2.c 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sshconnect2.c 2015-04-03 16:54:23.936298000 -0500
+--- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800
@@ -80,6 +80,14 @@
extern char *client_version_string;
extern char *server_version_string;
@@ -1127,7 +1116,7 @@
/*
* SSH2 key exchange
-@@ -153,13 +161,16 @@
+@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@@ -1137,6 +1126,7 @@
ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ char *s;
struct kex *kex;
int r;
@@ -1145,20 +1135,19 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -222,6 +233,10 @@
- kex->server_version_string=server_version_string;
- kex->verify_host_key=&verify_host_key_callback;
-
+@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+ packet_send();
+ packet_write_wait();
+ #endif
+#ifdef NONE_CIPHER_ENABLED
+ xxx_kex = kex;
+#endif
-+
- dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
+ }
- if (options.use_roaming && !kex->roaming) {
-@@ -423,6 +438,29 @@
+ /*
+@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co
pubkey_cleanup(&authctxt);
- dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+ ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+#ifdef NONE_CIPHER_ENABLED
+ /*
Added: trunk/security/openssh-portable/files/extra-patch-hpn-gss-glue
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-gss-glue (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-gss-glue 2016-11-04 22:06:21 UTC (rev 22068)
@@ -0,0 +1,24 @@
+--- sshconnect2.c.orig 2016-01-19 18:10:12.550854000 -0800
++++ sshconnect2.c 2016-01-19 18:10:27.290409000 -0800
+@@ -160,11 +160,6 @@ ssh_kex2(char *host, struct sockaddr *ho
+ struct kex *kex;
+ int r;
+
+-#ifdef GSSAPI
+- char *orig = NULL, *gss = NULL;
+- char *gss_host = NULL;
+-#endif
+-
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+
+@@ -199,6 +194,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+ }
+
+ #ifdef GSSAPI
++ char *orig = NULL, *gss = NULL;
++ char *gss_host = NULL;
++
+ if (options.gss_keyex) {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
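Review bot: This glue patch moves the `orig`, `gss` and `gss_host` declarations from the top of `ssh_kex2()` to a point after executable statements, directly under `#ifdef GSSAPI`. That is a mixed declaration and code, which needs C99 and will warn or fail if the build enables `-Wdeclaration-after-statement` with `-Werror`; it is worth checking the port's CFLAGS for the KERB_GSSAPI+HPN combination. The patch file also has no description, and patch(1) ignores text before the first `---`, so I would add a leading line such as `Move GSSAPI locals below the HPN-inserted lines so extra-patch-hpn applies after the gsskex patch.` The surrounding function body is outside the hunk.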
Property changes on: trunk/security/openssh-portable/files/extra-patch-hpn-gss-glue
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/extra-patch-ldns
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-ldns 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/files/extra-patch-ldns 2016-11-04 22:06:21 UTC (rev 22068)
@@ -35,9 +35,9 @@
+# VerifyHostKeyDNS yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
---- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
-+++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
-@@ -1246,7 +1246,10 @@ The argument must be
+--- ssh_config.5.orig 2016-02-25 19:40:04.000000000 -0800
++++ ssh_config.5 2016-02-29 07:57:41.763889000 -0800
+@@ -1715,7 +1715,10 @@
or
.Dq ask .
The default is
@@ -46,6 +46,6 @@
+if compiled with LDNS and
+.Dq no
+otherwise.
- Note that this option applies to protocol version 2 only.
.Pp
See also VERIFYING HOST KEYS in
+ .Xr ssh 1 .
Modified: trunk/security/openssh-portable/files/patch-auth2.c
===================================================================
--- trunk/security/openssh-portable/files/patch-auth2.c 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/files/patch-auth2.c 2016-11-04 22:06:21 UTC (rev 22068)
@@ -15,21 +15,22 @@
#include "dispatch.h"
#include "pathnames.h"
#include "buffer.h"
-@@ -219,6 +220,13 @@
+@@ -216,6 +217,14 @@ input_userauth_request(int type, u_int32
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
++ struct ssh *ssh = active_state; /* XXX */
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+
-+ from_host = get_canonical_hostname(options.use_dns);
-+ from_ip = get_remote_ipaddr();
++ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++ from_ip = ssh_remote_ipaddr(ssh);
+#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -265,6 +273,27 @@
+@@ -262,6 +271,27 @@ input_userauth_request(int type, u_int32
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
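Review bot: `struct ssh *ssh = active_state; /* XXX */` takes the connection from the global with a marker that does not say what the concern is or when it can be removed. I would spell it out, e.g. `/* XXX: relies on the global active_state; use the connection passed to the handler once one is available */`. Since `from_host` is obtained with `options.use_dns`, a short comment that the name may come from reverse DNS, while `from_ip` is the socket address, would help whoever reads the login-class host check that presumably consumes them further down, outside the visible lines.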
@@ -56,4 +57,4 @@
+
/* reset state */
auth2_challenge_stop(authctxt);
- #ifdef JPAKE
+
Added: trunk/security/openssh-portable/files/patch-configure.ac
===================================================================
--- trunk/security/openssh-portable/files/patch-configure.ac (rev 0)
+++ trunk/security/openssh-portable/files/patch-configure.ac 2016-11-04 22:06:21 UTC (rev 22068)
@@ -0,0 +1,11 @@
+--- configure.ac.intermediate 2016-02-03 22:06:00 UTC
++++ configure.ac
+@@ -1543,7 +1543,7 @@ AC_ARG_WITH([libedit],
+ LIBEDIT=`$PKGCONFIG --libs libedit`
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
+ else
+- LIBEDIT="-ledit -lcurses"
++ LIBEDIT="-ledit -lncurses"
+ fi
+ OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
+ AC_CHECK_LIB([edit], [el_init],
Property changes on: trunk/security/openssh-portable/files/patch-configure.ac
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/security/openssh-portable/files/patch-kex.c
===================================================================
--- trunk/security/openssh-portable/files/patch-kex.c (rev 0)
+++ trunk/security/openssh-portable/files/patch-kex.c 2016-11-04 22:06:21 UTC (rev 22068)
@@ -0,0 +1,33 @@
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "markus at openbsd.org" <markus at openbsd.org>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git kex.c kex.c
+index 3f97f8c..6a94bc5 100644
+--- kex.c
++++ kex.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
++/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
+ /*
+ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
+ *
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
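Review bot: Setting the `SSH2_MSG_KEXINIT` handler to `NULL` at the top of `kex_input_kexinit()` depends on code outside this hunk to re-register the handler before a legitimate rekey, and this port also applies the HPN patch to `kex.c`. The upstream fix was written against the unpatched file, so please confirm on the fully patched tree, with HPN and with KERB_GSSAPI enabled, that a client-initiated and a server-initiated rekey both still complete. The Makefile carries no sign that this is a backported upstream security fix; a comment there such as `# files/patch-kex.c: upstream KEXINIT fix, drop on next version update` would help ensure it is removed rather than carried forward.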
Property changes on: trunk/security/openssh-portable/files/patch-kex.c
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/patch-readconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-readconf.c 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/files/patch-readconf.c 2016-11-04 22:06:21 UTC (rev 22068)
@@ -29,10 +29,11 @@
#include <sys/wait.h>
#include <sys/un.h>
-@@ -281,7 +282,19 @@ add_local_forward(Options *options, cons
+@@ -311,8 +312,19 @@ add_local_forward(Options *options, cons
struct Forward *fwd;
- #ifndef NO_IPPORT_RESERVED_CONCEPT
extern uid_t original_real_uid;
+ int i;
+-
- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+ int ipport_reserved;
+#ifdef __FreeBSD__
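Review bot: The reserved-port limit is made configurable only under `#ifdef __FreeBSD__`, and this is the MidnightBSD ports tree. If the MidnightBSD toolchain does not define `__FreeBSD__`, the block is compiled out and `ipport_reserved` must get its value from an `#else` path that is not visible here; if none exists the privileged-port comparison would read an uninitialised variable. Please confirm which macro the base compiler defines and, if needed, widen the guard to `#if defined(__FreeBSD__) || defined(__MidnightBSD__)`. The body of the conditional lies outside the visible lines.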
@@ -49,8 +50,8 @@
+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 &&
newfwd->listen_path == NULL)
fatal("Privileged ports can only be forwarded by root.");
- #endif
-@@ -1674,7 +1687,7 @@ fill_default_options(Options * options)
+ /* Don't add duplicates */
+@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
Modified: trunk/security/openssh-portable/files/patch-servconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-servconf.c 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/files/patch-servconf.c 2016-11-04 22:06:21 UTC (rev 22068)
@@ -38,12 +38,3 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -412,7 +417,7 @@ fill_default_server_options(ServerOption
-
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
-- use_privsep = PRIVSEP_NOSANDBOX;
-+ use_privsep = PRIVSEP_ON;
-
- #define CLEAR_ON_NONE(v) \
- do { \
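Review bot: Dropping this hunk removes the port's local override of the default `use_privsep` value (`PRIVSEP_NOSANDBOX` replaced by `PRIVSEP_ON`) in `fill_default_server_options()`. That is only safe if the 7.3p1 source already defaults to the sandboxed mode; otherwise an sshd_config without an explicit `UsePrivilegeSeparation` line would silently lose the pre-auth sandbox after this update. Please check the default in the unpatched 7.3p1 `servconf.c`, and if it is still `PRIVSEP_NOSANDBOX`, keep the hunk rebased to the new line numbers. The commit log does not say why the override was removed.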
Modified: trunk/security/openssh-portable/files/patch-ssh-agent.1
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.1 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.1 2016-11-04 22:06:21 UTC (rev 22068)
@@ -10,8 +10,8 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
--.Op Fl Dd
-+.Op Fl Ddx
+-.Op Fl \&Dd
++.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
Modified: trunk/security/openssh-portable/pkg-descr
===================================================================
--- trunk/security/openssh-portable/pkg-descr 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/pkg-descr 2016-11-04 22:06:21 UTC (rev 22068)
@@ -5,11 +5,11 @@
version and adds portability code so that OpenSSH can run on many other
operating systems (Unfortunately, in particular since OpenSSH does
authentication, it runs into a *lot* of differences between Unix operating
-systems).
+systems).
The portable OpenSSH follows development of the official version, but releases
are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
The official OpenBSD source will never use the 'p' suffix, but will instead
-increment the version number when they hit 'stable spots' in their development.
+increment the version number when they hit 'stable spots' in their development.
WWW: http://www.openssh.org/portable.html
Modified: trunk/security/openssh-portable/pkg-message
===================================================================
--- trunk/security/openssh-portable/pkg-message 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/pkg-message 2016-11-04 22:06:21 UTC (rev 22068)
@@ -11,6 +11,6 @@
by readjusting this option in your sshd_config.
Users are encouraged to create single-purpose users with ssh keys, disable
-Password authentication by setting 'PasswordAuthentication no' and
+Password authentication by setting 'PasswordAuthentication no' and
'ChallengeResponseAuthentication no', and to define very narrow sudo
privileges instead of using root for automated tasks.
Modified: trunk/security/openssh-portable/pkg-plist
===================================================================
--- trunk/security/openssh-portable/pkg-plist 2016-11-02 16:28:03 UTC (rev 22067)
+++ trunk/security/openssh-portable/pkg-plist 2016-11-04 22:06:21 UTC (rev 22068)
@@ -1,5 +1,3 @@
- at comment slogin must be deleted first
-bin/slogin
bin/scp
bin/sftp
bin/ssh
@@ -23,7 +21,6 @@
man/man1/ssh-keyscan.1.gz
man/man1/scp.1.gz
man/man1/ssh.1.gz
-man/man1/slogin.1.gz
man/man5/moduli.5.gz
man/man5/ssh_config.5.gz
man/man5/sshd_config.5.gz