[Midnightbsd-cvs] mports [22423] trunk/security/openssh-portable: openssh 7.4p1
laffer1 at midnightbsd.org
Fri May 12 16:06:40 EDT 2017
Revision: 22423
http://svnweb.midnightbsd.org/mports/?rev=22423
Author: laffer1
Date: 2017-05-12 16:06:40 -0400 (Fri, 12 May 2017)
Log Message:
-----------
openssh 7.4p1
Modified Paths:
--------------
trunk/security/openssh-portable/Makefile
trunk/security/openssh-portable/distinfo
trunk/security/openssh-portable/files/extra-patch-hpn
trunk/security/openssh-portable/files/extra-patch-ldns
trunk/security/openssh-portable/files/extra-patch-tcpwrappers
trunk/security/openssh-portable/files/patch-readconf.c
trunk/security/openssh-portable/files/patch-session.c
trunk/security/openssh-portable/files/patch-ssh-agent.c
trunk/security/openssh-portable/files/patch-ssh_config.5
trunk/security/openssh-portable/files/patch-sshd_config.5
Added Paths:
-----------
trunk/security/openssh-portable/files/extra-patch-sctp
trunk/security/openssh-portable/files/extra-patch-x509-glue
trunk/security/openssh-portable/files/patch-misc.c
Removed Paths:
-------------
trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus
trunk/security/openssh-portable/files/patch-kex.c
Modified: trunk/security/openssh-portable/Makefile
===================================================================
--- trunk/security/openssh-portable/Makefile 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/Makefile 2017-05-12 20:06:40 UTC (rev 22423)
@@ -1,7 +1,7 @@
# $MidnightBSD$
PORTNAME= openssh
-DISTVERSION= 7.3p1
+DISTVERSION= 7.4p1
PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= security ipv6
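Review bot: PORTREVISION= 1 is carried across the DISTVERSION bump from 7.3p1 to 7.4p1; by ports convention the revision is reset (the line dropped) when the distribution version changes, so either reset it here or state in the log why it is deliberately kept.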
@@ -60,18 +60,19 @@
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 9.0
+X509_VERSION= 9.3
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-7.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue
+X509_PATCHFILES= ${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
-SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
+#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
SCTP_CONFIGURE_WITH= sctp
-SCTP_BROKEN= does not apply to 7.3+
+SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1
-MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
-HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
+MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5
+HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal
PAM_CONFIGURE_WITH= pam
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
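Review bot: the old `#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1` line is commented out rather than removed; now that the SCTP patch lives in-tree as ${FILESDIR}/extra-patch-sctp the commented line only invites confusion and should be deleted. The `:-p1` suffix on SCTP_EXTRA_PATCHES is correct, since the in-tree patch is a git-format diff with a/ and b/ path prefixes. The new `X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue` has no comment saying what the glue fixes against x509-9.3, unlike the HPN glue further down; a one-line comment would help the next rebase.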
@@ -93,8 +94,8 @@
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI}
-# 7.3 patch taken from
-# http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch
+# Patch from:
+# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
# which was originally based on 5.7 patch from
# http://www.sxw.org.uk/computing/patches/
# It is mirrored simply to apply gzip -9.
@@ -102,7 +103,7 @@
# Needed glue for applying HPN patch without conflict
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
. endif
-PATCHFILES+= openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz:-p1:gsskex
+PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex
.endif
# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
Modified: trunk/security/openssh-portable/distinfo
===================================================================
--- trunk/security/openssh-portable/distinfo 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/distinfo 2017-05-12 20:06:40 UTC (rev 22423)
@@ -1,9 +1,9 @@
-TIMESTAMP = 1470675521
-SHA256 (openssh-7.3p1.tar.gz) = 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
-SIZE (openssh-7.3p1.tar.gz) = 1522617
+TIMESTAMP = 1484161900
+SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
+SIZE (openssh-7.4p1.tar.gz) = 1511780
SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.3p1+x509-9.0.diff.gz) = ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900
-SIZE (openssh-7.3p1+x509-9.0.diff.gz) = 571918
-SHA256 (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 83698da23a7d4dd24be9bc15ea7e801890dfc9303815135552c8ddfd158f1a95
-SIZE (openssh-7.3p1-gsskex-all-20141021-debian-rh-20160808.patch.gz) = 26818
+SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee
+SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572
+SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
+SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
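Review bot: the SHA256 and SIZE entries for openssh-7.2_p1-sctp.patch.gz are kept although the Makefile no longer fetches that file (its SCTP_PATCHFILES line is commented out); stale distinfo entries do not break the build but they are misleading, and running `make makesum` after removing the Makefile line would drop them. The new checksums for the 7.4p1 tarball and the x509-9.3 and gsskex patches should be compared against the upstream-published values rather than only regenerated from the downloaded files.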
Deleted: trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/extra-patch-hostkeyalg_plus 2017-05-12 20:06:40 UTC (rev 22423)
@@ -1,51 +0,0 @@
-Author: djm at mindrot.org
-
-Fix HostKeyAlgorithms `+' support.
-
-diff --git a/readconf.c b/readconf.c
-index 374e741..23d74fb 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
- int i;
- char vbuf[5];
-
-+ /* This is normally prepared in ssh_kex2 */
-+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
-+ fatal("%s: kex_assemble_names failed", __func__);
-+
- /* Most interesting options first: user, host, port */
- dump_cfg_string(oUser, o->user);
- dump_cfg_string(oHostName, host);
-@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
- dump_cfg_string(oBindAddress, o->bind_address);
- dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
- dump_cfg_string(oControlPath, o->control_path);
-- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
-+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
- dump_cfg_string(oHostKeyAlias, o->host_key_alias);
- dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
- dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
-diff --git a/servconf.c b/servconf.c
-index 04404a4..08c8139 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
- options->hostbased_authentication = 0;
- if (options->hostbased_uses_name_from_packet_only == -1)
- options->hostbased_uses_name_from_packet_only = 0;
-- if (options->hostkeyalgorithms == NULL)
-- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
- if (options->rsa_authentication == -1)
- options->rsa_authentication = 1;
- if (options->pubkey_authentication == -1)
-@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
- kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
-+ &options->hostkeyalgorithms) != 0 ||
-+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->hostbased_key_types) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->pubkey_key_types) != 0)
-
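Review bot: the log message "openssh 7.4p1" does not say why extra-patch-hostkeyalg_plus (and patch-kex.c, listed under Removed Paths) are being dropped. If djm's HostKeyAlgorithms `+` fix to dump_client_config() and fill_default_server_options() is part of upstream 7.4p1, record that in the log so the next maintainer does not reapply it; if it is not, the fix still needs to be carried forward, since without it the server-side hostkeyalgorithms default is never assembled through kex_assemble_names().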
Modified: trunk/security/openssh-portable/files/extra-patch-hpn
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/extra-patch-hpn 2017-05-12 20:06:40 UTC (rev 22423)
@@ -300,7 +300,7 @@
#endif
--- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500
-@@ -244,7 +244,13 @@
+@@ -273,7 +273,13 @@ ciphers_valid(const char *names)
for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
(p = strsep(&cp, CIPHER_SEP))) {
c = cipher_by_name(p);
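Review bot: the embedded file headers still name work.clean/openssh-6.8p1/cipher.c (and openssh-7.1p1 and openssh-7.2p1 trees further down) while only the hunk offsets are refreshed for 7.4p1, e.g. `@@ -273,7 +273,13 @@ ciphers_valid(const char *names)`. patch(1) locates hunks by their context rather than the header timestamps, so this applies, but the stale headers make it impossible to tell from the file which base the rebased hunks were generated against. Regenerating the extra patch against the 7.4p1 work tree, or a comment at the top naming the base version, would make future rebases easier.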
@@ -315,7 +315,7 @@
free(cipher_list);
return 0;
}
-@@ -545,6 +551,9 @@
+@@ -605,6 +611,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c
switch (c->number) {
#ifdef WITH_OPENSSL
@@ -325,7 +325,7 @@
case SSH_CIPHER_SSH2:
case SSH_CIPHER_DES:
case SSH_CIPHER_BLOWFISH:
-@@ -593,6 +602,9 @@
+@@ -653,6 +662,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c
switch (c->number) {
#ifdef WITH_OPENSSL
@@ -695,7 +695,7 @@
#define atime tv[0]
--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500
+++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500
-@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions
+@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions
options->authorized_principals_file = NULL;
options->authorized_principals_command = NULL;
options->authorized_principals_command_user = NULL;
@@ -710,7 +710,7 @@
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
-@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption
+@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption
}
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
@@ -768,7 +768,7 @@
if (options->ip_qos_interactive == -1)
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
-@@ -406,6 +465,12 @@ typedef enum {
+@@ -412,6 +471,12 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@@ -781,7 +781,7 @@
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -537,6 +602,14 @@ static struct {
+@@ -548,6 +613,14 @@ static struct {
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -796,7 +796,7 @@
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions
+@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
@@ -819,8 +819,8 @@
+ goto parse_int;
+#endif
+
- case sRhostsRSAAuthentication:
- intptr = &options->rhosts_rsa_authentication;
+ case sHostbasedAuthentication:
+ intptr = &options->hostbased_authentication;
goto parse_flag;
--- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
@@ -842,7 +842,7 @@
int num_permitted_opens;
--- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500
-@@ -1051,6 +1051,12 @@
+@@ -526,6 +526,12 @@ server_request_tun(void)
sock = tun_open(tun, mode);
if (sock < 0)
goto done;
@@ -855,7 +855,7 @@
c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
-@@ -1088,6 +1094,10 @@
+@@ -563,6 +569,10 @@ server_request_session(void)
c = channel_new("session", SSH_CHANNEL_LARVAL,
-1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
@@ -1101,7 +1101,7 @@
strlen(client_version_string)) != strlen(client_version_string))
--- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800
+++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800
-@@ -80,6 +80,14 @@
+@@ -81,6 +81,14 @@
extern char *client_version_string;
extern char *server_version_string;
extern Options options;
@@ -1116,7 +1116,7 @@
/*
* SSH2 key exchange
-@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc
+@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@@ -1145,10 +1145,10 @@
}
/*
-@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co
- pubkey_cleanup(&authctxt);
- ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
+ if (!authctxt.success)
+ fatal("Authentication failed.");
+#ifdef NONE_CIPHER_ENABLED
+ /*
+ * if the user wants to use the none cipher do it
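Review bot: the NONE-cipher switch-over block is now anchored after `if (!authctxt.success) fatal("Authentication failed.");` instead of after `pubkey_cleanup(&authctxt);`. That is the right place: it guarantees the downgrade to the none cipher can only be negotiated on a session that has already authenticated, and the block must remain after that check on any future rebase.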
@@ -1177,13 +1177,13 @@
--- work.clean/openssh-7.1p1/sshd.c.orig 2015-08-20 21:49:03.000000000 -0700
+++ work.clean/openssh-7.1p1/sshd.c 2015-11-11 12:45:48.202186000 -0800
-@@ -431,8 +431,13 @@ sshd_exchange_identification(int sock_in
- minor = PROTOCOL_MINOR_1;
- }
+@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh
+ char buf[256]; /* Must not be larger than remote_version. */
+ char remote_version[256]; /* Must be at least as big as buf. */
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
- major, minor, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN,
+#else
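Review bot: the refreshed context shows the banner is now built from PROTOCOL_MAJOR_2 and PROTOCOL_MINOR_2 (protocol 1 server support is gone in 7.4), and the HPN hunk still appends SSH_HPN to it unless `options.hpn_disabled` is set. The banner is sent to every client before any authentication, so operators who would rather not advertise the HPN build should be told, in pkg-message or the sshd_config.5 patch, that the option behind `options.hpn_disabled` controls this.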
@@ -1192,7 +1192,7 @@
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
-@@ -1155,6 +1160,10 @@ server_listen(void)
+@@ -1027,6 +1032,10 @@ server_listen(void)
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1203,7 +1203,7 @@
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1195,6 +1204,13 @@ server_listen(void)
+@@ -1067,6 +1076,13 @@ server_listen(void)
debug("Bind to port %s on %s.", strport, ntop);
@@ -1217,7 +1217,7 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1693,6 +1709,15 @@ main(int ac, char **av)
+@@ -1591,6 +1607,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1233,9 +1233,9 @@
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2123,6 +2148,11 @@ main(int ac, char **av)
- cleanup_exit(255);
+@@ -2085,6 +2110,11 @@ main(int ac, char **av)
}
+ #endif
+#ifdef HPN_ENABLED
+ /* set the HPN options for the child */
@@ -1243,9 +1243,9 @@
+#endif
+
/*
- * We use get_canonical_hostname with usedns = 0 instead of
- * get_remote_ipaddr here so IP options will be checked.
-@@ -2539,6 +2569,11 @@ do_ssh2_kex(void)
+ * In privilege separation, we fork another child and prepare
+ * file descriptor passing.
+@@ -2163,6 +2193,11 @@ do_ssh2_kex(void)
struct kex *kex;
int r;
@@ -1259,7 +1259,7 @@
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
-@@ -127,6 +127,20 @@
+@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
Modified: trunk/security/openssh-portable/files/extra-patch-ldns
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-ldns 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/extra-patch-ldns 2017-05-12 20:06:40 UTC (rev 22423)
@@ -35,17 +35,17 @@
+# VerifyHostKeyDNS yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
---- ssh_config.5.orig 2016-02-25 19:40:04.000000000 -0800
-+++ ssh_config.5 2016-02-29 07:57:41.763889000 -0800
-@@ -1715,7 +1715,10 @@
- or
- .Dq ask .
+--- ssh_config.5.orig 2016-12-18 20:59:41.000000000 -0800
++++ ssh_config.5 2017-01-11 11:24:25.573200000 -0800
+@@ -1635,7 +1635,10 @@ need to confirm new host keys according
+ .Cm StrictHostKeyChecking
+ option.
The default is
--.Dq no .
-+.Dq yes
+-.Cm no .
++.Cm yes
+if compiled with LDNS and
-+.Dq no
++.Cm no
+otherwise.
.Pp
- See also VERIFYING HOST KEYS in
- .Xr ssh 1 .
+ See also
+ .Sx VERIFYING HOST KEYS
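Review bot: switching `.Dq` to `.Cm` matches the markup the 7.4p1 ssh_config.5 uses for option values, and the rebased context confirms the text still lands in the VerifyHostKeyDNS description. Because this port flips the default to `yes` when built with LDNS, the added sentence should also spell out the consequence for users: a host key whose fingerprint matches a DNSSEC-validated SSHFP record is accepted without the usual new-host-key confirmation, while unvalidated records fall back to the `ask` behaviour.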
Added: trunk/security/openssh-portable/files/extra-patch-sctp
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-sctp (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-sctp 2017-05-12 20:06:40 UTC (rev 22423)
@@ -0,0 +1,873 @@
+From 9ee55407a8a0fbaa0be5b5a70c6907f7a3fd061f Mon Sep 17 00:00:00 2001
+From: rse <seggelmann at fh-muenster.de>
+Date: Thu, 19 Mar 2015 20:08:09 -0400
+Subject: [PATCH] add sctp support
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=1604
+https://bugzilla.mindrot.org/show_bug.cgi?id=2016
+
+People who have helped out:
+Jan F. Chadima <jchadima at redhat.com>
+rse <seggelmann at fh-muenster.de>
+<openssh at ml.breakpoint.cc>
+Joshua Kinard <kumba at gentoo.org>
+Mike Frysinger <vapier at gentoo.org>
+---
+ configure.ac | 14 ++++++
+ misc.c | 39 +++++++++++++---
+ readconf.c | 23 ++++++++++
+ readconf.h | 5 +++
+ scp.1 | 5 ++-
+ scp.c | 7 +++
+ servconf.c | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ servconf.h | 8 ++++
+ ssh.1 | 5 ++-
+ ssh.c | 14 +++++-
+ ssh_config.5 | 6 +++
+ sshconnect.c | 55 +++++++++++++++++++++++
+ sshd.c | 140 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ sshd_config.5 | 11 +++++
+ 14 files changed, 445 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7258cc0..2cb034b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4054,6 +4054,19 @@ AC_ARG_WITH([selinux],
+ AC_SUBST([SSHLIBS])
+ AC_SUBST([SSHDLIBS])
+
++#check whether user wants SCTP support
++SCTP_MSG="no"
++AC_ARG_WITH(sctp,
++ [ --with-sctp Enable SCTP support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(SCTP,1,[Define if you want SCTP support.])
++ AC_CHECK_FUNCS(sctp_recvmsg, , AC_CHECK_LIB(sctp, sctp_recvmsg, ,
++ [AC_MSG_ERROR([*** Can not use SCTP - maybe libsctp-dev is missing ***])]
++ ))
++ SCTP_MSG="yes"
++ fi ]
++)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH([kerberos5],
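Review bot: `AC_DEFINE(SCTP,1,...)` chooses a very generic macro name that can collide with system or vendor headers; `WITH_SCTP` or `HAVE_SCTP` would be safer and matches the naming of the other feature macros. The `AC_CHECK_LIB(sctp, ...)` fallback also appends libsctp to the global LIBS, while the surrounding code keeps per-program libraries in SSHLIBS and SSHDLIBS, so every utility would link against libsctp on platforms that need the library (on FreeBSD the sctp_* functions are in libc, so there the point is moot).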
+@@ -4977,6 +4990,7 @@ echo " PAM support: $PAM_MSG"
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
+ echo " SELinux support: $SELINUX_MSG"
++echo " SCTP support: $SCTP_MSG"
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
+ echo " MD5 password support: $MD5_MSG"
+diff --git a/misc.c b/misc.c
+index de7e1fa..17973d0 100644
+--- a/misc.c
++++ b/misc.c
+@@ -62,6 +62,10 @@
+ #include "log.h"
+ #include "ssh.h"
+
++#ifdef SCTP
++#include <netinet/sctp.h>
++#endif
++
+ /* remove newline at end of string */
+ char *
+ chop(char *s)
+@@ -140,21 +144,46 @@ void
+ set_nodelay(int fd)
+ {
+ int opt;
++ int is_tcp = 1;
++ int ret;
+ socklen_t optlen;
+
+ optlen = sizeof opt;
+ if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) {
+- debug("getsockopt TCP_NODELAY: %.100s", strerror(errno));
++#ifdef SCTP
++ /* TCP_NODELAY failed, try SCTP_NODELAY */
++ if (getsockopt(fd, IPPROTO_SCTP, SCTP_NODELAY, &opt, &optlen) == -1) {
++ debug("getsockopt TCP_NODELAY/SCTP_NODELAY: %.100s", strerror(errno));
++ return;
++ }
++ is_tcp = 0;
++#else
+ return;
++#endif
+ }
+ if (opt == 1) {
+- debug2("fd %d is TCP_NODELAY", fd);
++ debug2("fd %d is TCP_NODELAY/SCTP_NODELAY", fd);
+ return;
+ }
+ opt = 1;
+- debug2("fd %d setting TCP_NODELAY", fd);
+- if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1)
+- error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
++ debug2("fd %d setting TCP_NODELAY/SCTP_NODELAY", fd);
++
++ if (is_tcp) {
++ ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt,
++ sizeof(opt));
++ if (ret < 0)
++ error("setsockopt TCP_NODELAY: %.100s",
++ strerror(errno));
++ }
++#ifdef SCTP
++ else {
++ ret = setsockopt(fd, IPPROTO_SCTP, SCTP_NODELAY, &opt,
++ sizeof(opt));
++ if (ret < 0)
++ error("setsockopt SCTP_NODELAY: %.100s",
++ strerror(errno));
++ }
++#endif
+ }
+
+ /* Characters considered whitespace in strsep calls. */
+diff --git a/readconf.c b/readconf.c
+index 69d4553..83a2c06 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -136,6 +136,7 @@ typedef enum {
+ oChallengeResponseAuthentication, oXAuthLocation,
+ oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
+ oCertificateFile, oAddKeysToAgent, oIdentityAgent,
++ oTransport,
+ oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
+ oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
+ oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
+@@ -208,6 +209,11 @@ static struct {
+ { "hostname", oHostName },
+ { "hostkeyalias", oHostKeyAlias },
+ { "proxycommand", oProxyCommand },
++#ifdef SCTP
++ { "transport", oTransport },
++#else
++ { "transport", oUnsupported },
++#endif
+ { "port", oPort },
+ { "cipher", oCipher },
+ { "ciphers", oCiphers },
+@@ -1094,6 +1100,20 @@ parse_command:
+ *charptr = xstrdup(s + len);
+ return 0;
+
++ case oTransport:
++ arg = strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing transport protocol specification",
++ filename, linenum);
++ if (strcasecmp(arg, "tcp") == 0)
++ options->transport = TRANSPORT_TCP;
++ else if (strcasecmp(arg, "sctp") == 0)
++ options->transport = TRANSPORT_SCTP;
++ else
++ fatal("%s line %d: unknown transport protocol specified",
++ filename, linenum);
++ break;
++
+ case oPort:
+ intptr = &options->port;
+ parse_int:
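Review bot: `case oTransport` assigns `options->transport` unconditionally, whereas the other option handlers in readconf.c only store a value when `*activep` is true (the directive sits inside a matching Host or Match block) and the option is still unset, so the first value seen wins. As written, a `Transport sctp` inside a non-matching Host block still takes effect and a later directive overrides an earlier one. Guard the assignments with `if (*activep && options->transport == -1)`.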
+@@ -1660,6 +1680,7 @@ initialize_options(Options * options)
+ options->compression = -1;
+ options->tcp_keep_alive = -1;
+ options->compression_level = -1;
++ options->transport = -1;
+ options->port = -1;
+ options->address_family = -1;
+ options->connection_attempts = -1;
+@@ -1799,6 +1820,8 @@ fill_default_options(Options * options)
+ options->tcp_keep_alive = 1;
+ if (options->compression_level == -1)
+ options->compression_level = 6;
++ if (options->transport == -1)
++ options->transport = TRANSPORT_TCP;
+ if (options->port == -1)
+ options->port = 0; /* Filled in ssh_connect. */
+ if (options->address_family == -1)
+diff --git a/readconf.h b/readconf.h
+index c84d068..28fa3ec 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -28,6 +28,10 @@ struct allowed_cname {
+ char *target_list;
+ };
+
++/* Transport protocols */
++#define TRANSPORT_TCP 1
++#define TRANSPORT_SCTP 2
++
+ typedef struct {
+ int forward_agent; /* Forward authentication agent. */
+ int forward_x11; /* Forward X11 display. */
+@@ -61,6 +65,7 @@ typedef struct {
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ LogLevel log_level; /* Level for logging. */
+
++ int transport; /* Transport protocol used. */
+ int port; /* Port to connect. */
+ int address_family;
+ int connection_attempts; /* Max attempts (seconds) before
+diff --git a/scp.1 b/scp.1
+index 54ea352..d12802e 100644
+--- a/scp.1
++++ b/scp.1
+@@ -19,7 +19,7 @@
+ .Sh SYNOPSIS
+ .Nm scp
+ .Bk -words
+-.Op Fl 12346BCpqrv
++.Op Fl 12346BCpqrvz
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -181,6 +181,7 @@ For full details of the options listed below, and their possible values, see
+ .It ServerAliveCountMax
+ .It StrictHostKeyChecking
+ .It TCPKeepAlive
++.It Transport
+ .It UpdateHostKeys
+ .It UsePrivilegedPort
+ .It User
+@@ -222,6 +223,8 @@ and
+ to print debugging messages about their progress.
+ This is helpful in
+ debugging connection, authentication, and configuration problems.
++.It Fl z
++Use the SCTP protocol for connection instead of TCP which is the default.
+ .El
+ .Sh EXIT STATUS
+ .Ex -std scp
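Review bot: `-z` is documented unconditionally in scp.1, both in the synopsis and in the option list, while scp.c only accepts it `#ifdef SCTP` (see the getopt string and `case 'z'` in the scp.c hunk); a binary built without SCTP will reject an option its own man page advertises. Either say in the man page that the flag is only available when built with SCTP support, or accept it always and fail with a clear message.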
+diff --git a/scp.c b/scp.c
+index 0bdd7cb..8c456d4 100644
+--- a/scp.c
++++ b/scp.c
+@@ -396,7 +396,11 @@ main(int argc, char **argv)
+ addargs(&args, "-oClearAllForwardings=yes");
+
+ fflag = tflag = 0;
++#ifdef SCTP
++ while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:z")) != -1)
++#else
+ while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++#endif
+ switch (ch) {
+ /* User-visible flags. */
+ case '1':
+@@ -404,6 +408,9 @@ main(int argc, char **argv)
+ case '4':
+ case '6':
+ case 'C':
++#ifdef SCTP
++ case 'z':
++#endif
+ addargs(&args, "-%c", ch);
+ addargs(&remote_remote_args, "-%c", ch);
+ break;
+diff --git a/servconf.c b/servconf.c
+index b19d30e..14b0a0f 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions *options)
+ options->ciphers = NULL;
+ options->macs = NULL;
+ options->kex_algorithms = NULL;
++ options->transport = -1;
+ options->fwd_opts.gateway_ports = -1;
+ options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+ options->fwd_opts.streamlocal_bind_unlink = -1;
+@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
+ options->allow_streamlocal_forwarding = FORWARD_ALLOW;
+ if (options->allow_agent_forwarding == -1)
+ options->allow_agent_forwarding = 1;
++ if (options->transport == -1)
++ options->transport = TRANSPORT_TCP;
+ if (options->fwd_opts.gateway_ports == -1)
+ options->fwd_opts.gateway_ports = 0;
+ if (options->max_startups == -1)
+@@ -406,6 +409,7 @@ typedef enum {
+ sKerberosTgtPassing, sChallengeResponseAuthentication,
+ sPasswordAuthentication, sKbdInteractiveAuthentication,
+ sListenAddress, sAddressFamily,
++ sTransport, sListenMultipleAddresses,
+ sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+@@ -504,6 +508,13 @@ static struct {
+ { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+ { "checkmail", sDeprecated, SSHCFG_GLOBAL },
+ { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
++#ifdef SCTP
++ { "listenmultipleaddresses", sListenMultipleAddresses, SSHCFG_GLOBAL },
++ { "transport", sTransport, SSHCFG_GLOBAL },
++#else
++ { "listenmultipleaddresses", sUnsupported, SSHCFG_GLOBAL },
++ { "transport", sUnsupported, SSHCFG_GLOBAL },
++#endif
+ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+ { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
+ #ifdef DISABLE_LASTLOG
+@@ -717,6 +728,79 @@ get_connection_info(int populate, int use_dns)
+ return &ci;
+ }
+
++#ifdef SCTP
++static void
++add_one_listen_multiple_addr(ServerOptions *options, char *addr, int port, int last)
++{
++ struct addrinfo hints, *ai, *aitop;
++ char strport[NI_MAXSERV];
++ int gaierr;
++
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = options->address_family;
++ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
++ snprintf(strport, sizeof strport, "%d", port);
++ if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
++ fatal("bad addr or host: %s (%s)",
++ addr ? addr : "<NULL>",
++ ssh_gai_strerror(gaierr));
++ /* Mark addresses as multihomed */
++ for (ai = aitop; ai->ai_next; ai = ai->ai_next)
++ ai->ai_flags = IS_MULTIPLE_ADDR;
++ ai->ai_flags = IS_MULTIPLE_ADDR;
++ ai->ai_next = options->listen_addrs;
++ options->listen_addrs = aitop;
++
++ if (last) {
++ aitop->ai_flags = 0;
++ }
++}
++
++static void
++add_listen_multiple_addrs(ServerOptions *options, char *addrs, int port)
++{
++ u_int i, num_addrs;
++ char **addrsptr, *p;
++
++ if (options->num_ports == 0)
++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
++ if (options->address_family == -1)
++ options->address_family = AF_UNSPEC;
++
++ num_addrs = 1;
++ p = addrs;
++ while ((p = strchr(p, ',')) != NULL) {
++ num_addrs++;
++ p++;
++ }
++ debug("found %d addresses for multi-homing", num_addrs);
++
++ addrsptr = xmalloc(num_addrs * sizeof(char*));
++ p = addrs;
++ for (i = 0; i < num_addrs; i++) {
++ addrsptr[i] = p;
++ p = strchr(p+1, ',');
++ if (p != NULL)
++ *(p++) = '\0';
++ }
++
++ if (port == 0)
++ for (i = 0; i < options->num_ports; i++) {
++ while (--num_addrs)
++ add_one_listen_multiple_addr(options, addrsptr[num_addrs], options->ports[i], 0);
++ add_one_listen_multiple_addr(options, addrs, options->ports[i], 1);
++ }
++ else {
++ while (--num_addrs)
++ add_one_listen_multiple_addr(options, addrsptr[num_addrs], port, 0);
++ add_one_listen_multiple_addr(options, addrs, port, 1);
++ }
++
++ free(addrsptr);
++}
++#endif
++
+ /*
+ * The strategy for the Match blocks is that the config file is parsed twice.
+ *
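Review bot: in add_listen_multiple_addrs() the `while (--num_addrs)` loop consumes `num_addrs` during the first iteration of the `for` over `options->num_ports`, so with two or more Port directives the second iteration starts with `num_addrs == 0`; `--num_addrs` then wraps the `u_int` to UINT_MAX, the condition stays true, and `addrsptr[num_addrs]` is read far out of bounds. Use a separate per-iteration counter (e.g. `for (j = num_addrs - 1; j > 0; j--)`). Smaller points in the same region: `debug("found %d addresses ...", num_addrs)` formats a `u_int` with `%d`; the `if (port == 0) for (...) {...} else {...}` reads as a dangling else and deserves braces around the `for`; and in add_one_listen_multiple_addr() `if (last)` clears IS_MULTIPLE_ADDR only on `aitop`, so when getaddrinfo() returns several results for one name (a hostname with both A and AAAA records) the remaining entries keep the flag, which should be checked against how sshd.c consumes the list.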
+@@ -1061,6 +1145,25 @@ process_server_config_line(ServerOptions *options, char *line,
+ intptr = &options->key_regeneration_time;
+ goto parse_time;
+
++#ifdef SCTP
++ case sListenMultipleAddresses:
++ arg = strdelim(&cp);
++ if (arg == NULL || *arg == '\0')
++ fatal("%s line %d: missing addresses",
++ filename, linenum);
++
++ /* Check for appended port */
++ p = strchr(arg, ';');
++ if (p != NULL) {
++ if ((port = a2port(p + 1)) <= 0)
++ fatal("%s line %d: bad port number", filename, linenum);
++ *p = '\0';
++ } else
++ port = 0;
++ add_listen_multiple_addrs(options, arg, port);
++ break;
++#endif
++
+ case sListenAddress:
+ arg = strdelim(&cp);
+ if (arg == NULL || *arg == '\0')
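Review bot: the new directive uses `;` to separate the address list from an optional port, whereas ListenAddress uses `host:port` and `[host]:port` via hpdelim(); the difference is justified for a comma-separated list that may contain IPv6 literals, but it needs to be spelled out in sshd_config.5 (the diffstat lists an 11-line sshd_config.5 change that is not visible here), and an `a2port()` failure message mentioning the `;` syntax would help users who try the ListenAddress form. `p` and `port` reuse the function's existing locals from the ListenAddress case, which is fine.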
+@@ -1478,6 +1581,22 @@ process_server_config_line(ServerOptions *options, char *line,
+ options->kex_algorithms = xstrdup(arg);
+ break;
+
++ case sTransport:
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing transport protocol specification",
++ filename, linenum);
++ if (strcasecmp(arg, "all") == 0)
++ options->transport = TRANSPORT_ALL;
++ else if (strcasecmp(arg, "tcp") == 0)
++ options->transport = TRANSPORT_TCP;
++ else if (strcasecmp(arg, "sctp") == 0)
++ options->transport = TRANSPORT_SCTP;
++ else
++ fatal("%s line %d: unknown transport protocol specified",
++ filename, linenum);
++ break;
++
+ case sSubsystem:
+ if (options->num_subsystems >= MAX_SUBSYSTEMS) {
+ fatal("%s line %d: too many subsystems defined.",
+@@ -1992,6 +2111,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ M_CP_INTOPT(allow_streamlocal_forwarding);
+ M_CP_INTOPT(allow_agent_forwarding);
+ M_CP_INTOPT(permit_tun);
++ M_CP_INTOPT(transport);
+ M_CP_INTOPT(fwd_opts.gateway_ports);
+ M_CP_INTOPT(x11_display_offset);
+ M_CP_INTOPT(x11_forwarding);
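Review bot: `transport` is registered SSHCFG_GLOBAL in the keyword table above, so it can never appear in a Match block, yet it is added to the copy_set_server_options() list; the entry is dead, and the transport cannot change per connection anyway because the listening sockets are already bound by the time Match is evaluated. Drop the `M_CP_INTOPT(transport);` line.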
+@@ -2286,6 +2406,9 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
+ dump_cfg_fmtint(sUseLogin, o->use_login);
+ dump_cfg_fmtint(sCompression, o->compression);
++#ifdef SCTP
++ dump_cfg_fmtint(sTransport, o->transport);
++#endif
+ dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sUseDNS, o->use_dns);
+ dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
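Review bot: dump_cfg_fmtint() renders the value through fmt_intarg(), which for opcodes without a multistate table only knows 0 as "no" and 1 as "yes"; with TRANSPORT_TCP = 1 and TRANSPORT_SCTP = 2, `sshd -T` will print `transport yes` for the default and `UNKNOWN` for sctp and all. Add a `multistate_transport[]` table ({ "tcp", TRANSPORT_TCP }, { "sctp", TRANSPORT_SCTP }, { "all", TRANSPORT_ALL }) with a `case sTransport:` in fmt_intarg(); the sTransport parser could then use the generic multistate path instead of its own strcasecmp() chain, and the `#ifdef SCTP` around the dump line becomes unnecessary once the value always has a printable form.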
+diff --git a/servconf.h b/servconf.h
+index f4137af..63a0637 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -54,6 +54,13 @@
+ /* Magic name for internal sftp-server */
+ #define INTERNAL_SFTP_NAME "internal-sftp"
+
++/* Transport protocols */
++#define TRANSPORT_TCP 1
++#define TRANSPORT_SCTP 2
++#define TRANSPORT_ALL (TRANSPORT_TCP | TRANSPORT_SCTP)
++
++#define IS_MULTIPLE_ADDR 0x1000
++
+ typedef struct {
+ u_int num_ports;
+ u_int ports_from_cmdline;
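Review bot: TRANSPORT_TCP and TRANSPORT_SCTP are now defined in both readconf.h and servconf.h (TRANSPORT_ALL only here); any translation unit that includes both gets duplicate macro definitions, which compilers accept only because the values agree, and the two copies can silently diverge. Move them to one shared header such as misc.h. IS_MULTIPLE_ADDR is stored into the `ai_flags` member of getaddrinfo() results, overwriting whatever the resolver put there; 0x1000 does not collide with any AI_* value I am aware of on FreeBSD or Linux, but stashing private state in a libc structure is fragile, and a small wrapper struct or a parallel list of flags would be cleaner.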
+@@ -93,6 +100,7 @@ typedef struct {
+ char *ciphers; /* Supported SSH2 ciphers. */
+ char *macs; /* Supported SSH2 macs. */
+ char *kex_algorithms; /* SSH2 kex methods in order of preference. */
++ int transport; /* Transport protocol(s) used */
+ struct ForwardOptions fwd_opts; /* forwarding options */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ LogLevel log_level;<--->/* Level for system logging. */
+diff --git a/ssh.1 b/ssh.1
+index cc53343..b1a45e8 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -43,7 +43,7 @@
+ .Sh SYNOPSIS
+ .Nm ssh
+ .Bk -words
+-.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
++.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
+ .Op Fl b Ar bind_address
+ .Op Fl c Ar cipher_spec
+ .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+@@ -536,6 +536,7 @@ For full details of the options listed below, and their possible values, see
+ .It StreamLocalBindUnlink
+ .It StrictHostKeyChecking
+ .It TCPKeepAlive
++.It Transport
+ .It Tunnel
+ .It TunnelDevice
+ .It UpdateHostKeys
+@@ -770,6 +771,8 @@ controls.
+ .Pp
+ .It Fl y
+ Send log information using the
++.It Fl z
++Use the SCTP protocol for connection instead of TCP which is the default.
+ .Xr syslog 3
+ system module.
+ By default this information is sent to stderr.
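Review bot: the new `.It Fl z` entry in ssh.1 is inserted in the middle of the `-y` description, so the rendered text reads "Send log information using the" followed by the `-z` heading, and the remainder (`.Xr syslog 3` "system module. By default this information is sent to stderr.") ends up under `-z`. Move the two added lines after `By default this information is sent to stderr.`, the end of the `-y` entry, which also keeps the flags in alphabetical order; the description should say that `-z` is only available when ssh was built with SCTP support, since the `case 'z':` in ssh.c is under `#ifdef SCTP`.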
+diff --git a/ssh.c b/ssh.c
+index f9ff91f..d0d92ce 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -195,12 +195,17 @@ extern int muxserver_sock;
+ extern u_int muxclient_command;
+
+ /* Prints a help message to the user. This function never returns. */
++#ifdef SCTP
++#define SCTP_OPT "z"
++#else
++#define SCTP_OPT ""
++#endif
+
+ static void
+ usage(void)
+ {
+ fprintf(stderr,
+-"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+ " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+ " [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n"
+ " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
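Review bot: the `#ifdef SCTP` / `#define SCTP_OPT` block in ssh.c is placed between the comment `/* Prints a help message to the user. This function never returns. */` and the `usage()` function it describes, so the comment now sits on a macro definition. Move the macro above the comment (or next to the other file-scope definitions) so the comment stays attached to `usage()`.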
+@@ -605,7 +610,7 @@ main(int ac, char **av)
+ argv0 = av[0];
+
+ again:
+- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
++ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+ "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+ switch (opt) {
+ case '1':
+@@ -845,6 +850,11 @@ main(int ac, char **av)
+ else
+ options.control_master = SSHCTL_MASTER_YES;
+ break;
++#ifdef SCTP
++ case 'z':
++ options.transport = TRANSPORT_SCTP;
++ break;
++#endif
+ case 'p':
+ options.port = a2port(optarg);
+ if (options.port <= 0) {
+diff --git a/ssh_config.5 b/ssh_config.5
+index caf13a6..a088f30 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1597,6 +1597,12 @@ This is important in scripts, and many users want it too.
+ .Pp
+ To disable TCP keepalive messages, the value should be set to
+ .Cm no .
++.It Cm Transport
++Specifies the transport protocol while connecting. Valid values are
++.Dq TCP
++and
++.Dq SCTP .
++The default is TCP.
+ .It Cm Tunnel
+ Request
+ .Xr tun 4
+diff --git a/sshconnect.c b/sshconnect.c
+index 356ec79..21b3f54 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -66,6 +66,10 @@
+ #include "ssherr.h"
+ #include "authfd.h"
+
++#ifdef SCTP
++#include <netinet/sctp.h>
++#endif
++
+ char *client_version_string = NULL;
+ char *server_version_string = NULL;
+ Key *previous_host_key = NULL;
+@@ -275,6 +279,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+ {
+ int sock, r, gaierr;
+ struct addrinfo hints, *res = NULL;
++#ifdef SCTP
++ char *more_addrs, *next_addr;
++#endif
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ if (sock < 0) {
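Review bot: `more_addrs` in ssh_create_socket() is declared without an initializer, but the `if (more_addrs)` block added further down runs after the `if (options.bind_address)` block has closed, so a client with no BindAddress configured tests an indeterminate pointer (and, when it happens to be non-NULL, dereferences garbage and uses an uninitialized `hints`). Declare it as `char *more_addrs = NULL, *next_addr;`.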
+@@ -288,10 +295,21 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+ return sock;
+
+ if (options.bind_address) {
++#ifdef SCTP
++ /* Check if multiple addresses have been specified */
++ if ((more_addrs = strchr(options.bind_address, ',')) != NULL) {
++ *(more_addrs++) = '\0';
++ }
++#endif
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = ai->ai_family;
+ hints.ai_socktype = ai->ai_socktype;
++#ifndef SCTP
++ /* Only specify protocol if SCTP is not used, due
++ * to the lack of SCTP support for getaddrinfo()
++ */
+ hints.ai_protocol = ai->ai_protocol;
++#endif
+ hints.ai_flags = AI_PASSIVE;
+ gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+ if (gaierr) {
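Review bot: the comma split `*(more_addrs++) = '\0';` writes into `options.bind_address` itself; ssh_create_socket() takes a single `struct addrinfo *ai` and is called repeatedly by the caller's address and retry loops, so only the first call sees the full list and every later socket is bound to the first address alone. Parse a copy (xstrdup() and free it at the end) instead of mutating the option string. Separately, the `#ifndef SCTP` around `hints.ai_protocol = ai->ai_protocol;` is a compile-time switch, so a binary built with SCTP support also drops the protocol hint for ordinary TCP connections; test `options.transport == TRANSPORT_SCTP` at run time instead.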
+@@ -324,6 +342,34 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+ return -1;
+ }
+ }
++#ifdef SCTP
++ /* If there are multiple addresses, bind them too */
++ if (more_addrs) {
++ do {
++ next_addr = strchr(more_addrs, ',');
++ if (next_addr != NULL) {
++ *(next_addr++) = '\0';
++ }
++
++ gaierr = getaddrinfo(more_addrs, NULL, &hints, &res);
++ if (gaierr) {
++ error("getaddrinfo: %s: %s", more_addrs,
++ ssh_gai_strerror(gaierr));
++ close(sock);
++ return -1;
++ }
++ if (sctp_bindx(sock, (struct sockaddr *)res->ai_addr,
++ 1, SCTP_BINDX_ADD_ADDR) != 0) {
++ error("bind: %s: %s", options.bind_address, strerror(errno));
++ close(sock);
++ freeaddrinfo(res);
++ return -1;
++ }
++
++ more_addrs = next_addr;
++ } while (next_addr != NULL);
++ }
++#endif
+ if (res != NULL)
+ freeaddrinfo(res);
+ return sock;
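Review bot: inside the `if (more_addrs)` loop, `res` still holds the result of the first getaddrinfo() for `options.bind_address` when the loop's getaddrinfo() overwrites it, and each further iteration overwrites the previous result again, so all but the last are leaked (on a getaddrinfo() failure the earlier result is leaked as well). Call freeaddrinfo(res) and set `res = NULL` before each new lookup. The message `error("bind: %s: %s", options.bind_address, strerror(errno));` after sctp_bindx() should name `more_addrs`, the address that actually failed, and the whole loop belongs inside the `if (options.bind_address)` block, since `hints` is only initialized there.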
+@@ -437,6 +483,15 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
+ memset(ntop, 0, sizeof(ntop));
+ memset(strport, 0, sizeof(strport));
+
++#ifdef SCTP
++ /* Use SCTP if requested */
++ if (options.transport == TRANSPORT_SCTP) {
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ ai->ai_protocol = IPPROTO_SCTP;
++ }
++ }
++#endif
++
+ for (attempt = 0; attempt < connection_attempts; attempt++) {
+ if (attempt > 0) {
+ /* Sleep a moment before retrying. */
+diff --git a/sshd.c b/sshd.c
+index 430569c..4ca58ed 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -125,6 +125,10 @@
+ #include "version.h"
+ #include "ssherr.h"
+
++#ifdef SCTP
++#include <netinet/sctp.h>
++#endif
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -1164,6 +1168,12 @@ server_listen(void)
+ for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
+ continue;
++#ifdef SCTP
++ /* Ignore multi-homing addresses for TCP */
++ if (ai->ai_flags & IS_MULTIPLE_ADDR ||
++ (ai->ai_next != NULL && ai->ai_next->ai_flags & IS_MULTIPLE_ADDR))
++ continue;
++#endif
+ if (num_listen_socks >= MAX_LISTEN_SOCKS)
+ fatal("Too many listen sockets. "
+ "Enlarge MAX_LISTEN_SOCKS");
+@@ -1222,6 +1232,127 @@ server_listen(void)
+ fatal("Cannot bind any address.");
+ }
+
++#ifdef SCTP
++/*
++ * Listen for SCTP connections
++ */
++static void
++server_listen_sctp(void)
++{
++ int ret, listen_sock, on = 1;
++ struct addrinfo *ai, *aiv6;
++ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
++
++ for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
++ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
++ continue;
++ /* Ignore multi-homing addresses at this point */
++ if (ai->ai_flags & IS_MULTIPLE_ADDR)
++ continue;
++ if (num_listen_socks >= MAX_LISTEN_SOCKS)
++ fatal("Too many listen sockets. "
++ "Enlarge MAX_LISTEN_SOCKS");
++ if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
++ error("getnameinfo failed: %.100s",
++ ssh_gai_strerror(ret));
++ continue;
++ }
++ /* Check for multi-homed IPv6 addresses if family is IPv4 */
++ if (ai->ai_family == AF_INET) {
++ aiv6 = ai->ai_next;
++ while (aiv6 != NULL && aiv6->ai_flags & IS_MULTIPLE_ADDR) {
++ if (aiv6->ai_family == AF_INET6) {
++ ai->ai_family = AF_INET6;
++ break;
++ }
++ aiv6 = aiv6->ai_next;
++ }
++ }
++
++ /* Create socket for listening. */
++ listen_sock = socket(ai->ai_family, ai->ai_socktype,
++ IPPROTO_SCTP);
++ if (listen_sock < 0) {
++ /* kernel may not support ipv6 */
++ verbose("SCTP socket: %.100s", strerror(errno));
++ continue;
++ }
++ if (set_nonblock(listen_sock) == -1) {
++ close(listen_sock);
++ continue;
++ }
++ /*
++ * Set socket options.
++ * Allow local port reuse in TIME_WAIT.
++ */
++ if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
++ &on, sizeof(on)) == -1)
++ error("SCTP setsockopt SO_REUSEADDR: %s", strerror(errno));
++
++ /* Only communicate in IPv6 over AF_INET6 sockets if not multi-homed. */
++ if (ai->ai_family == AF_INET6 && (ai->ai_next == NULL ||
++ (ai->ai_next != NULL && ai->ai_next->ai_flags == 0)))
++ sock_set_v6only(listen_sock);
++
++ if (ai->ai_next != NULL && ai->ai_next->ai_flags & IS_MULTIPLE_ADDR)
++ debug("Bind multi-homed to SCTP port %s on %s.", strport, ntop);
++ else
++ debug("Bind to SCTP port %s on %s.", strport, ntop);
++
++ /* Bind the socket to the desired port. */
++ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
++ error("Bind to SCTP port %s on %s failed: %.200s.",
++ strport, ntop, strerror(errno));
++ close(listen_sock);
++ continue;
++ }
++
++ /* Bind multi-homing addresses */
++ while (ai->ai_next != NULL &&
++ ai->ai_next->ai_flags & IS_MULTIPLE_ADDR) {
++ ai = ai->ai_next;
++
++ if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
++ error("getnameinfo failed: %.100s",
++ ssh_gai_strerror(ret));
++ continue;
++ }
++
++ debug("Bind multi-homed to SCTP port %s on %s.", strport, ntop);
++
++ if (sctp_bindx(listen_sock, (struct sockaddr *)ai->ai_addr, 1, SCTP_BINDX_ADD_ADDR) != 0) {
++ error("Bind to SCTP port %s on %s failed: %.200s.",
++ strport, ntop, strerror(errno));
++ close(listen_sock);
++ continue;
++ }
++ }
++
++ listen_socks[num_listen_socks] = listen_sock;
++ num_listen_socks++;
++
++ /* Start listening on the port. */
++ if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
++ fatal("SCTP listen on [%s]:%s: %.100s",
++ ntop, strport, strerror(errno));
++ if (ai->ai_flags & IS_MULTIPLE_ADDR)
++ logit("Server listening multi-homed with SCTP on port %s.", strport);
++ else
++ logit("Server listening with SCTP on %s port %s.", ntop, strport);
++ }
++ /* Only free addresses if SCTP is the only used protocol */
++ if (options.transport == TRANSPORT_SCTP)
++ freeaddrinfo(options.listen_addrs);
++
++ if (!num_listen_socks)
++ fatal("Cannot bind any address for SCTP.");
++}
++#endif
++
+ /*
+ * The main TCP accept loop. Note that, for the non-debug case, returns
+ * from this function are in a forked subprocess.
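Review bot: in server_listen_sctp(), the `close(listen_sock); continue;` after a failed sctp_bindx() sits inside the inner `while (ai->ai_next != NULL && ...)` loop, so it merely advances to the next multi-homing address: the function then stores the closed descriptor in `listen_socks[]`, increments `num_listen_socks`, and calls listen() on it, which fails and takes sshd down with fatal(). Use a flag or a `goto` to abandon the whole listen address, as the bind() failure a few lines above does with its `continue` in the outer `for` loop. Two smaller points in the same function: `ai->ai_family = AF_INET6` is assigned while `ai->ai_addr`/`ai->ai_addrlen` still describe the IPv4 sockaddr that bind() then receives, which deserves a comment explaining why that mismatch is intended; and the v6only condition `ai->ai_next->ai_flags == 0` stops working as soon as any other AI_* flag is set on the next entry, so test `(ai->ai_next->ai_flags & IS_MULTIPLE_ADDR) == 0` instead.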
+@@ -2007,7 +2138,14 @@ main(int ac, char **av)
+ server_accept_inetd(&sock_in, &sock_out);
+ } else {
+ platform_pre_listen();
+- server_listen();
++
++#ifdef SCTP
++ if (options.transport & TRANSPORT_SCTP)
++ server_listen_sctp();
++
++ if (options.transport & TRANSPORT_TCP)
++#endif
++ server_listen();
+
+ if (options.protocol & SSH_PROTO_1)
+ generate_ephemeral_server_key();
+diff --git a/sshd_config.5 b/sshd_config.5
+index a37a3ac..24e3826 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1508,6 +1508,17 @@ This avoids infinitely hanging sessions.
+ .Pp
+ To disable TCP keepalive messages, the value should be set to
+ .Cm no .
++.It Cm Transport
++Specifies the transport protocol that should be used by
++.Xr sshd 8 .
++Valid values are
++.Dq TCP ,
++.Dq SCTP ,
++.Dq all.
++The value
++.Dq all
++means to listen on TCP and SCTP sockets. The default is to listen only on
++TCP sockets.
+ .It Cm TrustedUserCAKeys
+ Specifies a file containing public keys of certificate authorities that are
+ trusted to sign user certificates for authentication, or
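Review bot: `.Dq all.` in the sshd_config.5 hunk puts the period inside the quotes; mdoc expects trailing punctuation as a separate argument, `.Dq all .`, as the neighbouring `.Dq TCP ,` and `.Dq SCTP ,` lines do. The description should also state that `Transport` only exists when sshd was built with SCTP support, since the dump_config() entry for `sTransport` is under `#ifdef SCTP`.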
+--
+2.6.2
+
Property changes on: trunk/security/openssh-portable/files/extra-patch-sctp
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/extra-patch-tcpwrappers
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-tcpwrappers 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/extra-patch-tcpwrappers 2017-05-12 20:06:40 UTC (rev 22423)
@@ -43,9 +43,9 @@
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
-@@ -122,6 +122,13 @@
- #include "ssh-sandbox.h"
+@@ -123,6 +123,13 @@
#include "version.h"
+ #include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
@@ -54,10 +54,10 @@
+int deny_severity;
+#endif /* LIBWRAP */
+
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
-@@ -2027,6 +2034,24 @@ main(int ac, char **av)
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -1971,6 +1978,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
@@ -81,7 +81,7 @@
+#endif /* LIBWRAP */
/* Log the connection. */
- verbose("Connection from %s port %d on %s port %d",
+ laddr = get_local_ipaddr(sock_in);
diff --git configure.ac configure.ac
index f48ba4a..66fbe82 100644
--- configure.ac
Added: trunk/security/openssh-portable/files/extra-patch-x509-glue
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-x509-glue (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-x509-glue 2017-05-12 20:06:40 UTC (rev 22423)
@@ -0,0 +1,39 @@
+--- session.c.orig 2017-01-12 11:58:30.754769000 -0800
++++ session.c 2017-01-12 11:58:35.360654000 -0800
+@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+-#ifdef __ANDROID__
+-{
+-#define COPY_ANDROID_ENV(name) { \
+- char *s = getenv(name); \
+- if (s) child_set_env(&env, &envsize, name, s); }
+-
+- /* from /init.rc */
+- COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
+- COPY_ANDROID_ENV("ANDROID_ROOT");
+- COPY_ANDROID_ENV("ANDROID_ASSETS");
+- COPY_ANDROID_ENV("ANDROID_DATA");
+- COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
+- COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
+- COPY_ANDROID_ENV("BOOTCLASSPATH");
+-
+- /* FIXME: keep android property workspace open
+- * (see openbsd-compat/bsd-closefrom.c)
+- */
+- COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
+-
+- COPY_ANDROID_ENV("EXTERNAL_STORAGE"); /* ??? */
+- COPY_ANDROID_ENV("SECONDARY_STORAGE"); /* ??? */
+- COPY_ANDROID_ENV("SD_EXT_DIRECTORY"); /* ??? */
+-
+- /* may contain path to custom libraries */
+- COPY_ANDROID_ENV("LD_LIBRARY_PATH");
+-#undef COPY_ANDROID_ENV
+-}
+-#endif
+-
+ /* Set custom environment options from RSA authentication. */
+ while (custom_environment) {
+ struct envstring *ce = custom_environment;
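Review bot: extra-patch-x509-glue carries no description of why the `#ifdef __ANDROID__` environment-copying block is removed from session.c, whereas patch-misc.c and patch-session.c in the same commit open with a header explaining their origin. Add a few lines at the top of the file saying which version of the x509 patch it is glue for and why the removal is needed, so the next x509 version bump can tell whether the glue still applies.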
Property changes on: trunk/security/openssh-portable/files/extra-patch-x509-glue
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Deleted: trunk/security/openssh-portable/files/patch-kex.c
===================================================================
--- trunk/security/openssh-portable/files/patch-kex.c 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/patch-kex.c 2017-05-12 20:06:40 UTC (rev 22423)
@@ -1,33 +0,0 @@
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus at openbsd.org" <markus at openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git kex.c kex.c
-index 3f97f8c..6a94bc5 100644
---- kex.c
-+++ kex.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
-+/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
- /*
- * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
- *
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- if (kex == NULL)
- return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- ptr = sshpkt_ptr(ssh, &dlen);
- if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- return r;
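Review bot: deleting patch-kex.c drops the fix that unregisters the SSH2_MSG_KEXINIT handler after the first KEXINIT (the pre-authentication allocation of up to 128MB described in the deleted header), so the removal is only correct if the 7.4p1 tarball already contains the `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` line in kex_input_kexinit(). The commit message says only "openssh 7.4p1"; state there that the patch is dropped because the upstream change (Upstream-ID 43649ae12a27ef94290db16d1a98294588b75c05) ships in the release, and confirm the line is present in the unpacked kex.c.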
Added: trunk/security/openssh-portable/files/patch-misc.c
===================================================================
--- trunk/security/openssh-portable/files/patch-misc.c (rev 0)
+++ trunk/security/openssh-portable/files/patch-misc.c 2017-05-12 20:06:40 UTC (rev 22423)
@@ -0,0 +1,43 @@
+------------------------------------------------------------------------
+r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+
+Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
+Submitted upstream, no reaction.
+
+Submitted by: delphij@
+[rewritten for 7.4 by bdrewery@]
+
+--- misc.c.orig 2017-01-12 11:54:41.058558000 -0800
++++ misc.c 2017-01-12 11:55:16.531356000 -0800
+@@ -56,6 +56,8 @@
+ #include <net/if.h>
+ #endif
+
++#include <sys/sysctl.h>
++
+ #include "xmalloc.h"
+ #include "misc.h"
+ #include "log.h"
+@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a,
+ int
+ bind_permitted(int port, uid_t uid)
+ {
+- if (port < IPPORT_RESERVED && uid != 0)
++ int ipport_reserved;
++#ifdef __FreeBSD__
++ size_t len_ipport_reserved = sizeof(ipport_reserved);
++
++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
++ ipport_reserved = IPPORT_RESERVED;
++ else
++ ipport_reserved++;
++#else
++ ipport_reserved = IPPORT_RESERVED;
++#endif
++ if (port < ipport_reserved && uid != 0)
+ return 0;
+ return 1;
+ }
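Review bot: patch-misc.c adds `#include <sys/sysctl.h>` unconditionally while its only use, sysctlbyname(), is inside `#ifdef __FreeBSD__`; put the include under the same guard so the patch still compiles where the header or the function is absent. The same guard decides whether the `net.inet.ip.portrange.reservedhigh` lookup is compiled at all, so on a system that does not define that macro bind_permitted() silently falls back to the fixed IPPORT_RESERVED; confirm the MidnightBSD build defines `__FreeBSD__`, or extend the condition with the macro the local compiler does define. Finally, the pasted svn header still says `M /head/crypto/openssh/readconf.c` although this patch touches misc.c; update the path next to the `[rewritten for 7.4 by bdrewery@]` note.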
Property changes on: trunk/security/openssh-portable/files/patch-misc.c
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/patch-readconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-readconf.c 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/patch-readconf.c 2017-05-12 20:06:40 UTC (rev 22423)
@@ -9,48 +9,8 @@
Apply FreeBSD's configuration defaults.
-------------------------------------------------------------------------
-r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
-Changed paths:
- M /head/crypto/openssh/readconf.c
-
-Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
-Submitted upstream, no reaction.
-
-Submitted by: delphij@
-
--- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500
+++ readconf.c 2014-11-03 16:45:05.188796445 -0600
-@@ -17,6 +17,7 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/socket.h>
-+#include <sys/sysctl.h>
- #include <sys/wait.h>
- #include <sys/un.h>
-
-@@ -311,8 +312,19 @@ add_local_forward(Options *options, cons
- struct Forward *fwd;
- extern uid_t original_real_uid;
- int i;
--
-- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
-+ int ipport_reserved;
-+#ifdef __FreeBSD__
-+ size_t len_ipport_reserved = sizeof(ipport_reserved);
-+
-+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
-+ ipport_reserved = IPPORT_RESERVED;
-+ else
-+ ipport_reserved++;
-+#else
-+ ipport_reserved = IPPORT_RESERVED;
-+#endif
-+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 &&
- newfwd->listen_path == NULL)
- fatal("Privileged ports can only be forwarded by root.");
- /* Don't add duplicates */
@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
if (options->batch_mode == -1)
options->batch_mode = 0;
Modified: trunk/security/openssh-portable/files/patch-session.c
===================================================================
--- trunk/security/openssh-portable/files/patch-session.c 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/patch-session.c 2017-05-12 20:06:40 UTC (rev 22423)
@@ -1,6 +1,18 @@
+------------------------------------------------------------------------
+r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines
+Changed paths:
+ M /head/crypto/openssh/session.c
+
+Make sure the environment variables set by setusercontext() are passed on
+to the child process.
+
+Reviewed by: ache
+Sponsored by: DARPA, NAI Labs
+
+
--- session.c 2013-03-14 19:22:37 UTC
+++ session.c
-@@ -1131,6 +1136,9 @@
+@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
@@ -10,7 +22,7 @@
#endif
/* Initialize the environment. */
-@@ -1152,6 +1160,9 @@
+@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she
}
#endif
@@ -20,50 +32,49 @@
#ifdef GSSAPI
/* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit
-@@ -1171,11 +1182,22 @@
- child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she
+ child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
#endif
- child_set_env(&env, &envsize, "HOME", pw->pw_dir);
-+ snprintf(buf, sizeof buf, "%.200s/%.50s",
-+ _PATH_MAILDIR, pw->pw_name);
-+ child_set_env(&env, &envsize, "MAIL", buf);
+ child_set_env(&env, &envsize, "HOME", pw->pw_dir);
++ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
++ child_set_env(&env, &envsize, "MAIL", buf);
#ifdef HAVE_LOGIN_CAP
-- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
-- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-- else
-- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
-+ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-+ child_set_env(&env, &envsize, "TERM", "su");
-+ senv = environ;
-+ environ = xmalloc(sizeof(char *));
-+ *environ = NULL;
-+ (void) setusercontext(lc, pw, pw->pw_uid,
-+ LOGIN_SETENV|LOGIN_SETPATH);
-+ copy_environment(environ, &env, &envsize);
-+ for (var = environ; *var != NULL; ++var)
-+ free(*var);
-+ free(environ);
-+ environ = senv;
+- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+- else
+- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
++ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
++ child_set_env(&env, &envsize, "TERM", "su");
++ senv = environ;
++ environ = xmalloc(sizeof(char *));
++ *environ = NULL;
++ (void) setusercontext(lc, pw, pw->pw_uid,
++ LOGIN_SETENV|LOGIN_SETPATH);
++ copy_environment(environ, &env, &envsize);
++ for (var = environ; *var != NULL; ++var)
++ free(*var);
++ free(environ);
++ environ = senv;
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
- /*
-@@ -1196,15 +1218,9 @@
+ /*
+@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
-- snprintf(buf, sizeof buf, "%.200s/%.50s",
-- _PATH_MAILDIR, pw->pw_name);
-- child_set_env(&env, &envsize, "MAIL", buf);
+- snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
+- child_set_env(&env, &envsize, "MAIL", buf);
-
- /* Normal systems set SHELL by default. */
- child_set_env(&env, &envsize, "SHELL", shell);
- }
+ /* Normal systems set SHELL by default. */
+ child_set_env(&env, &envsize, "SHELL", shell);
+
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-
+-
/* Set custom environment options from RSA authentication. */
- if (!options.use_login) {
-@@ -1483,7 +1499,7 @@
+ while (custom_environment) {
+ struct envstring *ce = custom_environment;
+@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw)
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
Modified: trunk/security/openssh-portable/files/patch-ssh-agent.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.c 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.c 2017-05-12 20:06:40 UTC (rev 22423)
@@ -45,7 +45,7 @@
}
static void
-@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd)
+@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd)
{
u_int i, old_alloc, new_alloc;
@@ -56,33 +56,33 @@
set_nonblock(fd);
if (fd > max_fd)
-@@ -1166,7 +1189,7 @@ static void
+@@ -1190,7 +1213,7 @@ static void
usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
- " [-t life] [command [arg ...]]\n"
+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
-@@ -1197,6 +1220,7 @@ main(int ac, char **av)
+@@ -1222,6 +1245,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
+ setuid(geteuid());
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- /* Disable ptrace on Linux without sgid bit */
-@@ -1210,7 +1234,7 @@ main(int ac, char **av)
+ platform_disable_tracing(0); /* strict=no */
+
+@@ -1232,7 +1256,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
-- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
-+ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
+- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1249,6 +1273,9 @@ main(int ac, char **av)
+@@ -1276,6 +1300,9 @@ main(int ac, char **av)
usage();
}
break;
Modified: trunk/security/openssh-portable/files/patch-ssh_config.5
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh_config.5 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/patch-ssh_config.5 2017-05-12 20:06:40 UTC (rev 22423)
@@ -6,12 +6,21 @@
--- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600
+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600
-@@ -164,7 +164,7 @@
- .Dq no ,
+@@ -377,8 +377,7 @@ or
+ .Cm no .
+ .It Cm CheckHostIP
+ If set to
+-.Cm yes
+-(the default),
++.Cm yes ,
+ .Xr ssh 1
+ will additionally check the host IP address in the
+ .Pa known_hosts
+@@ -390,6 +389,7 @@ in the process, regardless of the settin
+ .Cm StrictHostKeyChecking .
+ If the option is set to
+ .Cm no ,
++(the default),
the check will not be executed.
- The default is
--.Dq yes .
-+.Dq no .
.It Cm Cipher
Specifies the cipher to use for encrypting the session
- in protocol version 1.
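Review bot: in the rebased CheckHostIP text, `.Cm no ,` immediately followed by the added `(the default),` renders as "no, (the default)," with a doubled comma. Make the line `.Cm no` and keep `(the default),` after it, mirroring the first half of the hunk, which changes `.Cm yes` plus `(the default),` into `.Cm yes ,`; the sentence then reads "If the option is set to no (the default), the check will not be executed."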
Modified: trunk/security/openssh-portable/files/patch-sshd_config.5
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config.5 2017-03-26 16:46:43 UTC (rev 22422)
+++ trunk/security/openssh-portable/files/patch-sshd_config.5 2017-05-12 20:06:40 UTC (rev 22423)
@@ -1,6 +1,6 @@
---- sshd_config.5.orig 2015-05-29 03:27:21.000000000 UTC
-+++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500
-@@ -375,7 +375,9 @@ By default, no banner is displayed.
+--- sshd_config.5.orig 2016-12-18 20:59:41.000000000 -0800
++++ sshd_config.5 2017-01-11 13:35:46.496538000 -0800
+@@ -373,7 +373,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -9,21 +9,32 @@
+See also
+.Cm UsePAM .
The default is
- .Dq yes .
+ .Cm yes .
.It Cm ChrootDirectory
-@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic
+@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa
+ The list of available key types may also be obtained using
+ .Qq ssh -Q key .
+ .It Cm HostbasedAuthentication
+-Specifies whether rhosts or /etc/hosts.equiv authentication together
++Specifies whether rhosts or
++.Pa /etc/hosts.equiv
++authentication together
+ with successful public key client host authentication is allowed
+ (host-based authentication).
+ The default is
+@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
-+.Dq no ,
++.Cm no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
- .Dq yes .
+ .Cm yes .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
-+.Dq yes ,
++.Cm yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
@@ -34,58 +45,47 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -1158,6 +1175,13 @@ or
- .Dq no .
+@@ -1216,6 +1235,13 @@ and
+ .Cm ethernet .
The default is
- .Dq no .
+ .Cm no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
-+.Dq yes ,
++.Cm yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
-+.Dq without-password .
++.Cm without-password .
.Pp
- If this option is set to
- .Dq without-password ,
-@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as
- For more information on KRLs, see the KEY REVOCATION LISTS section in
- .Xr ssh-keygen 1 .
- .It Cm RhostsRSAAuthentication
--Specifies whether rhosts or /etc/hosts.equiv authentication together
-+Specifies whether rhosts or
-+.Pa /etc/hosts.equiv
-+authentication together
- with successful RSA host authentication is allowed.
- The default is
- .Dq no .
-@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run
+ Independent of this setting, the permissions of the selected
+ .Xr tun 4
+@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
--.Dq no .
-+.Dq yes .
+-.Cm no .
++.Cm yes .
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1520,7 +1546,10 @@ restrictions.
+@@ -1500,7 +1526,10 @@ The default is
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
--.Dq none .
-+.Dq %%SSH_VERSION_FREEBSD_PORT%% .
+-.Cm none .
++.Cm %%SSH_VERSION_FREEBSD_PORT%% .
+The value
-+.Dq none
++.Cm none
+may be used to disable this.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
-@@ -1534,7 +1563,7 @@ The argument must be
+@@ -1514,7 +1543,7 @@ The argument must be
or
- .Dq no .
+ .Cm no .
The default is
--.Dq no .
-+.Dq yes .
+-.Cm no .
++.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
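Review bot: the rebased hunks at `@@ -1473` and `@@ -1514` document defaults of `yes` where upstream says `no`, the second being X11Forwarding (the paragraph that follows begins "When X11 forwarding is enabled, there may be additional exposure"); only the man page side is visible here, so confirm that the port's servconf.c default or shipped sshd_config actually sets the same values, otherwise the documentation and the binary disagree on a setting that widens exposure. A style point in the `@@ -1216` hunk: `.Cm PermitRootLogin is set to` passes prose as arguments to `.Cm`, so "is set to" is rendered in the keyword style; split it into `.Cm PermitRootLogin` and a plain `is set to` line.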