[Midnightbsd-cvs] mports [24804] trunk/security/openssh-portable: update openssh port to 7.9p1

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Fri Jan 18 15:36:17 EST 2019


Revision: 24804
          http://svnweb.midnightbsd.org/mports/?rev=24804
Author:   laffer1
Date:     2019-01-18 15:36:16 -0500 (Fri, 18 Jan 2019)
Log Message:
-----------
update openssh port to 7.9p1

Modified Paths:
--------------
    trunk/security/openssh-portable/Makefile
    trunk/security/openssh-portable/distinfo
    trunk/security/openssh-portable/files/extra-patch-hpn
    trunk/security/openssh-portable/files/extra-patch-tcpwrappers
    trunk/security/openssh-portable/files/extra-patch-x509-glue
    trunk/security/openssh-portable/files/patch-auth2.c
    trunk/security/openssh-portable/files/patch-configure.ac
    trunk/security/openssh-portable/files/patch-servconf.c
    trunk/security/openssh-portable/files/patch-session.c
    trunk/security/openssh-portable/files/patch-ssh-agent.c
    trunk/security/openssh-portable/files/patch-ssh.c
    trunk/security/openssh-portable/files/patch-sshd_config.5
    trunk/security/openssh-portable/pkg-plist

Added Paths:
-----------
    trunk/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
    trunk/security/openssh-portable/files/extra-patch-hpn-compat
    trunk/security/openssh-portable/files/patch-serverloop.c

Removed Paths:
-------------
    trunk/security/openssh-portable/files/patch-misc.c

Modified: trunk/security/openssh-portable/Makefile
===================================================================
--- trunk/security/openssh-portable/Makefile	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/Makefile	2019-01-18 20:36:16 UTC (rev 24804)
@@ -1,8 +1,7 @@
 # $MidnightBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	7.4p1
-PORTREVISION=	2
+DISTVERSION=	7.9p1
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -17,12 +16,13 @@
 
 CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.*
 
-USES=			alias ncurses ssl
-USE_AUTOTOOLS=		autoconf autoheader
+USES=			alias autoreconf ncurses ssl
 GNU_CONFIGURE=		yes
 CONFIGURE_ENV=		ac_cv_func_strnvis=no
 CONFIGURE_ARGS=		--prefix=${PREFIX} --with-md5-passwords \
-			--without-zlib-version-check --with-ssl-engine
+			--without-zlib-version-check --with-ssl-engine \
+			--with-mantype=man
+
 ETCOLD=			${PREFIX}/etc
 
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
@@ -48,8 +48,8 @@
 
 TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 
-LDNS_CONFIGURE_WITH=	ldns
-LDNS_LIB_DEPENDS=	libldns.so:${PORTSDIR}/dns/ldns
+LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
+LDNS_LIB_DEPENDS=	libldns.so:dns/ldns
 LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
 LDNS_CFLAGS=		-I${LOCALBASE}/include
 LDNS_CONFIGURE_ON=	--with-ldflags='-L${LOCALBASE}/lib'
@@ -59,17 +59,11 @@
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION=		9.3
+X509_VERSION=		11.5
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
 X509_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES=	${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES=	${PORTNAME}-7.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
-# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
-#SCTP_PATCHFILES=	${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
-SCTP_CONFIGURE_WITH=	sctp
-SCTP_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-sctp:-p1
-
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:security/heimdal
 
@@ -86,15 +80,20 @@
 
 PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
 
+# Upstream OpenSSL fix but does not apply for x509 patch.
+EXTRA_PATCHES+=		${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
+
 # X509 patch includes TCP Wrapper support already
 .if ${PORT_OPTIONS:MX509}
 EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
+EXTRA_PATCHES:=		${EXTRA_PATCHES:N${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969}
 .endif
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
+#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 # Patch from:
-# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
+# https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch
 # which was originally based on 5.7 patch from
 # http://www.sxw.org.uk/computing/patches/
 # It is mirrored simply to apply gzip -9.
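Review bot: The comment on the new EXTRA_PATCHES line is ambiguous: `does not apply for x509 patch` can be read as "the hunk fails to apply on top of the X509 diff" or as "X509 builds do not need it", and only the first reading explains the `:N` filter in the `.if X509` block below. Suggest `# Upstream post-7.9p1 fix for bz#2921 (OPENSSL_config vs. OPENSSL_init_crypto with --with-ssl-engine on OpenSSL 1.0.x); filtered out under X509, presumably because it conflicts with the x509-11.5 diff.` If the x509-11.5 diff does not itself carry the equivalent change, an X509 build on OpenSSL 1.0.x would hit the same compile failure, since CONFIGURE_ARGS passes --with-ssl-engine unconditionally; that is worth confirming before relying on the filter. Separately, the KERB_GSSAPI provenance comment now cites the Debian 1:7.7p1-2 gssapi.patch while the PATCHFILES entry that follows is named for 7.9p1 and dated 20181020; the comment should name the copy that was actually mirrored.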
@@ -102,17 +101,21 @@
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
-PATCHFILES+=	openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex
+PATCHFILES+=	openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex
 .endif
 
-# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
+# https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+#BROKEN=			HPN: Not yet updated for ${DISTVERSION} yet.
 PORTDOCS+=		HPN-README
-HPN_VERSION=		14v5
-HPN_DISTVERSION=	6.7p1
+HPN_VERSION=		14v15
+HPN_DISTVERSION=	7.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
+.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
+# Apply compatibility patch
+EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-compat
 .endif
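Review bot: The new `.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}` branch is the exact negation of the `.if` above it, so a plain `.else` expresses the same thing and cannot drift out of step with the first condition. HPN_VERSION and HPN_DISTVERSION now only feed the commented-out PATCH_SITES/PATCHFILES lines, and what is actually applied to 7.9p1 is files/extra-patch-hpn, whose file headers elsewhere in this commit reference openssh-7.7p1 sources; a comment such as `# HPN 14v15 was produced against 7.7p1; extra-patch-hpn is that diff carried forward onto ${DISTVERSION}` would tell the next updater what has to be re-verified. The commented `#BROKEN=` line is dead text and should either go or become a real `BROKEN` if the HPN code has not been validated on this release.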
 
 CONFIGURE_LIBS+=	-lutil
@@ -127,10 +130,6 @@
 BROKEN=		X509 patch and HPN patch do not apply cleanly together
 .  endif
 
-.  if ${PORT_OPTIONS:MSCTP}
-BROKEN=		X509 patch and SCTP patch do not apply cleanly together
-.  endif
-
 .  if ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		X509 patch incompatible with KERB_GSSAPI patch
 .  endif
@@ -168,10 +167,6 @@
 
 EMPTYDIR=		/var/empty
 
-.if ${PORT_OPTIONS:MOVERWRITE_BASE} || defined(OPENSSH_OVERWRITE_BASE)
-IGNORE=	Overwrite base option is no longer supported.
-.endif
-
 USE_RC_SUBR=		openssh
 
 # After all
@@ -201,6 +196,9 @@
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
 
+post-configure-XMSS-on:
+	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
+
 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
 	    ${STAGEDIR}${ETCDIR}//ssh_config.sample
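Review bot: Appending `#define WITH_XMSS 1` to config.h after configure has run bypasses configure's own feature handling, and nothing in the target records why it is done this way or what the user is opting into. Suggest a comment above the target along the lines of `# XMSS is described upstream as experimental in this release and is a stateful signature scheme; enabled by defining WITH_XMSS directly because configure exposes no switch for it` — the second half should be confirmed against 7.9p1's configure.ac, and if a switch exists `XMSS_CONFIGURE_WITH= xmss` is the conventional form. The option description (not in this hunk) should carry the same "experimental" warning for a security-critical daemon.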
@@ -216,6 +214,8 @@
 		OBJ=${WRKDIR} ${MAKE_ENV} \
 		TEST_SHELL=${SH} \
 		SUDO="${SUDO}" \
+		LOGNAME="${LOGNAME}" \
+		TEST_SSH_TRACE=yes \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
 

Modified: trunk/security/openssh-portable/distinfo
===================================================================
--- trunk/security/openssh-portable/distinfo	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/distinfo	2019-01-18 20:36:16 UTC (rev 24804)
@@ -1,9 +1,7 @@
-TIMESTAMP = 1484161900
-SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
-SIZE (openssh-7.4p1.tar.gz) = 1511780
-SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
-SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee
-SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572
-SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
-SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
+TIMESTAMP = 1541877994
+SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
+SIZE (openssh-7.9p1.tar.gz) = 1565384
+SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb
+SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995
+SHA256 (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = a9fe46bc97ebb6f32dad44c6e62e712b224392463b2084300835736fe848eabc
+SIZE (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = 27612

Added: trunk/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969	                        (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969	2019-01-18 20:36:16 UTC (rev 24804)
@@ -0,0 +1,19 @@
+commit c0a35265907533be10ca151ac797f34ae0d68969
+Author: Damien Miller <djm at mindrot.org>
+Date:   Mon Oct 22 11:22:50 2018 +1100
+
+    fix compile for openssl 1.0.x w/ --with-ssl-engine
+
+    bz#2921, patch from cotequeiroz
+
+--- openbsd-compat/openssl-compat.c.orig	2018-11-12 12:52:26 UTC
++++ openbsd-compat/openssl-compat.c
+@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
+ 	ENGINE_load_builtin_engines();
+ 	ENGINE_register_all_complete();
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10001000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	OPENSSL_config(NULL);
+ #else
+ 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
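Review bot: The carried file is a verbatim post-7.9p1 upstream commit, so it should say when it can be dropped; a line in its header such as `Drop on the next upstream release that contains c0a35265907533be10ca151ac797f34ae0d68969.` is enough (patch(1) ignores header text). The corrected threshold means that on OpenSSL below 1.1.0 the --with-ssl-engine path calls `OPENSSL_config(NULL)`, which reads OpenSSL's default configuration file and loads any engine named there into ssh and sshd; that is the effect --with-ssl-engine opts into, but since CONFIGURE_ARGS enables it unconditionally it deserves a sentence in the port's comments so an administrator knows the system openssl.cnf now influences these binaries.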


Property changes on: trunk/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/extra-patch-hpn
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/extra-patch-hpn	2019-01-18 20:36:16 UTC (rev 24804)
@@ -131,11 +131,11 @@
 +	 (tasota at gmail.com) an NSF REU grant recipient for 2013. 
 +	 This work was financed, in part, by Cisco System, Inc., the National 
 +         Library of Medicine, and the National Science Foundation. 
---- work.clean/openssh-6.8p1/channels.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/channels.c	2015-04-03 15:51:59.599537000 -0500
-@@ -183,8 +183,14 @@
- static int connect_next(struct channel_connect *);
- static void channel_connect_ctx_free(struct channel_connect *);
+--- work/openssh-7.7p1/channels.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/channels.c	2018-06-27 16:37:07.663857000 -0700
+@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
+ /* Setup helper */
+ static void channel_handler_init(struct ssh_channels *sc);
  
 +
 +#ifdef HPN_ENABLED
@@ -145,25 +145,23 @@
 +
  /* -- channel core */
  
- Channel *
- channel_by_id(int id)
- {
-@@ -333,6 +339,9 @@
+ void
+@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+ 	c->local_window = window;
  	c->local_window_max = window;
- 	c->local_consumed = 0;
  	c->local_maxpacket = maxpack;
 +#ifdef HPN_ENABLED
 +	c->dynamic_window = 0;
 +#endif
- 	c->remote_id = -1;
  	c->remote_name = xstrdup(remote_name);
- 	c->remote_window = 0;
-@@ -837,11 +846,41 @@
- 		FD_SET(c->sock, writeset);
+ 	c->ctl_chan = -1;
+ 	c->delayed = 1;		/* prevent call to channel_post handler */
+@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
+ 	FD_SET(c->sock, writeset);
  }
  
 +#ifdef HPN_ENABLED
-+static u_int
++static int
 +channel_tcpwinsz(void)
 +{
 +	u_int32_t tcpwinsz = 0;
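Review bot: channel_tcpwinsz's return type is changed from `u_int` to `int` although the value it produces is a `u_int32_t` clamped to SSHBUF_SIZE_MAX and the caller in channel_check_window stores it straight back into a `u_int32_t`; the signed round trip buys nothing and invites sign-conversion warnings on the later compare with `c->local_window_max`. Keep `static u_int channel_tcpwinsz(void)` (or `u_int32_t`, to match the local). The function's body is in the following hunk.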
@@ -172,56 +170,60 @@
 +
 +	/* if we aren't on a socket return 128KB */
 +	if (!packet_connection_is_on_socket())
-+		return (128*1024);
++		return 128 * 1024;
++
 +	ret = getsockopt(packet_get_connection_in(),
-+	    SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-+	/* return no more than SSHBUF_SIZE_MAX */
-+	if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
++			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
++	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
++	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
 +		tcpwinsz = SSHBUF_SIZE_MAX;
-+	debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
-+	    packet_get_connection_in());
-+	return (tcpwinsz);
++
++	debug2("tcpwinsz: tcp connection %d, Receive window: %d",
++	       packet_get_connection_in(), tcpwinsz);
++	return tcpwinsz;
 +}
 +#endif
 +
  static void
- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
- {
- 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
- 
-+#ifdef HPN_ENABLED
-+	/* check buffer limits */
-+	if (!c->tcpwinsz || c->dynamic_window > 0)
-+		c->tcpwinsz = channel_tcpwinsz();
-+
-+	limit = MIN(limit, 2 * c->tcpwinsz);
-+#endif
-+
- 	if (c->istate == CHAN_INPUT_OPEN &&
- 	    limit > 0 &&
- 	    buffer_len(&c->input) < limit &&
-@@ -1846,6 +1885,20 @@
+ channel_pre_open(struct ssh *ssh, Channel *c,
+     fd_set *readset, fd_set *writeset)
+@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
  	    c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
++		u_int addition = 0;
 +#ifdef HPN_ENABLED
++		u_int32_t tcpwinsz = channel_tcpwinsz();
 +		/* adjust max window size if we are in a dynamic environment */
-+		if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
-+			u_int addition = 0;
-+
-+			/*
-+			 * grow the window somewhat aggressively to maintain
-+			 * pressure
-+			 */
-+			addition = 1.5*(c->tcpwinsz - c->local_window_max);
++		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
++			/* grow the window somewhat aggressively to maintain pressure */
++			addition = 1.5 * (tcpwinsz - c->local_window_max);
 +			c->local_window_max += addition;
-+			c->local_consumed += addition;
++			debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
 +		}
 +#endif
- 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
- 		packet_put_int(c->remote_id);
- 		packet_put_int(c->local_consumed);
-@@ -2794,6 +2847,17 @@
+ 		if (!c->have_remote_id)
+ 			fatal(":%s: channel %d: no remote id",
+ 			    __func__, c->self);
+ 		if ((r = sshpkt_start(ssh,
+ 		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
+ 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
+-		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
++		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
+ 		    (r = sshpkt_send(ssh)) != 0) {
+ 			fatal("%s: channel %i: %s", __func__,
+ 			    c->self, ssh_err(r));
+ 		}
+ 		debug2("channel %d: window %d sent adjust %d",
+ 		    c->self, c->local_window,
+-		    c->local_consumed);
+-		c->local_window += c->local_consumed;
++		    c->local_consumed + addition);
++		c->local_window += c->local_consumed + addition;
+ 		c->local_consumed = 0;
+ 	}
+ 	return 1;
+@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
  	return addr;
  }
  
@@ -237,9 +239,9 @@
 +#endif
 +
  static int
- channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
-     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
-@@ -2918,9 +2982,20 @@
+ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
+     struct Forward *fwd, int *allocated_listen_port,
+@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -249,136 +251,111 @@
 +		 * window size.
 +		 */
 +		if (!hpn_disabled)
-+			c = channel_new("port listener", type, sock, sock, -1,
++			c = channel_new(ssh, "port listener", type, sock, sock, -1,
 +			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +			    0, "port listener", 1);
 +		else
 +#endif
- 		c = channel_new("port listener", type, sock, sock, -1,
+ 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
  		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
  		    0, "port listener", 1);
- 		c->path = xstrdup(host);
- 		c->host_port = fwd->connect_port;
- 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-@@ -3952,6 +4027,14 @@
+@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
 +#ifdef HPN_ENABLED
 +		if (!hpn_disabled)
-+			nc = channel_new("x11 listener",
++			nc = channel_new(ssh, "x11 listener",
 +			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 +			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
 +			    0, "X11 inet listener", 1);
 +		else
 +#endif
- 		nc = channel_new("x11 listener",
+ 		nc = channel_new(ssh, "x11 listener",
  		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
  		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
---- work.clean/openssh-6.8p1/channels.h	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/channels.h	2015-04-03 13:58:44.472717000 -0500
-@@ -136,6 +136,10 @@
+--- work/openssh-7.7p1/channels.h.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/channels.h	2018-06-27 16:38:40.766588000 -0700
+@@ -143,6 +143,9 @@ struct Channel {
  	u_int	local_maxpacket;
  	int     extended_usage;
  	int	single_connection;
 +#ifdef HPN_ENABLED
 +	int	dynamic_window;
-+	u_int	tcpwinsz;
 +#endif
  
  	char   *ctype;		/* type */
  
-@@ -311,4 +315,9 @@
- void	 chan_write_failed(Channel *);
- void	 chan_obuf_empty(Channel *);
- 
+@@ -335,5 +338,10 @@ void	 chan_ibuf_empty(struct ssh *, Channel *);
+ void	 chan_rcvd_ieof(struct ssh *, Channel *);
+ void	 chan_write_failed(struct ssh *, Channel *);
+ void	 chan_obuf_empty(struct ssh *, Channel *);
++
 +#ifdef HPN_ENABLED
 +/* hpn handler */
 +void     channel_set_hpn(int, int);
 +#endif
-+
+ 
  #endif
---- work.clean/openssh-6.8p1/cipher.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/cipher.c	2015-04-03 16:22:04.972592000 -0500
-@@ -273,7 +273,13 @@ ciphers_valid(const char *names)
+--- work/openssh-7.7p1/cipher.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/cipher.c	2018-06-27 16:55:43.165788000 -0700
+@@ -212,7 +212,12 @@ ciphers_valid(const char *names)
  	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
  	    (p = strsep(&cp, CIPHER_SEP))) {
  		c = cipher_by_name(p);
--		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-+		if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
 +#ifdef NONE_CIPHER_ENABLED
-+				  c->number != SSH_CIPHER_NONE
++		if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
++		    (c->flags & CFLAG_NONE) != 0)) {
 +#else
-+				  1
+ 		if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
 +#endif
-+				  )) {
  			free(cipher_list);
  			return 0;
  		}
-@@ -605,6 +611,9 @@ cipher_get_keyiv(struct sshcipher_ctx *c
- 
- 	switch (c->number) {
- #ifdef WITH_OPENSSL
-+#ifdef NONE_CIPHER_ENABLED
-+	case SSH_CIPHER_NONE:
-+#endif
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
-@@ -653,6 +662,9 @@ cipher_set_keyiv(struct sshcipher_ctx *c
- 
- 	switch (c->number) {
- #ifdef WITH_OPENSSL
-+#ifdef NONE_CIPHER_ENABLED
-+	case SSH_CIPHER_NONE:
-+#endif
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
---- work.clean/openssh-6.8p1/clientloop.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/clientloop.c	2015-04-03 17:29:40.618489000 -0500
-@@ -1909,6 +1909,15 @@
- 	sock = x11_connect_display();
+--- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
+@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+ 	sock = x11_connect_display(ssh);
  	if (sock < 0)
  		return NULL;
 +#ifdef HPN_ENABLED
 +	/* again is this really necessary for X11? */
 +	if (!options.hpn_disabled)
-+		c = channel_new("x11",
++		c = channel_new(ssh, "x11",
 +		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size,
 +		    CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 +	else
 +#endif
- 	c = channel_new("x11",
+ 	c = channel_new(ssh, "x11",
  	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1934,6 +1943,14 @@
+@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
  			    __func__, ssh_err(r));
  		return NULL;
  	}
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("authentication agent connection",
++		c = channel_new(ssh, "authentication agent connection",
 +		    SSH_CHANNEL_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
 +		    "authentication agent connection", 1);
 +	else
 +#endif
- 	c = channel_new("authentication agent connection",
+ 	c = channel_new(ssh, "authentication agent connection",
  	    SSH_CHANNEL_OPEN, sock, sock, -1,
  	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1964,6 +1981,12 @@
- 		return -1;
+@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
  	}
+ 	debug("Tunnel forwarding using interface %s", ifname);
  
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
++		c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +	else
 +#endif
- 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
  	c->datagram = 1;
 --- work.clean/openssh-6.8p1/compat.c	2015-03-17 00:49:20.000000000 -0500
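Review bot: In ciphers_valid the NONE_CIPHER_ENABLED condition `(c->flags & CFLAG_INTERNAL) != 0 && (c->flags & CFLAG_NONE) != 0` rejects a cipher only when it is both internal and the none cipher, which is the opposite of what the option needs. Under stock 7.9 defines, where CFLAG_INTERNAL is an alias of CFLAG_NONE, it still rejects `none`; if the patch redefines CFLAG_INTERNAL as 0 the whole term is dead; and if the two are distinct bits it rejects exactly `none` and admits every other internal cipher — none of the readings gives "reject internal ciphers except none". The intended test is `if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 && (c->flags & CFLAG_NONE) == 0)) {`; please confirm against the patched cipher.c flag definitions, which are outside this hunk. Since admitting `none` here removes confidentiality for the connection, a comment at this site stating which server/client options must also be set before it is actually negotiated would help the next reader.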
@@ -470,9 +447,9 @@
  		debug("kex: %s cipher: %s MAC: %s compression: %s",
  		    ctos ? "client->server" : "server->client",
  		    newkeys->enc.name,
---- work.clean/openssh-7.2p1/packet.c.orig	2016-02-25 19:40:04.000000000 -0800
-+++ work.clean/openssh-7.2p1/packet.c	2016-02-29 08:05:15.744201000 -0800
-@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+--- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
+@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
  	return 0;
  }
  
@@ -497,11 +474,13 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
+@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
  	/* Peer can't rekey */
  	if (ssh->compat & SSH_BUG_NOREKEY)
  		return 0;
 +#ifdef NONE_CIPHER_ENABLED
++	/* used to force rekeying when called for by the none
++         * cipher switch methods -cjr */
 +        if (rekey_requested == 1) {
 +               rekey_requested = 0;
 +               return 1;
@@ -524,11 +503,21 @@
  /* OLD API */
  extern struct ssh *active_state;
  #include "opacket.h"
---- work/openssh-6.9p1/readconf.c.orig	2015-07-27 13:32:13.169218000 -0500
-+++ work/openssh-6.9p1/readconf.c	2015-07-27 13:33:00.429332000 -0500
-@@ -153,6 +153,12 @@ typedef enum {
- 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- 	oVisualHostKey, oUseRoaming,
+--- work/openssh-7.7p1/readconf.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/readconf.c	2018-06-27 16:58:41.109275000 -0700
+@@ -66,6 +66,9 @@
+ #include "uidswap.h"
+ #include "myproposal.h"
+ #include "digest.h"
++#ifdef HPN_ENABLED
++#include "sshbuf.h"
++#endif
+ 
+ /* Format of the configuration file:
+ 
+@@ -167,6 +170,12 @@ typedef enum {
+ 	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ 	oVisualHostKey,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 +#ifdef HPN_ENABLED
 +	oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
@@ -539,7 +528,7 @@
  	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
  	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -277,6 +283,16 @@ static struct {
+@@ -304,6 +313,16 @@ static struct {
  	{ "updatehostkeys", oUpdateHostkeys },
  	{ "hostbasedkeytypes", oHostbasedKeyTypes },
  	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
@@ -554,9 +543,9 @@
 +	{ "hpnbuffersize", oHPNBufferSize },
 +#endif
  	{ "ignoreunknown", oIgnoreUnknown },
+ 	{ "proxyjump", oProxyJump },
  
- 	{ NULL, oBadOption }
-@@ -906,6 +922,44 @@ parse_time:
+@@ -962,6 +981,44 @@ parse_time:
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
@@ -601,7 +590,7 @@
  	case oVerifyHostKeyDNS:
  		intptr = &options->verify_host_key_dns;
  		multistate_ptr = multistate_yesnoask;
-@@ -1665,6 +1719,16 @@ initialize_options(Options * options)
+@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->request_tty = -1;
@@ -618,7 +607,7 @@
  	options->proxy_use_fdpass = -1;
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
-@@ -1826,6 +1890,35 @@ fill_default_options(Options * options)
+@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
  		options->server_alive_count_max = 3;
@@ -635,11 +624,10 @@
 +		/* if a user tries to set the size to 0 set it to 1KB */
 +		if (options->hpn_buffer_size == 0)
 +			options->hpn_buffer_size = 1;
-+		/* limit the buffer to 64MB */
-+		if (options->hpn_buffer_size > 64*1024) {
-+			options->hpn_buffer_size = 64*1024*1024;
-+			debug("User requested buffer larger than 64MB. Request"
-+			    " reverted to 64MB");
++		/* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
++		if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
++			options->hpn_buffer_size = SSHBUF_SIZE_MAX;
++			debug("User requested buffer larger than 256MB. Request reverted to 256MB");
 +		} else
 +			options->hpn_buffer_size *= 1024;
 +		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
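Review bot: The new debug message hard-codes "256MB" twice while the comment beside it says the limit is "currently" SSHBUF_SIZE_MAX, so the text goes stale the moment sshbuf.h changes; `debug("User requested buffer larger than %u bytes. Request reverted to %u", SSHBUF_SIZE_MAX, SSHBUF_SIZE_MAX);` keeps them in step. The zero check just above still only catches `== 0`: hpn_buffer_size is a signed int, and if this version's parse_int accepts negative values (7.9's atoi_err-based parser rejects them, if that is what is in use) a negative size falls through to the `*= 1024` branch and reaches channel_new as a u_int window; `if (options->hpn_buffer_size <= 0)` makes the clamp independent of the parser. fill_default_options continues outside this hunk.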
@@ -693,9 +681,19 @@
  	struct timeval tv[2];
  
  #define	atime	tv[0]
---- work/openssh/servconf.c.orig	2015-05-29 03:27:21.000000000 -0500
-+++ work/openssh/servconf.c	2015-06-02 09:56:36.041601000 -0500
-@@ -159,6 +159,14 @@ initialize_server_options(ServerOptions 
+--- work/openssh-7.7p1/servconf.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/servconf.c	2018-06-27 17:01:05.276677000 -0700
+@@ -63,6 +63,9 @@
+ #include "auth.h"
+ #include "myproposal.h"
+ #include "digest.h"
++#ifdef HPN_ENABLED
++#include "sshbuf.h"
++#endif
+ 
+ static void add_listen_addr(ServerOptions *, const char *,
+     const char *, int);
+@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
  	options->authorized_principals_file = NULL;
  	options->authorized_principals_command = NULL;
  	options->authorized_principals_command_user = NULL;
@@ -710,7 +708,7 @@
  	options->ip_qos_interactive = -1;
  	options->ip_qos_bulk = -1;
  	options->version_addendum = NULL;
-@@ -319,6 +327,57 @@ fill_default_server_options(ServerOption
+@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
  	}
  	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
@@ -754,9 +752,9 @@
 +		if (options->hpn_disabled <= 0) {
 +			if (options->hpn_buffer_size == 0)
 +				options->hpn_buffer_size = 1;
-+			/* limit the maximum buffer to 64MB */
-+			if (options->hpn_buffer_size > 64*1024) {
-+				options->hpn_buffer_size = 64*1024*1024;
++			/* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
++			if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
++				options->hpn_buffer_size = SSHBUF_SIZE_MAX;
 +			} else {
 +				options->hpn_buffer_size *= 1024;
 +			}
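Review bot: The server-side clamp has the same shape as the client one and the same gap: `if (options->hpn_buffer_size == 0)` does not cover a negative value, which would skip the SSHBUF_SIZE_MAX branch, be multiplied by 1024 and be handed to channel_new as a u_int window; `if (options->hpn_buffer_size <= 0)` closes that regardless of what parse_int accepts. The comment's "(currently 256MB)" restates a number that lives in sshbuf.h and should just say "limit to SSHBUF_SIZE_MAX". fill_default_server_options starts and ends outside this hunk.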
@@ -768,7 +766,7 @@
  	if (options->ip_qos_interactive == -1)
  		options->ip_qos_interactive = IPTOS_LOWDELAY;
  	if (options->ip_qos_bulk == -1)
-@@ -412,6 +471,12 @@ typedef enum {
+@@ -466,6 +528,12 @@ typedef enum {
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sHostCertificate,
  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
@@ -781,7 +779,7 @@
  	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
  	sKexAlgorithms, sIPQoS, sVersionAddendum,
  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-@@ -548,6 +613,14 @@ static struct {
+@@ -603,6 +671,14 @@ static struct {
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
@@ -796,10 +794,11 @@
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
  	{ "ipqos", sIPQoS, SSHCFG_ALL },
  	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-@@ -1153,6 +1226,25 @@ process_server_config_line(ServerOptions
+@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
+ 	case sIgnoreUserKnownHosts:
  		intptr = &options->ignore_user_known_hosts;
  		goto parse_flag;
- 
++
 +#ifdef NONE_CIPHER_ENABLED
 +	case sNoneEnabled:
 +		intptr = &options->none_enabled;
@@ -818,10 +817,9 @@
 +		intptr = &options->hpn_buffer_size;
 +		goto parse_int;
 +#endif
-+
+ 
  	case sHostbasedAuthentication:
  		intptr = &options->hostbased_authentication;
- 		goto parse_flag;
 --- work.clean/openssh-6.8p1/servconf.h	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/servconf.h	2015-04-03 13:48:37.316827000 -0500
 @@ -169,6 +169,15 @@
@@ -840,23 +838,23 @@
  	int	permit_tun;
  
  	int	num_permitted_opens;
---- work.clean/openssh-6.8p1/serverloop.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/serverloop.c	2015-04-03 17:14:15.182548000 -0500
-@@ -526,6 +526,12 @@ server_request_tun(void)
- 	sock = tun_open(tun, mode);
- 	if (sock < 0)
+--- work/openssh-7.7p1/serverloop.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/serverloop.c	2018-06-27 16:53:02.246871000 -0700
+@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
  		goto done;
+ 	debug("Tunnel forwarding using interface %s", ifname);
+ 
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
++		c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
 +		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 +	else
 +#endif
- 	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
  	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
  	c->datagram = 1;
-@@ -563,6 +569,10 @@ server_request_session(void)
- 	c = channel_new("session", SSH_CHANNEL_LARVAL,
+@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
+ 	c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
  	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
  	    0, "server-session", 1);
 +#ifdef HPN_ENABLED
@@ -865,22 +863,22 @@
 +#endif
  	if (session_open(the_authctxt, c->self) != 1) {
  		debug("session open failed, free channel %d", c->self);
- 		channel_free(c);
---- work.clean/openssh-6.8p1/session.c	2015-04-01 22:07:18.149110000 -0500
-+++ work/openssh-6.8p1/session.c	2015-04-03 17:09:02.984097000 -0500
-@@ -2340,6 +2340,14 @@
+ 		channel_free(ssh, c);
+--- work/openssh-7.7p1/session.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/session.c	2018-06-27 17:01:40.730347000 -0700
+@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
  	 */
  	if (s->chanid == -1)
  		fatal("no channel for session %d", s->self);
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
-+		channel_set_fds(s->chanid,
++		channel_set_fds(ssh, s->chanid,
 +		    fdout, fdin, fderr,
 +		    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 +		    1, is_tty, options.hpn_buffer_size);
 +	else
 +#endif
- 	channel_set_fds(s->chanid,
+ 	channel_set_fds(ssh, s->chanid,
  	    fdout, fdin, fderr,
  	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 --- work.clean/openssh-6.8p1/sftp.1	2015-03-17 00:49:20.000000000 -0500
@@ -909,9 +907,9 @@
  
  /* File to read commands from */
  FILE* infile;
---- work.clean/openssh-6.8p1/ssh.c	2015-04-01 22:07:18.166356000 -0500
-+++ work/openssh-6.8p1/ssh.c	2015-04-03 17:16:34.114673000 -0500
-@@ -885,6 +885,14 @@
+--- work/openssh-7.7p1/ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/ssh.c	2018-06-27 17:05:30.011979000 -0700
+@@ -954,6 +954,14 @@ main(int ac, char **av)
  			break;
  		case 'T':
  			options.request_tty = REQUEST_TTY_NO;
@@ -926,20 +924,22 @@
  			break;
  		case 'o':
  			line = xstrdup(optarg);
-@@ -1848,9 +1856,85 @@
- 	if (!isatty(err))
- 		set_nonblock(err);
+@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
+ 	    NULL, fileno(stdin), &command, environ);
+ }
  
-+#ifdef HPN_ENABLED
++static void
++hpn_options_init(void)
++{
 +	/*
-+	 * we need to check to see if what they want to do about buffer
++	 * We need to check to see if what they want to do about buffer
 +	 * sizes here. In a hpn to nonhpn connection we want to limit
 +	 * the window size to something reasonable in case the far side
 +	 * has the large window bug. In hpn to hpn connection we want to
 +	 * use the max window size but allow the user to override it
-+	 * lastly if they disabled hpn then use the ssh std window size
-+
-+	 * so why don't we just do a getsockopt() here and set the
++	 * lastly if they disabled hpn then use the ssh std window size.
++	 *
++	 * So why don't we just do a getsockopt() here and set the
 +	 * ssh window to that? In the case of a autotuning receive
 +	 * window the window would get stuck at the initial buffer
 +	 * size generally less than 96k. Therefore we need to set the
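Review bot: The new `static void hpn_options_init(void)` that replaces the old inline block is no longer wrapped in `#ifdef HPN_ENABLED`; the guard was removed together with the block, while the function's only visible call site (in ssh_session2, later in this patch) is still conditional. A build with HPN_ENABLED undefined therefore gets an unused static function that reads `options.hpn_buffer_size` and `options.tcp_rcv_buf_poll`; if those fields are declared under the same macro, that is a compile error rather than a warning. Re-add `#ifdef HPN_ENABLED` before `static void` and a matching `#endif` after the function's closing brace. The function body continues in the next two hunks.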
@@ -946,51 +946,51 @@
 +	 * maximum ssh window size to the maximum hpn buffer size
 +	 * unless the user has specifically set the tcprcvbufpoll
 +	 * to no. In which case we *can* just set the window to the
-+	 * minimum of the hpn buffer size and tcp receive buffer size
++	 * minimum of the hpn buffer size and tcp receive buffer size.
 +	 */
 +
 +	if (tty_flag)
 +		options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
 +	else
-+		options.hpn_buffer_size = 2*1024*1024;
++		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
 +	if (datafellows & SSH_BUG_LARGEWINDOW) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
-+		socklen_t socksizelen = sizeof(socksize);
-+
++		socklen_t socksizelen;
 +		if (options.tcp_rcv_buf_poll <= 0) {
 +			sock = socket(AF_INET, SOCK_STREAM, 0);
++			socksizelen = sizeof(socksize);
 +			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+			    &socksize, &socksizelen);
++				   &socksize, &socksizelen);
 +			close(sock);
 +			debug("socksize %d", socksize);
 +			options.hpn_buffer_size = socksize;
-+			debug ("HPNBufferSize set to TCP RWIN: %d",
-+			    options.hpn_buffer_size);
++			debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
 +		} else {
 +			if (options.tcp_rcv_buf > 0) {
 +				/*
-+				 * create a socket but don't connect it.
++				 * Create a socket but don't connect it:
 +				 * we use that the get the rcv socket size
 +				 */
 +				sock = socket(AF_INET, SOCK_STREAM, 0);
 +				/*
-+				 * if they are using the tcp_rcv_buf option
-+				 * attempt to set the buffer size to that
++				 * If they are using the tcp_rcv_buf option,
++				 * attempt to set the buffer size to that.
 +				 */
-+				if (options.tcp_rcv_buf)
++				if (options.tcp_rcv_buf) {
++					socksizelen = sizeof(options.tcp_rcv_buf);
 +					setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+					    (void *)&options.tcp_rcv_buf,
-+					    sizeof(options.tcp_rcv_buf));
++						   &options.tcp_rcv_buf, socksizelen);
++				}
++				socksizelen = sizeof(socksize);
 +				getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
-+				    &socksize, &socksizelen);
++					   &socksize, &socksizelen);
 +				close(sock);
 +				debug("socksize %d", socksize);
 +				options.hpn_buffer_size = socksize;
-+				debug ("HPNBufferSize set to user TCPRcvBuf: "
-+				    "%d", options.hpn_buffer_size);
++				debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
 +			}
 +		}
 +	}
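Review bot: Both probing branches in hpn_options_init call `socket()` and then `getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen)` without checking either return value, so when the socket cannot be created or the query fails `socksize` is read uninitialized, logged, and stored as `options.hpn_buffer_size`, which later becomes the channel window. Guard each probe, e.g. `if (sock == -1 || getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen) == -1)` / `	socksize = CHAN_SES_WINDOW_DEFAULT;` and only `close(sock)` when `sock != -1`. The `setsockopt()` in the user-TCPRcvBuf branch also fails silently and deserves at least a `debug()` on error. hpn_options_init starts in the preceding hunk and ends in the following one.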
@@ -997,9 +997,18 @@
 +
 +	debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
 +
++	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
++}
++
+ /* open new channel for a session */
+ static int
+ ssh_session2_open(struct ssh *ssh)
+@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
+ 	if (!isatty(err))
+ 		set_nonblock(err);
+ 
++#ifdef HPN_ENABLED
 +	window = options.hpn_buffer_size;
-+
-+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
 +#else
  	window = CHAN_SES_WINDOW_DEFAULT;
 +#endif
@@ -1012,7 +1021,7 @@
  		window >>= 1;
  		packetmax >>= 1;
  	}
-@@ -1859,6 +1943,12 @@
+@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
  	    "client-session", /*nonblock*/0);
  
@@ -1022,17 +1031,47 @@
 +		debug ("Enabled Dynamic Window Scaling");
 +	}
 +#endif
- 	debug3("ssh_session2_open: channel_new: %d", c->self);
+ 	debug3("%s: channel_new: %d", __func__, c->self);
  
- 	channel_send_open(c->self);
---- work.clean/openssh-6.8p1/sshconnect.c	2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sshconnect.c	2015-04-03 16:32:38.204744000 -0500
-@@ -266,6 +266,31 @@
- 		kill(proxy_command_pid, SIGHUP);
+ 	channel_send_open(ssh, c->self);
+@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
+ {
+ 	int devnull, id = -1;
+ 	char *cp, *tun_fwd_ifname = NULL;
++
++#ifdef HPN_ENABLED
++	/*
++	 * We need to initialize this early because the forwarding logic below
++	 * might open channels that use the hpn buffer sizes.  We can't send a
++	 * window of -1 (the default) to the server as it breaks things.
++	 */
++	hpn_options_init();
++#endif
+ 
+ 	/* XXX should be pre-session */
+ 	if (!options.control_persist)
+--- work/openssh-7.7p1/sshbuf.h.orig	2018-06-27 16:11:24.503058000 -0700
++++ work/openssh-7.7p1/sshbuf.h	2018-06-27 16:12:01.359375000 -0700
+@@ -28,7 +28,11 @@
+ # endif /* OPENSSL_HAS_ECC */
+ #endif /* WITH_OPENSSL */
+ 
++#ifdef HPN_ENABLED
++#define SSHBUF_SIZE_MAX		0xF000000	/* Hard maximum size 256MB */
++#else
+ #define SSHBUF_SIZE_MAX		0x8000000	/* Hard maximum size */
++#endif
+ #define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
+ #define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
+ #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
+--- work/openssh/sshconnect.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ work/openssh/sshconnect.c	2018-11-12 09:04:24.340706000 -0800
+@@ -327,7 +327,32 @@ check_ifaddrs(const char *ifname, int af, const struct
  }
+ #endif
  
 +#ifdef HPN_ENABLED
-+/*
+ /*
 + * Set TCP receive buffer if requested.
 + * Note: tuning needs to happen after the socket is
 + * created but before the connection happens
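Review bot: The comment on the HPN value of `SSHBUF_SIZE_MAX` says `Hard maximum size 256MB`, but `0xF000000` is 240 MiB (0x10000000 would be 256 MiB). Correct either the constant or the comment, and since this macro is the hard ceiling on how large a single sshbuf may grow — including buffers fed by a remote peer — state the reason for raising it (presumably to hold the larger HPN channel windows), e.g. `/* HPN: hard maximum size, 240 MiB, so HPN-sized channel windows fit */`. This section also adds the early `hpn_options_init()` call in ssh_session2, whose body continues outside the hunk.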
@@ -1056,10 +1095,11 @@
 +}
 +#endif
 +
- /*
-  * Creates a (possibly privileged) socket for use as the ssh connection.
++/*
+  * Creates a socket for use as the ssh connection.
   */
-@@ -282,6 +307,11 @@
+ static int
+@@ -349,6 +374,11 @@ ssh_create_socket(struct addrinfo *ai)
  	}
  	fcntl(sock, F_SETFD, FD_CLOEXEC);
  
@@ -1069,54 +1109,42 @@
 +#endif
 +
  	/* Bind the socket to an alternative local IP address */
- 	if (options.bind_address == NULL && !privileged)
+ 	if (options.bind_address == NULL && options.bind_interface == NULL)
  		return sock;
-@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i
+@@ -608,8 +638,14 @@ static void
+ send_client_banner(int connection_out, int minor1)
  {
  	/* Send our own protocol version identification. */
- 	if (compat20) {
--		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
-+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
++	xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
-+		    options.hpn_disabled ? "" : SSH_HPN
++	    options.hpn_disabled ? "" : SSH_HPN
 +#else
-+		    ""
++	    ""
 +#endif
-+		    );
- 	} else {
--		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
--		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n",
-+		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION,
-+#ifdef HPN_ENABLED
-+		    options.hpn_disabled ? "" : SSH_HPN
-+#else
-+		    ""
-+#endif
-+		    );
- 	}
- 	if (roaming_atomicio(vwrite, connection_out, client_version_string,
++	);
+ 	if (atomicio(vwrite, connection_out, client_version_string,
  	    strlen(client_version_string)) != strlen(client_version_string))
---- work.clean/openssh-7.2p1/sshconnect2.c.orig	2016-02-25 19:40:04.000000000 -0800
-+++ work.clean/openssh-7.2p1/sshconnect2.c	2016-02-29 08:06:31.134954000 -0800
-@@ -81,6 +81,14 @@
+ 		fatal("write: %.100s", strerror(errno));
+--- work/openssh/sshconnect2.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ work/openssh/sshconnect2.c	2018-11-12 09:06:06.338515000 -0800
+@@ -81,7 +81,13 @@
  extern char *client_version_string;
  extern char *server_version_string;
  extern Options options;
 +#ifdef NONE_CIPHER_ENABLED
-+struct kex *xxx_kex;
-+
 +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
 +/* if it is set then prevent the switch to the null cipher */
-+
+ 
 +extern int tty_flag;
 +#endif
- 
++
  /*
   * SSH2 key exchange
-@@ -154,14 +162,17 @@ order_hostkeyalgs(char *host, struct soc
+  */
+@@ -154,10 +160,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
  	return ret;
  }
  
@@ -1126,27 +1154,19 @@
  ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
- 	char *s;
+ 	char *s, *all_key;
  	struct kex *kex;
  	int r;
- 
-+	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
-+
+@@ -165,6 +172,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_shor
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
-@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
- 	packet_send();
- 	packet_write_wait();
- #endif
-+#ifdef NONE_CIPHER_ENABLED
-+	xxx_kex = kex;
-+#endif
- }
++	memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
+ 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
+ 		fatal("%s: kex_names_cat", __func__);
+ 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+@@ -412,6 +420,30 @@ ssh_userauth2(const char *local_user, const char *serv
  
- /*
-@@ -407,6 +421,29 @@ ssh_userauth2(const char *local_user, co
- 
  	if (!authctxt.success)
  		fatal("Authentication failed.");
 +#ifdef NONE_CIPHER_ENABLED
@@ -1159,9 +1179,10 @@
 +	if ((options.none_switch == 1) && (options.none_enabled == 1)) {
 +		if (!tty_flag) { /* no null on tty sessions */
 +			debug("Requesting none rekeying...");
++			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
 +			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
 +			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
-+			kex_prop2buf(xxx_kex->my, myproposal);
++			kex_prop2buf(active_state->kex->my, myproposal);
 +			packet_request_rekeying();
 +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
 +		} else {
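Review bot: The added `memcpy(&myproposal, &myproposal_default, sizeof(myproposal))` resets the whole proposal to compile-time defaults before only the two `PROPOSAL_ENC_ALGS_*` slots are set to `"none"`, so the rekey proposal passed to `kex_prop2buf(active_state->kex->my, myproposal)` no longer carries the option-derived entries that ssh_kex2 installs after its own memcpy (the `compat_kex_proposal` assignment is visible in the previous hunk; the rest of that block is not). Unless that is intended, the rekey should start from the proposal ssh_kex2 built and overwrite only the encryption slots; at minimum add a comment stating that configured KexAlgorithms and MACs are not applied to the none-cipher rekey. The enclosing `#ifdef NONE_CIPHER_ENABLED` block starts in the previous hunk.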
@@ -1175,14 +1196,14 @@
  	debug("Authentication succeeded (%s).", authctxt.method->name);
  }
  
---- work.clean/openssh-7.1p1/sshd.c.orig	2015-08-20 21:49:03.000000000 -0700
-+++ work.clean/openssh-7.1p1/sshd.c	2015-11-11 12:45:48.202186000 -0800
-@@ -373,8 +373,13 @@ sshd_exchange_identification(struct ssh 
+--- work/openssh-7.7p1/sshd.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/sshd.c	2018-06-27 17:13:03.176633000 -0700
+@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
  	char buf[256];			/* Must not be larger than remote_version. */
  	char remote_version[256];	/* Must be at least as big as buf. */
  
--	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+-	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
++	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n",
  	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
 +	    options.hpn_disabled ? "" : SSH_HPN,
@@ -1190,10 +1211,10 @@
 +	    "",
 +#endif
  	    *options.version_addendum == '\0' ? "" : " ",
- 	    options.version_addendum, newline);
+ 	    options.version_addendum);
  
-@@ -1027,6 +1032,10 @@ server_listen(void)
- 	int ret, listen_sock, on = 1;
+@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
+ 	int ret, listen_sock;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 +#ifdef HPN_ENABLED
@@ -1201,9 +1222,9 @@
 +	socklen_t socksizelen = sizeof(socksize);
 +#endif
  
- 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
+ 	for (ai = la->addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1067,6 +1076,13 @@ server_listen(void)
+@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
  
  		debug("Bind to port %s on %s.", strport, ntop);
  
@@ -1217,7 +1238,7 @@
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -1591,6 +1607,15 @@ main(int ac, char **av)
+@@ -1634,6 +1650,15 @@ main(int ac, char **av)
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
@@ -1233,9 +1254,9 @@
  	/* challenge-response is implemented via keyboard interactive */
  	if (options.challenge_response_authentication)
  		options.kbd_interactive_authentication = 1;
-@@ -2085,6 +2110,11 @@ main(int ac, char **av)
- 	}
- #endif
+@@ -2047,6 +2072,11 @@ main(int ac, char **av)
+ 	    rdomain == NULL ? "" : "\"");
+ 	free(laddr);
  
 +#ifdef HPN_ENABLED
 +	/* set the HPN options for the child */
@@ -1243,20 +1264,20 @@
 +#endif
 +
  	/*
- 	 * In privilege separation, we fork another child and prepare
- 	 * file descriptor passing.
-@@ -2163,6 +2193,11 @@ do_ssh2_kex(void)
+ 	 * We don't want to listen forever unless the other side
+ 	 * successfully authenticates itself.  So we set up an alarm which is
+@@ -2212,6 +2242,11 @@ do_ssh2_kex(void)
+ 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
  	struct kex *kex;
  	int r;
- 
++
 +#ifdef NONE_CIPHER_ENABLED
 +        if (options.none_enabled == 1)
 +                debug ("WARNING: None cipher enabled");
 +#endif
-+
+ 
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
  	    options.kex_algorithms);
- 	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
 @@ -111,6 +111,20 @@ AuthorizedKeysFile	.ssh/authorized_keys
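Review bot: The NONE_CIPHER_ENABLED block in do_ssh2_kex logs `WARNING: None cipher enabled` with `debug()`, so at the default server LogLevel an administrator never sees that the daemon will accept an unencrypted session cipher; the message's own wording calls for `logit()` or `error()`. The block is also indented with eight spaces and written `debug (` with a space before the parenthesis, where the rest of this patch uses tabs and `debug(`; match the file: `	if (options.none_enabled == 1)` / `		logit("WARNING: None cipher enabled");`. These lines are context the commit only moves a blank line around, so this is a pre-existing issue in the patch rather than new here.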
@@ -1280,11 +1301,10 @@
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #	X11Forwarding no
---- work.clean/openssh-6.8p1/version.h	2015-04-01 22:07:18.258955000 -0500
-+++ work/openssh-6.8p1/version.h	2015-04-02 16:51:25.209617000 -0500
-@@ -3,4 +3,5 @@
- #define SSH_VERSION	"OpenSSH_6.8"
+--- work/openssh-7.7p1/version.h.orig	2018-04-01 22:38:28.000000000 -0700
++++ work/openssh-7.7p1/version.h	2018-06-27 17:13:57.263086000 -0700
+@@ -4,3 +4,4 @@
  
  #define SSH_PORTABLE	"p1"
  #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN         "-hpn14v5"
++#define SSH_HPN         "-hpn14v15"

Added: trunk/security/openssh-portable/files/extra-patch-hpn-compat
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-hpn-compat	                        (rev 0)
+++ trunk/security/openssh-portable/files/extra-patch-hpn-compat	2019-01-18 20:36:16 UTC (rev 24804)
@@ -0,0 +1,46 @@
+------------------------------------------------------------------------
+r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
+Changed paths:
+   M /head/crypto/openssh/servconf.c
+
+Instead of removing the NoneEnabled option, mark it as unsupported.
+(should have done this in r291198, but didn't think of it until now)
+
+------------------------------------------------------------------------
+------------------------------------------------------------------------
+r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
+Changed paths:
+   M /head/crypto/openssh/readconf.c
+
+r294563 was incomplete; re-add the client-side options as well.
+
+------------------------------------------------------------------------
+
+--- readconf.c.orig	2017-10-12 12:18:59.927293000 -0700
++++ readconf.c	2017-10-12 12:19:45.048532000 -0700
+@@ -305,6 +305,12 @@ static struct {
+ 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+ 	{ "ignoreunknown", oIgnoreUnknown },
+ 	{ "proxyjump", oProxyJump },
++	{ "hpndisabled", oDeprecated },
++	{ "hpnbuffersize", oDeprecated },
++	{ "tcprcvbufpoll", oDeprecated },
++	{ "tcprcvbuf", oDeprecated },
++	{ "noneenabled", oUnsupported },
++	{ "noneswitch", oUnsupported },
+ 
+ 	{ NULL, oBadOption }
+ };
+--- servconf.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ servconf.c	2018-11-10 11:32:09.835817000 -0800
+@@ -645,6 +645,10 @@ static struct {
+ 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
+ 	{ "rdomain", sRDomain, SSHCFG_ALL },
+ 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
++	{ "noneenabled", sUnsupported, SSHCFG_ALL },
++	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
++	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
++	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
+ 	{ NULL, sBadOption, 0 }
+ };
+ 
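Review bot: The readconf.c part of this new compat patch carries a 2017-10-12 header while the servconf.c part was regenerated against 2018-10-16 sources, so the client-side hunk (the `oDeprecated`/`oUnsupported` rows after `proxyjump`) appears not to have been refreshed for 7.9p1; please confirm it applies without fuzz. A line in the preamble naming the OpenSSH release each hunk was taken against would make the next update easier.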


Property changes on: trunk/security/openssh-portable/files/extra-patch-hpn-compat
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/extra-patch-tcpwrappers
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-tcpwrappers	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/extra-patch-tcpwrappers	2019-01-18 20:36:16 UTC (rev 24804)
@@ -35,15 +35,15 @@
  .Xr sshd_config 5 ,
 diff --git sshd.c sshd.c
 index 0ade557..045f149 100644
---- sshd.c
-+++ sshd.c
+--- sshd.c.orig	2018-04-04 15:34:54.865684000 -0700
++++ sshd.c	2018-04-04 15:40:20.964130000 -0700
 @@ -1,4 +1,4 @@
--/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */
+-/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */
 +/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */
  /*
   * Author: Tatu Ylonen <ylo at cs.hut.fi>
   * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
-@@ -123,6 +123,13 @@
+@@ -131,6 +131,13 @@
  #include "version.h"
  #include "ssherr.h"
  
@@ -57,10 +57,11 @@
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-@@ -1971,6 +1978,24 @@ main(int ac, char **av)
- #ifdef SSH_AUDIT_EVENTS
- 	audit_connection_from(remote_ip, remote_port);
+@@ -2072,6 +2079,25 @@ main(int ac, char **av)
  #endif
+ 
+ 	rdomain = ssh_packet_rdomain_in(ssh);
++
 +#ifdef LIBWRAP
 +	allow_severity = options.log_facility|LOG_INFO;
 +	deny_severity = options.log_facility|LOG_WARNING;
@@ -84,11 +85,11 @@
  	laddr = get_local_ipaddr(sock_in);
 diff --git configure.ac configure.ac
 index f48ba4a..66fbe82 100644
---- configure.ac
-+++ configure.ac
-@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey],
- 	]
- )
+--- configure.ac.orig	2018-10-16 17:01:20.000000000 -0700
++++ configure.ac	2018-11-10 11:29:32.626326000 -0800
+@@ -1493,6 +1493,62 @@ else
+ 	AC_MSG_RESULT([no])
+ fi
  
 +# Check whether user wants TCP wrappers support
 +TCPW_MSG="no"
@@ -149,11 +150,11 @@
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4803,6 +4859,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -5305,6 +5361,7 @@ echo "                       PAM support: $PAM_MSG"
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
+ echo "                   libldns support: $LDNS_MSG"

Modified: trunk/security/openssh-portable/files/extra-patch-x509-glue
===================================================================
--- trunk/security/openssh-portable/files/extra-patch-x509-glue	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/extra-patch-x509-glue	2019-01-18 20:36:16 UTC (rev 24804)
@@ -1,39 +1,152 @@
---- session.c.orig	2017-01-12 11:58:30.754769000 -0800
-+++ session.c	2017-01-12 11:58:35.360654000 -0800
-@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she
- 	if (getenv("TZ"))
- 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+--- sshd_config.5.orig	2017-10-12 11:51:06.638814000 -0700
++++ sshd_config.5	2017-10-12 11:51:33.780459000 -0700
+@@ -1682,7 +1682,57 @@ is set to
+ then the pre-authentication unprivileged process is subject to additional
+ restrictions.
+ The default is
+-.Cm sandbox .
++.Cm no .
++.It Cm VersionAddendum
++Optionally specifies additional text to append to the SSH protocol banner
++sent by the server upon connection.
++The default is
++.Cm none .
++.It Cm X11DisplayOffset
++Specifies the first display number available for
++.Xr sshd 8 Ns 's
++X11 forwarding.
++This prevents sshd from interfering with real X11 servers.
++The default is 10.
++.It Cm X11Forwarding
++Specifies whether X11 forwarding is permitted.
++The argument must be
++.Cm yes
++or
++.Cm no .
++The default is
++.Cm no .
++.Pp
++When X11 forwarding is enabled, there may be additional exposure to
++the server and to client displays if the
++.Xr sshd 8
++proxy display is configured to listen on the wildcard address (see
++.Cm X11UseLocalhost ) ,
++though this is not the default.
++Additionally, the authentication spoofing and authentication data
++verification and substitution occur on the client side.
++The security risk of using X11 forwarding is that the client's X11
++display server may be exposed to attack when the SSH client requests
++forwarding (see the warnings for
++.Cm ForwardX11
++in
++.Xr ssh_config 5 ) .
++A system administrator may have a stance in which they want to
++protect clients that may expose themselves to attack by unwittingly
++requesting X11 forwarding, which can warrant a
++.Cm no
++setting.
++.Pp
++Note that disabling X11 forwarding does not prevent users from
++forwarding X11 traffic, as users can always install their own forwarders.
++.It Cm X11UseLocalhost
++Specifies whether
++.Xr sshd 8
++should bind the X11 forwarding server to the loopback address or to
++the wildcard address.
++By default,
++sshd binds the forwarding server to the loopback address and sets the
++hostname part of the
+ .It Cm VACertificateFile
+ File with X.509 certificates in PEM format concatenated together.
+ In use when
+@@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when
+ .Cm VAType
+ is set to
+ .Cm ocspspec .
+-.It Cm VersionAddendum
+-Optionally specifies additional text to append to the SSH protocol banner
+-sent by the server upon connection.
+-The default is
+-.Cm none .
+-.It Cm X11DisplayOffset
+-Specifies the first display number available for
+-.Xr sshd 8 Ns 's
+-X11 forwarding.
+-This prevents sshd from interfering with real X11 servers.
+-The default is 10.
+-.It Cm X11Forwarding
+-Specifies whether X11 forwarding is permitted.
+-The argument must be
+-.Cm yes
+-or
+-.Cm no .
+-The default is
+-.Cm no .
+-.Pp
+-When X11 forwarding is enabled, there may be additional exposure to
+-the server and to client displays if the
+-.Xr sshd 8
+-proxy display is configured to listen on the wildcard address (see
+-.Cm X11UseLocalhost ) ,
+-though this is not the default.
+-Additionally, the authentication spoofing and authentication data
+-verification and substitution occur on the client side.
+-The security risk of using X11 forwarding is that the client's X11
+-display server may be exposed to attack when the SSH client requests
+-forwarding (see the warnings for
+-.Cm ForwardX11
+-in
+-.Xr ssh_config 5 ) .
+-A system administrator may have a stance in which they want to
+-protect clients that may expose themselves to attack by unwittingly
+-requesting X11 forwarding, which can warrant a
+-.Cm no
+-setting.
+-.Pp
+-Note that disabling X11 forwarding does not prevent users from
+-forwarding X11 traffic, as users can always install their own forwarders.
+-.It Cm X11UseLocalhost
+-Specifies whether
+-.Xr sshd 8
+-should bind the X11 forwarding server to the loopback address or to
+-the wildcard address.
+-By default,
+-sshd binds the forwarding server to the loopback address and sets the
+-hostname part of the
+ .Ev DISPLAY
+ environment variable to
+ .Cm localhost .
+--- openbsd-compat/port-net.c	2018-06-26 15:18:43.551904000 -0700
++++ openbsd-compat/port-net.c.orig	2018-04-01 22:38:28.000000000 -0700
+@@ -186,8 +185,8 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 	else
+ 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
  
--#ifdef __ANDROID__
--{
--#define COPY_ANDROID_ENV(name)	{			\
--	char *s = getenv(name);				\
--	if (s)	child_set_env(&env, &envsize, name, s); }
--
--	/* from /init.rc */
--	COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
--	COPY_ANDROID_ENV("ANDROID_ROOT");
--	COPY_ANDROID_ENV("ANDROID_ASSETS");
--	COPY_ANDROID_ENV("ANDROID_DATA");
--	COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
--	COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
--	COPY_ANDROID_ENV("BOOTCLASSPATH");
--
--	/* FIXME: keep android property workspace open
--	 * (see openbsd-compat/bsd-closefrom.c)
--	 */
--	COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
--
--	COPY_ANDROID_ENV("EXTERNAL_STORAGE");		/* ??? */
--	COPY_ANDROID_ENV("SECONDARY_STORAGE");		/* ??? */
--	COPY_ANDROID_ENV("SD_EXT_DIRECTORY");		/* ??? */
--
--	/* may contain path to custom libraries */
--	COPY_ANDROID_ENV("LD_LIBRARY_PATH");
--#undef COPY_ANDROID_ENV
--}
--#endif
--
- 	/* Set custom environment options from RSA authentication. */
- 	while (custom_environment) {
- 		struct envstring *ce = custom_environment;
+-	if (ifname != NULL)
+-		*ifname = xstrdup(ifr.ifr_name);
++	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++		goto failed;
+ 
+ 	return (fd);
+ 
+@@ -273,8 +272,8 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 			goto failed;
+ 	}
+ 
+-	if (ifname != NULL)
+-		*ifname = xstrdup(ifr.ifr_name);
++	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++		goto failed;
+ 
+ 	close(sock);
+ 	return (fd);
+--- ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ ssh.c	2018-06-26 15:22:02.947595000 -0700
+@@ -1411,6 +1323,7 @@ main(int ac, char **av)
+ 		    (char *)NULL);
+ 		free(cp);
+ 	}
++	free(conn_hash_hex);
+ 
+ 	if (config_test) {
+ 		dump_client_config(&options, host);
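Review bot: The port-net.c part of this glue reintroduces `if (ifname != NULL && (*ifname = strdup(ifr.ifr_name))) goto failed;` in both sys_tun_open variants, which jumps to `failed` exactly when strdup succeeds and continues with `*ifname == NULL` when it fails; the correct test is `(*ifname = strdup(ifr.ifr_name)) == NULL`. The header pair (`--- openbsd-compat/port-net.c` / `+++ openbsd-compat/port-net.c.orig`, the .orig dated 2018-04-01 like the 7.7p1 files elsewhere in this commit) suggests a reversed diff prepared to make the X.509 patch apply to 7.7p1, so it may not match 7.9p1's port-net.c at all; please confirm it still applies and that the tunnel path keeps the `== NULL` form. The sshd_config.5 reordering in the same section is documentation only.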

Modified: trunk/security/openssh-portable/files/patch-auth2.c
===================================================================
--- trunk/security/openssh-portable/files/patch-auth2.c	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-auth2.c	2019-01-18 20:36:16 UTC (rev 24804)
@@ -5,32 +5,32 @@
 
 Apply class-imposed login restrictions.
 
---- auth2.c.orig	2012-12-02 16:53:20.000000000 -0600
-+++ auth2.c	2013-05-22 17:21:37.979631466 -0500
-@@ -46,6 +46,7 @@
- #include "key.h"
+--- auth2.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ auth2.c	2018-11-10 11:35:07.816193000 -0800
+@@ -48,6 +48,7 @@
+ #include "sshkey.h"
  #include "hostfile.h"
  #include "auth.h"
 +#include "canohost.h"
  #include "dispatch.h"
  #include "pathnames.h"
- #include "buffer.h"
-@@ -216,6 +217,14 @@ input_userauth_request(int type, u_int32
- 	Authmethod *m = NULL;
+ #include "sshbuf.h"
+@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct
  	char *user, *service, *method, *style = NULL;
  	int authenticated = 0;
+ 	double tstart = monotime_double();
 +#ifdef HAVE_LOGIN_CAP
-+	struct ssh *ssh = active_state; /* XXX */
 +	login_cap_t *lc;
 +	const char *from_host, *from_ip;
-+
+ 
 +	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
 +	from_ip = ssh_remote_ipaddr(ssh);
 +#endif
- 
++
  	if (authctxt == NULL)
  		fatal("input_userauth_request: no authctxt");
-@@ -262,6 +271,27 @@ input_userauth_request(int type, u_int32
+ 
+@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct
  		    "(%s,%s) -> (%s,%s)",
  		    authctxt->user, authctxt->service, user, service);
  	}
@@ -56,5 +56,5 @@
 +#endif  /* HAVE_LOGIN_CAP */
 +
  	/* reset state */
- 	auth2_challenge_stop(authctxt);
+ 	auth2_challenge_stop(ssh);
  

Modified: trunk/security/openssh-portable/files/patch-configure.ac
===================================================================
--- trunk/security/openssh-portable/files/patch-configure.ac	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-configure.ac	2019-01-18 20:36:16 UTC (rev 24804)
@@ -1,6 +1,6 @@
---- configure.ac.intermediate	2016-02-03 22:06:00 UTC
+--- configure.ac.orig	2017-04-08 02:15:16 UTC
 +++ configure.ac
-@@ -1543,7 +1543,7 @@ AC_ARG_WITH([libedit],
+@@ -1544,7 +1545,7 @@ AC_ARG_WITH([libedit],
  			LIBEDIT=`$PKGCONFIG --libs libedit`
  			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
  		else

Deleted: trunk/security/openssh-portable/files/patch-misc.c
===================================================================
--- trunk/security/openssh-portable/files/patch-misc.c	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-misc.c	2019-01-18 20:36:16 UTC (rev 24804)
@@ -1,43 +0,0 @@
-------------------------------------------------------------------------
-r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
-Changed paths:
-   M /head/crypto/openssh/readconf.c
-
-Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
-Submitted upstream, no reaction.
-
-Submitted by:   delphij@
-[rewritten for 7.4 by bdrewery@]
-
---- misc.c.orig	2017-01-12 11:54:41.058558000 -0800
-+++ misc.c	2017-01-12 11:55:16.531356000 -0800
-@@ -56,6 +56,8 @@
- #include <net/if.h>
- #endif
- 
-+#include <sys/sysctl.h>
-+
- #include "xmalloc.h"
- #include "misc.h"
- #include "log.h"
-@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, 
- int
- bind_permitted(int port, uid_t uid)
- {
--	if (port < IPPORT_RESERVED && uid != 0)
-+	int ipport_reserved;
-+#ifdef __FreeBSD__
-+	size_t len_ipport_reserved = sizeof(ipport_reserved);
-+
-+	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
-+		ipport_reserved = IPPORT_RESERVED;
-+	else
-+		ipport_reserved++;
-+#else
-+	ipport_reserved = IPPORT_RESERVED;
-+#endif
-+	if (port < ipport_reserved && uid != 0)
- 		return 0;
- 	return 1;
- }

Modified: trunk/security/openssh-portable/files/patch-servconf.c
===================================================================
--- trunk/security/openssh-portable/files/patch-servconf.c	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-servconf.c	2019-01-18 20:36:16 UTC (rev 24804)
@@ -1,23 +1,34 @@
---- servconf.c.orig	2015-08-17 20:37:29.913831000 UTC
-+++ servconf.c	2015-08-17 20:37:29.950132000 -0700
-@@ -57,6 +57,7 @@
- #include "auth.h"
- #include "myproposal.h"
- #include "digest.h"
+r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
+Changed paths:
+   M /head/crypto/openssh/myproposal.h
+   M /head/crypto/openssh/readconf.c
+   M /head/crypto/openssh/servconf.c
+
+Apply FreeBSD's configuration defaults.
+
+--- servconf.c.orig	2018-06-27 17:18:19.513676000 -0700
++++ servconf.c	2018-06-27 17:19:38.133882000 -0700
+@@ -41,6 +41,7 @@
+ #include <util.h>
+ #endif
+ 
 +#include "version.h"
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+ #include "ssh.h"
+@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options)
  
- static void add_listen_addr(ServerOptions *, char *, int);
- static void add_one_listen_addr(ServerOptions *, char *, int);
-@@ -193,7 +194,7 @@ fill_default_server_options(ServerOption
- 
  	/* Portable-specific options */
  	if (options->use_pam == -1)
--		options->use_pam = 0;
++#ifdef USE_PAM
 +		options->use_pam = 1;
++#else
+ 		options->use_pam = 0;
++#endif
  
  	/* Standard Options */
- 	if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -242,7 +243,7 @@ fill_default_server_options(ServerOption
+ 	if (options->num_host_key_files == 0) {
+@@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options)
  	if (options->print_lastlog == -1)
  		options->print_lastlog = 1;
  	if (options->x11_forwarding == -1)
@@ -26,9 +37,9 @@
  	if (options->x11_display_offset == -1)
  		options->x11_display_offset = 10;
  	if (options->x11_use_localhost == -1)
-@@ -288,7 +289,11 @@ fill_default_server_options(ServerOption
+@@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options)
  	if (options->gss_strict_acceptor == -1)
- 		options->gss_strict_acceptor = 0;
+ 		options->gss_strict_acceptor = 1;
  	if (options->password_authentication == -1)
 +#ifdef USE_PAM
 +		options->password_authentication = 0;

Added: trunk/security/openssh-portable/files/patch-serverloop.c
===================================================================
--- trunk/security/openssh-portable/files/patch-serverloop.c	                        (rev 0)
+++ trunk/security/openssh-portable/files/patch-serverloop.c	2019-01-18 20:36:16 UTC (rev 24804)
@@ -0,0 +1,43 @@
+------------------------------------------------------------------------
+r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
+Changed paths:
+   M /head/crypto/openssh/readconf.c
+
+Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
+Submitted upstream, no reaction.
+
+Submitted by:   delphij@
+[rewritten for 7.4 by bdrewery@]
+
+--- serverloop.c.orig	2018-11-10 11:38:16.728617000 -0800
++++ serverloop.c	2018-11-10 11:38:19.497300000 -0800
+@@ -55,6 +55,8 @@
+ #include <unistd.h>
+ #include <stdarg.h>
+ 
++#include <sys/sysctl.h>
++
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+ #include "packet.h"
+@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid)
+ {
+ 	if (use_privsep)
+ 		return 1; /* allow system to decide */
+-	if (port < IPPORT_RESERVED && uid != 0)
++	int ipport_reserved;
++#ifdef __FreeBSD__
++	size_t len_ipport_reserved = sizeof(ipport_reserved);
++
++	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
++	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
++		ipport_reserved = IPPORT_RESERVED;
++	else
++		ipport_reserved++;
++#else
++	ipport_reserved = IPPORT_RESERVED;
++#endif
++	if (port < ipport_reserved && uid != 0)
+ 		return 0;
+ 	return 1;
+ }
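Review bot: `#include <sys/sysctl.h>` is added unconditionally at the top of serverloop.c while its only consumer, the sysctlbyname() call in bind_permitted(), sits under `#ifdef __FreeBSD__`; putting the include under the same guard keeps the two in step, and it is worth confirming that the MidnightBSD build defines `__FreeBSD__`, since otherwise the `#else` branch silently falls back to IPPORT_RESERVED and net.inet.ip.portrange.reservedhigh is never consulted. The declaration `int ipport_reserved;` now follows the `if (use_privsep) return 1;` statement, which compiles as C99 but departs from the declarations-at-top style of the surrounding function; moving it above the early return avoids that. The provenance header still lists `M /head/crypto/openssh/readconf.c` and "rewritten for 7.4" although the patch now targets bind_permitted() in serverloop.c, so the header should be updated to name the file it actually modifies.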


Property changes on: trunk/security/openssh-portable/files/patch-serverloop.c
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/security/openssh-portable/files/patch-session.c
===================================================================
--- trunk/security/openssh-portable/files/patch-session.c	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-session.c	2019-01-18 20:36:16 UTC (rev 24804)
@@ -10,9 +10,9 @@
 Sponsored by:   DARPA, NAI Labs
 
 
---- session.c	2013-03-14 19:22:37 UTC
-+++ session.c
-@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she
+--- session.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ session.c	2018-11-10 11:45:14.645263000 -0800
+@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	struct passwd *pw = s->pw;
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
  	char *path = NULL;
@@ -22,7 +22,7 @@
  #endif
  
  	/* Initialize the environment. */
-@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she
+@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	}
  #endif
  
@@ -32,7 +32,7 @@
  #ifdef GSSAPI
  	/* Allow any GSSAPI methods that we've used to alter
  	 * the childs environment as they see fit
-@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she
+@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
  #endif
  	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -50,7 +50,7 @@
 +	*environ = NULL;
 +	(void) setusercontext(lc, pw, pw->pw_uid,
 +	    LOGIN_SETENV|LOGIN_SETPATH);
-+	copy_environment(environ, &env, &envsize);
++	copy_environment_blacklist(environ, &env, &envsize, NULL);
 +	for (var = environ; *var != NULL; ++var)
 +		free(*var);
 +	free(environ);
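Review bot: `copy_environment_blacklist(environ, &env, &envsize, NULL);` passes a NULL blacklist, so every variable that setusercontext(LOGIN_SETENV|LOGIN_SETPATH) placed in environ is copied into the session environment unfiltered, and nothing in the patch records whether that is intentional. If upstream's copy_environment() wrapper still exists and is just a NULL-blacklist call, using it directly keeps the port patch smaller; otherwise a one-line comment such as `/* environ was populated by setusercontext() above; no blacklist is applied on purpose */` would stop a future rebase from second-guessing the NULL. The enclosing do_setup_env() starts and ends outside this hunk.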
@@ -58,7 +58,7 @@
  #else /* HAVE_LOGIN_CAP */
  # ifndef HAVE_CYGWIN
  	/*
-@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she
+@@ -1082,11 +1098,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
@@ -70,11 +70,7 @@
  
 -	if (getenv("TZ"))
 -		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
--
- 	/* Set custom environment options from RSA authentication. */
- 	while (custom_environment) {
- 		struct envstring *ce = custom_environment;
-@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,

Modified: trunk/security/openssh-portable/files/patch-ssh-agent.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh-agent.c	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-ssh-agent.c	2019-01-18 20:36:16 UTC (rev 24804)
@@ -8,9 +8,9 @@
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.c	2015-06-02 09:46:54.719580000 -0500
-@@ -157,15 +157,34 @@ static long lifetime = 0;
+--- ssh-agent.c.orig	2017-10-02 12:34:26.000000000 -0700
++++ ssh-agent.c	2017-10-12 11:31:40.908737000 -0700
+@@ -162,15 +162,34 @@ static long lifetime = 0;
  
  static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
  
@@ -45,7 +45,7 @@
  }
  
  static void
-@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd)
+@@ -745,6 +764,10 @@ new_socket(sock_type type, int fd)
  {
  	u_int i, old_alloc, new_alloc;
  
@@ -56,7 +56,7 @@
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1190,7 +1213,7 @@ static void
+@@ -1007,7 +1030,7 @@ static void
  usage(void)
  {
  	fprintf(stderr,
@@ -65,7 +65,7 @@
  	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
  	    "       ssh-agent [-c | -s] -k\n");
  	exit(1);
-@@ -1222,6 +1245,7 @@ main(int ac, char **av)
+@@ -1039,6 +1062,7 @@ main(int ac, char **av)
  	/* drop */
  	setegid(getgid());
  	setgid(getgid());
@@ -73,7 +73,7 @@
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -1232,7 +1256,7 @@ main(int ac, char **av)
+@@ -1049,7 +1073,7 @@ main(int ac, char **av)
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
@@ -82,13 +82,13 @@
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1276,6 +1300,9 @@ main(int ac, char **av)
+@@ -1092,6 +1116,9 @@ main(int ac, char **av)
+ 				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}
- 			break;
++			break;
 +		case 'x':
 +			xcount = 0;
-+			break;
+ 			break;
  		default:
  			usage();
- 		}

Modified: trunk/security/openssh-portable/files/patch-ssh.c
===================================================================
--- trunk/security/openssh-portable/files/patch-ssh.c	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-ssh.c	2019-01-18 20:36:16 UTC (rev 24804)
@@ -5,11 +5,11 @@
 
 Canonicize the host name before looking it up in the host file.
 
---- ssh.c.orig	2010-08-16 09:59:31.000000000 -0600
-+++ ssh.c	2010-08-25 17:55:01.000000000 -0600
-@@ -699,6 +699,23 @@
- 		    "h", host, (char *)NULL);
- 	}
+--- ssh.c.orig	2018-04-02 05:38:28 UTC
++++ ssh.c
+@@ -1281,6 +1281,23 @@ main(int ac, char **av)
+ 	ssh_digest_free(md);
+ 	conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
  
 +	/* Find canonic host name. */
 +	if (strchr(host, '.') == 0) {
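Review bot: The "Find canonic host name" block is now inserted immediately after `conn_hash_hex = tohex(conn_hash, ...)`, so if the digest folded into conn_hash includes host (as upstream's %C token does, to my knowledge), %C is derived from the name as typed while the rest of main() sees the canonicalised one. If %C is meant to follow the canonical name, the block should move above the digest setup; if the current order is deliberate, a comment on the block stating that %C intentionally uses the user-supplied host name would keep the next rebase from reordering it. The inserted block continues past the end of this hunk, and main() begins and ends outside it.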
@@ -28,6 +28,6 @@
 +		}
 +	}
 +
- 	if (options.local_command != NULL) {
- 		char thishost[NI_MAXHOST];
- 
+ 	/*
+ 	 * Expand tokens in arguments. NB. LocalCommand is expanded later,
+ 	 * after port-forwarding is set up, so it may pick up any local

Modified: trunk/security/openssh-portable/files/patch-sshd_config.5
===================================================================
--- trunk/security/openssh-portable/files/patch-sshd_config.5	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/files/patch-sshd_config.5	2019-01-18 20:36:16 UTC (rev 24804)
@@ -1,5 +1,5 @@
---- sshd_config.5.orig	2016-12-18 20:59:41.000000000 -0800
-+++ sshd_config.5	2017-01-11 13:35:46.496538000 -0800
+--- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
++++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
 @@ -373,7 +373,9 @@ By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
@@ -11,7 +11,7 @@
  The default is
  .Cm yes .
  .It Cm ChrootDirectory
-@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa
+@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
  The list of available key types may also be obtained using
  .Qq ssh -Q key .
  .It Cm HostbasedAuthentication
@@ -22,7 +22,7 @@
  with successful public key client host authentication is allowed
  (host-based authentication).
  The default is
-@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic
+@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
@@ -45,7 +45,7 @@
  .It Cm PermitEmptyPasswords
  When password authentication is allowed, it specifies whether the
  server allows login to accounts with empty password strings.
-@@ -1216,6 +1235,13 @@ and
+@@ -1232,6 +1251,13 @@ and
  .Cm ethernet .
  The default is
  .Cm no .
@@ -59,16 +59,13 @@
  .Pp
  Independent of this setting, the permissions of the selected
  .Xr tun 4
-@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run
+@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
  .Xr sshd 8
  as a non-root user.
  The default is
 -.Cm no .
 +.Cm yes .
- .It Cm UsePrivilegeSeparation
- Specifies whether
- .Xr sshd 8
-@@ -1500,7 +1526,10 @@ The default is
+ .It Cm VersionAddendum
  Optionally specifies additional text to append to the SSH protocol banner
  sent by the server upon connection.
  The default is
@@ -80,7 +77,7 @@
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's
-@@ -1514,7 +1543,7 @@ The argument must be
+@@ -1512,7 +1541,7 @@ The argument must be
  or
  .Cm no .
  The default is

Modified: trunk/security/openssh-portable/pkg-plist
===================================================================
--- trunk/security/openssh-portable/pkg-plist	2019-01-17 19:35:06 UTC (rev 24803)
+++ trunk/security/openssh-portable/pkg-plist	2019-01-18 20:36:16 UTC (rev 24804)
@@ -9,7 +9,7 @@
 @sample %%ETCDIR%%/ssh_config.sample
 @sample %%ETCDIR%%/sshd_config.sample
 %%X509%%@dir %%ETCDIR%%/ca
- at exec if [ -f %D/%%ETCDIR%%/ssh_host_ecdsa_key ] && grep -q DSA %D/%%ETCDIR%%/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/%%ETCDIR%%/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/%%ETCDIR%%/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
+ at postexec if [ -f %D/%%ETCDIR%%/ssh_host_ecdsa_key ] && grep -q DSA %D/%%ETCDIR%%/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/%%ETCDIR%%/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/%%ETCDIR%%/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
 sbin/sshd
 libexec/sftp-server
 libexec/ssh-keysign


