author | Rene Ladan <rene@FreeBSD.org> | 2015-02-02 22:22:23 +0000 |
---|---|---|
committer | Rene Ladan <rene@FreeBSD.org> | 2015-02-02 22:22:23 +0000 |
commit | 1869512c530c341f3d7b5c93bd4a99c2c2351026 (patch) | |
tree | 3fee54311989845cbdd93360c9f407379f8431de /security/openssh-portable66/files | |
parent | eff5b121fc9f0fb088376f868c677d284ea7ef0b (diff) |
Notes
Diffstat (limited to 'security/openssh-portable66/files')
21 files changed, 0 insertions, 1373 deletions
diff --git a/security/openssh-portable66/files/extra-patch-hpn-build-options b/security/openssh-portable66/files/extra-patch-hpn-build-options
deleted file mode 100644
index 233aaf8cce7c..000000000000
--- a/security/openssh-portable66/files/extra-patch-hpn-build-options
+++ /dev/null
@@ -1,142 +0,0 @@ ---- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500 -+++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500 -@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co - } - } - -+#ifdef AES_THREADED - /* if we are using aes-ctr there can be issues in either a fork or sandbox - * so the initial aes-ctr is defined to point to the original single process - * evp. After authentication we'll be past the fork and the sandboxed privsep -@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co - cipher_reset_multithreaded(); - packet_request_rekeying(); - } -+#endif - - debug("Authentication succeeded (%s).", authctxt.method->name); - } ---- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500 -+++ sshd.c 2013-10-11 08:53:25.929132033 -0500 -@@ -2186,6 +2186,7 @@ main(int ac, char **av) - - /* Start session. */ - -+#ifdef AES_THREADED - /* if we are using aes-ctr there can be issues in either a fork or sandbox - * so the initial aes-ctr is defined to point ot the original single process - * evp. 
After authentication we'll be past the fork and the sandboxed privsep -@@ -2201,6 +2202,7 @@ main(int ac, char **av) - cipher_reset_multithreaded(); - packet_request_rekeying(); - } -+#endif - - do_authenticated(authctxt); - ---- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500 -+++ readconf.c 2013-10-11 09:19:12.295135966 -0500 -@@ -268,12 +268,16 @@ static struct { - { "canonicalizehostname", oCanonicalizeHostname }, - { "canonicalizemaxdots", oCanonicalizeMaxDots }, - { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, -+#ifdef NONECIPHER - { "noneenabled", oNoneEnabled }, - { "noneswitch", oNoneSwitch }, -+#endif -+#ifdef HPN - { "tcprcvbufpoll", oTcpRcvBufPoll }, - { "tcprcvbuf", oTcpRcvBuf }, - { "hpndisabled", oHPNDisabled }, - { "hpnbuffersize", oHPNBufferSize }, -+#endif - { "ignoreunknown", oIgnoreUnknown }, - - { NULL, oBadOption } -@@ -1739,12 +1743,20 @@ fill_default_options(Options * options) - options->server_alive_interval = 0; - if (options->server_alive_count_max == -1) - options->server_alive_count_max = 3; -+#ifdef NONECIPHER - if (options->none_switch == -1) -+#endif - options->none_switch = 0; -+#ifdef NONECIPHER - if (options->none_enabled == -1) -+#endif - options->none_enabled = 0; -+#ifdef HPN - if (options->hpn_disabled == -1) - options->hpn_disabled = 0; -+#else -+ options->hpn_disabled = 1; -+#endif - if (options->hpn_buffer_size > -1) - { - /* if a user tries to set the size to 0 set it to 1KB */ ---- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500 -+++ servconf.c 2013-10-11 09:25:50.777137928 -0500 -@@ -303,10 +303,16 @@ - } - if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+#ifdef NONECIPHER - if (options->none_enabled == -1) -+#endif - options->none_enabled = 0; -+#ifdef HPN - if (options->hpn_disabled == -1) - options->hpn_disabled = 0; -+#else -+ options->hpn_disabled = 1; -+#endif - - if (options->hpn_buffer_size == -1) { - /* option not explicitly set. 
Now we have to figure out */ ---- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500 -+++ configure.ac 2013-10-12 17:18:35.610130039 -0500 -@@ -3968,6 +3968,34 @@ - ] - ) # maildir - -+#check whether user wants HPN support -+HPN_MSG="no" -+AC_ARG_WITH(hpn, -+ [ --with-hpn Enable HPN support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(HPN,1,[Define if you want HPN support.]) -+ HPN_MSG="yes" -+ fi ] -+) -+#check whether user wants NONECIPHER support -+NONECIPHER_MSG="no" -+AC_ARG_WITH(nonecipher, -+ [ --with-nonecipher Enable NONECIPHER support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.]) -+ NONECIPHER_MSG="yes" -+ fi ] -+) -+#check whether user wants AES_THREADED support -+AES_THREADED_MSG="no" -+AC_ARG_WITH(aes-threaded, -+ [ --with-aes-threaded Enable AES_THREADED support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.]) -+ AES_THREADED_MSG="yes" -+ fi ] -+) -+ - if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then - AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) - disable_ptmx_check=yes -@@ -4636,6 +4664,9 @@ - echo " BSD Auth support: $BSD_AUTH_MSG" - echo " Random number source: $RAND_MSG" - echo " Privsep sandbox style: $SANDBOX_STYLE" -+echo " HPN support: $HPN_MSG" -+echo " NONECIPHER support: $NONECIPHER_MSG" -+echo " AES_THREADED support: $AES_THREADED_MSG" - - echo "" - diff --git a/security/openssh-portable66/files/extra-patch-hpn-no-hpn b/security/openssh-portable66/files/extra-patch-hpn-no-hpn deleted file mode 100644 index dc3b112a2fee..000000000000 --- a/security/openssh-portable66/files/extra-patch-hpn-no-hpn +++ /dev/null 
@@ -1,32 +0,0 @@
---- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
-+++ sshd_config 2013-10-12 06:40:06.646129924 -0500
-@@ -125,20 +125,6 @@
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
--# the following are HPN related configuration options
--# tcp receive buffer polling. disable in non autotuning kernels
--#TcpRcvBufPoll yes
--
--# disable hpn performance boosts
--#HPNDisabled no
--
--# buffer size for hpn to non-hpn connections
--#HPNBufferSize 2048
--
--
--# allow the use of the none cipher
--#NoneEnabled no
--
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
---- version.h.orig 2013-10-12 06:42:19.578133368 -0500
-+++ version.h 2013-10-12 06:42:28.581136160 -0500
-@@ -3,5 +3,4 @@
- #define SSH_VERSION "OpenSSH_6.3"
-
- #define SSH_PORTABLE "p1"
--#define SSH_HPN "-hpn14v2"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/security/openssh-portable66/files/extra-patch-hpn-window-size b/security/openssh-portable66/files/extra-patch-hpn-window-size
deleted file mode 100644
index 76f50a43eccb..000000000000
--- a/security/openssh-portable66/files/extra-patch-hpn-window-size
+++ /dev/null
@@ -1,24 +0,0 @@
-r223213 | brooks | 2011-06-17 17:01:10 -0500 (Fri, 17 Jun 2011) | 3 lines
-Changed paths:
- M /user/brooks/openssh-hpn/channels.h
-
-It looks like the HPN patch didn't track the window size bump in OpenBSD
-rev 1.89 back in 2007. Chase the updates to reduce diffs to head
-
-Index: channels.h
-===================================================================
---- channels.h (revision 223212)
-+++ channels.h (revision 223213)
-@@ -163,10 +163,10 @@
-
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT (32*1024)
--#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
-+#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
-
- #define CHAN_TCP_PACKET_DEFAULT (32*1024)
--#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
-+#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
-
- #define CHAN_X11_PACKET_DEFAULT (16*1024)
- #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
diff --git a/security/openssh-portable66/files/extra-patch-ldns b/security/openssh-portable66/files/extra-patch-ldns
deleted file mode 100644
index 162d8686a33c..000000000000
--- a/security/openssh-portable66/files/extra-patch-ldns
+++ /dev/null
@@ -1,51 +0,0 @@
-r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
-Changed paths:
- M /head/crypto/openssh/readconf.c
- M /head/crypto/openssh/ssh_config
- M /head/crypto/openssh/ssh_config.5
-
-Change the default value of VerifyHostKeyDNS to "yes" if compiled with
-LDNS. With that setting, OpenSSH will silently accept host keys that
-match verified SSHFP records. If an SSHFP record exists but could not
-be verified, OpenSSH will print a message and prompt the user as usual.
-
---- readconf.c 2013-10-03 08:15:03.496131082 -0500
-+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
-@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
- options->rekey_limit = 0;
- if (options->rekey_interval == -1)
- options->rekey_interval = 0;
-+#if HAVE_LDNS
-+ if (options->verify_host_key_dns == -1)
-+ /* automatically trust a verified SSHFP record */
-+ options->verify_host_key_dns = 1;
-+#else
- if (options->verify_host_key_dns == -1)
- options->verify_host_key_dns = 0;
-+#endif
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
---- ssh_config 2013-10-03 08:15:03.537131330 -0500
-+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
-@@ -44,5 +44,6 @@
- # TunnelDevice any:any
- # PermitLocalCommand no
- # VisualHostKey no
-+# VerifyHostKeyDNS yes
- # ProxyCommand ssh -q -W %h:%p gateway.example.com
- # RekeyLimit 1G 1h
---- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
-+++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
-@@ -1246,7 +1246,10 @@ The argument must be
- or
- .Dq ask .
- The default is
--.Dq no .
-+.Dq yes
-+if compiled with LDNS and
-+.Dq no
-+otherwise.
- Note that this option applies to protocol version 2 only.
- .Pp
- See also VERIFYING HOST KEYS in
diff --git a/security/openssh-portable66/files/extra-patch-openssh661 b/security/openssh-portable66/files/extra-patch-openssh661
deleted file mode 100644
index d11c14f610f3..000000000000
--- a/security/openssh-portable66/files/extra-patch-openssh661
+++ /dev/null
@@ -1,162 +0,0 @@ -From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001 -From: Damien Miller <djm@mindrot.org> -Date: Sun, 20 Apr 2014 13:44:47 +1000 -Subject: [PATCH] - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c - version.h] OpenSSH 6.5 and 6.6 sometimes encode a value used in the - curve25519 key exchange incorrectly, causing connection failures about - 0.2% of the time when this method is used against a peer that implements - the method properly. - - Fix the problem and disable the curve25519 KEX when speaking to - OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 - to enable the compatability code. ---- - ChangeLog | 11 +++++++++++ - bufaux.c | 5 ++++- - compat.c | 17 ++++++++++++++++- - compat.h | 2 ++ - sshconnect2.c | 2 ++ - sshd.c | 3 +++ - version.h | 2 +- - 7 files changed, 39 insertions(+), 3 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 9c59cc4..60f181a 100644 ---- ChangeLog -+++ ChangeLog -@@ -1,3 +1,14 @@ -+20140420 -+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h] -+ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 -+ key exchange incorrectly, causing connection failures about 0.2% of -+ the time when this method is used against a peer that implements -+ the method properly. -+ -+ Fix the problem and disable the curve25519 KEX when speaking to -+ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 -+ to enable the compatability code. 
-+ - 20140313 - - (djm) Release OpenSSH 6.6 - -diff --git a/bufaux.c b/bufaux.c -index e24b5fc..f6a6f2a 100644 ---- bufaux.c -+++ bufaux.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ -+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ - /* - * Author: Tatu Ylonen <ylo@cs.hut.fi> - * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland -@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) - - if (l > 8 * 1024) - fatal("%s: length %u too long", __func__, l); -+ /* Skip leading zero bytes */ -+ for (; l > 0 && *s == 0; l--, s++) -+ ; - p = buf = xmalloc(l + 1); - /* - * If most significant bit is set then prepend a zero byte to -diff --git a/compat.c b/compat.c -index 9d9fabe..2709dc5 100644 ---- compat.c -+++ compat.c -@@ -95,6 +95,9 @@ compat_datafellows(const char *version) - { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, - { "OpenSSH_4*", 0 }, - { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, -+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, -+ { "OpenSSH_6.5*," -+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, - { "OpenSSH*", SSH_NEW_OPENSSH }, - { "*MindTerm*", 0 }, - { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| -@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop) - return cipher_prop; - } - -- - char * - compat_pkalg_proposal(char *pkalg_prop) - { -@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) - return pkalg_prop; - } - -+char * -+compat_kex_proposal(char *kex_prop) -+{ -+ if (!(datafellows & SSH_BUG_CURVE25519PAD)) -+ return kex_prop; -+ debug2("%s: original KEX proposal: %s", __func__, kex_prop); -+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); -+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); -+ if (*kex_prop == '\0') -+ fatal("No supported key exchange algorithms found"); -+ return kex_prop; -+} -+ -diff --git a/compat.h b/compat.h -index b174fa1..a6c3f3d 100644 ---- compat.h -+++ compat.h 
-@@ -59,6 +59,7 @@ - #define SSH_BUG_RFWD_ADDR 0x02000000 - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 -+#define SSH_BUG_CURVE25519PAD 0x10000000 - - void enable_compat13(void); - void enable_compat20(void); -@@ -66,6 +67,7 @@ void compat_datafellows(const char *); - int proto_spec(const char *); - char *compat_cipher_proposal(char *); - char *compat_pkalg_proposal(char *); -+char *compat_kex_proposal(char *); - - extern int compat13; - extern int compat20; -diff --git a/sshconnect2.c b/sshconnect2.c -index 7f4ff41..ec3ad6a 100644 ---- sshconnect2.c -+++ sshconnect2.c -@@ -195,6 +195,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) - } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); - - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, -diff --git a/sshd.c b/sshd.c -index 7523de9..e9084b7 100644 ---- sshd.c -+++ sshd.c -@@ -2462,6 +2462,9 @@ do_ssh2_kex(void) - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); -+ - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, - (time_t)options.rekey_interval); -diff --git a/version.h b/version.h -index a1579ac..a33e77c 100644 ---- version.h -+++ version.h -@@ -1,6 +1,6 @@ - /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ - --#define SSH_VERSION "OpenSSH_6.6" -+#define SSH_VERSION "OpenSSH_6.6.1" - - #define SSH_PORTABLE "p1" - #define SSH_RELEASE SSH_VERSION SSH_PORTABLE --- -1.9.1 - 
diff --git a/security/openssh-portable66/files/extra-patch-sshd-utmp-size b/security/openssh-portable66/files/extra-patch-sshd-utmp-size
deleted file mode 100644
index d72985ff7768..000000000000
--- a/security/openssh-portable66/files/extra-patch-sshd-utmp-size
+++ /dev/null
@@ -1,36 +0,0 @@
-r184122 | des | 2008-10-21 06:58:26 -0500 (Tue, 21 Oct 2008) | 11 lines
-Changed paths:
- M /head/crypto/openssh/loginrec.c
- M /head/crypto/openssh/sshd.c
-
-At some point, construct_utmp() was changed to use realhostname() to fill
-in the struct utmp due to concerns about the length of the hostname buffer.
-However, this breaks the UseDNS option. There is a simpler and better
-solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of
-MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the
-buffer.
-
-PR: bin/97499
-Submitted by: Bruce Cran <bruce@cran.org.uk>
-
-Index: sshd.c
-===================================================================
---- sshd.c (revision 184121)
-+++ sshd.c (revision 184122)
-@@ -72,6 +72,7 @@
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-+#include <utmp.h>
-
- #include <openssl/dh.h>
- #include <openssl/bn.h>
-@@ -238,7 +239,7 @@
- u_int session_id2_len = 0;
-
- /* record remote hostname or ip */
--u_int utmp_len = MAXHOSTNAMELEN;
-+u_int utmp_len = UT_HOSTSIZE;
-
- /* options.max_startup sized array of fd ints */
- int *startup_pipes = NULL;
diff --git a/security/openssh-portable66/files/openssh.in b/security/openssh-portable66/files/openssh.in
deleted file mode 100644
index 215095098a9f..000000000000
--- a/security/openssh-portable66/files/openssh.in
+++ /dev/null
@@ -1,175 +0,0 @@ -#!/bin/sh - -# $FreeBSD$ -# -# PROVIDE: openssh -# REQUIRE: DAEMON -# KEYWORD: shutdown -# -# Add the following lines to /etc/rc.conf to enable openssh: -# -# openssh_enable (bool): Set it to "YES" to enable openssh. -# Default is "NO". -# openssh_flags (flags): Set extra flags to openssh. -# Default is "". see sshd(1). -# openssh_pidfile (file): Set full path to pid file. - -. /etc/rc.subr - -name="openssh" -rcvar=openssh_enable - -load_rc_config ${name} - -: ${openssh_enable:="NO"} -: ${openssh_skipportscheck="NO"} - -command=%%PREFIX%%/sbin/sshd -extra_commands="configtest reload keygen" -start_precmd="${name}_checks" -reload_precmd="${name}_checks" -restart_precmd="${name}_checks" -configtest_cmd="${name}_configtest" -keygen_cmd="${name}_keygen" -pidfile=${openssh_pidfile:="/var/run/sshd.pid"} - -openssh_keygen() -{ - if [ -f %%ETCSSH%%/ssh_host_key -a \ - -f %%ETCSSH%%/ssh_host_dsa_key -a \ - -f %%ETCSSH%%/ssh_host_rsa_key -a \ - -f %%ETCSSH%%/ssh_host_ecdsa_key -a \ - -f %%ETCSSH%%/ssh_host_ed25519_key ]; then - return 0 - fi - - umask 022 - - # Can't do anything if ssh is not installed - [ -x %%PREFIX%%/bin/ssh-keygen ] || - err 1 "%%PREFIX%%/bin/ssh-keygen does not exist." 
- - if [ -f %%ETCSSH%%/ssh_host_key ]; then - echo "You already have an RSA host key" \ - "in %%ETCSSH%%/ssh_host_key" - echo "Skipping protocol version 1 RSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t rsa1 -b 1024 \ - -f %%ETCSSH%%/ssh_host_key -N '' - fi - - if [ -f %%ETCSSH%%/ssh_host_dsa_key ]; then - echo "You already have a DSA host key" \ - "in %%ETCSSH%%/ssh_host_dsa_key" - echo "Skipping protocol version 2 DSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t dsa \ - -f %%ETCSSH%%/ssh_host_dsa_key -N '' - fi - - if [ -f %%ETCSSH%%/ssh_host_rsa_key ]; then - echo "You already have a RSA host key" \ - "in %%ETCSSH%%/ssh_host_rsa_key" - echo "Skipping protocol version 2 RSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t rsa \ - -f %%ETCSSH%%/ssh_host_rsa_key -N '' - fi - - if [ -f %%ETCSSH%%/ssh_host_ecdsa_key ]; then - echo "You already have a Elliptic Curve DSA host key" \ - "in %%ETCSSH%%/ssh_host_ecdsa_key" - echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t ecdsa \ - -f %%ETCSSH%%/ssh_host_ecdsa_key -N '' - fi - - if [ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then - echo "You already have a Elliptic Curve ED25519 host key" \ - "in %%ETCSSH%%/ssh_host_ed25519_key" - echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t ed25519 \ - -f %%ETCSSH%%/ssh_host_ed25519_key -N '' - fi -} - -openssh_check_same_ports(){ - # check if opensshd don't use base system sshd's port - # - # openssh binds ports in priority (lowest first): - # Port from sshd_config - # -p option from command line - # ListenAddress addr:port from sshd_config - - - #check if opensshd-portable installed in replacement of base sshd - if [ "%%ETCSSH%%" = "/etc/ssh" ]; then - return 1 - fi - - self_port=$(awk '$1~/^ListenAddress/ \ - {mlen=match($0,":[0-9]*$"); print \ - substr($0,mlen+1,length($0)-mlen)}' %%ETCSSH%%/sshd_config) - if [ -z "$self_port" ]; then - 
self_port=$(echo $openssh_flags | awk \ - '{for (i = 1; i <= NF; i++) if ($i == "-p") \ - {i++; printf "%s", $i; break; }; }') - if [ -z "$self_port" ]; then - self_port=$(awk '$1~/^Port/ {print $2}' \ - %%ETCSSH%%/sshd_config) - fi - fi - # assume default 22 port - if [ -z "$self_port" ]; then - self_port=22 - fi - - load_rc_config "sshd" - - base_sshd_port=$(awk '$1~/^ListenAddress/ \ - {mlen=match($0,":[0-9]*$"); print \ - substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config) - if [ -z "$base_sshd_port" ]; then - base_sshd_port=$(echo $sshd_flags | awk \ - '{for (i = 1; i <= NF; i++) if ($i == "-p") \ - {i++; printf "%s", $i; break; }; }') - if [ -z "$base_sshd_port" ]; then - base_sshd_port=$(awk '$1~/^Port/ {print $2}' \ - /etc/ssh/sshd_config) - fi - fi - if [ -z "$base_sshd_port" ]; then - base_sshd_port=22 - fi - - # self_port and base_sshd_port may have multiple values. Compare them all - for sport in ${self_port}; do - for bport in ${base_sshd_port}; do - [ ${sport} -eq ${bport} ] && return 0 - done - done - - return 1 -} - -openssh_configtest() -{ - echo "Performing sanity check on ${name} configuration." - eval ${command} ${openssh_flags} -t -} - -openssh_checks() -{ - if checkyesno sshd_enable ; then - if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then - err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port" - fi - fi - - run_rc_command keygen - openssh_configtest -} - -run_rc_command "$1" diff --git a/security/openssh-portable66/files/patch-auth.c b/security/openssh-portable66/files/patch-auth.c deleted file mode 100644 index a12017191b5d..000000000000 --- a/security/openssh-portable66/files/patch-auth.c +++ /dev/null 
@@ -1,20 +0,0 @@
-r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines
-Changed paths:
- M /head/crypto/openssh/auth.c
-
-Use login_getpwclass() instead of login_getclass() so that the root
-vs. default login class distinction is made correctly.
-
-PR: 37416
-
---- auth.c.orig 2010-08-12 11:33:01.000000000 -0600
-+++ auth.c 2010-09-14 16:14:12.000000000 -0600
-@@ -594,7 +594,7 @@
- if (!allowed_user(pw))
- return (NULL);
- #ifdef HAVE_LOGIN_CAP
-- if ((lc = login_getclass(pw->pw_class)) == NULL) {
-+ if ((lc = login_getpwclass(pw)) == NULL) {
- debug("unable to get login class: %s", user);
- return (NULL);
- }
diff --git a/security/openssh-portable66/files/patch-auth2.c b/security/openssh-portable66/files/patch-auth2.c
deleted file mode 100644
index eb8ecef10d36..000000000000
--- a/security/openssh-portable66/files/patch-auth2.c
+++ /dev/null
@@ -1,58 +0,0 @@
-r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/auth2.c
-
-Apply class-imposed login restrictions.
-
---- auth2.c.orig 2012-12-02 16:53:20.000000000 -0600
-+++ auth2.c 2013-05-22 17:21:37.979631466 -0500
-@@ -46,6 +46,7 @@
- #include "key.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "canohost.h"
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
-@@ -219,6 +220,13 @@
- Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
- int authenticated = 0;
-+#ifdef HAVE_LOGIN_CAP
-+ login_cap_t *lc;
-+ const char *from_host, *from_ip;
-+
-+ from_host = get_canonical_hostname(options.use_dns);
-+ from_ip = get_remote_ipaddr();
-+#endif
-
- if (authctxt == NULL)
- fatal("input_userauth_request: no authctxt");
-@@ -265,6 +273,27 @@
- "(%s,%s) -> (%s,%s)",
- authctxt->user, authctxt->service, user, service);
- }
-+
-+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
-+#endif /* HAVE_LOGIN_CAP */
-+
- /* reset state */
- auth2_challenge_stop(authctxt);
- #ifdef JPAKE
diff --git a/security/openssh-portable66/files/patch-readconf.c b/security/openssh-portable66/files/patch-readconf.c
deleted file mode 100644
index 9f2b6369dd66..000000000000
--- a/security/openssh-portable66/files/patch-readconf.c
+++ /dev/null
@@ -1,61 +0,0 @@
-base defaults
-
-r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
- M /head/crypto/openssh/myproposal.h
- M /head/crypto/openssh/readconf.c
- M /head/crypto/openssh/servconf.c
-
-Apply FreeBSD's configuration defaults.
-
------------------------------------------------------------------------
-r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
-Changed paths:
- M /head/crypto/openssh/readconf.c
-
-Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
-Submitted upstream, no reaction.
-
-Submitted by: delphij@
-
-
---- readconf.c.orig 2013-10-03 06:56:21.649139613 -0500
-+++ readconf.c 2013-10-03 06:56:50.961467272 -0500
-@@ -17,6 +17,7 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/socket.h>
-+#include <sys/sysctl.h>
- #include <sys/wait.h>
-
- #include <netinet/in.h>
-@@ -282,7 +283,19 @@
- Forward *fwd;
- #ifndef NO_IPPORT_RESERVED_CONCEPT
- extern uid_t original_real_uid;
-- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
-+ int ipport_reserved;
-+#ifdef __FreeBSD__
-+ size_t len_ipport_reserved = sizeof(ipport_reserved);
-+
-+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
-+ ipport_reserved = IPPORT_RESERVED;
-+ else
-+ ipport_reserved++;
-+#else
-+ ipport_reserved = IPPORT_RESERVED;
-+#endif
-+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
- fatal("Privileged ports can only be forwarded by root.");
- #endif
- options->local_forwards = xrealloc(options->local_forwards,
-@@ -1607,7 +1620,7 @@
- if (options->batch_mode == -1)
- options->batch_mode = 0;
- if (options->check_host_ip == -1)
-- options->check_host_ip = 1;
-+ options->check_host_ip = 0;
- if (options->strict_host_key_checking == -1)
- options->strict_host_key_checking = 2; /* 2 is default */
- if (options->compression == -1)
diff --git a/security/openssh-portable66/files/patch-servconf.c b/security/openssh-portable66/files/patch-servconf.c
deleted file mode 100644
index 67e45e98a1fe..000000000000
--- a/security/openssh-portable66/files/patch-servconf.c
+++ /dev/null
@@ -1,50 +0,0 @@
---- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500
-+++ servconf.c 2013-05-12 21:52:43.069625377 -0500
-@@ -162,7 +162,7 @@
-
- /* Portable-specific options */
- if (options->use_pam == -1)
-- options->use_pam = 0;
-+ options->use_pam = 1;
-
- /* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -197,7 +197,7 @@
- if (options->key_regeneration_time == -1)
- options->key_regeneration_time = 3600;
- if (options->permit_root_login == PERMIT_NOT_SET)
-- options->permit_root_login = PERMIT_YES;
-+ options->permit_root_login = PERMIT_NO;
- if (options->ignore_rhosts == -1)
- options->ignore_rhosts = 1;
- if (options->ignore_user_known_hosts == -1)
-@@ -207,7 +207,7 @@
- if (options->print_lastlog == -1)
- options->print_lastlog = 1;
- if (options->x11_forwarding == -1)
-- options->x11_forwarding = 0;
-+ options->x11_forwarding = 1;
- if (options->x11_display_offset == -1)
- options->x11_display_offset = 10;
- if (options->x11_use_localhost == -1)
-@@ -245,7 +245,11 @@
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
- if (options->password_authentication == -1)
-+#ifdef USE_PAM
-+ options->password_authentication = 0;
-+#else
- options->password_authentication = 1;
-+#endif
- if (options->kbd_interactive_authentication == -1)
- options->kbd_interactive_authentication = 0;
- if (options->challenge_response_authentication == -1)
-@@ -335,7 +339,7 @@
- options->version_addendum = xstrdup("");
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
-- use_privsep = PRIVSEP_NOSANDBOX;
-+ use_privsep = PRIVSEP_ON;
-
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
diff --git a/security/openssh-portable66/files/patch-session.c b/security/openssh-portable66/files/patch-session.c
deleted file mode 100644
index b91928b93483..000000000000
--- a/security/openssh-portable66/files/patch-session.c
+++ /dev/null
@@ -1,74 +0,0 @@ ---- session.c 2013-03-14 19:22:37.000000000 -0500 -+++ session.c 2013-04-12 21:10:44.510757912 -0500 -@@ -1131,6 +1136,9 @@ - struct passwd *pw = s->pw; - #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) - char *path = NULL; -+#else -+ extern char **environ; -+ char **senv, **var; - #endif - - /* Initialize the environment. */ -@@ -1152,6 +1160,9 @@ - } - #endif - -+ if (getenv("TZ")) -+ child_set_env(&env, &envsize, "TZ", getenv("TZ")); -+ - #ifdef GSSAPI - /* Allow any GSSAPI methods that we've used to alter - * the childs environment as they see fit -@@ -1171,11 +1182,22 @@ - child_set_env(&env, &envsize, "LOGIN", pw->pw_name); - #endif - child_set_env(&env, &envsize, "HOME", pw->pw_dir); -+ snprintf(buf, sizeof buf, "%.200s/%.50s", -+ _PATH_MAILDIR, pw->pw_name); -+ child_set_env(&env, &envsize, "MAIL", buf); - #ifdef HAVE_LOGIN_CAP -- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) -- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -- else -- child_set_env(&env, &envsize, "PATH", getenv("PATH")); -+ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -+ child_set_env(&env, &envsize, "TERM", "su"); -+ senv = environ; -+ environ = xmalloc(sizeof(char *)); -+ *environ = NULL; -+ (void) setusercontext(lc, pw, pw->pw_uid, -+ LOGIN_SETENV|LOGIN_SETPATH); -+ copy_environment(environ, &env, &envsize); -+ for (var = environ; *var != NULL; ++var) -+ free(*var); -+ free(environ); -+ environ = senv; - #else /* HAVE_LOGIN_CAP */ - # ifndef HAVE_CYGWIN - /* -@@ -1196,15 +1218,9 @@ - # endif /* HAVE_CYGWIN */ - #endif /* HAVE_LOGIN_CAP */ - -- snprintf(buf, sizeof buf, "%.200s/%.50s", -- _PATH_MAILDIR, pw->pw_name); -- child_set_env(&env, &envsize, "MAIL", buf); -- - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); - } -- if (getenv("TZ")) -- child_set_env(&env, &envsize, "TZ", getenv("TZ")); - - /* Set custom environment options from RSA authentication. 
*/ - if (!options.use_login) { -@@ -1483,7 +1499,7 @@ - if (platform_privileged_uidswap()) { - #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, -- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { - perror("unable to set user context"); - exit(1); - } diff --git a/security/openssh-portable66/files/patch-ssh-agent.1 b/security/openssh-portable66/files/patch-ssh-agent.1 deleted file mode 100644 index 7d1e2a68ddf0..000000000000 --- a/security/openssh-portable66/files/patch-ssh-agent.1 +++ /dev/null @@ -1,27 +0,0 @@ -r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines - -Add a -x option that causes ssh-agent(1) to exit when all clients have -disconnected. - -Index: ssh-agent.1 -=================================================================== ---- ssh-agent.1 (revision 226102) -+++ ssh-agent.1 (revision 226103) -@@ -44,7 +44,7 @@ - .Sh SYNOPSIS - .Nm ssh-agent - .Op Fl c | s --.Op Fl d -+.Op Fl dx - .Op Fl a Ar bind_address - .Op Fl t Ar life - .Op Ar command Op Ar arg ... -@@ -103,6 +103,8 @@ - .Xr ssh-add 1 - overrides this value. - Without this option the default maximum lifetime is forever. -+.It Fl x -+Exit after the last client has disconnected. - .El - .Pp - If a commandline is given, this is executed as a subprocess of the agent. diff --git a/security/openssh-portable66/files/patch-ssh-agent.c b/security/openssh-portable66/files/patch-ssh-agent.c deleted file mode 100644 index a7f6af9a6f27..000000000000 --- a/security/openssh-portable66/files/patch-ssh-agent.c +++ /dev/null 
@@ -1,92 +0,0 @@ -r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines - -Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. - -r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines - -Add a -x option that causes ssh-agent(1) to exit when all clients have -disconnected. - ---- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500 -+++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500 -@@ -137,15 +137,34 @@ - /* Default lifetime (0 == forever) */ - static int lifetime = 0; - -+/* -+ * Client connection count; incremented in new_socket() and decremented in -+ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is -+ * normally initialized to 1, it will never reach 0. However, if the -x -+ * option is specified, it is initialized to 0 in main(); in that case, -+ * ssh-agent will exit as soon as it has had at least one client but no -+ * longer has any. -+ */ -+static int xcount = 1; -+ - static void - close_socket(SocketEntry *e) - { -+ int last = 0; -+ -+ if (e->type == AUTH_CONNECTION) { -+ debug("xcount %d -> %d", xcount, xcount - 1); -+ if (--xcount == 0) -+ last = 1; -+ } - close(e->fd); - e->fd = -1; - e->type = AUTH_UNUSED; - buffer_free(&e->input); - buffer_free(&e->output); - buffer_free(&e->request); -+ if (last) -+ cleanup_exit(0); - } - - static void -@@ -900,6 +919,10 @@ - { - u_int i, old_alloc, new_alloc; - -+ if (type == AUTH_CONNECTION) { -+ debug("xcount %d -> %d", xcount, xcount + 1); -+ ++xcount; -+ } - set_nonblock(fd); - - if (fd > max_fd) -@@ -1120,6 +1143,7 @@ - fprintf(stderr, " -d Debug mode.\n"); - fprintf(stderr, " -a socket Bind agent socket to given name.\n"); - fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); -+ fprintf(stderr, " -x Exit when the last client disconnects.\n"); - exit(1); - } - -@@ -1149,6 +1173,7 @@ - /* drop */ - setegid(getgid()); - setgid(getgid()); -+ setuid(geteuid()); - - #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) - /* 
Disable ptrace on Linux without sgid bit */ -@@ -1160,7 +1185,7 @@ - __progname = ssh_get_progname(av[0]); - seed_rng(); - -- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cdksa:t:x")) != -1) { - switch (ch) { - case 'c': - if (s_flag) -@@ -1189,6 +1214,9 @@ - usage(); - } - break; -+ case 'x': -+ xcount = 0; -+ break; - default: - usage(); - } diff --git a/security/openssh-portable66/files/patch-ssh.c b/security/openssh-portable66/files/patch-ssh.c deleted file mode 100644 index b0d67498a75f..000000000000 --- a/security/openssh-portable66/files/patch-ssh.c +++ /dev/null @@ -1,34 +0,0 @@ -$FreeBSD$ - -r99054 | des | 2002-06-29 05:57:53 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/ssh.c - -Canonicize the host name before looking it up in the host file. - ---- ssh.c.orig 2010-08-16 09:59:31.000000000 -0600 -+++ ssh.c 2010-08-25 17:55:01.000000000 -0600 -@@ -699,6 +699,23 @@ - "h", host, (char *)NULL); - } - -+ /* Find canonic host name. */ -+ if (strchr(host, '.') == 0) { -+ struct addrinfo hints; -+ struct addrinfo *ai = NULL; -+ int errgai; -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = options.address_family; -+ hints.ai_flags = AI_CANONNAME; -+ hints.ai_socktype = SOCK_STREAM; -+ errgai = getaddrinfo(host, NULL, &hints, &ai); -+ if (errgai == 0) { -+ if (ai->ai_canonname != NULL) -+ host = xstrdup(ai->ai_canonname); -+ freeaddrinfo(ai); -+ } -+ } -+ - if (options.local_command != NULL) { - char thishost[NI_MAXHOST]; - diff --git a/security/openssh-portable66/files/patch-ssh_config b/security/openssh-portable66/files/patch-ssh_config deleted file mode 100644 index 7a4a16f40530..000000000000 --- a/security/openssh-portable66/files/patch-ssh_config +++ /dev/null 
@@ -1,16 +0,0 @@ -r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines - -Document the FreeBSD default for CheckHostIP, which was changed in -rev 1.2 of readconf.c. - ---- ssh_config.orig 2010-01-12 01:40:27.000000000 -0700 -+++ ssh_config 2010-09-14 16:14:13.000000000 -0600 -@@ -27,7 +27,7 @@ - # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no - # BatchMode no --# CheckHostIP yes -+# CheckHostIP no - # AddressFamily any - # ConnectTimeout 0 - # StrictHostKeyChecking ask diff --git a/security/openssh-portable66/files/patch-ssh_config.5 b/security/openssh-portable66/files/patch-ssh_config.5 deleted file mode 100644 index 764515076a63..000000000000 --- a/security/openssh-portable66/files/patch-ssh_config.5 +++ /dev/null @@ -1,16 +0,0 @@ -r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines - -Document the FreeBSD default for CheckHostIP, which was changed in -rev 1.2 of readconf.c. - ---- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600 -+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600 -@@ -164,7 +164,7 @@ - .Dq no , - the check will not be executed. - The default is --.Dq yes . -+.Dq no . - .It Cm Cipher - Specifies the cipher to use for encrypting the session - in protocol version 1. diff --git a/security/openssh-portable66/files/patch-sshd.8 b/security/openssh-portable66/files/patch-sshd.8 deleted file mode 100644 index 4bab7b855567..000000000000 --- a/security/openssh-portable66/files/patch-sshd.8 +++ /dev/null 
@@ -1,35 +0,0 @@ -Document FreeBSD/port-specific paths - ---- sshd.8.orig 2010-08-04 21:03:13.000000000 -0600 -+++ sshd.8 2010-09-14 16:14:14.000000000 -0600 -@@ -70,7 +70,7 @@ - .Nm - listens for connections from clients. - It is normally started at boot from --.Pa /etc/rc . -+.Pa /usr/local/etc/rc.d/openssh . - It forks a new - daemon for each incoming connection. - The forked daemons handle -@@ -384,8 +384,9 @@ - If the login is on a tty, records login time. - .It - Checks --.Pa /etc/nologin ; --if it exists, prints contents and quits -+.Pa /etc/nologin and -+.Pa /var/run/nologin ; -+if one exists, it prints the contents and quits - (unless root). - .It - Changes to run with normal user privileges. -@@ -407,7 +408,8 @@ - exists, runs it; else if - .Pa /etc/ssh/sshrc - exists, runs --it; otherwise runs xauth. -+it; otherwise runs -+.Xr xauth 1 . - The - .Dq rc - files are given the X11 diff --git a/security/openssh-portable66/files/patch-sshd.c b/security/openssh-portable66/files/patch-sshd.c deleted file mode 100644 index 9f4c84f4d88d..000000000000 --- a/security/openssh-portable66/files/patch-sshd.c +++ /dev/null 
@@ -1,99 +0,0 @@ -r109683 | des | 2003-01-22 08:12:59 -0600 (Wed, 22 Jan 2003) | 7 lines -Changed paths: - M /head/crypto/openssh/sshd.c - -Force early initialization of the resolver library, since the resolver -configuration files will no longer be available once sshd is chrooted. - -PR: 39953, 40894 -Submitted by: dinoex - -r199804 | attilio | 2009-11-25 09:12:24 -0600 (Wed, 25 Nov 2009) | 13 lines -Changed paths: - M /head/crypto/openssh/sshd.c - M /head/usr.sbin/cron/cron/cron.c - M /head/usr.sbin/inetd/inetd.c - M /head/usr.sbin/syslogd/syslogd.c - -Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap -environments. -Please note that this can't be done while such processes run in jails. - -Note: in future it would be interesting to find a way to do that -selectively for any desired proccess (choosen by user himself), probabilly -via a ptrace interface or whatever. - -r206397 | kib | 2010-04-08 07:07:40 -0500 (Thu, 08 Apr 2010) | 8 lines -Changed paths: - M /head/crypto/openssh/sshd.c - -Enhance r199804 by marking the daemonised child as immune to OOM instead -of short-living parent. Only mark the master process that accepts -connections, do not protect connection handlers spawned from inetd. - - ---- sshd.c.orig 2010-04-15 23:56:22.000000000 -0600 -+++ sshd.c 2010-09-14 16:14:13.000000000 -0600 -@@ -46,6 +46,7 @@ - - #include <sys/types.h> - #include <sys/ioctl.h> -+#include <sys/mman.h> - #include <sys/socket.h> - #ifdef HAVE_SYS_STAT_H - # include <sys/stat.h> -@@ -83,6 +84,13 @@ - #include <prot.h> - #endif - -+#ifdef __FreeBSD__ -+#include <resolv.h> -+#ifdef GSSAPI -+#include "ssh-gss.h" -+#endif -+#endif -+ - #include "xmalloc.h" - #include "ssh.h" - #include "ssh1.h" -@@ -1877,6 +1885,10 @@ - /* Reinitialize the log (because of the fork above). */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); - -+ /* Avoid killing the process in high-pressure swapping environments. 
*/ -+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) -+ debug("madvise(): %.200s", strerror(errno)); -+ - /* Chdir to the root directory so that the current disk can be - unmounted if desired. */ - if (chdir("/") == -1) -@@ -1995,6 +2007,29 @@ - signal(SIGCHLD, SIG_DFL); - signal(SIGINT, SIG_DFL); - -+#ifdef __FreeBSD__ -+ /* -+ * Initialize the resolver. This may not happen automatically -+ * before privsep chroot(). -+ */ -+ if ((_res.options & RES_INIT) == 0) { -+ debug("res_init()"); -+ res_init(); -+ } -+#ifdef GSSAPI -+ /* -+ * Force GSS-API to parse its configuration and load any -+ * mechanism plugins. -+ */ -+ { -+ gss_OID_set mechs; -+ OM_uint32 minor_status; -+ gss_indicate_mechs(&minor_status, &mechs); -+ gss_release_oid_set(&minor_status, &mechs); -+ } -+#endif -+#endif -+ - /* - * Register our connection. This turns encryption off because we do - * not have a key. diff --git a/security/openssh-portable66/files/patch-sshd_config b/security/openssh-portable66/files/patch-sshd_config deleted file mode 100644 index 773f90d667f0..000000000000 --- a/security/openssh-portable66/files/patch-sshd_config +++ /dev/null 
@@ -1,79 +0,0 @@ ---- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600 -+++ sshd_config 2013-05-13 06:46:45.153627197 -0500 -@@ -10,6 +10,9 @@ - # possible, but leave them commented. Uncommented options override the - # default value. - -+# Note that some of FreeBSD's defaults differ from OpenBSD's, and -+# FreeBSD has a few additional options. -+ - #Port 22 - #AddressFamily any - #ListenAddress 0.0.0.0 -@@ -41,7 +44,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin yes -+#PermitRootLogin no - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 -@@ -50,8 +53,7 @@ - #PubkeyAuthentication yes - - # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 --# but this is overridden so installations will only check .ssh/authorized_keys --AuthorizedKeysFile .ssh/authorized_keys -+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 - - #AuthorizedPrincipalsFile none - -@@ -68,11 +70,11 @@ - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes - --# To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+# Change to yes to enable built-in password authentication. -+#PasswordAuthentication no - #PermitEmptyPasswords no - --# Change to no to disable s/key passwords -+# Change to no to disable PAM authentication - #ChallengeResponseAuthentication yes - - # Kerberos options -@@ -85,7 +87,7 @@ - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes - --# Set this to 'yes' to enable PAM authentication, account processing, -+# Set this to 'no' to disable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will - # be allowed through the ChallengeResponseAuthentication and - # PasswordAuthentication. 
Depending on your PAM configuration, -@@ -94,12 +96,12 @@ - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. --#UsePAM no -+#UsePAM yes - - #AllowAgentForwarding yes - #AllowTcpForwarding yes - #GatewayPorts no --#X11Forwarding no -+#X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PermitTTY yes -@@ -107,7 +109,7 @@ - #PrintLastLog yes - #TCPKeepAlive yes - #UseLogin no --UsePrivilegeSeparation sandbox # Default for new installations. -+#UsePrivilegeSeparation sandbox - #PermitUserEnvironment no - #Compression delayed - #ClientAliveInterval 0 diff --git a/security/openssh-portable66/files/patch-sshd_config.5 b/security/openssh-portable66/files/patch-sshd_config.5 deleted file mode 100644 index 096631d0df3d..000000000000 --- a/security/openssh-portable66/files/patch-sshd_config.5 +++ /dev/null 
@@ -1,90 +0,0 @@ ---- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600 -+++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500 -@@ -277,7 +277,9 @@ - .It Cm ChallengeResponseAuthentication - Specifies whether challenge-response authentication is allowed (e.g. via - PAM or though authentication styles supported in --.Xr login.conf 5 ) -+.Xr login.conf 5 ) . -+See also -+.Cm UsePAM . - The default is - .Dq yes . - .It Cm ChrootDirectory -@@ -555,7 +557,7 @@ - .Pp - .Pa /etc/hosts.equiv - and --.Pa /etc/shosts.equiv -+.Pa /etc/ssh/shosts.equiv - are still used. - The default is - .Dq yes . -@@ -841,7 +843,22 @@ - .It Cm PasswordAuthentication - Specifies whether password authentication is allowed. - The default is -+.Dq no , -+unless -+.Nm sshd -+was built without PAM support, in which case the default is - .Dq yes . -+Note that if -+.Cm ChallengeResponseAuthentication -+is -+.Dq yes , -+and the PAM authentication policy for -+.Nm sshd -+includes -+.Xr pam_unix 8 , -+password authentication will be allowed through the challenge-response -+mechanism regardless of the value of -+.Cm PasswordAuthentication . - .It Cm PermitEmptyPasswords - When password authentication is allowed, it specifies whether the - server allows login to accounts with empty password strings. -@@ -887,7 +904,14 @@ - or - .Dq no . - The default is --.Dq yes . -+.Dq no . -+Note that if -+.Cm ChallengeResponseAuthentication -+is -+.Dq yes , -+the root user may be allowed in with its password even if -+.Cm PermitRootLogin is set to -+.Dq without-password . - .Pp - If this option is set to - .Dq without-password , -@@ -1006,7 +1030,9 @@ - section in - .Xr ssh-keygen 1 . - .It Cm RhostsRSAAuthentication --Specifies whether rhosts or /etc/hosts.equiv authentication together -+Specifies whether rhosts or -+.Pa /etc/hosts.equiv -+authentication together - with successful RSA host authentication is allowed. - The default is - .Dq no . -@@ -1146,7 +1172,7 @@ - .Xr sshd 8 - as a non-root user. 
- The default is --.Dq no . -+.Dq yes . - .It Cm UsePrivilegeSeparation - Specifies whether - .Xr sshd 8 -@@ -1182,7 +1208,7 @@ - or - .Dq no . - The default is --.Dq no . -+.Dq yes . - .Pp - When X11 forwarding is enabled, there may be additional exposure to - the server and to client displays if the |