diff options
author | Bryan Drewery <bdrewery@FreeBSD.org> | 2017-04-01 01:59:25 +0000 |
---|---|---|
committer | Bryan Drewery <bdrewery@FreeBSD.org> | 2017-04-01 01:59:25 +0000 |
commit | 9051821be1207e1e1177b48d5a08fb425bcd658e (patch) | |
tree | d378bb1f92c7d7f36e58470a9d5f181920f8a66d /security/openssh-portable | |
parent | c451c8c9fd836e426f174a01e9ed7eb7ab1d7d13 (diff) | |
download | ports-9051821be1207e1e1177b48d5a08fb425bcd658e.tar.gz ports-9051821be1207e1e1177b48d5a08fb425bcd658e.zip |
Notes
Diffstat (limited to 'security/openssh-portable')
-rw-r--r-- | security/openssh-portable/Makefile | 10 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 8 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn | 14 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-auth2.c | 11 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config.5 | 19 |
5 files changed, 30 insertions, 32 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index aa4589244e4d..5fd07db8c05b 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.4p1 -PORTREVISION= 1 +DISTVERSION= 7.5p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -58,10 +58,10 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 9.3 +X509_VERSION= 10.1 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 @@ -92,6 +92,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= No patch for 7.5 yet. # Patch from: # http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch # which was originally based on 5.7 patch from @@ -215,6 +216,7 @@ test: build OBJ=${WRKDIR} ${MAKE_ENV} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ + LOGNAME="${LOGNAME}" \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index d634e474f732..0af7af217ca8 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,9 +1,9 @@ TIMESTAMP = 1484161900 -SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 -SIZE (openssh-7.4p1.tar.gz) = 1511780 +SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 +SIZE (openssh-7.5p1.tar.gz) = 1510857 SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501 -SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee -SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572 +SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2 +SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721 SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091 diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index 83462934c1a2..8bc9308322d9 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn @@ -1181,8 +1181,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o char buf[256]; /* Must not be larger than remote_version. */ char remote_version[256]; /* Must be at least as big as buf. */ -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n", PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +#ifdef HPN_ENABLED + options.hpn_disabled ? "" : SSH_HPN, @@ -1190,7 +1190,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + "", +#endif *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); + options.version_addendum); @@ -1027,6 +1032,10 @@ server_listen(void) int ret, listen_sock, on = 1; @@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1067,6 +1076,13 @@ server_listen(void) +@@ -1072,6 +1081,13 @@ server_listen(void) debug("Bind to port %s on %s.", strport, ntop); @@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { error("Bind to port %s on %s failed: %.200s.", -@@ -1591,6 +1607,15 @@ main(int ac, char **av) +@@ -1596,6 +1612,15 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); @@ -1233,7 +1233,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; -@@ -2085,6 +2110,11 @@ main(int ac, char **av) +@@ -2099,6 +2124,11 @@ main(int ac, char **av) } #endif @@ -1245,7 +1245,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * In privilege separation, we fork another child and prepare * file descriptor passing. -@@ -2163,6 +2193,11 @@ do_ssh2_kex(void) +@@ -2177,6 +2207,11 @@ do_ssh2_kex(void) struct kex *kex; int r; diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c index 8aebcb214487..39d6b12e44c2 100644 --- a/security/openssh-portable/files/patch-auth2.c +++ b/security/openssh-portable/files/patch-auth2.c @@ -5,9 +5,9 @@ Changed paths: Apply class-imposed login restrictions. ---- auth2.c.orig 2012-12-02 16:53:20.000000000 -0600 -+++ auth2.c 2013-05-22 17:21:37.979631466 -0500 -@@ -46,6 +46,7 @@ +--- auth2.c.orig 2017-03-19 19:39:27.000000000 -0700 ++++ auth2.c 2017-03-20 11:52:27.960733000 -0700 +@@ -47,6 +47,7 @@ #include "key.h" #include "hostfile.h" #include "auth.h" @@ -15,12 +15,11 @@ Apply class-imposed login restrictions. #include "dispatch.h" #include "pathnames.h" #include "buffer.h" -@@ -216,6 +217,14 @@ input_userauth_request(int type, u_int32 +@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32 Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; +#ifdef HAVE_LOGIN_CAP -+ struct ssh *ssh = active_state; /* XXX */ + login_cap_t *lc; + const char *from_host, *from_ip; + @@ -30,7 +29,7 @@ Apply class-imposed login restrictions. if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -262,6 +271,27 @@ input_userauth_request(int type, u_int32 +@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32 "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 41e8a6283bd0..90c3940cf02c 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,5 +1,5 @@ ---- sshd_config.5.orig 2016-12-18 20:59:41.000000000 -0800 -+++ sshd_config.5 2017-01-11 13:35:46.496538000 -0800 +--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 ++++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 @@ -373,7 +373,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via @@ -11,7 +11,7 @@ The default is .Cm yes . .It Cm ChrootDirectory -@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa +@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa The list of available key types may also be obtained using .Qq ssh -Q key . .It Cm HostbasedAuthentication @@ -22,7 +22,7 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic +@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -45,7 +45,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1216,6 +1235,13 @@ and +@@ -1232,6 +1251,13 @@ and .Cm ethernet . The default is .Cm no . @@ -59,16 +59,13 @@ .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run +@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is -.Cm no . +.Cm yes . - .It Cm UsePrivilegeSeparation - Specifies whether - .Xr sshd 8 -@@ -1500,7 +1526,10 @@ The default is + .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is @@ -80,7 +77,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1514,7 +1543,7 @@ The argument must be +@@ -1512,7 +1541,7 @@ The argument must be or .Cm no . The default is |