aboutsummaryrefslogtreecommitdiff
path: root/security/openssh-portable
diff options
context:
space:
mode:
authorBryan Drewery <bdrewery@FreeBSD.org>2017-04-01 01:59:25 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2017-04-01 01:59:25 +0000
commit9051821be1207e1e1177b48d5a08fb425bcd658e (patch)
treed378bb1f92c7d7f36e58470a9d5f181920f8a66d /security/openssh-portable
parentc451c8c9fd836e426f174a01e9ed7eb7ab1d7d13 (diff)
downloadports-9051821be1207e1e1177b48d5a08fb425bcd658e.tar.gz
ports-9051821be1207e1e1177b48d5a08fb425bcd658e.zip
Notes
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile10
-rw-r--r--security/openssh-portable/distinfo8
-rw-r--r--security/openssh-portable/files/extra-patch-hpn14
-rw-r--r--security/openssh-portable/files/patch-auth2.c11
-rw-r--r--security/openssh-portable/files/patch-sshd_config.519
5 files changed, 30 insertions, 32 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index aa4589244e4d..5fd07db8c05b 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 7.4p1
-PORTREVISION= 1
+DISTVERSION= 7.5p1
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -58,10 +58,10 @@ HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 9.3
+X509_VERSION= 10.1
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES= ${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
@@ -92,6 +92,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN= No patch for 7.5 yet.
# Patch from:
# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
# which was originally based on 5.7 patch from
@@ -215,6 +216,7 @@ test: build
OBJ=${WRKDIR} ${MAKE_ENV} \
TEST_SHELL=${SH} \
SUDO="${SUDO}" \
+ LOGNAME="${LOGNAME}" \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index d634e474f732..0af7af217ca8 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,9 +1,9 @@
TIMESTAMP = 1484161900
-SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
-SIZE (openssh-7.4p1.tar.gz) = 1511780
+SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0
+SIZE (openssh-7.5p1.tar.gz) = 1510857
SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee
-SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572
+SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2
+SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721
SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 83462934c1a2..8bc9308322d9 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -1181,8 +1181,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
char buf[256]; /* Must not be larger than remote_version. */
char remote_version[256]; /* Must be at least as big as buf. */
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN,
@@ -1190,7 +1190,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ "",
+#endif
*options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
+ options.version_addendum);
@@ -1027,6 +1032,10 @@ server_listen(void)
int ret, listen_sock, on = 1;
@@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1067,6 +1076,13 @@ server_listen(void)
+@@ -1072,6 +1081,13 @@ server_listen(void)
debug("Bind to port %s on %s.", strport, ntop);
@@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1591,6 +1607,15 @@ main(int ac, char **av)
+@@ -1596,6 +1612,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1233,7 +1233,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2085,6 +2110,11 @@ main(int ac, char **av)
+@@ -2099,6 +2124,11 @@ main(int ac, char **av)
}
#endif
@@ -1245,7 +1245,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
-@@ -2163,6 +2193,11 @@ do_ssh2_kex(void)
+@@ -2177,6 +2207,11 @@ do_ssh2_kex(void)
struct kex *kex;
int r;
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index 8aebcb214487..39d6b12e44c2 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -5,9 +5,9 @@ Changed paths:
Apply class-imposed login restrictions.
---- auth2.c.orig 2012-12-02 16:53:20.000000000 -0600
-+++ auth2.c 2013-05-22 17:21:37.979631466 -0500
-@@ -46,6 +46,7 @@
+--- auth2.c.orig 2017-03-19 19:39:27.000000000 -0700
++++ auth2.c 2017-03-20 11:52:27.960733000 -0700
+@@ -47,6 +47,7 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
@@ -15,12 +15,11 @@ Apply class-imposed login restrictions.
#include "dispatch.h"
#include "pathnames.h"
#include "buffer.h"
-@@ -216,6 +217,14 @@ input_userauth_request(int type, u_int32
+@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
-+ struct ssh *ssh = active_state; /* XXX */
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+
@@ -30,7 +29,7 @@ Apply class-imposed login restrictions.
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -262,6 +271,27 @@ input_userauth_request(int type, u_int32
+@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 41e8a6283bd0..90c3940cf02c 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,5 +1,5 @@
---- sshd_config.5.orig 2016-12-18 20:59:41.000000000 -0800
-+++ sshd_config.5 2017-01-11 13:35:46.496538000 -0800
+--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
++++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
@@ -373,7 +373,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
@@ -11,7 +11,7 @@
The default is
.Cm yes .
.It Cm ChrootDirectory
-@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa
+@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
The list of available key types may also be obtained using
.Qq ssh -Q key .
.It Cm HostbasedAuthentication
@@ -22,7 +22,7 @@
with successful public key client host authentication is allowed
(host-based authentication).
The default is
-@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic
+@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -45,7 +45,7 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -1216,6 +1235,13 @@ and
+@@ -1232,6 +1251,13 @@ and
.Cm ethernet .
The default is
.Cm no .
@@ -59,16 +59,13 @@
.Pp
Independent of this setting, the permissions of the selected
.Xr tun 4
-@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run
+@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
-.Cm no .
+.Cm yes .
- .It Cm UsePrivilegeSeparation
- Specifies whether
- .Xr sshd 8
-@@ -1500,7 +1526,10 @@ The default is
+ .It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
@@ -80,7 +77,7 @@
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
-@@ -1514,7 +1543,7 @@ The argument must be
+@@ -1512,7 +1541,7 @@ The argument must be
or
.Cm no .
The default is