Diffstat (limited to 'security/openssh-portable/files')
-rw-r--r--security/openssh-portable/files/extra-patch-hpn28
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-compat10
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-gss-glue20
-rw-r--r--security/openssh-portable/files/openssh.in17
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.118
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c38
-rw-r--r--security/openssh-portable/files/patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b473
7 files changed, 132 insertions, 72 deletions
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 6fec82f1fc2e..412cc576fb7c 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -905,9 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
.It Fl r
Recursively copy entire directories when uploading and downloading.
Note that
---- work/openssh/ssh.c.orig 2024-06-30 21:36:28.000000000 -0700
-+++ work/openssh/ssh.c 2024-07-01 13:58:31.555859000 -0700
-@@ -1070,6 +1070,14 @@ main(int ac, char **av)
+--- work/openssh/ssh.c.orig 2025-10-05 19:25:16.000000000 -0700
++++ work/openssh/ssh.c 2025-10-06 08:20:57.445863000 -0700
+@@ -1092,6 +1092,14 @@ main(int ac, char **av)
break;
case 'T':
options.request_tty = REQUEST_TTY_NO;
@@ -922,7 +922,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
break;
case 'o':
line = xstrdup(optarg);
-@@ -2159,6 +2167,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
+@@ -2235,6 +2243,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
NULL, fileno(stdin), command, environ);
}
@@ -1001,7 +1001,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* open new channel for a session */
static int
ssh_session2_open(struct ssh *ssh)
-@@ -2177,9 +2257,17 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2253,9 +2333,17 @@ ssh_session2_open(struct ssh *ssh)
if (in == -1 || out == -1 || err == -1)
fatal("dup() in/out/err failed");
@@ -1019,22 +1019,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
window >>= 1;
packetmax >>= 1;
}
-@@ -2188,6 +2276,12 @@ ssh_session2_open(struct ssh *ssh)
- window, packetmax, CHAN_EXTENDED_WRITE,
+@@ -2265,6 +2353,12 @@ ssh_session2_open(struct ssh *ssh)
"client-session", CHANNEL_NONBLOCK_STDIO);
-
+ if (tty_flag)
+ channel_set_tty(ssh, c);
+#ifdef HPN_ENABLED
+ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
+ c->dynamic_window = 1;
+ debug ("Enabled Dynamic Window Scaling");
+ }
+#endif
- debug3_f("channel_new: %d", c->self);
+ debug3_f("channel_new: %d%s", c->self, tty_flag ? " (tty)" : "");
channel_send_open(ssh, c->self);
-@@ -2203,6 +2297,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
+@@ -2280,6 +2374,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
{
- int r, interactive, id = -1;
+ int r, id = -1;
char *cp, *tun_fwd_ifname = NULL;
+
+#ifdef HPN_ENABLED
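Review bot: The rebased inner-patch context `+ if (tty_flag)` / `+ channel_set_tty(ssh, c);` now calls channel_set_tty() on the client session right before the HPN block sets `c->dynamic_window = 1`, and the new patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 file in this same commit changes channel_set_tty() to set `c->remote_has_tty` instead of `c->isatty`. Any HPN logic in channels.c that keys its window or buffer behaviour on `c->isatty` for tty sessions will therefore observe a different value than it did before this rebase; the HPN channels.c hunks are not in view, so this is a point to confirm rather than a known break. A one-line reminder next to the HPN block, e.g. `/* channel_set_tty() sets remote_has_tty, not isatty; see patch-upstream-beae06f5 */`, would spare the next rebaser the same check. ssh_session2_open()'s body continues outside the hunk.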
@@ -1267,11 +1267,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
---- work/openssh/version.h.orig 2025-02-18 00:15:08.000000000 -0800
-+++ work/openssh/version.h 2025-02-19 07:59:36.425254000 -0800
+--- work/openssh/version.h.orig 2025-10-05 19:25:16.000000000 -0700
++++ work/openssh/version.h 2025-10-06 08:19:38.217160000 -0700
@@ -4,3 +4,4 @@
- #define SSH_PORTABLE "p2"
+ #define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_HPN "-hpn14v15"
--- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index ef6542e0e64a..58c2d7a0e0e7 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well.
------------------------------------------------------------------------
---- readconf.c.orig 2025-04-09 00:02:43.000000000 -0700
-+++ readconf.c 2025-04-10 21:55:30.974643000 -0700
-@@ -332,6 +332,12 @@ static struct {
- { "obscurekeystroketiming", oObscureKeystrokeTiming },
- { "channeltimeout", oChannelTimeout },
+--- readconf.c.orig 2025-10-05 19:25:16.000000000 -0700
++++ readconf.c 2025-10-06 08:47:03.024775000 -0700
+@@ -328,6 +328,12 @@ static struct {
{ "versionaddendum", oVersionAddendum },
+ { "refuseconnection", oRefuseConnection },
+ { "warnweakcrypto", oWarnWeakCrypto },
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
diff --git a/security/openssh-portable/files/extra-patch-hpn-gss-glue b/security/openssh-portable/files/extra-patch-hpn-gss-glue
index 57b47e8b023a..3924a57f9d67 100644
--- a/security/openssh-portable/files/extra-patch-hpn-gss-glue
+++ b/security/openssh-portable/files/extra-patch-hpn-gss-glue
@@ -22,9 +22,9 @@
if (options.gss_keyex) {
/* Add the GSSAPI mechanisms currently supported on this
* client to the key exchange algorithm proposal */
---- readconf.c.orig 2019-07-19 12:13:18.000312000 -0700
-+++ readconf.c 2019-07-19 12:13:29.614552000 -0700
-@@ -63,11 +63,11 @@
+--- readconf.c.orig 2025-10-08 15:36:47.220504000 -0700
++++ readconf.c 2025-10-08 15:38:09.729314000 -0700
+@@ -60,11 +60,11 @@
#include "readconf.h"
#include "match.h"
#include "kex.h"
@@ -34,12 +34,12 @@
#include "myproposal.h"
#include "digest.h"
-#include "ssh-gss.h"
+ #include "version.h"
/* Format of the configuration file:
-
---- servconf.c.orig 2019-07-19 12:14:42.078398000 -0700
-+++ servconf.c 2019-07-19 12:14:43.543687000 -0700
-@@ -54,6 +54,7 @@
+--- servconf.c.orig 2025-10-08 15:36:47.223017000 -0700
++++ servconf.c 2025-10-08 15:38:32.182178000 -0700
+@@ -56,6 +56,7 @@
#include "sshkey.h"
#include "kex.h"
#include "mac.h"
@@ -47,11 +47,11 @@
#include "match.h"
#include "channels.h"
#include "groupaccess.h"
-@@ -64,7 +65,6 @@
+@@ -66,7 +67,6 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
-#include "ssh-gss.h"
+ #include "version.h"
- static void add_listen_addr(ServerOptions *, const char *,
- const char *, int);
+ #if !defined(SSHD_PAM_SERVICE)
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in
index 9526a70b0d07..1818d0bf0984 100644
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@@ -23,8 +23,6 @@ load_rc_config ${name}
: ${openssh_skipportscheck="NO"}
# These only control ssh-keygen automatically generating host keys.
-: ${openssh_dsa_enable="YES"}
-: ${openssh_dsa_flags=""}
: ${openssh_rsa_enable="YES"}
: ${openssh_rsa_flags=""}
: ${openssh_ecdsa_enable="YES"}
@@ -43,14 +41,12 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
openssh_keygen()
{
- local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
- checkyesno openssh_dsa_enable || skip_dsa=y
+ local skip_rsa= skip_ecdsa= skip_ed25519=
checkyesno openssh_rsa_enable || skip_rsa=y
checkyesno openssh_ecdsa_enable || skip_ecdsa=y
checkyesno openssh_ed25519_enable || skip_ed25519=y
- if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
- \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
+ if [ \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
\( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
\( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
return 0
@@ -62,15 +58,6 @@ openssh_keygen()
[ -x %%PREFIX%%/bin/ssh-keygen ] ||
err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
- if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
- echo "You already have a DSA host key" \
- "in %%ETCDIR%%/ssh_host_dsa_key"
- echo "Skipping protocol version 2 DSA Key Generation"
- elif checkyesno openssh_dsa_enable; then
- %%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
- -f %%ETCDIR%%/ssh_host_dsa_key -N ''
- fi
-
if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then
echo "You already have a RSA host key" \
"in %%ETCDIR%%/ssh_host_rsa_key"
diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1
index 8e5a9777519f..d44465be3124 100644
--- a/security/openssh-portable/files/patch-ssh-agent.1
+++ b/security/openssh-portable/files/patch-ssh-agent.1
@@ -4,21 +4,21 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
---- ssh-agent.1.orig 2020-02-13 16:40:54.000000000 -0800
-+++ ssh-agent.1 2020-03-21 17:03:22.952068000 -0700
+--- ssh-agent.1.orig 2025-10-05 19:25:16.000000000 -0700
++++ ssh-agent.1 2025-10-06 08:30:26.521757000 -0700
@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
--.Op Fl \&Dd
-+.Op Fl \&Ddx
+-.Op Fl \&DdTU
++.Op Fl \&DdTUx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
- .Op Fl P Ar provider_whitelist
-@@ -125,6 +125,8 @@ A lifetime specified for an identity with
- .Xr ssh-add 1
- overrides this value.
- Without this option the default maximum lifetime is forever.
+ .Op Fl O Ar option
+@@ -203,6 +203,8 @@ will delete stale agent sockets regardless of the host
+ If this option is given twice,
+ .Nm
+ will delete stale agent sockets regardless of the host name that created them.
+.It Fl x
+Exit after the last client has disconnected.
.It Ar command Op Ar arg ...
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index cd85012d883f..b17027d0e340 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,11 +8,11 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
---- ssh-agent.c.orig 2023-12-18 06:59:50.000000000 -0800
-+++ ssh-agent.c 2023-12-19 17:16:22.128981000 -0800
-@@ -196,11 +196,28 @@
- /* Refuse signing of non-SSH messages for web-origin FIDO keys */
+--- ssh-agent.c.orig 2025-10-05 19:25:16.000000000 -0700
++++ ssh-agent.c 2025-10-06 08:33:47.247562000 -0700
+@@ -193,11 +193,28 @@ static char *websafe_allowlist;
static int restrict_websafe = 1;
+ static char *websafe_allowlist;
+/*
+ * Client connection count; incremented in new_socket() and decremented in
@@ -39,7 +39,7 @@ disconnected.
close(e->fd);
sshbuf_free(e->input);
sshbuf_free(e->output);
-@@ -213,6 +230,8 @@
+@@ -210,6 +227,8 @@ close_socket(SocketEntry *e)
memset(e, '\0', sizeof(*e));
e->fd = -1;
e->type = AUTH_UNUSED;
@@ -48,7 +48,7 @@ disconnected.
}
static void
-@@ -1893,6 +1912,10 @@
+@@ -1887,6 +1906,10 @@ new_socket(sock_type type, int fd)
debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@@ -59,16 +59,16 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
-@@ -2184,7 +2207,7 @@
+@@ -2177,7 +2200,7 @@ usage(void)
usage(void)
{
fprintf(stderr,
-- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
-+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
+- "usage: ssh-agent [-c | -s] [-DdTU] [-a bind_address] [-E fingerprint_hash]\n"
++ "usage: ssh-agent [-c | -s] [-DdTUx] [-a bind_address] [-E fingerprint_hash]\n"
" [-O option] [-P allowed_providers] [-t life]\n"
- " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
+ " ssh-agent [-TU] [-a bind_address] [-E fingerprint_hash] [-O option]\n"
" [-P allowed_providers] [-t life] command [arg ...]\n"
-@@ -2218,6 +2241,7 @@
+@@ -2218,6 +2241,7 @@ main(int ac, char **av)
/* drop */
(void)setegid(getgid());
(void)setgid(getgid());
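Review bot: The new usage text `"usage: ssh-agent [-c | -s] [-DdTUx] [-a bind_address] [-E fingerprint_hash]\n"` lists -x only in the daemon form, while the second form (`" ssh-agent [-TU] [-a bind_address] [-E fingerprint_hash] [-O option]\n"` … `command [arg ...]`) omits it, so a reader cannot tell from usage() whether -x is accepted together with a command; the `case 'x': xcount = 0;` handler in the following hunk sets it unconditionally, so it appears to be accepted in both modes. If -x is intentionally meaningless when a command is given (the agent's lifetime is then tied to the command), it would be clearer to say so in usage() and in the ssh-agent.1 `.It Fl x` text, or to reject the combination; if it is meaningful there, it belongs in the second usage form as well. usage() and main() both extend outside this hunk.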
@@ -76,22 +76,22 @@ disconnected.
platform_disable_tracing(0); /* strict=no */
-@@ -2229,7 +2253,7 @@
+@@ -2229,7 +2253,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
-- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
-+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
+- while ((ch = getopt(ac, av, "cDdksTuUE:a:O:P:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cDdksTuUE:a:O:P:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -2280,6 +2304,9 @@
- fprintf(stderr, "Invalid lifetime\n");
+@@ -2286,6 +2310,9 @@ main(int ac, char **av)
usage();
}
-+ break;
+ break;
+ case 'x':
+ xcount = 0;
++ break;
+ case 'T':
+ T_flag++;
break;
- default:
- usage();
diff --git a/security/openssh-portable/files/patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 b/security/openssh-portable/files/patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b4
new file mode 100644
index 000000000000..e9cb994331ab
--- /dev/null
+++ b/security/openssh-portable/files/patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b4
@@ -0,0 +1,73 @@
+From beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 7 Oct 2025 08:02:32 +0000
+Subject: [PATCH] upstream: don't reuse c->isatty for signalling that the
+ remote channel
+
+has a tty attached as this causes side effects, e.g. in channel_handle_rfd().
+bz3872
+
+ok markus@
+
+OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8
+---
+ channels.c | 9 +++++----
+ channels.h | 3 ++-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/channels.c b/channels.c
+index f1d7bcf345b..80014ff341f 100644
+--- channels.c
++++ channels.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */
++/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c)
+ {
+ struct ssh_channels *sc = ssh->chanctxt;
+ const char *type = c->xctype == NULL ? c->ctype : c->xctype;
+- const char *classifier = c->isatty ?
++ const char *classifier = (c->isatty || c->remote_has_tty) ?
+ sc->bulk_classifier_tty : sc->bulk_classifier_notty;
+
+ c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1;
+@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
+ void
+ channel_set_tty(struct ssh *ssh, Channel *c)
+ {
+- c->isatty = 1;
++ c->remote_has_tty = 1;
+ channel_classify(ssh, c);
+ }
+
+@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c)
+ c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan,
+ c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id,
+ c->io_want, c->io_ready,
+- c->isatty ? "T" : "", c->bulk ? "B" : "I");
++ c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""),
++ c->bulk ? "B" : "I");
+ return ret;
+ }
+
+diff --git a/channels.h b/channels.h
+index df7c7f364d2..7456541f8ce 100644
+--- channels.h
++++ channels.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */
++/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */
+
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+@@ -145,6 +145,7 @@ struct Channel {
+ int ctl_chan; /* control channel (multiplexed connections) */
+ uint32_t ctl_child_id; /* child session for mux controllers */
+ int have_ctl_child_id;/* non-zero if ctl_child_id is valid */
++ int remote_has_tty; /* remote side has a tty */
+ int isatty; /* rfd is a tty */
+ #ifdef _AIX
+ int wfd_isatty; /* wfd is a tty */