- Update to 7.5p1.

- Update X509 to 10.1. - Disable KERB_GSSAPI for now as it does not build. Changes: https://www.openssh.com/txt/release-7.5
svn path=/head/; revision=437391
2017-04-01 01:59:25 +00:00 · 2017-04-01 01:59:25 +00:00 · 9051821be1 · 2021-03-31 03:12:20 +00:00
commit 9051821be1
parent c451c8c9fd
6 changed files with 47 additions and 32 deletions
--- a/17
+++ b/17
@ -5,6 +5,23 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.

+20170331:
+  AFFECTS: users of security/openssh-portable
+  AUTHOR: bdrewery@FreeBSD.org
+
+  The format of several log messages emitted by the packet code has
+  changed to include additional information about the user and
+  their authentication state. Software that monitors ssh/sshd logs
+  may need to account for these changes. For example:
+
+  Connection closed by user x 1.1.1.1 port 1234 [preauth]
+  Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
+  Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
+
+  Affected messages include connection closure, timeout, remote
+  disconnection, negotiation failure and some other fatal messages
+  generated by the packet code.
+
 20170326:
  AFFECTS: users of samba43
  AUTHOR: antoine@FreeBSD.org
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -2,8 +2,8 @@
 # $FreeBSD$

 PORTNAME=	openssh
-DISTVERSION=	7.4p1
-PORTREVISION=	1
+DISTVERSION=	7.5p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@ -58,10 +58,10 @@ HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher

 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION=		9.3
+X509_VERSION=		10.1
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
 X509_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES=	${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES=	${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509

 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
@ -92,6 +92,7 @@ EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}

 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN=	No patch for 7.5 yet.
 # Patch from:
 # http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
 # which was originally based on 5.7 patch from
@ -215,6 +216,7 @@ test: build
 		OBJ=${WRKDIR} ${MAKE_ENV} \
 		TEST_SHELL=${SH} \
 		SUDO="${SUDO}" \
+		LOGNAME="${LOGNAME}" \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests

--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@ -1,9 +1,9 @@
 TIMESTAMP = 1484161900
-SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
-SIZE (openssh-7.4p1.tar.gz) = 1511780
+SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0
+SIZE (openssh-7.5p1.tar.gz) = 1510857
 SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
 SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee
-SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572
+SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2
+SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721
 SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
 SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@ -1181,8 +1181,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	char buf[256];			/* Must not be larger than remote_version. */
 	char remote_version[256];	/* Must be at least as big as buf. */
 
-	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+-	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n",
 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +#ifdef HPN_ENABLED
 +	    options.hpn_disabled ? "" : SSH_HPN,
@ -1190,7 +1190,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +	    "",
 +#endif
 	    *options.version_addendum == '\0' ? "" : " ",
- 	    options.version_addendum, newline);
+ 	    options.version_addendum);
 
@@ -1027,6 +1032,10 @@ server_listen(void)
 	int ret, listen_sock, on = 1;
@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 
 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1067,6 +1076,13 @@ server_listen(void)
+@@ -1072,6 +1081,13 @@ server_listen(void)
 
 		debug("Bind to port %s on %s.", strport, ntop);
 
@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 		/* Bind the socket to the desired port. */
 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
 			error("Bind to port %s on %s failed: %.200s.",
-@@ -1591,6 +1607,15 @@ main(int ac, char **av)
+@@ -1596,6 +1612,15 @@ main(int ac, char **av)
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
 
@ -1233,7 +1233,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	/* challenge-response is implemented via keyboard interactive */
 	if (options.challenge_response_authentication)
 		options.kbd_interactive_authentication = 1;
-@@ -2085,6 +2110,11 @@ main(int ac, char **av)
+@@ -2099,6 +2124,11 @@ main(int ac, char **av)
 	}
 #endif
 
@ -1245,7 +1245,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	/*
 	 * In privilege separation, we fork another child and prepare
 	 * file descriptor passing.
-@@ -2163,6 +2193,11 @@ do_ssh2_kex(void)
+@@ -2177,6 +2207,11 @@ do_ssh2_kex(void)
 	struct kex *kex;
 	int r;
 
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@ -5,9 +5,9 @@ Changed paths:

 Apply class-imposed login restrictions.

--- auth2.c.orig	2012-12-02 16:53:20.000000000 -0600
-+++ auth2.c	2013-05-22 17:21:37.979631466 -0500
-@@ -46,6 +46,7 @@
+--- auth2.c.orig	2017-03-19 19:39:27.000000000 -0700
+++ auth2.c	2017-03-20 11:52:27.960733000 -0700
+@@ -47,6 +47,7 @@
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
@ -15,12 +15,11 @@ Apply class-imposed login restrictions.
 #include "dispatch.h"
 #include "pathnames.h"
 #include "buffer.h"
-@@ -216,6 +217,14 @@ input_userauth_request(int type, u_int32
+@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
 	int authenticated = 0;
 +#ifdef HAVE_LOGIN_CAP
-+	struct ssh *ssh = active_state; /* XXX */
 +	login_cap_t *lc;
 +	const char *from_host, *from_ip;
 +
@ -30,7 +29,7 @@ Apply class-imposed login restrictions.
 
 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
-@@ -262,6 +271,27 @@ input_userauth_request(int type, u_int32
+@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32
 		    "(%s,%s) -> (%s,%s)",
 		    authctxt->user, authctxt->service, user, service);
 	}
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@ -1,5 +1,5 @@
--- sshd_config.5.orig	2016-12-18 20:59:41.000000000 -0800
-+++ sshd_config.5	2017-01-11 13:35:46.496538000 -0800
+--- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
+++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
@@ -373,7 +373,9 @@ By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
@ -11,7 +11,7 @@
 The default is
 .Cm yes .
 .It Cm ChrootDirectory
-@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa
+@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q key .
 .It Cm HostbasedAuthentication
@ -22,7 +22,7 @@
 with successful public key client host authentication is allowed
 (host-based authentication).
 The default is
-@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic
+@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
@ -45,7 +45,7 @@
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
-@@ -1216,6 +1235,13 @@ and
+@@ -1232,6 +1251,13 @@ and
 .Cm ethernet .
 The default is
 .Cm no .
@ -59,16 +59,13 @@
 .Pp
 Independent of this setting, the permissions of the selected
 .Xr tun 4
-@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run
+@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
 .Xr sshd 8
 as a non-root user.
 The default is
 -.Cm no .
 +.Cm yes .
- .It Cm UsePrivilegeSeparation
- Specifies whether
- .Xr sshd 8
-@@ -1500,7 +1526,10 @@ The default is
+ .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
 The default is
@ -80,7 +77,7 @@
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's
-@@ -1514,7 +1543,7 @@ The argument must be
+@@ -1512,7 +1541,7 @@ The argument must be
 or
 .Cm no .
 The default is