- Update to 6.3p1

Changelog: http://www.openssh.org/txt/release-6.3
- Use options helpers where possible
- Use upstream patch mirror for x509 and HPN
- Update HPN patch to v14 and use upstream version
- Add option NONECIPHER to allow disabling NONE in HPN patch
- Update x509 patch from 7.4.1 to 7.6
- Add support for LDNS and enable it, and VerifyHostKeyDNS/SSHFP, by default.
  See http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007180.html
  which describes this change; it is supported on releases before 10 as well
  via the LDNS option.
- Update SCTP to patchlevel 2329
- Update recommendation on secure usage of SSH
- Add pkg-message warning about ECDSA key possibly being incorrect due to
  previously being written as DSA by the rc script and fixed in r299902 in
  2012
This commit is contained in:
Bryan Drewery 2013-10-13 02:20:07 +00:00
parent 5504410d20
commit 9a7dab4b5a
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=330200
9 changed files with 342 additions and 119 deletions


@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= openssh
DISTVERSION= 6.2p2
PORTREVISION= 5
DISTVERSION= 6.3p1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@ -33,8 +32,8 @@ MAKE_ENV+= SUDO="${SUDO}"
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN LPK X509 KERB_GSSAPI \
OVERWRITE_BASE SCTP AES_THREADED
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN
OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
@ -42,18 +41,84 @@ BSM_DESC= OpenBSM Auditing
KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
HPN_DESC= HPN-SSH patch
LPK_DESC= LDAP Public Key (LPK) [OBSOLETE]
LDNS_DESC= SSHFP/LDNS support
X509_DESC= x509 certificate patch
SCTP_DESC= SCTP support
OVERWRITE_BASE_DESC= OpenSSH overwrite base
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental]
AES_THREADED_DESC= Threaded AES-CTR
NONECIPHER_DESC= NONE Cipher support
OPTIONS_SUB= yes
PLIST_SUB+= MANPREFIX=${MANPREFIX}
LDNS_CONFIGURE_WITH= ldns
LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns
LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
LDNS_CFLAGS= -I${LOCALBASE}/include
LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
# http://www.psc.edu/index.php/hpn-ssh
HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size
HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
AES_THREADED_CONFIGURE_WITH= aes-threaded
# See http://code.google.com/p/openssh-lpk/wiki/Main
# and svn repo described here:
# http://code.google.com/p/openssh-lpk/source/checkout
# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz
LPK_CPPFLAGS= -I${LOCALBASE}/include
LPK_CONFIGURE_ON= --with-ldap=yes \
--with-ldflags='-L${LOCALBASE}/lib' \
--with-cppflags='${CPPFLAGS}'
LPK_USE= OPENLDAP=yes
# See http://www.roumenpetrov.info/openssh/
X509_VERSION= 7.6
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
X509_PATCHFILES= ${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
SCTP_PATCHFILES= ${PORTNAME}-sctp-2329.patch.gz
SCTP_CONFIGURE_WITH= sctp
# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
KERB_GSSAPI_PATCHFILES= openssh-6.3p1-gsskex-all-20110125.patch.gz
MIT_LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5
HEIMDAL_LIB_DEPENDS= krb5.26:${PORTSDIR}/security/heimdal
PAM_CONFIGURE_WITH= pam
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
LIBEDIT_CONFIGURE_WITH= libedit
BSM_CONFIGURE_ON= --with-audit=bsm
PORTDOCS= *
.include <bsd.port.pre.mk>
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
HPN_VERSION= 14v2
PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${DISTVERSION}/:hpn
PATCHFILES+= ${PORTNAME}-${DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options
# Remove HPN if only AES requested
. if !${PORT_OPTIONS:MHPN}
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn
. endif
.endif
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn
.if ${OSVERSION} >= 900000
CONFIGURE_LIBS+= -lutil
.endif
@ -66,14 +131,10 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
.endif
.if ${PORT_OPTIONS:MX509}
. if ${PORT_OPTIONS:MHPN}
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
. if ${PORT_OPTIONS:MAES_THREADED}
BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together
. endif
. if ${PORT_OPTIONS:MSCTP}
BROKEN= X509 patch and SCTP patch do not apply cleanly together
. endif
@ -92,44 +153,30 @@ BROKEN= X509 patch incompatible with KERB_GSSAPI patch
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
IGNORE= Pam must be installed in base
.endif
.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
IGNORE= Required /usr/include/tcpd.h missing
.endif
.if defined(OPENSSH_OVERWRITE_BASE)
PORT_OPTIONS+= OVERWRITE_BASE
.endif
.if ${PORT_OPTIONS:MPAM} && exists(/usr/include/security/pam_modules.h)
CONFIGURE_ARGS+= --with-pam
.endif
.if ${PORT_OPTIONS:MTCP_WRAPPERS} && exists(/usr/include/tcpd.h)
CONFIGURE_ARGS+= --with-tcp-wrappers
.endif
.if ${PORT_OPTIONS:MLIBEDIT}
CONFIGURE_ARGS+= --with-libedit
.endif
.if ${PORT_OPTIONS:MBSM}
CONFIGURE_ARGS+= --with-audit=bsm
.endif
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
CONFIGURE_ARGS+= --with-kerberos5
. if ${PORT_OPTIONS:MMIT}
LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
. elif ${PORT_OPTIONS:MHEIMDAL}
LIB_DEPENDS+= krb5.26:${PORTSDIR}/security/heimdal
. elif ${PORT_OPTIONS:MHEIMDAL_BASE}
. if !exists(/usr/lib/libkrb5.so)
IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
. else
. if ${PORT_OPTIONS:MHEIMDAL_BASE}
. if ${PORT_OPTIONS:MKERB_GSSAPI}
CONFIGURE_LIBS+= -lgssapi_krb5
. endif
. endif
# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
. if ${PORT_OPTIONS:MKERB_GSSAPI}
PATCHFILES+= openssh-6.2p2-gsskex-all-20110125-2.patch.gz
PATCH_DIST_STRIP=
. endif
CONFIGURE_ARGS+= --with-kerberos5=/usr
. else
CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE}
. endif
. if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
@ -145,52 +192,10 @@ IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.endif
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN}
HPN_VERSION= 13v14
PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size
PATCH_DIST_STRIP=
.endif
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MAES_THREADED}
AES_THREADED_VERSION= v14
PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz
PATCH_DIST_STRIP=
.endif
# See http://code.google.com/p/openssh-lpk/wiki/Main
# and svn repo described here:
# http://code.google.com/p/openssh-lpk/source/checkout
# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
.if ${PORT_OPTIONS:MLPK}
PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz
USE_OPENLDAP= yes
CPPFLAGS+= -I${LOCALBASE}/include
CONFIGURE_ARGS+= --with-ldap=yes \
--with-ldflags='-L${LOCALBASE}/lib' \
--with-cppflags='${CPPFLAGS}'
CONFIGURE_LIBS+= -lldap
.endif
# See http://www.roumenpetrov.info/openssh/
.if ${PORT_OPTIONS:MX509}
X509_VERSION= 7.4.1
PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509
PATCH_DIST_STRIP= -p1
PLIST_SUB+= X509=""
.else
PLIST_SUB+= X509="@comment "
.endif
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
.if ${PORT_OPTIONS:MSCTP}
PATCHFILES+= ${PORTNAME}-sctp-2163.patch.gz
CONFIGURE_ARGS+= --with-sctp
.endif
EMPTYDIR= /var/empty
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
@ -201,17 +206,14 @@ NO_MTREE= yes
ETCSSH= /etc/ssh
USE_RCORDER= openssh
PLIST_SUB+= NOTBASE="@comment "
PLIST_SUB+= BASE=""
PLIST_SUB+= BASEPREFIX="${PREFIX}"
.else
ETCSSH= ${PREFIX}/etc/ssh
USE_RC_SUBR= openssh
PLIST_SUB+= NOTBASE=""
PLIST_SUB+= BASE="@comment "
.endif
# After all
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509
SUB_LIST+= ETCSSH="${ETCSSH}"
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
.if !empty(CONFIGURE_LIBS)
@ -222,7 +224,10 @@ RC_SCRIPT_NAME= openssh
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
@${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in
@${REINPLACE_CMD} \
-e 's|install: \(.*\) host-key check-config|install: \1|g' \
-e 's|-lpthread|${PTHREAD_LIBS}|' \
${WRKSRC}/Makefile.in
@${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \
${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \
${WRKSRC}/ssh_config.5
@ -252,6 +257,10 @@ pre-install:
post-install:
${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
.endif
test: build
(cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
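Review bot: `OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER` compiles NONE-cipher (unencrypted transport) support into every default build of both ssh and sshd, and the one-line `NONECIPHER_DESC= NONE Cipher support` does not tell the user what that means. The extra patch added in this commit still forces `none_enabled = 0` unless NoneEnabled is set explicitly, so the default widens the compiled-in surface rather than turning the cipher on, and that is what the description should say, e.g. `NONECIPHER_DESC= NONE cipher support (compiled in only; NoneEnabled still defaults to no)`. A short comment above the OPTIONS_DEFAULT line noting that NONECIPHER is on by default to preserve the behaviour of the previous HPN patch, which apparently offered no way to leave it out, would also help. Separately, `LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns` uses the new libfoo.so form while `MIT_LIB_DEPENDS= krb5.3:...` and `HEIMDAL_LIB_DEPENDS= krb5.26:...` keep the legacy shared-library-version form in the same file.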


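--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,14 +1,12 @@
-SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
-SIZE (openssh-6.2p2.tar.gz) = 1182922
-SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b
-SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984
-SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9
-SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
-SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
-SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
-SHA256 (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 597634f1a9e624b928f0ae647ec2ffba641f94a3ecad1161bce8fb2512c476b8
-SIZE (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 24205
-SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
-SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
-SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
-SIZE (openssh-sctp-2163.patch.gz) = 6764
+SHA256 (openssh-6.3p1.tar.gz) = aea575ededd3ebd45c05d42d0a87af22c79131a847ea440c54e3fdd223f5a420
+SIZE (openssh-6.3p1.tar.gz) = 1201101
+SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
+SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
+SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
+SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
+SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
+SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
+SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
+SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
+SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
+SIZE (openssh-sctp-2329.patch.gz) = 8706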


@ -0,0 +1,142 @@
--- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
+++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
}
}
+#ifdef AES_THREADED
/* if we are using aes-ctr there can be issues in either a fork or sandbox
* so the initial aes-ctr is defined to point to the original single process
* evp. After authentication we'll be past the fork and the sandboxed privsep
@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
cipher_reset_multithreaded();
packet_request_rekeying();
}
+#endif
debug("Authentication succeeded (%s).", authctxt.method->name);
}
--- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500
+++ sshd.c 2013-10-11 08:53:25.929132033 -0500
@@ -2186,6 +2186,7 @@ main(int ac, char **av)
/* Start session. */
+#ifdef AES_THREADED
/* if we are using aes-ctr there can be issues in either a fork or sandbox
* so the initial aes-ctr is defined to point ot the original single process
* evp. After authentication we'll be past the fork and the sandboxed privsep
@@ -2201,6 +2202,7 @@ main(int ac, char **av)
cipher_reset_multithreaded();
packet_request_rekeying();
}
+#endif
do_authenticated(authctxt);
--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
+++ readconf.c 2013-10-11 09:19:12.295135966 -0500
@@ -251,12 +251,16 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
+#ifdef NONECIPHER
{ "noneenabled", oNoneEnabled },
{ "noneswitch", oNoneSwitch },
+#endif
+#ifdef HPN
{ "tcprcvbufpoll", oTcpRcvBufPoll },
{ "tcprcvbuf", oTcpRcvBuf },
{ "hpndisabled", oHPNDisabled },
{ "hpnbuffersize", oHPNBufferSize },
+#endif
{ "ignoreunknown", oIgnoreUnknown },
{ NULL, oBadOption }
@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
+#ifdef NONECIPHER
if (options->none_switch == -1)
+#endif
options->none_switch = 0;
+#ifdef NONECIPHER
if (options->none_enabled == -1)
+#endif
options->none_enabled = 0;
+#ifdef HPN
if (options->hpn_disabled == -1)
options->hpn_disabled = 0;
+#else
+ options->hpn_disabled = 1;
+#endif
if (options->hpn_buffer_size > -1)
{
/* if a user tries to set the size to 0 set it to 1KB */
--- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
+++ servconf.c 2013-10-11 09:25:50.777137928 -0500
@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption
options->permit_tun = SSH_TUNMODE_NO;
if (options->zero_knowledge_password_authentication == -1)
options->zero_knowledge_password_authentication = 0;
+#ifdef NONECIPHER
if (options->none_enabled == -1)
+#endif
options->none_enabled = 0;
+#ifdef HPN
if (options->hpn_disabled == -1)
options->hpn_disabled = 0;
+#else
+ options->hpn_disabled = 1;
+#endif
if (options->hpn_buffer_size == -1) {
/* option not explicitly set. Now we have to figure out */
--- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500
+++ configure.ac 2013-10-12 17:18:35.610130039 -0500
@@ -3968,6 +3968,34 @@
]
) # maildir
+#check whether user wants HPN support
+HPN_MSG="no"
+AC_ARG_WITH(hpn,
+ [ --with-hpn Enable HPN support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HPN,1,[Define if you want HPN support.])
+ HPN_MSG="yes"
+ fi ]
+)
+#check whether user wants NONECIPHER support
+NONECIPHER_MSG="no"
+AC_ARG_WITH(nonecipher,
+ [ --with-nonecipher Enable NONECIPHER support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
+ NONECIPHER_MSG="yes"
+ fi ]
+)
+#check whether user wants AES_THREADED support
+AES_THREADED_MSG="no"
+AC_ARG_WITH(aes-threaded,
+ [ --with-aes-threaded Enable AES_THREADED support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
+ AES_THREADED_MSG="yes"
+ fi ]
+)
+
if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
disable_ptmx_check=yes
@@ -4636,6 +4664,9 @@
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
+echo " HPN support: $HPN_MSG"
+echo " NONECIPHER support: $NONECIPHER_MSG"
+echo " AES_THREADED support: $AES_THREADED_MSG"
echo ""
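Review bot: The servconf.c hunk forces `options->none_enabled = 0` when NONECIPHER is not defined but, unlike the readconf.c hunk, does not take the `noneenabled` keyword out of the server's keyword table, so if that table is untouched outside this patch an sshd_config containing `NoneEnabled yes` is accepted and then silently overridden, while the same line in ssh_config is rejected as an unknown option. Either gate the servconf.c keyword entries under `#ifdef NONECIPHER` as readconf.c does, or emit a log line saying the setting is ignored, so the parsing behaviour matches on both sides. The same asymmetry appears to apply to the HPN keywords (`tcprcvbufpoll`, `hpndisabled`, …), which are guarded only on the client side. A comment on the servconf.c `#else` branch, e.g. `/* HPN code paths not compiled in: keep HPN disabled */`, would make the forced `hpn_disabled = 1` self-explanatory.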


@ -0,0 +1,32 @@
--- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
+++ sshd_config 2013-10-12 06:40:06.646129924 -0500
@@ -125,20 +125,6 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
-# the following are HPN related configuration options
-# tcp receive buffer polling. disable in non autotuning kernels
-#TcpRcvBufPoll yes
-
-# disable hpn performance boosts
-#HPNDisabled no
-
-# buffer size for hpn to non-hpn connections
-#HPNBufferSize 2048
-
-
-# allow the use of the none cipher
-#NoneEnabled no
-
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
--- version.h.orig 2013-10-12 06:42:19.578133368 -0500
+++ version.h 2013-10-12 06:42:28.581136160 -0500
@@ -3,5 +3,4 @@
#define SSH_VERSION "OpenSSH_6.3"
#define SSH_PORTABLE "p1"
-#define SSH_HPN "-hpn14v2"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
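Review bot: The sshd_config hunk deletes the `# allow the use of the none cipher` / `#NoneEnabled no` sample together with the HPN-only options, yet by the Makefile in this commit this extra patch appears to be applied whenever HPN is deselected, which includes builds where NONECIPHER is still selected and the NoneEnabled keyword remains compiled in. Keeping those two sample lines in that case, or splitting them into a NONECIPHER-conditional patch, keeps the installed sshd_config honest about what the binary accepts. The version.h hunk that drops `SSH_HPN` from `SSH_RELEASE` is fine as is; the banner no longer advertises a patch level that is not active.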


@ -0,0 +1,51 @@
r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
Changed paths:
M /head/crypto/openssh/readconf.c
M /head/crypto/openssh/ssh_config
M /head/crypto/openssh/ssh_config.5
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
LDNS. With that setting, OpenSSH will silently accept host keys that
match verified SSHFP records. If an SSHFP record exists but could not
be verified, OpenSSH will print a message and prompt the user as usual.
--- readconf.c 2013-10-03 08:15:03.496131082 -0500
+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
options->rekey_limit = 0;
if (options->rekey_interval == -1)
options->rekey_interval = 0;
+#if HAVE_LDNS
+ if (options->verify_host_key_dns == -1)
+ /* automatically trust a verified SSHFP record */
+ options->verify_host_key_dns = 1;
+#else
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+#endif
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
--- ssh_config 2013-10-03 08:15:03.537131330 -0500
+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
@@ -44,5 +44,6 @@
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
+# VerifyHostKeyDNS yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
--- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
+++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
@@ -1246,7 +1246,10 @@ The argument must be
or
.Dq ask .
The default is
-.Dq no .
+.Dq yes
+if compiled with LDNS and
+.Dq no
+otherwise.
Note that this option applies to protocol version 2 only.
.Pp
See also VERIFYING HOST KEYS in
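Review bot: `#if HAVE_LDNS` at the top of the readconf.c hunk relies on an undefined macro silently evaluating to 0, whereas every other build-option guard added in this commit uses `#ifdef`; `#ifdef HAVE_LDNS` would be consistent and would not trip -Wundef. Since this is also the hunk that flips the VerifyHostKeyDNS default to yes, the trust change deserves a fuller comment than `/* automatically trust a verified SSHFP record */`: with LDNS a DNSSEC-validated SSHFP record now replaces the interactive host-key prompt, so the client's trust extends to the resolver's DNSSEC validation, e.g. `/* LDNS build: a DNSSEC-validated SSHFP record replaces the host-key prompt */`. The ssh_config.5 hunk documents the new default, but nothing in the port's pkg-message tells an upgrading operator that the prompt they may rely on is gone in the default build.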


@ -41,8 +41,8 @@
+ LOGIN_SETENV|LOGIN_SETPATH);
+ copy_environment(environ, &env, &envsize);
+ for (var = environ; *var != NULL; ++var)
+ xfree(*var);
+ xfree(environ);
+ free(*var);
+ free(environ);
+ environ = senv;
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN


@ -90,13 +90,3 @@ disconnected.
default:
usage();
}
@@ -1348,8 +1376,7 @@
if (ac > 0)
parent_alive_interval = 10;
idtab_init();
- if (!d_flag)
- signal(SIGINT, SIG_IGN);
+ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
signal(SIGPIPE, SIG_IGN);
signal(SIGHUP, cleanup_handler);
signal(SIGTERM, cleanup_handler);


@ -10,6 +10,6 @@ the base system. Please be aware of this when upgrading your
OpenSSH port, and if truly necessary, re-enable remote root login
by readjusting this option in your sshd_config.
Users are encouraged to create single-purpose users with ssh keys
and very narrowly defined sudo privileges instead of using root
for automated tasks.
Users are encouraged to create single-purpose users with ssh keys, disable
Password auth with 'PasswordAuthentication no' and define very narrow sudo
privileges instead of using root for automated tasks.


@ -12,14 +12,15 @@ bin/ssh-keyscan
%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
%%BASE%%@cwd /
%%OVERWRITE_BASE%%@cwd /
etc/ssh/ssh_config-dist
etc/ssh/sshd_config-dist
%%BASE%%@cwd %%BASEPREFIX%%
%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
%%NOTBASE%%@dirrmtry etc/ssh
@exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
sbin/sshd
libexec/sftp-server
libexec/ssh-keysign
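Review bot: The `grep -q DSA %D/etc/ssh_host_ecdsa_key` test in the new @exec line matches the substring anywhere in the file, and the base64 body of a genuine EC key can contain `DSA` by chance, in which case a valid host key is reported as broken and the operator is told to delete and regenerate it. Match the PEM header instead, `grep -q 'BEGIN DSA PRIVATE KEY' %D/etc/ssh_host_ecdsa_key`, which is the header a mis-written DSA key carries and which a real EC key (`BEGIN EC PRIVATE KEY`) never does. The `-f` test before it is fine; it already avoids a spurious warning on hosts that have not generated an ECDSA key yet.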