- Update to 6.3p1
Changelog: http://www.openssh.org/txt/release-6.3 - Use options helpers where possible - Use upstream patch mirror for x509 and HPN - Update HPN patch to v14 and use upstream version - Add option NONECIPHER to allow disabling NONE in HPN patch - Update x509 patch from 7.4.1 to 7.6 - Add support for LDNS and enable it and VerifyHostKeyDNS/SSHFP by default. See http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007180.html which describes this change, but it is supported on releases before 10 as well with the LDNS option. - Update SCTP to patchlevel 2329 - Update recommendation on secure usage of SSH - Add pkg-message warning about ECDSA key possibly being incorrect due to previously being written as DSA by the rc script and fixed in r299902 in 2012
This commit is contained in:
parent
5504410d20
commit
9a7dab4b5a
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=330200
9 changed files with 342 additions and 119 deletions
|
@ -2,8 +2,7 @@
|
|||
# $FreeBSD$
|
||||
|
||||
PORTNAME= openssh
|
||||
DISTVERSION= 6.2p2
|
||||
PORTREVISION= 5
|
||||
DISTVERSION= 6.3p1
|
||||
PORTEPOCH= 1
|
||||
CATEGORIES= security ipv6
|
||||
MASTER_SITES= ${MASTER_SITE_OPENBSD}
|
||||
|
@ -33,8 +32,8 @@ MAKE_ENV+= SUDO="${SUDO}"
|
|||
|
||||
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
|
||||
HPN LPK X509 KERB_GSSAPI \
|
||||
OVERWRITE_BASE SCTP AES_THREADED
|
||||
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN
|
||||
OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
|
||||
OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
|
||||
OPTIONS_RADIO= KERBEROS
|
||||
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
|
||||
TCP_WRAPPERS_DESC= tcp_wrappers support
|
||||
|
@ -42,18 +41,84 @@ BSM_DESC= OpenBSM Auditing
|
|||
KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
|
||||
HPN_DESC= HPN-SSH patch
|
||||
LPK_DESC= LDAP Public Key (LPK) [OBSOLETE]
|
||||
LDNS_DESC= SSHFP/LDNS support
|
||||
X509_DESC= x509 certificate patch
|
||||
SCTP_DESC= SCTP support
|
||||
OVERWRITE_BASE_DESC= OpenSSH overwrite base
|
||||
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
|
||||
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
|
||||
MIT_DESC= MIT Kerberos (security/krb5)
|
||||
AES_THREADED_DESC= Threaded AES-CTR [HPN/Experimental]
|
||||
AES_THREADED_DESC= Threaded AES-CTR
|
||||
NONECIPHER_DESC= NONE Cipher support
|
||||
|
||||
OPTIONS_SUB= yes
|
||||
PLIST_SUB+= MANPREFIX=${MANPREFIX}
|
||||
|
||||
LDNS_CONFIGURE_WITH= ldns
|
||||
LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns
|
||||
LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
|
||||
LDNS_CFLAGS= -I${LOCALBASE}/include
|
||||
LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
|
||||
|
||||
# http://www.psc.edu/index.php/hpn-ssh
|
||||
HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size
|
||||
HPN_CONFIGURE_WITH= hpn
|
||||
NONECIPHER_CONFIGURE_WITH= nonecipher
|
||||
AES_THREADED_CONFIGURE_WITH= aes-threaded
|
||||
|
||||
# See http://code.google.com/p/openssh-lpk/wiki/Main
|
||||
# and svn repo described here:
|
||||
# http://code.google.com/p/openssh-lpk/source/checkout
|
||||
# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
|
||||
LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz
|
||||
LPK_CPPFLAGS= -I${LOCALBASE}/include
|
||||
LPK_CONFIGURE_ON= --with-ldap=yes \
|
||||
--with-ldflags='-L${LOCALBASE}/lib' \
|
||||
--with-cppflags='${CPPFLAGS}'
|
||||
LPK_USE= OPENLDAP=yes
|
||||
|
||||
# See http://www.roumenpetrov.info/openssh/
|
||||
X509_VERSION= 7.6
|
||||
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
|
||||
X509_PATCHFILES= ${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
|
||||
|
||||
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
|
||||
SCTP_PATCHFILES= ${PORTNAME}-sctp-2329.patch.gz
|
||||
SCTP_CONFIGURE_WITH= sctp
|
||||
|
||||
# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
|
||||
KERB_GSSAPI_PATCHFILES= openssh-6.3p1-gsskex-all-20110125.patch.gz
|
||||
|
||||
|
||||
MIT_LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5
|
||||
HEIMDAL_LIB_DEPENDS= krb5.26:${PORTSDIR}/security/heimdal
|
||||
|
||||
PAM_CONFIGURE_WITH= pam
|
||||
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
|
||||
|
||||
LIBEDIT_CONFIGURE_WITH= libedit
|
||||
BSM_CONFIGURE_ON= --with-audit=bsm
|
||||
|
||||
|
||||
PORTDOCS= *
|
||||
|
||||
.include <bsd.port.pre.mk>
|
||||
|
||||
# http://www.psc.edu/index.php/hpn-ssh
|
||||
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
|
||||
HPN_VERSION= 14v2
|
||||
PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
|
||||
PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${DISTVERSION}/:hpn
|
||||
PATCHFILES+= ${PORTNAME}-${DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
|
||||
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options
|
||||
# Remove HPN if only AES requested
|
||||
. if !${PORT_OPTIONS:MHPN}
|
||||
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn
|
||||
. endif
|
||||
.endif
|
||||
|
||||
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn
|
||||
|
||||
.if ${OSVERSION} >= 900000
|
||||
CONFIGURE_LIBS+= -lutil
|
||||
.endif
|
||||
|
@ -66,14 +131,10 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
|
|||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MX509}
|
||||
. if ${PORT_OPTIONS:MHPN}
|
||||
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
|
||||
BROKEN= X509 patch and HPN patch do not apply cleanly together
|
||||
. endif
|
||||
|
||||
. if ${PORT_OPTIONS:MAES_THREADED}
|
||||
BROKEN= X509 patch and AES_THREADED patch do not apply cleanly together
|
||||
. endif
|
||||
|
||||
. if ${PORT_OPTIONS:MSCTP}
|
||||
BROKEN= X509 patch and SCTP patch do not apply cleanly together
|
||||
. endif
|
||||
|
@ -92,44 +153,30 @@ BROKEN= X509 patch incompatible with KERB_GSSAPI patch
|
|||
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
|
||||
IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
|
||||
IGNORE= Pam must be installed in base
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
|
||||
IGNORE= Required /usr/include/tcpd.h missing
|
||||
.endif
|
||||
|
||||
.if defined(OPENSSH_OVERWRITE_BASE)
|
||||
PORT_OPTIONS+= OVERWRITE_BASE
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MPAM} && exists(/usr/include/security/pam_modules.h)
|
||||
CONFIGURE_ARGS+= --with-pam
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MTCP_WRAPPERS} && exists(/usr/include/tcpd.h)
|
||||
CONFIGURE_ARGS+= --with-tcp-wrappers
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MLIBEDIT}
|
||||
CONFIGURE_ARGS+= --with-libedit
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MBSM}
|
||||
CONFIGURE_ARGS+= --with-audit=bsm
|
||||
.endif
|
||||
|
||||
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
|
||||
CONFIGURE_ARGS+= --with-kerberos5
|
||||
. if ${PORT_OPTIONS:MMIT}
|
||||
LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
|
||||
. elif ${PORT_OPTIONS:MHEIMDAL}
|
||||
LIB_DEPENDS+= krb5.26:${PORTSDIR}/security/heimdal
|
||||
. elif ${PORT_OPTIONS:MHEIMDAL_BASE}
|
||||
. if !exists(/usr/lib/libkrb5.so)
|
||||
IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
|
||||
. else
|
||||
. if ${PORT_OPTIONS:MHEIMDAL_BASE}
|
||||
. if ${PORT_OPTIONS:MKERB_GSSAPI}
|
||||
CONFIGURE_LIBS+= -lgssapi_krb5
|
||||
. endif
|
||||
. endif
|
||||
|
||||
# Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
|
||||
. if ${PORT_OPTIONS:MKERB_GSSAPI}
|
||||
PATCHFILES+= openssh-6.2p2-gsskex-all-20110125-2.patch.gz
|
||||
PATCH_DIST_STRIP=
|
||||
. endif
|
||||
CONFIGURE_ARGS+= --with-kerberos5=/usr
|
||||
. else
|
||||
CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE}
|
||||
. endif
|
||||
. if ${OPENSSLBASE} == "/usr"
|
||||
CONFIGURE_ARGS+= --without-rpath
|
||||
|
@ -145,52 +192,10 @@ IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
|
|||
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
|
||||
.endif
|
||||
|
||||
# http://www.psc.edu/index.php/hpn-ssh
|
||||
.if ${PORT_OPTIONS:MHPN}
|
||||
HPN_VERSION= 13v14
|
||||
PATCHFILES+= ${PORTNAME}-6.2p1-hpn${HPN_VERSION}.diff.gz
|
||||
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-window-size
|
||||
PATCH_DIST_STRIP=
|
||||
.endif
|
||||
|
||||
# http://www.psc.edu/index.php/hpn-ssh
|
||||
.if ${PORT_OPTIONS:MAES_THREADED}
|
||||
AES_THREADED_VERSION= v14
|
||||
PATCHFILES+= ${PORTNAME}-6.2p1-CTR-threaded-${AES_THREADED_VERSION}.diff.gz
|
||||
PATCH_DIST_STRIP=
|
||||
.endif
|
||||
|
||||
# See http://code.google.com/p/openssh-lpk/wiki/Main
|
||||
# and svn repo described here:
|
||||
# http://code.google.com/p/openssh-lpk/source/checkout
|
||||
# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1
|
||||
.if ${PORT_OPTIONS:MLPK}
|
||||
PATCHFILES+= ${PORTNAME}-lpk-6.2p1.patch.gz
|
||||
USE_OPENLDAP= yes
|
||||
CPPFLAGS+= -I${LOCALBASE}/include
|
||||
CONFIGURE_ARGS+= --with-ldap=yes \
|
||||
--with-ldflags='-L${LOCALBASE}/lib' \
|
||||
--with-cppflags='${CPPFLAGS}'
|
||||
CONFIGURE_LIBS+= -lldap
|
||||
.endif
|
||||
|
||||
# See http://www.roumenpetrov.info/openssh/
|
||||
.if ${PORT_OPTIONS:MX509}
|
||||
X509_VERSION= 7.4.1
|
||||
PATCH_SITES+= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
|
||||
PATCHFILES+= ${PORTNAME}-6.2p1+x509-${X509_VERSION}.diff.gz:x509
|
||||
PATCH_DIST_STRIP= -p1
|
||||
PLIST_SUB+= X509=""
|
||||
.else
|
||||
PLIST_SUB+= X509="@comment "
|
||||
.endif
|
||||
|
||||
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
|
||||
.if ${PORT_OPTIONS:MSCTP}
|
||||
PATCHFILES+= ${PORTNAME}-sctp-2163.patch.gz
|
||||
CONFIGURE_ARGS+= --with-sctp
|
||||
.endif
|
||||
|
||||
EMPTYDIR= /var/empty
|
||||
|
||||
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
|
||||
|
@ -201,17 +206,14 @@ NO_MTREE= yes
|
|||
ETCSSH= /etc/ssh
|
||||
USE_RCORDER= openssh
|
||||
PLIST_SUB+= NOTBASE="@comment "
|
||||
PLIST_SUB+= BASE=""
|
||||
PLIST_SUB+= BASEPREFIX="${PREFIX}"
|
||||
.else
|
||||
ETCSSH= ${PREFIX}/etc/ssh
|
||||
USE_RC_SUBR= openssh
|
||||
PLIST_SUB+= NOTBASE=""
|
||||
PLIST_SUB+= BASE="@comment "
|
||||
.endif
|
||||
|
||||
# After all
|
||||
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509
|
||||
SUB_LIST+= ETCSSH="${ETCSSH}"
|
||||
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
|
||||
.if !empty(CONFIGURE_LIBS)
|
||||
|
@ -222,7 +224,10 @@ RC_SCRIPT_NAME= openssh
|
|||
|
||||
post-patch:
|
||||
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
|
||||
@${REINPLACE_CMD} -e 's|install: \(.*\) host-key check-config|install: \1|g' ${WRKSRC}/Makefile.in
|
||||
@${REINPLACE_CMD} \
|
||||
-e 's|install: \(.*\) host-key check-config|install: \1|g' \
|
||||
-e 's|-lpthread|${PTHREAD_LIBS}|' \
|
||||
${WRKSRC}/Makefile.in
|
||||
@${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \
|
||||
${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \
|
||||
${WRKSRC}/ssh_config.5
|
||||
|
@ -252,6 +257,10 @@ pre-install:
|
|||
post-install:
|
||||
${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
|
||||
${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
|
||||
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
|
||||
${MKDIR} ${STAGEDIR}${DOCSDIR}
|
||||
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
|
||||
.endif
|
||||
|
||||
test: build
|
||||
(cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
|
||||
|
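Review bot: NONECIPHER is added to OPTIONS_DEFAULT next to HPN, so the NONE (unencrypted) cipher is compiled into both ssh and sshd by default, yet `NONECIPHER_DESC= NONE Cipher support` does not tell the user that; the build-options patch in this commit shows it stays off at runtime until NoneEnabled is set, which is the detail the description should carry. Suggest `NONECIPHER_DESC= NONE cipher support (unencrypted transport; off unless NoneEnabled is set)` so the default is an informed choice. The new `LDNS_CFLAGS= -I${LOCALBASE}/include` puts an include path in CFLAGS while the LPK block beside it uses `LPK_CPPFLAGS= -I${LOCALBASE}/include` for the same purpose; `LDNS_CPPFLAGS= -I${LOCALBASE}/include` keeps the two helpers consistent. The three-way test `${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}` now appears three times (patch-site block, X509 BROKEN check, post-install); evaluating it once after bsd.port.pre.mk into a single variable, e.g. `HPN_PATCHSET= yes`, and testing `defined(HPN_PATCHSET)` elsewhere would stop the copies drifting apart when the next sub-option is added.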
|
|
@ -1,14 +1,12 @@
|
|||
SHA256 (openssh-6.2p2.tar.gz) = 7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
|
||||
SIZE (openssh-6.2p2.tar.gz) = 1182922
|
||||
SHA256 (openssh-6.2p1-hpn13v14.diff.gz) = 586d1c74aa4c79b9c11b206eebb316c9a9d68a7a4031b5b3b2139f464f2dc03b
|
||||
SIZE (openssh-6.2p1-hpn13v14.diff.gz) = 13984
|
||||
SHA256 (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4d2fefd8a415c76d761ffe3a8fda7dfbbd62a118bc1e8799483e9bb8e575a2a9
|
||||
SIZE (openssh-6.2p1-CTR-threaded-v14.diff.gz) = 4908
|
||||
SHA256 (openssh-6.2p1+x509-7.4.1.diff.gz) = cdfa0ac38184062de7e0af36eeda7713095fbcffffb598d785047f6f47e48eae
|
||||
SIZE (openssh-6.2p1+x509-7.4.1.diff.gz) = 215496
|
||||
SHA256 (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 597634f1a9e624b928f0ae647ec2ffba641f94a3ecad1161bce8fb2512c476b8
|
||||
SIZE (openssh-6.2p2-gsskex-all-20110125-2.patch.gz) = 24205
|
||||
SHA256 (openssh-lpk-6.2p1.patch.gz) = 96c7a5435f3fd7d83875ee06c4a3c83ee6172c7d9de31b9ffdeb18118f285a24
|
||||
SIZE (openssh-lpk-6.2p1.patch.gz) = 17881
|
||||
SHA256 (openssh-sctp-2163.patch.gz) = 86ac3a59119c9c26193334d8ba7c3be9f143209080e4f8a2a00577c24c0c9e03
|
||||
SIZE (openssh-sctp-2163.patch.gz) = 6764
|
||||
SHA256 (openssh-6.3p1.tar.gz) = aea575ededd3ebd45c05d42d0a87af22c79131a847ea440c54e3fdd223f5a420
|
||||
SIZE (openssh-6.3p1.tar.gz) = 1201101
|
||||
SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
|
||||
SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
|
||||
SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
|
||||
SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
|
||||
SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
|
||||
SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
|
||||
SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
|
||||
SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
|
||||
SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
|
||||
SIZE (openssh-sctp-2329.patch.gz) = 8706
|
||||
|
|
142
security/openssh-portable/files/extra-patch-hpn-build-options
Normal file
142
security/openssh-portable/files/extra-patch-hpn-build-options
Normal file
|
@ -0,0 +1,142 @@
|
|||
--- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
|
||||
+++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
|
||||
@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef AES_THREADED
|
||||
/* if we are using aes-ctr there can be issues in either a fork or sandbox
|
||||
* so the initial aes-ctr is defined to point to the original single process
|
||||
* evp. After authentication we'll be past the fork and the sandboxed privsep
|
||||
@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
|
||||
cipher_reset_multithreaded();
|
||||
packet_request_rekeying();
|
||||
}
|
||||
+#endif
|
||||
|
||||
debug("Authentication succeeded (%s).", authctxt.method->name);
|
||||
}
|
||||
--- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500
|
||||
+++ sshd.c 2013-10-11 08:53:25.929132033 -0500
|
||||
@@ -2186,6 +2186,7 @@ main(int ac, char **av)
|
||||
|
||||
/* Start session. */
|
||||
|
||||
+#ifdef AES_THREADED
|
||||
/* if we are using aes-ctr there can be issues in either a fork or sandbox
|
||||
* so the initial aes-ctr is defined to point ot the original single process
|
||||
* evp. After authentication we'll be past the fork and the sandboxed privsep
|
||||
@@ -2201,6 +2202,7 @@ main(int ac, char **av)
|
||||
cipher_reset_multithreaded();
|
||||
packet_request_rekeying();
|
||||
}
|
||||
+#endif
|
||||
|
||||
do_authenticated(authctxt);
|
||||
|
||||
--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
|
||||
+++ readconf.c 2013-10-11 09:19:12.295135966 -0500
|
||||
@@ -251,12 +251,16 @@ static struct {
|
||||
{ "kexalgorithms", oKexAlgorithms },
|
||||
{ "ipqos", oIPQoS },
|
||||
{ "requesttty", oRequestTTY },
|
||||
+#ifdef NONECIPHER
|
||||
{ "noneenabled", oNoneEnabled },
|
||||
{ "noneswitch", oNoneSwitch },
|
||||
+#endif
|
||||
+#ifdef HPN
|
||||
{ "tcprcvbufpoll", oTcpRcvBufPoll },
|
||||
{ "tcprcvbuf", oTcpRcvBuf },
|
||||
{ "hpndisabled", oHPNDisabled },
|
||||
{ "hpnbuffersize", oHPNBufferSize },
|
||||
+#endif
|
||||
{ "ignoreunknown", oIgnoreUnknown },
|
||||
|
||||
{ NULL, oBadOption }
|
||||
@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
|
||||
options->server_alive_interval = 0;
|
||||
if (options->server_alive_count_max == -1)
|
||||
options->server_alive_count_max = 3;
|
||||
+#ifdef NONECIPHER
|
||||
if (options->none_switch == -1)
|
||||
+#endif
|
||||
options->none_switch = 0;
|
||||
+#ifdef NONECIPHER
|
||||
if (options->none_enabled == -1)
|
||||
+#endif
|
||||
options->none_enabled = 0;
|
||||
+#ifdef HPN
|
||||
if (options->hpn_disabled == -1)
|
||||
options->hpn_disabled = 0;
|
||||
+#else
|
||||
+ options->hpn_disabled = 1;
|
||||
+#endif
|
||||
if (options->hpn_buffer_size > -1)
|
||||
{
|
||||
/* if a user tries to set the size to 0 set it to 1KB */
|
||||
--- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
|
||||
+++ servconf.c 2013-10-11 09:25:50.777137928 -0500
|
||||
@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption
|
||||
options->permit_tun = SSH_TUNMODE_NO;
|
||||
if (options->zero_knowledge_password_authentication == -1)
|
||||
options->zero_knowledge_password_authentication = 0;
|
||||
+#ifdef NONECIPHER
|
||||
if (options->none_enabled == -1)
|
||||
+#endif
|
||||
options->none_enabled = 0;
|
||||
+#ifdef HPN
|
||||
if (options->hpn_disabled == -1)
|
||||
options->hpn_disabled = 0;
|
||||
+#else
|
||||
+ options->hpn_disabled = 1;
|
||||
+#endif
|
||||
|
||||
if (options->hpn_buffer_size == -1) {
|
||||
/* option not explicitly set. Now we have to figure out */
|
||||
--- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500
|
||||
+++ configure.ac 2013-10-12 17:18:35.610130039 -0500
|
||||
@@ -3968,6 +3968,34 @@
|
||||
]
|
||||
) # maildir
|
||||
|
||||
+#check whether user wants HPN support
|
||||
+HPN_MSG="no"
|
||||
+AC_ARG_WITH(hpn,
|
||||
+ [ --with-hpn Enable HPN support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE(HPN,1,[Define if you want HPN support.])
|
||||
+ HPN_MSG="yes"
|
||||
+ fi ]
|
||||
+)
|
||||
+#check whether user wants NONECIPHER support
|
||||
+NONECIPHER_MSG="no"
|
||||
+AC_ARG_WITH(nonecipher,
|
||||
+ [ --with-nonecipher Enable NONECIPHER support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
|
||||
+ NONECIPHER_MSG="yes"
|
||||
+ fi ]
|
||||
+)
|
||||
+#check whether user wants AES_THREADED support
|
||||
+AES_THREADED_MSG="no"
|
||||
+AC_ARG_WITH(aes-threaded,
|
||||
+ [ --with-aes-threaded Enable AES_THREADED support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
|
||||
+ AES_THREADED_MSG="yes"
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
|
||||
AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
|
||||
disable_ptmx_check=yes
|
||||
@@ -4636,6 +4664,9 @@
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
+echo " HPN support: $HPN_MSG"
|
||||
+echo " NONECIPHER support: $NONECIPHER_MSG"
|
||||
+echo " AES_THREADED support: $AES_THREADED_MSG"
|
||||
|
||||
echo ""
|
||||
|
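Review bot: In the readconf.c and servconf.c hunks each `#ifdef NONECIPHER` wraps only the `if (options->none_switch == -1)` / `if (options->none_enabled == -1)` line and leaves the `= 0` assignment unconditional, so the shape reads like a misplaced `#endif` even though forcing the value off is the intent; a comment above each pair, `/* without NONECIPHER the none cipher is always forced off, whatever the config says */`, would save the next reader a double-take. This patch removes the config keywords and their defaults, but nothing in it touches the cipher table that the HPN patch presumably extends, so whether `none` can still be selected through Ciphers when NONECIPHER is undefined is not visible from this diff and is worth confirming before the option is relied on as a hardening knob. In the configure.ac hunk the three help strings are hand-padded; `AS_HELP_STRING([--with-hpn], [Enable HPN support])` (and likewise for nonecipher and aes-threaded) gives the same alignment as the rest of the file. The enclosing functions fill_default_options and fill_default_server_options both start and end outside their hunks.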
32
security/openssh-portable/files/extra-patch-hpn-no-hpn
Normal file
32
security/openssh-portable/files/extra-patch-hpn-no-hpn
Normal file
|
@ -0,0 +1,32 @@
|
|||
--- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
|
||||
+++ sshd_config 2013-10-12 06:40:06.646129924 -0500
|
||||
@@ -125,20 +125,6 @@
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
-# the following are HPN related configuration options
|
||||
-# tcp receive buffer polling. disable in non autotuning kernels
|
||||
-#TcpRcvBufPoll yes
|
||||
-
|
||||
-# disable hpn performance boosts
|
||||
-#HPNDisabled no
|
||||
-
|
||||
-# buffer size for hpn to non-hpn connections
|
||||
-#HPNBufferSize 2048
|
||||
-
|
||||
-
|
||||
-# allow the use of the none cipher
|
||||
-#NoneEnabled no
|
||||
-
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
--- version.h.orig 2013-10-12 06:42:19.578133368 -0500
|
||||
+++ version.h 2013-10-12 06:42:28.581136160 -0500
|
||||
@@ -3,5 +3,4 @@
|
||||
#define SSH_VERSION "OpenSSH_6.3"
|
||||
|
||||
#define SSH_PORTABLE "p1"
|
||||
-#define SSH_HPN "-hpn14v2"
|
||||
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
|
||||
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
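Review bot: The sshd_config hunk removes the `# allow the use of the none cipher` / `#NoneEnabled no` lines together with the HPN-only options, but the Makefile applies this patch whenever HPN is off (`. if !${PORT_OPTIONS:MHPN}`), which includes the HPN=off, NONECIPHER=on combination where NoneEnabled is still a valid keyword; keep those two lines in sshd_config, or move them into a separate patch gated on NONECIPHER. If kept, the `#NoneEnabled no` example matches the `options->none_enabled = 0` default installed by the build-options patch, so the shipped config stays accurate for that combination. The version.h hunk dropping SSH_HPN from SSH_RELEASE is consistent with this patch only being applied when HPN is not selected.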
51
security/openssh-portable/files/extra-patch-ldns
Normal file
51
security/openssh-portable/files/extra-patch-ldns
Normal file
|
@ -0,0 +1,51 @@
|
|||
r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
|
||||
Changed paths:
|
||||
M /head/crypto/openssh/readconf.c
|
||||
M /head/crypto/openssh/ssh_config
|
||||
M /head/crypto/openssh/ssh_config.5
|
||||
|
||||
Change the default value of VerifyHostKeyDNS to "yes" if compiled with
|
||||
LDNS. With that setting, OpenSSH will silently accept host keys that
|
||||
match verified SSHFP records. If an SSHFP record exists but could not
|
||||
be verified, OpenSSH will print a message and prompt the user as usual.
|
||||
|
||||
--- readconf.c 2013-10-03 08:15:03.496131082 -0500
|
||||
+++ readconf.c 2013-10-03 08:15:22.716134315 -0500
|
||||
@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
|
||||
options->rekey_limit = 0;
|
||||
if (options->rekey_interval == -1)
|
||||
options->rekey_interval = 0;
|
||||
+#if HAVE_LDNS
|
||||
+ if (options->verify_host_key_dns == -1)
|
||||
+ /* automatically trust a verified SSHFP record */
|
||||
+ options->verify_host_key_dns = 1;
|
||||
+#else
|
||||
if (options->verify_host_key_dns == -1)
|
||||
options->verify_host_key_dns = 0;
|
||||
+#endif
|
||||
if (options->server_alive_interval == -1)
|
||||
options->server_alive_interval = 0;
|
||||
if (options->server_alive_count_max == -1)
|
||||
--- ssh_config 2013-10-03 08:15:03.537131330 -0500
|
||||
+++ ssh_config 2013-10-03 08:15:22.755131175 -0500
|
||||
@@ -44,5 +44,6 @@
|
||||
# TunnelDevice any:any
|
||||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
+# VerifyHostKeyDNS yes
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
--- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
|
||||
+++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
|
||||
@@ -1246,7 +1246,10 @@ The argument must be
|
||||
or
|
||||
.Dq ask .
|
||||
The default is
|
||||
-.Dq no .
|
||||
+.Dq yes
|
||||
+if compiled with LDNS and
|
||||
+.Dq no
|
||||
+otherwise.
|
||||
Note that this option applies to protocol version 2 only.
|
||||
.Pp
|
||||
See also VERIFYING HOST KEYS in
|
|
@ -41,8 +41,8 @@
|
|||
+ LOGIN_SETENV|LOGIN_SETPATH);
|
||||
+ copy_environment(environ, &env, &envsize);
|
||||
+ for (var = environ; *var != NULL; ++var)
|
||||
+ xfree(*var);
|
||||
+ xfree(environ);
|
||||
+ free(*var);
|
||||
+ free(environ);
|
||||
+ environ = senv;
|
||||
#else /* HAVE_LOGIN_CAP */
|
||||
# ifndef HAVE_CYGWIN
|
||||
|
|
|
@ -90,13 +90,3 @@ disconnected.
|
|||
default:
|
||||
usage();
|
||||
}
|
||||
@@ -1348,8 +1376,7 @@
|
||||
if (ac > 0)
|
||||
parent_alive_interval = 10;
|
||||
idtab_init();
|
||||
- if (!d_flag)
|
||||
- signal(SIGINT, SIG_IGN);
|
||||
+ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
|
||||
signal(SIGPIPE, SIG_IGN);
|
||||
signal(SIGHUP, cleanup_handler);
|
||||
signal(SIGTERM, cleanup_handler);
|
||||
|
|
|
@ -10,6 +10,6 @@ the base system. Please be aware of this when upgrading your
|
|||
OpenSSH port, and if truly necessary, re-enable remote root login
|
||||
by readjusting this option in your sshd_config.
|
||||
|
||||
Users are encouraged to create single-purpose users with ssh keys
|
||||
and very narrowly defined sudo privileges instead of using root
|
||||
for automated tasks.
|
||||
Users are encouraged to create single-purpose users with ssh keys, disable
|
||||
Password auth with 'PasswordAuthentication no' and define very narrow sudo
|
||||
privileges instead of using root for automated tasks.
|
||||
|
|
|
@ -12,14 +12,15 @@ bin/ssh-keyscan
|
|||
%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
|
||||
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
|
||||
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
|
||||
%%BASE%%@cwd /
|
||||
%%OVERWRITE_BASE%%@cwd /
|
||||
etc/ssh/ssh_config-dist
|
||||
etc/ssh/sshd_config-dist
|
||||
%%BASE%%@cwd %%BASEPREFIX%%
|
||||
%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
|
||||
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
|
||||
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
|
||||
%%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
|
||||
%%NOTBASE%%@dirrmtry etc/ssh
|
||||
@exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
|
||||
sbin/sshd
|
||||
libexec/sftp-server
|
||||
libexec/ssh-keysign
|
||||
|
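Review bot: The `grep -q DSA %D/etc/ssh_host_ecdsa_key` test in the new @exec line matches the PEM header of a DSA key, but it also matches any valid EC key whose base64 body happens to contain the substring DSA, which would print a false warning telling the administrator to delete a good host key; anchoring the check to the header, `grep -q 'BEGIN DSA PRIVATE KEY' %D/etc/ssh_host_ecdsa_key`, avoids that. The path %D/etc/ssh_host_ecdsa_key is outside the etc/ssh directory used everywhere else in this plist; presumably that is where the pre-r299902 rc script wrote the key, but confirm it holds for both the base and non-base layouts, otherwise the check never fires in one of them. Since this runs only at install time, a one-line comment in the plist (or the pkg-message) noting that the check is a one-shot would help anyone who upgrades later and wonders why no warning appeared.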
|