Several patches do not currently apply. Use security/openssh-portable66 for:
HPN, NONECIPHER, KERB_GSSAPI, X509.
- Add a TCP_WRAPPER patch to re-enable support after it was removed upstream.
Alias is a new USES tool that allows DragonFly to masquerade as FreeBSD
by setting CFLAGS+= -D__FreeBSD__. For some ports, this fixes the build
without the need for additional patches.
Approved by: portmgr (bapt, blanket)
These will be removed on January 1 2015.
Really ports should not be touching the base system at all.
This option is a big foot-shoot problem:
1. Recent versions of FreeBSD such as 9.3, 10.0, 10.1+ now remove all ssh
files from /usr if you 'make delete-old' with WITHOUT_SSH. This results in
removing the overwritten base files.
2. Uninstalling the package leaves the system with no ssh.
3. Running installworld without WITHOUT_SSH results in overwriting the
package, or giving false-positive 'pkg check -s' errors.
4. The port fails to pass QA checks because it removes system files.
- Switch to using @sample keyword, fixing orphans.
Upstream note on "6.6.1" [1]:
OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
key exchange incorrectly, causing connection failures about 0.2% of
the time when this method is used against a peer that implements
the method properly.
Fix the problem and disable the curve25519 KEX when speaking to
OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
to enable the compatibility code.
[1] https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
ChangeLog: http://www.openssh.org/txt/release-6.5
- Update X509 patch to 7.8
- Update LIB_DEPENDS to new format
- Revert r328706 and re-enable privilege separation sandboxing by default
as the issue causing crashes has been fixed upstream
- capsicum(4) is now enabled upstream. A local patch is added to fix an issue
with it [1]
- KERB_GSSAPI is marked BROKEN. It does not build.
This patch lacks an upstream and I have no way to test it. It needs
a non-trivial amount of refactoring for 6.5 as the key handling API
has changed quite a bit.
Submitted by: pjd@ [1]
Changelog: http://www.openssh.org/txt/release-6.3
- Use options helpers where possible
- Use upstream patch mirror for x509 and HPN
- Update HPN patch to v14 and use upstream version
- Add option NONECIPHER to allow disabling NONE in HPN patch
- Update x509 patch from 7.4.1 to 7.6
- Add support for LDNS and enable it and VerifyHostKeyDNS/SSHFP by default.
See http://lists.freebsd.org/pipermail/freebsd-security/2013-September/007180.html
which describes this change, but is supported on releases before 10 as well
with LDNS option.
- Update SCTP to patchlevel 2329
- Update recommendation on secure usage of SSH
- Add pkg-message warning about ECDSA key possibly being incorrect due to
previously being written as DSA by the rc script and fixed in r299902 in
2012
This was due to a mistake in r319062 when porting the patch from 5.8 to 6.2
There is no active upstream for this patch. For reference here are the
changes made in the patch:
--- - 2013-10-03 11:07:21.262913573 -0500
+++ /tmp/zdiff.XXXXXXXXXX.STScEeSI 2013-10-03 11:07:21.000000000 -0500
@@ -183,7 +183,7 @@
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
-+#ifdef USE_CCAPI
++#ifndef USE_CCAPI
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
oerrno = errno;
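Review bot: the `-+`/`++` prefixes show this is a diff of the KERB_GSSAPI patch itself, and the only change is flipping `#ifdef USE_CCAPI` to `#ifndef USE_CCAPI` around the `umask(0177)` / `mkstemp(ccname + strlen("FILE:"))` block. With the old `#ifdef`, the FILE: credential cache was created with mkstemp only when CCAPI was in use, which is inverted from the "FILE:" prefix that the `mkstemp` call assumes; the `#ifndef` form makes the condition match the code it guards. The hunk ends before the matching `#else`/`#endif`, so confirm that the other branch of the conditional still pairs correctly after the flip, and that the `umask(0177)` is restored on every exit path from this block, since it is what keeps the new ccache file from being world-readable.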
PR: ports/180419
Reported by: Garrett Wollman <wollman@khavrinen.csail.mit.edu>
privilege separation as it causes crashes when using AES crypto devices.
This now uses 'yes' for UsePrivilegeSeparation instead of 'sandbox' by
default
Reminded by: Garrett Wollman
I did very minor porting of the upstream patch to make
it apply.
Note that this currently does not build with base heimdal, but
does build with port MIT or port HEIMDAL.
- Bump PORTREVISION in case someone built the update, expecting
this option to work and now have a broken ssh.
PR: ports/178885
Reported by: Garrett Wollman <wollman@csail.mit.edu>
This was due to not including the canohost.h header for our
base customization to respect class login restrictions. I had
missed this as I had only tested with the default (HPN enabled)
which already was including this header.
Reported by: runelind in ##freenode
Tested by: runelind, myself
Reported by: Krzysztof Stryjek
- The LPK patch has been updated but is obsolete, deprecated and
untested. It has been replaced by AuthorizedKeysCommand
- The upstream HPN's last update was for 6.1 and is mostly
abandoned. The patch has had bugs since 5.9. I have reworked
it and split it into HPN and AES_THREADED options. The
debugging/logging part of the patch is incomplete. I may
change the patch to more closely match our base version
eventually.
- The KERB_GSSAPI option has been removed as the patch has not
been updated by upstream since 5.7
- sshd VersionAddendum is currently not working as intended;
it will be fixed later to allow removing the port/pkg version.
- Update our patchset to match latest base version
- Bring in ssh-agent -x support from base
- I incrementally updated the port from 5.8 up to 6.2p2 along
with patches. You can find all of the versions at
https://github.com/bdrewery/openssh
Changes:
http://www.openssh.com/txt/release-5.9
http://www.openssh.org/txt/release-6.0
http://www.openssh.org/txt/release-6.1
http://www.openssh.org/txt/release-6.2
http://www.openssh.org/txt/release-6.2p2
* /var/empty has been in hier(7) since 4.x
* User sshd has been in base since 4.x
* Simplify a patch for realhostname_sa(3) usage
- Remove SUID_SSH - It was removed from ssh in 2002
- Fix 'make test'
- Add some hints into the patches on where they came from
- Mirror all patches
- Move LPK patch out of files/
- Remove the need for 2 patches
* Removal of 'host-key check-config' in install phase
* Adding -lutil
- Add SCTP support [1]
- Remove FILECONTROL as it has not been supported since the 5.8
update
- Replace tab with space in pkg-descr
- Remove default WRKSRC
- Add 'configtest' command to rc script
- Mark X509 broken with other patches due to PATCH_DIST_STRIP=-p1
PR: ports/174570 [1]
Submitted by: oleg <proler@gmail.com> [1]
Obtained from: https://bugzilla.mindrot.org/show_bug.cgi?id=2016 (upstream) [1]
Feature safe: yes