ssh_encode_{array_alloc,buffer}() calls as appropriate in order to
fix argument size problems on 64-bit platforms and that manifest
themselves on amd64 and ia64. [1]
- Allow the tcsetattr(3) calls in ssh_rl_{restore,set}_tty_modes_for_fd()
to be interrupted by signal. This fixes occasional problems when
connecting to a host for the first time.
- Use the base zlib instead of the one shipping with SSH; although the
latter has an enhancement allowing a minor SSH-specific optimization,
using the base one has the benefit of not needing to track security
vulnerabilities of zlib in this port (SSH 3.2.9.1 ships with zlib
1.1.4 which is not know to be vulnerable though).
- Try to make the description of the WITHOUT_X11 option of the port
Makefile to be more sentence-like.
PR: 98016 [1]
Approved by: netchild
Obtained from: NetBSD [1]
- Move the generation of the host key (if not present) from the package/
port installation to the startup script in order to be in line with
what the base OpenSSH and the OpenSSH-portable port do.
- Flush stdout when updating the transfer progress bar of sftp2 and scp2
so the info displayed is up to date. [1]
- Remove obsolete USE_REINPLACE, remove trailing white space in Makefile.
PR: 91262 [1]
Approved by: netchild
and make XFREE86_VERSION map to it. XFREE86_VERSION is now deprecated.
- Make xorg the default X_WINDOW_SYSTEM on -current.
- Add several new X_*_PORT variables which point to various pieces of X11 based
on the setting of X_WINDOW_SYSTEM, and make ports use them.
- Add information to CHANGES about how to handle the transition.
PR: ports/68763
Approved by: portmgr (marcus)
Approved by: re (scottl)
- Make configure explicitly look in X11BASE/bin for xauth(1) in order to
also catch non-standard locations.
Submitted by: maintainer (marius)
Approved by: portmgr (marcus)
- Remove the autodetection for X11 support and the WITH_X11 knob, instead
always build with X11 support and add a WITHOUT_X11 knob. Together with
an additional ssh2-nox11 slave port this allows easier handling of these
two variants and to have pre-compiled packages for both (ssh2 with X11
support depends on X11 libraries).
Submitted by: maintainer (marius)
Improve Kerberos support in ssh2:
- Change the WITH_KERBEROS knob into a WITHOUT_KERBEROS knob so kerberized
ssh2 automatically is built when MIT Kerberos is installed, unless the
WITHOUT_KERBEROS knob is defined.
- Check for a library unique to MIT Kerberos to make sure it's not Heimdal
that KRB5_HOME accidentally points to.
- Add dependency on security/krb5 when built with Kerberos support.
- When compiled with Kerberos support also turn it on by default in client
and server config files and set "PermitRootLogin" to "nopwd" to only allow
those with root tickets declared in ~root/.k5login" to login as root. [1]
Ssh2 now should work out of the box in an environment using MIT Kerberos.
Submitted by: Peter Losher <Peter_Losher@isc.org> [1] (kerberos-patch-*)
Tested by: Peter Losher <Peter_Losher@isc.org>
---snip---
Submitted by: maintainer
Strange commit log formatting to prevent
ambiguous "Submitted by" lines by: committer
sshd2 unless it detects an entry for ssh in /etc/inetd.conf. As there
are three ways to automatically start sshd2 and /etc/rc.conf is the
simplest one (at least on FreeBSD 4, with rcNG once /etc/rc.d/sshd is
fixed to not be tailored to the base sshd) this version of the port
is the last one to do so. Beginning with next version it will only
install a sample start-up script. To prevent foot shooting when
updating to the next version this port won't remove an existing
start-up scripting on deinstall. Please see also the pkg-message that
gets displayed on installation.
- Update to 3.2.9.1. This is _not_ a security update. For the non-commercial
version the only change worth mentioning since 3.2.5 is the addition of the
config option "DisableVersionFallback", see sshd2_config(5) for further
details.
- Use sites from the official list of mirrors for MASTER_SITES.
- Adjust COMMENT to justify why this port is security/ssh2, not security/ssh3.
- Revise list of installed documentation. No longer install MANIFEST (list of
source files) and INSTALL, install RFCs referenced in sshd2_config(5) and
HOWTO.anonymous.sftp (patched to better fit FreeBSD).
- Remove WITH_STATIC_SFTP knob. Using the internal sftp-server instead of the
external (static) one is much simpler to set up and maintain (using the
external one requires to install a copy of it in the home directory of the
anonymous sftp user which has to be manually updated when installing a newer
version of the port).
- Remove WITHOUT_TCPWRAP knob, libwarp is part of FreeBSD since 3.2.
- Install examples scripts for the ExternalAuthorizationProgram and
AuthKbdInt.Plugin config options in EXAMPLESDIR. See sshd2_config(5) for
further information.
- Replace references to /etc/ssh2/* in config files with PREFIX/etc/ssh2/*.
- Add a pkg-message displaying the different methods to automatically start
sshd2.
- Switch to the start-up script for Solaris which is part of the tarball, it
handles the name of the pidfile better.
- Fix detection of X11 headers, this enables compilation with support for X11
SECURITY extension. See TrustX11Applications in ssh2_config(5) for further
information.
- Add a test target to the Makefile of the port, the tests seem a bit outdated
and buggy but it's enough to e.g. do a bit of speed comparison when building
with different compilers.
- Minor changes and clean-up (sort pkg-plist, don't add /usr/local/lib to
the library search path when compiling, etc.).
Revive some local modifications lost with the update to 3.1.0:
- Use login_cap(3)/login_class(3) facilities to set environment variables,
prority and shell, get motd, copyright, hushlogin and nologin, respect
ignorenologin and requirehome. This changes are roughly based on former
patch-ah and patch-ai and patches of security/openssh.
- Don't print "No mail.", it's not FreeBSD login style.
Submitted by: maintainer
* Fixed a critical security bug with RSA signature
verification. Mitigating factors: DSA is used by default (not
vulnerable). Also, the attack requires that attacker has the
public key and the attacker needs to precompute the signature
data so, that it looks like a valid PKCS#1 signature. This is a
non-trivial task to perform without the private
key. Nonetheless, all users should update their servers and
clients as soon as convenient. Workarounds are to not use RSA
keys as host keys (though connecting to existing hosts with RSA
hostkeys poses a serious risk with a vulnerable client), and
disabling publickey authentication. Update your clients and
servers.
Update MASTER_SITES, remove sites that are down or no langer carry ssh2
and add some new.
- Turn Kerberos and group writeability support into knobs so one hasn't to
edit the Makefile.
- Remove dependency on security/tcp_wrapper for tcp-wrapper support on
systems < FreeBSD 4.0, that port is no longer persistent.
- Fix pkg-plist for WITH_STATIC_SFTP case.
- Replace referneces to /etc/ssh2/* in man pages with references to
PREFIX/etc/ssh2/* in order to better fit for FreeBSD.
- Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc.
- Remove duplicated mechanism for generating the host key if an old one isn't
found in the post-install target in the Makefile of the port, this is
already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile.
- Fix differences between the install action done when installing the
package versus installing the port. I.e. make the package create the host
key with what ever bits ssh-keygen2 defaults to (currently 2048) instead
of 1024 bits, copy over the configuration files for ssh2 and sshd2 from
the examples if not already existent and create the directories for the
global host keys and known hosts files.
- Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2,
i.e. configuration files that don't differ from the corresponding examples
and empty directories. Inform the user to remove what's left over if any.
- Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets
set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of
"/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH
and seems more usefull. One might want to patch ssh2 to also use login_cap(3)
so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf.
- Change MAINTAINER.
- Replace "share/doc/ssh2" with %%DATADIR%% in pkg-plist.
Submitted by: Marius Strobl <marius@alchemy.franken.de>
Approved by: maintainer
2.) If libX11.a exists and xauth not, the build of ssh2 fails. This
patch fix this.
3.) ssh2/files/sshd.sh looks for the wrong pid file in /var/run.
This patch fix this and adds 2> /dev/null to the sshd2 startup
PR: 46012
Submitted by: maintainer
Note: The PR includes diffs to cope with WITHOUT_X11 env,
but this was already committed by knu-san.
So I just added CONFIGURE_ARGS line, please verify it.
PR: ports/35385
Submitted by: maintainer
stopping the server.
Martti's submission did not include -h, which I added because if I had
added the scripts the way he submitted them, the server wouldn't be
started on startup.
PR: 10196
Submitted by: Martti Kuparinen <martti.kuparinen@ericsson.com>
Reviewed by: kris (partially)
No response: maintainers (PR opened February 22, 1999)
