Stop forcing the port version string into the server banner.

The port now uses VersionAddendum in the sshd_config to allow overriding this value. Using "none" allows disabling the default of the port version string. The default is kept to show the port version string to remain close to the base version. Support for the client VersionAddendum may be added soon as well to better match base and not give surprises when switching from base to the port. PR: 193127 Requested by: many, including myself when this was broken years ago.
svn path=/head/; revision=381981
2024-11-23 00:43:28 +00:00 · 2015-03-23 04:23:08 +00:00 · 2015-03-23 04:23:08 +00:00 · 258fa75735 · 2021-03-31 03:12:20 +00:00
commit 258fa75735
parent b9673a0c84
4 changed files with 61 additions and 28 deletions
--- a/8
+++ b/8
@ -5,6 +5,14 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.

+20150322:
+  AFFECTS: Users of security/openssh-portable
+  AUTHOR: bdrewery@FreeBSD.org
+
+  The port now uses VersionAddendum for the port version string. Setting
+  the value to "none" in your sshd_config and restarting openssh will allow
+  removing the version from the banner.
+
 20150321:
  AFFECTS: Users of x11-servers/xorg-server and other X servers
  AUTHOR: bapt@FreeBSD.org
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	openssh
 DISTVERSION=	6.7p1
-PORTREVISION=	2
+PORTREVISION=	3
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	${MASTER_SITE_OPENBSD}
@ -200,6 +200,8 @@ CONFIGURE_ARGS+=	--with-libs='${CONFIGURE_LIBS}'
 .endif

 RC_SCRIPT_NAME=		openssh
+VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
+VERSION_ADDENDUM_SERVCONF_GREP=	"		options->version_addendum = xstrdup"

 post-patch:
 	@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
@ -212,18 +214,21 @@ post-patch:
 			${WRKSRC}/ssh_config.5
 	@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
 		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
-	@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
-		-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
-	@${ECHO_CMD} '#define FREEBSD_PORT_VERSION	" FreeBSD-${PKGNAME}"' >> \
+# Making this a patch conflicts with the X509 option. Use grep to force failure.
+	@${ECHO_CMD} "===> Applying VersionAddendum patch to servconf.c" && \
+	    ${GREP} -q ${VERSION_ADDENDUM_SERVCONF_GREP} \
+	    ${WRKSRC}/servconf.c && \
+	    ${REINPLACE_CMD} \
+	    -e 's|\(		${VERSION_ADDENDUM_SERVCONF_GREP}\).*);|\1(SSH_VERSION_FREEBSD_PORT);|' \
+	    ${WRKSRC}/servconf.c
+	@${REINPLACE_CMD} \
+	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
+	    ${WRKSRC}/sshd_config
+	@${REINPLACE_CMD} \
+	    -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
+	    ${WRKSRC}/sshd_config.5
+	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
-	@${ECHO_CMD} '#define SSH_VERSION	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
-		${WRKSRC}/version.h
-	@${ECHO_CMD} '#define SSH_RELEASE	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
-		${WRKSRC}/version.h
-.if ${PORT_OPTIONS:MHPN}
-	@${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \
-		${WRKSRC}/version.h
-.endif

 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@ -1,6 +1,14 @@
--- servconf.c.orig	2013-05-12 21:26:30.642630751 -0500
-+++ servconf.c	2013-05-12 21:52:43.069625377 -0500
-@@ -162,7 +162,7 @@
+--- servconf.c.orig	2015-03-22 22:16:53.563005000 -0500
+++ servconf.c	2015-03-22 22:19:39.207917000 -0500
+@@ -54,6 +54,7 @@
+ #include "packet.h"
+ #include "hostfile.h"
+ #include "auth.h"
+#include "version.h"
+ 
+ static void add_listen_addr(ServerOptions *, char *, int);
+ static void add_one_listen_addr(ServerOptions *, char *, int);
+@@ -173,7 +174,7 @@ fill_default_server_options(ServerOption
 
 	/* Portable-specific options */
 	if (options->use_pam == -1)
@ -9,7 +17,7 @@
 
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -197,7 +197,7 @@
+@@ -210,7 +211,7 @@ fill_default_server_options(ServerOption
 	if (options->key_regeneration_time == -1)
 		options->key_regeneration_time = 3600;
 	if (options->permit_root_login == PERMIT_NOT_SET)
@ -18,7 +26,7 @@
 	if (options->ignore_rhosts == -1)
 		options->ignore_rhosts = 1;
 	if (options->ignore_user_known_hosts == -1)
-@@ -207,7 +207,7 @@
+@@ -220,7 +221,7 @@ fill_default_server_options(ServerOption
 	if (options->print_lastlog == -1)
 		options->print_lastlog = 1;
 	if (options->x11_forwarding == -1)
@ -27,7 +35,7 @@
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
 	if (options->x11_use_localhost == -1)
-@@ -245,7 +245,11 @@
+@@ -262,7 +263,11 @@ fill_default_server_options(ServerOption
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->password_authentication == -1)
@ -39,8 +47,8 @@
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 0;
 	if (options->challenge_response_authentication == -1)
-@@ -335,7 +339,7 @@
- 		options->version_addendum = xstrdup("");
+@@ -368,7 +373,7 @@ fill_default_server_options(ServerOption
+ 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 -		use_privsep = PRIVSEP_NOSANDBOX;
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@ -1,6 +1,6 @@
 --- sshd_config.5.orig	2014-10-02 18:24:57.000000000 -0500
-+++ sshd_config.5	2014-11-03 16:49:35.943778119 -0600
-@@ -304,7 +304,9 @@
+++ sshd_config.5	2015-03-22 21:57:45.538655000 -0500
+@@ -304,7 +304,9 @@ By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
 PAM or through authentication styles supported in
@ -11,7 +11,7 @@
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
-@@ -615,7 +617,7 @@
+@@ -615,7 +617,7 @@ or
 .Pp
 .Pa /etc/hosts.equiv
 and
@ -20,7 +20,7 @@
 are still used.
 The default is
 .Dq yes .
-@@ -977,7 +979,22 @@
+@@ -977,7 +979,22 @@ are refused if the number of unauthentic
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
@ -43,7 +43,7 @@
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
-@@ -1023,7 +1040,14 @@
+@@ -1023,7 +1040,14 @@ The argument must be
 or
 .Dq no .
 The default is
@ -59,7 +59,7 @@
 .Pp
 If this option is set to
 .Dq without-password ,
-@@ -1178,7 +1202,9 @@
+@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as 
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
@ -70,7 +70,7 @@
 with successful RSA host authentication is allowed.
 The default is
 .Dq no .
-@@ -1343,7 +1369,7 @@
+@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run
 .Xr sshd 8
 as a non-root user.
 The default is
@ -79,7 +79,19 @@
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8
-@@ -1379,7 +1405,7 @@
+@@ -1365,7 +1391,10 @@ restrictions.
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+ The default is
+-.Dq none .
+.Dq %%SSH_VERSION_FREEBSD_PORT%% .
+The value
+.Dq none
+may be used to disable this.
+ .It Cm X11DisplayOffset
+ Specifies the first display number available for
+ .Xr sshd 8 Ns 's
+@@ -1379,7 +1408,7 @@ The argument must be
 or
 .Dq no .
 The default is