
Remove the hpn-ssh port. The functionality is now an option when building the openssh-portable port.
This commit is contained in:
Brooks Davis 2006-03-15 06:30:35 +00:00
parent 2b28001487
commit 57fc0bd011
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=157131
20 changed files with 1 additions and 925 deletions

MOVED

@ -2209,3 +2209,4 @@ graphics/libgrass5||2006-02-22|Remove expired port
devel/libtool13||2006-02-23|Remove defunct libtool
japanese/squirrelmail|mail/squirrelmail|2006-03-05|Integrated to mail/squirrelmail
japanese/vje30-trial||2006-03-07|no longer distributed
security/hpn-ssh|security/openssh-portable|2006-03-15|Now an option in security/openssh-portable


@ -1,162 +0,0 @@
# New ports collection makefile for: openssh
# Date created: 18 Mar 1999
# Whom: dwcjr@inethouston.net
#
# $FreeBSD$
#
PORTNAME= hpn-ssh
PORTVERSION= 3.9.0.1.${HPNVERSION}
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \
ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/
PKGNAMESUFFIX?= ${GSSAPI_SUFFIX}${BASE_SUFFIX}
DISTNAME= openssh-${OPENSSHVERSION}
PATCHFILES+= openssh-${OPENSSHVERSION}-hpn${HPNVERSION}.diff
.if defined(WITH_NONE_CIPHER)
PATCHFILES+= openssh-${OPENSSHVERSION}-hpn${HPNVERSION}-none.diff
.endif
PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/
PATCH_DIST_STRIP=-p1
MAINTAINER= brooks@FreeBSD.org
COMMENT= High Performance Enabled SSH/SCP
BROKEN= Checksum mismatch
HPNVERSION= 11
OPENSSHVERSION= 3.9p1
WRKSRC= ${WRKDIR}/openssh-${OPENSSHVERSION}
MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
MLINKS= ssh.1 slogin.1
MAN5= ssh_config.5 sshd_config.5
MAN8= sftp-server.8 sshd.8 ssh-keysign.8
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
USE_OPENSSL= yes
CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto
GNU_CONFIGURE= yes
USE_REINPLACE= yes
USE_PERL5_BUILD= yes
CONFIGURE_ARGS+= --prefix=${PREFIX} --with-md5-passwords
PRECIOUS= ssh_config sshd_config \
ssh_host_key ssh_host_key.pub \
ssh_host_rsa_key ssh_host_rsa_key.pub \
ssh_host_dsa_key ssh_host_dsa_key.pub
ETCOLD= ${PREFIX}/etc
.if exists(/usr/include/security/pam_modules.h)
CONFIGURE_ARGS+= --with-pam
.endif
.if exists(/usr/include/tcpd.h)
CONFIGURE_ARGS+= --with-tcp-wrappers
.endif
.if !defined(ENABLE_SUID_SSH)
CONFIGURE_ARGS+= --disable-suid-ssh
.endif
CONFLICTS+= openssh-*
.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
GSSAPI_SUFFIX= -gssapi
CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME}
.else
.if !defined(WITHOUT_KERBEROS) && exists(/usr/include/krb5.h)
CONFIGURE_ARGS+= --with-kerberos5
EXTRA_PATCHES+= ${FILESDIR}/gss-serv.c.patch
.endif
.endif
.if defined(BATCH)
EXTRA_PATCHES+= ${FILESDIR}/batch.patch
.endif
.if defined(WITH_OPENSSH_CHROOT)
CFLAGS+= -DCHROOT
.endif
.if defined(OPENSSH_OVERWRITE_BASE)
WITH_OPENSSL_BASE= yes
BASE_SUFFIX= -overwrite-base
PREFIX= /usr
MANPREFIX= ${PREFIX}/share
CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man --localstatedir=/var
EMPTYDIR= /var/empty
ETCSSH= /etc/ssh
PLIST_SUB+= NOTBASE="@comment "
PLIST_SUB+= BASE=""
PKGMESSAGE= pkg-message.empty
.else
.if exists(/var/empty)
EMPTYDIR= /var/empty
.else
EMPTYDIR= ${PREFIX}/empty
.endif
ETCSSH= ${PREFIX}/etc/ssh
PLIST_SUB+= NOTBASE=""
PLIST_SUB+= BASE="@comment "
.endif
PLIST_SUB+= EMPTYDIR=${EMPTYDIR}
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH}
CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR}
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
post-configure:
${SED} -e 's:__PREFIX__:${PREFIX}:g' \
${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh
pre-install:
.if defined(OPENSSH_OVERWRITE_BASE)
-${MKDIR} ${EMPTYDIR}
.else
-${MKDIR} ${PREFIX}/empty
.endif
if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi
if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \
-h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi
-@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH}
.for i in ${PRECIOUS}
-@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \
${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." && \
${LN} ${ETCOLD}/${i} ${ETCSSH}/${i}
.endfor
post-install:
.if !defined(OPENSSH_OVERWRITE_BASE)
${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample
.endif
${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist
${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist
.if !defined(OPENSSH_OVERWRITE_BASE)
@${CAT} ${PKGMESSAGE}
.endif
test:
(cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \
TEST_SHELL=/bin/sh \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} )
.include <bsd.port.pre.mk>
SUDO?=
MAKE_ENV+= SUDO="${SUDO}"
.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
.if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS=
.endif
.else
CONFIGURE_ARGS+= --with-rpath=${OPENSSLRPATH}
.endif
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.include <bsd.port.post.mk>


@ -1,6 +0,0 @@
MD5 (openssh-3.9p1.tar.gz) = 8e1774d0b52aff08f817f3987442a16e
SIZE (openssh-3.9p1.tar.gz) = 854027
MD5 (openssh-3.9p1-hpn11.diff) = b91d73e58e2b72aecb3025ee550411fb
SIZE (openssh-3.9p1-hpn11.diff) = 13237
MD5 (openssh-3.9p1-hpn11-none.diff) = 227acfa1c17ec49f43e85a3ee98e0e8a
SIZE (openssh-3.9p1-hpn11-none.diff) = 19146


@ -1,11 +0,0 @@
--- Makefile.in.orig Mon Sep 22 03:00:12 2003
+++ Makefile.in Sun Sep 28 05:02:19 2003
@@ -224,7 +224,7 @@
$(AUTORECONF)
(cd scard && $(MAKE) -f Makefile.in distprep)
-install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key check-config
+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files check-config
install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
check-config:


@ -1,18 +0,0 @@
--- gss-serv.c.DIST Tue Sep 2 14:56:42 2003
+++ gss-serv.c Mon Oct 6 17:56:23 2003
@@ -138,6 +138,15 @@
OM_uint32 offset;
OM_uint32 oidl;
+#if defined(HEIMDAL)
+ if (strcmp(heimdal_version, "Heimdal 0.6") < 0) {
+ name->length = ename->length;
+ name->value = xmalloc(name->length+1);
+ memcpy(name->value,ename->value,name->length);
+ ((char *)name->value)[name->length] = 0;
+ return GSS_S_COMPLETE;
+ }
+#endif
tok=ename->value;
/*


@ -1,29 +0,0 @@
--- auth.c.orig Thu Aug 12 14:40:25 2004
+++ auth.c Mon Sep 20 05:04:48 2004
@@ -208,6 +208,17 @@
return 0;
#endif
+#ifdef __FreeBSD__
+ /* Fail if the account's expiration time has passed. */
+ if (pw->pw_expire != 0) {
+ struct timeval tv;
+
+ (void)gettimeofday(&tv, NULL);
+ if (tv.tv_sec >= pw->pw_expire)
+ return 0;
+ }
+#endif /* __FreeBSD__ */
+
/* We found no reason not to let this user try to log on... */
return 1;
}
@@ -472,7 +483,7 @@
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}


@ -1,64 +0,0 @@
--- auth1.c.orig Thu Aug 12 14:40:25 2004
+++ auth1.c Tue Aug 17 05:40:29 2004
@@ -25,6 +25,7 @@
#include "session.h"
#include "uidswap.h"
#include "monitor_wrap.h"
+#include "canohost.h"
/* import */
extern ServerOptions options;
@@ -69,6 +70,18 @@
u_int dlen;
u_int ulen;
int prev, type = 0;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+#endif
+#ifdef USE_PAM
+ struct inverted_pam_cookie *pam_cookie;
+#endif /* USE_PAM */
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
@@ -217,6 +230,34 @@
logit("Unknown message during authentication: type %d", type);
break;
}
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL) {
+ lc = login_getpwclass(authctxt->pw);
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, authctxt->pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
+ login_close(lc);
+ lc = NULL;
+ }
+#endif /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+#endif /* LOGIN_ACCESS */
+
#ifdef BSD_AUTH
if (authctxt->as) {
auth_close(authctxt->as);


@ -1,68 +0,0 @@
--- auth2.c.orig Thu Aug 12 14:40:25 2004
+++ auth2.c Mon Sep 20 05:04:48 2004
@@ -35,6 +35,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "monitor_wrap.h"
+#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -134,6 +135,15 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+#endif /* HAVE_LOGIN_CAP */
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -178,6 +188,41 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL) {
+ lc = login_getpwclass(authctxt->pw);
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, authctxt->pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
+ login_close(lc);
+ lc = NULL;
+ }
+#endif /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (authctxt->pw != NULL &&
+ !login_access(authctxt->pw->pw_name, from_host)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+#endif /* LOGIN_ACCESS */
+#ifdef BSD_AUTH
+ if (authctxt->as) {
+ auth_close(authctxt->as);
+ authctxt->as = NULL;
+ }
+#endif
+
/* reset state */
auth2_challenge_stop(authctxt);


@ -1,11 +0,0 @@
--- clientloop.c.orig Fri Aug 13 13:18:01 2004
+++ clientloop.c Mon Sep 20 05:04:48 2004
@@ -1581,7 +1581,7 @@
if (strcmp(ctype, "forwarded-tcpip") == 0) {
c = client_request_forwarded_tcpip(ctype, rchan);
- } else if (strcmp(ctype, "x11") == 0) {
+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
c = client_request_x11(ctype, rchan);
} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
c = client_request_agent(ctype, rchan);


@ -1,25 +0,0 @@
--- loginrec.c.orig Sun Aug 15 11:12:52 2004
+++ loginrec.c Mon Sep 20 05:04:48 2004
@@ -167,6 +167,9 @@
#ifdef HAVE_LIBUTIL_H
# include <libutil.h>
#endif
+#ifdef __FreeBSD__
+#include <osreldate.h>
+#endif
/**
** prototypes for helper functions in this file
@@ -657,7 +660,12 @@
/* Use strncpy because we don't necessarily want null termination */
strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000
strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname));
+# else
+ realhostname_sa(ut->ut_host, sizeof ut->ut_host,
+ &li->hostaddr.sa, li->hostaddr.sa.sa_len);
+# endif
# endif
# ifdef HAVE_ADDR_IN_UTMP
/* this is just a 32-bit IP address */


@ -1,11 +0,0 @@
--- regress/test-exec.sh.orig Fri Jun 25 05:46:09 2004
+++ regress/test-exec.sh Tue Aug 17 05:27:49 2004
@@ -178,6 +178,8 @@
AcceptEnv _XXX_TEST_*
AcceptEnv _XXX_TEST
Subsystem sftp $SFTPSERVER
+ PermitRootLogin yes
+ UsePrivilegeSeparation no
EOF
if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then


@ -1,349 +0,0 @@
--- session.c.orig Thu Aug 12 14:40:25 2004
+++ session.c Tue Sep 21 19:48:42 2004
@@ -66,6 +66,11 @@
#include "ssh-gss.h"
#endif
+#ifdef __FreeBSD__
+#include <syslog.h>
+#define _PATH_CHPASS "/usr/bin/passwd"
+#endif /* __FreeBSD__ */
+
/* func */
Session *session_new(void);
@@ -410,6 +415,13 @@
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/*
+ * Using login and executing a specific "command" are mutually
+ * exclusive, so turn off use_login if there's a command.
+ */
+ if (command != NULL)
+ options.use_login = 0;
+
+ /*
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group.
*/
@@ -526,6 +538,9 @@
{
int fdout, ptyfd, ttyfd, ptymaster;
pid_t pid;
+#if defined(USE_PAM)
+ const char *shorttty;
+#endif
if (s == NULL)
fatal("do_exec_pty: no session");
@@ -546,6 +561,14 @@
/* Child. Reinitialize the log because the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+ /*
+ * Using login and executing a specific "command" are mutually
+ * exclusive, so turn off use_login if there's a command.
+ */
+ if (command != NULL)
+ options.use_login = 0;
+
/* Close the master side of the pseudo tty. */
close(ptyfd);
@@ -692,6 +715,18 @@
struct sockaddr_storage from;
struct passwd * pw = s->pw;
pid_t pid = getpid();
+#ifdef HAVE_LOGIN_CAP
+ FILE *f;
+ char buf[256];
+ char *fname;
+ const char *shorttty;
+#endif /* HAVE_LOGIN_CAP */
+#ifdef __FreeBSD__
+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
+ char *newcommand;
+ struct timeval tv;
+ time_t warntime = DEFAULT_WARN;
+#endif /* __FreeBSD__ */
/*
* Get IP address of client. If the connection is not a socket, let
@@ -727,12 +762,101 @@
}
#endif
+#ifdef __FreeBSD__
+ if (pw->pw_change || pw->pw_expire)
+ (void)gettimeofday(&tv, NULL);
+#ifdef HAVE_LOGIN_CAP
+ warntime = login_getcaptime(lc, "warnpassword",
+ DEFAULT_WARN, DEFAULT_WARN);
+#endif /* HAVE_LOGIN_CAP */
+ /*
+ * If the password change time is set and has passed, give the
+ * user a password expiry notice and chance to change it.
+ */
+ if (pw->pw_change != 0) {
+ if (tv.tv_sec >= pw->pw_change) {
+ (void)printf(
+ "Sorry -- your password has expired.\n");
+ logit("%s Password expired - forcing change",
+ pw->pw_name);
+ if (newcommand != NULL)
+ xfree(newcommand);
+ newcommand = xstrdup(_PATH_CHPASS);
+ } else if (pw->pw_change - tv.tv_sec < warntime &&
+ !check_quietlogin(s, command))
+ (void)printf(
+ "Warning: your password expires on %s",
+ ctime(&pw->pw_change));
+ }
+
+#ifndef USE_PAM
+ if (pw->pw_expire) {
+ if (tv.tv_sec >= pw->pw_expire) {
+ (void)printf(
+ "Sorry -- your account has expired.\n");
+ logit(
+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
+ options.use_dns), s->tty);
+ exit(254);
+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
+ !check_quietlogin(s, command))
+ (void)printf(
+ "Warning: your account expires on %s",
+ ctime(&pw->pw_expire));
+ }
+#endif /* !USE_PAM */
+#endif /* __FreeBSD__ */
+
+#ifdef HAVE_LOGIN_CAP
+ /* check if we have a pathname in the ttyname */
+ shorttty = rindex( s->tty, '/' );
+ if (shorttty != NULL ) {
+ /* use only the short filename to check */
+ shorttty ++;
+ } else {
+ /* nothing found, use the whole name found */
+ shorttty = s->tty;
+ }
+ if (!auth_ttyok(lc, shorttty)) {
+ (void)printf("Permission denied.\n");
+ logit(
+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
+ options.use_dns), s->tty);
+ exit(254);
+ }
+#endif /* HAVE_LOGIN_CAP */
+
if (check_quietlogin(s, command))
return;
display_loginmsg();
- do_motd();
+#ifdef HAVE_LOGIN_CAP
+ if (command == NULL &&
+ !options.use_login) {
+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+ while (fgets(buf, sizeof(buf), f) != NULL)
+ fputs(buf, stdout);
+ fclose(f);
+ } else
+ (void)printf("%s\n\t%s %s\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ }
+#endif /* HAVE_LOGIN_CAP */
+
+ /*
+ * Print /etc/motd unless a command was specified or printing
+ * it was disabled in server options or login(1) will be
+ * used. Note that some machines appear to print it in
+ * /etc/profile or similar.
+ */
+ if (command == NULL && !options.use_login)
+ do_motd();
}
/*
@@ -748,9 +872,9 @@
#ifdef HAVE_LOGIN_CAP
f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
"/etc/motd"), "r");
-#else
+#else /* !HAVE_LOGIN_CAP */
f = fopen("/etc/motd", "r");
-#endif
+#endif /* HAVE_LOGIN_CAP */
if (f) {
while (fgets(buf, sizeof(buf), f))
fputs(buf, stdout);
@@ -777,10 +901,10 @@
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
return 1;
-#else
+#else /* HAVE_LOGIN_CAP */
if (stat(buf, &st) >= 0)
return 1;
-#endif
+#endif /* HAVE_LOGIN_CAP */
return 0;
}
@@ -967,6 +1091,10 @@
char buf[256];
u_int i, envsize;
char **env, *laddr, *path = NULL;
+#ifdef HAVE_LOGIN_CAP
+ extern char **environ;
+ char **senv, **var;
+#endif /* HAVE_LOGIN_CAP */
struct passwd *pw = s->pw;
/* Initialize the environment. */
@@ -974,6 +1102,9 @@
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
+ /* Moved up to resove confict with gsssapi patches */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
#ifdef HAVE_CYGWIN
/*
* The Windows environment contains some setting which are
@@ -1032,9 +1163,21 @@
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
+#ifdef HAVE_LOGIN_CAP
+ senv = environ;
+ environ = xmalloc(sizeof(char *));
+ *environ = NULL;
+ if (setusercontext(lc, pw, pw->pw_uid,
+ LOGIN_SETENV|LOGIN_SETPATH) < 0) {
+ perror("unable to set user context enviroment");
+ }
+ copy_environment(environ, &env, &envsize);
+ for (var = environ; *var != NULL; ++var)
+ xfree(*var);
+ xfree(environ);
+ environ = senv;
+#endif /* HAVE_LOGIN_CAP */
}
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
@@ -1234,6 +1377,12 @@
void
do_setusercontext(struct passwd *pw)
{
+
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
+
#ifndef HAVE_CYGWIN
if (getuid() == 0 || geteuid() == 0)
#endif /* HAVE_CYGWIN */
@@ -1254,10 +1403,30 @@
}
# endif /* USE_PAM */
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
perror("unable to set user context");
exit(1);
}
+#ifdef CHROOT
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory %s", user_dir);
+ pw->pw_dir = new_root;
+ break;
+ }
+
+ new_root += 2;
+ }
+#endif /* CHROOT */
+ permanently_set_uid(pw);
#else
# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
/* Sets login uid for accounting */
@@ -1284,7 +1453,16 @@
* Reestablish them here.
*/
if (options.use_pam) {
- do_pam_session();
+ /* check if we have a pathname in the ttyname */
+ shorttty = rindex( s->tty, '/' );
+ if (shorttty != NULL ) {
+ /* use only the short filename to check */
+ shorttty ++;
+ } else {
+ /* nothing found, use the whole name found */
+ shorttty = s->tty;
+ }
+ do_pam_session(s->pw->pw_name, shorttty);
do_pam_setcred(0);
}
# endif /* USE_PAM */
@@ -1374,7 +1552,7 @@
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
- for (i = 3; i < 64; i++)
+ for (i = 3; i < getdtablesize(); i++)
close(i);
}
@@ -1503,6 +1681,31 @@
exit(1);
#endif
}
+
+#ifdef __FreeBSD__
+ if (!options.use_login) {
+ /*
+ * If the password change time is set and has passed, give the
+ * user a password expiry notice and chance to change it.
+ */
+ if (pw->pw_change != 0) {
+ struct timeval tv;
+
+ (void)gettimeofday(&tv, NULL);
+ if (tv.tv_sec >= pw->pw_change) {
+ (void)printf(
+ "Sorry -- your password has expired.\n");
+ syslog(LOG_INFO,
+ "%s Password expired - forcing change",
+ pw->pw_name);
+ if (system("/usr/bin/passwd") != 0) {
+ perror("/usr/bin/passwd");
+ exit(1);
+ }
+ }
+ }
+ }
+#endif /* __FreeBSD__ */
if (!options.use_login)
do_rc_files(s, shell);


@ -1,31 +0,0 @@
--- sshd.c.orig Wed Jun 26 01:24:19 2002
+++ sshd.c Thu Jul 25 06:32:37 2002
@@ -53,6 +53,10 @@
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
+#endif
+
#include "ssh.h"
#include "ssh1.h"
#include "ssh2.h"
@@ -1409,6 +1413,17 @@
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+
+#ifdef __FreeBSD__
+ /*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
+ debug("res_init()");
+ res_init();
+ }
+#endif
/*
* Register our connection. This turns encryption off because we do


@ -1,18 +0,0 @@
--- sshd_config.orig Mon May 24 02:36:24 2004
+++ sshd_config Mon Sep 20 05:04:48 2004
@@ -34,6 +34,7 @@
#LoginGraceTime 2m
#PermitRootLogin yes
+PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
@@ -57,6 +58,7 @@
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no


@ -1,12 +0,0 @@
--- sshpty.c.orig Wed Jan 21 07:07:17 2004
+++ sshpty.c Wed Feb 25 11:58:54 2004
@@ -17,6 +17,9 @@
#ifdef HAVE_UTIL_H
# include <util.h>
#endif /* HAVE_UTIL_H */
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
#include "sshpty.h"
#include "log.h"


@ -1,17 +0,0 @@
--- servconf.c.orig Sat Mar 23 11:02:41 2002
+++ servconf.c Sat Mar 23 11:07:39 2002
@@ -17,12 +17,12 @@
#endif
#if defined(KRB5)
#ifdef HEIMDAL
-#include <krb.h>
+#include <krb5.h>
#else
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
* keytab */
-#define KEYFILE "/etc/krb5.keytab"
#endif
+#define KEYFILE "/etc/krb5.keytab"
#endif
#ifdef AFS
#include <kafs.h>


@ -1,24 +0,0 @@
#!/bin/sh
case "$1" in
start)
__PREFIX__/sbin/sshd
echo -n ' sshd'
;;
stop)
if [ -f /var/run/sshd.pid ]; then
kill -TERM `cat /var/run/sshd.pid`
rm -f /var/run/sshd.pid
echo -n ' sshd'
fi
;;
restart)
if [ -f /var/run/sshd.pid ]; then
kill -HUP `cat /var/run/sshd.pid`
echo 'sshd restarted'
fi
;;
*)
echo "Usage: ${0##*/}: { start | stop | restart }" >&2
exit 64
;;
esac


@ -1,14 +0,0 @@
High Performance Enabled SSH/SCP
from the Pittsburgh Supercomputing Center
hpn-ssh is a version of OpenSSH modified to support high-performance
bulk transfers (such as with scp or rsync). These modifications are
required because:
SCP and the underlying SSH protocol is network performance limited by
statically defined internal flow control buffers. These buffers often
end up acting as a brake on the network throughput of SCP especially
on long and wide paths. Modifying the ssh code to allow the flow
control buffers to be defined at run time eliminates this bottleneck.
WWW: http://www.psc.edu/networking/projects/hpn-ssh/


@ -1,17 +0,0 @@
To enable this port, please add sshd_program=/usr/local/sbin/sshd and make
sure sshd_enable is set to YES in your /etc/rc.conf
You may also want to put NO_OPENSSH= true in your /etc/make.conf
and make sure your path is setup to /usr/local/bin before /usr/bin so that
you are running the port version of openssh and not the version that comes
with FreeBSD
'PermitRootLogin no' is the new default for the OpenSSH port.
This now matches the PermitRootLogin configuration of OpenSSH in
the base system. Please be aware of this when upgrading your
OpenSSH port, and if truly necessary, re-enable remote root login
by readjusting this option in your sshd_config.
Users are encouraged to create single-purpose users with ssh keys
and very narrowly defined sudo privileges instead of using root
for automated tasks.


@ -1,38 +0,0 @@
@comment slogin must be deleted first
bin/slogin
bin/scp
bin/sftp
bin/ssh
bin/ssh-add
bin/ssh-agent
bin/ssh-keygen
bin/ssh-keyscan
%%NOTBASE%%etc/rc.d/sshd.sh.sample
%%NOTBASE%%etc/ssh/moduli
%%NOTBASE%%@exec [ -f %D/etc/ssh_config ] && [ ! -f %D/etc/ssh/ssh_config ] && ln %D/etc/ssh_config %D/etc/ssh/ssh_config
%%NOTBASE%%@exec [ -f %D/etc/sshd_config ] && [ ! -f %D/etc/ssh/sshd_config ] && ln %D/etc/sshd_config %D/etc/ssh/sshd_config
%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key ] && [ ! -f %D/etc/ssh/ssh_host_key ] && ln %D/etc/ssh_host_key %D/etc/ssh/ssh_host_key
%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_key.pub ] && ln %D/etc/ssh_host_key.pub %D/etc/ssh/ssh_host_key.pub
%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key ] && ln %D/etc/ssh_host_rsa_key %D/etc/ssh/ssh_host_rsa_key
%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key.pub ] && ln %D/etc/ssh_host_rsa_key.pub %D/etc/ssh/ssh_host_rsa_key.pub
%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key ] && ln %D/etc/ssh_host_dsa_key %D/etc/ssh/ssh_host_dsa_key
%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key.pub ] && ln %D/etc/ssh_host_dsa_key.pub %D/etc/ssh/ssh_host_dsa_key.pub
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
%%NOTBASE%%etc/ssh/ssh_config-dist
%%NOTBASE%%etc/ssh/sshd_config-dist
%%NOTBASE%%@exec [ ! -f %D/etc/ssh/ssh_config ] && cp %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config
%%NOTBASE%%@exec [ ! -f %D/etc/ssh/sshd_config ] && cp %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config
%%NOTBASE%%@dirrm etc/ssh
sbin/sshd
share/Ssh.bin
libexec/sftp-server
libexec/ssh-keysign
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_key ]; then echo ">> Generating a secret RSA1 host key."; %D/bin/ssh-keygen -t rsa1 -N "" -f %D/etc/ssh/ssh_host_key; fi
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_rsa_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -t rsa -N "" -f %D/etc/ssh/ssh_host_rsa_key; fi
%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -t dsa -N "" -f %D/etc/ssh/ssh_host_dsa_key; fi
%%NOTBASE%%@exec mkdir -p %D/empty
%%NOTBASE%%@dirrm empty
%%BASE%%@exec mkdir -p %%EMPTYDIR%%
@exec if ! pw groupshow sshd 2>/dev/null; then pw groupadd sshd -g 22; fi
@exec if ! pw usershow sshd 2>/dev/null; then pw useradd sshd -g sshd -u 22 -h - -d %%EMPTYDIR%% -s /nonexistent -c "sshd privilege separation"; fi