diff --git a/MOVED b/MOVED
index 9faf60abac09..0f8d0371a2ff 100644
--- a/MOVED
+++ b/MOVED
@@ -2209,3 +2209,4 @@ graphics/libgrass5||2006-02-22|Remove expired port
 devel/libtool13||2006-02-23|Remove defunct libtool
 japanese/squirrelmail|mail/squirrelmail|2006-03-05|Integrated to mail/squirrelmail
 japanese/vje30-trial||2006-03-07|no longer distributed
+security/hpn-ssh|security/openssh-portable|2006-03-15|Now an option in security/openssh-portable
diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile
deleted file mode 100644
index d20d93f758a7..000000000000
--- a/security/hpn-ssh/Makefile
+++ /dev/null
@@ -1,162 +0,0 @@ -# New ports collection makefile for: openssh -# Date created: 18 Mar 1999 -# Whom: dwcjr@inethouston.net -# -# $FreeBSD$ -# - -PORTNAME= hpn-ssh -PORTVERSION= 3.9.0.1.${HPNVERSION} -PORTEPOCH= 1 -CATEGORIES= security ipv6 -MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \ - ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ -PKGNAMESUFFIX?= ${GSSAPI_SUFFIX}${BASE_SUFFIX} -DISTNAME= openssh-${OPENSSHVERSION} - -PATCHFILES+= openssh-${OPENSSHVERSION}-hpn${HPNVERSION}.diff -.if defined(WITH_NONE_CIPHER) -PATCHFILES+= openssh-${OPENSSHVERSION}-hpn${HPNVERSION}-none.diff -.endif -PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/ -PATCH_DIST_STRIP=-p1 - -MAINTAINER= brooks@FreeBSD.org -COMMENT= High Performance Enabled SSH/SCP - -BROKEN= Checksum mismatch - -HPNVERSION= 11 -OPENSSHVERSION= 3.9p1 -WRKSRC= ${WRKDIR}/openssh-${OPENSSHVERSION} - -MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1 -MLINKS= ssh.1 slogin.1 -MAN5= ssh_config.5 sshd_config.5 -MAN8= sftp-server.8 sshd.8 ssh-keysign.8 - -CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* -USE_OPENSSL= yes -CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto -GNU_CONFIGURE= yes -USE_REINPLACE= yes -USE_PERL5_BUILD= yes -CONFIGURE_ARGS+= --prefix=${PREFIX} --with-md5-passwords -PRECIOUS= ssh_config sshd_config \ - ssh_host_key ssh_host_key.pub \ - ssh_host_rsa_key ssh_host_rsa_key.pub \ - ssh_host_dsa_key ssh_host_dsa_key.pub -ETCOLD= ${PREFIX}/etc - -.if exists(/usr/include/security/pam_modules.h) -CONFIGURE_ARGS+= --with-pam -.endif - -.if exists(/usr/include/tcpd.h) -CONFIGURE_ARGS+= --with-tcp-wrappers -.endif - -.if !defined(ENABLE_SUID_SSH) -CONFIGURE_ARGS+= --disable-suid-ssh -.endif - -CONFLICTS+= openssh-* - -.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) -GSSAPI_SUFFIX= -gssapi -CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} -.else -.if !defined(WITHOUT_KERBEROS) && exists(/usr/include/krb5.h) -CONFIGURE_ARGS+= 
--with-kerberos5 -EXTRA_PATCHES+= ${FILESDIR}/gss-serv.c.patch -.endif -.endif - -.if defined(BATCH) -EXTRA_PATCHES+= ${FILESDIR}/batch.patch -.endif - -.if defined(WITH_OPENSSH_CHROOT) -CFLAGS+= -DCHROOT -.endif - -.if defined(OPENSSH_OVERWRITE_BASE) -WITH_OPENSSL_BASE= yes -BASE_SUFFIX= -overwrite-base -PREFIX= /usr -MANPREFIX= ${PREFIX}/share -CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man --localstatedir=/var -EMPTYDIR= /var/empty -ETCSSH= /etc/ssh -PLIST_SUB+= NOTBASE="@comment " -PLIST_SUB+= BASE="" -PKGMESSAGE= pkg-message.empty -.else -.if exists(/var/empty) -EMPTYDIR= /var/empty -.else -EMPTYDIR= ${PREFIX}/empty -.endif -ETCSSH= ${PREFIX}/etc/ssh -PLIST_SUB+= NOTBASE="" -PLIST_SUB+= BASE="@comment " -.endif -PLIST_SUB+= EMPTYDIR=${EMPTYDIR} -CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} -CONFIGURE_ARGS+= --with-privsep-path=${EMPTYDIR} - -post-patch: - @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure - -post-configure: - ${SED} -e 's:__PREFIX__:${PREFIX}:g' \ - ${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh - -pre-install: -.if defined(OPENSSH_OVERWRITE_BASE) - -${MKDIR} ${EMPTYDIR} -.else - -${MKDIR} ${PREFIX}/empty -.endif - if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi - if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ - -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi - -@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH} -.for i in ${PRECIOUS} - -@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \ - ${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." 
&& \ - ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i} -.endfor - -post-install: -.if !defined(OPENSSH_OVERWRITE_BASE) - ${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample -.endif - ${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist - ${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist -.if !defined(OPENSSH_OVERWRITE_BASE) - @${CAT} ${PKGMESSAGE} -.endif - -test: - (cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \ - TEST_SHELL=/bin/sh \ - PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ - ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} ) - -.include - -SUDO?= -MAKE_ENV+= SUDO="${SUDO}" - -.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) -.if ${OPENSSLBASE} == "/usr" -CONFIGURE_ARGS+= --without-rpath -LDFLAGS= -.endif -.else -CONFIGURE_ARGS+= --with-rpath=${OPENSSLRPATH} -.endif -CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} - -.include diff --git a/security/hpn-ssh/distinfo b/security/hpn-ssh/distinfo deleted file mode 100644 index 97be5c580e09..000000000000 --- a/security/hpn-ssh/distinfo +++ /dev/null @@ -1,6 +0,0 @@ -MD5 (openssh-3.9p1.tar.gz) = 8e1774d0b52aff08f817f3987442a16e -SIZE (openssh-3.9p1.tar.gz) = 854027 -MD5 (openssh-3.9p1-hpn11.diff) = b91d73e58e2b72aecb3025ee550411fb -SIZE (openssh-3.9p1-hpn11.diff) = 13237 -MD5 (openssh-3.9p1-hpn11-none.diff) = 227acfa1c17ec49f43e85a3ee98e0e8a -SIZE (openssh-3.9p1-hpn11-none.diff) = 19146 diff --git a/security/hpn-ssh/files/batch.patch b/security/hpn-ssh/files/batch.patch deleted file mode 100644 index 6d5f60af0470..000000000000 --- a/security/hpn-ssh/files/batch.patch +++ /dev/null 
@@ -1,11 +0,0 @@
---- Makefile.in.orig Mon Sep 22 03:00:12 2003
-+++ Makefile.in Sun Sep 28 05:02:19 2003
-@@ -224,7 +224,7 @@
- $(AUTORECONF)
- (cd scard && $(MAKE) -f Makefile.in distprep)
-
--install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key check-config
-+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files check-config
- install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
-
- check-config:
diff --git a/security/hpn-ssh/files/gss-serv.c.patch b/security/hpn-ssh/files/gss-serv.c.patch
deleted file mode 100644
index 434f71e6d057..000000000000
--- a/security/hpn-ssh/files/gss-serv.c.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- gss-serv.c.DIST Tue Sep 2 14:56:42 2003
-+++ gss-serv.c Mon Oct 6 17:56:23 2003
-@@ -138,6 +138,15 @@
- OM_uint32 offset;
- OM_uint32 oidl;
-
-+#if defined(HEIMDAL)
-+ if (strcmp(heimdal_version, "Heimdal 0.6") < 0) {
-+ name->length = ename->length;
-+ name->value = xmalloc(name->length+1);
-+ memcpy(name->value,ename->value,name->length);
-+ ((char *)name->value)[name->length] = 0;
-+ return GSS_S_COMPLETE;
-+ }
-+#endif
- tok=ename->value;
-
- /*
diff --git a/security/hpn-ssh/files/patch-auth.c b/security/hpn-ssh/files/patch-auth.c
deleted file mode 100644
index e15f33234d56..000000000000
--- a/security/hpn-ssh/files/patch-auth.c
+++ /dev/null
@@ -1,29 +0,0 @@ ---- auth.c.orig Thu Aug 12 14:40:25 2004 -+++ auth.c Mon Sep 20 05:04:48 2004 -@@ -208,6 +208,17 @@ - return 0; - #endif - -+#ifdef __FreeBSD__ -+ /* Fail if the account's expiration time has passed. */ -+ if (pw->pw_expire != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_expire) -+ return 0; -+ } -+#endif /* __FreeBSD__ */ -+ - /* We found no reason not to let this user try to log on... */ - return 1; - } -@@ -472,7 +483,7 @@ - if (!allowed_user(pw)) - return (NULL); - #ifdef HAVE_LOGIN_CAP -- if ((lc = login_getclass(pw->pw_class)) == NULL) { -+ if ((lc = login_getpwclass(pw)) == NULL) { - debug("unable to get login class: %s", user); - return (NULL); - } diff --git a/security/hpn-ssh/files/patch-auth1.c b/security/hpn-ssh/files/patch-auth1.c deleted file mode 100644 index 2308a0db7d27..000000000000 --- a/security/hpn-ssh/files/patch-auth1.c +++ /dev/null 
@@ -1,64 +0,0 @@ ---- auth1.c.orig Thu Aug 12 14:40:25 2004 -+++ auth1.c Tue Aug 17 05:40:29 2004 -@@ -25,6 +25,7 @@ - #include "session.h" - #include "uidswap.h" - #include "monitor_wrap.h" -+#include "canohost.h" - - /* import */ - extern ServerOptions options; -@@ -69,6 +70,18 @@ - u_int dlen; - u_int ulen; - int prev, type = 0; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+#endif -+#ifdef USE_PAM -+ struct inverted_pam_cookie *pam_cookie; -+#endif /* USE_PAM */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.use_dns); -+ from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ - - debug("Attempting authentication for %s%.100s.", - authctxt->valid ? "" : "invalid user ", authctxt->user); -@@ -217,6 +230,34 @@ - logit("Unknown message during authentication: type %d", type); - break; - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ -+ - #ifdef BSD_AUTH - if (authctxt->as) { - auth_close(authctxt->as); 
diff --git a/security/hpn-ssh/files/patch-auth2.c b/security/hpn-ssh/files/patch-auth2.c
deleted file mode 100644
index a7e9b703181d..000000000000
--- a/security/hpn-ssh/files/patch-auth2.c
+++ /dev/null
@@ -1,68 +0,0 @@ ---- auth2.c.orig Thu Aug 12 14:40:25 2004 -+++ auth2.c Mon Sep 20 05:04:48 2004 -@@ -35,6 +35,7 @@ - #include "dispatch.h" - #include "pathnames.h" - #include "monitor_wrap.h" -+#include "canohost.h" - - #ifdef GSSAPI - #include "ssh-gss.h" -@@ -134,6 +135,15 @@ - Authmethod *m = NULL; - char *user, *service, *method, *style = NULL; - int authenticated = 0; -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+#endif /* HAVE_LOGIN_CAP */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) -+ const char *from_host, *from_ip; -+ -+ from_host = get_canonical_hostname(options.use_dns); -+ from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -178,6 +188,41 @@ - "(%s,%s) -> (%s,%s)", - authctxt->user, authctxt->service, user, service); - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (authctxt->pw != NULL && -+ !login_access(authctxt->pw->pw_name, from_host)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ -+#ifdef BSD_AUTH -+ if (authctxt->as) { -+ auth_close(authctxt->as); -+ authctxt->as = NULL; -+ } -+#endif -+ - /* reset state */ - auth2_challenge_stop(authctxt); - 
diff --git a/security/hpn-ssh/files/patch-clientloop.c b/security/hpn-ssh/files/patch-clientloop.c
deleted file mode 100644
index 78fba1757228..000000000000
--- a/security/hpn-ssh/files/patch-clientloop.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- clientloop.c.orig Fri Aug 13 13:18:01 2004
-+++ clientloop.c Mon Sep 20 05:04:48 2004
-@@ -1581,7 +1581,7 @@
-
- if (strcmp(ctype, "forwarded-tcpip") == 0) {
- c = client_request_forwarded_tcpip(ctype, rchan);
-- } else if (strcmp(ctype, "x11") == 0) {
-+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
- c = client_request_x11(ctype, rchan);
- } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
- c = client_request_agent(ctype, rchan);
diff --git a/security/hpn-ssh/files/patch-loginrec.c b/security/hpn-ssh/files/patch-loginrec.c
deleted file mode 100644
index 6a294b39a70f..000000000000
--- a/security/hpn-ssh/files/patch-loginrec.c
+++ /dev/null
@@ -1,25 +0,0 @@
---- loginrec.c.orig Sun Aug 15 11:12:52 2004
-+++ loginrec.c Mon Sep 20 05:04:48 2004
-@@ -167,6 +167,9 @@
- #ifdef HAVE_LIBUTIL_H
- # include
- #endif
-+#ifdef __FreeBSD__
-+#include
-+#endif
-
- /**
- ** prototypes for helper functions in this file
-@@ -657,7 +660,12 @@
- /* Use strncpy because we don't necessarily want null termination */
- strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username));
- # ifdef HAVE_HOST_IN_UTMP
-+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000
- strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname));
-+# else
-+ realhostname_sa(ut->ut_host, sizeof ut->ut_host,
-+ &li->hostaddr.sa, li->hostaddr.sa.sa_len);
-+# endif
- # endif
- # ifdef HAVE_ADDR_IN_UTMP
- /* this is just a 32-bit IP address */
diff --git a/security/hpn-ssh/files/patch-regress-test-exec.sh b/security/hpn-ssh/files/patch-regress-test-exec.sh
deleted file mode 100644
index 5fbf834f3c0c..000000000000
--- a/security/hpn-ssh/files/patch-regress-test-exec.sh
+++ /dev/null
@@ -1,11 +0,0 @@
---- regress/test-exec.sh.orig Fri Jun 25 05:46:09 2004
-+++ regress/test-exec.sh Tue Aug 17 05:27:49 2004
-@@ -178,6 +178,8 @@
- AcceptEnv _XXX_TEST_*
- AcceptEnv _XXX_TEST
- Subsystem sftp $SFTPSERVER
-+ PermitRootLogin yes
-+ UsePrivilegeSeparation no
- EOF
-
- if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
diff --git a/security/hpn-ssh/files/patch-session.c b/security/hpn-ssh/files/patch-session.c
deleted file mode 100644
index 2d9a901c2519..000000000000
--- a/security/hpn-ssh/files/patch-session.c
+++ /dev/null
@@ -1,349 +0,0 @@ ---- session.c.orig Thu Aug 12 14:40:25 2004 -+++ session.c Tue Sep 21 19:48:42 2004 -@@ -66,6 +66,11 @@ - #include "ssh-gss.h" - #endif - -+#ifdef __FreeBSD__ -+#include -+#define _PATH_CHPASS "/usr/bin/passwd" -+#endif /* __FreeBSD__ */ -+ - /* func */ - - Session *session_new(void); -@@ -410,6 +415,13 @@ - log_init(__progname, options.log_level, options.log_facility, log_stderr); - - /* -+ * Using login and executing a specific "command" are mutually -+ * exclusive, so turn off use_login if there's a command. -+ */ -+ if (command != NULL) -+ options.use_login = 0; -+ -+ /* - * Create a new session and process group since the 4.4BSD - * setlogin() affects the entire process group. - */ -@@ -526,6 +538,9 @@ - { - int fdout, ptyfd, ttyfd, ptymaster; - pid_t pid; -+#if defined(USE_PAM) -+ const char *shorttty; -+#endif - - if (s == NULL) - fatal("do_exec_pty: no session"); -@@ -546,6 +561,14 @@ - - /* Child. Reinitialize the log because the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); -+ -+ /* -+ * Using login and executing a specific "command" are mutually -+ * exclusive, so turn off use_login if there's a command. -+ */ -+ if (command != NULL) -+ options.use_login = 0; -+ - /* Close the master side of the pseudo tty. */ - close(ptyfd); - -@@ -692,6 +715,18 @@ - struct sockaddr_storage from; - struct passwd * pw = s->pw; - pid_t pid = getpid(); -+#ifdef HAVE_LOGIN_CAP -+ FILE *f; -+ char buf[256]; -+ char *fname; -+ const char *shorttty; -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef __FreeBSD__ -+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ -+ char *newcommand; -+ struct timeval tv; -+ time_t warntime = DEFAULT_WARN; -+#endif /* __FreeBSD__ */ - - /* - * Get IP address of client. 
If the connection is not a socket, let -@@ -727,12 +762,101 @@ - } - #endif - -+#ifdef __FreeBSD__ -+ if (pw->pw_change || pw->pw_expire) -+ (void)gettimeofday(&tv, NULL); -+#ifdef HAVE_LOGIN_CAP -+ warntime = login_getcaptime(lc, "warnpassword", -+ DEFAULT_WARN, DEFAULT_WARN); -+#endif /* HAVE_LOGIN_CAP */ -+ /* -+ * If the password change time is set and has passed, give the -+ * user a password expiry notice and chance to change it. -+ */ -+ if (pw->pw_change != 0) { -+ if (tv.tv_sec >= pw->pw_change) { -+ (void)printf( -+ "Sorry -- your password has expired.\n"); -+ logit("%s Password expired - forcing change", -+ pw->pw_name); -+ if (newcommand != NULL) -+ xfree(newcommand); -+ newcommand = xstrdup(_PATH_CHPASS); -+ } else if (pw->pw_change - tv.tv_sec < warntime && -+ !check_quietlogin(s, command)) -+ (void)printf( -+ "Warning: your password expires on %s", -+ ctime(&pw->pw_change)); -+ } -+ -+#ifndef USE_PAM -+ if (pw->pw_expire) { -+ if (tv.tv_sec >= pw->pw_expire) { -+ (void)printf( -+ "Sorry -- your account has expired.\n"); -+ logit( -+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s", -+ pw->pw_name, get_remote_name_or_ip(utmp_len, -+ options.use_dns), s->tty); -+ exit(254); -+ } else if (pw->pw_expire - tv.tv_sec < warntime && -+ !check_quietlogin(s, command)) -+ (void)printf( -+ "Warning: your account expires on %s", -+ ctime(&pw->pw_expire)); -+ } -+#endif /* !USE_PAM */ -+#endif /* __FreeBSD__ */ -+ -+#ifdef HAVE_LOGIN_CAP -+ /* check if we have a pathname in the ttyname */ -+ shorttty = rindex( s->tty, '/' ); -+ if (shorttty != NULL ) { -+ /* use only the short filename to check */ -+ shorttty ++; -+ } else { -+ /* nothing found, use the whole name found */ -+ shorttty = s->tty; -+ } -+ if (!auth_ttyok(lc, shorttty)) { -+ (void)printf("Permission denied.\n"); -+ logit( -+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s", -+ pw->pw_name, get_remote_name_or_ip(utmp_len, -+ options.use_dns), s->tty); -+ exit(254); -+ } -+#endif /* 
HAVE_LOGIN_CAP */ -+ - if (check_quietlogin(s, command)) - return; - - display_loginmsg(); - -- do_motd(); -+#ifdef HAVE_LOGIN_CAP -+ if (command == NULL && -+ !options.use_login) { -+ fname = login_getcapstr(lc, "copyright", NULL, NULL); -+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { -+ while (fgets(buf, sizeof(buf), f) != NULL) -+ fputs(buf, stdout); -+ fclose(f); -+ } else -+ (void)printf("%s\n\t%s %s\n", -+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", -+ "The Regents of the University of California. ", -+ "All rights reserved."); -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ -+ /* -+ * Print /etc/motd unless a command was specified or printing -+ * it was disabled in server options or login(1) will be -+ * used. Note that some machines appear to print it in -+ * /etc/profile or similar. -+ */ -+ if (command == NULL && !options.use_login) -+ do_motd(); - } - - /* -@@ -748,9 +872,9 @@ - #ifdef HAVE_LOGIN_CAP - f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", - "/etc/motd"), "r"); --#else -+#else /* !HAVE_LOGIN_CAP */ - f = fopen("/etc/motd", "r"); --#endif -+#endif /* HAVE_LOGIN_CAP */ - if (f) { - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stdout); -@@ -777,10 +901,10 @@ - #ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) - return 1; --#else -+#else /* HAVE_LOGIN_CAP */ - if (stat(buf, &st) >= 0) - return 1; --#endif -+#endif /* HAVE_LOGIN_CAP */ - return 0; - } - -@@ -967,6 +1091,10 @@ - char buf[256]; - u_int i, envsize; - char **env, *laddr, *path = NULL; -+#ifdef HAVE_LOGIN_CAP -+ extern char **environ; -+ char **senv, **var; -+#endif /* HAVE_LOGIN_CAP */ - struct passwd *pw = s->pw; - - /* Initialize the environment. 
*/ -@@ -974,6 +1102,9 @@ - env = xmalloc(envsize * sizeof(char *)); - env[0] = NULL; - -+ /* Moved up to resove confict with gsssapi patches */ -+ if (getenv("TZ")) -+ child_set_env(&env, &envsize, "TZ", getenv("TZ")); - #ifdef HAVE_CYGWIN - /* - * The Windows environment contains some setting which are -@@ -1032,9 +1163,21 @@ - - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); -+#ifdef HAVE_LOGIN_CAP -+ senv = environ; -+ environ = xmalloc(sizeof(char *)); -+ *environ = NULL; -+ if (setusercontext(lc, pw, pw->pw_uid, -+ LOGIN_SETENV|LOGIN_SETPATH) < 0) { -+ perror("unable to set user context enviroment"); -+ } -+ copy_environment(environ, &env, &envsize); -+ for (var = environ; *var != NULL; ++var) -+ xfree(*var); -+ xfree(environ); -+ environ = senv; -+#endif /* HAVE_LOGIN_CAP */ - } -- if (getenv("TZ")) -- child_set_env(&env, &envsize, "TZ", getenv("TZ")); - - /* Set custom environment options from RSA authentication. */ - if (!options.use_login) { -@@ -1234,6 +1377,12 @@ - void - do_setusercontext(struct passwd *pw) - { -+ -+#ifdef CHROOT -+ char *user_dir; -+ char *new_root; -+#endif /* CHROOT */ -+ - #ifndef HAVE_CYGWIN - if (getuid() == 0 || geteuid() == 0) - #endif /* HAVE_CYGWIN */ -@@ -1254,10 +1403,30 @@ - } - # endif /* USE_PAM */ - if (setusercontext(lc, pw, pw->pw_uid, -- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { - perror("unable to set user context"); - exit(1); - } -+#ifdef CHROOT -+ user_dir = xstrdup(pw->pw_dir); -+ new_root = user_dir + 1; -+ -+ while((new_root = strchr(new_root, '.')) != NULL) { -+ new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { -+ *new_root = '\0'; -+ new_root += 2; -+ -+ if(chroot(user_dir) != 0) -+ fatal("Couldn't chroot to user directory %s", user_dir); -+ pw->pw_dir = new_root; -+ break; -+ } -+ -+ new_root += 2; -+ } -+#endif /* CHROOT */ -+ permanently_set_uid(pw); - #else - # if defined(HAVE_GETLUID) && 
defined(HAVE_SETLUID) - /* Sets login uid for accounting */ -@@ -1284,7 +1453,16 @@ - * Reestablish them here. - */ - if (options.use_pam) { -- do_pam_session(); -+ /* check if we have a pathname in the ttyname */ -+ shorttty = rindex( s->tty, '/' ); -+ if (shorttty != NULL ) { -+ /* use only the short filename to check */ -+ shorttty ++; -+ } else { -+ /* nothing found, use the whole name found */ -+ shorttty = s->tty; -+ } -+ do_pam_session(s->pw->pw_name, shorttty); - do_pam_setcred(0); - } - # endif /* USE_PAM */ -@@ -1374,7 +1552,7 @@ - * initgroups, because at least on Solaris 2.3 it leaves file - * descriptors open. - */ -- for (i = 3; i < 64; i++) -+ for (i = 3; i < getdtablesize(); i++) - close(i); - } - -@@ -1503,6 +1681,31 @@ - exit(1); - #endif - } -+ -+#ifdef __FreeBSD__ -+ if (!options.use_login) { -+ /* -+ * If the password change time is set and has passed, give the -+ * user a password expiry notice and chance to change it. -+ */ -+ if (pw->pw_change != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_change) { -+ (void)printf( -+ "Sorry -- your password has expired.\n"); -+ syslog(LOG_INFO, -+ "%s Password expired - forcing change", -+ pw->pw_name); -+ if (system("/usr/bin/passwd") != 0) { -+ perror("/usr/bin/passwd"); -+ exit(1); -+ } -+ } -+ } -+ } -+#endif /* __FreeBSD__ */ - - if (!options.use_login) - do_rc_files(s, shell); diff --git a/security/hpn-ssh/files/patch-sshd.c b/security/hpn-ssh/files/patch-sshd.c deleted file mode 100644 index 09665a42d7bd..000000000000 --- a/security/hpn-ssh/files/patch-sshd.c +++ /dev/null 
@@ -1,31 +0,0 @@
---- sshd.c.orig Wed Jun 26 01:24:19 2002
-+++ sshd.c Thu Jul 25 06:32:37 2002
-@@ -53,6 +53,10 @@
- #include
- #endif
-
-+#ifdef __FreeBSD__
-+#include
-+#endif
-+
- #include "ssh.h"
- #include "ssh1.h"
- #include "ssh2.h"
-@@ -1409,6 +1413,17 @@
- setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
- sizeof(on)) < 0)
- error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
-+
-+#ifdef __FreeBSD__
-+ /*
-+ * Initialize the resolver. This may not happen automatically
-+ * before privsep chroot().
-+ */
-+ if ((_res.options & RES_INIT) == 0) {
-+ debug("res_init()");
-+ res_init();
-+ }
-+#endif
-
- /*
- * Register our connection. This turns encryption off because we do
diff --git a/security/hpn-ssh/files/patch-sshd_config b/security/hpn-ssh/files/patch-sshd_config
deleted file mode 100644
index 0d7486dcb83b..000000000000
--- a/security/hpn-ssh/files/patch-sshd_config
+++ /dev/null
@@ -1,18 +0,0 @@
---- sshd_config.orig Mon May 24 02:36:24 2004
-+++ sshd_config Mon Sep 20 05:04:48 2004
-@@ -34,6 +34,7 @@
-
- #LoginGraceTime 2m
- #PermitRootLogin yes
-+PermitRootLogin no
- #StrictModes yes
- #MaxAuthTries 6
-
-@@ -57,6 +58,7 @@
-
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
-+ChallengeResponseAuthentication no
-
- # Kerberos options
- #KerberosAuthentication no
diff --git a/security/hpn-ssh/files/patch-sshpty.c b/security/hpn-ssh/files/patch-sshpty.c
deleted file mode 100644
index d8cd703dcec7..000000000000
--- a/security/hpn-ssh/files/patch-sshpty.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- sshpty.c.orig Wed Jan 21 07:07:17 2004
-+++ sshpty.c Wed Feb 25 11:58:54 2004
-@@ -17,6 +17,9 @@
- #ifdef HAVE_UTIL_H
- # include
- #endif /* HAVE_UTIL_H */
-+#ifdef HAVE_LIBUTIL_H
-+#include
-+#endif
-
- #include "sshpty.h"
- #include "log.h"
diff --git a/security/hpn-ssh/files/servconf.c.patch b/security/hpn-ssh/files/servconf.c.patch
deleted file mode 100644
index dde0a6947e60..000000000000
--- a/security/hpn-ssh/files/servconf.c.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- servconf.c.orig Sat Mar 23 11:02:41 2002 -+++ servconf.c Sat Mar 23 11:07:39 2002 -@@ -17,12 +17,12 @@ - #endif - #if defined(KRB5) - #ifdef HEIMDAL --#include -+#include - #else - /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V - * keytab */ --#define KEYFILE "/etc/krb5.keytab" - #endif -+#define KEYFILE "/etc/krb5.keytab" - #endif - #ifdef AFS - #include diff --git a/security/hpn-ssh/files/sshd.sh b/security/hpn-ssh/files/sshd.sh deleted file mode 100644 index a08d61e67a6d..000000000000 --- a/security/hpn-ssh/files/sshd.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh -case "$1" in -start) - __PREFIX__/sbin/sshd - echo -n ' sshd' - ;; -stop) - if [ -f /var/run/sshd.pid ]; then - kill -TERM `cat /var/run/sshd.pid` - rm -f /var/run/sshd.pid - echo -n ' sshd' - fi - ;; -restart) - if [ -f /var/run/sshd.pid ]; then - kill -HUP `cat /var/run/sshd.pid` - echo 'sshd restarted' - fi - ;; -*) - echo "Usage: ${0##*/}: { start | stop | restart }" >&2 - exit 64 - ;; -esac diff --git a/security/hpn-ssh/pkg-descr b/security/hpn-ssh/pkg-descr deleted file mode 100644 index b63506daa5fb..000000000000 --- a/security/hpn-ssh/pkg-descr +++ /dev/null @@ -1,14 +0,0 @@ -High Performance Enabled SSH/SCP -from the Pittsburgh Supercomputing Center - -hpn-ssh is a version of OpenSSH modified to support high-performance -bulk transfers (such as with scp or rsync). These modifications are -required because: - - SCP and the underlying SSH protocol is network performance limited by - statically defined internal flow control buffers. These buffers often - end up acting as a brake on the network throughput of SCP especially - on long and wide paths. Modifying the ssh code to allow the flow - control buffers to be defined at run time eliminates this bottleneck. - -WWW: http://www.psc.edu/networking/projects/hpn-ssh/ 
diff --git a/security/hpn-ssh/pkg-message b/security/hpn-ssh/pkg-message
deleted file mode 100644
index b0908ddd4486..000000000000
--- a/security/hpn-ssh/pkg-message
+++ /dev/null
@@ -1,17 +0,0 @@
-To enable this port, please add sshd_program=/usr/local/sbin/sshd and make
-sure sshd_enable is set to YES in your /etc/rc.conf
-
-You may also want to put NO_OPENSSH= true in your /etc/make.conf
-and make sure your path is setup to /usr/local/bin before /usr/bin so that
-you are running the port version of openssh and not the version that comes
-with FreeBSD
-
-'PermitRootLogin no' is the new default for the OpenSSH port.
-This now matches the PermitRootLogin configuration of OpenSSH in
-the base system. Please be aware of this when upgrading your
-OpenSSH port, and if truly necessary, re-enable remote root login
-by readjusting this option in your sshd_config.
-
-Users are encouraged to create single-purpose users with ssh keys
-and very narrowly defined sudo privileges instead of using root
-for automated tasks.
diff --git a/security/hpn-ssh/pkg-plist b/security/hpn-ssh/pkg-plist
deleted file mode 100644
index a20e02c1426b..000000000000
--- a/security/hpn-ssh/pkg-plist
+++ /dev/null
@@ -1,38 +0,0 @@ -@comment slogin must be deleted first -bin/slogin -bin/scp -bin/sftp -bin/ssh -bin/ssh-add -bin/ssh-agent -bin/ssh-keygen -bin/ssh-keyscan -%%NOTBASE%%etc/rc.d/sshd.sh.sample -%%NOTBASE%%etc/ssh/moduli -%%NOTBASE%%@exec [ -f %D/etc/ssh_config ] && [ ! -f %D/etc/ssh/ssh_config ] && ln %D/etc/ssh_config %D/etc/ssh/ssh_config -%%NOTBASE%%@exec [ -f %D/etc/sshd_config ] && [ ! -f %D/etc/ssh/sshd_config ] && ln %D/etc/sshd_config %D/etc/ssh/sshd_config -%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key ] && [ ! -f %D/etc/ssh/ssh_host_key ] && ln %D/etc/ssh_host_key %D/etc/ssh/ssh_host_key -%%NOTBASE%%@exec [ -f %D/etc/ssh_host_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_key.pub ] && ln %D/etc/ssh_host_key.pub %D/etc/ssh/ssh_host_key.pub -%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key ] && ln %D/etc/ssh_host_rsa_key %D/etc/ssh/ssh_host_rsa_key -%%NOTBASE%%@exec [ -f %D/etc/ssh_host_rsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_rsa_key.pub ] && ln %D/etc/ssh_host_rsa_key.pub %D/etc/ssh/ssh_host_rsa_key.pub -%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key ] && ln %D/etc/ssh_host_dsa_key %D/etc/ssh/ssh_host_dsa_key -%%NOTBASE%%@exec [ -f %D/etc/ssh_host_dsa_key.pub ] && [ ! -f %D/etc/ssh/ssh_host_dsa_key.pub ] && ln %D/etc/ssh_host_dsa_key.pub %D/etc/ssh/ssh_host_dsa_key.pub -%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi -%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi -%%NOTBASE%%etc/ssh/ssh_config-dist -%%NOTBASE%%etc/ssh/sshd_config-dist -%%NOTBASE%%@exec [ ! -f %D/etc/ssh/ssh_config ] && cp %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config -%%NOTBASE%%@exec [ ! 
-f %D/etc/ssh/sshd_config ] && cp %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config -%%NOTBASE%%@dirrm etc/ssh -sbin/sshd -share/Ssh.bin -libexec/sftp-server -libexec/ssh-keysign -%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_key ]; then echo ">> Generating a secret RSA1 host key."; %D/bin/ssh-keygen -t rsa1 -N "" -f %D/etc/ssh/ssh_host_key; fi -%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_rsa_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -t rsa -N "" -f %D/etc/ssh/ssh_host_rsa_key; fi -%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -t dsa -N "" -f %D/etc/ssh/ssh_host_dsa_key; fi -%%NOTBASE%%@exec mkdir -p %D/empty -%%NOTBASE%%@dirrm empty -%%BASE%%@exec mkdir -p %%EMPTYDIR%% -@exec if ! pw groupshow sshd 2>/dev/null; then pw groupadd sshd -g 22; fi -@exec if ! pw usershow sshd 2>/dev/null; then pw useradd sshd -g sshd -u 22 -h - -d %%EMPTYDIR%% -s /nonexistent -c "sshd privilege separation"; fi