From 8543a6a9209b05db87930e8fb6b2a77c837c399c Mon Sep 17 00:00:00 2001
From: Bryan Drewery
Date: Wed, 5 Feb 2014 01:40:46 +0000
Subject: [PATCH] - Update to 6.5

ChangeLog: http://www.openssh.org/txt/release-6.5
- Update X509 patch to 7.8
- Update LIB_DEPENDS to new format
- Revert r328706 and re-enable privilege separation sandboxing by default as the issue causing crashes has been fixed upstream
- capsicum(4) is now enabled upstream. A local patch is added to fix an issue with it [1]
- KERB_GSSAPI is marked BROKEN. It does not build. This patch lacks an upstream and I have no way to test it. It needs a non-trivial amount of refactoring for 6.5 as the key handling API has changed quite a bit.

Submitted by: pjd@ [1]
---
 security/openssh-portable/Makefile | 25 +++++++++++--------
 security/openssh-portable/distinfo | 22 ++++++++--------
 .../files/extra-patch-hpn-build-options | 12 ++++-----
 security/openssh-portable/files/openssh.in | 12 ++++++++-
 .../openssh-portable/files/patch-readconf.c | 6 ++---
 .../files/patch-sandbox-capsicum.c | 17 +++++++++++++
 .../openssh-portable/files/patch-servconf.c | 9 +++++++
 security/openssh-portable/files/patch-sshd.c | 18 ++++++-------
 .../openssh-portable/files/patch-sshd_config | 19 +++++++-------
 9 files changed, 89 insertions(+), 51 deletions(-)
 create mode 100644 security/openssh-portable/files/patch-sandbox-capsicum.c

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 4636e7cd7e57..d0cb8e91cd1a 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME= openssh
-DISTVERSION= 6.4p1
+DISTVERSION= 6.5p1
 PORTEPOCH= 1
 CATEGORIES= security ipv6
 MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -12,8 +12,8 @@ PKGNAMESUFFIX?= -portable
 MAINTAINER= bdrewery@FreeBSD.org
 COMMENT= The portable version of OpenBSD's OpenSSH
 
-#LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style
-#LICENSE_FILE= ${WRKSRC}/LICENCE
+#LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style
+#LICENSE_FILE= ${WRKSRC}/LICENCE
 
 CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
 
@@ -79,21 +79,20 @@ LPK_CONFIGURE_ON= --with-ldap=yes \
 LPK_USE= OPENLDAP=yes
 
 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 7.6
+X509_VERSION= 7.8
 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= openssh-6.4-x509-glue.patch \
- ${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-6.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
-SCTP_PATCHFILES= ${PORTNAME}-sctp-2329.patch.gz
+SCTP_PATCHFILES= ${PORTNAME}-6.5p1-sctp-2329.patch.gz
 SCTP_CONFIGURE_WITH= sctp
 
 # Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/
-KERB_GSSAPI_PATCHFILES= openssh-6.3p1-gsskex-all-20110125.patch.gz
+KERB_GSSAPI_PATCHFILES= openssh-6.5p1-gsskex-all-20110125.patch.gz
 
-MIT_LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5
-HEIMDAL_LIB_DEPENDS= krb5.26:${PORTSDIR}/security/heimdal
+MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
+HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
 
 PAM_CONFIGURE_WITH= pam
 TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
 
@@ -104,11 +103,15 @@ BSM_CONFIGURE_ON= --with-audit=bsm
 
 .include
 
+.if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN= KERB_GSSAPI Patch is not updated for 6.5 and upstream has not been active since 2001.
+.endif
+
 # http://www.psc.edu/index.php/hpn-ssh
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
 PORTDOCS+= HPN-README
 HPN_VERSION= 14v2
-HPN_DISTVERSION= 6.3p1
+HPN_DISTVERSION= 6.5p1
 PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
 PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index e02e3181a283..2112530b0ea0 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
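Review bot: The new BROKEN text says the KERB_GSSAPI patch's upstream "has not been active since 2001", but the patch this refers to is named with a 20110125 date stamp in KERB_GSSAPI_PATCHFILES a few lines up and its comment says it was adapted from a 5.7-era patch, so 2011 is presumably intended. BROKEN is the message users see when they select the option, so suggest `BROKEN= KERB_GSSAPI patch is not updated for 6.5 and upstream has not been active since 2011.`. The commit message records that the patch needs non-trivial rework for the changed key-handling API; a short comment next to the `.if` block saying the same would keep that reason with the code rather than only in the log.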
@@ -1,14 +1,12 @@
-SHA256 (openssh-6.4p1.tar.gz) = 5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2
-SIZE (openssh-6.4p1.tar.gz) = 1201402
-SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca
-SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450
-SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460
-SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962
-SHA256 (openssh-6.4-x509-glue.patch) = 8a199b3e6fe031775531c82e7a2d18fe468c1193c9d90ba17554ba9de2834876
-SIZE (openssh-6.4-x509-glue.patch) = 1219
-SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767
-SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486
+SHA256 (openssh-6.5p1.tar.gz) = a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
+SIZE (openssh-6.5p1.tar.gz) = 1293187
+SHA256 (openssh-6.5p1-hpnssh14v2.diff.gz) = be6915130f2b1aad00235e02d55b67114dbb517b13d04d52a8abac9343166efd
+SIZE (openssh-6.5p1-hpnssh14v2.diff.gz) = 24534
+SHA256 (openssh-6.5p1+x509-7.8.diff.gz) = b096ff7569e9ea3601673383540a986ce87636a984cc605a60dc53574888b992
+SIZE (openssh-6.5p1+x509-7.8.diff.gz) = 225483
+SHA256 (openssh-6.5p1-gsskex-all-20110125.patch.gz) = dd3b0f383a58e490f735646ae27f3dd05db96446e2e4ae8e753b64eee7f46582
+SIZE (openssh-6.5p1-gsskex-all-20110125.patch.gz) = 23516
 SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
 SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
-SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb
-SIZE (openssh-sctp-2329.patch.gz) = 8706
+SHA256 (openssh-6.5p1-sctp-2329.patch.gz) = 07acf0c6e6be493dbcf6fb166b846eef99256f6f60f0feb3451522147a1d9464
+SIZE (openssh-6.5p1-sctp-2329.patch.gz) = 8722
diff --git a/security/openssh-portable/files/extra-patch-hpn-build-options b/security/openssh-portable/files/extra-patch-hpn-build-options
index c4551a51e756..235db7f624a7 100644
--- a/security/openssh-portable/files/extra-patch-hpn-build-options
+++ b/security/openssh-portable/files/extra-patch-hpn-build-options
@@ -36,13 +36,13 @@
 
 --- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
 +++ readconf.c 2013-10-11 09:19:12.295135966 -0500
-@@ -251,12 +251,16 @@ static struct {
-  { "kexalgorithms", oKexAlgorithms },
-  { "ipqos", oIPQoS },
-  { "requesttty", oRequestTTY },
+@@ -268,12 +268,16 @@ static struct {
+  { "canonicalizehostname", oCanonicalizeHostname },
+  { "canonicalizemaxdots", oCanonicalizeMaxDots },
+  { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
 +#ifdef NONECIPHER
   { "noneenabled", oNoneEnabled },
-  { "noneswitch", oNoneSwitch },
+  { "noneswitch", oNoneSwitch },
 +#endif
 +#ifdef HPN
   { "tcprcvbufpoll", oTcpRcvBufPoll },
@@ -53,7 +53,7 @@
   { "ignoreunknown", oIgnoreUnknown },
  
   { NULL, oBadOption }
-@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
+@@ -1739,12 +1743,20 @@ fill_default_options(Options * options)
   options->server_alive_interval = 0;
   if (options->server_alive_count_max == -1)
   options->server_alive_count_max = 3;
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in
index 32b8b3519ad3..22b3801571ba 100644
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@@ -38,7 +38,8 @@ openssh_keygen()
  if [ -f %%ETCSSH%%/ssh_host_key -a \
  -f %%ETCSSH%%/ssh_host_dsa_key -a \
  -f %%ETCSSH%%/ssh_host_rsa_key -a \
- -f %%ETCSSH%%/ssh_host_ecdsa_key ]; then
+ -f %%ETCSSH%%/ssh_host_ecdsa_key -a
+ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
  return 0
  fi
 
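Review bot: The new `-f %%ETCSSH%%/ssh_host_ecdsa_key -a` line in openssh_keygen() drops the trailing backslash that every other line of this `[ … ]` test carries, so the test now ends after a dangling `-a` and the following `-f %%ETCSSH%%/ssh_host_ed25519_key ]; then` line is parsed as a separate command. On /bin/sh that presumably means the test errors out and `-f` is looked up as a command, so the early `return 0` is never taken and the script falls through to the per-key checks on every start, with error noise in the boot log. Restoring the continuation fixes it: `-f %%ETCSSH%%/ssh_host_ecdsa_key -a \`. openssh_keygen() continues outside this hunk.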
@@ -83,6 +84,15 @@ openssh_keygen()
  %%PREFIX%%/bin/ssh-keygen -t ecdsa \
  -f %%ETCSSH%%/ssh_host_ecdsa_key -N ''
  fi
+
+ if [ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then
+ echo "You already have a Elliptic Curve ED25519 host key" \
+ "in %%ETCSSH%%/ssh_host_ed25519_key"
+ echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
+ else
+ %%PREFIX%%/bin/ssh-keygen -t ed25519 \
+ -f %%ETCSSH%%/ssh_host_ed25519_key -N ''
+ fi
 }
 
 openssh_check_same_ports(){
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
index 1066aa8ed0d2..9f2b6369dd66 100644
--- a/security/openssh-portable/files/patch-readconf.c
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -26,10 +26,10 @@ Submitted by: delphij@
 #include #include +#include + #include #include - #include
-@@ -265,7 +266,19 @@ add_local_forward(Options *options, cons
+@@ -282,7 +283,19 @@
  Forward *fwd;
  #ifndef NO_IPPORT_RESERVED_CONCEPT
  extern uid_t original_real_uid;
@@ -50,7 +50,7 @@ Submitted by: delphij@
  fatal("Privileged ports can only be forwarded by root.");
  #endif
  options->local_forwards = xrealloc(options->local_forwards,
-@@ -1281,7 +1294,7 @@ fill_default_options(Options * options)
+@@ -1607,7 +1620,7 @@
  if (options->batch_mode == -1)
  options->batch_mode = 0;
  if (options->check_host_ip == -1)
diff --git a/security/openssh-portable/files/patch-sandbox-capsicum.c b/security/openssh-portable/files/patch-sandbox-capsicum.c
new file mode 100644
index 000000000000..3f91db8d3469
--- /dev/null
+++ b/security/openssh-portable/files/patch-sandbox-capsicum.c
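Review bot: The two new user-facing messages say `a Elliptic Curve ED25519 host key`; besides the article, the algorithm is normally written Ed25519, matching the `ssh-keygen -t ed25519` invocation two lines below. Suggest `echo "You already have an Ed25519 host key" \` and `echo "Skipping protocol version 2 Ed25519 Key Generation"`. This is the fourth copy of the same check/skip/generate pattern in openssh_keygen(); folding the key types into one loop would remove the duplication, but that touches lines outside this hunk.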
@@ -0,0 +1,17 @@
+--- sandbox-capsicum.c.orig 2014-01-25 16:39:53.000000000 -0600
++++ sandbox-capsicum.c 2014-02-02 20:14:02.881233373 -0600
+@@ -94,10 +94,12 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ fatal("can't limit stderr: %m");
+ 
+ cap_rights_init(&rights, CAP_READ, CAP_WRITE);
+- if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
++ if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1 &&
++ errno != ENOSYS)
+ fatal("%s: failed to limit the network socket", __func__);
+ cap_rights_init(&rights, CAP_WRITE);
+- if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
++ if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1 &&
++ errno != ENOSYS)
+ fatal("%s: failed to limit the logging socket", __func__);
+ if (cap_enter() < 0 && errno != ENOSYS)
+ fatal("%s: failed to enter capability mode", __func__);
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index 55363fb67186..67e45e98a1fe 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -39,3 +39,12 @@
  if (options->kbd_interactive_authentication == -1)
  options->kbd_interactive_authentication = 0;
  if (options->challenge_response_authentication == -1)
+@@ -335,7 +339,7 @@
+ options->version_addendum = xstrdup("");
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+- use_privsep = PRIVSEP_NOSANDBOX;
++ use_privsep = PRIVSEP_ON;
+ 
+ #ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 422d49a735b1..9f4c84f4d88d 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -42,7 +42,7 @@ connections, do not protect connection handlers spawned from inetd.
  #include
  #ifdef HAVE_SYS_STAT_H
  # include
-@@ -83,6 +83,13 @@
+@@ -83,6 +84,13 @@
  #include
  #endif
 
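Review bot: Tolerating ENOSYS from both cap_rights_limit() calls means that on a kernel without capsicum the privsep child now reaches the existing `cap_enter() < 0 && errno != ENOSYS` check, tolerates that too, and continues with no sandbox at all while nothing is logged about it. That matches how upstream already treats cap_enter(), but the intent deserves a comment above the first new condition, e.g. `/* ENOSYS: kernel lacks capsicum; fall through and let the cap_enter() check below tolerate it the same way */`, and a debug() message in the ENOSYS case would let an operator confirm from the logs whether the sandbox is actually in force. Every other errno still reaches fatal(), which is the right default. ssh_sandbox_child() begins and ends outside this inner hunk.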
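Review bot: Switching the compiled-in default from `PRIVSEP_NOSANDBOX` to `PRIVSEP_ON` is the behavioural core of this commit, yet patch-servconf.c carries no header explaining why it diverges from upstream, whereas the sibling patch-readconf.c and patch-sshd.c files in this same diff do have such headers. A header line along the lines of `Default UsePrivilegeSeparation to sandbox; the crash that prompted r328706 is fixed upstream (see patch-sandbox-capsicum.c)` would keep the reason with the patch across future upgrades. The function containing this inner hunk starts outside it.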
@@ -56,18 +56,18 @@ connections, do not protect connection handlers spawned from inetd.
  #include "xmalloc.h"
  #include "ssh.h"
  #include "ssh1.h"
-@@ -1823,6 +1824,10 @@
+@@ -1877,6 +1885,10 @@
  /* Reinitialize the log (because of the fork above). */
  log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
-+ /* Avoid killing the process in high-pressure swapping environments. */
-+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
-+ debug("madvise(): %.200s", strerror(errno));
++ /* Avoid killing the process in high-pressure swapping environments. */
++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
++ debug("madvise(): %.200s", strerror(errno));
 +
- /* Initialize the random number generator. */
- arc4random_stir();
- 
-@@ -1864,6 +1871,29 @@
+ /* Chdir to the root directory so that the current disk can be
+ unmounted if desired. */
+ if (chdir("/") == -1)
+@@ -1995,6 +2007,29 @@
  signal(SIGCHLD, SIG_DFL);
  signal(SIGINT, SIG_DFL);
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index b6a6013d2390..773f90d667f0 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -10,7 +10,7 @@
  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
-@@ -37,7 +40,7 @@
+@@ -41,7 +44,7 @@
  # Authentication:
  
  #LoginGraceTime 2m
@@ -19,7 +19,7 @@
  #StrictModes yes
  #MaxAuthTries 6
  #MaxSessions 10
-@@ -46,8 +49,7 @@
+@@ -50,8 +53,7 @@
  #PubkeyAuthentication yes
  
  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -29,7 +29,7 @@
  
  #AuthorizedPrincipalsFile none
  
-@@ -64,11 +66,11 @@
+@@ -68,11 +70,11 @@
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
 
@@ -44,16 +44,16 @@
  #ChallengeResponseAuthentication yes
  
  # Kerberos options
-@@ -81,7 +83,7 @@
+@@ -85,7 +87,7 @@
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  
--# Set this to 'yes' to enable PAM authentication, account processing,
+-# Set this to 'yes' to enable PAM authentication, account processing,
 +# Set this to 'no' to disable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
+ # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication. Depending on your PAM configuration,
-@@ -90,19 +92,19 @@
+@@ -94,12 +96,12 @@
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
@@ -67,12 +67,13 @@
 +#X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes
- #PrintMotd yes
+ #PermitTTY yes
+@@ -107,7 +109,7 @@
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
 -UsePrivilegeSeparation sandbox # Default for new installations.
-+#UsePrivilegeSeparation yes
++#UsePrivilegeSeparation sandbox
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
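Review bot: The new `+#UsePrivilegeSeparation sandbox` line is a comment, while the upstream line it replaces (`UsePrivilegeSeparation sandbox # Default for new installations.`) was an active directive, so the shipped sshd_config no longer turns the sandbox on by itself; the effective default now rests entirely on the patch-servconf.c change to PRIVSEP_ON in this same commit, and the two have to be kept in step on every update. A comment beside it such as `# Default is "sandbox" via a local servconf.c patch; "yes" runs privilege separation without the sandbox` would make that dependency visible to administrators reading the file. The rest of this hunk only renumbers inner hunk headers.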