1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-27 00:57:50 +00:00

- Update to 7.5p1.

- Update X509 to 10.1.
- Disable KERB_GSSAPI for now as it does not build.

Changes: https://www.openssh.com/txt/release-7.5
This commit is contained in:
Bryan Drewery 2017-04-01 01:59:25 +00:00
parent c451c8c9fd
commit 9051821be1
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=437391
6 changed files with 47 additions and 32 deletions

View File

@ -5,6 +5,23 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
20170331:
AFFECTS: users of security/openssh-portable
AUTHOR: bdrewery@FreeBSD.org
The format of several log messages emitted by the packet code has
changed to include additional information about the user and
their authentication state. Software that monitors ssh/sshd logs
may need to account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
20170326:
AFFECTS: users of samba43
AUTHOR: antoine@FreeBSD.org

View File

@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
DISTVERSION= 7.4p1
PORTREVISION= 1
DISTVERSION= 7.5p1
PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@ -58,10 +58,10 @@ HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
X509_VERSION= 9.3
X509_VERSION= 10.1
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue
X509_PATCHFILES= ${PORTNAME}-7.4p1+x509-${X509_VERSION}.diff.gz:-p1:x509
X509_PATCHFILES= ${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
@ -92,6 +92,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= No patch for 7.5 yet.
# Patch from:
# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
# which was originally based on 5.7 patch from
@ -215,6 +216,7 @@ test: build
OBJ=${WRKDIR} ${MAKE_ENV} \
TEST_SHELL=${SH} \
SUDO="${SUDO}" \
LOGNAME="${LOGNAME}" \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests

View File

@ -1,9 +1,9 @@
TIMESTAMP = 1484161900
SHA256 (openssh-7.4p1.tar.gz) = 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1
SIZE (openssh-7.4p1.tar.gz) = 1511780
SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0
SIZE (openssh-7.5p1.tar.gz) = 1510857
SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
SHA256 (openssh-7.4p1+x509-9.3.diff.gz) = 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee
SIZE (openssh-7.4p1+x509-9.3.diff.gz) = 446572
SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2
SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721
SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091

View File

@ -1181,8 +1181,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
char buf[256]; /* Must not be larger than remote_version. */
char remote_version[256]; /* Must be at least as big as buf. */
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+#ifdef HPN_ENABLED
+ options.hpn_disabled ? "" : SSH_HPN,
@ -1190,7 +1190,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ "",
+#endif
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
options.version_addendum);
@@ -1027,6 +1032,10 @@ server_listen(void)
int ret, listen_sock, on = 1;
@ -1203,7 +1203,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -1067,6 +1076,13 @@ server_listen(void)
@@ -1072,6 +1081,13 @@ server_listen(void)
debug("Bind to port %s on %s.", strport, ntop);
@ -1217,7 +1217,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
@@ -1591,6 +1607,15 @@ main(int ac, char **av)
@@ -1596,6 +1612,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@ -1233,7 +1233,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
@@ -2085,6 +2110,11 @@ main(int ac, char **av)
@@ -2099,6 +2124,11 @@ main(int ac, char **av)
}
#endif
@ -1245,7 +1245,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* In privilege separation, we fork another child and prepare
* file descriptor passing.
@@ -2163,6 +2193,11 @@ do_ssh2_kex(void)
@@ -2177,6 +2207,11 @@ do_ssh2_kex(void)
struct kex *kex;
int r;

View File

@ -5,9 +5,9 @@ Changed paths:
Apply class-imposed login restrictions.
--- auth2.c.orig 2012-12-02 16:53:20.000000000 -0600
+++ auth2.c 2013-05-22 17:21:37.979631466 -0500
@@ -46,6 +46,7 @@
--- auth2.c.orig 2017-03-19 19:39:27.000000000 -0700
+++ auth2.c 2017-03-20 11:52:27.960733000 -0700
@@ -47,6 +47,7 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
@ -15,12 +15,11 @@ Apply class-imposed login restrictions.
#include "dispatch.h"
#include "pathnames.h"
#include "buffer.h"
@@ -216,6 +217,14 @@ input_userauth_request(int type, u_int32
@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
+ struct ssh *ssh = active_state; /* XXX */
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+
@ -30,7 +29,7 @@ Apply class-imposed login restrictions.
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -262,6 +271,27 @@ input_userauth_request(int type, u_int32
@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}

View File

@ -1,5 +1,5 @@
--- sshd_config.5.orig 2016-12-18 20:59:41.000000000 -0800
+++ sshd_config.5 2017-01-11 13:35:46.496538000 -0800
--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
@@ -373,7 +373,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
@ -11,7 +11,7 @@
The default is
.Cm yes .
.It Cm ChrootDirectory
@@ -663,7 +665,9 @@ ssh-ed25519,ssh-rsa
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
The list of available key types may also be obtained using
.Qq ssh -Q key .
.It Cm HostbasedAuthentication
@ -22,7 +22,7 @@
with successful public key client host authentication is allowed
(host-based authentication).
The default is
@@ -1120,7 +1124,22 @@ are refused if the number of unauthentic
@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@ -45,7 +45,7 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -1216,6 +1235,13 @@ and
@@ -1232,6 +1251,13 @@ and
.Cm ethernet .
The default is
.Cm no .
@ -59,16 +59,13 @@
.Pp
Independent of this setting, the permissions of the selected
.Xr tun 4
@@ -1473,7 +1499,7 @@ is enabled, you will not be able to run
@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
-.Cm no .
+.Cm yes .
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
@@ -1500,7 +1526,10 @@ The default is
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
@ -80,7 +77,7 @@
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
@@ -1514,7 +1543,7 @@ The argument must be
@@ -1512,7 +1541,7 @@ The argument must be
or
.Cm no .
The default is