security/openssh-portable: Update to 8.9p1

- Unbreak GSSAPI [1] - rc.d/openssh: Allow modifying host key generation [2] Changes: https://www.openssh.com/txt/release-8.9 PR: 259909 [1] PR: 202169 [2] Submitted by: Rick Miller [1] Submitted by: Chad Jacob Milios [2]
2025-02-07 11:49:40 +00:00 · 2022-03-03 10:27:34 -08:00 · 2022-03-03 10:27:34 -08:00 · ae66cffc19
commit ae66cffc19
parent ad60ad3528
9 changed files with 80 additions and 81 deletions
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@ -1,8 +1,8 @@
 # Created by: dwcjr@inethouston.net

 PORTNAME=	openssh
-DISTVERSION=	8.8p1
-PORTREVISION=	2
+DISTVERSION=	8.9p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@ -100,7 +100,7 @@ PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex

 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
-BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
+#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
@ -114,7 +114,7 @@ PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_S
 # Bump this when updating the patch location
 GSSAPI_UPDATE_DATE=	20200607
 PATCHFILES+=	openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
-EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-sshconnect2.c
+EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-auth2-gss.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
 .endif
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@ -1,3 +1,5 @@
-TIMESTAMP = 1634059537
-SHA256 (openssh-8.8p1.tar.gz) = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
-SIZE (openssh-8.8p1.tar.gz) = 1815060
+TIMESTAMP = 1646332316
+SHA256 (openssh-8.9p1.tar.gz) = fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
+SIZE (openssh-8.9p1.tar.gz) = 1820282
+SHA256 (openssh-8.9p1-gsskex-all-20141021-debian-rh-20200607.patch) = 0e53e7d26c54713afdb6bca7c6034ab1b2b35483270feaa5e7665ceda9867f16
+SIZE (openssh-8.9p1-gsskex-all-20141021-debian-rh-20200607.patch) = 127245
--- a/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
+++ b/security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
@ -0,0 +1,19 @@
+--- auth2-gss.c.orig	2022-03-03 10:56:35.668672000 -0800
+++ auth2-gss.c	2022-03-03 11:03:16.048838000 -0800
+@@ -59,7 +59,7 @@ static int input_gssapi_errtok(int, u_int32_t, struct 
+  * The 'gssapi_keyex' userauth mechanism.
+  */
+ static int
+-userauth_gsskeyex(struct ssh *ssh)
+userauth_gsskeyex(struct ssh *ssh, const char *method)
+ {
+ 	Authctxt *authctxt = ssh->authctxt;
+ 	int r, authenticated = 0;
+@@ -373,6 +373,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh 
+ 
+ Authmethod method_gsskeyex = {
+ 	"gssapi-keyex",
+	NULL,
+ 	userauth_gsskeyex,
+ 	&options.gss_authentication
+ };
--- a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
+++ b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c
@ -1,12 +0,0 @@
-Avoid free(const char*)
--- sshconnect2.c.orig	2020-11-19 14:56:54.387846000 -0800
-+++ sshconnect2.c	2020-11-19 14:57:04.445045000 -0800
-@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh)
- 		/* Fall back to specified host if we are using proxy command
- 		 * and can not use DNS on that socket */
- 		if (strcmp(gss_host, "UNKNOWN") == 0) {
-			gss_host = authctxt->host;
-+			gss_host = xstrdup(authctxt->host);
- 		}
- 	} else {
- 		gss_host = xstrdup(authctxt->host);
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@ -309,9 +309,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 			free(cipher_list);
 			return 0;
 		}
--- work/openssh-7.7p1/clientloop.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ work/openssh-7.7p1/clientloop.c	2018-06-27 16:40:24.560906000 -0700
-@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
+--- work/openssh/clientloop.c.orig	2022-02-23 03:31:11.000000000 -0800
+++ work/openssh/clientloop.c	2022-03-02 12:53:47.624273000 -0800
+@@ -1571,6 +1571,15 @@ client_request_x11(struct ssh *ssh, const char *reques
 	sock = x11_connect_display(ssh);
 	if (sock < 0)
 		return NULL;
@ -327,10 +327,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c = channel_new(ssh, "x11",
 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
- 			    __func__, ssh_err(r));
- 		return NULL;
- 	}
+@@ -1606,6 +1615,14 @@ client_request_agent(struct ssh *ssh, const char *requ
+ 	else
+ 		debug2_fr(r, "ssh_agent_bind_hostkey");
+ 
 +#ifdef HPN_ENABLED
 +	if (!options.hpn_disabled)
 +		c = channel_new(ssh, "authentication agent connection",
@ -342,7 +342,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 	c = channel_new(ssh, "authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1634,6 +1651,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 	}
 	debug("Tunnel forwarding using interface %s", ifname);
 
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@ -83,11 +83,9 @@ index 0ade557..045f149 100644
 
 	/* Log the connection. */
 	laddr = get_local_ipaddr(sock_in);
-diff --git configure.ac configure.ac
-index f48ba4a..66fbe82 100644
--- configure.ac.orig	2019-04-17 15:52:57.000000000 -0700
-+++ configure.ac	2019-07-02 20:58:48.627832000 -0700
-@@ -1494,6 +1494,62 @@ else
+--- configure.ac.orig	2022-02-23 03:31:11.000000000 -0800
+++ configure.ac	2022-03-02 12:47:49.958341000 -0800
+@@ -1599,6 +1599,62 @@ else
 	AC_MSG_RESULT([no])
 fi
 
@ -150,11 +148,11 @@ index f48ba4a..66fbe82 100644
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -5245,6 +5301,7 @@ echo "                       PAM support: $PAM_MSG"
+@@ -5593,6 +5649,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
- echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@ -22,6 +22,15 @@ load_rc_config ${name}
 : ${openssh_enable:="NO"}
 : ${openssh_skipportscheck="NO"}

+: ${openssh_dsa_keygen_enable="YES"}
+: ${openssh_dsa_keygen_flags=""}
+: ${openssh_rsa_keygen_enable="YES"}
+: ${openssh_rsa_keygen_flags=""}
+: ${openssh_ecdsa_keygen_enable="YES"}
+: ${openssh_ecdsa_keygen_flags=""}
+: ${openssh_ed25519_keygen_enable="YES"}
+: ${openssh_ed25519_keygen_flags=""}
+
 command=%%PREFIX%%/sbin/sshd
 extra_commands="configtest reload keygen"
 start_precmd="${name}_checks"
@ -33,10 +42,16 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"}

 openssh_keygen()
 {
-	if [ -f %%ETCDIR%%/ssh_host_dsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_rsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_ecdsa_key -a \
-	    -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
+	local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
+	checkyesno openssh_dsa_keygen_enable || skip_dsa=y
+	checkyesno openssh_rsa_keygen_enable || skip_rsa=y
+	checkyesno openssh_ecdsa_keygen_enable || skip_ecdsa=y
+	checkyesno openssh_ed25519_keygen_enable || skip_ed25519=y
+
+	if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
+	    \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
+	    \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
+	    \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
 		return 0
 	fi

@ -50,8 +65,8 @@ openssh_keygen()
 		echo "You already have a DSA host key" \
 			"in %%ETCDIR%%/ssh_host_dsa_key"
 		echo "Skipping protocol version 2 DSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t dsa \
+	elif checkyesno openssh_dsa_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_dsa_key -N ''
 	fi

@ -59,8 +74,8 @@ openssh_keygen()
 		echo "You already have a RSA host key" \
 			"in %%ETCDIR%%/ssh_host_rsa_key"
 		echo "Skipping protocol version 2 RSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t rsa \
+	elif checkyesno openssh_rsa_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_rsa_key -N ''
 	fi

@ -68,8 +83,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve DSA host key" \
 			"in %%ETCDIR%%/ssh_host_ecdsa_key"
 		echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t ecdsa \
+	elif checkyesno openssh_ecdsa_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
 	fi

@ -77,8 +92,8 @@ openssh_keygen()
 		echo "You already have a Elliptic Curve ED25519 host key" \
 			"in %%ETCDIR%%/ssh_host_ed25519_key"
 		echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
-	else
-		%%PREFIX%%/bin/ssh-keygen -t ed25519 \
+	elif checkyesno openssh_ed25519_keygen_enable; then
+		%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_keygen_flags \
 			-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
 	fi
 }
--- a/security/openssh-portable/files/patch-platform-tracing.c
+++ b/security/openssh-portable/files/patch-platform-tracing.c
@ -1,25 +0,0 @@
--- platform-tracing.c.orig	2021-09-26 07:03:19.000000000 -0700
-+++ platform-tracing.c	2021-10-15 10:08:20.537813000 -0700
-@@ -16,6 +16,10 @@
- 
- #include "includes.h"
- 
-+#if defined(HAVE_PROCCTL)
-+#include <string.h>
-+#include <unistd.h>
-+#endif
- #include <sys/types.h>
- #ifdef HAVE_SYS_PROCCTL_H
- #include <sys/procctl.h>
-@@ -40,8 +44,9 @@ platform_disable_tracing(int strict)
- 	/* On FreeBSD, we should make this process untraceable */
- 	int disable_trace = PROC_TRACE_CTL_DISABLE;
- 
-	if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
-		fatal("unable to make the process untraceable");
-+	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
-+		fatal("unable to make the process untraceable: %s for pid %d",
-+		    strerror(errno), (int)getpid());
- #endif
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- 	/* Disable ptrace on Linux without sgid bit */
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.

--- ssh-agent.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ ssh-agent.c	2021-04-27 11:47:59.362589000 -0700
-@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+--- ssh-agent.c.orig	2022-02-23 03:31:11.000000000 -0800
+++ ssh-agent.c	2022-03-02 12:50:47.745853000 -0800
+@@ -189,11 +189,28 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
 /* Refuse signing of non-SSH messages for web-origin FIDO keys */
 static int restrict_websafe = 1;
 
@ -27,17 +27,19 @@ disconnected.
 static void
 close_socket(SocketEntry *e)
 {
+ 	size_t i;
 +	int last = 0;
-+
+ 
 +	if (e->type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount - 1);
 +		if (--xcount == 0)
 +			last = 1;
 +	}
+
 	close(e->fd);
 	sshbuf_free(e->input);
 	sshbuf_free(e->output);
-@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
+@@ -206,6 +223,8 @@ close_socket(SocketEntry *e)
 	memset(e, '\0', sizeof(*e));
 	e->fd = -1;
 	e->type = AUTH_UNUSED;
@ -46,7 +48,7 @@ disconnected.
 }
 
 static void
-@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
+@@ -1707,6 +1726,10 @@ new_socket(sock_type type, int fd)
 
 	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
 	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
@ -57,7 +59,7 @@ disconnected.
 	set_nonblock(fd);
 
 	if (fd > max_fd)
-@@ -1360,7 +1383,7 @@ static void
+@@ -1999,7 +2022,7 @@ static void
 usage(void)
 {
 	fprintf(stderr,
@ -66,7 +68,7 @@ disconnected.
 	    "                 [-P allowed_providers] [-t life]\n"
 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
 	    "                 [-t life] command [arg ...]\n"
-@@ -1394,6 +1417,7 @@ main(int ac, char **av)
+@@ -2033,6 +2056,7 @@ main(int ac, char **av)
 	/* drop */
 	setegid(getgid());
 	setgid(getgid());
@ -74,7 +76,7 @@ disconnected.
 
 	platform_disable_tracing(0);	/* strict=no */
 
-@@ -1405,7 +1429,7 @@ main(int ac, char **av)
+@@ -2044,7 +2068,7 @@ main(int ac, char **av)
 	__progname = ssh_get_progname(av[0]);
 	seed_rng();
 
@ -83,7 +85,7 @@ disconnected.
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1454,6 +1478,9 @@ main(int ac, char **av)
+@@ -2093,6 +2117,9 @@ main(int ac, char **av)
 				fprintf(stderr, "Invalid lifetime\n");
 				usage();
 			}