- Update to OpenSSH 2.9.9p2

- security-patch for cookie files obsolete
- MD5 password support activated

Approved by:	dwcjr@FreeBSD.org

security/hpn-ssh/Makefile

@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	openssh
-PORTVERSION=	2.9p2
+PORTVERSION=	2.9.9p2
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \
@@ -22,7 +22,7 @@ MAN8=	sftp-server.8 sshd.8
 CRYPTOLIBS=	-L${OPENSSLLIB} -lcrypto
 USE_OPENSSL=	YES
 GNU_CONFIGURE=	yes
-CONFIGURE_ARGS?=	--prefix=${PREFIX}
+CONFIGURE_ARGS?=	--prefix=${PREFIX} --with-md5-passwords
 
 .if exists(/usr/include/security/pam_modules.h)
 CONFIGURE_ARGS+=	--with-pam

security/hpn-ssh/distinfo

@@ -1 +1 @@
-MD5 (openssh-2.9p2.tar.gz) = fb5ea44cb5a894bed7b610c5a517542d
+MD5 (openssh-2.9.9p2.tar.gz) = 5061e6e0748713bca1b40fc8b13ff5ce

security/hpn-ssh/files/patch-cookie

@@ -1,66 +0,0 @@
---- channels.c.orig	Tue Apr 17 14:55:03 2001
-+++ channels.c	Sat Jun  9 06:43:41 2001
-@@ -1612,7 +1612,7 @@
- 		switch (channels[i].type) {
- 		case SSH_CHANNEL_AUTH_SOCKET:
- 			close(channels[i].sock);
--			unlink(channels[i].path);
-+			/* auth_sock_cleanup_proc deletes the socket */
- 			channel_free(i);
- 			break;
- 		case SSH_CHANNEL_PORT_LISTENER:
---- session.c.orig	Sun Jun 17 05:40:51 2001
-+++ session.c	Sun Aug 19 18:20:27 2001
-@@ -235,6 +235,7 @@
- 	int success, type, n_bytes, plen, screen_flag, have_pty = 0;
- 	int compression_level = 0, enable_compression_after_reply = 0;
- 	u_int proto_len, data_len, dlen;
-+	struct stat st;
- 
- 	s = session_new();
- 	s->pw = authctxt->pw;
-@@ -317,7 +318,8 @@
- 				packet_send_debug("X11 forwarding disabled in server configuration file.");
- 				break;
- 			}
--			if (!options.xauth_location) {
-+			if (!options.xauth_location ||
-+			    (stat(options.xauth_location, &st) == -1)) {
- 				packet_send_debug("No xauth program; cannot forward with spoofing.");
- 				break;
- 			}
-@@ -1384,10 +1386,11 @@
- 	if (!options.use_login) {
- 		/* ignore _PATH_SSH_USER_RC for subsystems */
- 		if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
-+			snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
-+			    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
- 			if (debug_flag)
--				fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
--				    _PATH_SSH_USER_RC);
--			f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w");
-+				fprintf(stderr, "Running %s\n", cmd);
-+			f = popen(cmd, "w");
- 			if (f) {
- 				if (do_xauth)
- 					fprintf(f, "%s %s\n", s->auth_proto,
-@@ -1707,12 +1710,19 @@
- int
- session_x11_req(Session *s)
- {
-+	struct stat st;
-+
- 	if (no_x11_forwarding_flag) {
- 		debug("X11 forwarding disabled in user configuration file.");
- 		return 0;
- 	}
- 	if (!options.x11_forwarding) {
- 		debug("X11 forwarding disabled in server configuration file.");
-+		return 0;
-+	}
-+	if (!options.xauth_location ||
-+            (stat(options.xauth_location, &st) == -1)) {
-+		packet_send_debug("No xauth program; cannot forward with spoofig.");
- 		return 0;
- 	}
- 	debug("Received request for X11 forwarding with auth spoofing.");

security/hpn-ssh/files/patch-session.c

@@ -1,6 +1,6 @@
---- session.c.orig	Sun Jun 10 17:22:44 2001
-+++ session.c	Sun Jun 10 17:23:22 2001
-@@ -514,6 +514,13 @@
+--- session.c.orig	Mon Sep 17 00:17:15 2001
++++ session.c	Wed Oct  3 14:18:36 2001
+@@ -437,6 +437,13 @@
  		log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
  		/*
@@ -14,10 +14,11 @@
  		 * Create a new session and process group since the 4.4BSD
  		 * setlogin() affects the entire process group.
  		 */
-@@ -628,6 +635,13 @@
+@@ -551,6 +558,14 @@
+ 
  		/* Child.  Reinitialize the log because the pid has changed. */
  		log_init(__progname, options.log_level, options.log_facility, log_stderr);
- 
++
 +		/*
 +		 * Using login and executing a specific "command" are mutually
 +		 * exclusive, so turn off use_login if there's a command.
@@ -28,7 +29,7 @@
  		/* Close the master side of the pseudo tty. */
  		close(ptyfd);
  
-@@ -707,6 +721,11 @@
+@@ -682,6 +697,11 @@
  	time_t last_login_time;
  	struct passwd * pw = s->pw;
  	pid_t pid = getpid();
@@ -40,7 +41,7 @@
  
  	/*
  	 * Get IP address of client. If the connection is not a socket, let
-@@ -767,6 +786,21 @@
+@@ -742,6 +762,21 @@
  			printf("Last login: %s from %s\r\n", time_string, hostname);
  	}
  
@@ -62,7 +63,7 @@
  	do_motd();
  }
  
-@@ -1376,7 +1410,7 @@
+@@ -1340,7 +1375,7 @@
  	 * initgroups, because at least on Solaris 2.3 it leaves file
  	 * descriptors open.
  	 */
@@ -71,7 +72,7 @@
  		close(i);
  
  	/* Change current directory to the user\'s home directory. */
-@@ -1400,6 +1434,28 @@
+@@ -1376,6 +1411,28 @@
  	 * in this order).
  	 */
  	if (!options.use_login) {

security/hpn-ssh/files/patch-sshconnect.c

@@ -1,12 +1,13 @@
---- sshconnect.c.orig	Fri Apr 13 01:34:36 2001
-+++ sshconnect.c	Fri Jun  1 08:01:05 2001
-@@ -504,10 +504,12 @@
- 		local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+--- sshconnect.c.orig	Wed Aug  8 00:29:09 2001
++++ sshconnect.c	Wed Oct  3 14:28:15 2001
+@@ -577,11 +577,13 @@
+ 		    sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
  		salen = sizeof(struct sockaddr_in);
  		break;
 +#ifdef INET6
  	case AF_INET6:
- 		local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
+ 		local = IN6_IS_ADDR_LOOPBACK(
+ 		    &(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
  		salen = sizeof(struct sockaddr_in6);
  		break;
 +#endif

security/hpn-ssh/pkg-plist

@@ -8,4 +8,5 @@ bin/ssh-keygen
 bin/ssh-keyscan
 bin/sftp
 sbin/sshd
+share/Ssh.bin
 libexec/sftp-server

security/openssh-portable/Makefile

@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	openssh
-PORTVERSION=	2.9p2
+PORTVERSION=	2.9.9p2
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \
@@ -22,7 +22,7 @@ MAN8=	sftp-server.8 sshd.8
 CRYPTOLIBS=	-L${OPENSSLLIB} -lcrypto
 USE_OPENSSL=	YES
 GNU_CONFIGURE=	yes
-CONFIGURE_ARGS?=	--prefix=${PREFIX}
+CONFIGURE_ARGS?=	--prefix=${PREFIX} --with-md5-passwords
 
 .if exists(/usr/include/security/pam_modules.h)
 CONFIGURE_ARGS+=	--with-pam

security/openssh-portable/distinfo

@@ -1 +1 @@
-MD5 (openssh-2.9p2.tar.gz) = fb5ea44cb5a894bed7b610c5a517542d
+MD5 (openssh-2.9.9p2.tar.gz) = 5061e6e0748713bca1b40fc8b13ff5ce

security/openssh-portable/files/patch-cookie

@@ -1,66 +0,0 @@
---- channels.c.orig	Tue Apr 17 14:55:03 2001
-+++ channels.c	Sat Jun  9 06:43:41 2001
-@@ -1612,7 +1612,7 @@
- 		switch (channels[i].type) {
- 		case SSH_CHANNEL_AUTH_SOCKET:
- 			close(channels[i].sock);
--			unlink(channels[i].path);
-+			/* auth_sock_cleanup_proc deletes the socket */
- 			channel_free(i);
- 			break;
- 		case SSH_CHANNEL_PORT_LISTENER:
---- session.c.orig	Sun Jun 17 05:40:51 2001
-+++ session.c	Sun Aug 19 18:20:27 2001
-@@ -235,6 +235,7 @@
- 	int success, type, n_bytes, plen, screen_flag, have_pty = 0;
- 	int compression_level = 0, enable_compression_after_reply = 0;
- 	u_int proto_len, data_len, dlen;
-+	struct stat st;
- 
- 	s = session_new();
- 	s->pw = authctxt->pw;
-@@ -317,7 +318,8 @@
- 				packet_send_debug("X11 forwarding disabled in server configuration file.");
- 				break;
- 			}
--			if (!options.xauth_location) {
-+			if (!options.xauth_location ||
-+			    (stat(options.xauth_location, &st) == -1)) {
- 				packet_send_debug("No xauth program; cannot forward with spoofing.");
- 				break;
- 			}
-@@ -1384,10 +1386,11 @@
- 	if (!options.use_login) {
- 		/* ignore _PATH_SSH_USER_RC for subsystems */
- 		if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
-+			snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
-+			    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
- 			if (debug_flag)
--				fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
--				    _PATH_SSH_USER_RC);
--			f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w");
-+				fprintf(stderr, "Running %s\n", cmd);
-+			f = popen(cmd, "w");
- 			if (f) {
- 				if (do_xauth)
- 					fprintf(f, "%s %s\n", s->auth_proto,
-@@ -1707,12 +1710,19 @@
- int
- session_x11_req(Session *s)
- {
-+	struct stat st;
-+
- 	if (no_x11_forwarding_flag) {
- 		debug("X11 forwarding disabled in user configuration file.");
- 		return 0;
- 	}
- 	if (!options.x11_forwarding) {
- 		debug("X11 forwarding disabled in server configuration file.");
-+		return 0;
-+	}
-+	if (!options.xauth_location ||
-+            (stat(options.xauth_location, &st) == -1)) {
-+		packet_send_debug("No xauth program; cannot forward with spoofig.");
- 		return 0;
- 	}
- 	debug("Received request for X11 forwarding with auth spoofing.");

security/openssh-portable/files/patch-session.c

@@ -1,6 +1,6 @@
---- session.c.orig	Sun Jun 10 17:22:44 2001
-+++ session.c	Sun Jun 10 17:23:22 2001
-@@ -514,6 +514,13 @@
+--- session.c.orig	Mon Sep 17 00:17:15 2001
++++ session.c	Wed Oct  3 14:18:36 2001
+@@ -437,6 +437,13 @@
  		log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
  		/*
@@ -14,10 +14,11 @@
  		 * Create a new session and process group since the 4.4BSD
  		 * setlogin() affects the entire process group.
  		 */
-@@ -628,6 +635,13 @@
+@@ -551,6 +558,14 @@
+ 
  		/* Child.  Reinitialize the log because the pid has changed. */
  		log_init(__progname, options.log_level, options.log_facility, log_stderr);
- 
++
 +		/*
 +		 * Using login and executing a specific "command" are mutually
 +		 * exclusive, so turn off use_login if there's a command.
@@ -28,7 +29,7 @@
  		/* Close the master side of the pseudo tty. */
  		close(ptyfd);
  
-@@ -707,6 +721,11 @@
+@@ -682,6 +697,11 @@
  	time_t last_login_time;
  	struct passwd * pw = s->pw;
  	pid_t pid = getpid();
@@ -40,7 +41,7 @@
  
  	/*
  	 * Get IP address of client. If the connection is not a socket, let
-@@ -767,6 +786,21 @@
+@@ -742,6 +762,21 @@
  			printf("Last login: %s from %s\r\n", time_string, hostname);
  	}
  
@@ -62,7 +63,7 @@
  	do_motd();
  }
  
-@@ -1376,7 +1410,7 @@
+@@ -1340,7 +1375,7 @@
  	 * initgroups, because at least on Solaris 2.3 it leaves file
  	 * descriptors open.
  	 */
@@ -71,7 +72,7 @@
  		close(i);
  
  	/* Change current directory to the user\'s home directory. */
-@@ -1400,6 +1434,28 @@
+@@ -1376,6 +1411,28 @@
  	 * in this order).
  	 */
  	if (!options.use_login) {

security/openssh-portable/files/patch-sshconnect.c

@@ -1,12 +1,13 @@
---- sshconnect.c.orig	Fri Apr 13 01:34:36 2001
-+++ sshconnect.c	Fri Jun  1 08:01:05 2001
-@@ -504,10 +504,12 @@
- 		local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+--- sshconnect.c.orig	Wed Aug  8 00:29:09 2001
++++ sshconnect.c	Wed Oct  3 14:28:15 2001
+@@ -577,11 +577,13 @@
+ 		    sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
  		salen = sizeof(struct sockaddr_in);
  		break;
 +#ifdef INET6
  	case AF_INET6:
- 		local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
+ 		local = IN6_IS_ADDR_LOOPBACK(
+ 		    &(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
  		salen = sizeof(struct sockaddr_in6);
  		break;
 +#endif

security/openssh-portable/pkg-plist

@@ -8,4 +8,5 @@ bin/ssh-keygen
 bin/ssh-keyscan
 bin/sftp
 sbin/sshd
+share/Ssh.bin
 libexec/sftp-server