1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-18 00:10:04 +00:00
Commit Graph

37 Commits

Author SHA1 Message Date
Brian Feldman
d64b6e2fd2 I've cleaned up ${CVS_DATE} usage a bit (keep spaces correctly), and
updated to today's snapshot of OpenSSH.

Various updates from the latest ${CVS_DATE}, and requisite patch
changes, are the "big new thing".  Nothing major has changed;  the
biggest ones would be using atomicio() in a lot of places and a
fix for a SIGHUP not updating sshd(8)'s configuration until the
next connection.
1999-12-08 04:06:38 +00:00
Brian Feldman
7db4f457f6 In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources.  In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
   So here we are, rate-limiting.  The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
   More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least.  This is, essentially, a
stopgap solution;  however, it is a properly implemented and documented
one, and has an easily modifiable framework.
1999-12-06 06:32:22 +00:00
Brian Feldman
c249079362 Under advisories, put RESTRICTED back. It more accurately reflects
reality, though.  One file, cipher.c, calls cryptographic routines
from external libraries.  This really cannot encumber OpenSSH in
any case, but I put RESTRICTED back since it would give people a
false hope of being able to install the OpenSSH package but
not the requisite, RESTRICTED (so nonexistant) openssl package.
1999-12-06 06:26:17 +00:00
Brian Feldman
1394b1ef56 Good-bye, RESTRICTED.
Reasons:
1. It's not crypto.
2. It links with crypto.
	a. That crypto is in the public domain.
	b. Linking with crypto does not constitute cryptography.
3. Even if it were crypto, the description of the entire protocol, etc.,
   is in the public domain.  The RFC is PD in the USA, and the white paper
   in Europe.
4. Precedence?  Even if it were crypto, the Bernstein case has set
   precedence for allowing export of that.  But it's not even crypto.
1999-12-06 04:49:22 +00:00
Brian Feldman
99f8fb2572 Reduce LoginGraceTime from 10 minutes (!!!) to 30 seconds. More to
come, soon.
1999-12-04 12:40:39 +00:00
Brian Feldman
c52ee5193f Add the PAM SSH RSA key authentication module. For example, you can add,
"login  auth    sufficient      pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)

PR:		15158
Submitted by:	Andrew J. Korty <ajk@waterspout.com>
Reviewed by:	obrien
1999-11-29 07:09:45 +00:00
Brian Feldman
8e53bbefee Update to a current CVS_DATE. The only real change I see is the (big)
change of KNFization being finalized :)

Patches had to be modified, but should look "better" according to
style(9), now.
1999-11-28 22:40:28 +00:00
Brian Feldman
cc029c1647 Change CFLAGS to get modified in Makefile.inc, fixing the
problem several people have reported with make.conf setting ${CFLAGS}.

Partially submitted by:	Jos Backus <Jos.Backus@nl.origin-it.com>
1999-11-28 21:40:58 +00:00
Brian Feldman
56a0d0c739 Also, set SSH_PROGRAM correctly. 1999-11-24 03:39:54 +00:00
Brian Feldman
f0ca59b2b5 Update the CVS_DATE. This brings in support for TIS authentication,
obsoleting a couple patches (it's the same code, though, except for
additions).

This also brings in KNFization of everything (please hold the cheering
down :) and made me reroll all my patches.

My patches have been almost entirely rewritten.  The places are the
same, but the code's rewritten.  It fits with the style (KNF) now,
and looks better.

I've also added strlcat.c to the build, which, just like strlcpy.c, is
necessary for compatibility with older libcs.  After strlcat() snuck
into the OpenSSH code recently, this would prevent OpenSSH from
building on (e.g.) FreeBSD 3.2.  Adding it to ssh/lib/ makes it work
yet again :)
1999-11-24 03:36:23 +00:00
Brian Feldman
f9d23e53cc Correct ssh-keygen usage.
Submitted by:	Larry Baird <lab@gta.com>
1999-11-23 03:04:05 +00:00
Brian Feldman
64c59a88a8 Clean up some shell scripting and replace it with proper Makefile
syntax.  Run ssh-keygen for ssh_host_key on port install, not just
package install.
1999-11-22 22:45:47 +00:00
Brian Feldman
64484c75cf I wish CVS would report new files. This broke the carefully designed
mirroring system.  The tarball was fine, but the extraction was not
1999-11-22 22:44:47 +00:00
Brian Feldman
41408c5a51 And away we go! Here comes the source mirror, thanks Mark!
Submitted by:	markm
1999-11-21 23:10:48 +00:00
Brian Feldman
7b3d367711 Update to the latest CVS_DATE, obsoleting patches patch-a[yz].
Add "ignorelogin" login.conf functionality to sshd.

The biggest change: new port functionality.  Making "fetchsrctarball"
will soon work for those of you who cannot use CVS to get OpenSSH.
Mark Murray, the savior he is :), will use "make makesrctarball" and
put the snapshots of OpenSSH source in the proper place.

The current ${MASTER_SITES} is just a guess at where the snapshot
files could be hosted; something definite should be worked out very
soon.
1999-11-21 16:42:44 +00:00
Brian Feldman
f12ea805b6 Set all the default PATHs correctly, removing a "hack"-ish ${PERL}
transform.

Prompted by:	deraadt
1999-11-20 22:54:06 +00:00
Brian Feldman
5ef3dcc5cb Give OpenSSH TIS client-side authentication.
Submitted by:	peter
1999-11-20 06:59:57 +00:00
Brian Feldman
db8a62a578 ARGH! Remember the echo -n ' sshd'. 1999-11-20 03:55:29 +00:00
Brian Feldman
7382aa363a Change around sshd.sh for the last time. 1999-11-20 03:42:05 +00:00
Brian Feldman
c2edf69286 Turn on HAVE_OPENPTY so more than 16 terminals work with sshd.
Put sshd.sh installation in the pre-install, ssh_host_key generation
back in the PLIST, and check for ssh_config, too.  This port now
works much better as a package.  The configuration files and sshd.sh
are also part of the package, and as such removed on deinstall.

The proper upgrade procedure from one OpenSSH version to a newer one is:
chflags schg /usr/local/etc/ssh*	# preserve them from deletion
cd /usr/ports/security/openssh
make all deinstall reinstall clean

Partially submitted by:	peter
1999-11-20 03:05:31 +00:00
Brian Feldman
8e684ae74d Add that pesky slogin link to the packing list. 1999-11-20 01:55:53 +00:00
Brian Feldman
8a53efc29c Update to the latest CVS_DATE (now =) The biggest change to the OpenBSD
code tree is the addition of the SSH_CMSG_MAX_PACKET_SIZE command.

Really big tiny change:	PermitRootLogin is now DISABLED by default.  This
change has been specifically okayed.

Reviewed by:	imp
1999-11-20 01:52:21 +00:00
Brian Feldman
6ddc61a499 Make the second CVS site work for real.
Move sshd.sh to files and ${INSTALL_SCRIPT}/${PERL} -pi it.

Clean up the Makefile's style a bit (MNF anyone? :)

Add WWW: to pkg/DESCR.

Change MASTER_SITES back to CVS_SITES to avoid problems with
MASTER_SITE_OVERRIDE.

Parts submitted by:	Christian Weisgerber <naddy@mips.rhein-neckar.de>, Robert Muir <rmuir@gibralter.net>
1999-11-18 01:46:43 +00:00
Brian Feldman
db156967fa Update OpenSSH to the latest CVS_DATE.
CVS_SITE is now MASTER_SITES, and each is tried if the previous fails

Include a :pserver: as one of the CVS repositories, so those inside firewalls
should be able to fetch SSH.  If this doesn't work for everyone, I've still
got a trick up my sleeve.

Fix rlimit-related warnings people are seeing by moving the setclasscontext()
to before the switching of uids.  Let me know if this does not work, as I
never got the warnings in the first place.

Don't clobber sshd_config, etc.  Instead, if they're there, just warn of
their existance.

Take the config files and sshd.sh out of the pkg/PLIST, mainly so you don't
lose your configuration files by doing a "make deinstall reinstall clean"
update.

Parts submitted by:	Robert Muir <rmuir@gibralter.net>, Travis Mikalson <bofh@terranova.net>
1999-11-17 20:12:35 +00:00
Brian Feldman
fd06b5f819 Thanks to those who replied! The include (ssl versus openssl) transform
is now done in post-patch.

Submitted by:	Anton Berezin <tobez@plab.ku.dk>, Christian Weisgerber <naddy@unix-ag.uni-kl.de>
1999-11-17 17:19:28 +00:00
Brian Feldman
0a2eb1046a And update those checksums too. 1999-11-17 02:53:30 +00:00
Brian Feldman
cd2a8b0406 Prompted by Kris Kennaway <kris@FreeBSD.org>
Update to to the current time for OpenSSH.  The notable commit given to me
for this new date is:

(provos@cvs.openbsd.org)

        usr.bin/ssh    : hostfile.c

in known_hosts key lookup the entry for the bits does not need to match, all
the information is contained in n and e.  This solves the problem with buggy
servers announcing the wrong modulus length.  markus and me.
1999-11-17 00:56:07 +00:00
Brian Feldman
d4dc9aea78 Bump CVS_DATE to a few minutes ago, and update MD5 checksums for updated
files.  Also, CVS_RSH can now be specified (to override the ignored
environmental CVS_RSH) as PORTS_CVS_RSH.  For instance, you can use ssh
to check out ssh ( :] ) with "PORTS_CVS_RSH=ssh make fetch".
1999-11-15 06:48:02 +00:00
Brian Feldman
db6ff5ab61 Enable TCP wrapper support (conditionalized to turn off if tcpd.h is
nonexistant).  Also, add the Makefile hooks for AFS, Kerberos, and S/Key.
1999-11-15 06:18:46 +00:00
Brian Feldman
828e1fc6be Add support for setting login.conf class things including rlimits, priority,
and umask.  Also support /var/run/nologin, copyright, and support motd
correctly.  The PR was used as a base, thanks!

PR:	14859
Submitted by:	Dan Harnett <danh@wzrd.com>
1999-11-13 23:37:58 +00:00
Brian Feldman
97a018a48f Lots of OpenSSH changes, let's see if I remember them all.
1. Makefile cleanups, pkg/DESCR original comment (obrien)
	2. sshd.sh and automatic host key generation when installed
	   (Christian Weisgerber <naddy@unix-ag.uni-kl.de>)
	3. Completely redone downloading procedure:
		* CVS is used to download the source (${CVS_CMD} defaults to
		  cvs -z3)
		* MD5 checksums and a specific ${CVS_DATE} are used to get
		  a specific source tree and verify it;  ${CVS_DATE} and
		  checksums can easily be rolled forward once tested.
		* Source is checked out to distfiles like other ports,
		  and is only updated when ${CVS_DATE} changes.
		  Rebuilding the port doesn't require another cvs co.

Enjoy!

Reviewed mostly by:	obrien
1999-11-13 05:55:42 +00:00
Brian Feldman
2bd1eb4e18 Correct the do-fetch target and improve error detection in fetchit. 1999-11-11 20:49:44 +00:00
Brian Feldman
0adf5c3f15 Whoops, extra parenthesis broke do-fetch. 1999-11-11 16:50:43 +00:00
Brian Feldman
ac3b838e7f Quite a bit of change to OpenSSH made:
Add "/usr/local/bin" to _PATH_STDPATH (makes scp work inbound, for instance.)
Fetch OpenSSH from OpenBSD's src tree.  This uses a script and ftp(1).
Add strlcpy.c to ssh/lib, so this port should build on 3.X now.
Make TCP_WRAPPERS conditional on /usr/include/tcpd.h like the PR, so it
 should build on older RELEASEs without TCP Wrappers.

The PR is still open because I am taking more from it.

PR:		ports/14653
1999-11-11 14:33:23 +00:00
Brian Feldman
2122dd8811 Make some various cleanups. Note that I did not add RESTRICTED since this is
in no way cryptographically encumbered code.  The fact that it's
redistributed by me from freefall is completely coincidental.

Submitted by:	obrien, Christian Weisgerber <naddy@unix-ag.uni-kl.de>
1999-11-09 12:43:45 +00:00
Dirk Froemberg
02adc6ab70 Add library dependency to crypto.1. 1999-11-09 11:43:11 +00:00
Brian Feldman
406efcfe3b Say hello to OpenSSH! It's more secure, has a better license, and
is actively maintained by members of the OpenBSD project.
1999-11-08 06:20:54 +00:00