updated to today's snapshot of OpenSSH.
Various updates from the latest ${CVS_DATE}, and requisite patch
changes, are the "big new thing". Nothing major has changed; the
biggest ones would be using atomicio() in a lot of places and a
fix for a SIGHUP not updating sshd(8)'s configuration until the
next connection.
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien
obsoleting a couple patches (it's the same code, though, except for
additions).
This also brings in KNFization of everything (please hold the cheering
down :) and made me reroll all my patches.
My patches have been almost entirely rewritten. The places are the
same, but the code's rewritten. It fits with the style (KNF) now,
and looks better.
I've also added strlcat.c to the build, which, just like strlcpy.c, is
necessary for compatibility with older libcs. After strlcat() snuck
into the OpenSSH code recently, this would prevent OpenSSH from
building on (e.g.) FreeBSD 3.2. Adding it to ssh/lib/ makes it work
yet again :)
Add "ignorelogin" login.conf functionality to sshd.
The biggest change: new port functionality. Making "fetchsrctarball"
will soon work for those of you who cannot use CVS to get OpenSSH.
Mark Murray, the savior he is :), will use "make makesrctarball" and
put the snapshots of OpenSSH source in the proper place.
The current ${MASTER_SITES} is just a guess at where the snapshot
files could be hosted; something definite should be worked out very
soon.
Move sshd.sh to files and ${INSTALL_SCRIPT}/${PERL} -pi it.
Clean up the Makefile's style a bit (MNF anyone? :)
Add WWW: to pkg/DESCR.
Change MASTER_SITES back to CVS_SITES to avoid problems with
MASTER_SITE_OVERRIDE.
Parts submitted by: Christian Weisgerber <naddy@mips.rhein-neckar.de>, Robert Muir <rmuir@gibralter.net>
Update to to the current time for OpenSSH. The notable commit given to me
for this new date is:
(provos@cvs.openbsd.org)
usr.bin/ssh : hostfile.c
in known_hosts key lookup the entry for the bits does not need to match, all
the information is contained in n and e. This solves the problem with buggy
servers announcing the wrong modulus length. markus and me.
and umask. Also support /var/run/nologin, copyright, and support motd
correctly. The PR was used as a base, thanks!
PR: 14859
Submitted by: Dan Harnett <danh@wzrd.com>
Add "/usr/local/bin" to _PATH_STDPATH (makes scp work inbound, for instance.)
Fetch OpenSSH from OpenBSD's src tree. This uses a script and ftp(1).
Add strlcpy.c to ssh/lib, so this port should build on 3.X now.
Make TCP_WRAPPERS conditional on /usr/include/tcpd.h like the PR, so it
should build on older RELEASEs without TCP Wrappers.
The PR is still open because I am taking more from it.
PR: ports/14653
in no way cryptographically encumbered code. The fact that it's
redistributed by me from freefall is completely coincidental.
Submitted by: obrien, Christian Weisgerber <naddy@unix-ag.uni-kl.de>