(From the author:)
Primarily, I have added built-in functions for manipulating the
environment, so putenv() is no longer used. XDM and its variants
should now work without modification. Note that the new code uses
the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
the nmap port otherwise the build fell over despite the configure script
saying that it would continue without it.
PR: 15714 (4 of 4)
Submitted by: maintainer
The version is now 1.2.1, from 1.2. You can mv your old distfiles/OpenSSH-1.2
dir to distfiles/OpenSSH-1.2.1, if you want to not waste time/space.
Some minor nits have been fixed, and a couple bugs. One sizeof(len)
should have just been len, and, in markus's words,
"fix get_remote_port() and friends for sshd -i".
* Remove current MAINTAINER as email has been unreachable for weeks
* Add dan@freebsddiary.com as MAINTAINER at his request
PR: 15490
Submitted by: Dan Langille <dan@freebsddiary.com>
so that there is no need to have commands such as /usr/bin/su in the
restricted environment. Access to the file system is restricted to
the newroot subtree and privileges are restricted to those of the
newuser account (which must be a known account in the unrestricted
environment).
updated to today's snapshot of OpenSSH.
Various updates from the latest ${CVS_DATE}, and requisite patch
changes, are the "big new thing". Nothing major has changed; the
biggest ones would be using atomicio() in a lot of places and a
fix for a SIGHUP not updating sshd(8)'s configuration until the
next connection.
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
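As an added example (not code from the OpenSSH port or its patches), here is a small sliding-window limiter with the ConnectionsPerPeriod defaults quoted above, five admissions per ten seconds plus the sixty-second login grace check; the rl_* names, the ring-buffer layout and the sample arrival times are assumptions of this example.

```c
/* Added example, not the port's own code: admit at most RL_MAX_CONNS
 * connections to authentication per RL_PERIOD seconds (the defaults quoted
 * above), plus the login grace check. rl_* names and layout are mine. */
#include <stdio.h>
#include <time.h>

#define RL_MAX_CONNS   5   /* connections admitted per period */
#define RL_PERIOD      10  /* window length in seconds */
#define RL_LOGIN_GRACE 60  /* seconds an admitted connection may spend authenticating */

/* Ring of admission times, oldest at 'head'; 'count' entries are in use. */
struct rl_state { time_t admitted[RL_MAX_CONNS]; int count, head; };

/* Forget admissions that are a full period or older relative to 'now'. */
static void rl_expire(struct rl_state *rl, time_t now)
{
    while (rl->count > 0 && now - rl->admitted[rl->head] >= RL_PERIOD) {
        rl->head = (rl->head + 1) % RL_MAX_CONNS;
        rl->count--;
    }
}

/* Admit (1) or reject (0) a connection arriving at 'now'. Rejections do not
 * consume a slot, so the limit is on admissions, not on attempts. */
int rl_admit(struct rl_state *rl, time_t now)
{
    rl_expire(rl, now);
    if (rl->count >= RL_MAX_CONNS) return 0;
    rl->admitted[(rl->head + rl->count) % RL_MAX_CONNS] = now;
    rl->count++;
    return 1;
}

/* 1 once an admitted but still unauthenticated connection has used its grace. */
int rl_grace_expired(time_t admitted_at, time_t now) { return now - admitted_at >= RL_LOGIN_GRACE; }

/* Constructed arrivals: a burst of seven inside one window, then two at t=10,
 * when only the t=0 admission has aged out. Returns how many were admitted. */
int rl_demo_admitted(void)
{
    static const time_t arrivals[] = {0, 1, 2, 3, 4, 5, 9, 10, 10};
    struct rl_state rl = {{0}, 0, 0};
    int admitted = 0;
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        int ok = rl_admit(&rl, arrivals[i]);
        printf("t=%2ld %s\n", (long)arrivals[i], ok ? "admitted" : "rejected");
        admitted += ok;
    }
    return admitted; /* 6: t=0..4 and the first t=10 arrival */
}

int main(void) { return rl_demo_admitted() == 6 ? 0 : 1; }
```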
reality, though. One file, cipher.c, calls cryptographic routines
from external libraries. This really cannot encumber OpenSSH in
any case, but I put RESTRICTED back since it would give people a
false hope of being able to install the OpenSSH package but
not the requisite, RESTRICTED (so nonexistent) openssl package.
Reasons:
1. It's not crypto.
2. It links with crypto.
a. That crypto is in the public domain.
b. Linking with crypto does not constitute cryptography.
3. Even if it were crypto, the description of the entire protocol, etc.,
is in the public domain. The RFC is PD in the USA, and the white paper
in Europe.
4. Precedent? Even if it were crypto, the Bernstein case has set a
precedent for allowing export of that. But it's not even crypto.
Submitted by: Anders Nordby <anders@fix.no>
NASL is a scripting language designed for the Nessus security scanner. Its
aim is to allow anyone to write a test for a given security hole in a few
minutes, to allow people to share their tests without having to worry
about their operating system, and to guarantee everyone that a NASL script
can not do anything nasty except performing a given security test against
a given target.
NASL is not a powerful scripting language. Its purpose is to make scripts
that are security tests. So, do not expect to write a third generation web
server in this language, nor a file conversion utility. Use perl, python
or whatever scripting language to do this.
WWW: http://www.nessus.org/doc/nasl.html
Submitted by: maintainer
Update to 0.99.1, and disable nessus for compiling in -current.
Original patch submitted by the maintainer, and some fixes from me.
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien
obsoleting a couple patches (it's the same code, though, except for
additions).
This also brings in KNFization of everything (please hold the cheering
down :) and made me reroll all my patches.
My patches have been almost entirely rewritten. The places are the
same, but the code's rewritten. It fits with the style (KNF) now,
and looks better.
I've also added strlcat.c to the build, which, just like strlcpy.c, is
necessary for compatibility with older libcs. After strlcat() snuck
into the OpenSSH code recently, this would prevent OpenSSH from
building on (e.g.) FreeBSD 3.2. Adding it to ssh/lib/ makes it work
yet again :)
* Added "firewall mode" timing optimizations which can decrease the
amount of time necessary to SYN or connect scan some heavily filtered
hosts.
* Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS
called Snort was using this to detect Nmap TCP pings).
* better FDDI support
* changes which should lead to tremendous speedups against some firewalled
hosts.
Add "ignorelogin" login.conf functionality to sshd.
The biggest change: new port functionality. Making "fetchsrctarball"
will soon work for those of you who cannot use CVS to get OpenSSH.
Mark Murray, the savior he is :), will use "make makesrctarball" and
put the snapshots of OpenSSH source in the proper place.
The current ${MASTER_SITES} is just a guess at where the snapshot
files could be hosted; something definite should be worked out very
soon.
Put sshd.sh installation in the pre-install, ssh_host_key generation
back in the PLIST, and check for ssh_config, too. This port now
works much better as a package. The configuration files and sshd.sh
are also part of the package, and as such removed on deinstall.
The proper upgrade procedure from one OpenSSH version to a newer one is:
chflags schg /usr/local/etc/ssh* # preserve them from deletion
cd /usr/ports/security/openssh
make all deinstall reinstall clean
Partially submitted by: peter
code tree is the addition of the SSH_CMSG_MAX_PACKET_SIZE command.
Really big tiny change: PermitRootLogin is now DISABLED by default. This
change has been specifically okayed.
Reviewed by: imp
Move sshd.sh to files and ${INSTALL_SCRIPT}/${PERL} -pi it.
Clean up the Makefile's style a bit (MNF anyone? :)
Add WWW: to pkg/DESCR.
Change MASTER_SITES back to CVS_SITES to avoid problems with
MASTER_SITE_OVERRIDE.
Parts submitted by: Christian Weisgerber <naddy@mips.rhein-neckar.de>, Robert Muir <rmuir@gibralter.net>
CVS_SITE is now MASTER_SITES, and each is tried if the previous fails
Include a :pserver: as one of the CVS repositories, so those inside firewalls
should be able to fetch SSH. If this doesn't work for everyone, I've still
got a trick up my sleeve.
Fix rlimit-related warnings people are seeing by moving the setclasscontext()
to before the switching of uids. Let me know if this does not work, as I
never got the warnings in the first place.
Don't clobber sshd_config, etc. Instead, if they're there, just warn of
their existence.
Take the config files and sshd.sh out of the pkg/PLIST, mainly so you don't
lose your configuration files by doing a "make deinstall reinstall clean"
update.
Parts submitted by: Robert Muir <rmuir@gibralter.net>, Travis Mikalson <bofh@terranova.net>
Update to the current time for OpenSSH. The notable commit given to me
for this new date is:
(provos@cvs.openbsd.org)
usr.bin/ssh : hostfile.c
in known_hosts key lookup the entry for the bits does not need to match, all
the information is contained in n and e. This solves the problem with buggy
servers announcing the wrong modulus length. markus and me.
files. Also, CVS_RSH can now be specified (to override the ignored
environmental CVS_RSH) as PORTS_CVS_RSH. For instance, you can use ssh
to check out ssh ( :] ) with "PORTS_CVS_RSH=ssh make fetch".
and umask. Also support /var/run/nologin, copyright, and support motd
correctly. The PR was used as a base, thanks!
PR: 14859
Submitted by: Dan Harnett <danh@wzrd.com>
1. Makefile cleanups, pkg/DESCR original comment (obrien)
2. sshd.sh and automatic host key generation when installed
(Christian Weisgerber <naddy@unix-ag.uni-kl.de>)
3. Completely redone downloading procedure:
* CVS is used to download the source (${CVS_CMD} defaults to
cvs -z3)
* MD5 checksums and a specific ${CVS_DATE} are used to get
a specific source tree and verify it; ${CVS_DATE} and
checksums can easily be rolled forward once tested.
* Source is checked out to distfiles like other ports,
and is only updated when ${CVS_DATE} changes.
Rebuilding the port doesn't require another cvs co.
Enjoy!
Reviewed mostly by: obrien
Add "/usr/local/bin" to _PATH_STDPATH (makes scp work inbound, for instance.)
Fetch OpenSSH from OpenBSD's src tree. This uses a script and ftp(1).
Add strlcpy.c to ssh/lib, so this port should build on 3.X now.
Make TCP_WRAPPERS conditional on /usr/include/tcpd.h like the PR, so it
should build on older RELEASEs without TCP Wrappers.
The PR is still open because I am taking more from it.
PR: ports/14653
in no way cryptographically encumbered code. The fact that it's
redistributed by me from freefall is completely coincidental.
Submitted by: obrien, Christian Weisgerber <naddy@unix-ag.uni-kl.de>
. remove an army of patches that are no longer needed with this version
. enable shared library support
. compress man pages
. add missing newline to COMMENT
* Added sophisticated timing controls to give the user much more control
over Nmap's speed. This allows you to make Nmap much more aggressive to
scan hosts faster, or you can make Nmap more "polite" -- slower but less
likely to wreak havoc on your Network. You can even enforce large delays
between sending packets to sneak under IDS thresholds and prevent
detection. See the new "Timing Options" section of the Nmap man page for
more information on using this.
* New "Window scan" that does fun things with ACK packets. -sW activates
this scan type. It is mostly effective against BSD, AIX, Digital UNIX, and
various older HP/UX, SunOS, and VAX.
some piece of the base system (a-la crypto). I wrote "rsaref port" instead
of "security/rsaref" since on the remote chance that rsaref switches
categories, I don't want the message to become wrong.
[Has anyone figured-out what makes the number 393 so interesting to PW, now?]
I wonder what was going through Jordan's head during his infamous
$Id$-smashing commit.
Before I forget....
Thanks to naddy@mips.rhein-neckar.de (Christian Weisgerber) for prompting
this commit. See msg-id: 7geokh$tje$1@mips.rhein-neckar.de
Submitted by: Issei Suzuki <issei@jp.FreeBSD.ORG>
Upgrade to 1.2.27.
# I'm not maintainer but it seems that torstenb is too busy to
# look the PR and many people want new version ssh port.
of paper, twice the size of a credit card for easy storage in a
wallet, card holder, etc. It produces a PostScript file which can be
printed and then trimmed to size:
Submitted by: Anders Nordby <anders.fix.no>
Nessus is a security scanner. That is, it's a program which will scan a
given network and will seek for vulnerabilities which could be exploited
by some remote intruder.
Check the homepage at: http://www.nessus.org/
2) Was installing into a directory but not removing it with the rest of
the package.
3) Now supports NOPORTDOCS (which isn't documented in Mk/bsd.port.mk)
This is a library which contains safe reincarnations
of strcpy/strcat/sprintf and some other functions,
which are known to be the source of 99% of stack smashing
attacks since the Morris Worm.
PR: ports/9279
Submitted by: Alexandre Snarskii <snar@paranoia.ru>
commenting out MASTER_SITES.
Modify the IGNORE= message a little, and use ${DISTFILES} to describe
the file to fetch so that the message doesn't have to be modified every
time the port is updated.
the diffs are trashed because Makefile.org is used as a basis for
Makefile.ssl during configuration. Now that patch-ab is applied correctly
libRSAglue.a is installed.
- add patch-aj obtained from the OpenSSL CVS repository:
"Make sure the RSA OAEP test is skipped under -DRSAref because
OAEP isn't supported when OpenSSL is built with RSAref."
According to the OpenSSL-core-team you are strongly encouraged to upgrade
any old version. The new version has a lot of bug fixes.
- ${PREFIX}/bin/ssleay was renamed to ${PREFIX}/bin/openssl and
${PREFIX}/etc/ssleay.cnf to ${PREFIX}/lib/openssl.cnf
- there are no links from e. g. ${PREFIX}/bin/md5 to ${PREFIX}/bin/ssleay
any longer, instead you have to call "openssl md5" now
- replaced HAS_CONFIGURE, CONFIGURE_SCRIPT and CONFIGURE_ENV with a
do-configure target and changed the indention level
- some perl scripts need perl5 now, so set USE_PERL5 and replace perl
with ${PERL5} where necessary.
- honour ${CFLAGS}
(2) Reorganize MASTER_SITEs
(3) Remove reference to Phil Karn's ssh speedups, it is now distributed
as a full source package, and not a patch kit. If we want to use it,
we will have to make a new port for it.
(4) Use ${ECHO} instead of echo, ${RM} instead of rm, ${LN} instead of ln
(5) Use ${FALSE} instead of false
(6) Remove multiple blank lines in Makefile
(7) Remove trailing blank lines in pkg/DESCR
Submitted by: Alex Perel <veers@disturbed.net> (1, 2, 4, 6)
Bill Fumerola <billf@FreeBSD.org> (3, 5, 7)
brief discussion on -committers, tcp_wrappers will be imported into the base
system which will allow us to build our system portmapper with hosts.allow
functionality.
Apply openssl-0.9.1c-bnrec.patch via PATCHFILES:
"DESCRIPTION:
The Big Number (BN) library in OpenSSL 0.9.1c has some problems when dealing
with very large numbers. Because mostly all other OpenSSL sub-libraries
(including the RSA library) are based on BN, this can cause failures when
doing certificate verification and performing other SSL functions. These BN
bugs are already fixed for OpenSSL 0.9.2. But for OpenSSL 0.9.1c the easiest
workaround to fix the subtle problems is to apply the above patch which mainly
disables the broken Montgomery multiplication algorithm inside BN."
bsd.port.mk rev. 1.304 for details on the change.
The fix here is one of the following.
(1) Define USE_BZIP2 instead of BUILD_DEPENDS on bzip2 and redefining
EXTRACT_* commands.
(2) Change ${EXTRACT_CMD} to ${TAR} when the command is obviously
calling the "tar" command (i.e., arguments like "-xzf" are spelled
out).
(3) If ${EXTRACT_CMD} is called directly with ${EXTRACT_BEFORE_ARGS},
add ${EXTRACT_AFTER_ARGS} to the command line as well.
(4) If any of EXTRACT_CMD, EXTRACT_BEFORE_ARGS or EXTRACT_AFTER_ARGS
is set, define the other two too.