author | Bryan Drewery <bdrewery@FreeBSD.org> | 2021-09-08 16:55:19 +0000 |
---|---|---|
committer | Bryan Drewery <bdrewery@FreeBSD.org> | 2021-09-09 19:09:40 +0000 |
commit | a981593ecc06f124506f481e5dd0eee9ea6a70f8 (patch) | |
tree | c08a068e8638f80371c8aa7e5526fae82ade22cb | |
parent | 4070b50ad4b7be88b6a47229d6e6afc4e0da6a34 (diff) | |
download | ports-a981593ecc06f124506f481e5dd0eee9ea6a70f8.tar.gz ports-a981593ecc06f124506f481e5dd0eee9ea6a70f8.zip |
security/openssh-portable: Update to 8.7p1.
-rw-r--r-- | security/openssh-portable/Makefile | 2 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 6 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn | 63 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd.8 | 10 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config | 24 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-sshd_config.5 | 11 |
6 files changed, 45 insertions, 71 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index e9ac6fb39f13..3c072134a788 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,7 +1,7 @@
 # Created by: dwcjr@inethouston.net
 PORTNAME= openssh
-DISTVERSION= 8.6p1
+DISTVERSION= 8.7p1
 PORTREVISION= 0
 PORTEPOCH= 1
 CATEGORIES= security
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 209322451613..45a643313a29 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1619547768
-SHA256 (openssh-8.6p1.tar.gz) = c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae
-SIZE (openssh-8.6p1.tar.gz) = 1786328
+TIMESTAMP = 1631042634
+SHA256 (openssh-8.7p1.tar.gz) = 7ca34b8bb24ae9e50f33792b7091b3841d7e1b440ff57bc9fabddf01e2ed1e24
+SIZE (openssh-8.7p1.tar.gz) = 1814595
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 258b36150078..ed7a78ab71a0 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -384,8 +384,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 void enable_compat13(void);
 void enable_compat20(void);
---- configure.ac.orig 2020-03-22 11:06:53.034550000 -0700
-+++ configure.ac 2020-03-22 11:07:10.017487000 -0700
+--- work/openssh/configure.ac.orig 2020-03-22 11:06:53.034550000 -0700
++++ work/openssh/configure.ac 2020-03-22 11:07:10.017487000 -0700
 @@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir],
 ]
 )
 # maildir
@@ -524,8 +524,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o #if !defined(WITH_OPENSSL) # undef BIGNUM # undef EC_KEY ---- work/openssh/readconf.c.orig 2021-04-28 13:58:36.413806000 -0700 -+++ work/openssh/readconf.c 2021-04-28 14:39:31.145856000 -0700 +--- work/openssh/readconf.c.orig 2021-09-08 09:56:20.567664000 -0700 ++++ work/openssh/readconf.c 2021-09-08 09:57:31.560617000 -0700 @@ -67,6 +67,9 @@ #include "uidswap.h" #include "myproposal.h" @@ -539,17 +539,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o @@ -168,6 +171,12 @@ typedef enum { oLocalCommand, oPermitLocalCommand, oRemoteCommand, oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, + oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull, +#ifdef HPN_ENABLED + oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, +#endif +#ifdef NONE_CIPHER_ENABLED + oNoneSwitch, oNoneEnabled, +#endif + oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, - oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, -@@ -312,6 +321,16 @@ static struct { +@@ -316,6 +325,16 @@ static struct { { "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */ { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms }, { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */ @@ -566,7 +566,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o { "ignoreunknown", oIgnoreUnknown }, { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, -@@ -1091,6 +1110,44 @@ parse_time: +@@ -1125,6 +1144,44 @@ parse_time: intptr = &options->check_host_ip; goto parse_flag; 
@@ -611,7 +611,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; multistate_ptr = multistate_yesnoask; -@@ -2262,6 +2319,16 @@ initialize_options(Options * options) +@@ -2386,6 +2443,16 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; @@ -625,10 +625,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + options->tcp_rcv_buf_poll = -1; + options->tcp_rcv_buf = -1; +#endif - options->proxy_use_fdpass = -1; - options->ignored_unknown = NULL; - options->num_canonical_domains = 0; -@@ -2432,6 +2499,34 @@ fill_default_options(Options * options) + options->session_type = -1; + options->stdin_null = -1; + options->fork_after_authentication = -1; +@@ -2557,6 +2624,34 @@ fill_default_options(Options * options) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; @@ -1119,8 +1119,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o sshpkt_fatal(ssh, r, "banner exchange"); /* Put the connection into non-blocking mode. */ ---- work/openssh/sshconnect2.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ work/openssh/sshconnect2.c 2021-04-28 14:51:57.237202000 -0700 +--- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700 ++++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700 @@ -84,7 +84,13 @@ extern char *client_version_string; extern char *server_version_string; 
@@ -1157,7 +1157,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) fatal_f("kex_names_cat"); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); -@@ -489,6 +497,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, +@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, if (!authctxt.success) fatal("Authentication failed."); @@ -1184,13 +1184,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + } + } +#endif -+ - debug("Authentication succeeded (%s).", authctxt.method->name); - } - ---- work/openssh/sshd.c.orig 2020-11-10 21:36:31.340159000 -0800 -+++ work/openssh/sshd.c 2020-11-10 21:37:10.097038000 -0800 -@@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la) + if (ssh_packet_connection_is_on_socket(ssh)) { + verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host, + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), +--- work/openssh/sshd.c.orig 2021-09-08 10:00:01.411822000 -0700 ++++ work/openssh/sshd.c 2021-09-08 10:03:02.820813000 -0700 +@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la) int ret, listen_sock; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; @@ -1201,7 +1200,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o for (ai = la->addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la) +@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la) debug("Bind to port %s on %s.", strport, ntop); 
@@ -1215,7 +1214,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { error("Bind to port %s on %s failed: %.200s.", -@@ -1753,6 +1764,15 @@ main(int ac, char **av) +@@ -1760,6 +1771,15 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); @@ -1228,10 +1227,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o + } +#endif + - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; -@@ -2220,6 +2240,11 @@ main(int ac, char **av) + /* Check that options are sensible */ + if (options.authorized_keys_command_user == NULL && + (options.authorized_keys_command != NULL && +@@ -2216,6 +2236,11 @@ main(int ac, char **av) rdomain == NULL ? "" : "\""); free(laddr); @@ -1243,7 +1242,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2233,7 +2258,7 @@ main(int ac, char **av) +@@ -2229,7 +2254,7 @@ main(int ac, char **av) alarm(options.login_grace_time); if ((r = kex_exchange_identification(ssh, -1, @@ -1252,7 +1251,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o sshpkt_fatal(ssh, r, "banner exchange"); ssh_packet_set_nonblocking(ssh); -@@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh) char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; struct kex *kex; int r; 
@@ -1262,7 +1261,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 + debug ("WARNING: None cipher enabled");
 +#endif
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, options.kex_algorithms);
 --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
index edb5c8cb6498..4d2a477899c6 100644
--- a/security/openssh-portable/files/patch-sshd.8
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -24,13 +24,3 @@ Document FreeBSD/port-specific paths (unless root).
 .It
 Changes to run with normal user privileges.
-@@ -407,7 +408,8 @@
- exists, runs it; else if
- .Pa /etc/ssh/sshrc
- exists, runs
--it; otherwise runs xauth.
-+it; otherwise runs
-+.Xr xauth 1 .
- The
- .Dq rc
- files are given the X11
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 57cff284b725..b582ac8f3691 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,5 +1,5 @@
---- sshd_config.orig 2013-02-11 18:02:09.000000000 UTC
-+++ sshd_config 2013-05-13 06:46:45.153627197 -0500
+--- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700
++++ sshd_config 2021-09-07 12:34:49.372652000 -0700
 @@ -10,6 +10,9 @@
 # possible, but leave them commented. Uncommented options override the
 # default value.
@@ -10,7 +10,7 @@
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
-@@ -50,8 +53,7 @@
+@@ -37,8 +40,7 @@
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -20,34 +20,30 @@
 #AuthorizedPrincipalsFile none
-@@ -68,11 +70,11 @@
+@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 -# To disable tunneled clear text passwords, change to no here!
 -#PasswordAuthentication yes
-+# Change to yes to enable built-in password authentication.
++# To enable tunneled clear text passwords, change to yes here!
 +#PasswordAuthentication no
 #PermitEmptyPasswords no
--# Change to no to disable s/key passwords
-+# Change to no to disable PAM authentication
- #ChallengeResponseAuthentication yes
- 
- # Kerberos options
-@@ -85,7 +87,7 @@
+ # Change to no to disable s/key passwords
+@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 -# Set this to 'yes' to enable PAM authentication, account processing,
 +# Set this to 'no' to disable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
- # be allowed through the ChallengeResponseAuthentication and
+ # be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication. Depending on your PAM configuration,
-@@ -94,12 +96,12 @@
+@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
+ # and KbdInteractiveAuthentication to 'no'.
 -#UsePAM no
 +#UsePAM yes
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 90c3940cf02c..442225160130 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
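Review bot: The refreshed patch-sshd_config hunk drops the port's correction of the comment above the keyboard-interactive option: the removed lines `--# Change to no to disable s/key passwords` / `-+# Change to no to disable PAM authentication` are replaced by the added context line `+ # Change to no to disable s/key passwords`, so the shipped sshd_config now carries upstream's s/key wording even though this port sets `#UsePAM yes` and the same hunk's PAM comment says PAM authentication is reached through KbdInteractiveAuthentication and PasswordAuthentication. An administrator who sets `PasswordAuthentication no` on the strength of that comment may not realize that KbdInteractiveAuthentication at its default still allows PAM password prompts, which is exactly the case the later comment ("set PasswordAuthentication and KbdInteractiveAuthentication to 'no'") is warning about. Consider carrying the correction forward onto the renamed option, e.g. `-# Change to no to disable s/key passwords` / `+# Change to no to disable PAM keyboard-interactive authentication`. The same point applies to the patch-sshd_config.5 section, where the port's `See also .Cm UsePAM` cross-reference on the ChallengeResponseAuthentication entry is deleted outright rather than re-targeted to the renamed KbdInteractiveAuthentication entry.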
@@ -1,16 +1,5 @@
 --- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
 +++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
-@@ -373,7 +373,9 @@ By default, no banner is displayed.
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or through authentication styles supported in
--.Xr login.conf 5 )
-+.Xr login.conf 5 ) .
-+See also
-+.Cm UsePAM .
- The default is
- .Cm yes .
- .It Cm ChrootDirectory
 @@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q key . |