authorDirk Meyer <dinoex@FreeBSD.org>2002-07-04 18:27:59 +0000
committerDirk Meyer <dinoex@FreeBSD.org>2002-07-04 18:27:59 +0000
commite97a16d2f3bc14b5d310dad41bbbe8b1a3d7d55f (patch)
tree6096c7347295b3e56f198e0a6755a33d22b120d8 /security/openssh
parent2a717d66954e2efa8867a5b1432e3686cbeeef47 (diff)
'PermitRootLogin no' is the new default for the OpenSSH port.
This now matches the PermitRootLogin configuration of OpenSSH in the base system. Please be aware of this when upgrading your OpenSSH port, and if truly necessary, re-enable remote root login by readjusting this option in your sshd_config. Users are encouraged to create single-purpose users with ssh keys and very narrowly defined sudo privileges instead of using root for automated tasks.
Notes
Notes: svn path=/head/; revision=62436
Diffstat (limited to 'security/openssh')
-rw-r--r--security/openssh/Makefile3
-rw-r--r--security/openssh/files/patch-session.c33
-rw-r--r--security/openssh/files/patch-sshd_config16
3 files changed, 29 insertions, 23 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 6ffce6a8c628..65f141c81163 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -7,7 +7,7 @@
PORTNAME= openssh
PORTVERSION= 3.4
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
@@ -36,6 +36,7 @@ PRECIOUS= ssh_config sshd_config \
ssh_host_key ssh_host_key.pub \
ssh_host_rsa_key ssh_host_rsa_key.pub \
ssh_host_dsa_key ssh_host_dsa_key.pub
+# PAM ist broken, use openssh-portable instead.
PAM=no
.include <bsd.port.pre.mk>
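Review bot: The added comment `# PAM ist broken, use openssh-portable instead.` has a typo, `ist` for `is`. Since the following `PAM=no` appears to force PAM support off for every build of this port, the comment should state that plainly, for example `# PAM is broken in this port and is forced off; use openssh-portable instead.`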
diff --git a/security/openssh/files/patch-session.c b/security/openssh/files/patch-session.c
index 2e1f6ec6f70b..7a36132b613f 100644
--- a/security/openssh/files/patch-session.c
+++ b/security/openssh/files/patch-session.c
@@ -1,5 +1,5 @@
---- session.c.orig Sun Jun 30 21:19:19 2002
-+++ session.c Sun Jun 30 21:24:47 2002
+--- session.c.orig Sun Jun 30 21:25:39 2002
++++ session.c Mon Jul 1 06:45:09 2002
@@ -58,6 +58,13 @@
#include "session.h"
#include "monitor_wrap.h"
@@ -292,38 +292,33 @@
char **env;
+#ifdef HAVE_LOGIN_CAP
+ extern char **environ;
-+ char **senv;
-+#endif
++ char **senv, **var;
++#endif /* HAVE_LOGIN_CAP */
struct passwd *pw = s->pw;
/* Initialize the environment. */
-@@ -826,17 +1018,22 @@
+@@ -826,17 +1018,15 @@
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
if (!options.use_login) {
-+#ifdef HAVE_LOGIN_CAP
-+ char *var;
-+#endif /* HAVE_LOGIN_CAP */
+
/* Set basic environment. */
child_set_env(&env, &envsize, "USER", pw->pw_name);
child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
- #ifdef HAVE_LOGIN_CAP
+-#ifdef HAVE_LOGIN_CAP
- (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
-#else
-+#else /* !HAVE_LOGIN_CAP */
child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-#endif
-+#endif /* HAVE_LOGIN_CAP */
snprintf(buf, sizeof buf, "%.200s/%.50s",
_PATH_MAILDIR, pw->pw_name);
-@@ -844,9 +1041,19 @@
+@@ -844,9 +1034,21 @@
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
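Review bot: With the `#ifdef HAVE_LOGIN_CAP` branch removed, `PATH` is now always set to `_PATH_STDPATH` here, and nothing in the hunk says that the login-class value is expected to arrive later. Judging from the next hunk, the `copy_environment(environ, &env, &envsize)` block is what replaces it, so a one-line comment above the `child_set_env(&env, &envsize, "PATH", _PATH_STDPATH)` line would help, for example `/* default PATH; the HAVE_LOGIN_CAP block below may replace it from login.conf */`. The enclosing function starts and ends outside the hunk, so the ordering should be confirmed against the full session.c.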
@@ -336,6 +331,8 @@
+ perror("unable to set user context enviroment");
+ }
+ copy_environment(environ, &env, &envsize);
++ for (var = environ; *var != NULL; ++var)
++ xfree(*var);
+ xfree(environ);
+ environ = senv;
+#endif /* HAVE_LOGIN_CAP */
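Review bot: The added loop calls `xfree(*var)` on every string in `environ`, which is only valid if each entry was heap-allocated by the code that filled the temporary environment, and that code is outside this hunk. If any entry can point at storage the allocator does not own (a `putenv()` string, for instance), the sshd child frees memory it must not free. Once the ownership is confirmed, it deserves a comment above the loop such as `/* every entry was allocated while building the temporary environment; release them before restoring senv */`. The `perror("unable to set user context enviroment")` branch just above shows no exit in the visible lines, so the loop would presumably also run over a partially built environment after a failure.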
@@ -345,7 +342,7 @@
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
-@@ -889,6 +1096,10 @@
+@@ -889,6 +1091,10 @@
child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ticket_file);
#endif
@@ -356,7 +353,7 @@
if (auth_sock_name != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_sock_name);
-@@ -1005,7 +1216,7 @@
+@@ -1005,7 +1211,7 @@
if (getuid() == 0 || geteuid() == 0) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
@@ -365,7 +362,7 @@
perror("unable to set user context");
exit(1);
}
-@@ -1045,6 +1256,36 @@
+@@ -1045,6 +1251,36 @@
exit(1);
}
@@ -402,7 +399,7 @@
/*
* Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group
-@@ -1123,7 +1364,7 @@
+@@ -1123,7 +1359,7 @@
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
@@ -411,7 +408,7 @@
close(i);
/*
-@@ -1153,6 +1394,31 @@
+@@ -1153,6 +1389,31 @@
exit(1);
#endif
}
diff --git a/security/openssh/files/patch-sshd_config b/security/openssh/files/patch-sshd_config
index 78ea8c69fb59..6ed602861a63 100644
--- a/security/openssh/files/patch-sshd_config
+++ b/security/openssh/files/patch-sshd_config
@@ -1,6 +1,14 @@
---- sshd_config.orig Thu Jun 27 22:07:41 2002
-+++ sshd_config Fri Jun 28 06:00:05 2002
-@@ -56,6 +56,7 @@
+--- sshd_config.orig Sun Jun 30 21:25:40 2002
++++ sshd_config Wed Jul 3 06:22:22 2002
+@@ -32,6 +32,7 @@
+
+ #LoginGraceTime 600
+ #PermitRootLogin yes
++PermitRootLogin no
+ #StrictModes yes
+
+ #RSAAuthentication yes
+@@ -56,6 +57,7 @@
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
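Review bot: The new active `PermitRootLogin no` sits directly under the commented `#PermitRootLogin yes`, and commented entries in this file conventionally show the built-in default, so a reader cannot tell which value applies when the option is absent. Only the sample configuration changes in what is visible here. Because sshd_config is listed in `PRECIOUS` in the port Makefile, an existing file is presumably kept on upgrade, and an installation whose file does not set the option would still get whatever default the binary has. A comment above the new line would make this explicit, for example `# Port default: root login over SSH is disabled; keep this line set explicitly`. Administrators upgrading should check that their own sshd_config carries an explicit `PermitRootLogin` line.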
@@ -8,7 +16,7 @@
# Kerberos options
#KerberosAuthentication no
-@@ -75,6 +76,7 @@
+@@ -75,6 +77,7 @@
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes