authorBryan Drewery <bdrewery@FreeBSD.org>2021-09-08 16:55:19 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2021-09-09 19:09:40 +0000
commita981593ecc06f124506f481e5dd0eee9ea6a70f8 (patch)
treec08a068e8638f80371c8aa7e5526fae82ade22cb /security
parent4070b50ad4b7be88b6a47229d6e6afc4e0da6a34 (diff)
security/openssh-portable: Update to 8.7p1.
Diffstat (limited to 'security')
-rw-r--r--security/openssh-portable/Makefile2
-rw-r--r--security/openssh-portable/distinfo6
-rw-r--r--security/openssh-portable/files/extra-patch-hpn63
-rw-r--r--security/openssh-portable/files/patch-sshd.810
-rw-r--r--security/openssh-portable/files/patch-sshd_config24
-rw-r--r--security/openssh-portable/files/patch-sshd_config.511
6 files changed, 45 insertions, 71 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index e9ac6fb39f13..3c072134a788 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,7 +1,7 @@
# Created by: dwcjr@inethouston.net
PORTNAME= openssh
-DISTVERSION= 8.6p1
+DISTVERSION= 8.7p1
PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 209322451613..45a643313a29 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1619547768
-SHA256 (openssh-8.6p1.tar.gz) = c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae
-SIZE (openssh-8.6p1.tar.gz) = 1786328
+TIMESTAMP = 1631042634
+SHA256 (openssh-8.7p1.tar.gz) = 7ca34b8bb24ae9e50f33792b7091b3841d7e1b440ff57bc9fabddf01e2ed1e24
+SIZE (openssh-8.7p1.tar.gz) = 1814595
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 258b36150078..ed7a78ab71a0 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -384,8 +384,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
void enable_compat13(void);
void enable_compat20(void);
---- configure.ac.orig 2020-03-22 11:06:53.034550000 -0700
-+++ configure.ac 2020-03-22 11:07:10.017487000 -0700
+--- work/openssh/configure.ac.orig 2020-03-22 11:06:53.034550000 -0700
++++ work/openssh/configure.ac 2020-03-22 11:07:10.017487000 -0700
@@ -4778,6 +4778,25 @@ AC_ARG_WITH([maildir],
]
) # maildir
@@ -524,8 +524,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
#if !defined(WITH_OPENSSL)
# undef BIGNUM
# undef EC_KEY
---- work/openssh/readconf.c.orig 2021-04-28 13:58:36.413806000 -0700
-+++ work/openssh/readconf.c 2021-04-28 14:39:31.145856000 -0700
+--- work/openssh/readconf.c.orig 2021-09-08 09:56:20.567664000 -0700
++++ work/openssh/readconf.c 2021-09-08 09:57:31.560617000 -0700
@@ -67,6 +67,9 @@
#include "uidswap.h"
#include "myproposal.h"
@@ -539,17 +539,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
@@ -168,6 +171,12 @@ typedef enum {
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ oKexAlgorithms, oIPQoS, oRequestTTY, oSessionType, oStdinNull,
+#ifdef HPN_ENABLED
+ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
+#endif
+#ifdef NONE_CIPHER_ENABLED
+ oNoneSwitch, oNoneEnabled,
+#endif
+ oForkAfterAuthentication, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -312,6 +321,16 @@ static struct {
+@@ -316,6 +325,16 @@ static struct {
{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
@@ -566,7 +566,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
{ "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
-@@ -1091,6 +1110,44 @@ parse_time:
+@@ -1125,6 +1144,44 @@ parse_time:
intptr = &options->check_host_ip;
goto parse_flag;
@@ -611,7 +611,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
multistate_ptr = multistate_yesnoask;
-@@ -2262,6 +2319,16 @@ initialize_options(Options * options)
+@@ -2386,6 +2443,16 @@ initialize_options(Options * options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->request_tty = -1;
@@ -625,10 +625,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ options->tcp_rcv_buf_poll = -1;
+ options->tcp_rcv_buf = -1;
+#endif
- options->proxy_use_fdpass = -1;
- options->ignored_unknown = NULL;
- options->num_canonical_domains = 0;
-@@ -2432,6 +2499,34 @@ fill_default_options(Options * options)
+ options->session_type = -1;
+ options->stdin_null = -1;
+ options->fork_after_authentication = -1;
+@@ -2557,6 +2624,34 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
@@ -1119,8 +1119,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */
---- work/openssh/sshconnect2.c.orig 2021-04-15 20:55:25.000000000 -0700
-+++ work/openssh/sshconnect2.c 2021-04-28 14:51:57.237202000 -0700
+--- work/openssh/sshconnect2.c.orig 2021-08-19 21:03:49.000000000 -0700
++++ work/openssh/sshconnect2.c 2021-09-08 10:02:03.037982000 -0700
@@ -84,7 +84,13 @@
extern char *client_version_string;
extern char *server_version_string;
@@ -1157,7 +1157,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal_f("kex_names_cat");
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
-@@ -489,6 +497,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -487,6 +495,29 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
@@ -1184,13 +1184,12 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ }
+ }
+#endif
-+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
---- work/openssh/sshd.c.orig 2020-11-10 21:36:31.340159000 -0800
-+++ work/openssh/sshd.c 2020-11-10 21:37:10.097038000 -0800
-@@ -1065,6 +1065,10 @@ listen_on_addrs(struct listenaddr *la)
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+--- work/openssh/sshd.c.orig 2021-09-08 10:00:01.411822000 -0700
++++ work/openssh/sshd.c 2021-09-08 10:03:02.820813000 -0700
+@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la)
int ret, listen_sock;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1201,7 +1200,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
for (ai = la->addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1110,6 +1114,13 @@ listen_on_addrs(struct listenaddr *la)
+@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la)
debug("Bind to port %s on %s.", strport, ntop);
@@ -1215,7 +1214,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1753,6 +1764,15 @@ main(int ac, char **av)
+@@ -1760,6 +1771,15 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1228,10 +1227,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ }
+#endif
+
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
-@@ -2220,6 +2240,11 @@ main(int ac, char **av)
+ /* Check that options are sensible */
+ if (options.authorized_keys_command_user == NULL &&
+ (options.authorized_keys_command != NULL &&
+@@ -2216,6 +2236,11 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);
@@ -1243,7 +1242,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2233,7 +2258,7 @@ main(int ac, char **av)
+@@ -2229,7 +2254,7 @@ main(int ac, char **av)
alarm(options.login_grace_time);
if ((r = kex_exchange_identification(ssh, -1,
@@ -1252,7 +1251,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
sshpkt_fatal(ssh, r, "banner exchange");
ssh_packet_set_nonblocking(ssh);
-@@ -2397,6 +2422,11 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh)
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex;
int r;
@@ -1262,7 +1261,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ debug ("WARNING: None cipher enabled");
+#endif
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
options.kex_algorithms);
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
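Review bot: The server-side notice that the NONE cipher has been enabled, `debug ("WARNING: None cipher enabled");` in do_ssh2_kex, is emitted at debug level, so on sshd's default LogLevel a host that permits unencrypted transport leaves no trace of that in its logs; since this rebase carries the HPN/NONE code forward unchanged, consider raising it to `logit("WARNING: None cipher enabled");` (or `error`) so it is visible at the normal INFO level. The `#ifdef NONE_CIPHER_ENABLED` guard and the `none_enabled` condition that precede this line sit just above the hunk and are not visible here, and do_ssh2_kex continues beyond it. The only functional change in this hunk is the added `ssh` argument to compat_kex_proposal, tracking the 8.7 API.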
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
index edb5c8cb6498..4d2a477899c6 100644
--- a/security/openssh-portable/files/patch-sshd.8
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -24,13 +24,3 @@ Document FreeBSD/port-specific paths
(unless root).
.It
Changes to run with normal user privileges.
-@@ -407,7 +408,8 @@
- exists, runs it; else if
- .Pa /etc/ssh/sshrc
- exists, runs
--it; otherwise runs xauth.
-+it; otherwise runs
-+.Xr xauth 1 .
- The
- .Dq rc
- files are given the X11
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 57cff284b725..b582ac8f3691 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,5 +1,5 @@
---- sshd_config.orig 2013-02-11 18:02:09.000000000 UTC
-+++ sshd_config 2013-05-13 06:46:45.153627197 -0500
+--- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700
++++ sshd_config 2021-09-07 12:34:49.372652000 -0700
@@ -10,6 +10,9 @@
# possible, but leave them commented. Uncommented options override the
# default value.
@@ -10,7 +10,7 @@
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
-@@ -50,8 +53,7 @@
+@@ -37,8 +40,7 @@
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -20,34 +20,30 @@
#AuthorizedPrincipalsFile none
-@@ -68,11 +70,11 @@
+@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-+# Change to yes to enable built-in password authentication.
++# To enable tunneled clear text passwords, change to yes here!
+#PasswordAuthentication no
#PermitEmptyPasswords no
--# Change to no to disable s/key passwords
-+# Change to no to disable PAM authentication
- #ChallengeResponseAuthentication yes
-
- # Kerberos options
-@@ -85,7 +87,7 @@
+ # Change to no to disable s/key passwords
+@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
- # be allowed through the ChallengeResponseAuthentication and
+ # be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-@@ -94,12 +96,12 @@
+@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
+ # and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
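Review bot: The new `#PasswordAuthentication no` default does not on its own disable password logins on this port, because the same file ships `#UsePAM yes` and the rebase no longer touches the keyboard-interactive setting, so PAM can still prompt for the Unix password via keyboard-interactive — the UsePAM comment in this very hunk says as much ("set PasswordAuthentication and KbdInteractiveAuthentication to 'no'"). The previous port patch warned about this by rewording the s/key line to `# Change to no to disable PAM authentication`; the rebase drops that hunk and leaves upstream's `# Change to no to disable s/key passwords`, so the hint is lost exactly when ChallengeResponseAuthentication became an alias for KbdInteractiveAuthentication. Suggest restoring it on the line preceding `#KbdInteractiveAuthentication` (not shown in the hunk, presumably unchanged from upstream), e.g. `# Change to no to disable PAM password prompts via keyboard-interactive; with UsePAM yes, PasswordAuthentication no alone does not disable password logins`. The same caveat was removed from patch-sshd_config.5 below, so the man page no longer cross-references UsePAM either.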
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 90c3940cf02c..442225160130 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,16 +1,5 @@
--- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700
+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700
-@@ -373,7 +373,9 @@ By default, no banner is displayed.
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or through authentication styles supported in
--.Xr login.conf 5 )
-+.Xr login.conf 5 ) .
-+See also
-+.Cm UsePAM .
- The default is
- .Cm yes .
- .It Cm ChrootDirectory
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
The list of available key types may also be obtained using
.Qq ssh -Q key .