Diffstat (limited to 'security/openssh-portable/files')
9 files changed, 363 insertions, 271 deletions
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index a7145e42ce9b..3118103c5d74 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
@@ -1,9 +1,80 @@ ---- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700 -+++ blacklist.c 2021-04-28 13:56:45.677805000 -0700 -@@ -0,0 +1,92 @@ +--- Makefile.in.orig 2025-10-02 12:00:00.000000000 ++++ Makefile.in 2025-10-02 12:00:00.000000000 +@@ -208,6 +208,8 @@ + FIXPATHSCMD = $(SED) $(PATHSUBS) + FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ + @UNSUPPORTED_ALGORITHMS@ ++ ++LIBSSH_OBJS+= blacklist.o + + all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) + +--- auth-pam.c.orig 2025-10-02 12:00:00.000000000 ++++ auth-pam.c 2025-10-02 12:00:00.000000000 +@@ -101,6 +101,7 @@ + #endif + #include "monitor_wrap.h" + #include "srclimit.h" ++#include "blacklist_client.h" + + extern ServerOptions options; + extern struct sshbuf *loginmsg; +@@ -936,6 +937,8 @@ + sshbuf_free(buffer); + return (0); + } ++ BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL, ++ "PAM illegal user"); + error("PAM: %s for %s%.100s from %.100s", msg, + sshpam_authctxt->valid ? "" : "illegal user ", + sshpam_authctxt->user, sshpam_rhost); +--- auth.c.orig 2025-10-02 12:00:00.000000000 ++++ auth.c 2025-10-02 12:00:00.000000000 +@@ -75,6 +75,7 @@ + #include "monitor_wrap.h" + #include "ssherr.h" + #include "channels.h" ++#include "blacklist_client.h" + + /* import */ + extern ServerOptions options; +@@ -285,8 +286,12 @@ + authmsg = "Postponed"; + else if (partial) + authmsg = "Partial"; +- else ++ else { + authmsg = authenticated ? "Accepted" : "Failed"; ++ if (authenticated) ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, ++ "Authenticated"); ++ } + + if ((extra = format_method_key(authctxt)) == NULL) { + if (authctxt->auth_method_info != NULL) +@@ -334,6 +339,7 @@ + { + Authctxt *authctxt = (Authctxt *)ssh->authctxt; + ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded"); + error("maximum authentication attempts exceeded for " + "%s%.100s from %.200s port %d ssh2", + authctxt->valid ? 
"" : "invalid user ", +@@ -494,6 +500,8 @@ + aix_restoreauthdb(); + #endif + if (pw == NULL) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, ++ "Invalid user"); + logit("Invalid user %.100s from %.100s port %d", + user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); + #ifdef CUSTOM_FAILED_LOGIN +--- blacklist.c.orig 2025-10-02 12:00:00.000000000 ++++ blacklist.c 2025-10-02 12:00:00.000000000 +@@ -0,0 +1,97 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. -+ * Copyright (c) 2016 The FreeBSD Foundation, Inc. ++ * Copyright (c) 2016 The FreeBSD Foundation + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl @@ -48,11 +119,15 @@ +#include "packet.h" +#include "log.h" +#include "misc.h" ++#include "servconf.h" +#include <blacklist.h> +#include "blacklist_client.h" + +static struct blacklist *blstate = NULL; + ++/* import */ ++extern ServerOptions options; ++ +/* internal definition from bl.h */ +struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list)); + @@ -82,23 +157,24 @@ +blacklist_init(void) +{ + -+ blstate = bl_create(false, NULL, im_log); ++ if (options.use_blacklist) ++ blstate = bl_create(false, NULL, im_log); +} + +void -+blacklist_notify(int action, struct ssh *ssh, const char *msg) ++blacklist_notify(struct ssh *ssh, int action, const char *msg) +{ + + if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh)) + (void)blacklist_r(blstate, action, + ssh_packet_get_connection_in(ssh), msg); +} ---- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800 -+++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800 +--- blacklist_client.h.orig 2025-10-02 12:00:00.000000000 ++++ blacklist_client.h 2025-10-02 12:00:00.000000000 @@ -0,0 +1,61 @@ +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. -+ * Copyright (c) 2016 The FreeBSD Foundation, Inc. ++ * Copyright (c) 2016 The FreeBSD Foundation + * All rights reserved. + * + * Portions of this software were developed by Kurt Lidl 
@@ -143,23 +219,62 @@ + +#ifdef USE_BLACKLIST +void blacklist_init(void); -+void blacklist_notify(int, struct ssh *, const char *); ++void blacklist_notify(struct ssh *, int, const char *); + +#define BLACKLIST_INIT() blacklist_init() -+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg) ++#define BLACKLIST_NOTIFY(ssh,x,msg) blacklist_notify(ssh,x,msg) + +#else + +#define BLACKLIST_INIT() -+#define BLACKLIST_NOTIFY(x, ssh, msg) ++#define BLACKLIST_NOTIFY(ssh,x,msg) + +#endif + + +#endif /* BLACKLIST_CLIENT_H */ ---- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ servconf.c 2021-04-28 13:36:19.591999000 -0700 -@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options) +--- monitor.c.orig 2025-10-02 12:00:00.000000000 ++++ monitor.c 2025-10-02 12:00:00.000000000 +@@ -85,6 +85,8 @@ + #include "misc.h" + #include "servconf.h" + #include "monitor.h" ++#include "blacklist_client.h" ++ + #ifdef GSSAPI + #include "ssh-gss.h" + #endif +@@ -353,16 +355,24 @@ + } + } + if (authctxt->failures > options.max_authtries) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, ++ "Too many authentication attempts"); + /* Shouldn't happen */ + fatal_f("privsep child made too many authentication " + "attempts"); + } + } + +- if (!authctxt->valid) +- fatal_f("authenticated invalid user"); +- if (strcmp(auth_method, "unknown") == 0) ++ if (!authctxt->valid) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, ++ "Authenticated invalid user"); ++ fatal_f("authenticated invalid user"); ++ } ++ if (strcmp(auth_method, "unknown") == 0) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, ++ "Authentication method name unknown"); + fatal_f("authentication method name unknown"); ++ } + + debug_f("user %s authenticated by privileged process", authctxt->user); + auth_attempted = 0; +--- servconf.c.orig 2025-10-02 12:00:00.000000000 ++++ servconf.c 2025-10-02 12:00:00.000000000 +@@ -186,6 +186,7 @@ options->max_sessions = -1; options->banner = NULL; options->use_dns = -1; 
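Review bot: The rewritten macros `#define BLACKLIST_NOTIFY(ssh,x,msg) blacklist_notify(ssh,x,msg)` and the empty `#define BLACKLIST_NOTIFY(ssh,x,msg)` drop the spaces after the commas that the old definition had; OpenSSH style elsewhere in the file is `(ssh, x, msg)`. Now that the parameter order matches the `blacklist_notify(struct ssh *, int, const char *)` prototype, naming the middle parameter `action` instead of `x` would also make the macro read like the function it wraps.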
@@ -167,7 +282,7 @@ options->client_alive_interval = -1; options->client_alive_count_max = -1; options->num_authkeys_files = 0; -@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options) +@@ -455,6 +456,8 @@ options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) options->use_dns = 0; @@ -176,15 +291,15 @@ if (options->client_alive_interval == -1) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) -@@ -506,6 +509,7 @@ typedef enum { +@@ -563,6 +566,7 @@ sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, + sUseBlacklist, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, - sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, -@@ -642,6 +646,8 @@ static struct { + sPerSourcePenalties, sPerSourcePenaltyExemptList, +@@ -706,6 +710,8 @@ { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, @@ -193,7 +308,7 @@ { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, -@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option +@@ -1788,6 +1794,10 @@ intptr = &options->use_dns; goto parse_flag; @@ -203,8 +318,8 @@ + case sLogFacility: log_facility_ptr = &options->log_facility; - arg = strdelim(&cp); -@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o) + arg = argv_next(&ac, &av); +@@ -3276,6 +3286,7 @@ dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sUseDNS, o->use_dns); 
@@ -212,9 +327,9 @@ dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); ---- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800 -+++ servconf.h 2020-11-16 15:51:02.962173000 -0800 -@@ -179,6 +179,7 @@ typedef struct { +--- servconf.h.orig 2025-10-02 12:00:00.000000000 ++++ servconf.h 2025-10-02 12:00:00.000000000 +@@ -195,6 +195,7 @@ int max_sessions; char *banner; /* SSH-2 banner message */ int use_dns; 
@@ -222,150 +337,61 @@ int client_alive_interval; /* * poke the client this often to * see if it's still there ---- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800 -+++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800 -@@ -105,6 +105,7 @@ extern char *__progname; - #include "ssh-gss.h" - #endif - #include "monitor_wrap.h" -+#include "blacklist_client.h" - - extern ServerOptions options; - extern struct sshbuf *loginmsg; -@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info, - sshbuf_free(buffer); - return (0); - } -+ /* XXX: ssh context unavailable here, unclear if this is even needed. -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, -+ the_active_state, sshpam_authctxt->user); -+ */ - error("PAM: %s for %s%.100s from %.100s", msg, - sshpam_authctxt->valid ? "" : "illegal user ", - sshpam_authctxt->user, sshpam_rhost); ---- auth.c.orig 2020-11-16 15:52:45.824171000 -0800 -+++ auth.c 2020-11-16 15:57:51.091969000 -0800 -@@ -76,6 +76,7 @@ - #include "ssherr.h" - #include "compat.h" - #include "channels.h" -+#include "blacklist_client.h" - - /* import */ - extern ServerOptions options; -@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti - authmsg = "Postponed"; - else if (partial) - authmsg = "Partial"; -- else -+ else { - authmsg = authenticated ? 
"Accepted" : "Failed"; -+ if (authenticated) -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh"); -+ } - - if ((extra = format_method_key(authctxt)) == NULL) { - if (authctxt->auth_method_info != NULL) -@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user) - aix_restoreauthdb(); - #endif - if (pw == NULL) { -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user); - logit("Invalid user %.100s from %.100s port %d", - user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); - #ifdef CUSTOM_FAILED_LOGIN ---- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800 -+++ auth2.c 2020-11-16 17:12:04.852943000 -0800 -@@ -58,6 +58,7 @@ - #include "monitor_wrap.h" - #include "digest.h" - #include "kex.h" -+#include "blacklist_client.h" - - /* import */ - extern ServerOptions options; -@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct - } else { - /* Invalid user, fake password information */ - authctxt->pw = fakepw(); -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh"); - #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); - #endif -@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co - } else { - /* Allow initial try of "none" auth without failure penalty */ - if (!partial && !authctxt->server_caused_failure && -- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) -+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { - authctxt->failures++; -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); -+ } - if (authctxt->failures >= options.max_authtries) { - #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); ---- packet.c.orig 2020-11-16 15:52:45.839070000 -0800 -+++ packet.c 2020-11-16 15:56:09.285418000 -0800 -@@ -96,6 +96,7 @@ - #include "packet.h" - #include "ssherr.h" - #include "sshbuf.h" -+#include "blacklist_client.h" - - #ifdef PACKET_DEBUG - #define DBG(x) x -@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, - case SSH_ERR_NO_KEX_ALG_MATCH: 
- case SSH_ERR_NO_HOSTKEY_ALG_MATCH: - if (ssh->kex && ssh->kex->failed_choice) { -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); - ssh_packet_clear_keys(ssh); - errno = oerrno; - logdie("Unable to negotiate with %s: %s. " ---- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700 -+++ sshd.c 2021-09-10 10:37:17.926747000 -0700 -@@ -123,6 +123,7 @@ - #include "version.h" - #include "ssherr.h" +--- sshd-session.c.orig 2025-10-02 12:00:00.000000000 ++++ sshd-session.c 2025-10-02 12:00:00.000000000 +@@ -108,6 +108,7 @@ #include "sk-api.h" -+#include "blacklist_client.h" #include "srclimit.h" #include "dh.h" ++#include "blacklist_client.h" -@@ -2225,6 +2228,9 @@ main(int ac, char **av) - if ((loginmsg = sshbuf_new()) == NULL) - fatal_f("sshbuf_new failed"); - auth_debug_reset(); + #ifdef LIBWRAP + #include <tcpd.h> +@@ -223,6 +224,8 @@ + static void + grace_alarm_handler(int sig) + { ++ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, ++ "Grace period expired"); + /* + * Try to kill any processes that we have spawned, E.g. authorized + * keys command helpers or privsep children. +@@ -1206,6 +1209,8 @@ + ssh_signal(SIGQUIT, SIG_DFL); + ssh_signal(SIGCHLD, SIG_DFL); + ssh_signal(SIGINT, SIG_DFL); + -+ if (options.use_blacklist) -+ BLACKLIST_INIT(); ++ BLACKLIST_INIT(); - if (use_privsep) { - if (privsep_preauth(ssh) == 1) ---- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 -+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 -@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S - FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ - @UNSUPPORTED_ALGORITHMS@ + /* + * Register our connection. 
This turns encryption off because we do +@@ -1297,8 +1302,10 @@ + } -+LIBSSH_OBJS+= blacklist.o -+ - all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) + if ((r = kex_exchange_identification(ssh, -1, +- options.version_addendum)) != 0) ++ options.version_addendum)) != 0) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); + sshpkt_fatal(ssh, r, "banner exchange"); ++ } - $(LIBSSH_OBJS): Makefile.in config.h ---- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 -+++ sshd_config 2020-11-16 16:57:42.183846000 -0800 -@@ -94,6 +94,7 @@ - #PrintLastLog yes - #TCPKeepAlive yes - #PermitUserEnvironment no -+#UseBlacklist no - #Compression delayed - #ClientAliveInterval 0 - #ClientAliveCountMax 3 ---- sshd_config.5.orig 2023-12-18 15:59:50.000000000 +0100 -+++ sshd_config.5 2024-01-06 16:36:17.025742000 +0100 -@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with + ssh_packet_set_nonblocking(ssh); + +@@ -1443,7 +1450,10 @@ + audit_event(the_active_state, SSH_CONNECTION_ABANDON); + #endif + /* Override default fatal exit value when auth was attempted */ +- if (i == 255 && auth_attempted) ++ if (i == 255 && auth_attempted) { ++ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, ++ "Fatal exit"); + _exit(EXIT_AUTH_ATTEMPTED); ++ } + _exit(i); + } +--- sshd_config.5.orig 2025-10-02 12:00:00.000000000 ++++ sshd_config.5 2025-10-02 12:00:00.000000000 +@@ -2009,6 +2009,20 @@ is to never expire connections for having no open channels. This option may be useful in conjunction with .Cm ChannelTimeout . 
@@ -386,34 +412,13 @@ .It Cm UseDNS Specifies whether .Xr sshd 8 ---- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800 -+++ monitor.c 2020-11-16 17:25:57.642510000 -0800 -@@ -96,6 +96,7 @@ - #include "match.h" - #include "ssherr.h" - #include "sk-api.h" -+#include "blacklist_client.h" +--- sshd_config.orig 2025-10-02 12:00:00.000000000 ++++ sshd_config 2025-10-02 12:00:00.000000000 +@@ -102,6 +102,7 @@ + #MaxStartups 10:30:100 + #PermitTunnel no + #ChrootDirectory none ++#UseBlacklist no + #VersionAddendum none - #ifdef GSSAPI - static Gssctxt *gsscontext = NULL; -@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor - if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { - auth_log(ssh, authenticated, partial, - auth_method, auth_submethod); -- if (!partial && !authenticated) -+ if (!partial && !authenticated) { - authctxt->failures++; -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, -+ ssh, "ssh"); -+ } - if (authenticated || partial) { - auth2_update_session_info(authctxt, - auth_method, auth_submethod); -@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct - } else { - /* Log failed attempt */ - auth_log(ssh, 0, 0, auth_method, NULL); -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); - free(cuser); - free(chost); - } + # no default banner path diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index 6fec82f1fc2e..a4df93cc2186 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn 
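Review bot: The per-attempt failure hooks that only the old side carried — the `BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh")` after `authctxt->failures++` in auth2.c userauth_finish and in monitor.c monitor_child_preauth, the one in mm_answer_keyallowed, and the packet.c sshpkt_vfatal hook on KEX failure — have no counterpart on the new side, where BLACKLIST_AUTH_FAIL is sent only for an invalid user, when max_authtries is exceeded, on grace-period expiry, on banner-exchange failure, and from cleanup_exit when auth_attempted is set. If that is intended, blocklistd now sees roughly one report per connection rather than one per failed attempt, which changes what an existing blocklistd.conf threshold means, and the UseBlacklist text in sshd_config.5 should say so; if not, the notification after `authctxt->failures++` should come back. Separately, the new call in grace_alarm_handler runs inside a signal handler, and blacklist_r is presumably not async-signal-safe; the existing handler already calls non-async-safe routines, so this is inherited rather than new, but worth a comment. grace_alarm_handler and cleanup_exit both continue outside the hunk.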
@@ -905,9 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o .It Fl r Recursively copy entire directories when uploading and downloading. Note that ---- work/openssh/ssh.c.orig 2024-06-30 21:36:28.000000000 -0700 -+++ work/openssh/ssh.c 2024-07-01 13:58:31.555859000 -0700 -@@ -1070,6 +1070,14 @@ main(int ac, char **av) +--- work/openssh/ssh.c.orig 2025-10-05 19:25:16.000000000 -0700 ++++ work/openssh/ssh.c 2025-10-06 08:20:57.445863000 -0700 +@@ -1092,6 +1092,14 @@ main(int ac, char **av) break; case 'T': options.request_tty = REQUEST_TTY_NO; @@ -922,7 +922,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o break; case 'o': line = xstrdup(optarg); -@@ -2159,6 +2167,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes +@@ -2235,6 +2243,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes NULL, fileno(stdin), command, environ); } @@ -1001,7 +1001,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* open new channel for a session */ static int ssh_session2_open(struct ssh *ssh) -@@ -2177,9 +2257,17 @@ ssh_session2_open(struct ssh *ssh) +@@ -2253,9 +2333,17 @@ ssh_session2_open(struct ssh *ssh) if (in == -1 || out == -1 || err == -1) fatal("dup() in/out/err failed"); 
@@ -1019,22 +1019,22 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o window >>= 1; packetmax >>= 1; } -@@ -2188,6 +2276,12 @@ ssh_session2_open(struct ssh *ssh) - window, packetmax, CHAN_EXTENDED_WRITE, +@@ -2265,6 +2353,12 @@ ssh_session2_open(struct ssh *ssh) "client-session", CHANNEL_NONBLOCK_STDIO); - + if (tty_flag) + channel_set_tty(ssh, c); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) { + c->dynamic_window = 1; + debug ("Enabled Dynamic Window Scaling"); + } +#endif - debug3_f("channel_new: %d", c->self); + debug3_f("channel_new: %d%s", c->self, tty_flag ? " (tty)" : ""); channel_send_open(ssh, c->self); -@@ -2203,6 +2297,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in +@@ -2280,6 +2374,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in { - int r, interactive, id = -1; + int r, id = -1; char *cp, *tun_fwd_ifname = NULL; + +#ifdef HPN_ENABLED 
@@ -1233,17 +1233,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. We don't ---- work.clean/openssh-9.8p1/sshd-session.c.orig 2024-07-01 13:54:25.745441000 -0700 -+++ work/openssh-9.8p1/sshd-session.c 2024-07-01 13:54:57.335695000 -0700 -@@ -1305,7 +1305,7 @@ main(int ac, char **av) - alarm(options.login_grace_time); +--- work/openssh/sshd-session.c.orig 2025-10-11 10:19:18.935826000 -0700 ++++ work/openssh/sshd-session.c 2025-10-11 10:20:11.460279000 -0700 +@@ -1281,7 +1281,7 @@ main(int ac, char **av) + } if ((r = kex_exchange_identification(ssh, -1, -- options.version_addendum)) != 0) -+ options.version_addendum, options.hpn_disabled)) != 0) +- options.version_addendum)) != 0) { ++ options.version_addendum, options.hpn_disabled)) != 0) { + BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); sshpkt_fatal(ssh, r, "banner exchange"); - - ssh_packet_set_nonblocking(ssh); + } --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 @@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -1267,11 +1267,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no ---- work/openssh/version.h.orig 2025-02-18 00:15:08.000000000 -0800 -+++ work/openssh/version.h 2025-02-19 07:59:36.425254000 -0800 +--- work/openssh/version.h.orig 2025-10-05 19:25:16.000000000 -0700 ++++ work/openssh/version.h 2025-10-06 08:19:38.217160000 -0700 @@ -4,3 +4,4 @@ - #define SSH_PORTABLE "p2" + #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_HPN "-hpn14v15" --- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700 
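Review bot: The refreshed sshd-session.c context in this hunk now contains `BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");`, so the HPN patch only applies after the blocklistd patch (or the new extra-patch-no-blocklistd-hpn-glue) has added that line, and nothing in the patch text states that ordering. A short line above the `--- work/openssh/sshd-session.c.orig` header, e.g. `depends on extra-patch-blacklistd or extra-patch-no-blocklistd-hpn-glue for the BLACKLIST_NOTIFY context line`, would save the next refresh a failed apply. The enclosing main() starts and ends outside the hunk.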
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index ef6542e0e64a..58c2d7a0e0e7 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat @@ -16,12 +16,12 @@ r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ ---- readconf.c.orig 2025-04-09 00:02:43.000000000 -0700 -+++ readconf.c 2025-04-10 21:55:30.974643000 -0700 -@@ -332,6 +332,12 @@ static struct { - { "obscurekeystroketiming", oObscureKeystrokeTiming }, - { "channeltimeout", oChannelTimeout }, +--- readconf.c.orig 2025-10-05 19:25:16.000000000 -0700 ++++ readconf.c 2025-10-06 08:47:03.024775000 -0700 +@@ -328,6 +328,12 @@ static struct { { "versionaddendum", oVersionAddendum }, + { "refuseconnection", oRefuseConnection }, + { "warnweakcrypto", oWarnWeakCrypto }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, diff --git a/security/openssh-portable/files/extra-patch-hpn-gss-glue b/security/openssh-portable/files/extra-patch-hpn-gss-glue index 57b47e8b023a..3924a57f9d67 100644 --- a/security/openssh-portable/files/extra-patch-hpn-gss-glue +++ b/security/openssh-portable/files/extra-patch-hpn-gss-glue @@ -22,9 +22,9 @@ if (options.gss_keyex) { /* Add the GSSAPI mechanisms currently supported on this * client to the key exchange algorithm proposal */ ---- readconf.c.orig 2019-07-19 12:13:18.000312000 -0700 -+++ readconf.c 2019-07-19 12:13:29.614552000 -0700 -@@ -63,11 +63,11 @@ +--- readconf.c.orig 2025-10-08 15:36:47.220504000 -0700 ++++ readconf.c 2025-10-08 15:38:09.729314000 -0700 +@@ -60,11 +60,11 @@ #include "readconf.h" #include "match.h" #include "kex.h" 
@@ -34,12 +34,12 @@ #include "myproposal.h" #include "digest.h" -#include "ssh-gss.h" + #include "version.h" /* Format of the configuration file: - ---- servconf.c.orig 2019-07-19 12:14:42.078398000 -0700 -+++ servconf.c 2019-07-19 12:14:43.543687000 -0700 -@@ -54,6 +54,7 @@ +--- servconf.c.orig 2025-10-08 15:36:47.223017000 -0700 ++++ servconf.c 2025-10-08 15:38:32.182178000 -0700 +@@ -56,6 +56,7 @@ #include "sshkey.h" #include "kex.h" #include "mac.h" @@ -47,11 +47,11 @@ #include "match.h" #include "channels.h" #include "groupaccess.h" -@@ -64,7 +65,6 @@ +@@ -66,7 +67,6 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" -#include "ssh-gss.h" + #include "version.h" - static void add_listen_addr(ServerOptions *, const char *, - const char *, int); + #if !defined(SSHD_PAM_SERVICE) diff --git a/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue new file mode 100644 index 000000000000..1059f57cc88b --- /dev/null +++ b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue @@ -0,0 +1,27 @@ +--- sshd-session.c.orig 2025-10-11 10:16:00.048273000 -0700 ++++ sshd-session.c 2025-10-11 10:16:02.937735000 -0700 +@@ -149,6 +149,12 @@ static int have_agent = 0; + /* Daemon's agent connection */ + int auth_sock = -1; + static int have_agent = 0; ++ ++/* ++ * This is compiled WITHOUT blocklistd support. This is done for patch ++ * glue in ports. ++ */ ++#define BLACKLIST_NOTIFY(...) + + /* + * Any really sensitive data in the application is contained in this +@@ -1275,8 +1281,10 @@ main(int ac, char **av) + } + + if ((r = kex_exchange_identification(ssh, -1, +- options.version_addendum)) != 0) ++ options.version_addendum)) != 0) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); + sshpkt_fatal(ssh, r, "banner exchange"); ++ } + + ssh_packet_set_nonblocking(ssh); + 
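Review bot: The new glue file defines `#define BLACKLIST_NOTIFY(...)` unconditionally near the top of sshd-session.c, so if blacklist_client.h is ever included there as well the macro is redefined without a guard. Wrapping it as `#ifndef BLACKLIST_NOTIFY` / `#define BLACKLIST_NOTIFY(...)` / `#endif` keeps the glue harmless in that case, and the comment above it could state that this is a stand-in for the macro from blacklist_client.h rather than just "patch glue". The remainder of main() is outside the hunk.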
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in index 9526a70b0d07..1818d0bf0984 100644 --- a/security/openssh-portable/files/openssh.in +++ b/security/openssh-portable/files/openssh.in @@ -23,8 +23,6 @@ load_rc_config ${name} : ${openssh_skipportscheck="NO"} # These only control ssh-keygen automatically generating host keys. -: ${openssh_dsa_enable="YES"} -: ${openssh_dsa_flags=""} : ${openssh_rsa_enable="YES"} : ${openssh_rsa_flags=""} : ${openssh_ecdsa_enable="YES"} @@ -43,14 +41,12 @@ pidfile=${openssh_pidfile:="/var/run/sshd.pid"} openssh_keygen() { - local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519= - checkyesno openssh_dsa_enable || skip_dsa=y + local skip_rsa= skip_ecdsa= skip_ed25519= checkyesno openssh_rsa_enable || skip_rsa=y checkyesno openssh_ecdsa_enable || skip_ecdsa=y checkyesno openssh_ed25519_enable || skip_ed25519=y - if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \ - \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \ + if [ \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \ \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \ \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then return 0 @@ -62,15 +58,6 @@ openssh_keygen() [ -x %%PREFIX%%/bin/ssh-keygen ] || err 1 "%%PREFIX%%/bin/ssh-keygen does not exist." - if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then - echo "You already have a DSA host key" \ - "in %%ETCDIR%%/ssh_host_dsa_key" - echo "Skipping protocol version 2 DSA Key Generation" - elif checkyesno openssh_dsa_enable; then - %%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \ - -f %%ETCDIR%%/ssh_host_dsa_key -N '' - fi - if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then echo "You already have a RSA host key" \ "in %%ETCDIR%%/ssh_host_rsa_key" diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1 index 8e5a9777519f..d44465be3124 100644 
--- a/security/openssh-portable/files/patch-ssh-agent.1 +++ b/security/openssh-portable/files/patch-ssh-agent.1 @@ -4,21 +4,21 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.1.orig 2020-02-13 16:40:54.000000000 -0800 -+++ ssh-agent.1 2020-03-21 17:03:22.952068000 -0700 +--- ssh-agent.1.orig 2025-10-05 19:25:16.000000000 -0700 ++++ ssh-agent.1 2025-10-06 08:30:26.521757000 -0700 @@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s --.Op Fl \&Dd -+.Op Fl \&Ddx +-.Op Fl \&DdTU ++.Op Fl \&DdTUx .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash - .Op Fl P Ar provider_whitelist -@@ -125,6 +125,8 @@ A lifetime specified for an identity with - .Xr ssh-add 1 - overrides this value. - Without this option the default maximum lifetime is forever. + .Op Fl O Ar option +@@ -203,6 +203,8 @@ will delete stale agent sockets regardless of the host + If this option is given twice, + .Nm + will delete stale agent sockets regardless of the host name that created them. +.It Fl x +Exit after the last client has disconnected. .It Ar command Op Ar arg ... diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index cd85012d883f..b17027d0e340 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c 
@@ -8,11 +8,11 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2023-12-18 06:59:50.000000000 -0800 -+++ ssh-agent.c 2023-12-19 17:16:22.128981000 -0800 -@@ -196,11 +196,28 @@ - /* Refuse signing of non-SSH messages for web-origin FIDO keys */ +--- ssh-agent.c.orig 2025-10-05 19:25:16.000000000 -0700 ++++ ssh-agent.c 2025-10-06 08:33:47.247562000 -0700 +@@ -193,11 +193,28 @@ static char *websafe_allowlist; static int restrict_websafe = 1; + static char *websafe_allowlist; +/* + * Client connection count; incremented in new_socket() and decremented in @@ -39,7 +39,7 @@ disconnected. close(e->fd); sshbuf_free(e->input); sshbuf_free(e->output); -@@ -213,6 +230,8 @@ +@@ -210,6 +227,8 @@ close_socket(SocketEntry *e) memset(e, '\0', sizeof(*e)); e->fd = -1; e->type = AUTH_UNUSED; @@ -48,7 +48,7 @@ disconnected. } static void -@@ -1893,6 +1912,10 @@ +@@ -1887,6 +1906,10 @@ new_socket(sock_type type, int fd) debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" : (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN")); 
@@ -59,16 +59,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -2184,7 +2207,7 @@ +@@ -2177,7 +2200,7 @@ usage(void) usage(void) { fprintf(stderr, -- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" -+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" +- "usage: ssh-agent [-c | -s] [-DdTU] [-a bind_address] [-E fingerprint_hash]\n" ++ "usage: ssh-agent [-c | -s] [-DdTUx] [-a bind_address] [-E fingerprint_hash]\n" " [-O option] [-P allowed_providers] [-t life]\n" - " ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n" + " ssh-agent [-TU] [-a bind_address] [-E fingerprint_hash] [-O option]\n" " [-P allowed_providers] [-t life] command [arg ...]\n" -@@ -2218,6 +2241,7 @@ +@@ -2218,6 +2241,7 @@ main(int ac, char **av) /* drop */ (void)setegid(getgid()); (void)setgid(getgid()); @@ -76,22 +76,22 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -2229,7 +2253,7 @@ +@@ -2229,7 +2253,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); -- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) { +- while ((ch = getopt(ac, av, "cDdksTuUE:a:O:P:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksTuUE:a:O:P:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -2280,6 +2304,9 @@ - fprintf(stderr, "Invalid lifetime\n"); +@@ -2286,6 +2310,9 @@ main(int ac, char **av) usage(); } -+ break; + break; + case 'x': + xcount = 0; ++ break; + case 'T': + T_flag++; break; - default: - usage(); diff --git a/security/openssh-portable/files/patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 b/security/openssh-portable/files/patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 new file mode 100644 index 000000000000..e9cb994331ab --- /dev/null +++ b/security/openssh-portable/files/patch-upstream-beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 
@@ -0,0 +1,73 @@ +From beae06f56e0d0a66ca535896149d5fb0b2e8a1b4 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Tue, 7 Oct 2025 08:02:32 +0000 +Subject: [PATCH] upstream: don't reuse c->isatty for signalling that the + remote channel + +has a tty attached as this causes side effects, e.g. in channel_handle_rfd(). +bz3872 + +ok markus@ + +OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8 +--- + channels.c | 9 +++++---- + channels.h | 3 ++- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/channels.c b/channels.c +index f1d7bcf345b..80014ff341f 100644 +--- channels.c ++++ channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c) + { + struct ssh_channels *sc = ssh->chanctxt; + const char *type = c->xctype == NULL ? c->ctype : c->xctype; +- const char *classifier = c->isatty ? ++ const char *classifier = (c->isatty || c->remote_has_tty) ? + sc->bulk_classifier_tty : sc->bulk_classifier_notty; + + c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1; +@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, + void + channel_set_tty(struct ssh *ssh, Channel *c) + { +- c->isatty = 1; ++ c->remote_has_tty = 1; + channel_classify(ssh, c); + } + +@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c) + c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan, + c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id, + c->io_want, c->io_ready, +- c->isatty ? "T" : "", c->bulk ? "B" : "I"); ++ c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""), ++ c->bulk ? 
"B" : "I"); + return ret; + } + +diff --git a/channels.h b/channels.h +index df7c7f364d2..7456541f8ce 100644 +--- channels.h ++++ channels.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */ + + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> +@@ -145,6 +145,7 @@ struct Channel { + int ctl_chan; /* control channel (multiplexed connections) */ + uint32_t ctl_child_id; /* child session for mux controllers */ + int have_ctl_child_id;/* non-zero if ctl_child_id is valid */ ++ int remote_has_tty; /* remote side has a tty */ + int isatty; /* rfd is a tty */ + #ifdef _AIX + int wfd_isatty; /* wfd is a tty */ |