D52880.id.diff
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
PORTNAME= openssh
DISTVERSION= 10.1p1
-PORTREVISION= 4
+PORTREVISION= 5
PORTEPOCH= 1
CATEGORIES= security
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -43,7 +43,7 @@
OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
HPN KERB_GSSAPI \
LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
+OPTIONS_DEFAULT= BLACKLISTD LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
.if ${FLAVOR:U} == hpn
OPTIONS_DEFAULT+= HPN NONECIPHER
.endif
@@ -99,6 +99,14 @@
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
+# Must add this patch before HPN due to conflicts
+.if !${PORT_OPTIONS:MBLACKLISTD}
+. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+# Needed glue for applying HPN patch without conflict
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-no-blocklistd-hpn-glue
+. endif
+.endif
+
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
# BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
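Review bot: The comment at the top of this hunk, `# Must add this patch before HPN due to conflicts`, is a verbatim copy of the KERB_GSSAPI comment just below it and does not explain what the glue is for, so a reader has to open the new patch file to learn why an HPN build without BLACKLISTD needs an extra patch. Suggest replacing it with something like `# extra-patch-hpn now carries a BLACKLIST_NOTIFY() call as context; without BLACKLISTD this glue supplies an empty macro so the HPN patch still applies`. The `.if !${PORT_OPTIONS:MBLACKLISTD}` / `. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}` nesting itself matches the style of the block that follows.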
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
@@ -1,9 +1,80 @@
---- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700
-+++ blacklist.c 2021-04-28 13:56:45.677805000 -0700
-@@ -0,0 +1,92 @@
+--- Makefile.in.orig 2025-10-02 12:00:00.000000000
++++ Makefile.in 2025-10-02 12:00:00.000000000
+@@ -208,6 +208,8 @@
+ FIXPATHSCMD = $(SED) $(PATHSUBS)
+ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+ @UNSUPPORTED_ALGORITHMS@
++
++LIBSSH_OBJS+= blacklist.o
+
+ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+
+--- auth-pam.c.orig 2025-10-02 12:00:00.000000000
++++ auth-pam.c 2025-10-02 12:00:00.000000000
+@@ -101,6 +101,7 @@
+ #endif
+ #include "monitor_wrap.h"
+ #include "srclimit.h"
++#include "blacklist_client.h"
+
+ extern ServerOptions options;
+ extern struct sshbuf *loginmsg;
+@@ -936,6 +937,8 @@
+ sshbuf_free(buffer);
+ return (0);
+ }
++ BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
++ "PAM illegal user");
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user, sshpam_rhost);
+--- auth.c.orig 2025-10-02 12:00:00.000000000
++++ auth.c 2025-10-02 12:00:00.000000000
+@@ -75,6 +75,7 @@
+ #include "monitor_wrap.h"
+ #include "ssherr.h"
+ #include "channels.h"
++#include "blacklist_client.h"
+
+ /* import */
+ extern ServerOptions options;
+@@ -285,8 +286,12 @@
+ authmsg = "Postponed";
+ else if (partial)
+ authmsg = "Partial";
+- else
++ else {
+ authmsg = authenticated ? "Accepted" : "Failed";
++ if (authenticated)
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
++ "Authenticated");
++ }
+
+ if ((extra = format_method_key(authctxt)) == NULL) {
+ if (authctxt->auth_method_info != NULL)
+@@ -334,6 +339,7 @@
+ {
+ Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
+ error("maximum authentication attempts exceeded for "
+ "%s%.100s from %.200s port %d ssh2",
+ authctxt->valid ? "" : "invalid user ",
+@@ -494,6 +500,8 @@
+ aix_restoreauthdb();
+ #endif
+ if (pw == NULL) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Invalid user");
+ logit("Invalid user %.100s from %.100s port %d",
+ user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+ #ifdef CUSTOM_FAILED_LOGIN
+--- blacklist.c.orig 2025-10-02 12:00:00.000000000
++++ blacklist.c 2025-10-02 12:00:00.000000000
+@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
-+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
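Review bot: The auth-pam.c hunk calls `BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL, "PAM illegal user")`, but the `blacklist_notify()` it resolves to (the blacklist.c hunk later in this file) guards only on `blstate != NULL` before calling `ssh_packet_connection_is_on_socket(ssh)`; unless that packet.c routine tolerates a NULL ssh, an illegal-user PAM failure with `UseBlacklist yes` dereferences NULL and kills the monitor for that connection. The previous version of the patch left this exact call commented out, noting that the ssh context is unavailable in `sshpam_query()`, so the sync re-enables something that was deliberately disabled. Either pass the global connection state as the sshd-session.c callers do (`the_active_state`, if it is reachable from auth-pam.c) or make the helper NULL-safe with `if (ssh != NULL && blstate != NULL && ssh_packet_connection_is_on_socket(ssh))`. If the NULL-safe form is chosen, add a comment at the auth-pam.c call site saying the notification is silently dropped there.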
@@ -48,11 +119,15 @@
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
++#include "servconf.h"
+#include <blacklist.h>
+#include "blacklist_client.h"
+
+static struct blacklist *blstate = NULL;
+
++/* import */
++extern ServerOptions options;
++
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
+
@@ -82,23 +157,24 @@
+blacklist_init(void)
+{
+
-+ blstate = bl_create(false, NULL, im_log);
++ if (options.use_blacklist)
++ blstate = bl_create(false, NULL, im_log);
+}
+
+void
-+blacklist_notify(int action, struct ssh *ssh, const char *msg)
++blacklist_notify(struct ssh *ssh, int action, const char *msg)
+{
+
+ if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
+ (void)blacklist_r(blstate, action,
+ ssh_packet_get_connection_in(ssh), msg);
+}
---- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800
-+++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800
+--- blacklist_client.h.orig 2025-10-02 12:00:00.000000000
++++ blacklist_client.h 2025-10-02 12:00:00.000000000
@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
-+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
@@ -143,23 +219,62 @@
+
+#ifdef USE_BLACKLIST
+void blacklist_init(void);
-+void blacklist_notify(int, struct ssh *, const char *);
++void blacklist_notify(struct ssh *, int, const char *);
+
+#define BLACKLIST_INIT() blacklist_init()
-+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg)
++#define BLACKLIST_NOTIFY(ssh,x,msg) blacklist_notify(ssh,x,msg)
+
+#else
+
+#define BLACKLIST_INIT()
-+#define BLACKLIST_NOTIFY(x, ssh, msg)
++#define BLACKLIST_NOTIFY(ssh,x,msg)
+
+#endif
+
+
+#endif /* BLACKLIST_CLIENT_H */
---- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700
-+++ servconf.c 2021-04-28 13:36:19.591999000 -0700
-@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
+--- monitor.c.orig 2025-10-02 12:00:00.000000000
++++ monitor.c 2025-10-02 12:00:00.000000000
+@@ -85,6 +85,8 @@
+ #include "misc.h"
+ #include "servconf.h"
+ #include "monitor.h"
++#include "blacklist_client.h"
++
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+@@ -353,16 +355,24 @@
+ }
+ }
+ if (authctxt->failures > options.max_authtries) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Too many authentication attempts");
+ /* Shouldn't happen */
+ fatal_f("privsep child made too many authentication "
+ "attempts");
+ }
+ }
+
+- if (!authctxt->valid)
+- fatal_f("authenticated invalid user");
+- if (strcmp(auth_method, "unknown") == 0)
++ if (!authctxt->valid) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Authenticated invalid user");
++ fatal_f("authenticated invalid user");
++ }
++ if (strcmp(auth_method, "unknown") == 0) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Authentication method name unknown");
+ fatal_f("authentication method name unknown");
++ }
+
+ debug_f("user %s authenticated by privileged process", authctxt->user);
+ auth_attempted = 0;
+--- servconf.c.orig 2025-10-02 12:00:00.000000000
++++ servconf.c 2025-10-02 12:00:00.000000000
+@@ -186,6 +186,7 @@
options->max_sessions = -1;
options->banner = NULL;
options->use_dns = -1;
@@ -167,7 +282,7 @@
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->num_authkeys_files = 0;
-@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -455,6 +456,8 @@
options->max_sessions = DEFAULT_SESSIONS_MAX;
if (options->use_dns == -1)
options->use_dns = 0;
@@ -176,15 +291,15 @@
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
-@@ -506,6 +509,7 @@ typedef enum {
+@@ -563,6 +566,7 @@
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
sBanner, sUseDNS, sHostbasedAuthentication,
+ sUseBlacklist,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
- sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-@@ -642,6 +646,8 @@ static struct {
+ sPerSourcePenalties, sPerSourcePenaltyExemptList,
+@@ -706,6 +710,8 @@
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
@@ -193,7 +308,7 @@
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
-@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
+@@ -1788,6 +1794,10 @@
intptr = &options->use_dns;
goto parse_flag;
@@ -203,8 +318,8 @@
+
case sLogFacility:
log_facility_ptr = &options->log_facility;
- arg = strdelim(&cp);
-@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
+ arg = argv_next(&ac, &av);
+@@ -3276,6 +3286,7 @@
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -212,9 +327,9 @@
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
---- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800
-+++ servconf.h 2020-11-16 15:51:02.962173000 -0800
-@@ -179,6 +179,7 @@ typedef struct {
+--- servconf.h.orig 2025-10-02 12:00:00.000000000
++++ servconf.h 2025-10-02 12:00:00.000000000
+@@ -195,6 +195,7 @@
int max_sessions;
char *banner; /* SSH-2 banner message */
int use_dns;
@@ -222,150 +337,61 @@
int client_alive_interval; /*
* poke the client this often to
* see if it's still there
---- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800
-+++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800
-@@ -105,6 +105,7 @@ extern char *__progname;
- #include "ssh-gss.h"
- #endif
- #include "monitor_wrap.h"
-+#include "blacklist_client.h"
-
- extern ServerOptions options;
- extern struct sshbuf *loginmsg;
-@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info,
- sshbuf_free(buffer);
- return (0);
- }
-+ /* XXX: ssh context unavailable here, unclear if this is even needed.
-+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
-+ the_active_state, sshpam_authctxt->user);
-+ */
- error("PAM: %s for %s%.100s from %.100s", msg,
- sshpam_authctxt->valid ? "" : "illegal user ",
- sshpam_authctxt->user, sshpam_rhost);
---- auth.c.orig 2020-11-16 15:52:45.824171000 -0800
-+++ auth.c 2020-11-16 15:57:51.091969000 -0800
-@@ -76,6 +76,7 @@
- #include "ssherr.h"
- #include "compat.h"
- #include "channels.h"
-+#include "blacklist_client.h"
-
- /* import */
- extern ServerOptions options;
-@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti
- authmsg = "Postponed";
- else if (partial)
- authmsg = "Partial";
-- else
-+ else {
- authmsg = authenticated ? "Accepted" : "Failed";
-+ if (authenticated)
-+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh");
-+ }
-
- if ((extra = format_method_key(authctxt)) == NULL) {
- if (authctxt->auth_method_info != NULL)
-@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
- aix_restoreauthdb();
- #endif
- if (pw == NULL) {
-+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user);
- logit("Invalid user %.100s from %.100s port %d",
- user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
- #ifdef CUSTOM_FAILED_LOGIN
---- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800
-+++ auth2.c 2020-11-16 17:12:04.852943000 -0800
-@@ -58,6 +58,7 @@
- #include "monitor_wrap.h"
- #include "digest.h"
- #include "kex.h"
-+#include "blacklist_client.h"
-
- /* import */
- extern ServerOptions options;
-@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct
- } else {
- /* Invalid user, fake password information */
- authctxt->pw = fakepw();
-+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");
- #ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
- #endif
-@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co
- } else {
- /* Allow initial try of "none" auth without failure penalty */
- if (!partial && !authctxt->server_caused_failure &&
-- (authctxt->attempt > 1 || strcmp(method, "none") != 0))
-+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
- authctxt->failures++;
-+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
-+ }
- if (authctxt->failures >= options.max_authtries) {
- #ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
---- packet.c.orig 2020-11-16 15:52:45.839070000 -0800
-+++ packet.c 2020-11-16 15:56:09.285418000 -0800
-@@ -96,6 +96,7 @@
- #include "packet.h"
- #include "ssherr.h"
- #include "sshbuf.h"
-+#include "blacklist_client.h"
-
- #ifdef PACKET_DEBUG
- #define DBG(x) x
-@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
- case SSH_ERR_NO_KEX_ALG_MATCH:
- case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
- if (ssh->kex && ssh->kex->failed_choice) {
-+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
- ssh_packet_clear_keys(ssh);
- errno = oerrno;
- logdie("Unable to negotiate with %s: %s. "
---- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700
-+++ sshd.c 2021-09-10 10:37:17.926747000 -0700
-@@ -123,6 +123,7 @@
- #include "version.h"
- #include "ssherr.h"
+--- sshd-session.c.orig 2025-10-02 12:00:00.000000000
++++ sshd-session.c 2025-10-02 12:00:00.000000000
+@@ -108,6 +108,7 @@
#include "sk-api.h"
-+#include "blacklist_client.h"
#include "srclimit.h"
#include "dh.h"
++#include "blacklist_client.h"
-@@ -2225,6 +2228,9 @@ main(int ac, char **av)
- if ((loginmsg = sshbuf_new()) == NULL)
- fatal_f("sshbuf_new failed");
- auth_debug_reset();
+ #ifdef LIBWRAP
+ #include <tcpd.h>
+@@ -223,6 +224,8 @@
+ static void
+ grace_alarm_handler(int sig)
+ {
++ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
++ "Grace period expired");
+ /*
+ * Try to kill any processes that we have spawned, E.g. authorized
+ * keys command helpers or privsep children.
+@@ -1206,6 +1209,8 @@
+ ssh_signal(SIGQUIT, SIG_DFL);
+ ssh_signal(SIGCHLD, SIG_DFL);
+ ssh_signal(SIGINT, SIG_DFL);
+
-+ if (options.use_blacklist)
-+ BLACKLIST_INIT();
++ BLACKLIST_INIT();
- if (use_privsep) {
- if (privsep_preauth(ssh) == 1)
---- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700
-+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700
-@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
- FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
- @UNSUPPORTED_ALGORITHMS@
+ /*
+ * Register our connection. This turns encryption off because we do
+@@ -1297,8 +1302,10 @@
+ }
-+LIBSSH_OBJS+= blacklist.o
-+
- all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+ if ((r = kex_exchange_identification(ssh, -1,
+- options.version_addendum)) != 0)
++ options.version_addendum)) != 0) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
+ sshpkt_fatal(ssh, r, "banner exchange");
++ }
- $(LIBSSH_OBJS): Makefile.in config.h
---- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800
-+++ sshd_config 2020-11-16 16:57:42.183846000 -0800
-@@ -94,6 +94,7 @@
- #PrintLastLog yes
- #TCPKeepAlive yes
- #PermitUserEnvironment no
-+#UseBlacklist no
- #Compression delayed
- #ClientAliveInterval 0
- #ClientAliveCountMax 3
---- sshd_config.5.orig 2023-12-18 15:59:50.000000000 +0100
-+++ sshd_config.5 2024-01-06 16:36:17.025742000 +0100
-@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with
+ ssh_packet_set_nonblocking(ssh);
+
+@@ -1443,7 +1450,10 @@
+ audit_event(the_active_state, SSH_CONNECTION_ABANDON);
+ #endif
+ /* Override default fatal exit value when auth was attempted */
+- if (i == 255 && auth_attempted)
++ if (i == 255 && auth_attempted) {
++ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
++ "Fatal exit");
+ _exit(EXIT_AUTH_ATTEMPTED);
++ }
+ _exit(i);
+ }
+--- sshd_config.5.orig 2025-10-02 12:00:00.000000000
++++ sshd_config.5 2025-10-02 12:00:00.000000000
+@@ -2009,6 +2009,20 @@
is to never expire connections for having no open channels.
This option may be useful in conjunction with
.Cm ChannelTimeout .
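Review bot: The new side no longer reports ordinary failed authentication attempts: the old patch sent `BLACKLIST_AUTH_FAIL` from `userauth_finish()` in auth2.c and from the `monitor_child_preauth()` failure branch in monitor.c (both removed in this hunk) and from `mm_answer_keyallowed()` (removed in the next hunk), whereas the synced version only notifies on invalid users, MaxAuthTries overrun, banner-exchange failure, grace-period expiry and fatal exit. A password-guessing client that stays below MaxAuthTries per connection therefore never reaches blocklistd, which is the main case the integration exists for; if this deliberately mirrors the base-system sshd, the commit message should say so, otherwise the auth2.c `userauth_finish()` hunk should be carried over. Separately, the new `grace_alarm_handler()` hunk calls `BLACKLIST_NOTIFY()` from the SIGALRM handler; `blacklist_r()` and the `im_log` logging callback are presumably not async-signal-safe, so unless the library documents otherwise that call is safest dropped or deferred to the normal exit path.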
@@ -386,34 +412,13 @@
.It Cm UseDNS
Specifies whether
.Xr sshd 8
---- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800
-+++ monitor.c 2020-11-16 17:25:57.642510000 -0800
-@@ -96,6 +96,7 @@
- #include "match.h"
- #include "ssherr.h"
- #include "sk-api.h"
-+#include "blacklist_client.h"
+--- sshd_config.orig 2025-10-02 12:00:00.000000000
++++ sshd_config 2025-10-02 12:00:00.000000000
+@@ -102,6 +102,7 @@
+ #MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
++#UseBlacklist no
+ #VersionAddendum none
- #ifdef GSSAPI
- static Gssctxt *gsscontext = NULL;
-@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor
- if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
- auth_log(ssh, authenticated, partial,
- auth_method, auth_submethod);
-- if (!partial && !authenticated)
-+ if (!partial && !authenticated) {
- authctxt->failures++;
-+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
-+ ssh, "ssh");
-+ }
- if (authenticated || partial) {
- auth2_update_session_info(authctxt,
- auth_method, auth_submethod);
-@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
- } else {
- /* Log failed attempt */
- auth_log(ssh, 0, 0, auth_method, NULL);
-+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
- free(cuser);
- free(chost);
- }
+ # no default banner path
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -1233,17 +1233,17 @@
/*
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group. We don't
---- work.clean/openssh-9.8p1/sshd-session.c.orig 2024-07-01 13:54:25.745441000 -0700
-+++ work/openssh-9.8p1/sshd-session.c 2024-07-01 13:54:57.335695000 -0700
-@@ -1305,7 +1305,7 @@ main(int ac, char **av)
- alarm(options.login_grace_time);
+--- work/openssh/sshd-session.c.orig 2025-10-11 10:19:18.935826000 -0700
++++ work/openssh/sshd-session.c 2025-10-11 10:20:11.460279000 -0700
+@@ -1281,7 +1281,7 @@ main(int ac, char **av)
+ }
if ((r = kex_exchange_identification(ssh, -1,
-- options.version_addendum)) != 0)
-+ options.version_addendum, options.hpn_disabled)) != 0)
+- options.version_addendum)) != 0) {
++ options.version_addendum, options.hpn_disabled)) != 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
sshpkt_fatal(ssh, r, "banner exchange");
-
- ssh_packet_set_nonblocking(ssh);
+ }
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
diff --git a/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue
new file mode 100644
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue
@@ -0,0 +1,27 @@
+--- sshd-session.c.orig 2025-10-11 10:16:00.048273000 -0700
++++ sshd-session.c 2025-10-11 10:16:02.937735000 -0700
+@@ -149,6 +149,12 @@ static int have_agent = 0;
+ /* Daemon's agent connection */
+ int auth_sock = -1;
+ static int have_agent = 0;
++
++/*
++ * This is compiled WITHOUT blocklistd support. This is done for patch
++ * glue in ports.
++ */
++#define BLACKLIST_NOTIFY(...)
+
+ /*
+ * Any really sensitive data in the application is contained in this
+@@ -1275,8 +1281,10 @@ main(int ac, char **av)
+ }
+
+ if ((r = kex_exchange_identification(ssh, -1,
+- options.version_addendum)) != 0)
++ options.version_addendum)) != 0) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
+ sshpkt_fatal(ssh, r, "banner exchange");
++ }
+
+ ssh_packet_set_nonblocking(ssh);
+
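Review bot: The glue defines `BLACKLIST_NOTIFY(...)` only inside sshd-session.c, so it covers exactly the one context line that extra-patch-hpn now carries in `main()`; any future HPN hunk that includes a `BLACKLIST_NOTIFY()` call in another file would fail to apply in a non-BLACKLISTD build, and nothing in the comment says so. Suggest extending the comment above the macro to state the dependency, e.g. `/* Empty stand-in for the blacklistd macro: extra-patch-hpn's context includes a BLACKLIST_NOTIFY() call in main(), so this lets it apply without extra-patch-blacklistd. */`. The `main()` block changed by the second hunk starts and ends outside the hunk.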
D52880: security/openssh-portable: Sync blocklist patch