diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 69edba17e8cc..676c1b750027 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,242 +1,244 @@ PORTNAME= openssh DISTVERSION= 9.9p1 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH WWW= https://www.openssh.com/portable.html LICENSE= OPENSSH LICENSE_NAME= OpenSSH Licenses LICENSE_FILE= ${WRKSRC}/LICENCE LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel USES= alias autoreconf compiler:c11 cpe localbase ncurses \ pkgconfig ssl GNU_CONFIGURE= yes GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share CONFIGURE_ARGS= --prefix=${PREFIX} \ --without-zlib-version-check \ --with-ssl-engine \ --with-mantype=man ETCOLD= ${PREFIX}/etc CPE_VENDOR= openbsd FLAVORS= default hpn gssapi default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \ openssh-portable-x509 hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \ openssh-portable-x509 hpn_PKGNAMESUFFIX= -portable-hpn gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \ openssh-portable-x509 gssapi_PKGNAMESUFFIX= -portable-gssapi OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN KERB_GSSAPI \ LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F .if ${FLAVOR:U} == hpn OPTIONS_DEFAULT+= HPN NONECIPHER .endif .if ${FLAVOR:U} == gssapi OPTIONS_DEFAULT+= KERB_GSSAPI MIT .endif OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support XMSS_DESC= XMSS key support (experimental) FIDO_U2F_DESC= FIDO/U2F support (security/libfido2) BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin FIDO_U2F_CONFIGURE_OFF= --disable-security-key BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi #BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. GSSAPI_DEBIAN_VERSION= 9.9p1 GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?=/ trick. PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location GSSAPI_DISTVERSION= 9.9p1 PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c .endif .if ${PORT_OPTIONS:MBLACKLISTD} CONFIGURE_LIBS+= -lblacklist .endif # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} #BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. PORTDOCS+= HPN-README HPN_VERSION= 14v15 HPN_DISTVERSION= 7.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} # Apply compatibility patch EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}} CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow SSH_ASKPASS_PATH?= ${LOCALBASE}/bin/ssh-askpass post-patch: @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} \ -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \ ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h post-configure-XMSS-on: @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h post-configure-BLACKLISTD-on: @${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/moduli \ ${STAGEDIR}${ETCDIR}/moduli.sample ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}/ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample + ${MKDIR} ${STAGEDIR}${ETCDIR}/ssh_config.d \ + ${STAGEDIR}${ETCDIR}/sshd_config.d .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ HOME="${HOME}" \ TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config new file mode 100644 index 000000000000..ea5fafad4d30 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh_config @@ -0,0 +1,11 @@ +--- ssh_config.orig 2024-09-19 15:20:48.000000000 -0700 ++++ ssh_config 2024-11-09 12:23:47.263548000 -0800 +@@ -17,6 +17,8 @@ + # list of available options, their meanings and defaults, please see the + # ssh_config(5) man page. + ++Include ssh_config.d/*.conf ++ + # Host * + # ForwardAgent no + # ForwardX11 no diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index c19496486f4f..7b6bc14977c7 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,34 +1,33 @@ -!!! -!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option. -!!! ---- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000 -+++ sshd_config 2022-02-11 18:52:31.639435000 +0000 -@@ -10,6 +10,9 @@ +--- sshd_config.orig 2024-11-09 12:22:03.414050000 -0800 ++++ sshd_config 2024-11-09 12:25:59.964286000 -0800 +@@ -10,6 +10,11 @@ # possible, but leave them commented. Uncommented options override the # default value. +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. ++ ++Include sshd_config.d/*.conf + #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -37,8 +40,7 @@ +@@ -37,8 +42,7 @@ #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 #AuthorizedPrincipalsFile none -@@ -84,7 +86,7 @@ +@@ -84,7 +88,7 @@ AuthorizedKeysFile .ssh/authorized_keys #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +#X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 15d3ff7bf9d8..f5297c2a42c2 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,57 +1,59 @@ --- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000 +++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000 @@ -701,7 +701,9 @@ .Qq ssh -Q HostbasedAcceptedAlgorithms . This was formerly named HostbasedAcceptedKeyTypes. .It Cm HostbasedAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or +.Pa /etc/hosts.equiv +authentication together with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1416,6 +1434,13 @@ +@@ -1416,6 +1434,15 @@ .Cm ethernet . The default is .Cm no . +Note that if +.Cm ChallengeResponseAuthentication +is +.Cm yes , +the root user may be allowed in with its password even if +.Cm PermitRootLogin is set to ++.Cm prohibit-password ++or +.Cm without-password . .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1774,12 +1799,19 @@ +@@ -1774,12 +1801,19 @@ .Xr sshd 8 as a non-root user. The default is +.Cm yes , +unless +.Nm sshd +was built without PAM support, in which case the default is .Cm no . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is -.Cm none . +.Cm %%SSH_VERSION_FREEBSD_PORT%% . +The value +.Cm none +may be used to disable this. .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1793,7 +1825,7 @@ +@@ -1793,7 +1827,7 @@ or .Cm no . The default is -.Cm no . +.Cm yes . .Pp When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist index 276fd4a7590d..09c4267cc7ca 100644 --- a/security/openssh-portable/pkg-plist +++ b/security/openssh-portable/pkg-plist @@ -1,32 +1,34 @@ bin/scp bin/sftp bin/ssh bin/ssh-add bin/ssh-agent bin/ssh-keygen bin/ssh-keyscan @sample %%ETCDIR%%/moduli.sample @sample %%ETCDIR%%/ssh_config.sample @sample %%ETCDIR%%/sshd_config.sample +@dir %%ETCDIR%%/ssh_config.d +@dir %%ETCDIR%%/sshd_config.d @postexec if [ -f %D/%%ETCDIR%%/ssh_host_ecdsa_key ] && grep -q DSA %D/%%ETCDIR%%/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/%%ETCDIR%%/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/%%ETCDIR%%/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi sbin/sshd libexec/sftp-server libexec/ssh-keysign libexec/ssh-pkcs11-helper libexec/ssh-sk-helper libexec/sshd-session share/man/man1/sftp.1.gz share/man/man1/ssh-add.1.gz share/man/man1/ssh-agent.1.gz share/man/man1/ssh-keygen.1.gz share/man/man1/ssh-keyscan.1.gz share/man/man1/scp.1.gz share/man/man1/ssh.1.gz share/man/man5/moduli.5.gz share/man/man5/ssh_config.5.gz share/man/man5/sshd_config.5.gz share/man/man8/sftp-server.8.gz share/man/man8/ssh-keysign.8.gz share/man/man8/ssh-pkcs11-helper.8.gz share/man/man8/ssh-sk-helper.8.gz share/man/man8/sshd.8.gz