Index: head/security/openssh-portable/Makefile
===================================================================
--- head/security/openssh-portable/Makefile (revision 392997)
+++ head/security/openssh-portable/Makefile (revision 392998)
@@ -1,229 +1,228 @@ # Created by: dwcjr@inethouston.net # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.8p1 -PORTREVISION= 8 +DISTVERSION= 6.9p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH #LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style #LICENSE_FILE= ${WRKSRC}/LICENCE CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* USES= alias USE_AUTOTOOLS= autoconf autoheader USE_OPENSSL= yes GNU_CONFIGURE= yes CONFIGURE_ENV= ac_cv_func_strnvis=no CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ --without-zlib-version-check --with-ssl-engine ETCOLD= ${PREFIX}/etc OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ OVERWRITE_BASE SCTP LDNS NONECIPHER OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support X509_DESC= x509 certificate patch SCTP_DESC= SCTP support OVERWRITE_BASE_DESC= EOL, No longer supported. 
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support OPTIONS_SUB= yes -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ttssh TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns LDNS_CFLAGS= -I${LOCALBASE}/include LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' # http://www.psc.edu/index.php/hpn-ssh HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 8.3 +X509_VERSION= 8.4 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -X509_PATCHFILES= ${PORTNAME}-6.8p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1 SCTP_CONFIGURE_WITH= sctp MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} .endif # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} PORTDOCS+= HPN-README HPN_VERSION= 14v5 HPN_DISTVERSION= 6.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= 
${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .endif # Must add this patch after HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} # 6.7 patch taken from # http://sources.debian.net/data/main/o/openssh/1:6.7p1-3/debian/patches/gssapi.patch # which was originally based on 5.7 patch from # http://www.sxw.org.uk/computing/patches/ PATCHFILES+= openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz:-p1:gsskex .endif .if ${OSVERSION} >= 900000 CONFIGURE_LIBS+= -lutil .endif # 900007 is when utmp(5) was removed and utmpx(3) added .if ${OSVERSION} >= 900007 CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog .else EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size .endif # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MX509} . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif . if ${PORT_OPTIONS:MSCTP} BROKEN= X509 patch and SCTP patch do not apply cleanly together . endif . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif .endif . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= Does not apply to 6.8 . endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . 
if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty .if ${PORT_OPTIONS:MOVERWRITE_BASE} || defined(OPENSSH_OVERWRITE_BASE) IGNORE= Overwrite base option is no longer supported. .endif USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}//ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include Index: head/security/openssh-portable/distinfo =================================================================== --- head/security/openssh-portable/distinfo (revision 
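Review bot: SCTP_PATCHFILES still names `${PORTNAME}-6.8p1-sctp-2573.patch.gz` while DISTVERSION moves to 6.9p1, so the SCTP option now applies a patch generated against the previous release; unless it has been confirmed to apply to 6.9p1, guard it the way KERB_GSSAPI is (`BROKEN= SCTP patch does not apply to 6.9`) rather than letting it fail at patch time. The KERB_GSSAPI guard message `BROKEN= Does not apply to 6.8` is also stale after this bump and should read 6.9. Separately, the bumped X509 patch is fetched over plain http from X509_PATCH_SITES (and the shatow mirror), so the updated SHA256 in distinfo is the only integrity check on that code; the commit should say where the new hash was obtained so a reviewer can confirm it was not taken from the same unauthenticated download.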
392997)
+++ head/security/openssh-portable/distinfo (revision 392998)
@@ -1,8 +1,8 @@
-SHA256 (openssh-6.8p1.tar.gz) = 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e
-SIZE (openssh-6.8p1.tar.gz) = 1475953
-SHA256 (openssh-6.8p1+x509-8.3.diff.gz) = 34dbefcce8509d3c876be3e7d8966455c7c3589a6872bdfb1f8ce3d133f4d304
-SIZE (openssh-6.8p1+x509-8.3.diff.gz) = 347942
+SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe
+SIZE (openssh-6.9p1.tar.gz) = 1487617
+SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb
+SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687
 SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
 SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
 SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
 SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
Index: head/security/openssh-portable/files/patch-compat.c
===================================================================
--- head/security/openssh-portable/files/patch-compat.c (revision 392997)
+++ head/security/openssh-portable/files/patch-compat.c (nonexistent)
@@ -1,17 +0,0 @@
-Avoid a heap overflow. Upstream did not deem this a security issue. It appears
-to be mostly harmless too.
-
-http://www.openwall.com/lists/oss-security/2015/05/16/3
-https://anongit.mindrot.org/openssh.git/commit/?id=77199d6ec8986d470487e66f8ea8f4cf43d2e20c
-
---- compat.c 2015-03-17 06:49:20.000000000 +0100
-+++ compat.c 2015-05-03 17:51:32.251293388 +0200
-@@ -229,7 +229,7 @@
- buffer_init(&b);
- tmp = orig_prop = xstrdup(proposal);
- while ((cp = strsep(&tmp, ",")) != NULL) {
-- if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
-+ if (match_pattern_list(cp, filter, strlen(filter), 0) != 1) {
- if (buffer_len(&b) > 0)
- buffer_append(&b, ",", 1);
- buffer_append(&b, cp, strlen(cp));
Property changes on: head/security/openssh-portable/files/patch-compat.c
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: head/security/openssh-portable/files/patch-monitor_wrap.c
===================================================================
--- head/security/openssh-portable/files/patch-monitor_wrap.c (revision 392997)
+++ head/security/openssh-portable/files/patch-monitor_wrap.c (nonexistent)
@@ -1,16 +0,0 @@
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index b379f05..d39d491 100644
---- monitor_wrap.c
-+++ monitor_wrap.c
-@@ -153,10 +153,8 @@ mm_request_receive(int sock, Buffer *m)
- debug3("%s entering", __func__);
-
- if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
-- if (errno == EPIPE) {
-- error("%s: socket closed", __func__);
-+ if (errno == EPIPE)
- cleanup_exit(255);
-- }
- fatal("%s: read: %s", __func__, strerror(errno));
- }
- msg_len = get_u32(buf);
Property changes on: head/security/openssh-portable/files/patch-monitor_wrap.c
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: head/security/openssh-portable/files/extra-patch-ttssh
===================================================================
--- head/security/openssh-portable/files/extra-patch-ttssh (revision 392997)
+++ head/security/openssh-portable/files/extra-patch-ttssh (nonexistent)
@@ -1,78 +0,0 @@ -commit d8f391caef62378463a0e6b36f940170dadfe605 -Author: dtucker@openbsd.org -Date: Fri Apr 10 05:16:50 2015 +0000 - - upstream commit - - Don't send hostkey advertisments - (hostkeys-00@openssh.com) to current versions of Tera Term as they can't - handle them. Newer versions should be OK. Patch from Bryan Drewery and - IWAMOTO Kouichi, ok djm@ - -diff --git compat.c compat.c -index 2498168..0934de9 100644 ---- compat.c -+++ compat.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: compat.c,v 1.88 2015/04/07 23:00:42 djm Exp $ */ -+/* $OpenBSD: compat.c,v 1.89 2015/04/10 05:16:50 dtucker Exp $ */ - /* - * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. - * -@@ -167,6 +167,17 @@ compat_datafellows(const char *version) - SSH_BUG_SCANNER }, - { "Probe-*", - SSH_BUG_PROBE }, -+ { "TeraTerm SSH*," -+ "TTSSH/1.5.*," -+ "TTSSH/2.1*," -+ "TTSSH/2.2*," -+ "TTSSH/2.3*," -+ "TTSSH/2.4*," -+ "TTSSH/2.5*," -+ "TTSSH/2.6*," -+ "TTSSH/2.70*," -+ "TTSSH/2.71*," -+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS }, - { NULL, 0 } - }; - -diff --git compat.h compat.h -index af2f007..83507f0 100644 ---- compat.h -+++ compat.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: compat.h,v 1.46 2015/01/19 20:20:20 markus Exp $ */ -+/* $OpenBSD: compat.h,v 1.47 2015/04/10 05:16:50 dtucker Exp $ */ - - /* - * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. 
-@@ -60,6 +60,7 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 - #define SSH_BUG_CURVE25519PAD 0x10000000 -+#define SSH_BUG_HOSTKEYS 0x20000000 - - void enable_compat13(void); - void enable_compat20(void); -diff --git sshd.c sshd.c -index 6aa17fa..60b0cd4 100644 ---- sshd.c -+++ sshd.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshd.c,v 1.445 2015/03/31 22:55:24 djm Exp $ */ -+/* $OpenBSD: sshd.c,v 1.446 2015/04/10 05:16:50 dtucker Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh) - int i, nkeys, r; - char *fp; - -+ /* Some clients cannot cope with the hostkeys message, skip those. */ -+ if (datafellows & SSH_BUG_HOSTKEYS) -+ return; -+ - if ((buf = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new", __func__); - for (i = nkeys = 0; i < options.num_host_key_files; i++) { Property changes on: head/security/openssh-portable/files/extra-patch-ttssh ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/extra-patch-hpn =================================================================== --- head/security/openssh-portable/files/extra-patch-hpn (revision 392997) +++ head/security/openssh-portable/files/extra-patch-hpn (revision 392998) @@ -1,1300 +1,1299 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/openssh-6.8p1/HPN-README work/openssh-6.8p1/HPN-README --- work.clean/openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600 +++ work/openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500 
@@ -0,0 +1,129 @@ +Notes: + +MULTI-THREADED CIPHER: +The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations +on hosts with multiple cores to use more than one processing core during encryption. +Tests have show significant throughput performance increases when using MTR-AES-CTR up +to and including a full gigabit per second on quad core systems. It should be possible to +achieve full line rate on dual core systems but OS and data management overhead makes this +more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single +thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal +performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. +The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same +nomenclature. +Use examples: ssh -caes128-ctr you@host.com + scp -oCipher=aes256-ctr file you@host.com:~/file + +NONE CIPHER: +To use the NONE option you must have the NoneEnabled switch set on the server and +you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE +feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not +spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will +be disabled. + +The performance increase will only be as good as the network and TCP stack tuning +on the reciever side of the connection allows. As a rule of thumb a user will need +at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The +HPN-SSH home page describes this in greater detail. + +http://www.psc.edu/networking/projects/hpn-ssh + +BUFFER SIZES: + +If HPN is disabled the receive buffer size will be set to the +OpenSSH default of 64K. + +If an HPN system connects to a nonHPN system the receive buffer will +be set to the HPNBufferSize value. The default is 2MB but user adjustable. 
+ +If an HPN to HPN connection is established a number of different things might +happen based on the user options and conditions. + +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set +HPN Buffer Size = up to 64MB +This is the default state. The HPN buffer size will grow to a maximum of 64MB +as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is +geared towards 10GigE transcontinental connections. + +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set +HPN Buffer Size = TCP receive buffer value. +Users on non-autotuning systesm should disable TCPRcvBufPoll in the +ssh_cofig and sshd_config + +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set +HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. +This would be the system defined TCP receive buffer (RWIN). + +Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. +Generally there is no need to set both. + +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set +HPN Buffer Size = grows to HPNBufferSize +The buffer will grow up to the maximum size specified here. + +Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET +HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. +Generally there is no need to set both of these, especially on autotuning +systems. However, if the users wishes to override the autotuning this would be +one way to do it. + +Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET +HPN Buffer Size = TCPRcvBuf. +This will override autotuning and set the TCP recieve buffer to the user defined +value. + + +HPN Specific Configuration options + +TcpRcvBuf=[int]KB client + set the TCP socket receive buffer to n Kilobytes. It can be set up to the +maximum socket size allowed by the system. 
This is useful in situations where +the tcp receive window is set low but the maximum buffer size is set +higher (as is typical). This works on a per TCP connection basis. You can also +use this to artifically limit the transfer rate of the connection. In these +cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. +Default is the current system wide tcp receive buffer size. + +TcpRcvBufPoll=[yes/no] client/server + enable of disable the polling of the tcp receive buffer through the life +of the connection. You would want to make sure that this option is enabled +for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) +default is yes. + +NoneEnabled=[yes/no] client/server + enable or disable the use of the None cipher. Care must always be used +when enabling this as it will allow users to send data in the clear. However, +it is important to note that authentication information remains encrypted +even if this option is enabled. Set to no by default. + +NoneSwitch=[yes/no] client + Switch the encryption cipher being used to the None cipher after +authentication takes place. NoneEnabled must be enabled on both the client +and server side of the connection. When the connection switches to the NONE +cipher a warning is sent to STDERR. The connection attempt will fail with an +error if a client requests a NoneSwitch from the server that does not explicitly +have NoneEnabled set to yes. Note: The NONE cipher cannot be used in +interactive (shell) sessions and it will fail silently. Set to no by default. + +HPNDisabled=[yes/no] client/server + In some situations, such as transfers on a local area network, the impact +of the HPN code produces a net decrease in performance. In these cases it is +helpful to disable the HPN functionality. By default HPNDisabled is set to no. + +HPNBufferSize=[int]KB client/server + This is the default buffer size the HPN functionality uses when interacting +with nonHPN SSH installations. 
Conceptually this is similar to the TcpRcvBuf +option as applied to the internal SSH flow control. This value can range from +1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance +problems depending on the length of the network path. The default size of this buffer +is 2MB. + + +Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu) + The majority of the actual coding for versions up to HPN12v1 was performed + by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was + implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota + (tasota@gmail.com) an NSF REU grant recipient for 2013. + This work was financed, in part, by Cisco System, Inc., the National + Library of Medicine, and the National Science Foundation. --- work.clean/openssh-6.8p1/channels.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/channels.c 2015-04-03 15:51:59.599537000 -0500 @@ -183,8 +183,14 @@ static int connect_next(struct channel_connect *); static void channel_connect_ctx_free(struct channel_connect *); + +#ifdef HPN_ENABLED +static int hpn_disabled = 0; +static int hpn_buffer_size = 2 * 1024 * 1024; +#endif + /* -- channel core */ Channel * channel_by_id(int id) { @@ -333,6 +339,9 @@ c->local_window_max = window; c->local_consumed = 0; c->local_maxpacket = maxpack; +#ifdef HPN_ENABLED + c->dynamic_window = 0; +#endif c->remote_id = -1; c->remote_name = xstrdup(remote_name); c->remote_window = 0; 
@@ -837,11 +846,41 @@ FD_SET(c->sock, writeset); } +#ifdef HPN_ENABLED +static u_int +channel_tcpwinsz(void) +{ + u_int32_t tcpwinsz = 0; + socklen_t optsz = sizeof(tcpwinsz); + int ret = -1; + + /* if we aren't on a socket return 128KB */ + if (!packet_connection_is_on_socket()) + return (128*1024); + ret = getsockopt(packet_get_connection_in(), + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); + /* return no more than SSHBUF_SIZE_MAX */ + if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX) + tcpwinsz = SSHBUF_SIZE_MAX; + debug2("tcpwinsz: %d for connection: %d", tcpwinsz, + packet_get_connection_in()); + return (tcpwinsz); +} +#endif + static void channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) { u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); +#ifdef HPN_ENABLED + /* check buffer limits */ + if (!c->tcpwinsz || c->dynamic_window > 0) + c->tcpwinsz = channel_tcpwinsz(); + + limit = MIN(limit, 2 * c->tcpwinsz); +#endif + if (c->istate == CHAN_INPUT_OPEN && limit > 0 && buffer_len(&c->input) < limit && @@ -1846,6 +1885,20 @@ c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { +#ifdef HPN_ENABLED + /* adjust max window size if we are in a dynamic environment */ + if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) { + u_int addition = 0; + + /* + * grow the window somewhat aggressively to maintain + * pressure + */ + addition = 1.5*(c->tcpwinsz - c->local_window_max); + c->local_window_max += addition; + c->local_consumed += addition; + } +#endif packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); packet_put_int(c->remote_id); packet_put_int(c->local_consumed); 
@@ -2794,6 +2847,17 @@ return addr; } +#ifdef HPN_ENABLED +void +channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size) +{ + hpn_disabled = external_hpn_disabled; + hpn_buffer_size = external_hpn_buffer_size; + debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, + hpn_buffer_size); +} +#endif + static int channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, int *allocated_listen_port, struct ForwardOptions *fwd_opts) @@ -2918,9 +2982,20 @@ } /* Allocate a channel number for the socket. */ +#ifdef HPN_ENABLED + /* + * explicitly test for hpn disabled option. if true use smaller + * window size. + */ + if (!hpn_disabled) + c = channel_new("port listener", type, sock, sock, -1, + hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, + 0, "port listener", 1); + else +#endif c = channel_new("port listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); c->path = xstrdup(host); c->host_port = fwd->connect_port; c->listening_addr = addr == NULL ? NULL : xstrdup(addr); @@ -3952,6 +4027,14 @@ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; +#ifdef HPN_ENABLED + if (!hpn_disabled) + nc = channel_new("x11 listener", + SSH_CHANNEL_X11_LISTENER, sock, sock, -1, + hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, + 0, "X11 inet listener", 1); + else +#endif nc = channel_new("x11 listener", SSH_CHANNEL_X11_LISTENER, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, --- work.clean/openssh-6.8p1/channels.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/channels.h 2015-04-03 13:58:44.472717000 -0500 @@ -136,6 +136,10 @@ u_int local_maxpacket; int extended_usage; int single_connection; +#ifdef HPN_ENABLED + int dynamic_window; + u_int tcpwinsz; +#endif char *ctype; /* type */ 
@@ -311,4 +315,9 @@ void chan_write_failed(Channel *); void chan_obuf_empty(Channel *); +#ifdef HPN_ENABLED +/* hpn handler */ +void channel_set_hpn(int, int); +#endif + #endif --- work.clean/openssh-6.8p1/cipher.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/cipher.c 2015-04-03 16:22:04.972592000 -0500 @@ -244,7 +244,13 @@ for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; (p = strsep(&cp, CIPHER_SEP))) { c = cipher_by_name(p); - if (c == NULL || c->number != SSH_CIPHER_SSH2) { + if (c == NULL || (c->number != SSH_CIPHER_SSH2 && +#ifdef NONE_CIPHER_ENABLED + c->number != SSH_CIPHER_NONE +#else + 1 +#endif + )) { free(cipher_list); return 0; } @@ -545,6 +551,9 @@ switch (c->number) { #ifdef WITH_OPENSSL +#ifdef NONE_CIPHER_ENABLED + case SSH_CIPHER_NONE: +#endif case SSH_CIPHER_SSH2: case SSH_CIPHER_DES: case SSH_CIPHER_BLOWFISH: @@ -593,6 +602,9 @@ switch (c->number) { #ifdef WITH_OPENSSL +#ifdef NONE_CIPHER_ENABLED + case SSH_CIPHER_NONE: +#endif case SSH_CIPHER_SSH2: case SSH_CIPHER_DES: case SSH_CIPHER_BLOWFISH: --- work.clean/openssh-6.8p1/clientloop.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/clientloop.c 2015-04-03 17:29:40.618489000 -0500 @@ -1909,6 +1909,15 @@ sock = x11_connect_display(); if (sock < 0) return NULL; +#ifdef HPN_ENABLED + /* again is this really necessary for X11? */ + if (!options.hpn_disabled) + c = channel_new("x11", + SSH_CHANNEL_X11_OPEN, sock, sock, -1, + options.hpn_buffer_size, + CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); + else +#endif c = channel_new("x11", SSH_CHANNEL_X11_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); 
@@ -1934,6 +1943,14 @@ __func__, ssh_err(r)); return NULL; } +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new("authentication agent connection", + SSH_CHANNEL_OPEN, sock, sock, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, + "authentication agent connection", 1); + else +#endif c = channel_new("authentication agent connection", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, @@ -1964,6 +1981,12 @@ return -1; } +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + else +#endif c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; --- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500 
@@ -177,6 +177,14 @@ debug("match: %s pat %s compat 0x%08x", version, check[i].pat, check[i].bugs); datafellows = check[i].bugs; /* XXX for now */ +#ifdef HPN_ENABLED + /* Check to see if the remote side is OpenSSH and not HPN */ + if (strstr(version,"OpenSSH") != NULL && + strstr(version,"hpn") == NULL) { + datafellows |= SSH_BUG_LARGEWINDOW; + debug("Remote is NON-HPN aware"); + } +#endif return check[i].bugs; } } ---- work.clean/openssh-6.8p1/compat.h 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/compat.h 2015-04-03 16:39:34.780416000 -0500 -@@ -60,7 +60,10 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 +--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/compat.h 2015-06-02 09:55:04.208681000 -0500 +@@ -62,6 +62,9 @@ #define SSH_BUG_CURVE25519PAD 0x10000000 #define SSH_BUG_HOSTKEYS 0x20000000 + #define SSH_BUG_DHGEX_LARGE 0x40000000 +#ifdef HPN_ENABLED -+#define SSH_BUG_LARGEWINDOW 0x40000000 ++#define SSH_BUG_LARGEWINDOW 0x80000000 +#endif void enable_compat13(void); void enable_compat20(void); --- work.clean/openssh-6.8p1/configure.ac 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/configure.ac 2015-04-03 16:36:28.916502000 -0500 @@ -4238,6 +4238,25 @@ ] ) # maildir +#check whether user wants HPN support +HPN_MSG="no" +AC_ARG_WITH(hpn, + [ --with-hpn Enable HPN support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.]) + HPN_MSG="yes" + fi ] +) +#check whether user wants NONECIPHER support +NONECIPHER_MSG="no" +AC_ARG_WITH(nonecipher, + [ --with-nonecipher Enable NONECIPHER support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.]) + NONECIPHER_MSG="yes" + fi ] +) + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) disable_ptmx_check=yes 
@@ -4905,6 +4924,8 @@ echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" +echo " HPN support: $HPN_MSG" +echo " NONECIPHER support: $NONECIPHER_MSG" echo "" --- work.clean/openssh-6.8p1/kex.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/kex.c 2015-04-03 17:06:44.032682000 -0500 @@ -587,6 +587,13 @@ int nenc, nmac, ncomp; u_int mode, ctos, need, dh_need, authlen; int r, first_kex_follows; +#ifdef NONE_CIPHER_ENABLED + /* XXX: Could this move into the lower block? */ + int auth_flag; + + auth_flag = ssh_packet_authentication_state(ssh); + debug ("AUTH STATE IS %d", auth_flag); +#endif if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 || (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) @@ -635,6 +642,17 @@ if ((r = choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp])) != 0) goto out; +#ifdef NONE_CIPHER_ENABLED + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); + if (strcmp(newkeys->enc.name, "none") == 0) { + debug("Requesting NONE. Authflag is %d", auth_flag); + if (auth_flag == 1) { + debug("None requested post authentication."); + } else { + fatal("Pre-authentication none cipher requests are not allowed."); + } + } +#endif debug("kex: %s %s %s %s", ctos ? "client->server" : "server->client", newkeys->enc.name, --- work.clean/openssh-6.8p1/myproposal.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/myproposal.h 2015-04-03 16:43:33.747402000 -0500 @@ -171,6 +171,10 @@ #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_LANG "" +#ifdef NONE_CIPHER_ENABLED +#define KEX_ENCRYPT_INCLUDE_NONE KEX_SERVER_ENCRYPT ",none" +#endif + #define KEX_CLIENT \ KEX_CLIENT_KEX, \ KEX_DEFAULT_PK_ALG, \ --- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500 
@@ -2199,6 +2199,24 @@ } } +#ifdef NONE_CIPHER_ENABLED +/* this supports the forced rekeying required for the NONE cipher */ +int rekey_requested = 0; +void +packet_request_rekeying(void) +{ + rekey_requested = 1; +} + +int +ssh_packet_authentication_state(struct ssh *ssh) +{ + struct session_state *state = ssh->state; + + return(state->after_authentication); +} +#endif + #define MAX_PACKETS (1U<<31) int ssh_packet_need_rekeying(struct ssh *ssh) @@ -2207,6 +2225,12 @@ if (ssh->compat & SSH_BUG_NOREKEY) return 0; +#ifdef NONE_CIPHER_ENABLED + if (rekey_requested == 1) { + rekey_requested = 0; + return 1; + } +#endif return (state->p_send.packets > MAX_PACKETS) || (state->p_read.packets > MAX_PACKETS) || --- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500 @@ -188,6 +188,11 @@ int sshpkt_get_end(struct ssh *ssh); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); +#ifdef NONE_CIPHER_ENABLED +void packet_request_rekeying(void); +int ssh_packet_authentication_state(struct ssh *ssh); +#endif + /* OLD API */ extern struct ssh *active_state; #include "opacket.h" --- work.clean/openssh-6.8p1/readconf.c 2015-04-01 22:07:18.135435000 -0500 +++ work/openssh-6.8p1/readconf.c 2015-04-03 15:10:44.188916000 -0500 @@ -154,6 +154,12 @@ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, +#ifdef HPN_ENABLED + oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf, +#endif +#ifdef NONE_CIPHER_ENABLED + oNoneSwitch, oNoneEnabled, +#endif oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 
@@ -276,6 +282,16 @@ { "fingerprinthash", oFingerprintHash }, { "updatehostkeys", oUpdateHostkeys }, { "hostbasedkeytypes", oHostbasedKeyTypes }, +#ifdef NONE_CIPHER_ENABLED + { "noneenabled", oNoneEnabled }, + { "noneswitch", oNoneSwitch }, +#endif +#ifdef HPN_ENABLED + { "tcprcvbufpoll", oTcpRcvBufPoll }, + { "tcprcvbuf", oTcpRcvBuf }, + { "hpndisabled", oHPNDisabled }, + { "hpnbuffersize", oHPNBufferSize }, +#endif { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } @@ -917,6 +933,44 @@ intptr = &options->check_host_ip; goto parse_flag; +#ifdef HPN_ENABLED + case oHPNDisabled: + intptr = &options->hpn_disabled; + goto parse_flag; + + case oHPNBufferSize: + intptr = &options->hpn_buffer_size; + goto parse_int; + + case oTcpRcvBufPoll: + intptr = &options->tcp_rcv_buf_poll; + goto parse_flag; + + case oTcpRcvBuf: + intptr = &options->tcp_rcv_buf; + goto parse_int; +#endif + +#ifdef NONE_CIPHER_ENABLED + case oNoneEnabled: + intptr = &options->none_enabled; + goto parse_flag; + + /* we check to see if the command comes from the */ + /* command line or not. If it does then enable it */ + /* otherwise fail. NONE should never be a default configuration */ + case oNoneSwitch: + if(strcmp(filename,"command-line") == 0) { + intptr = &options->none_switch; + goto parse_flag; + } else { + error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename); + error("Continuing..."); + debug("NoneSwitch directive found in %.200s.", filename); + return 0; + } +#endif + case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; multistate_ptr = multistate_yesnoask; 
@@ -1678,6 +1732,16 @@ options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; +#ifdef NONE_CIPHER_ENABLED + options->none_switch = -1; + options->none_enabled = -1; +#endif +#ifdef HPN_ENABLED + options->hpn_disabled = -1; + options->hpn_buffer_size = -1; + options->tcp_rcv_buf_poll = -1; + options->tcp_rcv_buf = -1; +#endif options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; options->num_canonical_domains = 0; @@ -1838,6 +1902,35 @@ options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; +#ifdef NONE_CIPHER_ENABLED + if (options->none_switch == -1) + options->none_switch = 0; + if (options->none_enabled == -1) + options->none_enabled = 0; +#endif +#ifdef HPN_ENABLED + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; + if (options->hpn_buffer_size > -1) { + /* if a user tries to set the size to 0 set it to 1KB */ + if (options->hpn_buffer_size == 0) + options->hpn_buffer_size = 1; + /* limit the buffer to 64MB */ + if (options->hpn_buffer_size > 64*1024) { + options->hpn_buffer_size = 64*1024*1024; + debug("User requested buffer larger than 64MB. Request" + " reverted to 64MB"); + } else + options->hpn_buffer_size *= 1024; + debug("hpn_buffer_size set to %d", options->hpn_buffer_size); + } + if (options->tcp_rcv_buf == 0) + options->tcp_rcv_buf = 1; + if (options->tcp_rcv_buf > -1) + options->tcp_rcv_buf *=1024; + if (options->tcp_rcv_buf_poll == -1) + options->tcp_rcv_buf_poll = 1; +#endif if (options->control_master == -1) options->control_master = 0; if (options->control_persist == -1) { --- work.clean/openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500 
@@ -105,6 +105,16 @@ int clear_forwardings; int enable_ssh_keysign; +#ifdef NONE_CIPHER_ENABLED + int none_switch; /* Use none cipher */ + int none_enabled; /* Allow none to be used */ +#endif +#ifdef HPN_ENABLED + int tcp_rcv_buf; /* user switch to set tcp recv buffer */ + int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */ + int hpn_disabled; /* Switch to disable HPN buffer management */ + int hpn_buffer_size; /* User definable size for HPN buffer window */ +#endif int64_t rekey_limit; int rekey_interval; int no_host_authentication_for_localhost; --- work.clean/openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500 @@ -750,7 +750,7 @@ off_t i, statbytes; size_t amt, nr; int fd = -1, haderr, indx; - char *last, *name, buf[2048], encname[PATH_MAX]; + char *last, *name, buf[16384], encname[PATH_MAX]; int len; for (indx = 0; indx < argc; ++indx) { 
@@ -919,7 +919,7 @@ off_t size, statbytes; unsigned long long ull; int setimes, targisdir, wrerrno = 0; - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; + char ch, *cp, *np, *targ, *why, *vect[1], buf[16384]; struct timeval tv[2]; #define atime tv[0] ---- work.clean/openssh-6.8p1/servconf.c 2015-04-01 22:07:18.142441000 -0500 -+++ work/openssh-6.8p1/servconf.c 2015-04-03 16:32:16.114236000 -0500 -@@ -160,6 +160,14 @@ - options->revoked_keys_file = NULL; - options->trusted_user_ca_keys = NULL; +--- work/openssh/servconf.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ work/openssh/servconf.c 2015-06-02 09:56:36.041601000 -0500 +@@ -163,6 +163,14 @@ initialize_server_options(ServerOptions options->authorized_principals_file = NULL; + options->authorized_principals_command = NULL; + options->authorized_principals_command_user = NULL; +#ifdef NONE_CIPHER_ENABLED + options->none_enabled = -1; +#endif +#ifdef HPN_ENABLED + options->tcp_rcv_buf_poll = -1; + options->hpn_disabled = -1; + options->hpn_buffer_size = -1; +#endif options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; -@@ -326,6 +334,57 @@ +@@ -329,6 +337,57 @@ fill_default_server_options(ServerOption } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; +#ifdef NONE_CIPHER_ENABLED + if (options->none_enabled == -1) + options->none_enabled = 0; +#endif +#ifdef HPN_ENABLED + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; + + if (options->hpn_buffer_size == -1) { + /* + * option not explicitly set. Now we have to figure out + * what value to use. 
+ */ + if (options->hpn_disabled == 1) { + options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; + } else { + int sock, socksize; + socklen_t socksizelen = sizeof(socksize); + + /* + * get the current RCV size and set it to that + * create a socket but don't connect it + * we use that the get the rcv socket size + */ + sock = socket(AF_INET, SOCK_STREAM, 0); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + close(sock); + options->hpn_buffer_size = socksize; + debug ("HPN Buffer Size: %d", options->hpn_buffer_size); + } + } else { + /* + * we have to do this incase the user sets both values in a + * contradictory manner. hpn_disabled overrrides + * hpn_buffer_size + */ + if (options->hpn_disabled <= 0) { + if (options->hpn_buffer_size == 0) + options->hpn_buffer_size = 1; + /* limit the maximum buffer to 64MB */ + if (options->hpn_buffer_size > 64*1024) { + options->hpn_buffer_size = 64*1024*1024; + } else { + options->hpn_buffer_size *= 1024; + } + } else + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; + } +#endif + if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) -@@ -401,6 +460,12 @@ +@@ -406,6 +465,12 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +#ifdef NONE_CIPHER_ENABLED + sNoneEnabled, +#endif +#ifdef HPN_ENABLED + sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +#endif + sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, -@@ -529,6 +594,14 @@ +@@ -537,6 +602,14 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, +#ifdef NONE_CIPHER_ENABLED + { "noneenabled", sNoneEnabled, 
SSHCFG_ALL }, +#endif +#ifdef HPN_ENABLED + { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, + { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, + { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, +#endif { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -@@ -1113,6 +1186,25 @@ +@@ -1156,6 +1229,25 @@ process_server_config_line(ServerOptions intptr = &options->ignore_user_known_hosts; goto parse_flag; +#ifdef NONE_CIPHER_ENABLED + case sNoneEnabled: + intptr = &options->none_enabled; + goto parse_flag; +#endif +#ifdef HPN_ENABLED + case sTcpRcvBufPoll: + intptr = &options->tcp_rcv_buf_poll; + goto parse_flag; + + case sHPNDisabled: + intptr = &options->hpn_disabled; + goto parse_flag; + + case sHPNBufferSize: + intptr = &options->hpn_buffer_size; + goto parse_int; +#endif + case sRhostsRSAAuthentication: intptr = &options->rhosts_rsa_authentication; goto parse_flag; --- work.clean/openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500 @@ -169,6 +169,15 @@ int use_pam; /* Enable auth via PAM */ +#ifdef NONE_CIPHER_ENABLED + int none_enabled; /* enable NONE cipher switch */ +#endif +#ifdef HPN_ENABLED + int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/ + int hpn_disabled; /* disable hpn functionality. false by default */ + int hpn_buffer_size; /* set the hpn buffer size - default 3MB */ +#endif + int permit_tun; int num_permitted_opens; --- work.clean/openssh-6.8p1/serverloop.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/serverloop.c 2015-04-03 17:14:15.182548000 -0500 
@@ -1051,6 +1051,12 @@ sock = tun_open(tun, mode); if (sock < 0) goto done; +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, + options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); + else +#endif c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); c->datagram = 1; @@ -1088,6 +1094,10 @@ c = channel_new("session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf_poll && !options.hpn_disabled) + c->dynamic_window = 1; +#endif if (session_open(the_authctxt, c->self) != 1) { debug("session open failed, free channel %d", c->self); channel_free(c); --- work.clean/openssh-6.8p1/session.c 2015-04-01 22:07:18.149110000 -0500 +++ work/openssh-6.8p1/session.c 2015-04-03 17:09:02.984097000 -0500 @@ -2340,6 +2340,14 @@ */ if (s->chanid == -1) fatal("no channel for session %d", s->self); +#ifdef HPN_ENABLED + if (!options.hpn_disabled) + channel_set_fds(s->chanid, + fdout, fdin, fderr, + ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, + 1, is_tty, options.hpn_buffer_size); + else +#endif channel_set_fds(s->chanid, fdout, fdin, fderr, ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ, --- work.clean/openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500 
@@ -263,7 +263,8 @@ Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. -The default is 64 outstanding requests. +The default is 256 outstanding requests providing for 8MB +of outstanding data with a 32KB buffer. .It Fl r Recursively copy entire directories when uploading and downloading. Note that --- work.clean/openssh-6.8p1/sftp.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/sftp.c 2015-04-03 17:16:00.959795000 -0500 @@ -71,7 +71,11 @@ #include "sftp-client.h" #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ +#ifdef HPN_ENABLED +#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ +#else #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ +#endif /* File to read commands from */ FILE* infile; --- work.clean/openssh-6.8p1/ssh.c 2015-04-01 22:07:18.166356000 -0500 +++ work/openssh-6.8p1/ssh.c 2015-04-03 17:16:34.114673000 -0500 @@ -885,6 +885,14 @@ break; case 'T': options.request_tty = REQUEST_TTY_NO; +#ifdef NONE_CIPHER_ENABLED + /* + * ensure that the user doesn't try to backdoor a + * null cipher switch on an interactive session + * so explicitly disable it no matter what. + */ + options.none_switch = 0; +#endif break; case 'o': line = xstrdup(optarg); 
@@ -1848,9 +1856,85 @@ if (!isatty(err)) set_nonblock(err); +#ifdef HPN_ENABLED + /* + * we need to check to see if what they want to do about buffer + * sizes here. In a hpn to nonhpn connection we want to limit + * the window size to something reasonable in case the far side + * has the large window bug. In hpn to hpn connection we want to + * use the max window size but allow the user to override it + * lastly if they disabled hpn then use the ssh std window size + + * so why don't we just do a getsockopt() here and set the + * ssh window to that? In the case of a autotuning receive + * window the window would get stuck at the initial buffer + * size generally less than 96k. Therefore we need to set the + * maximum ssh window size to the maximum hpn buffer size + * unless the user has specifically set the tcprcvbufpoll + * to no. In which case we *can* just set the window to the + * minimum of the hpn buffer size and tcp receive buffer size + */ + + if (tty_flag) + options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT; + else + options.hpn_buffer_size = 2*1024*1024; + + if (datafellows & SSH_BUG_LARGEWINDOW) { + debug("HPN to Non-HPN Connection"); + } else { + int sock, socksize; + socklen_t socksizelen = sizeof(socksize); + + if (options.tcp_rcv_buf_poll <= 0) { + sock = socket(AF_INET, SOCK_STREAM, 0); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + close(sock); + debug("socksize %d", socksize); + options.hpn_buffer_size = socksize; + debug ("HPNBufferSize set to TCP RWIN: %d", + options.hpn_buffer_size); + } else { + if (options.tcp_rcv_buf > 0) { + /* + * create a socket but don't connect it. 
+ * we use that the get the rcv socket size + */ + sock = socket(AF_INET, SOCK_STREAM, 0); + /* + * if they are using the tcp_rcv_buf option + * attempt to set the buffer size to that + */ + if (options.tcp_rcv_buf) + setsockopt(sock, SOL_SOCKET, SO_RCVBUF, + (void *)&options.tcp_rcv_buf, + sizeof(options.tcp_rcv_buf)); + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + close(sock); + debug("socksize %d", socksize); + options.hpn_buffer_size = socksize; + debug ("HPNBufferSize set to user TCPRcvBuf: " + "%d", options.hpn_buffer_size); + } + } + } + + debug("Final hpn_buffer_size = %d", options.hpn_buffer_size); + + window = options.hpn_buffer_size; + + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); +#else window = CHAN_SES_WINDOW_DEFAULT; +#endif + packetmax = CHAN_SES_PACKET_DEFAULT; if (tty_flag) { +#ifdef HPN_ENABLED + window = CHAN_SES_WINDOW_DEFAULT; +#endif window >>= 1; packetmax >>= 1; } @@ -1859,6 +1943,12 @@ window, packetmax, CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) { + c->dynamic_window = 1; + debug ("Enabled Dynamic Window Scaling"); + } +#endif debug3("ssh_session2_open: channel_new: %d", c->self); channel_send_open(c->self); --- work.clean/openssh-6.8p1/sshconnect.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/sshconnect.c 2015-04-03 16:32:38.204744000 -0500 
@@ -266,6 +266,31 @@ kill(proxy_command_pid, SIGHUP); } +#ifdef HPN_ENABLED +/* + * Set TCP receive buffer if requested. + * Note: tuning needs to happen after the socket is + * created but before the connection happens + * so winscale is negotiated properly -cjr + */ +static void +ssh_set_socket_recvbuf(int sock) +{ + void *buf = (void *)&options.tcp_rcv_buf; + int sz = sizeof(options.tcp_rcv_buf); + int socksize; + socklen_t socksizelen = sizeof(socksize); + + debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf); + if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) { + getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen); + debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize); + } else + error("Couldn't set socket receive buffer to %d: %.100s", + options.tcp_rcv_buf, strerror(errno)); +} +#endif + /* * Creates a (possibly privileged) socket for use as the ssh connection. */ @@ -282,6 +307,11 @@ } fcntl(sock, F_SETFD, FD_CLOEXEC); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf > 0) + ssh_set_socket_recvbuf(sock); +#endif + /* Bind the socket to an alternative local IP address */ if (options.bind_address == NULL && !privileged) return sock; 
@@ -523,11 +553,23 @@ send_client_banner(int connection_out, i { /* Send our own protocol version identification. */ if (compat20) { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +#ifdef HPN_ENABLED + options.hpn_disabled ? "" : SSH_HPN +#else + "" +#endif + ); } else { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); + xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\n", + PROTOCOL_MAJOR_1, minor1, SSH_VERSION, +#ifdef HPN_ENABLED + options.hpn_disabled ? "" : SSH_HPN +#else + "" +#endif + ); } if (roaming_atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) --- work.clean/openssh-6.8p1/sshconnect2.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/sshconnect2.c 2015-04-03 16:54:23.936298000 -0500 @@ -80,6 +80,14 @@ extern char *client_version_string; extern char *server_version_string; extern Options options; +#ifdef NONE_CIPHER_ENABLED +struct kex *xxx_kex; + +/* tty_flag is set in ssh.c. use this in ssh_userauth2 */ +/* if it is set then prevent the switch to the null cipher */ + +extern int tty_flag; +#endif /* * SSH2 key exchange @@ -153,13 +161,16 @@ return ret; } +static char *myproposal[PROPOSAL_MAX]; +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; void ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; struct kex *kex; int r; + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + xxx_host = host; xxx_hostaddr = hostaddr; 
@@ -222,6 +233,10 @@ kex->server_version_string=server_version_string; kex->verify_host_key=&verify_host_key_callback; +#ifdef NONE_CIPHER_ENABLED + xxx_kex = kex; +#endif + dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); if (options.use_roaming && !kex->roaming) { @@ -423,6 +438,29 @@ pubkey_cleanup(&authctxt); dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); +#ifdef NONE_CIPHER_ENABLED + /* + * if the user wants to use the none cipher do it + * post authentication and only if the right conditions are met + * both of the NONE commands must be true and there must be no + * tty allocated. + */ + if ((options.none_switch == 1) && (options.none_enabled == 1)) { + if (!tty_flag) { /* no null on tty sessions */ + debug("Requesting none rekeying..."); + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; + kex_prop2buf(xxx_kex->my, myproposal); + packet_request_rekeying(); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + } else { + /* requested NONE cipher when in a tty */ + debug("Cannot switch to NONE cipher with tty allocated"); + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); + } + } +#endif + debug("Authentication succeeded (%s).", authctxt.method->name); } --- work.clean/openssh-6.8p1/sshd.c.orig 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/sshd.c 2015-05-06 13:29:02.129507000 -0500 @@ -430,8 +430,13 @@ sshd_exchange_identification(int sock_in minor = PROTOCOL_MINOR_1; } - xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", major, minor, SSH_VERSION, +#ifdef HPN_ENABLED + options.hpn_disabled ? "" : SSH_HPN, +#else + "", +#endif *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); 
@@ -1149,6 +1154,10 @@ server_listen(void) int ret, listen_sock, on = 1; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; +#ifdef HPN_ENABLED + int socksize; + socklen_t socksizelen = sizeof(socksize); +#endif for (ai = options.listen_addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) @@ -1189,6 +1198,13 @@ server_listen(void) debug("Bind to port %s on %s.", strport, ntop); +#ifdef HPN_ENABLED + getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + debug("Server TCP RWIN socket size: %d", socksize); + debug("HPN Buffer Size: %d", options.hpn_buffer_size); +#endif + /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { error("Bind to port %s on %s failed: %.200s.", @@ -2132,6 +2148,11 @@ main(int ac, char **av) remote_ip, remote_port, get_local_ipaddr(sock_in), get_local_port()); +#ifdef HPN_ENABLED + /* set the HPN options for the child */ + channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size); +#endif + /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is @@ -2531,6 +2552,12 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; +#ifdef NONE_CIPHER_ENABLED + } else if (options.none_enabled == 1) { + debug ("WARNING: None cipher enabled"); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE; +#endif } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 
@@ -127,6 +127,20 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# disable hpn performance boosts +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# allow the use of the none cipher +#NoneEnabled no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no --- work.clean/openssh-6.8p1/version.h 2015-04-01 22:07:18.258955000 -0500 +++ work/openssh-6.8p1/version.h 2015-04-02 16:51:25.209617000 -0500 @@ -3,4 +3,5 @@ #define SSH_VERSION "OpenSSH_6.8" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_HPN "-hpn14v5" Index: head/security/openssh-portable/files/patch-servconf.c =================================================================== --- head/security/openssh-portable/files/patch-servconf.c (revision 392997) +++ head/security/openssh-portable/files/patch-servconf.c (revision 392998) @@ -1,58 +1,49 @@ --- servconf.c.orig 2015-03-22 23:58:50.869706000 -0500 +++ servconf.c 2015-03-22 23:59:46.645390000 -0500 @@ -81,6 +81,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" +#include "version.h" static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); 
@@ -216,7 +217,7 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) - options->use_pam = 0; + options->use_pam = 1; /* X.509 Standard Options */ #ifdef OPENSSL_FIPS -@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption - if (options->key_regeneration_time == -1) - options->key_regeneration_time = 3600; - if (options->permit_root_login == PERMIT_NOT_SET) -- options->permit_root_login = PERMIT_YES; -+ options->permit_root_login = PERMIT_NO; - if (options->ignore_rhosts == -1) - options->ignore_rhosts = 1; - if (options->ignore_user_known_hosts == -1) @@ -287,7 +288,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) - options->x11_forwarding = 0; + options->x11_forwarding = 1; if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) @@ -333,7 +334,11 @@ fill_default_server_options(ServerOption if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) +#ifdef USE_PAM + options->password_authentication = 0; +#else options->password_authentication = 1; +#endif if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) @@ -396,7 +401,7 @@ fill_default_server_options(ServerOption options->fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; + use_privsep = PRIVSEP_ON; #define CLEAR_ON_NONE(v) \ do { \ Index: head/security/openssh-portable/files/patch-ssh-agent.1 =================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.1 (revision 392997) +++ head/security/openssh-portable/files/patch-ssh-agent.1 (revision 392998) 
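Review bot: Dropping the `PERMIT_YES` → `PERMIT_NO` hunk from fill_default_server_options() is only safe if the unpatched 6.9p1 servconf.c already defaults `permit_root_login` to no; the rebased patch-sshd_config.5 in this same commit now carries `.Dq no .` as a context line, which suggests it does, but that should be confirmed against the source rather than the man page, because a mismatch would silently re-enable root login on fresh installs. patch-sshd_config drops the matching `#PermitRootLogin no` hunk and has the same dependency. A one-line header comment in this patch file, e.g. `# PermitRootLogin default is now 'no' upstream; the local override was removed`, would record why the hunk went away so the next rebase does not reintroduce it blindly. The body of fill_default_server_options() starts and ends outside the hunk.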
@@ -1,27 +1,25 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. -Index: ssh-agent.1 -=================================================================== ---- ssh-agent.1 (revision 226102) -+++ ssh-agent.1 (revision 226103) -@@ -44,7 +44,7 @@ +--- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500 +@@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s --.Op Fl d -+.Op Fl dx +-.Op Fl Dd ++.Op Fl Ddx .Op Fl a Ar bind_address + .Op Fl E Ar fingerprint_hash .Op Fl t Ar life - .Op Ar command Op Ar arg ... -@@ -103,6 +103,8 @@ +@@ -128,6 +128,8 @@ .Xr ssh-add 1 overrides this value. Without this option the default maximum lifetime is forever. +.It Fl x +Exit after the last client has disconnected. .El .Pp If a commandline is given, this is executed as a subprocess of the agent. Index: head/security/openssh-portable/files/patch-ssh-agent.c =================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.c (revision 392997) +++ head/security/openssh-portable/files/patch-ssh-agent.c (revision 392998) 
@@ -1,93 +1,93 @@ r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines Set the ruid to the euid at startup as a workaround for a bug in pam_ssh. r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2015-03-17 00:49:20.000000000 -0500 -+++ ssh-agent.c 2015-03-20 00:00:48.800352000 -0500 -@@ -150,15 +150,34 @@ static long lifetime = 0; +--- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500 ++++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500 +@@ -157,15 +157,34 @@ static long lifetime = 0; static int fingerprint_hash = SSH_FP_HASH_DEFAULT; +/* + * Client connection count; incremented in new_socket() and decremented in + * close_socket(). When it reaches 0, ssh-agent will exit. Since it is + * normally initialized to 1, it will never reach 0. However, if the -x + * option is specified, it is initialized to 0 in main(); in that case, + * ssh-agent will exit as soon as it has had at least one client but no + * longer has any. 
+ */ +static int xcount = 1; + static void close_socket(SocketEntry *e) { + int last = 0; + + if (e->type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount - 1); + if (--xcount == 0) + last = 1; + } close(e->fd); e->fd = -1; e->type = AUTH_UNUSED; sshbuf_free(e->input); sshbuf_free(e->output); sshbuf_free(e->request); + if (last) + cleanup_exit(0); } static void -@@ -910,6 +929,10 @@ new_socket(sock_type type, int fd) +@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; + if (type == AUTH_CONNECTION) { + debug("xcount %d -> %d", xcount, xcount + 1); + ++xcount; + } set_nonblock(fd); if (fd > max_fd) -@@ -1138,7 +1161,7 @@ usage(void) +@@ -1166,7 +1189,7 @@ static void + usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-E fingerprint_hash]\n" -- " [-t life] [command [arg ...]]\n" -+ " [-t life] [-x] [command [arg ...]]\n" +- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" ++ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" + " [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); - } -@@ -1168,6 +1191,7 @@ main(int ac, char **av) +@@ -1197,6 +1220,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); + setuid(geteuid()); #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -@@ -1181,7 +1205,7 @@ main(int ac, char **av) +@@ -1210,7 +1234,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); -- while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cdksE:a:t:x")) != -1) { +- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1215,6 +1239,9 @@ main(int ac, char **av) +@@ -1249,6 +1273,9 @@ main(int ac, char **av) usage(); } break; + case 'x': + xcount = 
0; + break; default: usage(); } Index: head/security/openssh-portable/files/patch-sshd_config =================================================================== --- head/security/openssh-portable/files/patch-sshd_config (revision 392997) +++ head/security/openssh-portable/files/patch-sshd_config (revision 392998) @@ -1,70 +1,61 @@ --- sshd_config.orig 2013-02-11 18:02:09.000000000 -0600 +++ sshd_config 2013-05-13 06:46:45.153627197 -0500 @@ -10,6 +10,9 @@ # possible, but leave them commented. Uncommented options override the # default value. +# Note that some of FreeBSD's defaults differ from OpenBSD's, and +# FreeBSD has a few additional options. + #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -41,7 +44,7 @@ - # Authentication: - - #LoginGraceTime 2m --#PermitRootLogin yes -+#PermitRootLogin no - #StrictModes yes - #MaxAuthTries 6 - #MaxSessions 10 @@ -50,8 +53,7 @@ #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 #AuthorizedPrincipalsFile none @@ -68,11 +70,11 @@ # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +# Change to yes to enable built-in password authentication. +#PasswordAuthentication no #PermitEmptyPasswords no -# Change to no to disable s/key passwords +# Change to no to disable PAM authentication #ChallengeResponseAuthentication yes # Kerberos options 
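Review bot: The `setuid(geteuid());` line that this patch keeps adding in main() is unchecked, so if the call fails the agent continues with a real uid that differs from its effective uid, which is exactly the state the line exists to avoid; `if (setuid(geteuid()) == -1) fatal("setuid: %s", strerror(errno));` would make the failure loud, matching the fatal()/strerror(errno) idiom used elsewhere in this tree. The surrounding setegid()/setgid() calls are upstream code and are equally unchecked, so this is a judgement call, but the port is already patching this spot. A short comment on the line, `/* pam_ssh workaround: make ruid match euid */`, would carry the reason from the svn log header into the code. The bodies of close_socket(), new_socket() and main() all extend outside their hunks.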
@@ -85,7 +87,7 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -# Set this to 'yes' to enable PAM authentication, account processing, +# Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, @@ -94,12 +96,12 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -#UsePAM no +#UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +#X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes Index: head/security/openssh-portable/files/patch-sshd_config.5 =================================================================== --- head/security/openssh-portable/files/patch-sshd_config.5 (revision 392997) +++ head/security/openssh-portable/files/patch-sshd_config.5 (revision 392998) 
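Review bot: The shipped sshd_config now reads `#PasswordAuthentication no` next to `#ChallengeResponseAuthentication yes` and `#UsePAM yes`, which an administrator will read as "passwords are off", yet the sshd_config.5 patch in this commit states that with ChallengeResponseAuthentication yes and pam_unix in the sshd PAM policy, password logins are still accepted through the challenge-response mechanism regardless of PasswordAuthentication. Admins read the config file far more often than the man page, so that caveat belongs here too. Two comment lines after the `#PasswordAuthentication no` entry would do: `# Note: with UsePAM yes and ChallengeResponseAuthentication yes, passwords are` / `# still accepted via keyboard-interactive; set ChallengeResponseAuthentication no to stop that.`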
@@ -1,93 +1,91 @@ ---- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 -+++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500 -@@ -304,7 +304,9 @@ By default, no banner is displayed. +--- sshd_config.5.orig 2015-05-29 03:27:21.000000000 -0500 ++++ sshd_config.5 2015-06-02 09:49:08.463186000 -0500 +@@ -375,7 +375,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in -.Xr login.conf 5 ) +.Xr login.conf 5 ) . +See also +.Cm UsePAM . The default is .Dq yes . .It Cm ChrootDirectory -@@ -977,7 +979,22 @@ are refused if the number of unauthentic +@@ -1111,7 +1113,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is +.Dq no , +unless +.Nm sshd +was built without PAM support, in which case the default is .Dq yes . +Note that if +.Cm ChallengeResponseAuthentication +is +.Dq yes , +and the PAM authentication policy for +.Nm sshd +includes +.Xr pam_unix 8 , +password authentication will be allowed through the challenge-response +mechanism regardless of the value of +.Cm PasswordAuthentication . .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1023,7 +1040,14 @@ The argument must be - or +@@ -1158,6 +1175,13 @@ or .Dq no . The default is --.Dq yes . -+.Dq no . + .Dq no . +Note that if +.Cm ChallengeResponseAuthentication +is +.Dq yes , +the root user may be allowed in with its password even if +.Cm PermitRootLogin is set to +.Dq without-password . .Pp If this option is set to .Dq without-password , -@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as +@@ -1331,7 +1355,9 @@ an OpenSSH Key Revocation List (KRL) as For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . 
.It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or +.Pa /etc/hosts.equiv +authentication together with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run +@@ -1498,7 +1524,7 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is -.Dq no . +.Dq yes . .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1365,7 +1391,10 @@ restrictions. +@@ -1520,7 +1546,10 @@ restrictions. Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is -.Dq none . +.Dq %%SSH_VERSION_FREEBSD_PORT%% . +The value +.Dq none +may be used to disable this. .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1379,7 +1408,7 @@ The argument must be +@@ -1534,7 +1563,7 @@ The argument must be or .Dq no . The default is -.Dq no . +.Dq yes . .Pp When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the
