Index: head/security/openssh-portable/Makefile
===================================================================
--- head/security/openssh-portable/Makefile (revision 466576)
+++ head/security/openssh-portable/Makefile (revision 466577)
@@ -1,228 +1,217 @@ # Created by: dwcjr@inethouston.net # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.6p1 -PORTREVISION= 3 +DISTVERSION= 7.7p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH #LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style #LICENSE_FILE= ${WRKSRC}/LICENCE CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* USES= alias autoreconf ncurses ssl GNU_CONFIGURE= yes CONFIGURE_ENV= ac_cv_func_strnvis=no CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ --without-zlib-version-check --with-ssl-engine \ --with-mantype=man ETCOLD= ${PREFIX}/etc BROKEN_SSL= openssl-devel BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ - SCTP LDNS NONECIPHER + LDNS NONECIPHER OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support X509_DESC= x509 certificate patch -SCTP_DESC= SCTP support HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support OPTIONS_SUB= yes TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns LDNS_CFLAGS= -I${LOCALBASE}/include LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' # http://www.psc.edu/index.php/hpn-ssh HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 11.0 
+X509_VERSION= 11.3 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 -# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 -#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1 -SCTP_BROKEN= Does not apply to 7.6+ -SCTP_CONFIGURE_WITH= sctp -SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1 - MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} .endif # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= No patch for 7.6 yet. # Patch from: # http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch # which was originally based on 5.7 patch from # http://www.sxw.org.uk/computing/patches/ # It is mirrored simply to apply gzip -9. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . 
endif PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex .endif # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= Not yet updated for 7.6+ and disabled in base PORTDOCS+= HPN-README HPN_VERSION= 14v5 HPN_DISTVERSION= 6.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} # Apply compatibility patch EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_LIBS+= -lutil CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MX509} . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MSCTP} -BROKEN= X509 patch and SCTP patch do not apply cleanly together -. endif - . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . 
if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}//ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ + TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include Index: head/security/openssh-portable/distinfo =================================================================== --- head/security/openssh-portable/distinfo (revision 466576) +++ head/security/openssh-portable/distinfo (revision 466577) 
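Review bot: Two BROKEN strings in this hunk are now stale: with `DISTVERSION= 7.7p1` the KERB_GSSAPI block still reports `BROKEN= No patch for 7.6 yet.` and the HPN/NONECIPHER block `BROKEN= Not yet updated for 7.6+ and disabled in base`, so users selecting those options are told the wrong version. Change them to `BROKEN= No patch for 7.7 yet.` and `BROKEN= Not yet updated for 7.7+ and disabled in base`, or drop the version number from the wording so the message does not have to be touched on every bump. Note also that `X509_PATCH_SITES` and the shatow `PATCH_SITES` mirror are plain http:, so the integrity of the new 7.7p1+x509-11.3 patch rests entirely on the SHA256 recorded in distinfo — worth keeping in mind whenever that file is refreshed.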
@@ -1,7 +1,5 @@
-TIMESTAMP = 1507833573
-SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
-SIZE (openssh-7.6p1.tar.gz) = 1489788
-SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
-SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e
-SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219
+TIMESTAMP = 1522788732
+SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
+SIZE (openssh-7.7p1.tar.gz) = 1536900
+SHA256 (openssh-7.7p1+x509-11.3.diff.gz) = 57be0d0028863f1f690b8b4ccae7583c0f8dd8ed2c688a912b25832bf7f9b185
+SIZE (openssh-7.7p1+x509-11.3.diff.gz) = 488467
Index: head/security/openssh-portable/files/patch-upstream-servconf.c
===================================================================
--- head/security/openssh-portable/files/patch-upstream-servconf.c (revision 466576)
+++ head/security/openssh-portable/files/patch-upstream-servconf.c (nonexistent)
@@ -1,44 +0,0 @@ -commit 7c9613fac3371cf65fb07739212cdd1ebf6575da -Author: djm@openbsd.org -Date: Wed Oct 4 18:49:30 2017 +0000 - - upstream commit - - fix (another) problem in PermitOpen introduced during the - channels.c refactor: the third and subsequent arguments to PermitOpen were - being silently ignored; ok markus@ - - Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd - -diff --git servconf.c servconf.c -index 2c321a4a..95686295 100644 ---- servconf.c -+++ servconf.c -@@ -1,5 +1,5 @@ - --/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */ -+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */ - /* - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland - * All rights reserved -@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line, - if (!arg || *arg == '\0') - fatal("%s line %d: missing PermitOpen specification", - filename, linenum); -- i = options->num_permitted_opens; /* modified later */ -+ value = options->num_permitted_opens; /* modified later */ - if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { -- if (*activep && i == 0) { -+ if (*activep && value == 0) { - options->num_permitted_opens = 1; - options->permitted_opens = xcalloc(1, - sizeof(*options->permitted_opens)); -@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line, - if (arg == NULL || ((port = permitopen_port(arg)) < 0)) - fatal("%s line %d: bad port number in " - "PermitOpen", filename, linenum); -- if (*activep && i == 0) { -+ if (*activep && value == 0) { - options->permitted_opens = xrecallocarray( - options->permitted_opens, - options->num_permitted_opens, Property changes on: head/security/openssh-portable/files/patch-upstream-servconf.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## 
-text/plain \ No newline at end of property Index: head/security/openssh-portable/files/extra-patch-hpn-compat =================================================================== --- head/security/openssh-portable/files/extra-patch-hpn-compat (revision 466576) +++ head/security/openssh-portable/files/extra-patch-hpn-compat (revision 466577) @@ -1,46 +1,46 @@ ------------------------------------------------------------------------ r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines Changed paths: M /head/crypto/openssh/servconf.c Instead of removing the NoneEnabled option, mark it as unsupported. (should have done this in r291198, but didn't think of it until now) ------------------------------------------------------------------------ ------------------------------------------------------------------------ r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines Changed paths: M /head/crypto/openssh/readconf.c r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ --- readconf.c.orig 2017-10-12 12:18:59.927293000 -0700 +++ readconf.c 2017-10-12 12:19:45.048532000 -0700 
@@ -305,6 +305,12 @@ static struct { { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, { "ignoreunknown", oIgnoreUnknown }, { "proxyjump", oProxyJump }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, + { "tcprcvbuf", oDeprecated }, + { "noneenabled", oUnsupported }, + { "noneswitch", oUnsupported }, { NULL, oBadOption } }; --- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700 +++ servconf.c 2017-10-12 12:20:19.089884000 -0700 -@@ -566,6 +566,10 @@ static struct { - { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, +@@ -618,6 +618,10 @@ static struct { { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, + { "rdomain", sRDomain, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, + { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; Index: head/security/openssh-portable/files/extra-patch-tcpwrappers =================================================================== --- head/security/openssh-portable/files/extra-patch-tcpwrappers (revision 466576) +++ head/security/openssh-portable/files/extra-patch-tcpwrappers (revision 466577) @@ -1,159 +1,160 @@ Revert TCPWRAPPER removal -bdrewery commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 Author: Damien Miller Date: Sun Apr 20 13:22:18 2014 +1000 - tedu@cvs.openbsd.org 2014/03/26 19:58:37 [sshd.8 sshd.c] remove libwrap support. ok deraadt djm mfriedl diff --git sshd.8 sshd.8 index 289e13d..e6a900b 100644 --- sshd.8 +++ sshd.8 
@@ -851,6 +851,12 @@ the user's home directory becomes accessible. This file should be writable only by the user, and need not be readable by anyone else. .Pp +.It Pa /etc/hosts.allow +.It Pa /etc/hosts.deny +Access controls that should be enforced by tcp-wrappers are defined here. +Further details are described in +.Xr hosts_access 5 . +.Pp .It Pa /etc/hosts.equiv This file is for host-based authentication (see .Xr ssh 1 ) . @@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , .Xr chroot 2 , +.Xr hosts_access 5 , .Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , diff --git sshd.c sshd.c index 0ade557..045f149 100644 ---- sshd.c -+++ sshd.c +--- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700 ++++ sshd.c 2018-04-04 15:40:20.964130000 -0700 
@@ -1,4 +1,4 @@ --/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */ +-/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -123,6 +123,13 @@ +@@ -131,6 +131,13 @@ #include "version.h" #include "ssherr.h" +#ifdef LIBWRAP +#include +#include +int allow_severity; +int deny_severity; +#endif /* LIBWRAP */ + /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -@@ -1971,6 +1978,24 @@ main(int ac, char **av) - #ifdef SSH_AUDIT_EVENTS - audit_connection_from(remote_ip, remote_port); +@@ -2072,6 +2079,25 @@ main(int ac, char **av) #endif + + rdomain = ssh_packet_rdomain_in(ssh); ++ +#ifdef LIBWRAP + allow_severity = options.log_facility|LOG_INFO; + deny_severity = options.log_facility|LOG_WARNING; + /* Check whether logins are denied from this host. */ + if (packet_connection_is_on_socket()) { + struct request_info req; + + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); + fromhost(&req); + + if (!hosts_access(&req)) { + debug("Connection refused by tcp wrapper"); + refuse(&req); + /* NOTREACHED */ + fatal("libwrap refuse returns"); + } + } +#endif /* LIBWRAP */ /* Log the connection. */ laddr = get_local_ipaddr(sock_in); diff --git configure.ac configure.ac index f48ba4a..66fbe82 100644 --- configure.ac +++ configure.ac 
@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], ] ) +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +AC_ARG_WITH([tcp-wrappers], + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then + if test -d "${withval}/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "${withval}/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + LIBS="-lwrap $LIBS" + AC_MSG_CHECKING([for libwrap]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include +#include +int deny_severity = 0, allow_severity = 0; + ]], [[ + hosts_access(0); + ]])], [ + AC_MSG_RESULT([yes]) + AC_DEFINE([LIBWRAP], [1], + [Define if you want + TCP Wrappers support]) + SSHDLIBS="$SSHDLIBS -lwrap" + TCPW_MSG="yes" + ], [ + AC_MSG_ERROR([*** libwrap missing]) + + ]) + LIBS="$saved_LIBS" + fi + ] +) + # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, 
@@ -4803,6 +4859,7 @@ echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" Index: head/security/openssh-portable/files/extra-patch-x509-glue =================================================================== --- head/security/openssh-portable/files/extra-patch-x509-glue (revision 466576) +++ head/security/openssh-portable/files/extra-patch-x509-glue (revision 466577) 
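Review bot: The first inner hunk of the sshd.c part (`@@ -1,4 +1,4 @@`) exists only to rewrite the `$OpenBSD: sshd.c,v 1.506 2018/03/03 ...` id line back to the 2014 `1.422` id, which pins this glue patch to one exact upstream revision (this commit had to regenerate it for that reason) and leaves a misleading version tag in the patched tree; drop that hunk and keep only the `#include` and `main()` hunks. In the `main()` hunk the libwrap block sits directly after `rdomain = ssh_packet_rdomain_in(ssh);` and before the connection is logged, so `fromhost()`/`hosts_access()` evaluate peer-derived data (reverse lookups, hosts.allow parsing) in that process before privilege separation and the rest of the pre-auth handling, which as far as the hunk shows come later in main() — the trade-off that motivated the reverted upstream removal; a comment on the `#ifdef LIBWRAP` block recording that, and noting that `refuse()` does not return so `fatal("libwrap refuse returns")` is only a guard, would help whoever rebases this next. The `--- sshd.c.orig`/`+++ sshd.c` timestamp-style header also differs from the `diff --git` headers used for sshd.8 and configure.ac within the same patch; harmless, but worth unifying the next time the patch is regenerated.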
@@ -1,147 +1,157 @@ --- session.c.orig 2017-10-12 11:52:52.953370000 -0700 +++ session.c 2017-10-12 11:53:40.793055000 -0700 -@@ -1045,36 +1045,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); -#ifdef __ANDROID__ -{ -#define COPY_ANDROID_ENV(name) { \ - char *s = getenv(name); \ - if (s) child_set_env(&env, &envsize, name, s); } - - /* from /init.rc */ - COPY_ANDROID_ENV("ANDROID_BOOTLOGO"); - COPY_ANDROID_ENV("ANDROID_ROOT"); - COPY_ANDROID_ENV("ANDROID_ASSETS"); - COPY_ANDROID_ENV("ANDROID_DATA"); - COPY_ANDROID_ENV("ASEC_MOUNTPOINT"); - COPY_ANDROID_ENV("LOOP_MOUNTPOINT"); - COPY_ANDROID_ENV("BOOTCLASSPATH"); - - /* FIXME: keep android property workspace open - * (see openbsd-compat/bsd-closefrom.c) - */ - COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE"); - - COPY_ANDROID_ENV("EXTERNAL_STORAGE"); /* ??? */ - COPY_ANDROID_ENV("SECONDARY_STORAGE"); /* ??? */ - COPY_ANDROID_ENV("SD_EXT_DIRECTORY"); /* ??? */ - - /* may contain path to custom libraries */ - COPY_ANDROID_ENV("LD_LIBRARY_PATH"); -#undef COPY_ANDROID_ENV -} -#endif - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) { - struct envstring *ce = custom_environment; + /* Set custom environment options from pubkey authentication. */ + if (options.permit_user_env) { + for (n = 0 ; n < auth_opts->nenv; n++) { --- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700 +++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700 -@@ -1641,52 +1641,7 @@ is set to +@@ -1682,7 +1682,57 @@ is set to then the pre-authentication unprivileged process is subject to additional restrictions. The default is -.Cm sandbox . --.It Cm VACertificateFile --File with X.509 certificates in PEM format concatenated together. --In use when --.Cm VAType --is set to --.Cm ocspspec . --The default value is --.Sq --.. --(empty). 
--Certificates from that file explicitly trust --.Sq "OCSP Responder" --public key. --They are used as trusted certificates in addition to certificates from --.Cm CACertificateFile --and --.Cm CACertificatePath --to verify responder certificate. --.It Cm VAType --Specifies whether --.Sq "Online Certificate Status Protocol" --(OCSP) is used to validate X.509 certificates. --Accepted values are case insensitive: --.Bl -tag -offset indent -compact --.It none --do not use OCSP to validate certificates; --.It ocspcert --validate only certificates that specify --.Sq "OCSP Service Locator" --URL; --.It ocspspec --use specified in the configuration --.Sq "OCSP Responder" --to validate all certificates. --.El --The default is --.Cm none . --.It Cm VAOCSPResponderURL --.Sq "Access Location" --/ --.Sq "OCSP Service Locator" --URL of the OCSP provider. In use when --.Cm VAType --is set to --.Cm ocspspec . +.Cm no . - .It Cm VersionAddendum - Optionally specifies additional text to append to the SSH protocol banner - sent by the server upon connection. -@@ -1737,6 +1692,51 @@ the wildcard address. - By default, - sshd binds the forwarding server to the loopback address and sets the - hostname part of the -+.It Cm VACertificateFile -+File with X.509 certificates in PEM format concatenated together. -+In use when -+.Cm VAType -+is set to -+.Cm ocspspec . -+The default value is -+.Sq -+.. -+(empty). -+Certificates from that file explicitly trust -+.Sq "OCSP Responder" -+public key. -+They are used as trusted certificates in addition to certificates from -+.Cm CACertificateFile -+and -+.Cm CACertificatePath -+to verify responder certificate. -+.It Cm VAType -+Specifies whether -+.Sq "Online Certificate Status Protocol" -+(OCSP) is used to validate X.509 certificates. 
-+Accepted values are case insensitive: -+.Bl -tag -offset indent -compact -+.It none -+do not use OCSP to validate certificates; -+.It ocspcert -+validate only certificates that specify -+.Sq "OCSP Service Locator" -+URL; -+.It ocspspec -+use specified in the configuration -+.Sq "OCSP Responder" -+to validate all certificates. -+.El ++.It Cm VersionAddendum ++Optionally specifies additional text to append to the SSH protocol banner ++sent by the server upon connection. +The default is +.Cm none . -+.It Cm VAOCSPResponderURL -+.Sq "Access Location" -+/ -+.Sq "OCSP Service Locator" -+URL of the OCSP provider. In use when -+.Cm VAType -+is set to -+.Cm ocspspec . ++.It Cm X11DisplayOffset ++Specifies the first display number available for ++.Xr sshd 8 Ns 's ++X11 forwarding. ++This prevents sshd from interfering with real X11 servers. ++The default is 10. ++.It Cm X11Forwarding ++Specifies whether X11 forwarding is permitted. ++The argument must be ++.Cm yes ++or ++.Cm no . ++The default is ++.Cm no . ++.Pp ++When X11 forwarding is enabled, there may be additional exposure to ++the server and to client displays if the ++.Xr sshd 8 ++proxy display is configured to listen on the wildcard address (see ++.Cm X11UseLocalhost ) , ++though this is not the default. ++Additionally, the authentication spoofing and authentication data ++verification and substitution occur on the client side. ++The security risk of using X11 forwarding is that the client's X11 ++display server may be exposed to attack when the SSH client requests ++forwarding (see the warnings for ++.Cm ForwardX11 ++in ++.Xr ssh_config 5 ) . ++A system administrator may have a stance in which they want to ++protect clients that may expose themselves to attack by unwittingly ++requesting X11 forwarding, which can warrant a ++.Cm no ++setting. ++.Pp ++Note that disabling X11 forwarding does not prevent users from ++forwarding X11 traffic, as users can always install their own forwarders. 
++.It Cm X11UseLocalhost ++Specifies whether ++.Xr sshd 8 ++should bind the X11 forwarding server to the loopback address or to ++the wildcard address. ++By default, ++sshd binds the forwarding server to the loopback address and sets the ++hostname part of the + .It Cm VACertificateFile + File with X.509 certificates in PEM format concatenated together. + In use when +@@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when + .Cm VAType + is set to + .Cm ocspspec . +-.It Cm VersionAddendum +-Optionally specifies additional text to append to the SSH protocol banner +-sent by the server upon connection. +-The default is +-.Cm none . +-.It Cm X11DisplayOffset +-Specifies the first display number available for +-.Xr sshd 8 Ns 's +-X11 forwarding. +-This prevents sshd from interfering with real X11 servers. +-The default is 10. +-.It Cm X11Forwarding +-Specifies whether X11 forwarding is permitted. +-The argument must be +-.Cm yes +-or +-.Cm no . +-The default is +-.Cm no . +-.Pp +-When X11 forwarding is enabled, there may be additional exposure to +-the server and to client displays if the +-.Xr sshd 8 +-proxy display is configured to listen on the wildcard address (see +-.Cm X11UseLocalhost ) , +-though this is not the default. +-Additionally, the authentication spoofing and authentication data +-verification and substitution occur on the client side. +-The security risk of using X11 forwarding is that the client's X11 +-display server may be exposed to attack when the SSH client requests +-forwarding (see the warnings for +-.Cm ForwardX11 +-in +-.Xr ssh_config 5 ) . +-A system administrator may have a stance in which they want to +-protect clients that may expose themselves to attack by unwittingly +-requesting X11 forwarding, which can warrant a +-.Cm no +-setting. +-.Pp +-Note that disabling X11 forwarding does not prevent users from +-forwarding X11 traffic, as users can always install their own forwarders. 
+-.It Cm X11UseLocalhost +-Specifies whether +-.Xr sshd 8 +-should bind the X11 forwarding server to the loopback address or to +-the wildcard address. +-By default, +-sshd binds the forwarding server to the loopback address and sets the +-hostname part of the .Ev DISPLAY environment variable to .Cm localhost . Index: head/security/openssh-portable/files/patch-session.c =================================================================== --- head/security/openssh-portable/files/patch-session.c (revision 466576) +++ head/security/openssh-portable/files/patch-session.c (revision 466577) 
@@ -1,85 +1,85 @@ ------------------------------------------------------------------------ r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines Changed paths: M /head/crypto/openssh/session.c Make sure the environment variables set by setusercontext() are passed on to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c 2013-03-14 19:22:37 UTC -+++ session.c -@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she +--- session.c.orig 2018-04-01 22:38:28.000000000 -0700 ++++ session.c 2018-04-03 13:56:49.599400000 -0700 +@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; +#else + extern char **environ; + char **senv, **var; #endif /* Initialize the environment. */ -@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she +@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); + #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she +@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); + snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); + child_set_env(&env, &envsize, "MAIL", buf); #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); - else - child_set_env(&env, &envsize, "PATH", getenv("PATH")); + child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); + child_set_env(&env, &envsize, "TERM", "su"); + senv = environ; + environ = xmalloc(sizeof(char *)); + *environ = NULL; + (void) setusercontext(lc, pw, pw->pw_uid, + 
LOGIN_SETENV|LOGIN_SETPATH); + copy_environment(environ, &env, &envsize); + for (var = environ; *var != NULL; ++var) + free(*var); + free(environ); + environ = senv; #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she +@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); - /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) { - struct envstring *ce = custom_environment; -@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw) + /* Set custom environment options from pubkey authentication. */ + if (options.permit_user_env) { + for (n = 0 ; n < auth_opts->nenv; n++) { +@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { + (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); }
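Review bot: In the do_setup_env hunk the new side discards the result of `(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV|LOGIN_SETPATH);`, whereas the removed lines used a failure to choose `_PATH_STDPATH`. Because PATH and TERM are now set before the call, a failure leaves those defaults in place, but that is only implicit; a comment such as `/* PATH/TERM are set first so a failing setusercontext() still yields a sane child env */` plus a `debug()` on a negative return would make the best-effort intent visible. The temporary-environ sequence (`senv = environ; environ = xmalloc(sizeof(char *));` ... `free(*var); free(environ); environ = senv;`) assumes setusercontext()'s setenv(3) calls leave `environ` pointing at the xmalloc'd array with individually freeable strings — that is libc-specific and should be stated in a comment, since freeing libc-owned entries would be a double free. The companion change in do_setusercontext masks LOGIN_SETENV out of the privileged `setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER)))` call, so login.conf `setenv` values reach the session only via copy_environment into the child env; a one-line comment at each spot linking the two would help the next maintainer who rebases this patch.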