Date:      Thu, 1 Sep 2005 14:09:55 -0300 (BRT)
From:      Marcus Grando <marcus@corp.grupos.com.br>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/85578: Update port: security/openssh-portable to 4.2p1
Message-ID:  <200509011709.j81H9t9g036140@marcus.grupos.com.br>
Resent-Message-ID: <200509011710.j81HA7id057879@freefall.freebsd.org>


>Number:         85578
>Category:       ports
>Synopsis:       Update port: security/openssh-portable to 4.2p1
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 01 17:10:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Marcus Grando
>Release:        FreeBSD 6.0-BETA3 i386
>Organization:
Grupos Internet S/A
>Environment:
System: FreeBSD marcus.grupos.com.br 6.0-BETA3 FreeBSD 6.0-BETA3 #33: Wed Aug 31 12:46:26 BRT 2005 root@marcus.grupos.com.br:/usr/obj/usr/src/sys/MARCUS i386


	
>Description:

- Update to 4.2p1
- Use OPTIONS
- Reorganize Makefile

Removed files:

files/patch-auth-pam.c
files/patch-fake-rfc2553.h

	
>How-To-Repeat:
	
>Fix:

	

--- openssh-portable.patch begins here ---
diff -ruN openssh-portable.orig/Makefile openssh-portable/Makefile
--- openssh-portable.orig/Makefile	Mon Jun  6 16:09:04 2005
+++ openssh-portable/Makefile	Thu Sep  1 12:06:03 2005
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	openssh
-PORTVERSION=	4.1.0.1
+PORTVERSION=	4.2.0.0
 .if defined(OPENSSH_SNAPSHOT)
 PORTREVISION!=	date -v-1d +%Y%m%d
 .endif
@@ -21,7 +21,8 @@
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 
-OPENSSHVERSION=	4.1p1
+OPENSSHVERSION=	4.2p1
+
 .if defined(OPENSSH_SNAPSHOT)
 MASTER_SITE_SUBDIR2=	snapshot/
 DISTNAME2=	${PORTNAME}-SNAP-${PORTREVISION}
@@ -52,6 +53,13 @@
 ETCOLD=		${PREFIX}/etc
 PORTABLE_SUFFIX=	-portable
 
+SUDO?=
+MAKE_ENV+=	SUDO="${SUDO}"
+
+OPTIONS=	SUID_SSH	"Enable suid SSH (Recommended off)"	off \
+		GSSAPI		"Enable GSSAPI support"			off \
+		OPENSSH_CHROOT	"Enable CHROOT support"			off
+
 .if exists(/usr/include/security/pam_modules.h)
 CONFIGURE_ARGS+=	--with-pam
 .endif
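Review bot: The three OPTIONS knobs added here reach the rest of the Makefile as `WITH_SUID_SSH`, `WITH_GSSAPI` and `WITH_OPENSSH_CHROOT`, and only the first has its consumer updated in this patch (the next hunk). The test for chroot support is not in any visible hunk; if it still reads `defined(OPENSSH_CHROOT)`, selecting the option builds without chroot support and reports nothing, so it should be confirmed as `.if defined(WITH_OPENSSH_CHROOT)`. The next hunk also stops honouring `ENABLE_SUID_SSH` without notice. That fails towards a non-setuid `ssh`, which is the safer side, but a comment such as `# ENABLE_SUID_SSH was replaced by the SUID_SSH option (WITH_SUID_SSH)` would spare users a silent behaviour change.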
@@ -60,7 +68,9 @@
 CONFIGURE_ARGS+=	--with-tcp-wrappers
 .endif
 
-.if !defined(ENABLE_SUID_SSH)
+.include <bsd.port.pre.mk>
+
+.if !defined(WITH_SUID_SSH)
 CONFIGURE_ARGS+=	--disable-suid-ssh
 .endif
 
@@ -69,13 +79,21 @@
 GSSAPI_SUFFIX=	-gssapi
 CONFLICTS+=	openssh-portable-*
 CONFIGURE_ARGS+=	--with-kerberos5=${KRB5_HOME}
+.if ${OPENSSLBASE} == "/usr"
+CONFIGURE_ARGS+=	--without-rpath
+LDFLAGS=
+.endif
 .else
 CONFLICTS+=	openssh-gssapi-*
+CONFIGURE_ARGS+=	--with-rpath=${OPENSSLRPATH}
 .if !defined(WITHOUT_KERBEROS) && exists(/usr/include/krb5.h)
 CONFIGURE_ARGS+=	--with-kerberos5
 EXTRA_PATCHES+=		${FILESDIR}/gss-serv.c.patch
 .endif
 .endif
+.if ${OPENSSLBASE} != "/usr"
+CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
+.endif
 
 .if defined(BATCH)
 EXTRA_PATCHES+=		${FILESDIR}/batch.patch
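Review bot: In the GSSAPI branch, a ports-installed OpenSSL (`${OPENSSLBASE} != "/usr"`) gets `--with-ssl-dir=${OPENSSLBASE}` from the block below but neither `--with-rpath` nor `--without-rpath`, so which libcrypto the binaries resolve at run time is left to configure's default. That may be intentional, but for sshd the OpenSSL it links against and the one it loads should be the same; either add an `.else` with `CONFIGURE_ARGS+= --with-rpath=${OPENSSLRPATH}` inside the GSSAPI branch or a comment saying why it is omitted. `LDFLAGS=` also discards every linker flag set earlier and deserves a one-line comment explaining why. The `.if` that opens this conditional is above the hunk, so its condition could not be compared with the removed `defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)` test.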
@@ -118,52 +136,35 @@
 		${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh
 
 pre-install:
-.if defined(OPENSSH_OVERWRITE_BASE)
-	-${MKDIR} ${EMPTYDIR}
-.else
-	-${MKDIR} ${PREFIX}/empty
-.endif
+.	if defined(OPENSSH_OVERWRITE_BASE)
+		-${MKDIR} ${EMPTYDIR}
+.	else
+		-${MKDIR} ${PREFIX}/empty
+.	endif
 	if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi
 	if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \
 		-h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi
 	-@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH}
-.for i in ${PRECIOUS}
-	-@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \
-		${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." && \
-		${LN} ${ETCOLD}/${i} ${ETCSSH}/${i}
-.endfor
+.	for i in ${PRECIOUS}
+		-@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \
+			${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." && \
+			${LN} ${ETCOLD}/${i} ${ETCSSH}/${i}
+.	endfor
 
 post-install:
-.if !defined(OPENSSH_OVERWRITE_BASE)
-	${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample
-.endif
+.	if !defined(OPENSSH_OVERWRITE_BASE)
+		${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample
+.	endif
 	${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist
 	${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist
-.if !defined(OPENSSH_OVERWRITE_BASE)
-	@${CAT} ${PKGMESSAGE}
-.endif
+.	if !defined(OPENSSH_OVERWRITE_BASE)
+		@${CAT} ${PKGMESSAGE}
+.	endif
 
 test:
 	(cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \
 	TEST_SHELL=/bin/sh \
 	PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 	${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} )
-
-.include <bsd.port.pre.mk>
-
-SUDO?=
-MAKE_ENV+=	SUDO="${SUDO}"
-
-.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
-.if ${OPENSSLBASE} == "/usr"
-CONFIGURE_ARGS+=	--without-rpath
-LDFLAGS=
-.endif
-.else
-CONFIGURE_ARGS+=	--with-rpath=${OPENSSLRPATH}
-.endif
-.if ${OPENSSLBASE} != "/usr"
-CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
-.endif
 
 .include <bsd.port.post.mk>
diff -ruN openssh-portable.orig/distinfo openssh-portable/distinfo
--- openssh-portable.orig/distinfo	Mon Jun  6 16:09:04 2005
+++ openssh-portable/distinfo	Thu Sep  1 11:09:53 2005
@@ -1,2 +1,2 @@
-MD5 (openssh-4.1p1.tar.gz) = 959c663e709c981f07a3315bfd64f3d0
-SIZE (openssh-4.1p1.tar.gz) = 894234
+MD5 (openssh-4.2p1.tar.gz) = df899194a340c933944b193477c628fa
+SIZE (openssh-4.2p1.tar.gz) = 914165
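Review bot: The new distfile is pinned only by an MD5 digest and a size, which is weak integrity protection for the OpenSSH tarball; if the ports tree in use accepts it, add a `SHA256 (openssh-4.2p1.tar.gz) = <sha256-of-verified-tarball>` line alongside. The page does not show how the tarball behind `df899194a340c933944b193477c628fa` was obtained, so it is worth checking it against the upstream release signature before the digest is committed.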
diff -ruN openssh-portable.orig/files/patch-auth-pam.c openssh-portable/files/patch-auth-pam.c
--- openssh-portable.orig/files/patch-auth-pam.c	Sat Mar 19 22:00:03 2005
+++ openssh-portable/files/patch-auth-pam.c	Wed Dec 31 21:00:00 1969
@@ -1,65 +0,0 @@
---- auth-pam.c.orig	Thu Jan 20 03:29:51 2005
-+++ auth-pam.c	Sat Mar 19 21:52:37 2005
-@@ -290,7 +290,7 @@
-  * Conversation function for authentication thread.
-  */
- static int
--sshpam_thread_conv(int n, struct pam_message **msg,
-+sshpam_thread_conv(int n, const struct pam_message **msg,
-     struct pam_response **resp, void *data)
- {
- 	Buffer buffer;
-@@ -390,7 +390,7 @@
- 	u_int i;
- 	const char *pam_user;
- 
--	pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user);
-+	pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user);
- 	environ[0] = NULL;
- 
- 	if (sshpam_authctxt != NULL) {
-@@ -482,7 +482,7 @@
- }
- 
- static int
--sshpam_null_conv(int n, struct pam_message **msg,
-+sshpam_null_conv(int n, const struct pam_message **msg,
-     struct pam_response **resp, void *data)
- {
- 	debug3("PAM: %s entering, %d messages", __func__, n);
-@@ -492,7 +492,7 @@
- static struct pam_conv null_conv = { sshpam_null_conv, NULL };
- 
- static int
--sshpam_store_conv(int n, struct pam_message **msg,
-+sshpam_store_conv(int n, const struct pam_message **msg,
-     struct pam_response **resp, void *data)
- {
- 	struct pam_response *reply;
-@@ -565,7 +565,7 @@
- 	if (sshpam_handle != NULL) {
- 		/* We already have a PAM context; check if the user matches */
- 		sshpam_err = pam_get_item(sshpam_handle,
--		    PAM_USER, (void **)&pam_user);
-+		    PAM_USER, (const void **)&pam_user);
- 		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
- 			return (0);
- 		pam_end(sshpam_handle, sshpam_err);
-@@ -881,7 +881,7 @@
- }
- 
- static int
--sshpam_tty_conv(int n, struct pam_message **msg,
-+sshpam_tty_conv(int n, const struct pam_message **msg,
-     struct pam_response **resp, void *data)
- {
- 	char input[PAM_MAX_MSG_SIZE];
-@@ -1040,7 +1040,7 @@
-  * display.
-  */
- static int
--sshpam_passwd_conv(int n, struct pam_message **msg,
-+sshpam_passwd_conv(int n, const struct pam_message **msg,
-     struct pam_response **resp, void *data)
- {
- 	struct pam_response *reply;
diff -ruN openssh-portable.orig/files/patch-auth1.c openssh-portable/files/patch-auth1.c
--- openssh-portable.orig/files/patch-auth1.c	Sat Mar 19 22:00:03 2005
+++ openssh-portable/files/patch-auth1.c	Thu Sep  1 11:24:17 2005
@@ -1,5 +1,5 @@
---- auth1.c.orig	Tue Feb  8 11:52:48 2005
-+++ auth1.c	Sat Mar 19 21:34:47 2005
+--- auth1.c.orig	Sun Jul 17 04:26:44 2005
++++ auth1.c	Thu Sep  1 11:23:35 2005
 @@ -26,6 +26,7 @@
  #include "uidswap.h"
  #include "monitor_wrap.h"
@@ -8,10 +8,10 @@
  
  /* import */
  extern ServerOptions options;
-@@ -71,6 +72,15 @@
- 	u_int dlen;
- 	u_int ulen;
- 	int prev, type = 0;
+@@ -220,6 +221,15 @@
+ 	char info[1024];
+ 	int prev = 0, type = 0;
+ 	const struct AuthMethod1 *meth;
 +#ifdef HAVE_LOGIN_CAP
 +	login_cap_t *lc;
 +#endif /* HAVE_LOGIN_CAP */
@@ -24,38 +24,37 @@
  
  	debug("Attempting authentication for %s%.100s.",
  	    authctxt->valid ? "" : "invalid user ", authctxt->user);
-@@ -219,6 +229,34 @@
- 			logit("Unknown message during authentication: type %d", type);
- 			break;
+@@ -270,6 +280,33 @@
+ 			    "type %d", type);
+ 			goto skip;
  		}
 +
 +#ifdef HAVE_LOGIN_CAP
 +		if (authctxt->pw != NULL) {
-+		  lc = login_getpwclass(authctxt->pw);
-+		  if (lc == NULL)
-+			lc = login_getclassbyname(NULL, authctxt->pw);
-+		  if (!auth_hostok(lc, from_host, from_ip)) {
-+			logit("Denied connection for %.200s from %.200s [%.200s].",
-+		      authctxt->pw->pw_name, from_host, from_ip);
-+			packet_disconnect("Sorry, you are not allowed to connect.");
-+		  }
-+		  if (!auth_timeok(lc, time(NULL))) {
-+			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+		      authctxt->pw->pw_name, from_host);
-+			packet_disconnect("Logins not available right now.");
-+		  }
-+		  login_close(lc);
-+		  lc = NULL;
++			lc = login_getpwclass(authctxt->pw);
++			if (lc == NULL)
++				lc = login_getclassbyname(NULL, authctxt->pw);
++			if (!auth_hostok(lc, from_host, from_ip)) {
++				logit("Denied connection for %.200s from %.200s [%.200s].",
++				       authctxt->pw->pw_name, from_host, from_ip);
++				packet_disconnect("Sorry, you are not allowed to connect.");
++			}
++			if (!auth_timeok(lc, time(NULL))) {
++				logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++				       authctxt->pw->pw_name, from_host);
++				packet_disconnect("Logins not available right now.");
++			}
++			login_close(lc);
++			lc = NULL;
 +		}
 +#endif  /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
++#ifdef LOGIN_ACCESS                                                       
 +		if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) {
-+		  logit("Denied connection for %.200s from %.200s [%.200s].",
-+		      authctxt->pw->pw_name, from_host, from_ip);
-+		  packet_disconnect("Sorry, you are not allowed to connect.");
++			logit("Denied connection for %.200s from %.200s [%.200s].",
++			       authctxt->pw->pw_name, from_host, from_ip);
++			packet_disconnect("Sorry, you are not allowed to connect.");
 +		}
 +#endif /* LOGIN_ACCESS */
-+
- #ifdef BSD_AUTH
- 		if (authctxt->as) {
- 			auth_close(authctxt->as);
+ 
+ 		if (!*(meth->enabled)) {
+ 			verbose("%s authentication disabled.", meth->name);
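Review bot: The relocated login-class block runs before any credential has been checked and only when `authctxt->pw != NULL`, so a client on a denied host or outside the allowed hours is disconnected with `Sorry, you are not allowed to connect.` for an existing account, while an unknown name skips the block entirely. That difference tells an unauthenticated peer which account names exist. Applying the host, time and `login_access()` checks once the method has succeeded, or giving unknown users the same response, would close the gap; the enclosing function begins and ends outside this hunk, so the right spot has to be chosen against the full auth1.c. Separately, the new `#ifdef LOGIN_ACCESS` line carries trailing whitespace, and `lc` can still be NULL after `login_getclassbyname()`; whether `auth_hostok()` and `auth_timeok()` tolerate that is not visible here.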
diff -ruN openssh-portable.orig/files/patch-fake-rfc2553.h openssh-portable/files/patch-fake-rfc2553.h
--- openssh-portable.orig/files/patch-fake-rfc2553.h	Sat Mar 19 22:00:03 2005
+++ openssh-portable/files/patch-fake-rfc2553.h	Wed Dec 31 21:00:00 1969
@@ -1,11 +0,0 @@
---- openbsd-compat/fake-rfc2553.h.orig	Fri Feb 11 08:32:13 2005
-+++ openbsd-compat/fake-rfc2553.h	Sat Mar 19 21:27:33 2005
-@@ -113,7 +113,7 @@
- # define NI_MAXHOST 1025
- #endif /* !NI_MAXHOST */
- 
--#ifndef EAI_NODATA
-+#ifndef EAI_MEMORY
- # define EAI_NODATA	1
- # define EAI_MEMORY	2
- # define EAI_NONAME	3
--- openssh-portable.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


