Date: Thu, 1 Sep 2005 14:09:55 -0300 (BRT) From: Marcus Grando <marcus@corp.grupos.com.br> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/85578: Update port: security/openssh-portable to 4.2p1 Message-ID: <200509011709.j81H9t9g036140@marcus.grupos.com.br> Resent-Message-ID: <200509011710.j81HA7id057879@freefall.freebsd.org>
>Number: 85578 >Category: ports >Synopsis: Update port: security/openssh-portable to 4.2p1 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Thu Sep 01 17:10:06 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Marcus Grando >Release: FreeBSD 6.0-BETA3 i386 >Organization: Grupos Internet S/A >Environment: System: FreeBSD marcus.grupos.com.br 6.0-BETA3 FreeBSD 6.0-BETA3 #33: Wed Aug 31 12:46:26 BRT 2005 root@marcus.grupos.com.br:/usr/obj/usr/src/sys/MARCUS i386 >Description: - Update to 4.2p1 - Use OPTIONS - Reorganize Makefile Removed files: files/patch-auth-pam.c files/patch-fake-rfc2553.h >How-To-Repeat: >Fix: --- openssh-portable.patch begins here --- diff -ruN openssh-portable.orig/Makefile openssh-portable/Makefile --- openssh-portable.orig/Makefile Mon Jun 6 16:09:04 2005 +++ openssh-portable/Makefile Thu Sep 1 12:06:03 2005 @@ -6,7 +6,7 @@ # PORTNAME= openssh -PORTVERSION= 4.1.0.1 +PORTVERSION= 4.2.0.0 .if defined(OPENSSH_SNAPSHOT) PORTREVISION!= date -v-1d +%Y%m%d .endif @@ -21,7 +21,8 @@ MAINTAINER= ports@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH -OPENSSHVERSION= 4.1p1 +OPENSSHVERSION= 4.2p1 + .if defined(OPENSSH_SNAPSHOT) MASTER_SITE_SUBDIR2= snapshot/ DISTNAME2= ${PORTNAME}-SNAP-${PORTREVISION} @@ -52,6 +53,13 @@ ETCOLD= ${PREFIX}/etc PORTABLE_SUFFIX= -portable +SUDO?= +MAKE_ENV+= SUDO="${SUDO}" + +OPTIONS= SUID_SSH "Enable suid SSH (Recommended off)" off \ + GSSAPI "Enable GSSAPI support" off \ + OPENSSH_CHROOT "Enable CHROOT support" off + .if exists(/usr/include/security/pam_modules.h) CONFIGURE_ARGS+= --with-pam .endif @@ -60,7 +68,9 @@ CONFIGURE_ARGS+= --with-tcp-wrappers .endif -.if !defined(ENABLE_SUID_SSH) +.include <bsd.port.pre.mk> + +.if !defined(WITH_SUID_SSH) CONFIGURE_ARGS+= --disable-suid-ssh .endif 
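Review bot: The guard in the `@@ -60,7 +68,9 @@` hunk now tests `WITH_SUID_SSH` instead of `ENABLE_SUID_SSH`, and nothing in the Makefile tells an administrator that the old knob is no longer read. A host that still sets `ENABLE_SUID_SSH` will now get `--disable-suid-ssh`. That is the safer direction, but it silently changes how a privileged binary is built. A comment above the test would record it, for example `# WITH_SUID_SSH (set via OPTIONS) replaces ENABLE_SUID_SSH; --disable-suid-ssh is passed unless the option is selected`.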
@@ -69,13 +79,21 @@ GSSAPI_SUFFIX= -gssapi CONFLICTS+= openssh-portable-* CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} +.if ${OPENSSLBASE} == "/usr" +CONFIGURE_ARGS+= --without-rpath +LDFLAGS= +.endif .else CONFLICTS+= openssh-gssapi-* +CONFIGURE_ARGS+= --with-rpath=${OPENSSLRPATH} .if !defined(WITHOUT_KERBEROS) && exists(/usr/include/krb5.h) CONFIGURE_ARGS+= --with-kerberos5 EXTRA_PATCHES+= ${FILESDIR}/gss-serv.c.patch .endif .endif +.if ${OPENSSLBASE} != "/usr" +CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} +.endif .if defined(BATCH) EXTRA_PATCHES+= ${FILESDIR}/batch.patch 
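Review bot: `LDFLAGS=` in the GSSAPI branch empties the whole variable when `${OPENSSLBASE} == "/usr"`, so any linker flags set earlier, by the user or by an included .mk file, are dropped as well as the library path it is presumably meant to remove. `--without-rpath` on the line above already tells configure not to embed an rpath. Either drop the assignment or add a comment giving the reason every flag has to go, e.g. `# LDFLAGS cleared on purpose: <reason>`. The `.if` that opens the GSSAPI case is above this hunk, so the full condition is not visible here.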
@@ -118,52 +136,35 @@ ${FILESDIR}/sshd.sh > ${WRKSRC}/sshd.sh pre-install: -.if defined(OPENSSH_OVERWRITE_BASE) - -${MKDIR} ${EMPTYDIR} -.else - -${MKDIR} ${PREFIX}/empty -.endif +. if defined(OPENSSH_OVERWRITE_BASE) + -${MKDIR} ${EMPTYDIR} +. else + -${MKDIR} ${PREFIX}/empty +. endif if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi -@[ ! -d ${ETCSSH} ] && ${MKDIR} ${ETCSSH} -.for i in ${PRECIOUS} - -@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \ - ${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." && \ - ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i} -.endfor +. for i in ${PRECIOUS} + -@[ -f ${ETCOLD}/${i} ] && [ ! -f ${ETCSSH}/${i} ] && \ + ${ECHO_MSG} ">> Linking ${ETCSSH}/${i} from old layout." && \ + ${LN} ${ETCOLD}/${i} ${ETCSSH}/${i} +. endfor post-install: -.if !defined(OPENSSH_OVERWRITE_BASE) - ${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample -.endif +. if !defined(OPENSSH_OVERWRITE_BASE) + ${INSTALL_SCRIPT} ${WRKSRC}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh.sample +. endif ${INSTALL_DATA} -c ${WRKSRC}/ssh_config.out ${ETCSSH}/ssh_config-dist ${INSTALL_DATA} -c ${WRKSRC}/sshd_config.out ${ETCSSH}/sshd_config-dist -.if !defined(OPENSSH_OVERWRITE_BASE) - @${CAT} ${PKGMESSAGE} -.endif +. if !defined(OPENSSH_OVERWRITE_BASE) + @${CAT} ${PKGMESSAGE} +. 
endif test: (cd ${WRKSRC}/regress && ${SETENV} ${MAKE_ENV} \ TEST_SHELL=/bin/sh \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} ) - -.include <bsd.port.pre.mk> - -SUDO?= -MAKE_ENV+= SUDO="${SUDO}" - -.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) -.if ${OPENSSLBASE} == "/usr" -CONFIGURE_ARGS+= --without-rpath -LDFLAGS= -.endif -.else -CONFIGURE_ARGS+= --with-rpath=${OPENSSLRPATH} -.endif -.if ${OPENSSLBASE} != "/usr" -CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} -.endif .include <bsd.port.post.mk> diff -ruN openssh-portable.orig/distinfo openssh-portable/distinfo --- openssh-portable.orig/distinfo Mon Jun 6 16:09:04 2005 +++ openssh-portable/distinfo Thu Sep 1 11:09:53 2005 @@ -1,2 +1,2 @@ -MD5 (openssh-4.1p1.tar.gz) = 959c663e709c981f07a3315bfd64f3d0 -SIZE (openssh-4.1p1.tar.gz) = 894234 +MD5 (openssh-4.2p1.tar.gz) = df899194a340c933944b193477c628fa +SIZE (openssh-4.2p1.tar.gz) = 914165 diff -ruN openssh-portable.orig/files/patch-auth-pam.c openssh-portable/files/patch-auth-pam.c --- openssh-portable.orig/files/patch-auth-pam.c Sat Mar 19 22:00:03 2005 +++ openssh-portable/files/patch-auth-pam.c Wed Dec 31 21:00:00 1969 
@@ -1,65 +0,0 @@ ---- auth-pam.c.orig Thu Jan 20 03:29:51 2005 -+++ auth-pam.c Sat Mar 19 21:52:37 2005 -@@ -290,7 +290,7 @@ - * Conversation function for authentication thread. - */ - static int --sshpam_thread_conv(int n, struct pam_message **msg, -+sshpam_thread_conv(int n, const struct pam_message **msg, - struct pam_response **resp, void *data) - { - Buffer buffer; -@@ -390,7 +390,7 @@ - u_int i; - const char *pam_user; - -- pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user); -+ pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user); - environ[0] = NULL; - - if (sshpam_authctxt != NULL) { -@@ -482,7 +482,7 @@ - } - - static int --sshpam_null_conv(int n, struct pam_message **msg, -+sshpam_null_conv(int n, const struct pam_message **msg, - struct pam_response **resp, void *data) - { - debug3("PAM: %s entering, %d messages", __func__, n); -@@ -492,7 +492,7 @@ - static struct pam_conv null_conv = { sshpam_null_conv, NULL }; - - static int --sshpam_store_conv(int n, struct pam_message **msg, -+sshpam_store_conv(int n, const struct pam_message **msg, - struct pam_response **resp, void *data) - { - struct pam_response *reply; -@@ -565,7 +565,7 @@ - if (sshpam_handle != NULL) { - /* We already have a PAM context; check if the user matches */ - sshpam_err = pam_get_item(sshpam_handle, -- PAM_USER, (void **)&pam_user); -+ PAM_USER, (const void **)&pam_user); - if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) - return (0); - pam_end(sshpam_handle, sshpam_err); -@@ -881,7 +881,7 @@ - } - - static int --sshpam_tty_conv(int n, struct pam_message **msg, -+sshpam_tty_conv(int n, const struct pam_message **msg, - struct pam_response **resp, void *data) - { - char input[PAM_MAX_MSG_SIZE]; -@@ -1040,7 +1040,7 @@ - * display. 
- */ - static int --sshpam_passwd_conv(int n, struct pam_message **msg, -+sshpam_passwd_conv(int n, const struct pam_message **msg, - struct pam_response **resp, void *data) - { - struct pam_response *reply; diff -ruN openssh-portable.orig/files/patch-auth1.c openssh-portable/files/patch-auth1.c --- openssh-portable.orig/files/patch-auth1.c Sat Mar 19 22:00:03 2005 +++ openssh-portable/files/patch-auth1.c Thu Sep 1 11:24:17 2005 @@ -1,5 +1,5 @@ ---- auth1.c.orig Tue Feb 8 11:52:48 2005 -+++ auth1.c Sat Mar 19 21:34:47 2005 +--- auth1.c.orig Sun Jul 17 04:26:44 2005 ++++ auth1.c Thu Sep 1 11:23:35 2005 @@ -26,6 +26,7 @@ #include "uidswap.h" #include "monitor_wrap.h" @@ -8,10 +8,10 @@ /* import */ extern ServerOptions options; -@@ -71,6 +72,15 @@ - u_int dlen; - u_int ulen; - int prev, type = 0; +@@ -220,6 +221,15 @@ + char info[1024]; + int prev = 0, type = 0; + const struct AuthMethod1 *meth; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; +#endif /* HAVE_LOGIN_CAP */ 
@@ -24,38 +24,37 @@ debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "invalid user ", authctxt->user); -@@ -219,6 +229,34 @@ - logit("Unknown message during authentication: type %d", type); - break; +@@ -270,6 +280,33 @@ + "type %d", type); + goto skip; } + +#ifdef HAVE_LOGIN_CAP + if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; ++ lc = login_getpwclass(authctxt->pw); ++ if (lc == NULL) ++ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ logit("Denied connection for %.200s from %.200s [%.200s].", ++ authctxt->pw->pw_name, from_host, from_ip); ++ packet_disconnect("Sorry, you are not allowed to connect."); ++ } ++ if (!auth_timeok(lc, time(NULL))) { ++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", ++ authctxt->pw->pw_name, from_host); ++ packet_disconnect("Logins not available right now."); ++ } ++ login_close(lc); ++ lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS ++#ifdef LOGIN_ACCESS + if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); ++ logit("Denied connection for %.200s from %.200s [%.200s].", ++ authctxt->pw->pw_name, from_host, from_ip); ++ packet_disconnect("Sorry, you are not allowed to connect."); + } +#endif /* LOGIN_ACCESS */ -+ - 
#ifdef BSD_AUTH - if (authctxt->as) { - auth_close(authctxt->as); + + if (!*(meth->enabled)) { + verbose("%s authentication disabled.", meth->name); diff -ruN openssh-portable.orig/files/patch-fake-rfc2553.h openssh-portable/files/patch-fake-rfc2553.h --- openssh-portable.orig/files/patch-fake-rfc2553.h Sat Mar 19 22:00:03 2005 +++ openssh-portable/files/patch-fake-rfc2553.h Wed Dec 31 21:00:00 1969 @@ -1,11 +0,0 @@ ---- openbsd-compat/fake-rfc2553.h.orig Fri Feb 11 08:32:13 2005 -+++ openbsd-compat/fake-rfc2553.h Sat Mar 19 21:27:33 2005 -@@ -113,7 +113,7 @@ - # define NI_MAXHOST 1025 - #endif /* !NI_MAXHOST */ - --#ifndef EAI_NODATA -+#ifndef EAI_MEMORY - # define EAI_NODATA 1 - # define EAI_MEMORY 2 - # define EAI_NONAME 3 --- openssh-portable.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
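Review bot: In the re-anchored `HAVE_LOGIN_CAP` block, `lc` is handed to `auth_hostok()` and `auth_timeok()` without checking that the fallback `login_getclassbyname(NULL, authctxt->pw)` succeeded. What those helpers do with a NULL class is not visible here, but if they fall back to defaults, the host and time restrictions would be skipped and the login allowed. An access-control gate should fail closed, e.g. `if (lc == NULL) packet_disconnect("Sorry, you are not allowed to connect.");` before the two checks. The block now sits between the `goto skip;` for unknown message types and the `meth->enabled` test, so it appears to run for each authentication message. The enclosing function in auth1.c begins and ends outside this hunk.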