Date:      Thu, 3 Jul 2003 20:32:34 +0200 (CEST)
From:      Marius Strobl <marius@alchemy.franken.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        netchild@FreeBSD.org
Subject:   ports/54071: security/ssh2: security update to 3.2.5 and cleanup
Message-ID:  <200307031832.h63IWYC8032002@alchemy.franken.de>
Resent-Message-ID: <200307031840.h63IeGWA079704@freefall.freebsd.org>


>Number:         54071
>Category:       ports
>Synopsis:       security/ssh2: security update to 3.2.5 and cleanup
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 03 11:40:16 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Marius Strobl
>Release:        FreeBSD 5.1-CURRENT sparc64
>Organization:
>Environment:
System: FreeBSD alchemy.franken.de 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Wed Jun 18 21:28:13 CEST 2003 marius@alchemy.franken.de:/tmp/sys/sparc64/compile/alchemy sparc64
>Description:

Ssh2 from ssh.com has a critical security bug, from the original CHANGES:

        * Fixed a critical security bug with RSA signature
          verification. Mitigating factors: DSA is used by default (not
          vulnerable). Also, the attack requires that attacker has the
          public key and the attacker needs to precompute the signature
          data so, that it looks like a valid PKCS#1 signature. This is a
          non-trivial task to perform without the private
          key. Nonetheless, all users should update their servers and
          clients as soon as convenient. Workarounds are to not use RSA
          keys as host keys (though connecting to existing hosts with RSA
          hostkeys poses a serious risk with a vulnerable client), and
          disabling publickey authentication. Update your clients and
          servers.

The patch below updates the port to ssh2 3.2.5 which fixes the bug. It also
changes the following:

- Update MASTER_SITES, remove sites that are down or no longer carry ssh2
  and add some new.
- Turn Kerberos and group writeability support into knobs so one doesn't have
  to edit the Makefile.
- Remove dependency on security/tcp_wrapper for tcp-wrapper support on
  systems < FreeBSD 4.0, that port is no longer persistent.
- Fix pkg-plist for WITH_STATIC_SFTP case.
- Replace references to /etc/ssh2/* in man pages with references to
  PREFIX/etc/ssh2/* in order to better fit for FreeBSD.
- Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc.
- Remove duplicated mechanism for generating the host key if an old one isn't
  found in the post-install target in the Makefile of the port, this is
  already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile.
- Fix differences between the install action done when installing the
  package versus installing the port. I.e. make the package create the host
  key with whatever bits ssh-keygen2 defaults to (currently 2048) instead
  of 1024 bits, copy over the configuration files for ssh2 and sshd2 from
  the examples if not already existent and create the directories for the
  global host keys and known hosts files.
- Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2,
  i.e. configuration files that don't differ from the corresponding examples
  and empty directories. Inform the user to remove what's left over if any.
- Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets
  set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of
  "/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH
  and seems more useful. One might want to patch ssh2 to also use login_cap(3)
  so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf.

The patch adds the file patch-apps::ssh::sshchsession.c to the FILESDIR.

>How-To-Repeat:
>Fix:

Index: Makefile
===================================================================
RCS file: /usr/data/bsd/cvs/fbsd/ports/security/ssh2/Makefile,v
retrieving revision 1.113
diff -u -r1.113 Makefile
--- Makefile	23 Feb 2003 22:39:05 -0000	1.113
+++ Makefile	2 Jul 2003 22:22:16 -0000
@@ -6,22 +6,22 @@
 #
 
 PORTNAME=	ssh2
-PORTVERSION=	3.2.3
+PORTVERSION=	3.2.5
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.ssh.com/pub/ssh/ \
 		ftp://sunsite.unc.edu/pub/packages/security/ssh/ \
-		ftp://ftp.kyoto.wide.ad.jp/pub/security/ssh/ \
-		ftp://ftp.cis.fed.gov/pub/ssh/ \
 		ftp://ftp.keystealth.org/pub/ssh/ \
-		ftp://mirror.chpc.utah.edu/pub/ssh/ \
 		ftp://metalab.unc.edu/pub/packages/security/ssh/ \
-		ftp://herbie.ucs.indiana.edu/pub/security/ssh/
+		ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/ \
+		ftp://ftp.cronyx.ru/mirror/ssh/ \
+		ftp://ftp.univie.ac.at/applications/ssh.com/
 DISTNAME=	ssh-${PORTVERSION}
 
 MAINTAINER=	larse@ISI.EDU
 COMMENT=	Secure shell client and server (remote login program)
 
 GNU_CONFIGURE=	YES
+USE_REINPLACE=	YES
 
 CONFIGURE_ARGS=	--with-etcdir=${SSH2_ETC} --disable-debug
 
@@ -29,43 +29,43 @@
 SSH2_RCD=	${PREFIX}/etc/rc.d
 CONFIG_FILES=	ssh2_config sshd2_config
 
-# Uncomment if all your users are in their own group and their homedir
+.include <bsd.port.pre.mk>
+
+# Define if all your users are in their own group and their homedir
 # is writeable by that group.  Beware the security implications!
 #
-#CONFIGURE_ARGS+=	--enable-group-writeability
+.if defined(WITH_GROUP_WRITEABILITY)
+CONFIGURE_ARGS+=	--enable-group-writeability
+.endif
 
-# Kerberos support is untested.
+# Kerberos5 support in ssh2 is EXPERIMENTAL and requires MIT Kerberos,
+# Heimdal is unsupported.
 #
-#.if defined(KRB5_HOME) && exists(${KRB5_HOME})
-#CONFIGURE_ARGS+=--with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer
-#.endif
+.if defined(WITH_KERBEROS) && defined(KRB5_HOME) && \
+	exists(${KRB5_HOME}/lib/libkrb5.a)
+CONFIGURE_ARGS+=	--with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer
+.endif
 
-# Auto-configure tcp_wrappers support.
-#
-.if exists(/usr/include/tcpd.h) && !defined(WITHOUT_TCPWRAP) && \
-	!defined(WITHOUT_TCPWRAP)
+.if exists(/usr/include/tcpd.h) && !defined(WITHOUT_TCPWRAP)
 CONFIGURE_ARGS+=	--with-libwrap
-.elif defined(WITH_TCPWRAP)
-CONFIGURE_ARGS+=	--with-libwrap="-L${LOCALBASE}/lib -lwrap"
-
-LIB_DEPENDS+=	wrap.7:${PORTSDIR}/security/tcp_wrapper
 .endif
 
-.include <bsd.port.pre.mk>
-
-# This is necessary for a working ssh-chrootmgr. Added by mic@nethack.at
+# This is necessary for a working ssh-chrootmgr. Added by mic@nethack.at.
 #
 .if defined(WITH_STATIC_SFTP)
 CONFIGURE_ARGS+=	--enable-static
+PLIST_SUB=		STATIC=""
+.else
+PLIST_SUB=		STATIC="@comment "
 .endif
 
 .if defined(WITH_X11) || (exists(${X11BASE}/lib/libX11.a) \
 	&& exists(${X11BASE}/bin/xauth) && !defined(WITHOUT_X11))
 USE_XLIB=	yes
-PLIST_SUB=	WITH_X11:=""
+PLIST_SUB+=	WITH_X11:=""
 .else
 CONFIGURE_ARGS+=	--without-x
-PLIST_SUB=	WITH_X11:="@comment "
+PLIST_SUB+=	WITH_X11:="@comment "
 .endif
 
 MAN1=		ssh2.1 ssh-keygen2.1 ssh-add2.1 ssh-agent2.1 scp2.1 sftp2.1 \
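
Review bot: the new Kerberos conditional fails silently. With WITH_KERBEROS set but KRB5_HOME undefined, or with ${KRB5_HOME}/lib/libkrb5.a missing, the .if is simply false and the port builds without --with-kerberos5 and without any message, so the user believes Kerberos support was compiled in. An .else branch for the defined(WITH_KERBEROS) case that stops the build with a message naming the missing piece would make the knob safe to rely on. Separately, the WITH_STATIC_SFTP block uses plain "PLIST_SUB=" while the X11 block was changed to "PLIST_SUB+=" only because it now comes second; using "+=" in both places keeps the result independent of block order.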
@@ -81,6 +81,14 @@
 PORTDOCS=	CHANGES FAQ INSTALL LICENSE MANIFEST NEWS README \
 		REGEX-SYNTAX SSH2.QUICKSTART
 
+post-patch:
+.for i in ${MAN1} ${MAN5} ${MAN8}
+	@${REINPLACE_CMD} -e 's|\/etc\/ssh2|${PREFIX}&|g;' \
+		${WRKSRC}/apps/ssh/${i}
+.endfor
+	@${REINPLACE_CMD} -E -e 's|\$$\(ETCDIR\)|${PREFIX}\/etc|g;' \
+		${WRKSRC}/apps/ssh/ssh_dummy_shell.out
+
 post-install:
 .if !defined(NOPORTDOCS)
 	${MKDIR} ${DOCSDIR}
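
Review bot: the man page substitution 's|\/etc\/ssh2|${PREFIX}&|g;' is unanchored, so it also matches /etc/ssh2 where it is the tail of a longer path. Any man page line that already mentions a prefixed location such as /usr/local/etc/ssh2 would be rewritten to have the prefix twice. Requiring a non-path character (or start of line) before /etc/ssh2 avoids that. The backslashes before the slashes are not needed with "|" as the delimiter, and the expression breaks if PREFIX ever contains "|" or "&"; worth a comment at least.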
@@ -88,11 +96,7 @@
 	${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR}
 .endfor
 .endif
-	@if [ ! -f ${SSH2_ETC}/hostkey ]; then \
-	    ${ECHO} "Generating a secret host key..."; \
-	    ${PREFIX}/bin/ssh-keygen2 -P -b 1024 -t dsa ${SSH2_ETC}/hostkey; \
-	fi; \
-	if [ "`grep ssh /etc/inetd.conf|grep -v ^#ssh`" = "" ]; then \
+	if [ "`${GREP} ssh /etc/inetd.conf | ${GREP} -v ^#ssh`" = "" ]; then \
 	    if [ ! -f ${SSH2_RCD}/sshd.sh ]; then \
 		${ECHO} "Installing ${SSH2_RCD}/sshd.sh startup file."; \
 		${SED} -e 's+!!PREFIX!!+${PREFIX}+' < ${FILESDIR}/sshd.sh \
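
Review bot: the leading "@" was lost along with the removed host key lines. The old command started with "@if [ ! -f ${SSH2_ETC}/hostkey ]", the new first line is "if [ "`${GREP} ssh /etc/inetd.conf ...", so make now echoes the whole multi-line shell command during install. Please restore it as "@if". Since the key is now created only by the generate-host-key target in WRKSRC/apps/ssh/Makefile, the PR should also confirm that this target runs on a plain "make install" of the port and leaves the private key with owner-only permissions.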
Index: distinfo
===================================================================
RCS file: /usr/data/bsd/cvs/fbsd/ports/security/ssh2/distinfo,v
retrieving revision 1.33
diff -u -r1.33 distinfo
--- distinfo	23 Feb 2003 22:39:05 -0000	1.33
+++ distinfo	2 Jul 2003 21:29:49 -0000
@@ -1 +1 @@
-MD5 (ssh-3.2.3.tar.gz) = d74afd27a5df00ae8fbbe066ec82c88a
+MD5 (ssh-3.2.5.tar.gz) = 0d9da1d79e4ce9cff44daf93e5b66a11
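
Review bot: this single MD5 line is the only integrity check on the new tarball, and every MASTER_SITES entry in the Makefile hunk is plain ftp, several of them newly added third-party mirrors. For an update whose purpose is a signature verification fix, please say in the PR how the checksum was obtained (for example, computed from a copy fetched from ftp.ssh.com and compared with a value published by the vendor) so the committer can verify it independently rather than trusting the mirror that served the file.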
Index: pkg-plist
===================================================================
RCS file: /usr/data/bsd/cvs/fbsd/ports/security/ssh2/pkg-plist,v
retrieving revision 1.24
diff -u -r1.24 pkg-plist
--- pkg-plist	23 Feb 2003 22:39:05 -0000	1.24
+++ pkg-plist	2 Jul 2003 21:29:49 -0000
@@ -8,7 +8,9 @@
 bin/ssh-signer2
 bin/ssh-probe2
 bin/sftp-server2
+%%STATIC%%bin/sftp-server2.static
 bin/ssh-dummy-shell
+%%STATIC%%bin/ssh-dummy-shell.static
 bin/ssh
 bin/ssh-agent
 bin/ssh-add
@@ -20,17 +22,23 @@
 bin/ssh-signer
 bin/ssh-probe
 etc/rc.d/sshd.sh
+@unexec if cmp -s %D/etc/ssh2/sshd2_config %D/etc/ssh2/sshd2_config.example; then rm -f %D/etc/ssh2/sshd2_config; fi
 etc/ssh2/sshd2_config.example
+@exec [ -f %B/sshd2_config ] || cp %B/%f %B/sshd2_config
+@unexec if cmp -s %D/etc/ssh2/ssh2_config %D/etc/ssh2/ssh2_config.example; then rm -f %D/etc/ssh2/ssh2_config; fi
 etc/ssh2/ssh2_config.example
+@exec [ -f %B/ssh2_config ] || cp %B/%f %B/ssh2_config
 etc/ssh2/ssh_dummy_shell.out
 etc/ssh2/subconfig/anonymous.example
 etc/ssh2/subconfig/host_ext.example
 etc/ssh2/subconfig/host_int.example
 etc/ssh2/subconfig/user.example
+@exec [ -d %D/etc/ssh2/hostkeys ] || mkdir %D/etc/ssh2/hostkeys
+@exec [ -d %D/etc/ssh2/knownhosts ] || mkdir %D/etc/ssh2/knownhosts
 sbin/sshd2
 sbin/sshd-check-conf
 sbin/sshd
-@exec if [ ! -f %D/etc/ssh2/hostkey ]; then umask 022; echo "Generating 1024 bit host key."; %D/bin/ssh-keygen2 -P -b 1024 -t dsa %D/etc/ssh2/hostkey;  fi
+@exec if [ ! -f %D/etc/ssh2/hostkey ]; then umask 022; echo "Generating host key."; %D/bin/ssh-keygen2 -P -t dsa "DSA hostkey" %D/etc/ssh2/hostkey;  fi
 %%PORTDOCS%%share/doc/ssh2/CHANGES
 %%PORTDOCS%%share/doc/ssh2/FAQ
 %%PORTDOCS%%share/doc/ssh2/INSTALL
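
Review bot: in the rewritten host key @exec line, "DSA hostkey" is passed to ssh-keygen2 as a bare argument with no option letter in front of it: '-P -t dsa "DSA hostkey" %D/etc/ssh2/hostkey'. If it is meant to be the key comment it needs its option flag; as written it reads like a second key file name, which would leave a stray key pair called "DSA hostkey" in the working directory of pkg_add. The line also keeps "umask 022" while creating a private key, so the protection of %D/etc/ssh2/hostkey depends entirely on ssh-keygen2 setting the mode itself; a tighter umask for this command would not hurt. The two new mkdir calls for hostkeys and knownhosts likewise inherit whatever umask pkg_add runs with.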
@@ -41,3 +49,7 @@
 %%PORTDOCS%%share/doc/ssh2/REGEX-SYNTAX
 %%PORTDOCS%%share/doc/ssh2/SSH2.QUICKSTART
 %%PORTDOCS%%@dirrm share/doc/ssh2
+@unexec rmdir %D/etc/ssh2/hostkeys 2> /dev/null || true
+@unexec rmdir %D/etc/ssh2/knownhosts 2> /dev/null || true
+@unexec rmdir %D/etc/ssh2/subconfig 2> /dev/null || true
+@unexec rmdir %D/etc/ssh2 2> /dev/null || echo "If permanently deleting this package, %D/etc/ssh2 and its contents must be removed manually."
Index: files/patch-apps::ssh::sshchsession.c
===================================================================
RCS file: files/patch-apps::ssh::sshchsession.c
diff -N files/patch-apps::ssh::sshchsession.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-apps::ssh::sshchsession.c	2 Jul 2003 22:22:04 -0000
@@ -0,0 +1,22 @@
+--- apps/ssh/sshchsession.c.orig	Thu Jul  3 00:19:57 2003
++++ apps/ssh/sshchsession.c	Thu Jul  3 00:21:12 2003
+@@ -218,8 +218,8 @@
+ #ifdef _PATH_USERPATH
+ #define DEFAULT_PATH            _PATH_USERPATH
+ #else
+-#ifdef _PATH_DEFPATH
+-#define DEFAULT_PATH            _PATH_DEFPATH
++#ifdef _PATH_STDPATH
++#define DEFAULT_PATH            _PATH_STDPATH
+ #else
+ #define DEFAULT_PATH    "/bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin"
+ #endif
+@@ -502,7 +502,7 @@
+   ssh_child_set_env(envp, envsizep, "HOME", user_dir);
+   ssh_child_set_env(envp, envsizep, "USER", user_name);
+   ssh_child_set_env(envp, envsizep, "LOGNAME", user_name);
+-  ssh_child_set_env(envp, envsizep, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
++  ssh_child_set_env(envp, envsizep, "PATH", DEFAULT_PATH SSH_BINDIR);
+ 
+ #ifdef MAIL_SPOOL_DIRECTORY
+   ssh_snprintf(buf, sizeof(buf), "%s/%s", MAIL_SPOOL_DIRECTORY, user_name);
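
Review bot: the second inner hunk removes the ":" separator, changing DEFAULT_PATH ":" SSH_BINDIR to DEFAULT_PATH SSH_BINDIR, which is only correct when DEFAULT_PATH ends in a colon. That may hold for _PATH_STDPATH (the description's resulting PATH implies it), but the other two definitions in the first inner hunk are untouched: the fallback literal ends in "/usr/local/bin" with no colon, and _PATH_USERPATH still takes precedence when defined. On those branches the last directory and SSH_BINDIR fuse into one bogus PATH element. Keeping the ":" and instead defining DEFAULT_PATH without a trailing colon in the _PATH_STDPATH case would be safe on every branch; it also avoids ever producing an empty PATH element, which the shell treats as the current directory.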
>Release-Note:
>Audit-Trail:
>Unformatted:


