From owner-svn-ports-head@FreeBSD.ORG Wed Feb 5 01:40:48 2014
Return-Path:
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 9BA4C3F7;
	Wed, 5 Feb 2014 01:40:48 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 84FF7155A;
	Wed, 5 Feb 2014 01:40:48 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
	by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s151emZx065817;
	Wed, 5 Feb 2014 01:40:48 GMT
	(envelope-from bdrewery@svn.freebsd.org)
Received: (from bdrewery@localhost)
	by svn.freebsd.org (8.14.8/8.14.8/Submit) id s151ek6k065407;
	Wed, 5 Feb 2014 01:40:46 GMT
	(envelope-from bdrewery@svn.freebsd.org)
Message-Id: <201402050140.s151ek6k065407@svn.freebsd.org>
From: Bryan Drewery
Date: Wed, 5 Feb 2014 01:40:46 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r342618 - in head/security/openssh-portable: . files
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 Feb 2014 01:40:48 -0000

Author: bdrewery
Date: Wed Feb 5 01:40:46 2014
New Revision: 342618
URL: http://svnweb.freebsd.org/changeset/ports/342618
QAT: https://qat.redports.org/buildarchive/r342618/

Log:
  - Update to 6.5
    ChangeLog: http://www.openssh.org/txt/release-6.5
  - Update X509 patch to 7.8
  - Update LIB_DEPENDS to new format
  - Revert r328706 and re-enable privilege separation sandboxing by default
    as the issue causing crashes has been fixed upstream
  - capsicum(4) is now enabled upstream. A local patch is added to fix
    an issue with it [1]
  - KERB_GSSAPI is marked BROKEN. It does not build. This patch lacks an
    upstream and I have no way to test it. It needs a non-trivial amount of
    refactoring for 6.5 as the key handling API has changed quite a bit.
Submitted by: pjd@ [1] Added: head/security/openssh-portable/files/patch-sandbox-capsicum.c (contents, props changed) Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/extra-patch-hpn-build-options head/security/openssh-portable/files/openssh.in head/security/openssh-portable/files/patch-readconf.c head/security/openssh-portable/files/patch-servconf.c head/security/openssh-portable/files/patch-sshd.c head/security/openssh-portable/files/patch-sshd_config Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/Makefile Wed Feb 5 01:40:46 2014 (r342618) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.4p1 +DISTVERSION= 6.5p1 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -12,8 +12,8 @@ PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH -#LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style -#LICENSE_FILE= ${WRKSRC}/LICENCE +#LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style +#LICENSE_FILE= ${WRKSRC}/LICENCE CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* 
@@ -79,21 +79,20 @@ LPK_CONFIGURE_ON= --with-ldap=yes \ LPK_USE= OPENLDAP=yes # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 7.6 +X509_VERSION= 7.8 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 -X509_PATCHFILES= openssh-6.4-x509-glue.patch \ - ${PORTNAME}-6.3p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-6.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -SCTP_PATCHFILES= ${PORTNAME}-sctp-2329.patch.gz +SCTP_PATCHFILES= ${PORTNAME}-6.5p1-sctp-2329.patch.gz SCTP_CONFIGURE_WITH= sctp # Adapated from 5.7 patch at http://www.sxw.org.uk/computing/patches/ -KERB_GSSAPI_PATCHFILES= openssh-6.3p1-gsskex-all-20110125.patch.gz +KERB_GSSAPI_PATCHFILES= openssh-6.5p1-gsskex-all-20110125.patch.gz -MIT_LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5 -HEIMDAL_LIB_DEPENDS= krb5.26:${PORTSDIR}/security/heimdal +MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5 +HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers 
@@ -104,11 +103,15 @@ BSM_CONFIGURE_ON= --with-audit=bsm .include +.if ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= KERB_GSSAPI Patch is not updated for 6.5 and upstream has not been active since 2001. +.endif + # http://www.psc.edu/index.php/hpn-ssh .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} PORTDOCS+= HPN-README HPN_VERSION= 14v2 -HPN_DISTVERSION= 6.3p1 +HPN_DISTVERSION= 6.5p1 PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/} PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/distinfo Wed Feb 5 01:40:46 2014 (r342618) 
@@ -1,14 +1,12 @@ -SHA256 (openssh-6.4p1.tar.gz) = 5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2 -SIZE (openssh-6.4p1.tar.gz) = 1201402 -SHA256 (openssh-6.3p1-hpnssh14v2.diff.gz) = 23ae9307b58629ccf76a8ed5d9cf7215a45d6b7533d6b17eef17279fb9c48dca -SIZE (openssh-6.3p1-hpnssh14v2.diff.gz) = 24450 -SHA256 (openssh-6.3p1+x509-7.6.diff.gz) = d9e5f37c1a7750c19895f71d9b54e35afb6e7a45511b828e9da51252d0946460 -SIZE (openssh-6.3p1+x509-7.6.diff.gz) = 219962 -SHA256 (openssh-6.4-x509-glue.patch) = 8a199b3e6fe031775531c82e7a2d18fe468c1193c9d90ba17554ba9de2834876 -SIZE (openssh-6.4-x509-glue.patch) = 1219 -SHA256 (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 9dac542ed23f1ee330ddb03a34825f04abea726d227e9433f970e9a24325d767 -SIZE (openssh-6.3p1-gsskex-all-20110125.patch.gz) = 23486 +SHA256 (openssh-6.5p1.tar.gz) = a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027 +SIZE (openssh-6.5p1.tar.gz) = 1293187 +SHA256 (openssh-6.5p1-hpnssh14v2.diff.gz) = be6915130f2b1aad00235e02d55b67114dbb517b13d04d52a8abac9343166efd +SIZE (openssh-6.5p1-hpnssh14v2.diff.gz) = 24534 +SHA256 (openssh-6.5p1+x509-7.8.diff.gz) = b096ff7569e9ea3601673383540a986ce87636a984cc605a60dc53574888b992 +SIZE (openssh-6.5p1+x509-7.8.diff.gz) = 225483 +SHA256 (openssh-6.5p1-gsskex-all-20110125.patch.gz) = dd3b0f383a58e490f735646ae27f3dd05db96446e2e4ae8e753b64eee7f46582 +SIZE (openssh-6.5p1-gsskex-all-20110125.patch.gz) = 23516 SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1 SIZE (openssh-lpk-6.3p1.patch.gz) = 17815 -SHA256 (openssh-sctp-2329.patch.gz) = 1c460d6173c87313691ca279ac120959c3693a0570657514f1dcadcff5f405cb -SIZE (openssh-sctp-2329.patch.gz) = 8706 +SHA256 (openssh-6.5p1-sctp-2329.patch.gz) = 07acf0c6e6be493dbcf6fb166b846eef99256f6f60f0feb3451522147a1d9464 +SIZE (openssh-6.5p1-sctp-2329.patch.gz) = 8722 Modified: head/security/openssh-portable/files/extra-patch-hpn-build-options 
============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn-build-options Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/files/extra-patch-hpn-build-options Wed Feb 5 01:40:46 2014 (r342618) @@ -36,13 +36,13 @@ --- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500 +++ readconf.c 2013-10-11 09:19:12.295135966 -0500 -@@ -251,12 +251,16 @@ static struct { - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, - { "requesttty", oRequestTTY }, +@@ -268,12 +268,16 @@ static struct { + { "canonicalizehostname", oCanonicalizeHostname }, + { "canonicalizemaxdots", oCanonicalizeMaxDots }, + { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, +#ifdef NONECIPHER { "noneenabled", oNoneEnabled }, - { "noneswitch", oNoneSwitch }, + { "noneswitch", oNoneSwitch }, +#endif +#ifdef HPN { "tcprcvbufpoll", oTcpRcvBufPoll }, @@ -53,7 +53,7 @@ { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } -@@ -1417,12 +1421,20 @@ fill_default_options(Options * options) +@@ -1739,12 +1743,20 @@ fill_default_options(Options * options) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; Modified: head/security/openssh-portable/files/openssh.in ============================================================================== --- head/security/openssh-portable/files/openssh.in Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/files/openssh.in Wed Feb 5 01:40:46 2014 (r342618) @@ -38,7 +38,8 @@ openssh_keygen() if [ -f %%ETCSSH%%/ssh_host_key -a \ -f %%ETCSSH%%/ssh_host_dsa_key -a \ -f %%ETCSSH%%/ssh_host_rsa_key -a \ - -f %%ETCSSH%%/ssh_host_ecdsa_key ]; then + -f %%ETCSSH%%/ssh_host_ecdsa_key -a + -f %%ETCSSH%%/ssh_host_ed25519_key ]; then return 0 fi 
@@ -83,6 +84,15 @@ openssh_keygen() %%PREFIX%%/bin/ssh-keygen -t ecdsa \ -f %%ETCSSH%%/ssh_host_ecdsa_key -N '' fi + + if [ -f %%ETCSSH%%/ssh_host_ed25519_key ]; then + echo "You already have a Elliptic Curve ED25519 host key" \ + "in %%ETCSSH%%/ssh_host_ed25519_key" + echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation" + else + %%PREFIX%%/bin/ssh-keygen -t ed25519 \ + -f %%ETCSSH%%/ssh_host_ed25519_key -N '' + fi } openssh_check_same_ports(){ Modified: head/security/openssh-portable/files/patch-readconf.c ============================================================================== --- head/security/openssh-portable/files/patch-readconf.c Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/files/patch-readconf.c Wed Feb 5 01:40:46 2014 (r342618) @@ -26,10 +26,10 @@ Submitted by: delphij@ #include #include +#include + #include #include - #include -@@ -265,7 +266,19 @@ add_local_forward(Options *options, cons +@@ -282,7 +283,19 @@ Forward *fwd; #ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; @@ -50,7 +50,7 @@ Submitted by: delphij@ fatal("Privileged ports can only be forwarded by root."); #endif options->local_forwards = xrealloc(options->local_forwards, -@@ -1281,7 +1294,7 @@ fill_default_options(Options * options) +@@ -1607,7 +1620,7 @@ if (options->batch_mode == -1) options->batch_mode = 0; if (options->check_host_ip == -1) Added: head/security/openssh-portable/files/patch-sandbox-capsicum.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/patch-sandbox-capsicum.c Wed Feb 5 01:40:46 2014 (r342618) 
@@ -0,0 +1,17 @@ +--- sandbox-capsicum.c.orig 2014-01-25 16:39:53.000000000 -0600 ++++ sandbox-capsicum.c 2014-02-02 20:14:02.881233373 -0600 +@@ -94,10 +94,12 @@ ssh_sandbox_child(struct ssh_sandbox *bo + fatal("can't limit stderr: %m"); + + cap_rights_init(&rights, CAP_READ, CAP_WRITE); +- if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1) ++ if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1 && ++ errno != ENOSYS) + fatal("%s: failed to limit the network socket", __func__); + cap_rights_init(&rights, CAP_WRITE); +- if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1) ++ if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1 && ++ errno != ENOSYS) + fatal("%s: failed to limit the logging socket", __func__); + if (cap_enter() < 0 && errno != ENOSYS) + fatal("%s: failed to enter capability mode", __func__); Modified: head/security/openssh-portable/files/patch-servconf.c ============================================================================== --- head/security/openssh-portable/files/patch-servconf.c Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/files/patch-servconf.c Wed Feb 5 01:40:46 2014 (r342618) @@ -39,3 +39,12 @@ if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) +@@ -335,7 +339,7 @@ + options->version_addendum = xstrdup(""); + /* Turn privilege separation on by default */ + if (use_privsep == -1) +- use_privsep = PRIVSEP_NOSANDBOX; ++ use_privsep = PRIVSEP_ON; + + #ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { Modified: head/security/openssh-portable/files/patch-sshd.c ============================================================================== --- head/security/openssh-portable/files/patch-sshd.c Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/files/patch-sshd.c Wed Feb 5 01:40:46 2014 (r342618) 
@@ -42,7 +42,7 @@ connections, do not protect connection h #include #ifdef HAVE_SYS_STAT_H # include -@@ -83,6 +83,13 @@ +@@ -83,6 +84,13 @@ #include #endif @@ -56,18 +56,18 @@ connections, do not protect connection h #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" -@@ -1823,6 +1824,10 @@ +@@ -1877,6 +1885,10 @@ /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); -+ /* Avoid killing the process in high-pressure swapping environments. */ -+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) -+ debug("madvise(): %.200s", strerror(errno)); ++ /* Avoid killing the process in high-pressure swapping environments. */ ++ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) ++ debug("madvise(): %.200s", strerror(errno)); + - /* Initialize the random number generator. */ - arc4random_stir(); - -@@ -1864,6 +1871,29 @@ + /* Chdir to the root directory so that the current disk can be + unmounted if desired. */ + if (chdir("/") == -1) +@@ -1995,6 +2007,29 @@ signal(SIGCHLD, SIG_DFL); signal(SIGINT, SIG_DFL); Modified: head/security/openssh-portable/files/patch-sshd_config ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config Wed Feb 5 00:42:29 2014 (r342617) +++ head/security/openssh-portable/files/patch-sshd_config Wed Feb 5 01:40:46 2014 (r342618) @@ -10,7 +10,7 @@ #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -37,7 +40,7 @@ +@@ -41,7 +44,7 @@ # Authentication: #LoginGraceTime 2m @@ -19,7 +19,7 @@ #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -@@ -46,8 +49,7 @@ +@@ -50,8 +53,7 @@ #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 @@ -29,7 +29,7 @@ #AuthorizedPrincipalsFile none -@@ -64,11 +66,11 @@ +@@ -68,11 +70,11 @@ # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes 
@@ -44,16 +44,16 @@ #ChallengeResponseAuthentication yes # Kerberos options -@@ -81,7 +83,7 @@ +@@ -85,7 +87,7 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes --# Set this to 'yes' to enable PAM authentication, account processing, +-# Set this to 'yes' to enable PAM authentication, account processing, +# Set this to 'no' to disable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will + # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -@@ -90,19 +92,19 @@ +@@ -94,12 +96,12 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. @@ -67,12 +67,13 @@ +#X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes - #PrintMotd yes + #PermitTTY yes +@@ -107,7 +109,7 @@ #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. -+#UsePrivilegeSeparation yes ++#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0
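Review bot: The Makefile hunk at @@ -12,8 +12,8 @@ changes only whitespace on the two commented-out `#LICENSE=` / `#LICENSE_FILE=` lines; the removed and added text is otherwise identical. Either drop the hunk or mention the whitespace cleanup in the log, so that the next person reading `svn blame` on those lines does not go looking for a licensing change that is not there.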
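Review bot: In the Makefile hunk at @@ -79,21 +79,20 @@, KERB_GSSAPI_PATCHFILES is renamed to openssh-6.5p1-gsskex-all-20110125.patch.gz and distinfo gets a new SHA256 and a new size for it (23516 bytes, up from 23486), so a re-rolled file exists somewhere, yet the log says the patch "lacks an upstream", cannot be tested, and the next hunk marks the option BROKEN. The log should say where the re-rolled file is hosted (the diff shows no PATCH_SITES entry for it) and what was changed, or the 6.3p1 name and checksum should stay until the option actually builds; a fresh checksum for a patch nobody can apply is easy to mistake for a working option. Dropping openssh-6.4-x509-glue.patch is correct now that the x509 7.8 diff targets 6.5p1 directly. While here, "Adapated" in the comment above KERB_GSSAPI_PATCHFILES should read "Adapted".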
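Review bot: The BROKEN message added in the Makefile hunk at @@ -104,11 +103,15 @@ says upstream "has not been active since 2001", but the patch file name carries the date 20110125 and the comment above it says it was adapted from the 5.7 patch, so this is almost certainly a typo for 2011. Suggest `BROKEN= KERB_GSSAPI patch is not updated for 6.5 and upstream has not been active since 2011`. Placing the check directly after the `.include` of the options framework is right: the build stops up front with a message that names the option, rather than failing somewhere inside patch or build with a rejected hunk.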
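Review bot: In distinfo, openssh-lpk-6.3p1.patch.gz keeps its 6.3p1 name and checksum while every other external patch (HPN, X.509, gsskex, SCTP) was re-rolled for 6.5p1. The port's own patch-readconf.c and patch-servconf.c hunks in this same commit moved by several hundred lines (for example `-@@ -1281,7 +1294,7 @@` becoming `+@@ -1607,7 +1620,7 @@`), so the LPK patch is now being applied to a tree that changed substantially around it. The log should state that the LPK option was built and its hunks applied without rejects on 6.5p1, or the patch should be re-rolled like the others.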
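Review bot: In the openssh.in hunk at @@ -38,7 +38,8 @@ the new line `-f %%ETCSSH%%/ssh_host_ecdsa_key -a` has no trailing backslash, unlike the three `-a \` lines above it, so the `if [ ... -a` test ends with a dangling `-a` and the following `-f %%ETCSSH%%/ssh_host_ed25519_key ]; then` is parsed as a separate command. The shell will print errors on every start of the service and the early `return 0` path is never taken (the per-key checks further down still keep existing keys from being overwritten, so the damage is noise rather than key loss). It should read `-f %%ETCSSH%%/ssh_host_ecdsa_key -a \` followed by `-f %%ETCSSH%%/ssh_host_ed25519_key ]; then`.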
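Review bot: In the openssh.in hunk at @@ -83,6 +84,15 @@ the messages say "a Elliptic Curve ED25519 host key" and "Elliptic Curve ED25519 Key Generation". Grammar aside ("an"), calling it an Elliptic Curve key invites confusion with the ECDSA key handled in the branch just above it; the key type is spelled Ed25519 (`ssh-keygen -t ed25519`), so "You already have an Ed25519 host key" and "Skipping protocol version 2 Ed25519 key generation" would be clearer.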
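Review bot: The new patch-sandbox-capsicum.c makes the two `cap_rights_limit()` calls on the monitor sockets tolerate ENOSYS, matching the `cap_enter() < 0 && errno != ENOSYS` check at the end of the same function, so a kernel that answers these calls with ENOSYS (one built without Capsicum support) no longer kills the pre-authentication child with "failed to limit the network socket". Two things are missing. First, when ENOSYS is hit the child carries on without any capability-mode sandbox and nothing records that; a `debug()` or `verbose()` beside the `cap_enter()` fallback would let an operator running `sshd -d` see that the sandbox promised by `UsePrivilegeSeparation sandbox` is not actually in force on that kernel. Second, the patch file has no header; the other files in files/ carry one (patch-readconf.c shows "Submitted by: delphij@"), and this one should record the problem it works around and pjd@'s submission so it is not silently dropped on the next re-roll.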
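Review bot: The hunk appended to patch-servconf.c (`- use_privsep = PRIVSEP_NOSANDBOX;` / `+ use_privsep = PRIVSEP_ON;`) is what actually re-enables the sandbox by default, because the sshd_config change in this same commit turns the `UsePrivilegeSeparation` line into a comment and so leaves the decision to this compiled-in value. That makes the two hunks a matched pair; a line in the patch file header saying so, and that it reverts r328706 because the upstream crash is fixed (as the log states), would stop a future update from re-rolling one without the other. Note also that this deliberately diverges from upstream's own code default: the `-` line shows upstream compiles in PRIVSEP_NOSANDBOX even though the sshd_config it ships (see the `-UsePrivilegeSeparation sandbox # Default for new installations.` line further down) says sandbox.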
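Review bot: In patch-sshd.c the MADV_PROTECT block is re-based to sit before the `chdir("/")` instead of before the random-number initialisation. That is still in the listening daemon, after the daemonising fork and before any privilege drop, which matters because MADV_PROTECT is a superuser-only request, and the `!inetd_flag` guard remains right since under inetd each connection is its own short-lived process with nothing long-running to protect. The `-`/`+` pairs in this hunk differ only in indentation; fine, but the diff shows only the offset of the include hunk at `+@@ -83,6 +84,13 @@` changing and not its contents, so please confirm it still brings in the header that defines MADV_PROTECT.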
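Review bot: The last hunk of patch-sshd_config replaces `UsePrivilegeSeparation sandbox # Default for new installations.` with `#UsePrivilegeSeparation sandbox`, so the installed sshd_config now shows the value as a commented default rather than setting it. That is consistent with the rest of the file (every other option shown is a comment) and with the PRIVSEP_ON default from patch-servconf.c, but it is also the only place an admin would have noticed the change: anyone who kept an sshd_config from the r328706 era, when the port defaulted to no sandbox, silently gets the sandbox back on upgrade. Worth an UPDATING entry or pkg-message line saying so, with the hint that `UsePrivilegeSeparation yes` restores the previous behaviour if the sandbox misbehaves on their kernel.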