From: Bryan Drewery Date: Mon, 17 Nov 2014 18:08:15 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r372676 - in head/security/openssh-portable: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Nov 2014 18:08:17 -0000 Author: bdrewery Date: Mon Nov 17 18:08:14 2014 New Revision: 372676 URL: https://svnweb.freebsd.org/changeset/ports/372676 QAT: https://qat.redports.org/buildarchive/r372676/ Log: - Update to 6.7p1. Several patches do not currently apply. Use security/openssh-portable66 for: HPN, NONECIPHER, KERB_GSSAPI, X509. - Add a TCP_WRAPPER patch to re-enable support after it was removed upstream. Added: head/security/openssh-portable/files/extra-patch-tcpwrappers (contents, props changed) Deleted: head/security/openssh-portable/files/extra-patch-openssh661 Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/patch-readconf.c head/security/openssh-portable/files/patch-ssh-agent.c head/security/openssh-portable/files/patch-sshd_config.5 Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Mon Nov 17 17:51:51 2014 (r372675) +++ head/security/openssh-portable/Makefile Mon Nov 17 18:08:14 2014 (r372676) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 6.6p1 -PORTREVISION= 4 +DISTVERSION= 6.7p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} 
@@ -33,33 +33,31 @@ ETCOLD= ${PREFIX}/etc SUDO?= # empty MAKE_ENV+= SUDO="${SUDO}" -# https://github.com/openssh/openssh-portable/commit/5618210618256bbf5f4f71b2887ff186fd451736.patch -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-openssh661 - OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ - HPN LPK X509 KERB_GSSAPI \ + HPN X509 KERB_GSSAPI \ OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing -KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) -HPN_DESC= HPN-SSH patch -LPK_DESC= LDAP Public Key (LPK) [OBSOLETE] +KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) [BROKEN] +HPN_DESC= HPN-SSH patch [BROKEN] LDNS_DESC= SSHFP/LDNS support -X509_DESC= x509 certificate patch +X509_DESC= x509 certificate patch [BROKEN] SCTP_DESC= SCTP support OVERWRITE_BASE_DESC= OpenSSH overwrite base HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) -AES_THREADED_DESC= Threaded AES-CTR -NONECIPHER_DESC= NONE Cipher support +AES_THREADED_DESC= Threaded AES-CTR [BROKEN] +NONECIPHER_DESC= NONE Cipher support [BROKEN] OPTIONS_SUB= yes PLIST_SUB+= MANPREFIX=${MANPREFIX} +TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers + LDNS_CONFIGURE_WITH= ldns LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns 
@@ -72,24 +70,13 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher AES_THREADED_CONFIGURE_WITH= aes-threaded -# See http://code.google.com/p/openssh-lpk/wiki/Main -# and svn repo described here: -# http://code.google.com/p/openssh-lpk/source/checkout -# LPK is now OBSOLETE with 6.2: https://code.google.com/p/openssh-lpk/issues/detail?id=15#c1 -LPK_PATCHFILES= ${PORTNAME}-lpk-6.3p1.patch.gz -LPK_CPPFLAGS= -I${LOCALBASE}/include -LPK_CONFIGURE_ON= --with-ldap=yes \ - --with-ldflags='-L${LOCALBASE}/lib' \ - --with-cppflags='${CPPFLAGS}' -LPK_USE= OPENLDAP=yes - # See http://www.roumenpetrov.info/openssh/ X509_VERSION= 7.9 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_PATCHFILES= ${PORTNAME}-6.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 -SCTP_PATCHFILES= ${PORTNAME}-6.6p1-sctp-2329.patch.gz +SCTP_PATCHFILES= ${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1 SCTP_CONFIGURE_WITH= sctp # 6.6 patch taken from http://www.stacken.kth.se/~haba/ which was originally @@ -137,6 +124,16 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch .endif .if ${PORT_OPTIONS:MX509} +BROKEN= X509 does not apply yet. Use security/openssh-portable66 +.endif +.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} +BROKEN= HPN does not apply yet. Use security/openssh-portable66 +.endif +.if ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= KERB_GSSAPI does not apply yet. Use security/openssh-portable66 +.endif + +.if ${PORT_OPTIONS:MX509} . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif 
@@ -145,10 +142,6 @@ BROKEN= X509 patch and HPN patch do not BROKEN= X509 patch and SCTP patch do not apply cleanly together . endif -. if ${PORT_OPTIONS:MLPK} -BROKEN= X509 patch and LPK patch do not apply cleanly together -. endif - . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif @@ -196,10 +189,6 @@ IGNORE= KERB_GSSAPI requires one of MIT CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif -.if ${PORT_OPTIONS:MLPK} -CONFIGURE_LIBS+= -lldap -.endif - EMPTYDIR= /var/empty .if ${PORT_OPTIONS:MOVERWRITE_BASE} Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Mon Nov 17 17:51:51 2014 (r372675) +++ head/security/openssh-portable/distinfo Mon Nov 17 18:08:14 2014 (r372676) @@ -1,5 +1,5 @@ -SHA256 (openssh-6.6p1.tar.gz) = 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb -SIZE (openssh-6.6p1.tar.gz) = 1282502 +SHA256 (openssh-6.7p1.tar.gz) = b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 +SIZE (openssh-6.7p1.tar.gz) = 1351367 SHA256 (openssh-6.6.1p1-hpnssh14v2.diff.gz) = b7f5bd22f1c0bacd41fc4884aeb19bba460d548af875eeb6c857cb77bab53376 SIZE (openssh-6.6.1p1-hpnssh14v2.diff.gz) = 24473 SHA256 (openssh-6.6p1+x509-7.9.diff.gz) = 463473f75c1dc250ea4eda21f2c79df6f0b479ea499d044cb51d73073881ca34 
@@ -8,5 +8,5 @@ SHA256 (openssh-6.6p1-gsskex-all-2014031 SIZE (openssh-6.6p1-gsskex-all-20140318.patch.gz) = 24299 SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1 SIZE (openssh-lpk-6.3p1.patch.gz) = 17815 -SHA256 (openssh-6.6p1-sctp-2329.patch.gz) = e054529810815d63f7de5d1c6cc76fccb7766e1b2d1b62438ca83770afac9bfa -SIZE (openssh-6.6p1-sctp-2329.patch.gz) = 8695 +SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db +SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052 Added: head/security/openssh-portable/files/extra-patch-tcpwrappers ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-tcpwrappers Mon Nov 17 18:08:14 2014 (r372676) 
@@ -0,0 +1,179 @@ +Revert TCPWRAPPER removal -bdrewery +$FreeBSD$ + +commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 +Author: Damien Miller +Date: Sun Apr 20 13:22:18 2014 +1000 + + - tedu@cvs.openbsd.org 2014/03/26 19:58:37 + [sshd.8 sshd.c] + remove libwrap support. ok deraadt djm mfriedl + +diff --git sshd.8 sshd.8 +index 289e13d..e6a900b 100644 +--- sshd.8 ++++ sshd.8 +@@ -851,6 +851,12 @@ the user's home directory becomes accessible. + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . +@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +diff --git sshd.c sshd.c +index 0ade557..045f149 100644 +--- sshd.c ++++ sshd.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshd.c,v 1.421 2014/03/26 19:58:37 tedu Exp $ */ ++/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -122,6 +122,13 @@ + #include "ssh-sandbox.h" + #include "version.h" + ++#ifdef LIBWRAP ++#include ++#include ++int allow_severity; ++int deny_severity; ++#endif /* LIBWRAP */ ++ + #ifndef O_NOCTTY + #define O_NOCTTY 0 + #endif +@@ -2027,6 +2034,24 @@ main(int ac, char **av) + #ifdef SSH_AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); + #endif ++#ifdef LIBWRAP ++ allow_severity = options.log_facility|LOG_INFO; ++ deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are denied from this host. 
*/ ++ if (packet_connection_is_on_socket()) { ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ + + /* Log the connection. */ + verbose("Connection from %s port %d on %s port %d", +commit f9696566fb41320820f3b257ab564fa321bb3751 +Author: Darren Tucker +Date: Fri Jun 13 11:06:04 2014 +1000 + + - (dtucker) [configure.ac] Remove tcpwrappers support, support has already + been removed from sshd.c. + +diff --git ChangeLog ChangeLog +index f4c6ea6..1c043ae 100644 +--- ChangeLog ++++ ChangeLog +@@ -1,7 +1,3 @@ +-20140612 +- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already +- been removed from sshd.c. +- + 20140611 + - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from + openbsd-compat/bsd-asprintf.c. 
+diff --git configure.ac configure.ac +index f48ba4a..66fbe82 100644 +--- configure.ac ++++ configure.ac +@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], + ] + ) + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include ++#include ++#include ++#include ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" ++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -4803,6 +4859,7 @@ echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" + echo " Smartcard support: $SCARD_MSG" + echo " S/KEY support: $SKEY_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " Solaris process contract support: $SPC_MSG" Modified: head/security/openssh-portable/files/patch-readconf.c 
============================================================================== --- head/security/openssh-portable/files/patch-readconf.c Mon Nov 17 17:51:51 2014 (r372675) +++ head/security/openssh-portable/files/patch-readconf.c Mon Nov 17 18:08:14 2014 (r372676) @@ -18,22 +18,21 @@ Submitted upstream, no reaction. Submitted by: delphij@ - ---- readconf.c.orig 2013-10-03 06:56:21.649139613 -0500 -+++ readconf.c 2013-10-03 06:56:50.961467272 -0500 +--- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500 ++++ readconf.c 2014-11-03 16:45:05.188796445 -0600 @@ -17,6 +17,7 @@ #include #include #include +#include #include + #include - #include -@@ -282,7 +283,19 @@ - Forward *fwd; +@@ -281,7 +282,19 @@ add_local_forward(Options *options, cons + struct Forward *fwd; #ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; -- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) +- if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 && + int ipport_reserved; +#ifdef __FreeBSD__ + size_t len_ipport_reserved = sizeof(ipport_reserved); @@ -46,11 +45,11 @@ Submitted by: delphij@ +#else + ipport_reserved = IPPORT_RESERVED; +#endif -+ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0) ++ if (newfwd->listen_port < ipport_reserved && original_real_uid != 0 && + newfwd->listen_path == NULL) fatal("Privileged ports can only be forwarded by root."); #endif - options->local_forwards = xrealloc(options->local_forwards, -@@ -1607,7 +1620,7 @@ +@@ -1674,7 +1687,7 @@ fill_default_options(Options * options) if (options->batch_mode == -1) options->batch_mode = 0; if (options->check_host_ip == -1) Modified: head/security/openssh-portable/files/patch-ssh-agent.c ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.c Mon Nov 17 17:51:51 2014 (r372675) +++ head/security/openssh-portable/files/patch-ssh-agent.c Mon Nov 17 18:08:14 2014 (r372676) 
@@ -7,11 +7,11 @@ r226103 | des | 2011-10-07 08:10:16 -050 Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2011-06-02 23:14:16.000000000 -0500 -+++ ssh-agent.c 2013-05-09 15:59:14.044627857 -0500 -@@ -137,15 +137,34 @@ - /* Default lifetime (0 == forever) */ - static int lifetime = 0; +--- ssh-agent.c.orig 2014-07-29 21:32:46.000000000 -0500 ++++ ssh-agent.c 2014-11-03 16:48:03.930786112 -0600 +@@ -142,15 +142,34 @@ extern char *__progname; + /* Default lifetime in seconds (0 == forever) */ + static long lifetime = 0; +/* + * Client connection count; incremented in new_socket() and decremented in @@ -44,7 +44,7 @@ disconnected. } static void -@@ -900,6 +919,10 @@ +@@ -810,6 +829,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; @@ -55,15 +55,16 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1120,6 +1143,7 @@ - fprintf(stderr, " -d Debug mode.\n"); - fprintf(stderr, " -a socket Bind agent socket to given name.\n"); - fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); -+ fprintf(stderr, " -x Exit when the last client disconnects.\n"); +@@ -1026,7 +1049,7 @@ usage(void) + { + fprintf(stderr, + "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n" +- " [command [arg ...]]\n" ++ " [-x] [command [arg ...]]\n" + " ssh-agent [-c | -s] -k\n"); exit(1); } - -@@ -1149,6 +1173,7 @@ +@@ -1056,6 +1079,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -71,7 +72,7 @@ disconnected. #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -@@ -1160,7 +1185,7 @@ +@@ -1069,7 +1093,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); 
@@ -80,7 +81,7 @@ disconnected. switch (ch) { case 'c': if (s_flag) -@@ -1189,6 +1214,9 @@ +@@ -1098,6 +1122,9 @@ main(int ac, char **av) usage(); } break; Modified: head/security/openssh-portable/files/patch-sshd_config.5 ============================================================================== --- head/security/openssh-portable/files/patch-sshd_config.5 Mon Nov 17 17:51:51 2014 (r372675) +++ head/security/openssh-portable/files/patch-sshd_config.5 Mon Nov 17 18:08:14 2014 (r372676) @@ -1,9 +1,9 @@ ---- sshd_config.5.orig 2013-02-11 18:02:09.000000000 -0600 -+++ sshd_config.5 2013-05-13 06:49:28.164628328 -0500 -@@ -277,7 +277,9 @@ +--- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 ++++ sshd_config.5 2014-11-03 16:49:35.943778119 -0600 +@@ -304,7 +304,9 @@ .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via - PAM or though authentication styles supported in + PAM or through authentication styles supported in -.Xr login.conf 5 ) +.Xr login.conf 5 ) . +See also @@ -11,7 +11,7 @@ The default is .Dq yes . .It Cm ChrootDirectory -@@ -555,7 +557,7 @@ +@@ -615,7 +617,7 @@ .Pp .Pa /etc/hosts.equiv and @@ -20,7 +20,7 @@ are still used. The default is .Dq yes . -@@ -841,7 +843,22 @@ +@@ -977,7 +979,22 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -43,7 +43,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -887,7 +904,14 @@ +@@ -1023,7 +1040,14 @@ or .Dq no . The default is @@ -59,8 +59,8 @@ .Pp If this option is set to .Dq without-password , -@@ -1006,7 +1030,9 @@ - section in +@@ -1178,7 +1202,9 @@ + For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together 
@@ -70,7 +70,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1146,7 +1172,7 @@ +@@ -1343,7 +1369,7 @@ .Xr sshd 8 as a non-root user. The default is @@ -79,7 +79,7 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1182,7 +1208,7 @@ +@@ -1379,7 +1405,7 @@ or .Dq no . The default is
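Review bot: In the Makefile hunk at `@@ -137,6 +124,16 @@`, the three new blocks each set `BROKEN=` with a plain assignment, so when more than one of X509, HPN/AES_THREADED/NONECIPHER and KERB_GSSAPI is selected only the last message is reported, and the older nested X509 checks that follow can overwrite it again. Since none of these options can build against 6.7p1, consider dropping them from `OPTIONS_DEFINE` until the patches are refreshed, or folding the checks into one block with a single message that names security/openssh-portable66. The context line `X509_PATCHFILES= ${PORTNAME}-6.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509` still points at the 6.6p1 patch, which is worth a comment next to it so the version mismatch is not mistaken for an oversight. HPN and NONECIPHER also leave `OPTIONS_DEFAULT` here; the commit log covers this, but a note in UPDATING would reach users whose saved options still enable them.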
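Review bot: The distinfo hunks keep `SHA256 (openssh-lpk-6.3p1.patch.gz)` and its `SIZE` line as unchanged context even though this commit removes the LPK option and `LPK_PATCHFILES` from the Makefile, so that entry is now orphaned. Regenerating distinfo after the Makefile change would drop it. The 6.6p1 entries for hpnssh14v2, x509-7.9 and gsskex also remain; if they are kept on purpose for the options currently marked BROKEN, say so in the commit log, otherwise remove them together with the LPK entry.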
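Review bot: In files/extra-patch-tcpwrappers, the sshd.c hunk at `@@ -1,4 +1,4 @@` rewrites the `$OpenBSD$` ident line and the ChangeLog hunk removes the 20140612 entry; neither is needed to restore libwrap, and both tie the patch to the exact upstream text of those lines, so they should be dropped to leave only the sshd.8, sshd.c `LIBWRAP` and configure.ac changes. Two follow-ups on the parts that matter: the restored check in `main()` runs only inside `if (packet_connection_is_on_socket())`, so /etc/hosts.allow and /etc/hosts.deny are not consulted for connections that are not on a socket, and that limit deserves a sentence in the sshd.8 text added here. The patch also edits configure.ac, while the visible Makefile hunks only add `TCP_WRAPPERS_EXTRA_PATCHES`; please confirm that configure is regenerated and `--with-tcp-wrappers` is passed when the option is on, because otherwise `LIBWRAP` is never defined and sshd builds without the access check while the option appears enabled.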