Date: Fri, 18 Apr 2008 12:54:58 +0900 (JST) From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> To: FreeBSD-gnats-submit@FreeBSD.org Cc: turutani@scphys.kyoto-u.ac.jp Subject: ports/122879: update security/openssh-portable Message-ID: <200804180354.m3I3swar094341@h120.65.226.10.32118.vlan.kuins.net> Resent-Message-ID: <200804180400.m3I403ig080045@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 122879 >Category: ports >Synopsis: update security/openssh-portable >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Apr 18 04:00:02 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Tsurutani Naoki >Release: FreeBSD 6.3-PRERELEASE i386 >Organization: >Environment: System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #11: Wed Jan 16 16:30:07 JST 2008 turutani@polymer3.scphys.kyoto-u.ac.jp:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386 >Description: update security/openssh-portable. some security issues have been reported. >How-To-Repeat: >Fix: here is a patch to ports skelton. fixes about files/* are not necessary indeed, except patch-auth2.c and patch-session.c. openssh-lpk-5.0p1-0.3.9.patch is not available from original site, and can be downloaded from http://jfut.featia.net/linux/openssh/openssh-lpk-5.0p1-0.3.9.patch . I examined with some options, and no trouble about patching found. diff -urN openssh-portable.orig/Makefile openssh-portable/Makefile --- openssh-portable.orig/Makefile 2008-01-18 04:34:38.000000000 +0900 +++ openssh-portable/Makefile 2008-04-18 12:45:35.000000000 +0900 @@ -6,9 +6,7 @@ # PORTNAME= openssh -DISTVERSION= 4.7p1 -PORTREVISION= 1 -PORTEPOCH= 1 +DISTVERSION= 5.0p1 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \ ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \ @@ -95,7 +93,7 @@ .if defined(WITH_KERB_GSSAPI) PATCH_DIST_STRIP= -p0 PATCH_SITES+= http://www.sxw.org.uk/computing/patches/ -PATCHFILES+= openssh-4.7p1-gsskex-20070927.patch +PATCHFILES+= openssh-5.0p1-gsskex-20080404.patch .endif PORTABLE_SUFFIX= # empty GSSAPI_SUFFIX= -gssapi @@ -140,14 +138,14 @@ .if defined(WITH_HPN) PATCH_DIST_STRIP= -p1 PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/ -PATCHFILES+= openssh-4.7p1-hpn12v20.diff.gz +PATCHFILES+= openssh-5.0p1-hpn13v3.diff.gz .endif # See http://dev.inversepath.com/trac/openssh-lpk .if defined(WITH_LPK) PATCH_DIST_STRIP= -p2 PATCH_SITES+= http://dev.inversepath.com/openssh-lpk/ -PATCHFILES+= openssh-lpk-4.6p1-0.3.9.patch +PATCHFILES+= openssh-lpk-5.0p1-0.3.9.patch USE_OPENLDAP= yes CPPFLAGS+= "-I${LOCALBASE}/include -DWITH_LDAP_PUBKEY" CONFIGURE_ARGS+= --with-libs='-lldap' --with-ldflags='-L/usr/local/lib' \ diff -urN openssh-portable.orig/distinfo openssh-portable/distinfo --- openssh-portable.orig/distinfo 2008-01-18 04:34:38.000000000 +0900 +++ openssh-portable/distinfo 2008-04-18 12:44:02.000000000 +0900 @@ -1,12 +1,12 @@ -MD5 (openssh-4.7p1.tar.gz) = 50a800fd2c6def9e9a53068837e87b91 -SHA256 (openssh-4.7p1.tar.gz) = d47133f0c6737d2889bf8da7bdf389fc2268d1c7fa3cd11a52451501eab548bc -SIZE (openssh-4.7p1.tar.gz) = 991119 -MD5 (openssh-4.7p1-gsskex-20070927.patch) = ad58a9848dcaa3ad5a2ab14182fb9212 -SHA256 (openssh-4.7p1-gsskex-20070927.patch) = 7ef9009baa842c696d356c7e5e5d022797a227531c1662dd998510e45a6dd597 -SIZE (openssh-4.7p1-gsskex-20070927.patch) = 66693 -MD5 (openssh-4.7p1-hpn12v20.diff.gz) = 7a75e87b03e4d713973c5a3330a68ab5 -SHA256 (openssh-4.7p1-hpn12v20.diff.gz) = 4b951b444f3c093ca3dbb1ae6e9825c33610719ee8ca593e660ec8248c5b09c6 -SIZE (openssh-4.7p1-hpn12v20.diff.gz) = 15211 -MD5 (openssh-lpk-4.6p1-0.3.9.patch) = f43a8aae7d69e72f0ec07bc96e46b328 -SHA256 (openssh-lpk-4.6p1-0.3.9.patch) = e12335e8bf020508ea3866db07b306f4c965e3f9de262c06f62fad494e93107e -SIZE (openssh-lpk-4.6p1-0.3.9.patch) = 61605 +MD5 (openssh-5.0p1.tar.gz) = 1f1dfaa775f33dd3328169de9bdc292a +SHA256 (openssh-5.0p1.tar.gz) = 73a58620cd475155be8524f46997ba1942bc9e54204eeb15f0465e54ca279f4f +SIZE (openssh-5.0p1.tar.gz) = 1011556 +MD5 (openssh-5.0p1-gsskex-20080404.patch) = d13bf38e852e38b7f29b9e6993b00b52 +SHA256 (openssh-5.0p1-gsskex-20080404.patch) = 8f8b9910af767ce8e2a5d4854e95c8eb8b089bb250b290d22add38e9ddb1791e +SIZE (openssh-5.0p1-gsskex-20080404.patch) = 68272 +MD5 (openssh-5.0p1-hpn13v3.diff.gz) = 95e7f78d63b419babd820c0653aa47ef +SHA256 (openssh-5.0p1-hpn13v3.diff.gz) = e9000f969705dbdf72f7ea069e5f8a2475eb89e88e014c678ecb102ddf4bcde2 +SIZE (openssh-5.0p1-hpn13v3.diff.gz) = 24060 +MD5 (openssh-lpk-5.0p1-0.3.9.patch) = 11aa3cbecd88887a771ae8a1a7f5147d +SHA256 (openssh-lpk-5.0p1-0.3.9.patch) = 65c32699eec19b780a06f97621fcf51dc713478414142275ce8cc63468192e85 +SIZE (openssh-lpk-5.0p1-0.3.9.patch) = 62050 diff -urN openssh-portable.orig/files/gss-serv.c.patch openssh-portable/files/gss-serv.c.patch --- openssh-portable.orig/files/gss-serv.c.patch 2006-02-08 05:07:54.000000000 +0900 +++ openssh-portable/files/gss-serv.c.patch 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- gss-serv.c.orig Sat Nov 5 02:07:05 2005 -+++ gss-serv.c Thu Feb 2 22:45:37 2006 -@@ -134,6 +134,16 @@ +--- gss-serv.c.orig 2007-06-12 22:40:39.000000000 +0900 ++++ gss-serv.c 2008-04-18 11:32:41.000000000 +0900 +@@ -191,6 +191,16 @@ OM_uint32 offset; OM_uint32 oidl; diff -urN openssh-portable.orig/files/openssh.in openssh-portable/files/openssh.in --- openssh-portable.orig/files/openssh.in 2006-02-22 04:28:37.000000000 +0900 +++ openssh-portable/files/openssh.in 1970-01-01 09:00:00.000000000 +0900 @@ -1,88 +0,0 @@ -#!/bin/sh -# -# $FreeBSD: ports/security/openssh-portable/files/openssh.in,v 1.2 2006/02/21 19:28:37 mnag Exp $ -# -# PROVIDE: openssh -# REQUIRE: DAEMON -# -# Add the following lines to /etc/rc.conf to enable openssh: -# -# openssh_enable (bool): Set it to "YES" to enable openssh. -# Default is "NO". -# openssh_flags (flags): Set extra flags to openssh. -# Default is "". see sshd(1). -# openssh_pidfile (file): Set full path to pid file. -# Default is "/var/run/sshd.pid". -# - -. %%RC_SUBR%% - -name="openssh" -rcvar=${name}_enable - -load_rc_config ${name} - -: ${openssh_enable="NO"} -: ${openssh_pidfile="/var/run/sshd.pid"} - -command=%%PREFIX%%/sbin/sshd -extra_commands="reload keygen" -start_precmd="${name}_checks" -restart_precmd="${name}_checks" -keygen_cmd="${name}_keygen" -pidfile=${openssh_pidfile} - -openssh_keygen() -{ - if [ ! -f %%ETCSSH%%/ssh_host_key -o \ - ! -f %%ETCSSH%%/ssh_host_dsa_key -o \ - ! -f %%ETCSSH%%/ssh_host_rsa_key ]; then - - umask 022 - - # Can't do anything if ssh is not installed - [ -x %%PREFIX%%/bin/ssh-keygen ] || { - err 1 "%%PREFIX%%/bin/ssh-keygen does not exist." - } - - if [ -f %%ETCSSH%%/ssh_host_key ]; then - echo "You already have an RSA host key" \ - "in %%ETCSSH%%/ssh_host_key" - echo "Skipping protocol version 1 RSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t rsa1 -b 1024 \ - -f %%ETCSSH%%/ssh_host_key -N '' - fi - - if [ -f %%ETCSSH%%/ssh_host_dsa_key ]; then - echo "You already have a DSA host key" \ - "in %%ETCSSH%%/ssh_host_dsa_key" - echo "Skipping protocol version 2 DSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t dsa \ - -f %%ETCSSH%%/ssh_host_dsa_key -N '' - fi - - if [ -f %%ETCSSH%%/ssh_host_rsa_key ]; then - echo "You already have a RSA host key" \ - "in %%ETCSSH%%/ssh_host_rsa_key" - echo "Skipping protocol version 2 RSA Key Generation" - else - %%PREFIX%%/bin/ssh-keygen -t rsa \ - -f %%ETCSSH%%/ssh_host_rsa_key -N '' - fi - - fi -} - -openssh_checks() -{ - if checkyesno sshd_enable ; then - err 1 "sshd_enable is set. Please set sshd_enable to NO in your rc.conf" - fi - - run_rc_command keygen - eval "${command} -t" -} - -run_rc_command "$1" diff -urN openssh-portable.orig/files/patch-Makefile.in openssh-portable/files/patch-Makefile.in --- openssh-portable.orig/files/patch-Makefile.in 2006-02-08 05:07:54.000000000 +0900 +++ openssh-portable/files/patch-Makefile.in 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- Makefile.in.orig Fri Feb 25 18:12:38 2005 -+++ Makefile.in Sat Mar 19 19:53:44 2005 -@@ -230,7 +230,7 @@ +--- Makefile.in.orig 2008-03-13 10:41:31.000000000 +0900 ++++ Makefile.in 2008-04-18 11:32:41.000000000 +0900 +@@ -231,7 +231,7 @@ -rm -rf autom4te.cache (cd scard && $(MAKE) -f Makefile.in distprep) diff -urN openssh-portable.orig/files/patch-auth.c openssh-portable/files/patch-auth.c --- openssh-portable.orig/files/patch-auth.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-auth.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- auth.c.orig Wed Sep 6 21:36:43 2006 -+++ auth.c Sat Sep 30 10:38:04 2006 -@@ -500,7 +501,7 @@ +--- auth.c.orig 2007-10-26 13:25:13.000000000 +0900 ++++ auth.c 2008-04-18 11:32:41.000000000 +0900 +@@ -500,7 +500,7 @@ if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP diff -urN openssh-portable.orig/files/patch-auth1.c openssh-portable/files/patch-auth1.c --- openssh-portable.orig/files/patch-auth1.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-auth1.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,5 +1,5 @@ ---- auth1.c.orig Fri Sep 1 02:38:36 2006 -+++ auth1.c Sat Sep 30 18:47:57 2006 +--- auth1.c.orig 2007-10-26 13:25:13.000000000 +0900 ++++ auth1.c 2008-04-18 11:32:41.000000000 +0900 @@ -39,6 +39,7 @@ #endif #include "monitor_wrap.h" @@ -22,11 +22,10 @@ debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "invalid user ", authctxt->user); -@@ -288,6 +296,26 @@ - "type %d", type); +@@ -289,6 +297,26 @@ goto skip; } -+ + +#ifdef HAVE_LOGIN_CAP + if (authctxt->pw != NULL) { + lc = login_getpwclass(authctxt->pw); @@ -46,6 +45,7 @@ + lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ - ++ if (!*(meth->enabled)) { verbose("%s authentication disabled.", meth->name); + goto skip; diff -urN openssh-portable.orig/files/patch-auth2.c openssh-portable/files/patch-auth2.c --- openssh-portable.orig/files/patch-auth2.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-auth2.c 2008-04-18 12:01:59.000000000 +0900 @@ -1,14 +1,14 @@ --- auth2.c.orig Fri Aug 4 23:39:39 2006 +++ auth2.c Sat Sep 30 10:38:04 2006 -@@ -44,6 +45,7 @@ - #include "dispatch.h" - #include "pathnames.h" - #include "buffer.h" -+#include "canohost.h" - - #ifdef GSSAPI +@@ -49,6 +49,7 @@ #include "ssh-gss.h" -@@ -147,6 +149,13 @@ + #endif + #include "monitor_wrap.h" ++#include "canohost.h" + + /* import */ + extern ServerOptions options; +@@ -142,6 +143,13 @@ Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; @@ -22,7 +22,7 @@ if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -190,6 +199,27 @@ +@@ -185,6 +193,27 @@ "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } diff -urN openssh-portable.orig/files/patch-loginrec.c openssh-portable/files/patch-loginrec.c --- openssh-portable.orig/files/patch-loginrec.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-loginrec.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,16 +1,16 @@ ---- loginrec.c.orig Tue Feb 15 12:19:28 2005 -+++ loginrec.c Sat Mar 19 20:55:59 2005 -@@ -164,6 +164,9 @@ - #ifdef HAVE_LIBUTIL_H - # include <libutil.h> +--- loginrec.c.orig 2007-04-29 11:10:58.000000000 +0900 ++++ loginrec.c 2008-04-18 11:32:41.000000000 +0900 +@@ -179,6 +179,9 @@ + #ifdef HAVE_UTIL_H + # include <util.h> #endif +#ifdef __FreeBSD__ +#include <osreldate.h> +#endif - RCSID("$Id: loginrec.c,v 1.67 2005/02/15 11:19:28 dtucker Exp $"); - -@@ -670,8 +673,13 @@ + #ifdef HAVE_LIBUTIL_H + # include <libutil.h> +@@ -688,8 +691,13 @@ strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); # ifdef HAVE_HOST_IN_UTMP diff -urN openssh-portable.orig/files/patch-readconf.c openssh-portable/files/patch-readconf.c --- openssh-portable.orig/files/patch-readconf.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-readconf.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- readconf.c.orig Fri Sep 1 02:38:37 2006 -+++ readconf.c Sat Sep 30 10:38:05 2006 -@@ -1112,7 +1122,7 @@ +--- readconf.c.orig 2008-02-10 20:25:52.000000000 +0900 ++++ readconf.c 2008-04-18 11:32:41.000000000 +0900 +@@ -1112,7 +1112,7 @@ if (options->batch_mode == -1) options->batch_mode = 0; if (options->check_host_ip == -1) diff -urN openssh-portable.orig/files/patch-servconf.c openssh-portable/files/patch-servconf.c --- openssh-portable.orig/files/patch-servconf.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-servconf.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- servconf.c.orig Fri Aug 18 11:23:15 2006 -+++ servconf.c Sat Sep 30 21:54:26 2006 -@@ -129,7 +129,7 @@ +--- servconf.c.orig 2008-02-10 20:48:55.000000000 +0900 ++++ servconf.c 2008-04-18 11:32:41.000000000 +0900 +@@ -130,7 +130,7 @@ { /* Portable-specific options */ if (options->use_pam == -1) @@ -9,7 +9,7 @@ /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) -@@ -159,7 +159,7 @@ +@@ -160,7 +160,7 @@ if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) @@ -18,7 +18,7 @@ if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -@@ -169,7 +169,7 @@ +@@ -170,7 +170,7 @@ if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -27,7 +27,7 @@ if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -207,7 +207,11 @@ +@@ -208,7 +208,11 @@ if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) diff -urN openssh-portable.orig/files/patch-session.c openssh-portable/files/patch-session.c --- openssh-portable.orig/files/patch-session.c 2006-11-17 04:31:44.000000000 +0900 +++ openssh-portable/files/patch-session.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,5 +1,5 @@ ---- session.c.orig Mon Oct 23 14:01:56 2006 -+++ session.c Fri Nov 10 12:21:51 2006 +--- session.c.orig 2008-03-27 09:03:05.000000000 +0900 ++++ session.c 2008-04-18 11:32:41.000000000 +0900 @@ -776,6 +776,24 @@ { FILE *f; @@ -25,7 +25,7 @@ if (options.print_motd) { #ifdef HAVE_LOGIN_CAP -@@ -1004,6 +1022,9 @@ +@@ -1005,6 +1023,9 @@ struct passwd *pw = s->pw; #ifndef HAVE_LOGIN_CAP char *path = NULL; @@ -35,7 +35,7 @@ #endif /* Initialize the environment. */ -@@ -1025,6 +1046,9 @@ +@@ -1026,6 +1047,9 @@ } #endif @@ -45,7 +45,7 @@ #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1044,11 +1068,22 @@ +@@ -1045,11 +1069,22 @@ child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -72,7 +72,7 @@ #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1069,15 +1104,9 @@ +@@ -1070,15 +1105,9 @@ # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -88,19 +88,19 @@ /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -@@ -1287,6 +1316,10 @@ - void - do_setusercontext(struct passwd *pw) +@@ -1346,6 +1375,10 @@ { + char *chroot_path, *tmp; + +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ - #ifndef HAVE_CYGWIN - if (getuid() == 0 || geteuid() == 0) - #endif /* HAVE_CYGWIN */ -@@ -1313,8 +1346,27 @@ - do_pam_setcred(0); + #ifdef WITH_SELINUX + /* Cache selinux status for later use */ + (void)ssh_selinux_enabled(); +@@ -1369,6 +1402,25 @@ + do_pam_setcred(use_privsep); } # endif /* USE_PAM */ +#ifdef CHROOT @@ -123,13 +123,10 @@ + } +#endif /* CHROOT */ if (setusercontext(lc, pw, pw->pw_uid, -- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) { + (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); - exit(1); - } -@@ -1472,6 +1524,9 @@ - char *argv[10]; +@@ -1540,6 +1592,9 @@ + char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; +#ifdef HAVE_LOGIN_CAP @@ -138,7 +135,7 @@ /* remove hostkey from the child's memory */ destroy_sensitive_data(); -@@ -1559,6 +1614,10 @@ +@@ -1627,6 +1682,10 @@ */ environ = env; @@ -149,7 +146,7 @@ #if defined(KRB5) && defined(USE_AFS) /* * At this point, we check to see if AFS is active and if we have -@@ -1590,7 +1649,7 @@ +@@ -1658,7 +1717,7 @@ fprintf(stderr, "Could not chdir to home directory %s: %s\n", pw->pw_dir, strerror(errno)); #ifdef HAVE_LOGIN_CAP diff -urN openssh-portable.orig/files/patch-ssh-agent.c openssh-portable/files/patch-ssh-agent.c --- openssh-portable.orig/files/patch-ssh-agent.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-ssh-agent.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- ssh-agent.c.orig Fri Sep 1 02:38:37 2006 -+++ ssh-agent.c Sat Sep 30 18:30:32 2006 -@@ -1036,6 +1036,7 @@ +--- ssh-agent.c.orig 2008-02-28 17:13:52.000000000 +0900 ++++ ssh-agent.c 2008-04-18 11:32:41.000000000 +0900 +@@ -1055,6 +1055,7 @@ /* drop */ setegid(getgid()); setgid(getgid()); diff -urN openssh-portable.orig/files/patch-ssh.c openssh-portable/files/patch-ssh.c --- openssh-portable.orig/files/patch-ssh.c 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-ssh.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,10 +1,9 @@ ---- ssh.c.orig Sat Sep 2 02:32:40 2006 -+++ ssh.c Sat Sep 30 10:38:05 2006 -@@ -639,6 +640,23 @@ - +--- ssh.c.orig 2008-02-28 17:13:52.000000000 +0900 ++++ ssh.c 2008-04-18 11:32:41.000000000 +0900 +@@ -645,6 +645,23 @@ if (options.hostname != NULL) host = options.hostname; -+ + + /* Find canonic host name. */ + if (strchr(host, '.') == 0) { + struct addrinfo hints; @@ -21,6 +20,7 @@ + freeaddrinfo(ai); + } + } - ++ /* force lowercase for hostkey matching */ if (options.host_key_alias != NULL) { + for (p = options.host_key_alias; *p; p++) diff -urN openssh-portable.orig/files/patch-ssh_config openssh-portable/files/patch-ssh_config --- openssh-portable.orig/files/patch-ssh_config 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-ssh_config 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- ssh_config.orig Tue Jun 13 00:01:10 2006 -+++ ssh_config Sat Sep 30 10:39:07 2006 -@@ -27,7 +28,7 @@ +--- ssh_config.orig 2007-06-11 13:04:42.000000000 +0900 ++++ ssh_config 2008-04-18 11:32:41.000000000 +0900 +@@ -27,7 +27,7 @@ # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # BatchMode no diff -urN openssh-portable.orig/files/patch-ssh_config.5 openssh-portable/files/patch-ssh_config.5 --- openssh-portable.orig/files/patch-ssh_config.5 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-ssh_config.5 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- ssh_config.5.orig Fri Aug 4 22:34:51 2006 -+++ ssh_config.5 Sat Sep 30 10:39:07 2006 -@@ -165,7 +166,7 @@ +--- ssh_config.5.orig 2007-12-02 21:09:30.000000000 +0900 ++++ ssh_config.5 2008-04-18 11:32:41.000000000 +0900 +@@ -163,7 +163,7 @@ .Dq no , the check will not be executed. The default is diff -urN openssh-portable.orig/files/patch-sshd.8 openssh-portable/files/patch-sshd.8 --- openssh-portable.orig/files/patch-sshd.8 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-sshd.8 2008-04-18 11:36:27.000000000 +0900 @@ -1,15 +1,15 @@ ---- sshd.8.orig Tue Aug 29 22:07:01 2006 -+++ sshd.8 Sat Sep 30 20:05:16 2006 -@@ -65,7 +65,7 @@ +--- sshd.8.orig 2008-04-03 18:52:51.000000000 +0900 ++++ sshd.8 2008-04-18 11:32:42.000000000 +0900 +@@ -68,7 +68,7 @@ .Nm listens for connections from clients. It is normally started at boot from -.Pa /etc/rc . -+.Pa %%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%% . ++.Pa /usr/local/etc/rc.d/openssh . It forks a new daemon for each incoming connection. The forked daemons handle -@@ -342,8 +342,9 @@ +@@ -346,8 +346,9 @@ If the login is on a tty, records login time. .It Checks @@ -21,7 +21,7 @@ (unless root). .It Changes to run with normal user privileges. -@@ -365,7 +366,8 @@ +@@ -369,7 +370,8 @@ exists, runs it; else if .Pa /etc/ssh/sshrc exists, runs diff -urN openssh-portable.orig/files/patch-sshd.c openssh-portable/files/patch-sshd.c --- openssh-portable.orig/files/patch-sshd.c 2006-11-17 04:31:44.000000000 +0900 +++ openssh-portable/files/patch-sshd.c 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- sshd.c.patch Sun Sep 17 01:04:46 2006 -+++ sshd.c Sat Sep 30 10:38:05 2006 -@@ -80,6 +81,13 @@ +--- sshd.c.orig 2008-03-11 20:58:25.000000000 +0900 ++++ sshd.c 2008-04-18 11:32:41.000000000 +0900 +@@ -82,6 +82,13 @@ #include <prot.h> #endif @@ -14,11 +14,10 @@ #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" -@@ -1697,6 +1705,29 @@ - signal(SIGQUIT, SIG_DFL); +@@ -1723,6 +1730,29 @@ signal(SIGCHLD, SIG_DFL); signal(SIGINT, SIG_DFL); -+ + +#ifdef __FreeBSD__ + /* + * Initialize the resolver. This may not happen automatically @@ -41,6 +40,7 @@ + } +#endif +#endif - ++ /* * Register our connection. This turns encryption off because we do + * not have a key. diff -urN openssh-portable.orig/files/patch-sshd_config openssh-portable/files/patch-sshd_config --- openssh-portable.orig/files/patch-sshd_config 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-sshd_config 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- sshd_config.orig Mon Jul 24 01:06:47 2006 -+++ sshd_config Sat Sep 30 21:52:31 2006 -@@ -34,7 +34,7 @@ +--- sshd_config.orig 2008-02-10 20:40:12.000000000 +0900 ++++ sshd_config 2008-04-18 11:32:41.000000000 +0900 +@@ -38,7 +38,7 @@ # Authentication: #LoginGraceTime 2m @@ -9,7 +9,7 @@ #StrictModes yes #MaxAuthTries 6 -@@ -52,11 +52,11 @@ +@@ -56,11 +56,11 @@ # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -24,7 +24,7 @@ #ChallengeResponseAuthentication yes # Kerberos options -@@ -69,7 +69,7 @@ +@@ -73,7 +73,7 @@ #GSSAPIAuthentication no #GSSAPICleanupCredentials yes @@ -33,7 +33,7 @@ # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -@@ -78,11 +78,11 @@ +@@ -82,11 +82,11 @@ # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. diff -urN openssh-portable.orig/files/patch-sshd_config.5 openssh-portable/files/patch-sshd_config.5 --- openssh-portable.orig/files/patch-sshd_config.5 2006-10-01 11:15:00.000000000 +0900 +++ openssh-portable/files/patch-sshd_config.5 2008-04-18 11:36:27.000000000 +0900 @@ -1,6 +1,6 @@ ---- sshd_config.5.orig Tue Aug 29 22:06:34 2006 -+++ sshd_config.5 Sat Sep 30 10:39:07 2006 -@@ -169,9 +170,16 @@ +--- sshd_config.5.orig 2008-03-27 09:02:02.000000000 +0900 ++++ sshd_config.5 2008-04-18 11:32:41.000000000 +0900 +@@ -168,9 +168,16 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed. @@ -19,8 +19,8 @@ +variables. The default is .Dq yes . - .It Cm Ciphers -@@ -554,7 +560,22 @@ + .It Cm ChrootDirectory +@@ -610,7 +617,22 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -43,7 +43,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -597,7 +618,14 @@ +@@ -653,7 +675,14 @@ or .Dq no . The default is @@ -59,7 +59,7 @@ .Pp If this option is set to .Dq without-password , -@@ -704,7 +732,9 @@ +@@ -760,7 +789,9 @@ .Dq yes . Note that this option applies to protocol version 2 only. .It Cm RhostsRSAAuthentication @@ -70,7 +70,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -814,7 +844,7 @@ +@@ -881,7 +912,7 @@ .Xr sshd 8 as a non-root user. The default is @@ -79,7 +79,7 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -839,7 +874,7 @@ +@@ -906,7 +937,7 @@ or .Dq no . The default is diff -urN openssh-portable.orig/files/scardin.patch openssh-portable/files/scardin.patch --- openssh-portable.orig/files/scardin.patch 1970-01-01 09:00:00.000000000 +0900 +++ openssh-portable/files/scardin.patch 2008-04-18 11:49:18.000000000 +0900 @@ -0,0 +1,111 @@ +--- scard-opensc.c.orig 2007-03-13 05:35:39.000000000 +0900 ++++ scard-opensc.c 2008-04-18 11:40:40.000000000 +0900 +@@ -43,6 +43,8 @@ + #include "misc.h" + #include "scard.h" + ++int ask_for_pin=0; ++ + #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE) + #define USE_ENGINE + #define RSA_get_default_method RSA_get_default_openssl_method +@@ -124,6 +126,7 @@ + struct sc_pkcs15_prkey_info *key; + struct sc_pkcs15_object *pin_obj; + struct sc_pkcs15_pin_info *pin; ++ char *passphrase = NULL; + + priv = (struct sc_priv_data *) RSA_get_app_data(rsa); + if (priv == NULL) +@@ -161,24 +164,47 @@ + goto err; + } + pin = pin_obj->data; ++ ++ if (sc_pin) ++ passphrase = sc_pin; ++ else if (ask_for_pin) { ++ /* we need a pin but don't have one => ask for the pin */ ++ char prompt[64]; ++ ++ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", ++ key_obj->label ? key_obj->label : "smartcard key"); ++ passphrase = read_passphrase(prompt, 0); ++ if (!passphrase || !strcmp(passphrase, "")) ++ goto err; ++ } else ++ /* no pin => error */ ++ goto err; ++ + r = sc_lock(card); + if (r) { + error("Unable to lock smartcard: %s", sc_strerror(r)); + goto err; + } +- if (sc_pin != NULL) { +- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin, +- strlen(sc_pin)); +- if (r) { +- sc_unlock(card); +- error("PIN code verification failed: %s", +- sc_strerror(r)); +- goto err; +- } ++ r = sc_pkcs15_verify_pin(p15card, pin, passphrase, ++ strlen(passphrase)); ++ if (r) { ++ sc_unlock(card); ++ error("PIN code verification failed: %s", ++ sc_strerror(r)); ++ goto err; + } ++ + *key_obj_out = key_obj; ++ if (!sc_pin) { ++ memset(passphrase, 0, strlen(passphrase)); ++ xfree(passphrase); ++ } + return 0; + err: ++ if (!sc_pin && passphrase) { ++ memset(passphrase, 0, strlen(passphrase)); ++ xfree(passphrase); ++ } + sc_close(); + return -1; + } +--- scard.c.orig 2006-11-07 21:14:42.000000000 +0900 ++++ scard.c 2008-04-18 11:40:40.000000000 +0900 +@@ -40,6 +40,9 @@ + #include "misc.h" + #include "scard.h" + ++/* currently unused */ ++int ask_for_pin = 0; ++ + #if OPENSSL_VERSION_NUMBER < 0x00907000L + #define USE_ENGINE + #define RSA_get_default_method RSA_get_default_openssl_method +--- scard.h.orig 2006-08-05 11:39:40.000000000 +0900 ++++ scard.h 2008-04-18 11:40:40.000000000 +0900 +@@ -31,6 +31,8 @@ + #define SCARD_ERROR_NOCARD -2 + #define SCARD_ERROR_APPLET -3 + ++extern int ask_for_pin; ++ + Key **sc_get_keys(const char *, const char *); + void sc_close(void); + int sc_put_key(Key *, const char *); +--- ssh.c.orig 2008-02-28 17:13:52.000000000 +0900 ++++ ssh.c 2008-04-18 11:48:17.000000000 +0900 +@@ -1239,6 +1239,9 @@ + #ifdef SMARTCARD + Key **keys; + ++ if (!options.batch_mode) ++ ask_for_pin = 1; ++ + if (options.smartcard_device != NULL && + options.num_identity_files < SSH_MAX_IDENTITY_FILES && + (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) { diff -urN openssh-portable.orig/files/scardpin.patch openssh-portable/files/scardpin.patch --- openssh-portable.orig/files/scardpin.patch 2007-08-31 04:31:21.000000000 +0900 +++ openssh-portable/files/scardpin.patch 1970-01-01 09:00:00.000000000 +0900 @@ -1,134 +0,0 @@ -# -# https://bugzilla.mindrot.org/show_bug.cgi?id=608 -# -Index: scard-opensc.c -=================================================================== -RCS file: /cvs/openssh/scard-opensc.c,v -retrieving revision 1.12 -diff -u -r1.12 scard-opensc.c ---- scard-opensc.c 25 Aug 2003 00:58:26 -0000 1.12 -+++ scard-opensc.c 27 Aug 2003 11:42:02 -0000 -@@ -38,6 +38,8 @@ - #include "readpass.h" - #include "scard.h" - -+int ask_for_pin=0; -+ - #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE) - #define USE_ENGINE - #define RSA_get_default_method RSA_get_default_openssl_method -@@ -119,6 +121,7 @@ - struct sc_pkcs15_prkey_info *key; - struct sc_pkcs15_object *pin_obj; - struct sc_pkcs15_pin_info *pin; -+ char *passphrase = NULL; - - priv = (struct sc_priv_data *) RSA_get_app_data(rsa); - if (priv == NULL) -@@ -156,24 +159,47 @@ - goto err; - } - pin = pin_obj->data; -+ -+ if (sc_pin) -+ passphrase = sc_pin; -+ else if (ask_for_pin) { -+ /* we need a pin but don't have one => ask for the pin */ -+ char prompt[64]; -+ -+ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", -+ key_obj->label ? key_obj->label : "smartcard key"); -+ passphrase = read_passphrase(prompt, 0); -+ if (!passphrase || !strcmp(passphrase, "")) -+ goto err; -+ } else -+ /* no pin => error */ -+ goto err; -+ - r = sc_lock(card); - if (r) { - error("Unable to lock smartcard: %s", sc_strerror(r)); - goto err; - } -- if (sc_pin != NULL) { -- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin, -- strlen(sc_pin)); -- if (r) { -- sc_unlock(card); -- error("PIN code verification failed: %s", -- sc_strerror(r)); -- goto err; -- } -+ r = sc_pkcs15_verify_pin(p15card, pin, passphrase, -+ strlen(passphrase)); -+ if (r) { -+ sc_unlock(card); -+ error("PIN code verification failed: %s", -+ sc_strerror(r)); -+ goto err; - } -+ - *key_obj_out = key_obj; -+ if (!sc_pin) { -+ memset(passphrase, 0, strlen(passphrase)); -+ xfree(passphrase); -+ } - return 0; - err: -+ if (!sc_pin && passphrase) { -+ memset(passphrase, 0, strlen(passphrase)); -+ xfree(passphrase); -+ } - sc_close(); - return -1; - } -Index: scard.c -=================================================================== -RCS file: /cvs/openssh/scard.c,v -retrieving revision 1.27 -diff -u -r1.27 scard.c ---- scard.c 18 Jun 2003 10:28:40 -0000 1.27 -+++ scard.c 27 Aug 2003 11:42:02 -0000 -@@ -35,6 +35,9 @@ - #include "readpass.h" - #include "scard.h" - -+/* currently unused */ -+int ask_for_pin = 0; -+ - #if OPENSSL_VERSION_NUMBER < 0x00907000L - #define USE_ENGINE - #define RSA_get_default_method RSA_get_default_openssl_method -Index: scard.h -=================================================================== -RCS file: /cvs/openssh/scard.h,v -retrieving revision 1.10 -diff -u -r1.10 scard.h ---- scard.h 18 Jun 2003 10:28:40 -0000 1.10 -+++ scard.h 27 Aug 2003 11:42:02 -0000 -@@ -33,6 +33,8 @@ - #define SCARD_ERROR_NOCARD -2 - #define SCARD_ERROR_APPLET -3 - -+extern int ask_for_pin; -+ - Key **sc_get_keys(const char *, const char *); - void sc_close(void); - int sc_put_key(Key *, const char *); -Index: ssh.c -=================================================================== -RCS file: /cvs/openssh/ssh.c,v -retrieving revision 1.180 -diff -u -r1.180 ssh.c ---- ssh.c 21 Aug 2003 23:34:41 -0000 1.180 -+++ ssh.c 27 Aug 2003 11:42:02 -0000 -@@ -1155,6 +1155,9 @@ - #ifdef SMARTCARD - Key **keys; - -+ if (!options.batch_mode) -+ ask_for_pin = 1; -+ - if (options.smartcard_device != NULL && - options.num_identity_files < SSH_MAX_IDENTITY_FILES && - (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) { >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200804180354.m3I3swar094341>