Date: Sun, 24 Jun 2012 14:23:40 -0400
From: "J. Hellenthal" <jhellenthal@dataix.net>
To: Robert Simmons <rsimmons0@gmail.com>
Cc: ports@freebsd.org
Subject: Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
Message-ID: <20120624182340.GA4715@DataIX.net>
In-Reply-To: <CA+QLa9Av=G98qc1jh00M6u2TBLsG0k0TLS2ujk1YnWTV9TyVFQ@mail.gmail.com>
References: <20120624171753.GA15646@DataIX.net> <CA+QLa9Av=G98qc1jh00M6u2TBLsG0k0TLS2ujk1YnWTV9TyVFQ@mail.gmail.com>
On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal <jhellenthal@dataix.net> wrote:
> >
> > As stated in the subject:
> >
> > if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
> >         echo "You already have a Elliptic Curve DSA host key" \
> >                 "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
> >         echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
> > else
> >         /usr/local/bin/ssh-keygen -t dsa \
> >                 -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> > fi
> >
> >
> > Specifically, "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
> > "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
> > in a different file.
>
> Good eye. I'm in the process of updating that port to 6.0p1. There
> are quite a lot of local patches that are part of the port. At the
> moment I'm muddling through what they do and whether they can be
> removed or not. I didn't even notice this problem.
>
> I've attached a pair of patches that correct this problem. Open a PR
> about this, and you can attach these patches to it. I'm not the
> maintainer nor do I have commit privileges, but if you open a PR, I'm
> sure someone will make the change.

Yeah, I have been there too. The current port, 5.8, I updated to 5.9. Some of the patches do not work, but the diff I have is attached for the functions I use out of it. Also attached is my config for that port, but when I made it I did not have GSSAPI turned on. That does work; I just have not adjusted it.
--
 - (2^(N-1))

Attachment: openssh-portable-5.9p1_2,1.config

===> The following configuration options are available for openssh-portable-5.9.p1_2,1:
     BSM=on: "Enable OpenBSM Auditing"
     FILECONTROL=off: "Enable file control patch (broken)"
     HPN=on: "Enable HPN-SSH patch"
     KERBEROS=off: "Enable kerberos (autodetection)"
     KERB_GSSAPI=off: "Enable Kerberos/GSSAPI patch (req: GSSAPI)"
     LIBEDIT=on: "Enable readline support to sftp(1)"
     LPK=off: "Enable LDAP Public Key (LPK) patch"
     OPENSSH_CHROOT=on: "Enable CHROOT support"
     OVERWRITE_BASE=off: "OpenSSH overwrite base"
     PAM=on: "Enable pam(3) support"
     TCP_WRAPPERS=on: "Enable tcp_wrappers support"
     X509=off: "Enable x509 certificate patch"
===> Use 'make config' to modify these settings

Attachment: openssh-portable-5.9p1_2,1.diff

diff -urN security/openssh-portable-5.8p2/Makefile security/openssh-portabl= e/Makefile --- security/openssh-portable-5.8p2/Makefile 2012-05-01 05:56:31.000000000 = -0400 +++ security/openssh-portable/Makefile 2012-05-30 20:01:26.493449509 -0400 @@ -6,9 +6,9 @@ # =20 PORTNAME=3D openssh -DISTVERSION=3D 5.8p2 -PORTREVISION=3D 2 -PORTEPOCH=3D 1 +DISTVERSION=3D 5.9p1 +PORTREVISION=3D 2 +PORTEPOCH=3D 1 CATEGORIES=3D security ipv6 MASTER_SITES=3D ${MASTER_SITE_OPENBSD} MASTER_SITE_SUBDIR=3D OpenSSH/portable @@ -42,7 +42,6 @@ OPTIONS=3D PAM "Enable pam(3) support" on \ TCP_WRAPPERS "Enable tcp_wrappers support" on \ LIBEDIT "Enable readline support to sftp(1)" on \ - SUID_SSH "Enable suid SSH (Recommended off)" off \ BSM "Enable OpenBSM Auditing" off \ KERBEROS "Enable kerberos (autodetection)" off \ KERB_GSSAPI "Enable Kerberos/GSSAPI patch (req: GSSAPI)" off \
@@ -87,10 +86,6 @@ CONFIGURE_ARGS+=3D --with-libedit .endif =20 -.if !defined(WITH_SUID_SSH) -CONFIGURE_ARGS+=3D --disable-suid-ssh -.endif - .if defined(WITH_BSM) CONFIGURE_ARGS+=3D --with-audit=3Dbsm .endif @@ -119,7 +114,7 @@ =20 .if defined(WITH_HPN) PATCH_SITES+=3D http://www.psc.edu/networking/projects/hpn-ssh/ -PATCHFILES+=3D ${PORTNAME}-5.8p1-hpn13v11.diff.gz +PATCHFILES+=3D ${PORTNAME}-5.9p1-hpn13v12.diff.gz PATCH_DIST_STRIP=3D .endif =20 @@ -194,11 +189,9 @@ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PO= RT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PO= RT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h .if defined(WITH_HPN) @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_= PORTABLE SSH_HPN|' \ diff -urN security/openssh-portable-5.8p2/distinfo security/openssh-portabl= e/distinfo --- security/openssh-portable-5.8p2/distinfo 2011-10-21 12:18:56.000000000 = -0400 +++ security/openssh-portable/distinfo 2012-05-30 19:07:47.129970365 -0400 
@@ -1,8 +1,4 @@ -SHA256 (openssh-5.8p2.tar.gz) =3D 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7= 368165cc8c4129694654f314 -SIZE (openssh-5.8p2.tar.gz) =3D 1115475 -SHA256 (openssh-5.8p1-hpn13v11.diff.gz) =3D 62b500d29d8889ce76c8b596eb6573= 1d8ac3469d89d9c6eb29fec2a845159df7 -SIZE (openssh-5.8p1-hpn13v11.diff.gz) =3D 22993 -SHA256 (openssh-5.8p1+x509-7.0.diff.gz) =3D 3b578cbf69f25e630e8da52b6586a3= 6c62c0c7ce026f95acda91c023dc47c85b -SIZE (openssh-5.8p1+x509-7.0.diff.gz) =3D 184277 -SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) =3D bfdc72c3d7d5d4f9f8a78= b649988dff8fad780cfa72bad4a69eb94c54de9a359 -SIZE (openssh-5.7p1-gsskex-all-20110125.patch) =3D 91889 +SHA256 (openssh-5.9p1.tar.gz) =3D 8d3e8b6b6ff04b525a6dfa6fdeb6a99043ccf6c3= 310cc32eba84c939b07777d5 +SIZE (openssh-5.9p1.tar.gz) =3D 1110014 +SHA256 (openssh-5.9p1-hpn13v12.diff.gz) =3D 74499c3487a53eaaeaad79d89d8260= c23f9a416173d7c256d1f3131677213040 +SIZE (openssh-5.9p1-hpn13v12.diff.gz) =3D 20186 diff -urN security/openssh-portable-5.8p2/files/patch-Makefile.in security/= openssh-portable/files/patch-Makefile.in --- security/openssh-portable-5.8p2/files/patch-Makefile.in 2011-10-21 12:1= 8:56.000000000 -0400 +++ security/openssh-portable/files/patch-Makefile.in 1969-12-31 19:00:00.0= 00000000 -0500 
@@ -1,11 +0,0 @@ ---- Makefile.in.orig 2010-05-12 00:51:39.000000000 -0600 -+++ Makefile.in 2010-09-14 16:14:12.000000000 -0600 -@@ -238,7 +238,7 @@ - $(AUTORECONF) - -rm -rf autom4te.cache -=20 --install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-= files install-sysconf host-key check-config -+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-= files install-sysconf - install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) i= nstall-files install-sysconf - install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS= ) install-files -=20
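Review bot: in the Makefile hunk at `@@ -6,9 +6,9 @@`, PORTREVISION should be reset to 0 when DISTVERSION moves from 5.8p2 to 5.9p1 (a distribution version bump restarts the revision counter in the ports tree); as written the hunk carries `-PORTREVISION=3D 2` / `+PORTREVISION=3D 2` and the same pair for PORTEPOCH, which are no-op lines that only add noise. Change it to `+PORTREVISION=3D 0`, keep PORTEPOCH at 1 and drop the two redundant PORTEPOCH lines.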
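Review bot: the OPTIONS hunk at `@@ -42,7 +42,6 @@` removes the SUID_SSH knob without any transition, so users who have WITH_SUID_SSH in make.conf or a saved port config will have it silently ignored; the old option text called setuid "Recommended off", so the removal is probably welcome, but say in the commit message that the option is gone and what ssh(1) is installed as afterwards.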
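Review bot: the hunk at `@@ -87,10 +86,6 @@` stops passing `--disable-suid-ssh` in the default case, so the install mode of ssh(1) now falls to whatever 5.9p1's configure chooses on its own; verify after `make install` that `ls -l /usr/local/bin/ssh` shows no setuid bit, since the intent of the dropped option was that setuid stays off by default, and note the result in the commit message.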
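Review bot: the version.h hunk at `@@ -194,11 +189,9 @@` drops FREEBSD_PORT_VERSION from SSH_VERSION and SSH_RELEASE, which changes the banner sshd presents from the upstream string plus " FreeBSD-${PKGNAME}" to the bare upstream string. That is a visible behaviour change unrelated to the 5.9p1 update (administrators who fingerprint their hosts by banner, and scanners that key on it, will see a different string), so it belongs in its own commit, or at least its own commit-message line, rather than buried in a version bump.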
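Review bot: the distinfo hunk at `@@ -1,8 +1,4 @@` removes the SHA256/SIZE entries for openssh-5.8p1+x509-7.0.diff.gz and openssh-5.7p1-gsskex-all-20110125.patch without adding 5.9p1 replacements, yet the X509 and KERB_GSSAPI options that pull those files into PATCHFILES are still offered (both appear in the attached config). With either option on, `make checksum` will fail because the fetched patch has no distinfo entry. Either add entries for patches that apply to 5.9p1 or mark those options BROKEN until such patches exist; the "some of the patches do not work" remark in the mail body should be made explicit in the port.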
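Review bot: deleting files/patch-Makefile.in outright (hunk `@@ -1,11 +0,0 @@`) reinstates `host-key check-config` on upstream's `install:` target, which is exactly what that patch existed to strip; with it gone, `make install` may generate host keys into the port's sysconfdir at install time under the installer's umask, instead of leaving key generation to rc.d/openssh, the script this whole thread is about. If the old patch no longer applies to 5.9p1, regenerate it against the new Makefile.in rather than dropping it, or switch the port's install target to `install-nokeys`, which the hunk's context lines show still exists beside `install`.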
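The rc.d fragment quoted at the top of this thread spells out the key type (`-t dsa`) and the key file name (`ssh_host_ecdsa_key`) independently, which is how a DSA key ended up under the ECDSA name. The script below is an added example and is not part of this mail thread or of the openssh-portable port: it derives the file name and the `-t` argument from one variable so they cannot diverge, and adds a check that reads the algorithm field of each ssh_host_*_key.pub (ssh-dss, ssh-rsa, ecdsa-sha2-nistp256/384/521) to flag a key whose type does not match its file name, which is exactly what the buggy line leaves behind. The function names, the `expected_prefix` table and the sample public-key line in `demo_mismatch` are assumptions; the sample is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not the port's rc.d script): generate OpenSSH host keys
# with the file name and key type derived from the same variable, and audit
# existing key files for a type/name mismatch.

# expected_prefix BASENAME -> algorithm prefix a key of that name must carry
# (assumed mapping, following OpenSSH's public-key wire names).
expected_prefix() {
    case "$1" in
        ssh_host_dsa_key)   echo ssh-dss ;;
        ssh_host_rsa_key)   echo ssh-rsa ;;
        ssh_host_ecdsa_key) echo ecdsa-sha2-nistp ;;   # nistp256/384/521
        *) return 1 ;;
    esac
}

# check_hostkey PUBFILE -> 0 if the key in PUBFILE matches its file name,
# 1 on mismatch (e.g. a DSA key stored as ssh_host_ecdsa_key),
# 2 if the file name is not one we know.
check_hostkey() {
    pub="$1"
    base=$(basename "$pub" .pub)
    want=$(expected_prefix "$base") || {
        echo "$pub: unknown host key name $base" >&2
        return 2
    }
    have=$(awk 'NR == 1 { print $1 }' "$pub")
    case "$have" in
        "$want"*) return 0 ;;
        *) echo "$pub: expected $want but file holds $have" >&2; return 1 ;;
    esac
}

# audit_hostkeys DIR -> 0 only if every ssh_host_*_key.pub in DIR is consistent
audit_hostkeys() {
    rc=0
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue            # no host keys present at all
        check_hostkey "$pub" || rc=1
    done
    return $rc
}

# gen_hostkey DIR TYPE -> create DIR/ssh_host_TYPE_key if absent.
# The -t argument and the file name come from the same $type, so the
# "-t dsa into ssh_host_ecdsa_key" mistake cannot recur.
# The port installs ssh-keygen in /usr/local/bin; adjust PATH as needed.
gen_hostkey() {
    dir="$1"; type="$2"
    key="$dir/ssh_host_${type}_key"
    if [ -f "$key" ]; then
        echo "You already have a $type host key in $key, skipping generation"
        return 0
    fi
    echo "Generating $type host key $key"
    ssh-keygen -q -t "$type" -f "$key" -N ''
}

# demo_mismatch: constructed sample (not a real key) reproducing what the
# buggy rc.d line leaves behind: a DSA public key under the ECDSA file name.
# Returns check_hostkey's status, i.e. 1 when the mismatch is detected.
demo_mismatch() {
    d=$(mktemp -d) || return 2
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed= root@example\n' \
        > "$d/ssh_host_ecdsa_key.pub"
    st=0
    check_hostkey "$d/ssh_host_ecdsa_key.pub" || st=$?
    rm -rf "$d"
    return $st
}
```

Usage on a real host: `. ./hostkey_check.sh; audit_hostkeys /usr/local/etc/ssh` prints one line per mismatched file and exits non-zero, and `for t in rsa dsa ecdsa; do gen_hostkey /usr/local/etc/ssh $t; done` replaces the three hard-coded blocks of the rc.d script. A mismatched file is not just cosmetic: sshd loads whatever key the HostKey line points at, so a DSA key under the ECDSA name means the host is still offering DSA while the administrator believes ECDSA is enabled.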