Date: Mon, 31 Aug 2009 22:10:19 +0400 (MSD) From: Denis Barov <dindin@dindin.ru> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/138409: [MAINTAINER] security/openssh-portable: cumulative port Message-ID: <200908311810.n7VIAJkV096044@sepulca.yandex.ru> Resent-Message-ID: <200908311820.n7VIK2VG006828@freefall.freebsd.org>
>Number: 138409 >Category: ports >Synopsis: [MAINTAINER] security/openssh-portable: cumulative port >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Mon Aug 31 18:20:02 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Denis Barov >Release: FreeBSD 7.2-RELEASE i386 >Organization: Yandex >Environment: System: FreeBSD sepulca.yandex.ru 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue Jun 2 19:57:10 MSD >Description: [DESCRIBE CHANGES] cumulative port update for: - ports/137192 - ports/137100 - ports/138284 - ports/137985 Changed file(s): - Makefile - distinfo - files/openssh-lpk+hpn-servconf.patch Added file(s): - files/patch-includes.h Generated with FreeBSD Port Tools 0.77 >How-To-Repeat: >Fix: --- openssh-portable-5.2.p1_1,1 begins here --- diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/Makefile /usr/ports/security/openssh-portable/Makefile --- /usr/ports/security/openssh-portable/Makefile 2009-08-24 15:55:27.000000000 +0400 +++ /usr/ports/security/openssh-portable/Makefile 2009-08-31 22:09:08.000000000 +0400 @@ -57,6 +57,7 @@ LIBEDIT "Enable readline support to sftp(1)" on \ KERBEROS "Enable kerberos (autodetection)" on \ SUID_SSH "Enable suid SSH (Recommended off)" off \ + BSM "Enable OpenBSM Auditing" off \ GSSAPI "Enable GSSAPI support (req: KERBEROS)" off \ KERB_GSSAPI "Enable Kerberos/GSSAPI patch (req: GSSAPI)" off \ OPENSSH_CHROOT "Enable CHROOT support" off \ @@ -69,10 +70,6 @@ .include <bsd.port.pre.mk> -.if ${OSVERSION} >= 800037 -BROKEN= does not compile -.endif - .if defined(WITH_X509) && ( defined(WITH_HPN) || defined(WITH_LPK)) BROKEN= X509 patch incompatible with HPN and LPK patches .endif 
@@ -97,13 +94,16 @@ CONFIGURE_ARGS+= --disable-suid-ssh .endif +.if defined(WITH_BSM) +CONFIGURE_ARGS+= --with-audit=bsm +.endif + .if !defined(WITHOUT_KERBEROS) .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI) .if defined(WITH_KERB_GSSAPI) -BROKEN= KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1 PATCH_DIST_STRIP= -p0 PATCH_SITES+= http://www.sxw.org.uk/computing/patches/ -PATCHFILES+= openssh-5.0p1-gsskex-20080404.patch +PATCHFILES+= openssh-5.2p1-gsskex-all-20090726.patch .endif PORTABLE_SUFFIX= # empty GSSAPI_SUFFIX= -gssapi @@ -182,8 +182,7 @@ EMPTYDIR= /var/empty PREFIX= /usr ETCSSH= /etc/ssh -USE_RC_SUBR= yes -SUB_FILES+= openssh +USE_RC_SUBR= openssh PLIST_SUB+= NOTBASE="@comment " PLIST_SUB+= BASE="" PLIST_SUB+= BASEPREFIX="${PREFIX}" diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/distinfo /usr/ports/security/openssh-portable/distinfo --- /usr/ports/security/openssh-portable/distinfo 2009-05-15 15:00:27.000000000 +0400 +++ /usr/ports/security/openssh-portable/distinfo 2009-07-29 18:48:34.000000000 +0400 
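Review bot: The new `PATCHFILES+= openssh-5.2p1-gsskex-all-20090726.patch` is fetched from the plain-http `PATCH_SITES` entry just above it, so the distinfo record is the only thing authenticating this key-exchange patch. The distinfo hunk in this same submission replaces the `openssh-5.2p1+x509-6.2.diff.gz` lines instead of adding the gsskex lines next to them. If the WITH_X509 branch (outside the visible hunks) still lists that file, an X509 build has no recorded checksum to verify against. distinfo should carry the MD5/SHA256/SIZE triple for every optional patch file, which usually means regenerating it with all patch options enabled. A one-line comment where `BROKEN=` was removed, naming the OpenSSH release the gsskex patch was checked against, would also help the next update.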
@@ -1,6 +1,6 @@ MD5 (openssh-5.2p1.tar.gz) = ada79c7328a8551bdf55c95e631e7dad SHA256 (openssh-5.2p1.tar.gz) = 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae SIZE (openssh-5.2p1.tar.gz) = 1016612 -MD5 (openssh-5.2p1+x509-6.2.diff.gz) = 8dbbfb743226864f6bb49b56e77776d9 -SHA256 (openssh-5.2p1+x509-6.2.diff.gz) = 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34 -SIZE (openssh-5.2p1+x509-6.2.diff.gz) = 153010 +MD5 (openssh-5.2p1-gsskex-all-20090726.patch) = e5c116b4bc3f4b816206e8403dd08af7 +SHA256 (openssh-5.2p1-gsskex-all-20090726.patch) = 6eb297d6fa74be3323c5e4f53df5b6e1f4edf6bf394e3e707c075846886e18e7 +SIZE (openssh-5.2p1-gsskex-all-20090726.patch) = 90959 diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/files/openssh-lpk+hpn-servconf.patch /usr/ports/security/openssh-portable/files/openssh-lpk+hpn-servconf.patch --- /usr/ports/security/openssh-portable/files/openssh-lpk+hpn-servconf.patch 1970-01-01 03:00:00.000000000 +0300 +++ /usr/ports/security/openssh-portable/files/openssh-lpk+hpn-servconf.patch 2009-07-29 17:50:40.000000000 +0400 
@@ -0,0 +1,240 @@ +--- servconf.c.orig 2009-05-02 19:35:42.000000000 +0400 ++++ servconf.c 2009-05-02 19:37:13.000000000 +0400 +@@ -42,6 +42,10 @@ + #include "channels.h" + #include "groupaccess.h" + ++#ifdef WITH_LDAP_PUBKEY ++#include "ldapauth.h" ++#endif ++ + static void add_listen_addr(ServerOptions *, char *, int); + static void add_one_listen_addr(ServerOptions *, char *, int); + +@@ -74,7 +78,7 @@ + options->ignore_user_known_hosts = -1; + options->print_motd = -1; + options->print_lastlog = -1; +- options->x11_forwarding = -1; ++ options->x11_forwarding = 1; + options->x11_display_offset = -1; + options->x11_use_localhost = -1; + options->xauth_location = NULL; +@@ -127,12 +131,39 @@ + options->num_permitted_opens = -1; + options->adm_forced_command = NULL; + options->chroot_directory = NULL; ++ options->none_enabled = -1; ++ options->tcp_rcv_buf_poll = -1; ++ options->hpn_disabled = -1; ++ options->hpn_buffer_size = -1; + options->zero_knowledge_password_authentication = -1; ++#ifdef WITH_LDAP_PUBKEY ++ /* XXX dirty */ ++ options->lpk.ld = NULL; ++ options->lpk.on = -1; ++ options->lpk.servers = NULL; ++ options->lpk.u_basedn = NULL; ++ options->lpk.g_basedn = NULL; ++ options->lpk.binddn = NULL; ++ options->lpk.bindpw = NULL; ++ options->lpk.sgroup = NULL; ++ options->lpk.filter = NULL; ++ options->lpk.fgroup = NULL; ++ options->lpk.l_conf = NULL; ++ options->lpk.tls = -1; ++ options->lpk.b_timeout.tv_sec = -1; ++ options->lpk.s_timeout.tv_sec = -1; ++ options->lpk.flags = FLAG_EMPTY; ++#endif + } + + void + fill_default_server_options(ServerOptions *options) + { ++ /* needed for hpn socket tests */ ++ int sock; ++ int socksize; ++ int socksizelen = sizeof(int); ++ + /* Portable-specific options */ + if (options->use_pam == -1) + options->use_pam = 1; +@@ -265,6 +296,32 @@ + options->permit_tun = SSH_TUNMODE_NO; + if (options->zero_knowledge_password_authentication == -1) + options->zero_knowledge_password_authentication = 0; ++#ifdef WITH_LDAP_PUBKEY ++ 
if (options->lpk.on == -1) ++ options->lpk.on = _DEFAULT_LPK_ON; ++ if (options->lpk.servers == NULL) ++ options->lpk.servers = _DEFAULT_LPK_SERVERS; ++ if (options->lpk.u_basedn == NULL) ++ options->lpk.u_basedn = _DEFAULT_LPK_UDN; ++ if (options->lpk.g_basedn == NULL) ++ options->lpk.g_basedn = _DEFAULT_LPK_GDN; ++ if (options->lpk.binddn == NULL) ++ options->lpk.binddn = _DEFAULT_LPK_BINDDN; ++ if (options->lpk.bindpw == NULL) ++ options->lpk.bindpw = _DEFAULT_LPK_BINDPW; ++ if (options->lpk.sgroup == NULL) ++ options->lpk.sgroup = _DEFAULT_LPK_SGROUP; ++ if (options->lpk.filter == NULL) ++ options->lpk.filter = _DEFAULT_LPK_FILTER; ++ if (options->lpk.tls == -1) ++ options->lpk.tls = _DEFAULT_LPK_TLS; ++ if (options->lpk.b_timeout.tv_sec == -1) ++ options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT; ++ if (options->lpk.s_timeout.tv_sec == -1) ++ options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT; ++ if (options->lpk.l_conf == NULL) ++ options->lpk.l_conf = _DEFAULT_LPK_LDP; ++#endif + + if (options->hpn_disabled == -1) + options->hpn_disabled = 0; +@@ -345,8 +402,15 @@ + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, ++ sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, + sZeroKnowledgePasswordAuthentication, + sDeprecated, sUnsupported ++#ifdef WITH_LDAP_PUBKEY ++ ,sLdapPublickey, sLdapServers, sLdapUserDN ++ ,sLdapGroupDN, sBindDN, sBindPw, sMyGroup ++ ,sLdapFilter, sForceTLS, sBindTimeout ++ ,sSearchTimeout, sLdapConf ++#endif + } ServerOpCodes; + + #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ +@@ -457,6 +521,20 @@ + { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, + { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, + { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, ++#ifdef WITH_LDAP_PUBKEY ++ { _DEFAULT_LPK_TOKEN, sLdapPublickey, SSHCFG_GLOBAL }, ++ { 
_DEFAULT_SRV_TOKEN, sLdapServers, SSHCFG_GLOBAL }, ++ { _DEFAULT_USR_TOKEN, sLdapUserDN, SSHCFG_GLOBAL }, ++ { _DEFAULT_GRP_TOKEN, sLdapGroupDN, SSHCFG_GLOBAL }, ++ { _DEFAULT_BDN_TOKEN, sBindDN, SSHCFG_GLOBAL }, ++ { _DEFAULT_BPW_TOKEN, sBindPw, SSHCFG_GLOBAL }, ++ { _DEFAULT_MYG_TOKEN, sMyGroup, SSHCFG_GLOBAL }, ++ { _DEFAULT_FIL_TOKEN, sLdapFilter, SSHCFG_GLOBAL }, ++ { _DEFAULT_TLS_TOKEN, sForceTLS, SSHCFG_GLOBAL }, ++ { _DEFAULT_BTI_TOKEN, sBindTimeout, SSHCFG_GLOBAL }, ++ { _DEFAULT_STI_TOKEN, sSearchTimeout, SSHCFG_GLOBAL }, ++ { _DEFAULT_LDP_TOKEN, sLdapConf, SSHCFG_GLOBAL }, ++#endif + { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, + { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, + { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, +@@ -1368,6 +1446,107 @@ + while (arg) + arg = strdelim(&cp); + break; ++#ifdef WITH_LDAP_PUBKEY ++ case sLdapPublickey: ++ intptr = &options->lpk.on; ++ goto parse_flag; ++ case sLdapServers: ++ /* arg = strdelim(&cp); */ ++ p = line; ++ while(*p++); ++ arg = p; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing ldap server",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL) ++ fatal("%s line %d: error in ldap servers", filename, linenum); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sLdapUserDN: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing ldap server",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.u_basedn = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sLdapGroupDN: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing ldap server",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.g_basedn = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sBindDN: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing binddn",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.binddn = xstrdup(arg); ++ 
memset(arg,0,strlen(arg)); ++ break; ++ case sBindPw: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing bindpw",filename,linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.bindpw = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sMyGroup: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing groupname",filename, linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.sgroup = xstrdup(arg); ++ if (options->lpk.sgroup) ++ options->lpk.fgroup = ldap_parse_groups(options->lpk.sgroup); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sLdapFilter: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing filter",filename, linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.filter = xstrdup(arg); ++ memset(arg,0,strlen(arg)); ++ break; ++ case sForceTLS: ++ intptr = &options->lpk.tls; ++ arg = strdelim(&cp); ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing yes/no argument.", ++ filename, linenum); ++ value = 0; /* silence compiler */ ++ if (strcmp(arg, "yes") == 0) ++ value = 1; ++ else if (strcmp(arg, "no") == 0) ++ value = 0; ++ else if (strcmp(arg, "try") == 0) ++ value = -1; ++ else ++ fatal("%s line %d: Bad yes/no argument: %s", ++ filename, linenum, arg); ++ if (*intptr == -1) ++ *intptr = value; ++ break; ++ case sBindTimeout: ++ intptr = (int *) &options->lpk.b_timeout.tv_sec; ++ goto parse_int; ++ case sSearchTimeout: ++ intptr = (int *) &options->lpk.s_timeout.tv_sec; ++ goto parse_int; ++ break; ++ case sLdapConf: ++ arg = cp; ++ if (!arg || *arg == '\0') ++ fatal("%s line %d: missing LpkLdapConf", filename, linenum); ++ arg[strlen(arg)] = '\0'; ++ options->lpk.l_conf = xstrdup(arg); ++ memset(arg, 0, strlen(arg)); ++ break; ++#endif + + default: + fatal("%s line %d: Missing handler for opcode %s (%d)", diff -ruN --exclude=CVS /usr/ports/security/openssh-portable/files/patch-includes.h /usr/ports/security/openssh-portable/files/patch-includes.h --- 
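Review bot: In initialize_server_options() the patch changes `options->x11_forwarding = -1;` to `= 1;`, which overwrites the "unset" sentinel with a hard value instead of supplying a default. If the X11Forwarding keyword is parsed with the same assign-only-while-still--1 rule that the sForceTLS case in this hunk uses, an explicit `X11Forwarding no` in sshd_config would be silently ignored; keep the initializer at -1 and put the default in fill_default_server_options() as `if (options->x11_forwarding == -1) options->x11_forwarding = 1;`. Separately, the sLdapServers case locates its argument with `p = line; while(*p++); arg = p;`, which steps past the first NUL in the line buffer and reads beyond it when the keyword has no argument; using `arg = cp` as the sibling cases do would likely keep it inside the line. The sBindTimeout and sSearchTimeout cases store through `(int *) &options->lpk.b_timeout.tv_sec`, which writes only part of the field wherever time_t is wider than int. Both functions and the switch statement continue outside the quoted inner hunks.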
/usr/ports/security/openssh-portable/files/patch-includes.h 1970-01-01 03:00:00.000000000 +0300 +++ /usr/ports/security/openssh-portable/files/patch-includes.h 2009-08-31 22:02:01.000000000 +0400 @@ -0,0 +1,13 @@ +--- includes.h 2008-07-04 17:10:49.000000000 +0400 ++++ includes.h 2009-08-31 22:01:13.000000000 +0400 +@@ -31,7 +31,8 @@ + #endif + #if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \ + defined(GLOB_HAS_GL_MATCHC) && \ +- defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 ++ defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \ ++ !defined(BROKEN_GLOB) + # include <glob.h> + #endif + #ifdef HAVE_ENDIAN_H + --- openssh-portable-5.2.p1_1,1 ends here --- >Release-Note: >Audit-Trail: >Unformatted: >update for ports/137192, ports/137100, ports/138284, ports/137985