pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/openssh OpenSSH 7.9



details:   https://anonhg.NetBSD.org/pkgsrc/rev/80d270b68f79
branches:  trunk
changeset: 318063:80d270b68f79
user:      tnn <tnn%pkgsrc.org@localhost>
date:      Fri Jan 18 20:13:36 2019 +0000

description:
OpenSSH 7.9

Potentially-incompatible changes
================================
 * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
   option (see below) bans the use of DSA keys as certificate
   authorities.
 * sshd(8): the authentication success/failure log message has
   changed format slightly. It now includes the certificate
   fingerprint (previously it included only key ID and CA key
   fingerprint).

New Features
------------
 * ssh(1), sshd(8): allow most port numbers to be specified using
   service names from getservbyname(3) (typically /etc/services).
 * ssh(1): allow the IdentityAgent configuration directive to accept
   environment variable names. This supports the use of multiple
   agent sockets without needing to use fixed paths.
 * sshd(8): support signalling sessions via the SSH protocol.
   A limited subset of signals is supported and only for login or
   command sessions (i.e. not subsystems) that were not subject to
   a forced command via authorized_keys or sshd_config. bz#1424
 * ssh(1): support "ssh -Q sig" to list supported signature options.
   Also "ssh -Q help" to show the full set of supported queries.
 * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
   client and server configs to allow control over which signature
   formats are allowed for CAs to sign certificates. For example,
   this allows banning CAs that sign certificates using the RSA-SHA1
   signature algorithm.
 * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
   revoke keys specified by SHA256 hash.
 * ssh-keygen(1): allow creation of key revocation lists directly
   from base64-encoded SHA256 fingerprints. This supports revoking
   keys using only the information contained in sshd(8)
   authentication log messages.

Bugfixes
--------
 * ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
   attempting to load PEM private keys while using an incorrect
   passphrase. bz#2901
 * sshd(8): when a channel closed message is received from a client,
   close the stderr file descriptor at the same time stdout is
   closed. This avoids stuck processes if they were waiting for
   stderr to close and were insensitive to stdin/out closing. bz#2863
 * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
   forwarding timeout and support X11 forwarding indefinitely.
   Previously the behaviour of ForwardX11Timeout=0 was undefined.
 * sshd(8): when compiled with GSSAPI support, cache supported method
   OIDs regardless of whether GSSAPI authentication is enabled in the
   main section of sshd_config. This avoids sandbox violations if
   GSSAPI authentication was later enabled in a Match block. bz#2107
 * sshd(8): do not fail closed when configured with a text key
   revocation list that contains a too-short key. bz#2897
 * ssh(1): treat connections with ProxyJump specified the same as
   ones with a ProxyCommand set with regards to hostname
   canonicalisation (i.e. don't try to canonicalise the hostname
   unless CanonicalizeHostname is set to 'always'). bz#2896
 * ssh(1): fix regression in OpenSSH 7.8 that could prevent public-
   key authentication using certificates hosted in a ssh-agent(1)
   or against sshd(8) from OpenSSH <7.8.

Portability
-----------
 * All: support building against the openssl-1.1 API (releases 1.1.0g
   and later). The openssl-1.0 API will remain supported at least
   until OpenSSL terminates security patch support for that API version.
 * sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
   apparently required by some glibc/OpenSSL combinations.
 * sshd(8): handle getgrouplist(3) returning more than
   _SC_NGROUPS_MAX groups. Some platforms consider this limit more
   as a guideline.

OpenSSH 7.8:

Potentially-incompatible changes
================================
 * ssh-keygen(1): write OpenSSH format private keys by default
   instead of using OpenSSL's PEM format. The OpenSSH format,
   supported in OpenSSH releases since 2014 and described in the
   PROTOCOL.key file in the source distribution, offers substantially
   better protection against offline password guessing and supports
   key comments in private keys. If necessary, it is possible to write
   old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
   when generating or updating a key.
 * sshd(8): remove internal support for S/Key multiple factor
   authentication. S/Key may still be used via PAM or BSD auth.
 * ssh(1): remove vestigial support for running ssh(1) as setuid. This
   used to be required for hostbased authentication and the (long
   gone) rhosts-style authentication, but has not been necessary for
   a long time. Attempting to execute ssh as a setuid binary, or with
   uid != effective uid will now yield a fatal error at runtime.
 * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar
   HostbasedAcceptedKeyTypes options have changed. These now specify
   signature algorithms that are accepted for their respective
   authentication mechanism, where previously they specified accepted
   key types. This distinction matters when using the RSA/SHA2
   signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their
   certificate counterparts. Configurations that override these
   options but omit these algorithm names may cause unexpected
   authentication failures (no action is required for configurations
   that accept the default for these options).
 * sshd(8): the precedence of session environment variables has
   changed. ~/.ssh/environment and environment="..." options in
   authorized_keys files can no longer override SSH_* variables set
   implicitly by sshd.
 * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed.
   They will now use DSCP AF21 for interactive traffic and CS1 for
   bulk.  For a detailed rationale, please see the commit message:
   https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284

New Features
------------
 * ssh(1)/sshd(8): add new signature algorithms
   "rsa-sha2-256-cert-v01@openssh.com" and
   "rsa-sha2-512-cert-v01@openssh.com" to explicitly force use of
   RSA/SHA2 signatures in authentication.
 * sshd(8): extend the PermitUserEnvironment option to accept a
   whitelist of environment variable names in addition to global
   "yes" or "no" settings.
 * sshd(8): add a PermitListen directive to sshd_config(5) and a
   corresponding permitlisten= authorized_keys option that control
   which listen addresses and port numbers may be used by remote
   forwarding (ssh -R ...).
 * sshd(8): add some countermeasures against timing attacks used for
   account validation/enumeration. sshd will enforce a minimum time
   for each failed authentication attempt consisting of a global 5ms
   minimum plus an additional per-user 0-4ms delay derived from a
   host secret.
 * sshd(8): add a SetEnv directive to allow an administrator to
   explicitly specify environment variables in sshd_config.
   Variables set by SetEnv override the default and client-specified
   environment.
 * ssh(1): add a SetEnv directive to request that the server sets
   an environment variable in the session. Similar to the existing
   SendEnv option, these variables are set subject to server
   configuration.
 * ssh(1): allow "SendEnv -PATTERN" to clear environment variables
   previously marked for sending to the server. bz#1285
 * ssh(1)/sshd(8): make UID available as a %-expansion everywhere
   that the username is available currently. bz#2870
 * ssh(1): allow setting ProxyJump=none to disable ProxyJump
   functionality. bz#2869

Bugfixes
--------
 * sshd(8): avoid observable differences in request parsing that could
   be used to determine whether a target user is valid.
 * all: substantial internal refactoring
 * ssh(1)/sshd(8): fix some memory leaks; bz#2366
 * ssh(1): fix a pwent clobber (introduced in openssh-7.7) that could
   occur during key loading, manifesting as crash on some platforms.
 * sshd_config(5): clarify documentation for AuthenticationMethods
   option; bz#2663
 * ssh(1): ensure that the public key algorithm sent in a
   public key SSH_MSG_USERAUTH_REQUEST matches the content of the
   signature blob. Previously, these could be inconsistent when a
   legacy or non-OpenSSH ssh-agent returned a RSA/SHA1 signature
   when asked to make a RSA/SHA2 signature.
 * sshd(8): fix failures to read authorized_keys caused by faulty
   supplemental group caching. bz#2873
 * scp(1): apply umask to directories, fixing potential mkdir/chmod
   race when copying directory trees bz#2839
 * ssh-keygen(1): return correct exit code when searching for and
   hashing known_hosts entries in a single operation; bz#2772
 * ssh(1): prefer the ssh binary pointed to via argv[0] to $PATH when
   re-executing ssh for ProxyJump. bz#2831
 * sshd(8): do not ban PTY allocation when a sshd session is
   restricted because the user password is expired as it breaks
   password change dialog. (regression in openssh-7.7).
 * ssh(1)/sshd(8): fix error reporting from select() failures.
 * ssh(1): improve documentation for -w (tunnel) flag, emphasising
   that -w implicitly sets Tunnel=point-to-point. bz#2365
 * ssh-agent(1): implement EMFILE mitigation for ssh-agent. ssh-agent
   will no longer spin when its file descriptor limit is exceeded.
   bz#2576
 * ssh(1)/sshd(8): disable SSH2_MSG_DEBUG messages for Twisted Conch
   clients. Twisted Conch versions that lack a version number in
   their identification strings will mishandle these messages when
   running on Python 2.x (https://twistedmatrix.com/trac/ticket/9422)
 * sftp(1): notify user immediately when underlying ssh process dies
   expectedly. bz#2719
 * ssh(1)/sshd(8): fix tunnel forwarding; regression in 7.7 release.
   bz#2855
 * ssh-agent(1): don't kill ssh-agent's listening socket entirely if
   it fails to accept(2) a connection. bz#2837
 * sshd(8): relax checking of authorized_keys environment="..."
   options to allow underscores in variable names (regression
   introduced in 7.7). bz#2851
 * ssh(1): add some missing options in the configuration dump output
   (ssh -G). bz#2835

Portability
-----------
 * sshd(8): Expose details of completed authentication to PAM auth
   modules via SSH_AUTH_INFO_0 in the PAM environment. bz#2408
 * Fix compilation problems caused by fights between zlib and OpenSSL
   colliding uses of "free_func"
 * Improve detection of unsupported compiler options. Recently these
   may have manifested as "unsupported -Wl,-z,retpoline" warnings
   during linking.
 * sshd(8): some sandbox support for Linux/s390 bz#2752.
 * regress tests: unbreak key-options.sh test on platforms without
   openpty(3). bz#2856
 * use getrandom(2) for PRNG seeding when built without OpenSSL.

OpenSSH 7.7:

Potentially-incompatible changes
================================
 * ssh(1)/sshd(8): Drop compatibility support for some very old SSH
   implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
   versions were all released in or before 2001 and predate the final
   SSH RFCs. The support in question isn't necessary for RFC-compliant
   SSH implementations.

New Features
------------
 * All: Add experimental support for PQC XMSS keys (Extended Hash-
   Based Signatures) based on the algorithm described in
   https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
   The XMSS signature code is experimental and not compiled in by
   default.
 * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
   to allow conditional configuration that depends on which routing
   domain a connection was received on (currently supported on OpenBSD
   and Linux).
 * sshd_config(5): Add an optional rdomain qualifier to the
   ListenAddress directive to allow listening on different routing
   domains. This is supported only on OpenBSD and Linux at present.
 * sshd_config(5): Add RDomain directive to allow the authenticated
   session to be placed in an explicit routing domain. This is only
   supported on OpenBSD at present.
 * sshd(8): Add "expiry-time" option for authorized_keys files to
   allow for expiring keys.
 * ssh(1): Add a BindInterface option to allow binding the outgoing
   connection to an interface's address (basically a more usable
   BindAddress)
 * ssh(1): Expose device allocated for tun/tap forwarding via a new
   %T expansion for LocalCommand. This allows LocalCommand to be used
   to prepare the interface.
 * sshd(8): Expose the device allocated for tun/tap forwarding via a
   new SSH_TUNNEL environment variable. This allows automatic setup of
   the interface and surrounding network configuration automatically on
   the server.
 * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
   ssh://user@host or sftp://user@host/path.  Additional connection
   parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
   implemented since the ssh fingerprint format in the draft uses the
   deprecated MD5 hash with no way to specify any other algorithm.
 * ssh-keygen(1): Allow certificate validity intervals that specify
   only a start or stop time (instead of both or neither).
 * sftp(1): Allow "cd" and "lcd" commands with no explicit path
   argument. lcd will change to the local user's home directory as
   usual. cd will change to the starting directory for session (because
   the protocol offers no way to obtain the remote user's home
   directory). bz#2760
 * sshd(8): When doing a config test with sshd -T, only require the
   attributes that are actually used in Match criteria rather than (an
   incomplete list of) all criteria.

Bugfixes
--------

 * ssh(1)/sshd(8): More strictly check signature types during key
   exchange against what was negotiated. Prevents downgrade of RSA
   signatures made with SHA-256/512 to SHA-1.
 * sshd(8): Fix support for clients that advertise a protocol version
   of "1.99" (indicating that they are prepared to accept both SSHv1 and
   SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
   support. bz#2810
 * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
   a rsa-sha2-256/512 signature was requested. This condition is possible
   when an old or non-OpenSSH agent is in use. bz#2799
 * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
   to fatally exit if presented an invalid signature request message.
 * sshd_config(5): Accept yes/no flag options case-insensitively, as
   has been the case in ssh_config(5) for a long time. bz#2664
 * ssh(1): Improve error reporting for failures during connection.
   Under some circumstances misleading errors were being shown. bz#2814
 * ssh-keyscan(1): Add -D option to allow printing of results directly
   in SSHFP format. bz#2821
 * regress tests: fix PuTTY interop test broken in last release's SSHv1
   removal. bz#2823
 * ssh(1): Compatibility fix for some servers that erroneously drop the
   connection when the IUTF8 (RFC8160) option is sent.
 * scp(1): Disable RemoteCommand and RequestTTY in the ssh session
   started by scp (sftp was already doing this.)
 * ssh-keygen(1): Refuse to create a certificate with an unusable
   number of principals.
 * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
   public key during key generation. Previously it would silently
   ignore errors writing the comment and terminating newline.
 * ssh(1): Do not modify hostname arguments that are addresses by
   automatically forcing them to lower-case. Instead canonicalise them
   to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
   against known_hosts. bz#2763
 * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
   prompts. bz#2803
 * sftp(1): Have sftp print a warning about shell cleanliness when
   decoding the first packet fails, which is usually caused by shells
   polluting stdout of non-interactive startups. bz#2800
 * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
   time to monotonic time, allowing the packet layer to better function
   over a clock step and avoiding possible integer overflows during
   steps.
 * Numerous manual page fixes and improvements.

Portability
-----------
 * sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
   sandbox violations on some environments.
 * sshd(8): Remove UNICOS support. The hardware and software are literal
   museum pieces and support in sshd is too intrusive to justify
   maintaining.
 * All: Build and link with "retpoline" flags when available to mitigate
   the "branch target injection" style (variant 2) of the Spectre
   branch-prediction vulnerability.
 * All: Add auto-generated dependency information to Makefile.
 * Numerous fixes to the RPM spec files.

diffstat:

 security/openssh/Makefile                                |   5 +-
 security/openssh/distinfo                                |  29 +++++++--------
 security/openssh/patches/patch-Makefile.in               |  18 +++++---
 security/openssh/patches/patch-auth-passwd.c             |  15 +++----
 security/openssh/patches/patch-auth2.c                   |   8 ++--
 security/openssh/patches/patch-config.h.in               |  14 +++---
 security/openssh/patches/patch-configure.ac              |  26 ++++++------
 security/openssh/patches/patch-openbsd-compat_port-tun.c |  19 ++++++---
 security/openssh/patches/patch-session.c                 |  21 +++++-----
 security/openssh/patches/patch-ssh.c                     |  15 --------
 security/openssh/patches/patch-sshd.c                    |  30 ++++++++--------
 security/openssh/patches/patch-uidswap.c                 |  23 ++++++-----
 12 files changed, 107 insertions(+), 116 deletions(-)

diffs (truncated from 590 to 300 lines):

diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/Makefile
--- a/security/openssh/Makefile Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/Makefile Fri Jan 18 20:13:36 2019 +0000
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.256 2018/08/22 09:46:19 wiz Exp $
+# $NetBSD: Makefile,v 1.257 2019/01/18 20:13:36 tnn Exp $
 
-DISTNAME=              openssh-7.6p1
+DISTNAME=              openssh-7.9p1
 PKGNAME=               ${DISTNAME:S/p1/.1/}
-PKGREVISION=           1
 CATEGORIES=            security
 MASTER_SITES=          ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
 
diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/distinfo
--- a/security/openssh/distinfo Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/distinfo Fri Jan 18 20:13:36 2019 +0000
@@ -1,30 +1,29 @@
-$NetBSD: distinfo,v 1.105 2017/10/04 11:44:14 wiz Exp $
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
 
-SHA1 (openssh-7.6p1.tar.gz) = a6984bc2c72192bed015c8b879b35dd9f5350b3b
-RMD160 (openssh-7.6p1.tar.gz) = 486ae743f51ffbf8197d564aab9ae54f9e2ac9da
-SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
-Size (openssh-7.6p1.tar.gz) = 1489788 bytes
-SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
-SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
+SHA1 (openssh-7.9p1.tar.gz) = 993aceedea8ecabb1d0dd7293508a361891c4eaa
+RMD160 (openssh-7.9p1.tar.gz) = 236617fb9c04dcca12f9d56b5975efda4e798f53
+SHA512 (openssh-7.9p1.tar.gz) = 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
+Size (openssh-7.9p1.tar.gz) = 1565384 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
 SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
-SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
 SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
-SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
-SHA1 (patch-configure.ac) = 8ff27fcf7391722732386a574e3a4d41c4209222
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = c8ee9d49a4989c5dfe02a89e0d3a8a4e16c32b9d
 SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
 SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
 SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
 SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
 SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
-SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
 SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
-SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = 040ac961247fdd55bd09b85e65b905b63bc24f7d
+SHA1 (patch-sshd.c) = 1944283a09772f767044e46acf5329bfad5dae3c
 SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
-SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4
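Review bot: The `patch-ssh.c` entry is dropped from distinfo here (the diffstat shows the patch file itself deleted, 15 lines), but the commit message only reproduces the upstream release notes and never says why this local patch is no longer needed. Add a line to the commit log stating whether the change was merged upstream or became obsolete, so the removal can be audited later.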
diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/patches/patch-Makefile.in
--- a/security/openssh/patches/patch-Makefile.in        Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/patches/patch-Makefile.in        Fri Jan 18 20:13:36 2019 +0000
@@ -1,27 +1,31 @@
-$NetBSD: patch-Makefile.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
 
 Removed install-sysconf as we handle that phase through post-install
 
---- Makefile.in.orig   2015-08-21 04:49:03.000000000 +0000
+--- Makefile.in.orig   2018-10-17 00:01:20.000000000 +0000
 +++ Makefile.in
-@@ -2,5 +2,5 @@
- 
- # uncomment if you run a non bourne compatable shell. Ie. csh
+@@ -1,5 +1,5 @@
+ # uncomment if you run a non bourne compatible shell. Ie. csh
 -#SHELL = @SH@
 +SHELL = @SH@
  
  AUTORECONF=autoreconf
-@@ -23,5 +23,5 @@ DESTDIR=
+ 
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+ DESTDIR=
  VPATH=@srcdir@
  SSH_PROGRAM=@bindir@/ssh
 -ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-@@ -288,5 +288,5 @@ distprep: catman-do
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+       -rm -rf autom4te.cache .depend.bak
  
  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
 -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
 +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
  install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
  
+ check-config:
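Review bot: The patch header still says only "Removed install-sysconf as we handle that phase through post-install", while the hunks also enable `SHELL = @SH@` and comment out `ASKPASS_PROGRAM`, and the `install:` target in the last hunk keeps `install-sysconf`; only `install-nokeys` loses it. Extend the header comment to cover the SHELL and ASKPASS_PROGRAM changes and to state that the package relies on `install-nokeys`, so the next rebase does not have to rediscover that.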
diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/patches/patch-auth-passwd.c
--- a/security/openssh/patches/patch-auth-passwd.c      Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/patches/patch-auth-passwd.c      Fri Jan 18 20:13:36 2019 +0000
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth-passwd.c,v 1.4 2016/09/18 17:30:11 taca Exp $
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth-passwd.c.orig 2016-07-27 22:54:27.000000000 +0000
+--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
 +++ auth-passwd.c
-@@ -93,7 +93,7 @@ auth_password(Authctxt *authctxt, const 
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
                return 0;
  
  #ifndef HAVE_CYGWIN
@@ -13,16 +13,15 @@
                ok = 0;
  #endif
        if (*password == '\0' && options.permit_empty_passwd == 0)
-@@ -128,7 +128,12 @@ auth_password(Authctxt *authctxt, const 
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
                        authctxt->force_pwchange = 1;
        }
  #endif
-+
 +#ifdef HAVE_INTERIX
-+        result = (!setuser(pw->pw_name, password, SU_CHECK));
++      result = (!setuser(pw->pw_name, password, SU_CHECK));
 +#else
-       result = sys_auth_passwd(authctxt, password);
+       result = sys_auth_passwd(ssh, password);
 +#endif
        if (authctxt->force_pwchange)
-               disable_forwarding();
+               auth_restrict_session(ssh);
        return (result && ok);
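Review bot: The `HAVE_INTERIX` branch in this hunk replaces `sys_auth_passwd(ssh, password)` with `setuser(pw->pw_name, password, SU_CHECK)`, which swaps out the password check itself, yet the patch header describes only "Replace uid 0 with ROOTUID macro". Document the Interix path in the header, and since the patch was rebased across the `Authctxt *` to `struct ssh *` signature change visible in the hunk headers, confirm that `pw` and `authctxt` are still in scope at this point in the 7.9 `auth_password()`.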
diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/patches/patch-auth2.c
--- a/security/openssh/patches/patch-auth2.c    Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/patches/patch-auth2.c    Fri Jan 18 20:13:36 2019 +0000
@@ -1,15 +1,15 @@
-$NetBSD: patch-auth2.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth2.c.orig       2015-08-21 04:49:03.000000000 +0000
+--- auth2.c.orig       2018-10-17 00:01:20.000000000 +0000
 +++ auth2.c
-@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int 
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
                fatal("INTERNAL ERROR: authenticated and postponed");
  
        /* Special handling for root */
 -      if (authenticated && authctxt->pw->pw_uid == 0 &&
 +      if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
-           !auth_root_allowed(method)) {
+           !auth_root_allowed(ssh, method)) {
                authenticated = 0;
  #ifdef SSH_AUDIT_EVENTS
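Review bot: `ROOTUID` is used in the root-login gate (`authctxt->pw->pw_uid == ROOTUID && !auth_root_allowed(ssh, method)`), but its definition is not part of this changeset as shown. Name the patch that defines the macro in this header comment, because on a platform where it resolved to the wrong value the `auth_root_allowed()` check would be skipped for the real superuser.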
diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/patches/patch-config.h.in
--- a/security/openssh/patches/patch-config.h.in        Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/patches/patch-config.h.in        Fri Jan 18 20:13:36 2019 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-config.h.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
 
 * Added Interix and define new path to if_tun.h.
 * Revive tcp_wrappers support.
 
---- config.h.in.orig   2015-08-21 05:09:20.000000000 +0000
+--- config.h.in.orig   2018-10-19 01:06:33.000000000 +0000
 +++ config.h.in
-@@ -640,6 +640,9 @@
+@@ -741,6 +741,9 @@
  /* define if you have int64_t data type */
  #undef HAVE_INT64_T
  
@@ -15,9 +15,9 @@
  /* Define to 1 if the system has the type `intmax_t'. */
  #undef HAVE_INTMAX_T
  
-@@ -799,6 +802,9 @@
- /* Define to 1 if you have the <net/if_tun.h> header file. */
- #undef HAVE_NET_IF_TUN_H
+@@ -910,6 +913,9 @@
+ /* Define to 1 if you have the <net/route.h> header file. */
+ #undef HAVE_NET_ROUTE_H
  
 +/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
 +#undef HAVE_NET_TUN_IF_TUN_H
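Review bot: The `HAVE_NET_TUN_IF_TUN_H` template is maintained by hand in config.h.in while patch-configure.ac is rebased separately in the same commit, so the two can drift on the next update. config.h.in is autoheader output; consider regenerating it from the patched configure.ac during the build instead of carrying this patch, or note in the header why both are kept.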
@@ -25,7 +25,7 @@
  /* Define if you are on NeXT */
  #undef HAVE_NEXT
  
-@@ -1394,6 +1400,9 @@
+@@ -1617,6 +1623,9 @@
  /* Define if pututxline updates lastlog too */
  #undef LASTLOG_WRITE_PUTUTXLINE
  
diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/patches/patch-configure.ac
--- a/security/openssh/patches/patch-configure.ac       Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/patches/patch-configure.ac       Fri Jan 18 20:13:36 2019 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
+$NetBSD: patch-configure.ac,v 1.7 2019/01/18 20:13:37 tnn Exp $
 
 * Various fixes regarding portability
 * Revive tcp_wrappers support.
 
---- configure.ac.orig  2017-03-20 02:39:27.000000000 +0000
+--- configure.ac.orig  2018-10-17 00:01:20.000000000 +0000
 +++ configure.ac
-@@ -306,6 +306,9 @@ AC_ARG_WITH([rpath],
+@@ -293,6 +293,9 @@ AC_ARG_WITH([rpath],
        ]
  )
  
@@ -15,7 +15,7 @@
  # Allow user to specify flags
  AC_ARG_WITH([cflags],
        [  --with-cflags           Specify additional flags to pass to compiler],
-@@ -379,6 +382,7 @@ AC_CHECK_HEADERS([ \
+@@ -386,6 +389,7 @@ AC_CHECK_HEADERS([ \
        maillock.h \
        ndir.h \
        net/if_tun.h \
@@ -23,7 +23,7 @@
        netdb.h \
        netgroup.h \
        pam/pam_appl.h \
-@@ -695,6 +699,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -736,6 +740,15 @@ main() { if (NSVersionOfRunTimeLibrary("
                ;;
        esac
        ;;
@@ -39,9 +39,9 @@
  *-*-irix5*)
        PATH="$PATH:/usr/etc"
        AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -1470,6 +1483,62 @@ AC_ARG_WITH([skey],
-       ]
- )
+@@ -1493,6 +1506,62 @@ else
+       AC_MSG_RESULT([no])
+ fi
  
 +# Check whether user wants TCP wrappers support
 +TCPW_MSG="no"
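Review bot: The TCP wrappers block that starts at `# Check whether user wants TCP wrappers support` (56 added lines per the inner `@@ -1493,6 +1506,62 @@` header) is only re-anchored here; its preceding context changes to `AC_MSG_RESULT([no])` / `fi`. The rest of the changeset, including patch-sshd.c, is truncated from this mail, so the code that consumes the configure result cannot be checked from these lines. Since this is a locally carried access-control feature, say in the commit log that the libwrap path was built and tested against 7.9, not just rebased.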
@@ -102,7 +102,7 @@
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4979,9 +5048,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -5189,9 +5258,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
  ])
  if test -z "$conf_wtmpx_location"; then
        if test x"$system_wtmpx_path" = x"no" ; then
@@ -122,7 +122,7 @@
        AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
                [Define if you want to specify the path to your wtmpx file])
  fi
-@@ -5069,7 +5146,7 @@ echo "OpenSSH has been configured with t
+@@ -5283,7 +5360,7 @@ echo "OpenSSH has been configured with t
  echo "                     User binaries: $B"
  echo "                   System binaries: $C"
  echo "               Configuration files: $D"
@@ -131,10 +131,10 @@
  echo "                      Manual pages: $F"
  echo "                          PID file: $G"
  echo "  Privilege separation chroot path: $H"
-@@ -5093,6 +5170,7 @@ echo "                 KerberosV support
+@@ -5305,6 +5382,7 @@ echo "                       PAM support
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
diff -r a7e91ba8d7eb -r 80d270b68f79 security/openssh/patches/patch-openbsd-compat_port-tun.c
--- a/security/openssh/patches/patch-openbsd-compat_port-tun.c  Fri Jan 18 19:35:30 2019 +0000
+++ b/security/openssh/patches/patch-openbsd-compat_port-tun.c  Fri Jan 18 20:13:36 2019 +0000
@@ -1,10 +1,15 @@
-$NetBSD: patch-openbsd-compat_port-tun.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
 
 if_tun.h can be found in net/tun
 
---- openbsd-compat/port-tun.c.orig     2015-08-21 04:49:03.000000000 +0000
-+++ openbsd-compat/port-tun.c
-@@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode)
+--- openbsd-compat/port-net.c.orig     2018-10-17 00:01:20.000000000 +0000
++++ openbsd-compat/port-net.c
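Review bot: The patch now targets `openbsd-compat/port-net.c`, but the file keeps the name patch-openbsd-compat_port-tun.c. Rename it to match the patched path and update distinfo accordingly, so the patch can be found by file name, and carry the "if_tun.h can be found in net/tun" comment over with it.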


