Import of pkgsrc-2015Q3

2015-10-03 03:37:01 -07:00
committed by Lionel Sambuc
parent f641581404
commit 9d819b6d54
7578 changed files with 228314 additions and 80018 deletions


@@ -1,8 +1,7 @@
# $NetBSD: Makefile,v 1.230 2015/06/12 10:51:03 wiz Exp $
# $NetBSD: Makefile,v 1.237 2015/09/03 21:05:24 sevan Exp $
DISTNAME= openssh-6.6p1
PKGNAME= openssh-6.6.1
PKGREVISION= 7
DISTNAME= openssh-7.1p1
PKGNAME= ${DISTNAME:S/p1/.1/}
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
@@ -15,9 +14,10 @@ CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
CONFLICTS+= openssh+gssapi-[0-9]*
CONFLICTS+= lsh>2.0
BROKEN_FOR_PLATFORM+= OpenBSD-*-*
USE_GCC_RUNTIME= yes
USE_TOOLS+= perl
USE_TOOLS+= autoconf perl
CRYPTO= yes
@@ -33,6 +33,11 @@ INSTALL_TARGET= install-nokeys
.include "options.mk"
.if ${OPSYS} == "Darwin"
# fixes: dyld: Symbol not found: _allow_severity
CONFIGURE_ARGS+= --disable-strip
.endif
.if ${OPSYS} == "Interix"
# OpenSSH on Interix has some important caveats
@@ -114,14 +119,14 @@ CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
CONFIGURE_ARGS+= --enable-md5-password
.endif
# The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending
# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
# on if it's part of the X11 distribution, or if it's installed from pkgsrc
# (security/ssh-askpass).
#
.if exists(${X11BASE}/bin/ssh-askpass)
ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
.else
ASKPASS_PROGRAM= ${X11PREFIX}/bin/ssh-askpass
ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
.endif
CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
@@ -130,12 +135,12 @@ MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
.if exists(${X11BASE}/bin/xauth)
CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
.else
CONFIGURE_ARGS+= --with-xauth=${X11PREFIX}/bin/xauth
CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
.endif
CONFS= ssh_config sshd_config moduli
PLIST_VARS+= prng
PLIST_VARS+= darwin prng
.if exists(/dev/urandom)
. if ${OPSYS} == "NetBSD"
@@ -148,7 +153,14 @@ PLIST.prng= yes
.endif
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
CONF_FILES= # empty
# enable privsep patches
.if ${OPSYS} == "Darwin"
CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
PLIST.darwin= yes
.endif
.for f in ${CONFS}
CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
@@ -161,9 +173,9 @@ FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q}
SUBST_CLASSES+= patch
SUBST_STAGE.patch= pre-configure
SUBST_FILES.patch= session.c
SUBST_FILES.patch= session.c sandbox-darwin.c
SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
SUBST_MESSAGE.patch= More patch a file.
SUBST_VARS.patch= PKG_SYSCONFDIR
.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
@@ -172,6 +184,9 @@ SUBST_MESSAGE.patch= More patch a file.
#
# type of key "ecdsa" isn't always supported depends on OpenSSL.
#
pre-configure:
cd ${WRKSRC} && autoconf -i
post-configure:
if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
${WRKSRC}/config.h; then \
@@ -181,6 +196,9 @@ post-configure:
${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
fi
${SED} -e 's,@VARBASE@,${VARBASE:Q},g' \
< ${FILESDIR}/org.openssh.sshd.sb.in \
> ${WRKDIR}/org.openssh.sshd.sb
post-install:
${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
@@ -191,5 +209,9 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
${DESTDIR}${EGDIR}/sshd.pam
.endif
.if ${OPSYS} == "Darwin"
${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
${DESTDIR}${EGDIR}/org.openssh.sshd.sb
.endif
.include "../../mk/bsd.pkg.mk"
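Review bot: The Darwin block under `# enable privsep patches` registers `org.openssh.sshd.sb` through plain `CONF_FILES`, which leaves owner and mode to the package defaults. This file becomes the privilege-separation sandbox policy that the patched sandbox-darwin.c loads from `${PKG_SYSCONFDIR}` at runtime. Pinning it would make the intent explicit, e.g. `CONF_FILES_PERMS+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb ${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 0644`. A comment could add that a missing or unreadable profile presumably makes the privsep child exit in `sandbox_init`. The `post-configure` step also generates the profile on every platform although only Darwin installs it; wrapping that `${SED}` call in the same `.if ${OPSYS} == "Darwin"` would keep the two in step.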


@@ -1,4 +1,4 @@
@comment $NetBSD: PLIST,v 1.16 2014/03/29 09:38:11 taca Exp $
@comment $NetBSD: PLIST,v 1.17 2015/08/14 08:57:00 jperkin Exp $
bin/scp
bin/sftp
bin/slogin
@@ -28,6 +28,7 @@ man/man8/ssh-pkcs11-helper.8
man/man8/sshd.8
sbin/sshd
share/examples/openssh/moduli
${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
share/examples/openssh/ssh_config
${PLIST.prng}share/examples/openssh/ssh_prng_cmds
${PLIST.pam}share/examples/openssh/sshd.pam


@@ -1,35 +1,34 @@
$NetBSD: distinfo,v 1.91 2015/05/16 14:43:02 sevan Exp $
$NetBSD: distinfo,v 1.97 2015/08/22 05:17:22 taca Exp $
SHA1 (openssh-6.6p1-hpnssh14v4.diff.gz) = 1cb86c7151ea4c805cfb1197eac13844cd8f2f2c
RMD160 (openssh-6.6p1-hpnssh14v4.diff.gz) = 292cea7880ff66040d915f2d5957dd27d0835984
Size (openssh-6.6p1-hpnssh14v4.diff.gz) = 23417 bytes
SHA1 (openssh-6.6p1.tar.gz) = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
RMD160 (openssh-6.6p1.tar.gz) = e19ed34e240001898b6665bb4356b868bba5513d
Size (openssh-6.6p1.tar.gz) = 1282502 bytes
SHA1 (patch-Makefile.in) = 3b136be23e0dab21894dcc881746cf5a186ff572
SHA1 (patch-auth-passwd.c) = de9f5487fe1f5848cc702e549bce949fd75d70cd
SHA1 (patch-auth-rhosts.c) = ab8dd3e375accc5bed3e15b158a85a1b1f9a2e3e
SHA1 (patch-auth.c) = 950b0380bcbb0fa1681014cfbb41528d09a10a18
SHA1 (patch-auth1.c) = 7b0481f445bc85cce9d7539b00bf581b9aa09fea
SHA1 (patch-auth2.c) = 8f4f97516874fc4af5814cbd3a1f59b9ca77b43f
SHA1 (patch-channels.c) = 88af4136f13f93d73c70caacea0a2ded0601d1cf
SHA1 (patch-clientloop.c) = 499f34ce4e067f1da8aca257cfa7dd820efa3504
SHA1 (patch-compat.c) = 9248aace83134287c1f0b78f2b3b61ad5545f5e2
SHA1 (patch-config.h.in) = 9799f48f204aa213318914f1d6c45e83a8af942f
SHA1 (patch-configure) = 3015dda57a5626667cf5c15c7c7be25f8844cfc6
SHA1 (patch-configure.ac) = 996a3bcf133a0832b9d7fa35cc0983562d9fa60a
SHA1 (patch-defines.h) = 4f4f4c8dc54aa86275192edf230b36737b1c0cf6
SHA1 (patch-includes.h) = 0a899d3b38ef3de7f5b08fec022696b4e998b54e
SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce
SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695
SHA1 (patch-openbsd-compat_openbsd-compat.h) = 1cafbe8f226c16443d2cfd003166923f33352eb0
SHA1 (patch-openbsd-compat_port-tun.c) = 8288e2b9336ea1fcc1129d8a2ab5e55816b2ccbf
SHA1 (patch-platform.c) = c2f85f494f0a38ed9fea93c46c98b20d865610a0
SHA1 (patch-scp.c) = 97e33843cc1b93babb6c45225c07ac74555e6d54
SHA1 (patch-session.c) = 55e84175c7294816107c970f002401d1766f7095
SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd
SHA1 (patch-ssh.c) = 8965e0458aabc137fa3b5e53c6573c0f0fba8280
SHA1 (patch-sshconnect.c) = 7bee56ee50ec26913999296eefa93c0be63a9e75
SHA1 (patch-sshd.c) = 43b3e4383142303a5d1158f08baee4a27f2f7b13
SHA1 (patch-sshpty.c) = 9f08f899919d05567998087a060b90800c2c7b11
SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd
SHA1 (openssh-7.1p1-hpn-20150822.diff.bz2) = 444a2fbd80d57ff93b53ade84ec162e2a2f3aa67
RMD160 (openssh-7.1p1-hpn-20150822.diff.bz2) = 87fb6887d9ccb4b305ff3c25fd5f67847d9996d1
Size (openssh-7.1p1-hpn-20150822.diff.bz2) = 12173 bytes
SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6
RMD160 (openssh-7.1p1.tar.gz) = 2c97ea10099fa8658156c0351d60d715655b9b07
Size (openssh-7.1p1.tar.gz) = 1493170 bytes
SHA1 (patch-Makefile.in) = 2bf52a85ecdebac3aa299b25ecb561218a3316a2
SHA1 (patch-auth-passwd.c) = 32da596dd9b255ffdd8168e6ea6f62596304b116
SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987
SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450
SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7
SHA1 (patch-auth2.c) = 8a939381f72968d74a7df508a072dfb10f400284
SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa
SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e
SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219
SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea
SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02
SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d
SHA1 (patch-loginrec.c) = b06a236e9faf871e9eb102c52dd0f583bf096373
SHA1 (patch-openbsd-compat_bsd-openpty.c) = 9ccde56bfcfe1791b367f933e51b25137acce960
SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9
SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5
SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6
SHA1 (patch-sandbox-darwin.c) = a9255b1e8d52759506b61394de11050ea7ea25bb
SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0
SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e
SHA1 (patch-sftp-common.c) = 72146d410f78b5e4e5efae51ca05b22039d64545
SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca
SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15
SHA1 (patch-sshd.c) = d381db6d05067d0f28be8268847df97a0c8e9ba4
SHA1 (patch-sshpty.c) = f87451e49e39fe137c8876fae52110dc2569958a
SHA1 (patch-uidswap.c) = 875be63bb6d1a7dd8c3d1c008c85aa4bf37dfdc2


@@ -0,0 +1,23 @@
;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
;;
;; Copyright (c) 2008 Apple Inc. All Rights reserved.
;;
;; sshd - profile for privilege separated children
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;
(version 1)
(deny default)
(allow file-chroot)
(allow file-read-metadata (literal "@VARBASE@"))
(allow sysctl-read)
(allow mach-per-user-lookup)
(allow mach-lookup
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.logger"))
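Review bot: None of the allow rules in this profile says why it is needed, so a reader cannot tell which ones the privilege-separated child actually requires and which were carried over from Apple's original. According to the sandbox-darwin.c patch in this commit, this file replaces the built-in pure-computation profile when `__APPLE_SANDBOX_NAMED_EXTERNAL__` is defined, so every rule here is a widening and deserves a one-line comment. Examples would be `;; presumably for chroot() into the privsep directory` above `(allow file-chroot)` and `;; presumably for syslog from the child` above the `com.apple.system.logger` lookup. `(allow sysctl-read)` and `(allow mach-per-user-lookup)` are unscoped; it is worth checking whether the child needs only specific names and narrowing them if so.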


@@ -1,4 +1,4 @@
# $NetBSD: options.mk,v 1.29 2014/03/29 10:30:15 taca Exp $
# $NetBSD: options.mk,v 1.31 2015/08/22 05:17:22 taca Exp $
.include "../../mk/bsd.prefs.mk"
@@ -16,7 +16,7 @@ CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
.endif
.if !empty(PKG_OPTIONS:Mhpn-patch)
PATCHFILES= openssh-6.6p1-hpnssh14v4.diff.gz
PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
PATCH_DIST_STRIP= -p1
.endif


@@ -1,8 +1,8 @@
$NetBSD: patch-Makefile.in,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-Makefile.in,v 1.4 2015/07/09 16:14:23 taca Exp $
Removed install-sysconf as we handle that phase through post-install
--- Makefile.in.orig 2014-02-04 00:12:56.000000000 +0000
--- Makefile.in.orig 2015-07-01 02:35:31.000000000 +0000
+++ Makefile.in
@@ -2,5 +2,5 @@
@@ -18,7 +18,7 @@ Removed install-sysconf as we handle that phase through post-install
+#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@@ -250,5 +250,5 @@ distprep: catman-do
@@ -288,5 +288,5 @@ distprep: catman-do
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf


@@ -1,10 +1,10 @@
$NetBSD: patch-auth-passwd.c,v 1.1 2013/05/01 19:58:26 imil Exp $
$NetBSD: patch-auth-passwd.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
--- auth-passwd.c.orig 2012-04-25 23:51:28.000000000 +0000
--- auth-passwd.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth-passwd.c
@@ -87,7 +87,7 @@ auth_password(Authctxt *authctxt, const
@@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const
#endif
#ifndef HAVE_CYGWIN
@@ -13,7 +13,7 @@ Replace uid 0 with ROOTUID macro
ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
@@ -122,7 +122,12 @@ auth_password(Authctxt *authctxt, const
@@ -123,7 +123,12 @@ auth_password(Authctxt *authctxt, const
authctxt->force_pwchange = 1;
}
#endif


@@ -1,19 +1,19 @@
$NetBSD: patch-auth-rhosts.c,v 1.1 2013/05/01 19:58:26 imil Exp $
$NetBSD: patch-auth-rhosts.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
--- auth-rhosts.c.orig 2010-03-07 12:05:17.000000000 +0000
--- auth-rhosts.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth-rhosts.c
@@ -230,7 +230,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
return 0;
/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
- if (pw->pw_uid != 0) {
+ if (pw->pw_uid != ROOTUID) {
@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* If not logging in as superuser, try /etc/hosts.equiv and
* shosts.equiv.
*/
- if (pw->pw_uid == 0)
+ if (pw->pw_uid == ROOTUID)
debug3("%s: root user, ignoring system hosts files", __func__);
else {
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
client_user, pw->pw_name)) {
auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
@@ -256,7 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
return 0;
}
if (options.strict_modes &&
@@ -22,7 +22,7 @@ Replace uid 0 with ROOTUID macro
(st.st_mode & 022) != 0)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
@@ -283,7 +283,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* allowing access to their account by anyone.
*/
if (options.strict_modes &&


@@ -1,10 +1,13 @@
$NetBSD: patch-auth.c,v 1.2 2013/12/01 06:11:41 taca Exp $
$NetBSD: patch-auth.c,v 1.3 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
* Replace uid 0 with ROOTUID macro.
* Use login_getpwclass() instead of login_getclass() so that the root
vs. default login class distinction is made correctly, from FrrrBSD's
ports.
--- auth.c.orig 2013-06-01 21:41:51.000000000 +0000
--- auth.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth.c
@@ -407,7 +407,7 @@ check_key_in_hostfiles(struct passwd *pw
@@ -422,7 +422,7 @@ check_key_in_hostfiles(struct passwd *pw
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
@@ -13,3 +16,12 @@ Replace uid 0 with ROOTUID macro
(st.st_mode & 022) != 0)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
@@ -651,7 +651,7 @@ getpwnamallow(const char *user)
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}
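Review bot: The new `login_getpwclass(pw)` call in `getpwnamallow()` is guarded only by `HAVE_LOGIN_CAP`, so a platform that ships login_cap without `login_getpwclass()` would stop building; nothing in this section adds a configure check for the function. Adding `AC_CHECK_FUNCS([login_getpwclass])` and falling back to `login_getclass(pw->pw_class)` when it is absent would keep both cases working. The patch description also misspells the origin as `FrrrBSD's`; it should read `FreeBSD's`. The body of `getpwnamallow()` continues outside the hunk.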


@@ -1,10 +1,10 @@
$NetBSD: patch-auth1.c,v 1.2 2013/12/01 06:11:41 taca Exp $
$NetBSD: patch-auth1.c,v 1.3 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
--- auth1.c.orig 2013-06-01 22:01:24.000000000 +0000
--- auth1.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth1.c
@@ -319,7 +319,7 @@ do_authloop(Authctxt *authctxt)
@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
#ifndef HAVE_CYGWIN
/* Special handling for root */
@@ -13,7 +13,7 @@ Replace uid 0 with ROOTUID macro
!auth_root_allowed(meth->name)) {
authenticated = 0;
# ifdef SSH_AUDIT_EVENTS
@@ -420,8 +420,8 @@ do_authentication(Authctxt *authctxt)
@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
* If we are not running as root, the user must have the same uid as
* the server.
*/


@@ -1,10 +1,10 @@
$NetBSD: patch-auth2.c,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-auth2.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $
Replace uid 0 with ROOTUID macro
--- auth2.c.orig 2014-02-04 00:12:57.000000000 +0000
--- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ auth2.c
@@ -301,7 +301,7 @@ userauth_finish(Authctxt *authctxt, int
@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int
fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */


@@ -1,12 +1,12 @@
$NetBSD: patch-channels.c,v 1.1 2015/03/19 20:23:55 tron Exp $
$NetBSD: patch-channels.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
--- channels.c.orig 2014-02-26 23:18:33.000000000 +0000
+++ channels.c 2015-03-19 20:16:04.000000000 +0000
@@ -3576,15 +3576,35 @@
--- channels.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ channels.c
@@ -4037,15 +4037,35 @@ x11_connect_display(void)
* connection to the real X server.
*/


@@ -1,14 +1,14 @@
$NetBSD: patch-clientloop.c,v 1.1 2015/03/19 20:23:55 tron Exp $
$NetBSD: patch-clientloop.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
--- clientloop.c.orig 2014-02-04 00:20:15.000000000 +0000
+++ clientloop.c 2015-03-19 20:16:04.000000000 +0000
@@ -313,6 +313,10 @@
--- clientloop.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ clientloop.c
@@ -314,6 +314,10 @@ client_x11_get_proto(const char *display
struct stat st;
u_int now;
u_int now, x11_timeout_real;
+#if __APPLE__
+ int is_path_to_socket = 0;
@@ -17,7 +17,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
@@ -328,6 +332,33 @@
@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
debug("x11_get_proto: DISPLAY not set");
return;
}
@@ -51,7 +51,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
@@ -407,6 +438,9 @@
@@ -420,6 +451,9 @@ client_x11_get_proto(const char *display
if (!got_data) {
u_int32_t rnd = 0;


@@ -1,16 +0,0 @@
$NetBSD: patch-compat.c,v 1.1 2015/05/16 14:43:02 sevan Exp $
Use the correct buffer when calling strlen
http://www.openwall.com/lists/oss-security/2015/05/16/3
--- compat.c.orig 2015-05-16 13:05:33.000000000 +0000
+++ compat.c
@@ -223,7 +223,7 @@ filter_proposal(char *proposal, const ch
buffer_init(&b);
tmp = orig_prop = xstrdup(proposal);
while ((cp = strsep(&tmp, ",")) != NULL) {
- if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
+ if (match_pattern_list(cp, filter, strlen(filter), 0) != 1) {
if (buffer_len(&b) > 0)
buffer_append(&b, ",", 1);
buffer_append(&b, cp, strlen(cp));


@@ -1,10 +1,11 @@
$NetBSD: patch-config.h.in,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-config.h.in,v 1.4 2015/07/09 16:14:23 taca Exp $
Added Interix and define new path to if_tun.h
* Added Interix and define new path to if_tun.h.
* Revive tcp_wrappers support.
--- config.h.in.orig 2014-03-13 02:18:56.000000000 +0000
--- config.h.in.orig 2015-07-01 02:41:59.000000000 +0000
+++ config.h.in
@@ -636,6 +636,9 @@
@@ -640,6 +640,9 @@
/* define if you have int64_t data type */
#undef HAVE_INT64_T
@@ -14,7 +15,7 @@ Added Interix and define new path to if_tun.h
/* Define to 1 if the system has the type `intmax_t'. */
#undef HAVE_INTMAX_T
@@ -792,6 +795,9 @@
@@ -799,6 +802,9 @@
/* Define to 1 if you have the <net/if_tun.h> header file. */
#undef HAVE_NET_IF_TUN_H
@@ -24,3 +25,13 @@ Added Interix and define new path to if_tun.h
/* Define if you are on NeXT */
#undef HAVE_NEXT
@@ -1394,6 +1400,9 @@
/* Define if pututxline updates lastlog too */
#undef LASTLOG_WRITE_PUTUTXLINE
+/* Define if you want TCP Wrappers support */
+#undef LIBWRAP
+
/* Define to whatever link() returns for "not supported" if it doesn't return
EOPNOTSUPP. */
#undef LINK_OPNOTSUPP_ERRNO


@@ -1,103 +0,0 @@
$NetBSD: patch-configure,v 1.3 2014/03/29 09:38:11 taca Exp $
Various fixes regarding portability
--- configure.orig 2014-03-13 02:19:03.000000000 +0000
+++ configure
@@ -6500,6 +6500,9 @@ if test "${with_rpath+set}" = set; then
fi
+# pkgsrc handles any rpath settings this package needs
+need_dash_r=
+
# Allow user to specify flags
# Check whether --with-cflags was given.
@@ -6586,6 +6589,7 @@ for ac_header in \
maillock.h \
ndir.h \
net/if_tun.h \
+ net/tun/if_tun.h \
netdb.h \
netgroup.h \
pam/pam_appl.h \
@@ -7369,6 +7373,36 @@ $as_echo "#define HAVE_SECUREWARE 1" >>c
;;
esac
;;
+*-*-interix*)
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_INTERIX 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define DISABLE_FD_PASSING 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define DISABLE_SHADOW 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define IP_TOS_IS_BROKEN 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define MISSING_HOWMANY 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define NO_IPPORT_RESERVED_CONCEPT 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define USE_PIPES 1
+_ACEOF
+
+ ;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
@@ -7578,7 +7612,7 @@ $as_echo "#define BROKEN_STRNVIS 1" >>co
$as_echo "#define BROKEN_READ_COMPARISON 1" >>confdefs.h
;;
-*-*-freebsd*)
+*-*-freebsd*|*-*-dragonfly*)
check_for_libcrypt_later=1
$as_echo "#define LOCKED_PASSWD_PREFIX \"*LOCKED*\"" >>confdefs.h
@@ -18248,12 +18282,18 @@ fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
- $as_echo "#define DISABLE_WTMPX 1" >>confdefs.h
-
+ for f in /var/log/wtmpx; do
+ if test -f $f ; then
+ conf_wtmpx_location=$f
+ fi
+ done
+ if test -z "$conf_wtmpx_location"; then
+ $as_echo "#define DISABLE_WTMPX 1" >>confdefs.h
+ fi
fi
-else
-
-cat >>confdefs.h <<_ACEOF
+fi
+if test -n "$conf_wtmpx_location"; then
+ cat >>confdefs.h <<_ACEOF
#define CONF_WTMPX_FILE "$conf_wtmpx_location"
_ACEOF
@@ -19660,7 +19700,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
-echo " Askpass program: $E"
+echo " Askpass program: ${ASKPASS_PROGRAM}"
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"


@@ -1,10 +1,11 @@
$NetBSD: patch-configure.ac,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-configure.ac,v 1.4 2015/07/09 16:14:23 taca Exp $
Various fixes regarding portability
* Various fixes regarding portability
* Revive tcp_wrappers support.
--- configure.ac.orig 2014-02-21 17:09:34.000000000 +0000
--- configure.ac.orig 2015-07-01 02:35:31.000000000 +0000
+++ configure.ac
@@ -275,6 +275,9 @@ AC_ARG_WITH([rpath],
@@ -316,6 +316,9 @@ AC_ARG_WITH([rpath],
]
)
@@ -14,7 +15,7 @@ Various fixes regarding portability
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
@@ -346,6 +349,7 @@ AC_CHECK_HEADERS([ \
@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
maillock.h \
ndir.h \
net/if_tun.h \
@@ -22,7 +23,7 @@ Various fixes regarding portability
netdb.h \
netgroup.h \
pam/pam_appl.h \
@@ -655,6 +659,15 @@ main() { if (NSVersionOfRunTimeLibrary("
@@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary("
;;
esac
;;
@@ -38,7 +39,70 @@ Various fixes regarding portability
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE([BROKEN_INET_NTOA], [1],
@@ -4731,9 +4744,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
@@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey],
]
)
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -4791,9 +4860,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -58,7 +122,7 @@ Various fixes regarding portability
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
@@ -4820,7 +4841,7 @@ echo "OpenSSH has been configured with t
@@ -4880,7 +4957,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
@@ -67,3 +131,11 @@ Various fixes regarding portability
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
@@ -4904,6 +4981,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
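Review bot: In the new `--with-tcp-wrappers` block, `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned but never read; only `LIBS="$saved_LIBS"` is restored. The `-L${withval}...` and `-I${withval}...` additions therefore stay in effect for every later configure check and for the link of all binaries, not just sshd, which alone gets `-lwrap` through `SSHDLIBS`. Either drop the two unused saves and add a comment that the flags are kept on purpose, or restore them after the link test and pass the paths through sshd-specific variables. Because `AC_MSG_ERROR([*** libwrap missing])` aborts configure, the failure path needs no cleanup.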


@@ -1,8 +1,8 @@
$NetBSD: patch-defines.h,v 1.2 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-defines.h,v 1.3 2015/07/09 16:14:23 taca Exp $
Define ROOTUID, UTMPX_FILE and WTMPX_FILE
--- defines.h.orig 2014-01-17 13:12:38.000000000 +0000
--- defines.h.orig 2015-07-01 02:35:31.000000000 +0000
+++ defines.h
@@ -30,6 +30,15 @@
@@ -20,7 +20,7 @@ Define ROOTUID, UTMPX_FILE and WTMPX_FILE
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
enum
{
@@ -708,6 +717,24 @@ struct winsize {
@@ -721,6 +730,24 @@ struct winsize {
# endif
# endif
#endif


@@ -1,10 +1,10 @@
$NetBSD: patch-includes.h,v 1.2 2013/12/01 06:11:41 taca Exp $
$NetBSD: patch-includes.h,v 1.3 2015/07/09 16:14:23 taca Exp $
Interix support
--- includes.h.orig 2013-03-22 01:51:09.000000000 +0000
--- includes.h.orig 2015-07-01 02:35:31.000000000 +0000
+++ includes.h
@@ -126,6 +126,10 @@
@@ -127,6 +127,10 @@
#ifdef HAVE_READPASSPHRASE_H
# include <readpassphrase.h>
#endif


@@ -1,8 +1,8 @@
$NetBSD: patch-loginrec.c,v 1.3 2015/03/20 22:41:19 rodent Exp $
$NetBSD: patch-loginrec.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $
Interix support and related fixes. Fix build on FreeBSD.
--- loginrec.c.orig 2014-01-17 01:23:24.000000000 +0000
--- loginrec.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ loginrec.c
@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
int


@@ -1,8 +1,8 @@
$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.1 2013/05/01 19:58:26 imil Exp $
$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.2 2015/08/14 08:57:00 jperkin Exp $
Interix support
--- openbsd-compat/bsd-openpty.c.orig 2006-08-24 09:52:30.000000000 +0000
--- openbsd-compat/bsd-openpty.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ openbsd-compat/bsd-openpty.c
@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char
return (-1);


@@ -1,10 +1,10 @@
$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.2 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.3 2015/07/09 16:14:23 taca Exp $
strtoll() declaration
--- openbsd-compat/openbsd-compat.h.orig 2014-02-04 00:18:23.000000000 +0000
--- openbsd-compat/openbsd-compat.h.orig 2015-07-01 02:35:31.000000000 +0000
+++ openbsd-compat/openbsd-compat.h
@@ -84,6 +84,10 @@ size_t strlcat(char *dst, const char *sr
@@ -91,6 +91,10 @@ size_t strlcat(char *dst, const char *sr
int setenv(register const char *name, register const char *value, int rewrite);
#endif


@@ -1,10 +1,10 @@
$NetBSD: patch-openbsd-compat_port-tun.c,v 1.1 2013/05/01 19:58:26 imil Exp $
$NetBSD: patch-openbsd-compat_port-tun.c,v 1.2 2015/07/09 16:14:23 taca Exp $
if_tun.h can be found in net/tun
--- openbsd-compat/port-tun.c.orig 2010-08-10 02:47:42.000000000 +0000
--- openbsd-compat/port-tun.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ openbsd-compat/port-tun.c
@@ -110,6 +110,10 @@ sys_tun_open(int tun, int mode)
@@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode)
#include <sys/socket.h>
#include <net/if.h>
@@ -15,3 +15,26 @@ if_tun.h can be found in net/tun
#ifdef HAVE_NET_IF_TUN_H
#include <net/if_tun.h>
#endif
@@ -120,7 +124,10 @@ sys_tun_open(int tun, int mode)
{
struct ifreq ifr;
char name[100];
- int fd = -1, sock, flag;
+ int fd = -1, sock;
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ int flag;
+#endif
const char *tunbase = "tun";
if (mode == SSH_TUNMODE_ETHERNET) {
@@ -154,9 +161,9 @@ sys_tun_open(int tun, int mode)
return (-1);
}
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
/* Turn on tunnel headers */
flag = 1;
-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
if (mode != SSH_TUNMODE_ETHERNET &&
ioctl(fd, TUNSIFHEAD, &flag) == -1) {
debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,


@@ -1,10 +1,10 @@
$NetBSD: patch-platform.c,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-platform.c,v 1.4 2015/07/09 16:14:23 taca Exp $
Interix support
--- platform.c.orig 2014-01-21 01:59:29.000000000 +0000
--- platform.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ platform.c
@@ -89,7 +89,9 @@ platform_privileged_uidswap(void)
@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
/* uid 0 is not special on Cygwin so always try */
return 1;
#else


@@ -0,0 +1,23 @@
$NetBSD: patch-sandbox-darwin.c,v 1.1 2015/08/14 08:57:00 jperkin Exp $
Support sandbox on newer OSX, from MacPorts.
--- sandbox-darwin.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sandbox-darwin.c
@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
struct rlimit rl_zero;
debug3("%s: starting Darwin sandbox", __func__);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+#ifndef SANDBOX_NAMED_EXTERNAL
+#define SANDBOX_NAMED_EXTERNAL (0x3)
+#endif
+ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
+ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
+#else
if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
&errmsg) == -1)
+#endif
fatal("%s: sandbox_init: %s", __func__, errmsg);
/*
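Review bot: The fallback `#define SANDBOX_NAMED_EXTERNAL (0x3)` hard-codes the value of a flag from an interface that the shipped profile's own header describes as Apple System Private Interface. The hunk has no comment saying where the value comes from or which OS releases it was checked on. A comment above the `#ifndef`, such as `/* private sandbox flag: load the profile from an absolute path; value as used by MacPorts, re-verify on OS upgrades */`, would tell the next maintainer what to re-check. That comment should also say that the policy now comes from `@PKG_SYSCONFDIR@/org.openssh.sshd.sb` instead of the built-in `kSBXProfilePureComputation`, so the strength of the privsep sandbox depends on that file's contents and permissions. The failure path still ends in `fatal()`, so a failing `sandbox_init` fails closed; `ssh_sandbox_child()` starts and ends outside the hunk.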


@@ -1,10 +1,10 @@
$NetBSD: patch-scp.c,v 1.2 2013/12/01 06:11:41 taca Exp $
$NetBSD: patch-scp.c,v 1.3 2015/07/09 16:14:23 taca Exp $
Interix support
--- scp.c.orig 2013-07-18 06:11:25.000000000 +0000
--- scp.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ scp.c
@@ -477,7 +477,11 @@ main(int argc, char **argv)
@@ -478,7 +478,11 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
@@ -16,7 +16,7 @@ Interix support
fatal("unknown user %u", (u_int) userid);
if (!isatty(STDOUT_FILENO))
@@ -881,8 +885,10 @@ rsource(char *name, struct stat *statp)
@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
return;
}
while ((dp = readdir(dirp)) != NULL) {
@@ -27,7 +27,7 @@ Interix support
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
continue;
if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
@@ -1292,7 +1298,9 @@ okname(char *cp0)
@@ -1297,7 +1303,9 @@ okname(char *cp0)
case '\'':
case '"':
case '`':


@@ -1,10 +1,10 @@
$NetBSD: patch-session.c,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-session.c,v 1.4 2015/07/09 16:14:23 taca Exp $
Interix support
--- session.c.orig 2014-03-03 22:35:17.000000000 +0000
--- session.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ session.c
@@ -1109,7 +1109,7 @@ read_etc_default_login(char ***env, u_in
@@ -1093,7 +1093,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
@@ -13,7 +13,7 @@ Interix support
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
@@ -1218,7 +1218,7 @@ do_setup_env(Session *s, const char *she
@@ -1202,7 +1202,7 @@ do_setup_env(Session *s, const char *she
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
@@ -22,7 +22,7 @@ Interix support
SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
@@ -1332,6 +1332,18 @@ do_setup_env(Session *s, const char *she
@@ -1316,6 +1316,18 @@ do_setup_env(Session *s, const char *she
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
@@ -41,7 +41,7 @@ Interix support
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
@@ -1522,11 +1534,13 @@ do_setusercontext(struct passwd *pw)
@@ -1510,11 +1522,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
@@ -55,7 +55,7 @@ Interix support
endgrent();
#endif
@@ -2358,7 +2372,7 @@ session_pty_cleanup2(Session *s)
@@ -2356,7 +2370,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */


@@ -1,8 +1,8 @@
$NetBSD: patch-sftp-common.c,v 1.2 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-sftp-common.c,v 1.3 2015/08/14 08:57:00 jperkin Exp $
Include <unistd.h> for strmode(3).
--- sftp-common.c.orig 2014-01-09 23:40:45.000000000 +0000
--- sftp-common.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sftp-common.c
@@ -37,6 +37,9 @@
#include <string.h>


@@ -1,13 +1,13 @@
$NetBSD: patch-ssh.c,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-ssh.c,v 1.4 2015/07/09 16:14:23 taca Exp $
Interix support
--- ssh.c.orig 2014-02-26 23:17:13.000000000 +0000
--- ssh.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ ssh.c
@@ -943,7 +943,7 @@ main(int ac, char **av)
strcmp(options.proxy_command, "-") == 0 &&
options.proxy_use_fdpass)
fatal("ProxyCommand=- and ProxyUseFDPass are incompatible");
@@ -1083,7 +1083,7 @@ main(int ac, char **av)
"disabling");
options.update_hostkeys = 0;
}
-#ifndef HAVE_CYGWIN
+#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
if (original_effective_uid != 0)
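Review bot: The replacement guard in the `main` hunk at 1083 reads inverted. Upstream's `#ifndef HAVE_CYGWIN` compiles the `if (original_effective_uid != 0)` check on every platform except Cygwin, while `#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)` compiles it only on Cygwin and Interix. If the intent is to add Interix to the excluded platforms, the line should be `#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)`. The statement this `if` guards lies outside the displayed hunk, so its effect on ordinary Unix builds should be confirmed against ssh.c. The guard line is carried unchanged through this rebase, so it seems to predate this commit.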


@@ -1,87 +0,0 @@
$NetBSD: patch-sshconnect.c,v 1.1 2014/10/08 15:50:22 taca Exp $
Fix for CVE-2014-2653 from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513.
--- sshconnect.c.orig 2014-02-06 22:24:34.000000000 +0000
+++ sshconnect.c
@@ -1213,6 +1213,51 @@ fail:
return -1;
}
+static int
+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
+{
+ int rc = -1;
+ int flags = 0;
+ Key *raw_key = NULL;
+
+ if (!options.verify_host_key_dns)
+ goto done;
+
+ /* XXX certs are not yet supported for DNS; try looking the raw key
+ * up in the DNS anyway.
+ */
+ if (key_is_cert(host_key)) {
+ debug2("Extracting key from cert for SSHFP lookup");
+ raw_key = key_from_private(host_key);
+ if (key_drop_cert(raw_key))
+ fatal("Couldn't drop certificate");
+ host_key = raw_key;
+ }
+
+ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
+ goto done;
+
+ if (flags & DNS_VERIFY_FOUND) {
+
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ rc = 0;
+ } else if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(host_key);
+ error("Update the SSHFP RR in DNS with the new "
+ "host key to get rid of this message.");
+ }
+ }
+
+done:
+ if (raw_key)
+ key_free(raw_key);
+ return rc;
+}
+
/* returns 0 if key verifies or -1 if key does NOT verify */
int
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
@@ -1224,25 +1269,8 @@ verify_host_key(char *host, struct socka
debug("Server host key: %s %s", key_type(host_key), fp);
free(fp);
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
- }
- }
- }
+ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
+ return 0;
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
options.user_hostfiles, options.num_user_hostfiles,


@@ -0,0 +1,27 @@
$NetBSD: patch-sshd.8,v 1.1 2015/07/09 16:14:23 taca Exp $
* Revive tcp_wrappers support.
--- sshd.8.orig 2015-07-01 02:35:31.000000000 +0000
+++ sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -956,6 +962,7 @@ The content of this file is not sensitiv
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,


@@ -1,22 +1,37 @@
$NetBSD: patch-sshd.c,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-sshd.c,v 1.5 2015/08/14 08:57:00 jperkin Exp $
Interix support
* Interix support
* Revive tcp_wrappers support.
--- sshd.c.orig 2014-02-26 23:20:08.000000000 +0000
--- sshd.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sshd.c
@@ -243,7 +243,11 @@ int *startup_pipes = NULL;
@@ -125,6 +125,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
+#ifdef HAVE_INTERIX
int use_privsep = -1;
+#else
+int use_privsep = 0;
+#else
int use_privsep = -1;
+#endif
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
@@ -646,10 +650,15 @@ privsep_preauth_child(void)
@@ -643,10 +654,15 @@ privsep_preauth_child(void)
/* XXX not ready, too heavy after chroot */
do_setusercontext(privsep_pw);
#else
@@ -32,16 +47,27 @@ Interix support
#endif
}
@@ -711,7 +720,7 @@ privsep_preauth(Authctxt *authctxt)
@@ -714,11 +730,18 @@ privsep_preauth(Authctxt *authctxt)
set_log_handler(mm_log_handler, pmonitor);
/* Demote the child */
- if (getuid() == 0 || geteuid() == 0)
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ /* We need to do this before we chroot() so we can read sshd.sb */
+ if (box != NULL)
+ ssh_sandbox_child(box);
+#endif
+ if (getuid() == ROOTUID || geteuid() == ROOTUID)
privsep_preauth_child();
setproctitle("%s", "[net]");
+#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
if (box != NULL)
@@ -729,7 +738,7 @@ privsep_postauth(Authctxt *authctxt)
ssh_sandbox_child(box);
+#endif
return 0;
}
@@ -732,7 +755,7 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -50,7 +76,7 @@ Interix support
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
@@ -1413,8 +1422,10 @@ main(int ac, char **av)
@@ -1485,8 +1508,10 @@ main(int ac, char **av)
av = saved_argv;
#endif
@@ -62,7 +88,7 @@ Interix support
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@@ -1815,7 +1826,7 @@ main(int ac, char **av)
@@ -1915,7 +1940,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
@@ -71,7 +97,7 @@ Interix support
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
@@ -1838,8 +1849,10 @@ main(int ac, char **av)
@@ -1938,8 +1963,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
@@ -82,3 +108,29 @@ Interix support
if (rexec_flag) {
rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
@@ -2135,6 +2162,25 @@ main(int ac, char **av)
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
+
/* Log the connection. */
laddr = get_local_ipaddr(sock_in);
verbose("Connection from %s port %d on %s port %d",
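Review bot: In the `privsep_preauth` hunk, the `__APPLE_SANDBOX_NAMED_EXTERNAL__` branch calls `ssh_sandbox_child(box)` before `privsep_preauth_child()`, so the chroot and privilege drop run inside the sandbox rather than ahead of it. Neither the patch header (which lists only Interix and tcp_wrappers) nor the code says what that requires of the profile. Presumably the sshd.sb profile then has to permit the chroot and uid/gid changes made by `privsep_preauth_child()`, which is broader than a profile applied after the drop; that should be confirmed against the profile itself. I would add a header bullet such as `* Apply the named Apple sandbox before chroot` and extend the in-code comment to `/* ... so we can read sshd.sb; the profile must still allow the chroot and setuid calls below */`. `privsep_preauth` starts and ends outside the hunk.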


@@ -1,19 +1,19 @@
$NetBSD: patch-sshpty.c,v 1.1 2013/05/01 19:58:27 imil Exp $
$NetBSD: patch-sshpty.c,v 1.2 2015/07/09 16:14:23 taca Exp $
Replace uid 0 with ROOTUID macro
--- sshpty.c.orig 2009-02-12 01:19:21.000000000 +0000
--- sshpty.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ sshpty.c
@@ -86,7 +86,7 @@ void
pty_release(const char *tty)
{
#ifndef __APPLE_PRIVPTY__
#if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
+ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
if (chmod(tty, (mode_t) 0666) < 0)
error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
@@ -233,7 +233,7 @@ pty_setowner(struct passwd *pw, const ch
@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
if (chown(tty, pw->pw_uid, gid) < 0) {
if (errno == EROFS &&
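Review bot: The `pty_release` hunk changes the `chown` arguments to `ROOTUID`/`ROOTGID`, but the error text on the following line still prints a literal `0 0`. A failure log would then name ids that are not the ones passed wherever those macros are not 0 (their definitions are not shown here). Consider `error("chown %.100s %u %u failed: %.100s", tty, (u_int) ROOTUID, (u_int) ROOTGID, strerror(errno));`. The function body continues outside the hunk.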


@@ -1,8 +1,8 @@
$NetBSD: patch-uidswap.c,v 1.3 2014/03/29 09:38:11 taca Exp $
$NetBSD: patch-uidswap.c,v 1.4 2015/08/14 08:57:00 jperkin Exp $
Interix support
--- uidswap.c.orig 2014-01-18 09:43:50.000000000 +0000
--- uidswap.c.orig 2015-07-01 02:35:31.000000000 +0000
+++ uidswap.c
@@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw)
(u_int)pw->pw_uid, (u_int)pw->pw_gid,