diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
commit | 4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch) | |
tree | ba5f07bf3f9d22d82e54a462313f5d244036c768 /net-misc/openssh/files |
reinit the tree, so we can have metadata
Diffstat (limited to 'net-misc/openssh/files')
25 files changed, 2250 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch new file mode 100644 index 000000000000..fa33af39b6f8 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch @@ -0,0 +1,17 @@ +the last nibble of the openssl version represents the status. that is, +whether it is a beta or release. when it comes to version checks in +openssh, this component does not matter, so ignore it. + +https://bugzilla.mindrot.org/show_bug.cgi?id=2212 + +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ +- mask = 0xfff0000fL; /* major,minor,status */ ++ mask = 0xfff00000L; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch new file mode 100644 index 000000000000..7eaadaf11cda --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch @@ -0,0 +1,21 @@ +https://bugs.gentoo.org/591392 +https://bugzilla.mindrot.org/show_bug.cgi?id=2590 + +7.3 added seccomp support to MIPS, but failed to handled the N32 +case. This patch is temporary until upstream fixes. + +--- openssh-7.3p1/configure.ac ++++ openssh-7.3p1/configure.ac +@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary(" + seccomp_audit_arch=AUDIT_ARCH_MIPSEL + ;; + mips64-*) +- seccomp_audit_arch=AUDIT_ARCH_MIPS64 ++ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32 + ;; + mips64el-*) +- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64 ++ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32 + ;; + esac + if test "x$seccomp_audit_arch" != "x" ; then diff --git a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..806b36d0ca94 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch @@ -0,0 +1,351 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +--- a/readconf.c ++++ b/readconf.c +@@ -148,6 +148,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -194,9 +195,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -930,6 +933,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1649,6 +1656,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1779,6 +1787,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- a/readconf.h ++++ b/readconf.h +@@ -46,6 +46,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -830,6 +830,16 @@ + Forward (delegate) credentials to the server. + The default is + .Dq no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -656,6 +656,13 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -668,7 +674,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + +need to move these two funcs back to canohost so they're available to clients +and the server. auth.c is only used in the server. + +--- a/auth.c ++++ b/auth.c +@@ -784,117 +784,3 @@ fakepw(void) + + return (&fake); + } +- +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch new file mode 100644 index 000000000000..784cd2aa7efb --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch @@ -0,0 +1,29 @@ +https://bugs.gentoo.org/595342 + +Backport of +https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737 + +--- openssh-7.3p1/kex.c ++++ openssh-7.3p1/kex.c +@@ -419,6 +419,8 @@ + ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); + if ((r = sshpkt_get_end(ssh)) != 0) + return r; ++ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) ++ return r; + kex->done = 1; + sshbuf_reset(kex->peer); + /* sshbuf_reset(kex->my); */ +--- openssh-7.3p1/packet.c ++++ openssh-7.3p1/packet.c +@@ -1919,9 +1919,7 @@ + return r; + return SSH_ERR_PROTOCOL_ERROR; + } +- if (*typep == SSH2_MSG_NEWKEYS) +- r = ssh_set_newkeys(ssh, MODE_IN); +- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) ++ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) + r = ssh_packet_enable_delayed_compress(ssh); + else + r = 0; diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch new file mode 100644 index 000000000000..8603601ca7b6 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch @@ -0,0 +1,32 @@ +https://bugs.gentoo.org/597360 + +From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 +From: "markus@openbsd.org" <markus@openbsd.org> +Date: Mon, 10 Oct 2016 19:28:48 +0000 +Subject: [PATCH] upstream commit + +Unregister the KEXINIT handler after message has been +received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause +allocation of up to 128MB -- until the connection is closed. Reported by +shilei-c at 360.cn + +Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 +--- + kex.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kex.c b/kex.c +index 3f97f8c00919..6a94bc535bd7 100644 +--- a/kex.c ++++ b/kex.c +@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +-- +2.11.0.rc2 + diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch new file mode 100644 index 000000000000..7fb0d8069b94 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch @@ -0,0 +1,34 @@ +https://bugs.gentoo.org/592122 + +From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Wed, 3 Aug 2016 04:23:55 +0000 +Subject: [PATCH] upstream commit + +Fix bug introduced in rev 1.467 which causes +"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1 +and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol +2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de, +ok deraadt@ + +Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc +--- + sshd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sshd.c b/sshd.c +index 799c7711f49c..9fc829a91bc8 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + } else + #endif +- if ((r = sshbuf_put_u32(m, 1)) != 0) ++ if ((r = sshbuf_put_u32(m, 0)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) +-- +2.11.0.rc2 + diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch new file mode 100644 index 000000000000..0602307128f0 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch @@ -0,0 +1,39 @@ +--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch ++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch +@@ -1155,7 +1155,7 @@ + @@ -44,7 +44,7 @@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +--- a/0004-support-dynamically-sized-receive-buffers.patch ++++ b/0004-support-dynamically-sized-receive-buffers.patch +@@ -2144,9 +2144,9 @@ + @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -2163,9 +2163,9 @@ + @@ -432,7 +432,7 @@ + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch new file mode 100644 index 000000000000..9cc7b61a6ab5 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch @@ -0,0 +1,245 @@ +diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c +index fdc9b2f..300cd90 100644 +--- a/cipher-ctr-mt.c ++++ b/cipher-ctr-mt.c +@@ -127,7 +127,7 @@ struct kq { + u_char keys[KQLEN][AES_BLOCK_SIZE]; + u_char ctr[AES_BLOCK_SIZE]; + u_char pad0[CACHELINE_LEN]; +- volatile int qstate; ++ int qstate; + pthread_mutex_t lock; + pthread_cond_t cond; + u_char pad1[CACHELINE_LEN]; +@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx + STATS_STRUCT(stats); + u_char aes_counter[AES_BLOCK_SIZE]; + pthread_t tid[CIPHER_THREADS]; ++ pthread_rwlock_t tid_lock; ++#ifdef __APPLE__ ++ pthread_rwlock_t stop_lock; ++ int exit_flag; ++#endif /* __APPLE__ */ + int state; + int qidx; + int ridx; +@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x) + pthread_mutex_unlock((pthread_mutex_t *)x); + } + ++#ifdef __APPLE__ ++/* Check if we should exit, we are doing both cancel and exit condition ++ * since on OSX threads seem to occasionally fail to notice when they have ++ * been cancelled. We want to have a backup to make sure that we won't hang ++ * when the main process join()-s the cancelled thread. ++ */ ++static void ++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c) ++{ ++ int exit_flag; ++ ++ pthread_rwlock_rdlock(&c->stop_lock); ++ exit_flag = c->exit_flag; ++ pthread_rwlock_unlock(&c->stop_lock); ++ ++ if (exit_flag) ++ pthread_exit(NULL); ++} ++#else ++# define thread_loop_check_exit(s) ++#endif /* __APPLE__ */ ++ ++/* ++ * Helper function to terminate the helper threads ++ */ ++static void ++stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c) ++{ ++ int i; ++ ++#ifdef __APPLE__ ++ /* notify threads that they should exit */ ++ pthread_rwlock_wrlock(&c->stop_lock); ++ c->exit_flag = TRUE; ++ pthread_rwlock_unlock(&c->stop_lock); ++#endif /* __APPLE__ */ ++ ++ /* Cancel pregen threads */ ++ for (i = 0; i < CIPHER_THREADS; i++) { ++ pthread_cancel(c->tid[i]); ++ } ++ for (i = 0; i < NUMKQ; i++) { ++ pthread_mutex_lock(&c->q[i].lock); ++ pthread_cond_broadcast(&c->q[i].cond); ++ pthread_mutex_unlock(&c->q[i].lock); ++ } ++ for (i = 0; i < CIPHER_THREADS; i++) { ++ pthread_join(c->tid[i], NULL); ++ } ++} ++ + /* + * The life of a pregen thread: + * Find empty keystream queues and fill them using their counter. +@@ -201,6 +257,7 @@ thread_loop(void *x) + struct kq *q; + int i; + int qidx; ++ pthread_t first_tid; + + /* Threads stats on cancellation */ + STATS_INIT(stats); +@@ -211,11 +268,15 @@ thread_loop(void *x) + /* Thread local copy of AES key */ + memcpy(&key, &c->aes_ctx, sizeof(key)); + ++ pthread_rwlock_rdlock(&c->tid_lock); ++ first_tid = c->tid[0]; ++ pthread_rwlock_unlock(&c->tid_lock); ++ + /* + * Handle the special case of startup, one thread must fill + * the first KQ then mark it as draining. Lock held throughout. + */ +- if (pthread_equal(pthread_self(), c->tid[0])) { ++ if (pthread_equal(pthread_self(), first_tid)) { + q = &c->q[0]; + pthread_mutex_lock(&q->lock); + if (q->qstate == KQINIT) { +@@ -245,12 +306,16 @@ thread_loop(void *x) + /* Check if I was cancelled, also checked in cond_wait */ + pthread_testcancel(); + ++ /* Check if we should exit as well */ ++ thread_loop_check_exit(c); ++ + /* Lock queue and block if its draining */ + q = &c->q[qidx]; + pthread_mutex_lock(&q->lock); + pthread_cleanup_push(thread_loop_cleanup, &q->lock); + while (q->qstate == KQDRAINING || q->qstate == KQINIT) { + STATS_WAIT(stats); ++ thread_loop_check_exit(c); + pthread_cond_wait(&q->cond, &q->lock); + } + pthread_cleanup_pop(0); +@@ -268,6 +333,7 @@ thread_loop(void *x) + * can see that it's being filled. + */ + q->qstate = KQFILLING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + for (i = 0; i < KQLEN; i++) { + AES_encrypt(q->ctr, q->keys[i], &key); +@@ -279,7 +345,7 @@ thread_loop(void *x) + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); + q->qstate = KQFULL; + STATS_FILL(stats); +- pthread_cond_signal(&q->cond); ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + } + +@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, + pthread_cond_wait(&q->cond, &q->lock); + } + q->qstate = KQDRAINING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + + /* Mark consumed queue empty and signal producers */ +@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { + c = xmalloc(sizeof(*c)); ++ pthread_rwlock_init(&c->tid_lock, NULL); ++#ifdef __APPLE__ ++ pthread_rwlock_init(&c->stop_lock, NULL); ++ c->exit_flag = FALSE; ++#endif /* __APPLE__ */ + + c->state = HAVE_NONE; + for (i = 0; i < NUMKQ; i++) { +@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + } + + if (c->state == (HAVE_KEY | HAVE_IV)) { +- /* Cancel pregen threads */ +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_cancel(c->tid[i]); +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_join(c->tid[i], NULL); ++ /* tell the pregen threads to exit */ ++ stop_and_join_pregen_threads(c); ++ ++#ifdef __APPLE__ ++ /* reset the exit flag */ ++ c->exit_flag = FALSE; ++#endif /* __APPLE__ */ ++ + /* Start over getting key & iv */ + c->state = HAVE_NONE; + } +@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + /* Start threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); ++ pthread_rwlock_unlock(&c->tid_lock); + } + pthread_mutex_lock(&c->q[0].lock); +- while (c->q[0].qstate != KQDRAINING) ++ while (c->q[0].qstate == KQINIT) + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock); + pthread_mutex_unlock(&c->q[0].lock); + } +@@ -461,15 +538,10 @@ void + ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx) + { + struct ssh_aes_ctr_ctx *c; +- int i; ++ + c = EVP_CIPHER_CTX_get_app_data(ctx); +- /* destroy threads */ +- for (i = 0; i < CIPHER_THREADS; i++) { +- pthread_cancel(c->tid[i]); +- } +- for (i = 0; i < CIPHER_THREADS; i++) { +- pthread_join(c->tid[i], NULL); +- } ++ ++ stop_and_join_pregen_threads(c); + } + + void +@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx) + /* reconstruct threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); ++ pthread_rwlock_unlock(&c->tid_lock); + } + } + +@@ -489,18 +563,13 @@ static int + ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) + { + struct ssh_aes_ctr_ctx *c; +- int i; + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { + #ifdef CIPHER_THREAD_STATS + debug("main thread: %u drains, %u waits", c->stats.drains, + c->stats.waits); + #endif +- /* Cancel pregen threads */ +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_cancel(c->tid[i]); +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_join(c->tid[i], NULL); ++ stop_and_join_pregen_threads(c); + + memset(c, 0, sizeof(*c)); + free(c); diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch new file mode 100644 index 000000000000..f077c0517fa2 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch @@ -0,0 +1,41 @@ +--- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700 ++++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700 +@@ -1155,7 +1155,7 @@ + @@ -44,7 +44,7 @@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -2144,12 +2144,12 @@ + /* Bind the socket to an alternative local IP address */ + if (options.bind_address == NULL && !privileged) + return sock; +-@@ -527,10 +555,10 @@ ++@@ -555,10 +583,10 @@ + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -2163,9 +2163,9 @@ + @@ -432,7 +432,7 @@ + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch new file mode 100644 index 000000000000..2def6993e6c3 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch @@ -0,0 +1,67 @@ +--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700 ++++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700 +@@ -226,14 +226,6 @@ + .Op Fl c Ar cipher + .Op Fl F Ar ssh_config + .Op Fl i Ar identity_file +-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see +- .It ServerAliveCountMax +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It UpdateHostKeys +- .It UsePrivilegedPort +- .It User + @@ -224,6 +225,8 @@ and + to print debugging messages about their progress. + This is helpful in +@@ -493,19 +485,11 @@ + .Sh SYNOPSIS + .Nm ssh + .Bk -words +--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy +-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz ++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy +++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz + .Op Fl b Ar bind_address + .Op Fl c Ar cipher_spec + .Op Fl D Oo Ar bind_address : Oc Ns Ar port +-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see +- .It StreamLocalBindUnlink +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It Tunnel +- .It TunnelDevice +- .It UpdateHostKeys + @@ -795,6 +796,8 @@ controls. + .Pp + .It Fl y +@@ -533,18 +517,18 @@ + usage(void) + { + fprintf(stderr, +--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" ++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" + " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" +- " [-F configfile] [-I pkcs11] [-i identity_file]\n" +- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" ++ " [-F configfile]\n" ++ #ifdef USE_OPENSSL_ENGINE + @@ -608,7 +613,7 @@ main(int ac, char **av) +- argv0 = av[0]; ++ # define ENGCONFIG "" ++ #endif + +- again: +-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" +-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT +- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" +++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT ++ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { + switch (opt) { + case '1': + @@ -857,6 +862,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch new file mode 100644 index 000000000000..528dc6f22a94 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch @@ -0,0 +1,109 @@ +diff --git a/kex.c b/kex.c +index 143227a..c9b84c2 100644 +--- a/kex.c ++++ b/kex.c +@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh) + static int + kex_send_ext_info(struct ssh *ssh) + { ++#ifdef EXPERIMENTAL_RSA_SHA2_256 + int r; + +-#ifdef EXPERIMENTAL_RSA_SHA2_256 + /* IMPORTANT NOTE: + * Do not offer rsa-sha2-* until is resolved misconfiguration issue + * with allowed public key algorithms! +diff --git a/key-eng.c b/key-eng.c +index 9bc50fd..bc0d03d 100644 +--- a/key-eng.c ++++ b/key-eng.c +@@ -786,7 +786,6 @@ ssh_engines_shutdown() { + while (buffer_len(&eng_list) > 0) { + u_int k = 0; + char *s; +- ENGINE *e; + + s = buffer_get_cstring_ret(&eng_list, &k); + ssh_engine_reset(s); +diff --git a/monitor.c b/monitor.c +index 345d3df..0de30ad 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m) + (r = sshbuf_get_string(m, &p, &datlen)) != 0 || + (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- if (keyid > INT_MAX) ++ if (keyid32 > INT_MAX) + fatal("%s: invalid key ID", __func__); + + keyid = keyid32; /*save cast*/ +diff --git a/readconf.c b/readconf.c +index beb38a0..1cbda7e 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1459,7 +1459,9 @@ parse_int: + + case oHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; ++# if 0 + parse_keytypes: ++# endif + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", +diff --git a/servconf.c b/servconf.c +index a540138..e77a344 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -1574,7 +1573,9 @@ parse_string: + + case sHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; ++# if 0 + parse_keytypes: ++#endif + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 50f04b7..3f9a7bf 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa) + } + + #ifdef OPENSSL_HAS_ECC ++#ifdef HAVE_EC_KEY_METHOD_NEW + /* openssl callback for freeing an EC key */ + static void + pkcs11_ec_finish(EC_KEY *ec) + { + struct pkcs11_key *k11; + +-#ifdef HAVE_EC_KEY_METHOD_NEW + k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); + EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); +-#else +- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); +- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); +-#endif + pkcs11_key_free(k11); + } ++#endif /*def HAVE_EC_KEY_METHOD_NEW*/ + #endif /*def OPENSSL_HAS_ECC*/ + + +diff --git a/sshconnect.c b/sshconnect.c +index fd2a70e..0960be1 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1) + { + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n", ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", diff --git a/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..ec2a6d894938 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch @@ -0,0 +1,351 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +--- a/readconf.c ++++ b/readconf.c +@@ -148,6 +148,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -194,9 +195,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -930,6 +933,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1649,6 +1656,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1779,6 +1787,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- a/readconf.h ++++ b/readconf.h +@@ -46,6 +46,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -830,6 +830,16 @@ + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -656,6 +656,13 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -668,7 +674,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + +need to move these two funcs back to canohost so they're available to clients +and the server. auth.c is only used in the server. + +--- a/auth.c ++++ b/auth.c +@@ -784,117 +784,3 @@ fakepw(void) + + return (&fake); + } +- +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} diff --git a/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch new file mode 100644 index 000000000000..3e02b6f8ccc0 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch @@ -0,0 +1,29 @@ +https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html + +From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 19 Dec 2016 15:59:00 -0500 +Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test + +The test command uses = for string compares, not ==. Using some POSIX +shells will reject this statement with an error about an unknown operator. +--- + regress/allow-deny-users.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh +index 32a269afa97c..86805e19322b 100644 +--- a/regress/allow-deny-users.sh ++++ b/regress/allow-deny-users.sh +@@ -4,7 +4,7 @@ + tid="AllowUsers/DenyUsers" + + me="$LOGNAME" +-if [ "x$me" == "x" ]; then ++if [ "x$me" = "x" ]; then + me=`whoami` + fi + other="nobody" +-- +2.11.0.rc2 + diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..6b1e6dd35a41 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch @@ -0,0 +1,351 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +--- a/readconf.c ++++ b/readconf.c +@@ -148,6 +148,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -194,9 +195,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + # else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + #ifdef ENABLE_PKCS11 + { "smartcarddevice", oPKCS11Provider }, +@@ -930,6 +933,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1649,6 +1656,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1779,6 +1787,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- a/readconf.h ++++ b/readconf.h +@@ -46,6 +46,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -830,6 +830,16 @@ + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -656,6 +656,13 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -668,7 +674,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + +need to move these two funcs back to canohost so they're available to clients +and the server. auth.c is only used in the server. + +--- a/auth.c ++++ b/auth.c +@@ -784,117 +784,3 @@ fakepw(void) + + return (&fake); + } +- +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch new file mode 100644 index 000000000000..1c2b7b8a091a --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch @@ -0,0 +1,39 @@ +From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@chromium.org> +Date: Wed, 24 May 2017 23:18:41 -0400 +Subject: [PATCH] configure: actually set cache vars when cross-compiling + +The cross-compiling fallback message says it's assuming the test +passed, but it didn't actually set the cache var which causes +later tests to fail. +--- + configure.ac | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 5cfea38c0a6c..895c5211ea93 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE( + select_works_with_rlimit=yes], + [AC_MSG_RESULT([no]) + select_works_with_rlimit=no], +- [AC_MSG_WARN([cross compiling: assuming yes])] ++ [AC_MSG_WARN([cross compiling: assuming yes]) ++ select_works_with_rlimit=yes] + ) + + AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) +@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE( + rlimit_nofile_zero_works=yes], + [AC_MSG_RESULT([no]) + rlimit_nofile_zero_works=no], +- [AC_MSG_WARN([cross compiling: assuming yes])] ++ [AC_MSG_WARN([cross compiling: assuming yes]) ++ rlimit_nofile_zero_works=yes] + ) + + AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) +-- +2.12.0 + diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.1-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.1-glue.patch new file mode 100644 index 000000000000..e55a8b14c573 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.1-glue.patch @@ -0,0 +1,63 @@ +diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch +--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700 +@@ -40,7 +40,7 @@ + @@ -44,7 +44,7 @@ CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -1023,6 +1023,3 @@ + do_authenticated(authctxt); + + /* The connection has been terminated. */ +--- +-2.12.0 +- +diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch +--- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700 +@@ -926,9 +926,9 @@ + @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -943,11 +943,11 @@ + @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) + char remote_version[256]; /* Must be at least as big as buf. */ + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", +- options.version_addendum); ++ options.version_addendum, newline); + + @@ -1020,6 +1020,8 @@ server_listen(void) + int ret, listen_sock, on = 1; +@@ -1008,10 +1008,6 @@ + @@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_7.5" + +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" + +#define SSH_HPN "-hpn14v12" + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +--- +-2.12.0 +- diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch new file mode 100644 index 000000000000..11a5b364be4d --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch @@ -0,0 +1,67 @@ +diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch +--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700 +@@ -40,7 +40,7 @@ + @@ -44,7 +44,7 @@ CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -1023,6 +1023,3 @@ + do_authenticated(authctxt); + + /* The connection has been terminated. */ +--- +-2.12.0 +- +diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch +--- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700 +@@ -926,9 +926,9 @@ + @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -943,11 +943,11 @@ + @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) + char remote_version[256]; /* Must be at least as big as buf. */ + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s", ++- major, minor, SSH_VERSION, pkix_comment, +++ major, minor, SSH_RELEASE, pkix_comment, + *options.version_addendum == '\0' ? "" : " ", +- options.version_addendum); ++ options.version_addendum, newline); + + @@ -1020,6 +1020,8 @@ server_listen(void) + int ret, listen_sock, on = 1; +@@ -1006,12 +1008,9 @@ + --- a/version.h + +++ b/version.h +-@@ -3,4 +3,5 @@ ++@@ -3,4 +3,6 @@ + #define SSH_VERSION "OpenSSH_7.5" + +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" +++#define SSH_X509 ", PKIX-SSH " PACKAGE_VERSION + +#define SSH_HPN "-hpn14v12" + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +--- +-2.12.0 +- diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch new file mode 100644 index 000000000000..5dca1b0e4e16 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch @@ -0,0 +1,25 @@ +From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 20 Mar 2017 14:57:40 -0400 +Subject: [PATCH] seccomp sandbox: fix typo w/x32 check + +--- + sandbox-seccomp-filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 3a1aedce72c2..a8d472a63ccb 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = { + * x86-64 syscall under some circumstances, e.g. + * https://bugs.debian.org/849923 + */ +- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT); ++ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT), + #endif + + /* Default deny */ +-- +2.12.0 + diff --git a/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch b/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch new file mode 100644 index 000000000000..b4f36a513180 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch @@ -0,0 +1,202 @@ +diff -urN openssh-7.5p1.orig/a_utf8.c openssh-7.5p1/a_utf8.c +--- openssh-7.5p1.orig/a_utf8.c 1970-01-01 00:00:00.000000000 +0000 ++++ openssh-7.5p1/a_utf8.c 2017-03-30 17:38:25.179532110 +0000 +@@ -0,0 +1,186 @@ ++/* ++ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include <stdio.h> ++ ++/* UTF8 utilities */ ++ ++/*- ++ * This parses a UTF8 string one character at a time. It is passed a pointer ++ * to the string and the length of the string. It sets 'value' to the value of ++ * the current character. It returns the number of characters read or a ++ * negative error code: ++ * -1 = string too short ++ * -2 = illegal character ++ * -3 = subsequent characters not of the form 10xxxxxx ++ * -4 = character encoded incorrectly (not minimal length). ++ */ ++ ++int UTF8_getc(const unsigned char *str, int len, unsigned long *val) ++{ ++ const unsigned char *p; ++ unsigned long value; ++ int ret; ++ if (len <= 0) ++ return 0; ++ p = str; ++ ++ /* Check syntax and work out the encoded value (if correct) */ ++ if ((*p & 0x80) == 0) { ++ value = *p++ & 0x7f; ++ ret = 1; ++ } else if ((*p & 0xe0) == 0xc0) { ++ if (len < 2) ++ return -1; ++ if ((p[1] & 0xc0) != 0x80) ++ return -3; ++ value = (*p++ & 0x1f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x80) ++ return -4; ++ ret = 2; ++ } else if ((*p & 0xf0) == 0xe0) { ++ if (len < 3) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80)) ++ return -3; ++ value = (*p++ & 0xf) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x800) ++ return -4; ++ ret = 3; ++ } else if ((*p & 0xf8) == 0xf0) { ++ if (len < 4) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80) ++ || ((p[3] & 0xc0) != 0x80)) ++ return -3; ++ value = ((unsigned long)(*p++ & 0x7)) << 18; ++ value |= (*p++ & 0x3f) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x10000) ++ return -4; ++ ret = 4; ++ } else if ((*p & 0xfc) == 0xf8) { ++ if (len < 5) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80) ++ || ((p[3] & 0xc0) != 0x80) ++ || ((p[4] & 0xc0) != 0x80)) ++ return -3; ++ value = ((unsigned long)(*p++ & 0x3)) << 24; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 18; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x200000) ++ return -4; ++ ret = 5; ++ } else if ((*p & 0xfe) == 0xfc) { ++ if (len < 6) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80) ++ || ((p[3] & 0xc0) != 0x80) ++ || ((p[4] & 0xc0) != 0x80) ++ || ((p[5] & 0xc0) != 0x80)) ++ return -3; ++ value = ((unsigned long)(*p++ & 0x1)) << 30; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 24; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 18; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x4000000) ++ return -4; ++ ret = 6; ++ } else ++ return -2; ++ *val = value; ++ return ret; ++} ++ ++/* ++ * This takes a character 'value' and writes the UTF8 encoded value in 'str' ++ * where 'str' is a buffer containing 'len' characters. Returns the number of ++ * characters written or -1 if 'len' is too small. 'str' can be set to NULL ++ * in which case it just returns the number of characters. It will need at ++ * most 6 characters. ++ */ ++ ++int UTF8_putc(unsigned char *str, int len, unsigned long value) ++{ ++ if (!str) ++ len = 6; /* Maximum we will need */ ++ else if (len <= 0) ++ return -1; ++ if (value < 0x80) { ++ if (str) ++ *str = (unsigned char)value; ++ return 1; ++ } ++ if (value < 0x800) { ++ if (len < 2) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 6) & 0x1f) | 0xc0); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 2; ++ } ++ if (value < 0x10000) { ++ if (len < 3) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 12) & 0xf) | 0xe0); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 3; ++ } ++ if (value < 0x200000) { ++ if (len < 4) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 18) & 0x7) | 0xf0); ++ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 4; ++ } ++ if (value < 0x4000000) { ++ if (len < 5) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8); ++ *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 5; ++ } ++ if (len < 6) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc); ++ *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 6; ++} +diff -urN openssh-7.5p1.orig/Makefile.in openssh-7.5p1/Makefile.in +--- openssh-7.5p1.orig/Makefile.in 2017-03-30 17:33:30.983830629 +0000 ++++ openssh-7.5p1/Makefile.in 2017-03-30 17:39:28.392905858 +0000 +@@ -74,7 +74,7 @@ + @OCSP_ON@OCSP_OBJS=ssh-ocsp.o + @OCSP_OFF@OCSP_OBJS= + +-SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o ++SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o a_utf8.o + X509STORE_OBJS=x509store.o $(LDAP_OBJS) + + TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd new file mode 100644 index 000000000000..28952b4a285a --- /dev/null +++ b/net-misc/openssh/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2 new file mode 100644 index 000000000000..b801aaafa0f9 --- /dev/null +++ b/net-misc/openssh/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4 new file mode 100644 index 000000000000..5e301420361f --- /dev/null +++ b/net-misc/openssh/files/sshd.rc6.4 @@ -0,0 +1,84 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=/usr/sbin/sshd} + +depend() { + use logger dns + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ssh-keygen -A || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service new file mode 100644 index 000000000000..b5e96b3a251f --- /dev/null +++ b/net-misc/openssh/files/sshd.service @@ -0,0 +1,11 @@ +[Unit] +Description=OpenSSH server daemon +After=syslog.target network.target auditd.service + +[Service] +ExecStartPre=/usr/bin/ssh-keygen -A +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket new file mode 100644 index 000000000000..94b9533180da --- /dev/null +++ b/net-misc/openssh/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service new file mode 100644 index 000000000000..2645ad047cc6 --- /dev/null +++ b/net-misc/openssh/files/sshd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=syslog.target auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=syslog |