From 02930d1eb5af78d32b1597af6af24163895d9e0f Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Thu, 11 May 2023 23:47:37 +0100 Subject: gentoo auto-resync : 11:05:2023 - 23:47:37 --- .../openssh-6.7_p1-openssl-ignore-status.patch | 17 + ...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 ++ .../files/openssh-7.9_p1-include-stdlib.patch | 48 +++ .../files/openssh-8.0_p1-fix-putty-tests.patch | 57 ++++ .../files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch | 18 ++ .../files/openssh-8.6_p1-hpn-version.patch | 13 + .../files/openssh-8.7_p1-GSSAPI-dns.patch | 357 +++++++++++++++++++++ .../files/openssh-8.9_p1-allow-ppoll_time64.patch | 14 + .../openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch | 13 + .../openssh-9.0_p1-X509-uninitialized-delay.patch | 12 + ...mget-shmat-shmdt-in-preauth-privsep-child.patch | 20 ++ ...enssh-9.3_p1-openssl-version-compat-check.patch | 58 ++++ net-misc/openssh-contrib/files/sshd-r1.confd | 33 ++ net-misc/openssh-contrib/files/sshd-r1.initd | 87 +++++ net-misc/openssh-contrib/files/sshd.pam_include.2 | 4 + net-misc/openssh-contrib/files/sshd.service.1 | 15 + net-misc/openssh-contrib/files/sshd.socket | 10 + net-misc/openssh-contrib/files/sshd_at.service.1 | 8 + 18 files changed, 804 insertions(+) create mode 100644 net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch create mode 100644 net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch create mode 100644 net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch create mode 100644 net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch create mode 100644 net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch create mode 100644 net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch create mode 100644 net-misc/openssh-contrib/files/sshd-r1.confd create mode 100644 net-misc/openssh-contrib/files/sshd-r1.initd create mode 100644 net-misc/openssh-contrib/files/sshd.pam_include.2 create mode 100644 net-misc/openssh-contrib/files/sshd.service.1 create mode 100644 net-misc/openssh-contrib/files/sshd.socket create mode 100644 net-misc/openssh-contrib/files/sshd_at.service.1 (limited to 'net-misc/openssh-contrib/files') diff --git a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch new file mode 100644 index 000000000000..fa33af39b6f8 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch @@ -0,0 +1,17 @@ +the last nibble of the openssl version represents the status. that is, +whether it is a beta or release. when it comes to version checks in +openssh, this component does not matter, so ignore it. + +https://bugzilla.mindrot.org/show_bug.cgi?id=2212 + +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ +- mask = 0xfff0000fL; /* major,minor,status */ ++ mask = 0xfff00000L; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch new file mode 100644 index 000000000000..a5647ce9d8d3 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch @@ -0,0 +1,20 @@ +Disable conch interop tests which are failing when called +via portage for yet unknown reason and because using conch +seems to be flaky (test is failing when using Python2 but +passing when using Python3). + +Bug: https://bugs.gentoo.org/605446 + +--- a/regress/conch-ciphers.sh ++++ b/regress/conch-ciphers.sh +@@ -3,6 +3,10 @@ + + tid="conch ciphers" + ++# https://bugs.gentoo.org/605446 ++echo "conch interop tests skipped due to Gentoo bug #605446" ++exit 0 ++ + if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then + echo "conch interop tests not enabled" + exit 0 diff --git a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch new file mode 100644 index 000000000000..c5697c2b8bd1 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch @@ -0,0 +1,48 @@ +diff --git a/auth-options.c b/auth-options.c +index b05d6d6f..d1f42f04 100644 +--- a/auth-options.c ++++ b/auth-options.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #include "openbsd-compat/sys-queue.h" + +diff --git a/hmac.c b/hmac.c +index 1c879640..a29f32c5 100644 +--- a/hmac.c ++++ b/hmac.c +@@ -19,6 +19,7 @@ + + #include + #include ++#include + + #include "sshbuf.h" + #include "digest.h" +diff --git a/krl.c b/krl.c +index 8e2d5d5d..c32e147a 100644 +--- a/krl.c ++++ b/krl.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "sshbuf.h" + #include "ssherr.h" +diff --git a/mac.c b/mac.c +index 51dc11d7..3d11eba6 100644 +--- a/mac.c ++++ b/mac.c +@@ -29,6 +29,7 @@ + + #include + #include ++#include + + #include "digest.h" + #include "hmac.h" diff --git a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch new file mode 100644 index 000000000000..4310aa123fc8 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch @@ -0,0 +1,57 @@ +Make sure that host keys are already accepted before +running tests. + +https://bugs.gentoo.org/493866 + +--- a/regress/putty-ciphers.sh ++++ b/regress/putty-ciphers.sh +@@ -10,11 +10,17 @@ fi + + for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do + verbose "$tid: cipher $c" ++ rm -f ${COPY} + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/cipher_$c + echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c + +- rm -f ${COPY} ++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \ + cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then +--- a/regress/putty-kex.sh ++++ b/regress/putty-kex.sh +@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do + ${OBJ}/.putty/sessions/kex_$k + echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k + ++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true + if [ $? -ne 0 ]; then + fail "KEX $k failed" +--- a/regress/putty-transfer.sh ++++ b/regress/putty-transfer.sh +@@ -14,6 +14,13 @@ for c in 0 1 ; do + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/compression_$c + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k ++ ++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load compression_$c -batch \ + -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then diff --git a/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch new file mode 100644 index 000000000000..7199227589c6 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch @@ -0,0 +1,18 @@ +diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff +--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700 ++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700 +@@ -1414,14 +1414,3 @@ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +-diff --git a/version.h b/version.h +-index 6b4fa372..332fb486 100644 +---- a/version.h +-+++ b/version.h +-@@ -3,4 +3,5 @@ +- #define SSH_VERSION "OpenSSH_8.5" +- +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_HPN "-hpn15v2" +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff --git a/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch new file mode 100644 index 000000000000..6dc290d6737b --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch @@ -0,0 +1,13 @@ +diff --git a/kex.c b/kex.c +index 34808b5c..88d7ccac 100644 +--- a/kex.c ++++ b/kex.c +@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, + if (version_addendum != NULL && *version_addendum == '\0') + version_addendum = NULL; + if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, + version_addendum == NULL ? "" : " ", + version_addendum == NULL ? "" : version_addendum)) != 0) { + oerrno = errno; diff --git a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..ffc40b70ae3d --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch @@ -0,0 +1,357 @@ +diff --git a/auth.c b/auth.c +index 00b168b4..8ee93581 100644 +--- a/auth.c ++++ b/auth.c +@@ -729,118 +729,6 @@ fakepw(void) + return (&fake); + } + +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on based on conflation of hostnames and IP addresses. +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) == -1) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return xstrdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return xstrdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return xstrdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return xstrdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return xstrdup(ntop); +- } +- return xstrdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +- + /* These functions link key/cert options to the auth framework */ + + /* Log sshauthopt options locally and (optionally) for remote transmission */ +diff --git a/canohost.c b/canohost.c +index a810da0e..18e9d8d4 100644 +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) == -1) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return xstrdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return xstrdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return xstrdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return xstrdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return xstrdup(ntop); ++ } ++ return xstrdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} +diff --git a/readconf.c b/readconf.c +index 03369a08..b45898ce 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -161,6 +161,7 @@ typedef enum { + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -207,9 +208,11 @@ static struct { + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + # else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + #ifdef ENABLE_PKCS11 + { "pkcs11provider", oPKCS11Provider }, +@@ -1117,6 +1120,10 @@ parse_time: + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -2307,6 +2314,7 @@ initialize_options(Options * options) + options->pubkey_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -2465,6 +2473,8 @@ fill_default_options(Options * options) + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +diff --git a/readconf.h b/readconf.h +index f7d53b06..c3a91898 100644 +--- a/readconf.h ++++ b/readconf.h +@@ -40,6 +40,7 @@ typedef struct { + int hostbased_authentication; /* ssh2's rhosts_rsa */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +diff --git a/ssh_config.5 b/ssh_config.5 +index cd0eea86..27101943 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -832,6 +832,16 @@ The default is + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +diff --git a/sshconnect2.c b/sshconnect2.c +index fea50fab..aeff639b 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh) + OM_uint32 min; + int r, ok = 0; + gss_OID mech = NULL; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(ssh, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh) + elements[authctxt->mech_tried]; + /* My DER encoding requires length<128 */ + if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, +- mech, authctxt->host)) { ++ mech, gss_host)) { + ok = 1; /* Mechanism works */ + } else { + authctxt->mech_tried++; diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch new file mode 100644 index 000000000000..8c46625aa29c --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch @@ -0,0 +1,14 @@ +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 2e065ba3..4ce80cb2 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_ppoll + SC_ALLOW(__NR_ppoll), + #endif ++#ifdef __NR_ppoll_time64 ++ SC_ALLOW(__NR_ppoll_time64), ++#endif + #ifdef __NR_poll + SC_ALLOW(__NR_poll), + #endif diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch new file mode 100644 index 000000000000..9e08b2a553c2 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch @@ -0,0 +1,13 @@ +diff --git a/gss-serv.c b/gss-serv.c +index b5d4bb2d..00e3d118 100644 +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + gss_create_empty_oid_set(&status, &oidset); + gss_add_oid_set_member(&status, ctx->oid, &oidset); + +- if (gethostname(lname, MAXHOSTNAMELEN)) { ++ if (gethostname(lname, HOST_NAME_MAX)) { + gss_release_oid_set(&status, &oidset); + return (-1); + } diff --git a/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch new file mode 100644 index 000000000000..2a83ed37d138 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch @@ -0,0 +1,12 @@ +diff -ur a/auth2.c b/auth2.c +--- a/auth2.c 2022-05-19 15:59:32.875160028 -0700 ++++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700 +@@ -226,7 +226,7 @@ + int digest_alg; + size_t len; + u_char *hash; +- double delay; ++ double delay = 0; + + digest_alg = ssh_digest_maxbytes(); + if (len = ssh_digest_bytes(digest_alg) > 0) { diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch new file mode 100644 index 000000000000..4d098b2231c7 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch @@ -0,0 +1,20 @@ +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 23b40b643..d93a357c6 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_statx + SC_DENY(__NR_statx, EACCES), + #endif ++#ifdef __NR_shmget ++ SC_DENY(__NR_shmget, EACCES), ++#endif ++#ifdef __NR_shmat ++ SC_DENY(__NR_shmat, EACCES), ++#endif ++#ifdef __NR_shmdt ++ SC_DENY(__NR_shmdt, EACCES), ++#endif + + /* Syscalls to permit */ + #ifdef __NR_brk diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch new file mode 100644 index 000000000000..b571ae253fff --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch @@ -0,0 +1,58 @@ +https://bugzilla.mindrot.org/show_bug.cgi?id=3548 +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver) + if (headerver == libver) + return 1; + +- /* for versions < 1.0.0, major,minor,fix,status must match */ +- if (headerver < 0x1000000f) { +- mask = 0xfffff00fL; /* major,minor,fix,status */ +- return (headerver & mask) == (libver & mask); ++ /* ++ * For versions < 3.0.0, major,minor,status must match and library ++ * fix version must be equal to or newer than the header. ++ */ ++ if (headerver < 0x3000000f) { ++ mask = 0xfff0000fL; /* major,minor,status */ ++ hfix = (headerver & 0x000ff000) >> 12; ++ lfix = (libver & 0x000ff000) >> 12; ++ if ( (headerver & mask) == (libver & mask) && lfix >= hfix) ++ return 1; + } + + /* +- * For versions >= 1.0.0, major,minor,status must match and library +- * fix version must be equal to or newer than the header. ++ * For versions >= 3.0.0, major must match and minor,status must be ++ * equal to or greater than the header. + */ +- mask = 0xfff00000L; /* major,minor,status */ +- hfix = (headerver & 0x000ff000) >> 12; +- lfix = (libver & 0x000ff000) >> 12; ++ mask = 0xf000000fL; /* major, status */ ++ hfix = (headerver & 0x0ffffff0L) >> 12; ++ lfix = (libver & 0x0ffffff0L) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) + return 1; + return 0; +--- a/openbsd-compat/regress/opensslvertest.c ++++ b/openbsd-compat/regress/opensslvertest.c +@@ -31,7 +31,7 @@ struct version_test { + { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ + { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ + { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ +- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ ++ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */ + { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ + { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ + +@@ -41,7 +41,7 @@ struct version_test { + { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ + { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ + { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ +- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ ++ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */ + { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ + { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ + }; diff --git a/net-misc/openssh-contrib/files/sshd-r1.confd b/net-misc/openssh-contrib/files/sshd-r1.confd new file mode 100644 index 000000000000..cf430371bf0f --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd-r1.confd @@ -0,0 +1,33 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress. + +#SSHD_SSD_OPTS="--wait 1000" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd" + + +# Path to the ssh-keygen binary (needs to be absolute path). + +#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen" diff --git a/net-misc/openssh-contrib/files/sshd-r1.initd b/net-misc/openssh-contrib/files/sshd-r1.initd new file mode 100644 index 000000000000..e91cd0116cd4 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd-r1.initd @@ -0,0 +1,87 @@ +#!/sbin/openrc-run +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} +: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} + +command="${SSHD_BINARY}" +pidfile="${SSHD_PIDFILE}" +command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress (bug 617596). +: ${SSHD_SSD_OPTS:=--wait 1000} +start_stop_daemon_args="${SSHD_SSD_OPTS}" + +depend() { + # Entropy can be used by ssh-keygen, among other things, but + # is not strictly required (bug 470020). + use logger dns entropy + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ${SSHD_KEYGEN_BINARY} -A || return 2 + + "${command}" -t ${command_args} || return 3 +} + +start_pre() { + # Make sure that the user's config isn't busted before we try + # to start the daemon (this will produce better error messages + # than if we just try to start it blindly). + # + # We always need to call checkconfig because this function will + # also generate any missing host key and you can start a + # non-running service with "restart" argument. + checkconfig || return $? +} + +stop_pre() { + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return $? + fi +} + +reload() { + checkconfig || return $? + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} diff --git a/net-misc/openssh-contrib/files/sshd.pam_include.2 b/net-misc/openssh-contrib/files/sshd.pam_include.2 new file mode 100644 index 000000000000..b801aaafa0f9 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh-contrib/files/sshd.service.1 b/net-misc/openssh-contrib/files/sshd.service.1 new file mode 100644 index 000000000000..a541164cd7f2 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd.service.1 @@ -0,0 +1,15 @@ +[Unit] +Description=OpenSSH server daemon +After=network.target auditd.service + +[Service] +ExecStartPre=/usr/bin/ssh-keygen -A +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +OOMPolicy=continue +Restart=on-failure +RestartSec=42s + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh-contrib/files/sshd.socket b/net-misc/openssh-contrib/files/sshd.socket new file mode 100644 index 000000000000..94b9533180da --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh-contrib/files/sshd_at.service.1 b/net-misc/openssh-contrib/files/sshd_at.service.1 new file mode 100644 index 000000000000..e43a457994f4 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd_at.service.1 @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=journal -- cgit v1.2.3