Pullup ticket #4771 - requested by taca security/openssh: security update Revisions pulled up: - security/openssh/Makefile 1.233 - security/openssh/distinfo 1.92-1.93 - security/openssh/options.mk 1.30 - security/openssh/patches/patch-Makefile.in 1.4 - security/openssh/patches/patch-auth-passwd.c 1.2 - security/openssh/patches/patch-auth-rhosts.c 1.2 - security/openssh/patches/patch-auth.c 1.3 - security/openssh/patches/patch-auth1.c 1.3 - security/openssh/patches/patch-auth2.c 1.4 - security/openssh/patches/patch-channels.c 1.2 - security/openssh/patches/patch-clientloop.c 1.2 - security/openssh/patches/patch-compat.c deleted - security/openssh/patches/patch-config.h.in 1.4 - security/openssh/patches/patch-configure deleted - security/openssh/patches/patch-configure.ac 1.4 - security/openssh/patches/patch-defines.h 1.3 - security/openssh/patches/patch-includes.h 1.3 - security/openssh/patches/patch-openbsd-compat_openbsd-compat.h 1.3 - security/openssh/patches/patch-openbsd-compat_port-tun.c 1.2 - security/openssh/patches/patch-platform.c 1.4 - security/openssh/patches/patch-scp.c 1.3 - security/openssh/patches/patch-session.c 1.4 - security/openssh/patches/patch-ssh.c 1.4 - security/openssh/patches/patch-sshconnect.c deleted - security/openssh/patches/patch-sshd.8 1.1 - security/openssh/patches/patch-sshd.c 1.4 - security/openssh/patches/patch-sshpty.c 1.2 --- Module Name: pkgsrc Committed By: taca Date: Thu Jul 9 16:14:24 UTC 2015 Modified Files: pkgsrc/security/openssh: Makefile distinfo options.mk pkgsrc/security/openssh/patches: patch-Makefile.in patch-auth-passwd.c patch-auth-rhosts.c patch-auth.c patch-auth1.c patch-auth2.c patch-channels.c patch-clientloop.c patch-config.h.in patch-configure.ac patch-defines.h patch-includes.h patch-openbsd-compat_openbsd-compat.h patch-openbsd-compat_port-tun.c patch-platform.c patch-scp.c patch-session.c patch-ssh.c patch-sshd.c patch-sshpty.c Added Files: pkgsrc/security/openssh/patches: patch-sshd.8 Removed Files: 
pkgsrc/security/openssh/patches: patch-compat.c patch-configure patch-sshconnect.c Log Message: Update openssh to 6.9.1 (OpenSSH 6.9p1) which contains security fix. pkgsrc change: * tcp_wrappers support was removed from release 6.7, but add it referring to FreeBSD's ports. * hpn-patch is also based on FreeBSD's ports. Security -------- * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. For more information, please refer release announce. http://www.openssh.com/txt/release-6.9 http://www.openssh.com/txt/release-6.8 http://www.openssh.com/txt/release-6.7 --- Module Name: pkgsrc Committed By: dsainty Date: Fri Jul 10 07:00:29 UTC 2015 Modified Files: pkgsrc/security/openssh: distinfo Log Message: Remove dangling stale hash for patch-sshconnect.cdiff -r1.230 -r1.230.2.1 pkgsrc/security/openssh/Makefile
(tron)
@@ -1,33 +1,32 @@ | @@ -1,33 +1,32 @@ | |||
1 | # $NetBSD: Makefile,v 1.230 2015/06/12 10:51:03 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.230.2.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | DISTNAME= openssh-6.6p1 | 3 | DISTNAME= openssh-6.9p1 | |
4 | PKGNAME= openssh-6.6.1 | 4 | PKGNAME= openssh-6.9.1 | |
5 | PKGREVISION= 7 | |||
6 | CATEGORIES= security | 5 | CATEGORIES= security | |
7 | MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/} | 6 | MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/} | |
8 | 7 | |||
9 | MAINTAINER= pkgsrc-users@NetBSD.org | 8 | MAINTAINER= pkgsrc-users@NetBSD.org | |
10 | HOMEPAGE= http://www.openssh.com/ | 9 | HOMEPAGE= http://www.openssh.com/ | |
11 | COMMENT= Open Source Secure shell client and server (remote login program) | 10 | COMMENT= Open Source Secure shell client and server (remote login program) | |
12 | 11 | |||
13 | CONFLICTS= sftp-[0-9]* | 12 | CONFLICTS= sftp-[0-9]* | |
14 | CONFLICTS+= ssh-[0-9]* ssh6-[0-9]* | 13 | CONFLICTS+= ssh-[0-9]* ssh6-[0-9]* | |
15 | CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]* | 14 | CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]* | |
16 | CONFLICTS+= openssh+gssapi-[0-9]* | 15 | CONFLICTS+= openssh+gssapi-[0-9]* | |
17 | CONFLICTS+= lsh>2.0 | 16 | CONFLICTS+= lsh>2.0 | |
18 | 17 | |||
19 | USE_GCC_RUNTIME= yes | 18 | USE_GCC_RUNTIME= yes | |
20 | USE_TOOLS+= perl | 19 | USE_TOOLS+= autoconf perl | |
21 | 20 | |||
22 | CRYPTO= yes | 21 | CRYPTO= yes | |
23 | 22 | |||
24 | # retain the following line, for IPv6-ready pkgsrc webpage | 23 | # retain the following line, for IPv6-ready pkgsrc webpage | |
25 | BUILD_DEFS+= IPV6_READY | 24 | BUILD_DEFS+= IPV6_READY | |
26 | 25 | |||
27 | PKG_GROUPS_VARS+= OPENSSH_GROUP | 26 | PKG_GROUPS_VARS+= OPENSSH_GROUP | |
28 | PKG_USERS_VARS+= OPENSSH_USER | 27 | PKG_USERS_VARS+= OPENSSH_USER | |
29 | BUILD_DEFS+= OPENSSH_CHROOT | 28 | BUILD_DEFS+= OPENSSH_CHROOT | |
30 | BUILD_DEFS+= VARBASE | 29 | BUILD_DEFS+= VARBASE | |
31 | 30 | |||
32 | INSTALL_TARGET= install-nokeys | 31 | INSTALL_TARGET= install-nokeys | |
33 | 32 | |||
@@ -162,26 +161,29 @@ FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR | @@ -162,26 +161,29 @@ FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR | |||
162 | SUBST_CLASSES+= patch | 161 | SUBST_CLASSES+= patch | |
163 | SUBST_STAGE.patch= pre-configure | 162 | SUBST_STAGE.patch= pre-configure | |
164 | SUBST_FILES.patch= session.c | 163 | SUBST_FILES.patch= session.c | |
165 | SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/' | 164 | SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/' | |
166 | SUBST_MESSAGE.patch= More patch a file. | 165 | SUBST_MESSAGE.patch= More patch a file. | |
167 | 166 | |||
168 | .include "../../devel/zlib/buildlink3.mk" | 167 | .include "../../devel/zlib/buildlink3.mk" | |
169 | .include "../../security/openssl/buildlink3.mk" | 168 | .include "../../security/openssl/buildlink3.mk" | |
170 | .include "../../security/tcp_wrappers/buildlink3.mk" | 169 | .include "../../security/tcp_wrappers/buildlink3.mk" | |
171 | 170 | |||
172 | # | 171 | # | |
173 | # type of key "ecdsa" isn't always supported depends on OpenSSL. | 172 | # type of key "ecdsa" isn't always supported depends on OpenSSL. | |
174 | # | 173 | # | |
174 | pre-configure: | |||
175 | cd ${WRKSRC} && autoconf -i | |||
176 | ||||
175 | post-configure: | 177 | post-configure: | |
176 | if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \ | 178 | if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \ | |
177 | ${WRKSRC}/config.h; then \ | 179 | ${WRKSRC}/config.h; then \ | |
178 | ${SED} -e '/HAVE_ECDSA/s/.*//' \ | 180 | ${SED} -e '/HAVE_ECDSA/s/.*//' \ | |
179 | ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \ | 181 | ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \ | |
180 | else \ | 182 | else \ | |
181 | ${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \ | 183 | ${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \ | |
182 | ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \ | 184 | ${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \ | |
183 | fi | 185 | fi | |
184 | 186 | |||
185 | post-install: | 187 | post-install: | |
186 | ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR} | 188 | ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR} | |
187 | cd ${WRKSRC}; for file in ${CONFS}; do \ | 189 | cd ${WRKSRC}; for file in ${CONFS}; do \ |
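Review bot: The new `pre-configure` target runs `autoconf -i`, and on GNU autoconf `-i` is the `--initialization` tracing switch, which does nothing unless `-t` is also given, so the flag is presumably either a no-op or a mix-up with `autoreconf -i`. If the goal is only to regenerate `configure` from the patched configure.ac (consistent with patch-configure being dropped from this package), plain `cd ${WRKSRC} && autoconf` is clearer; if missing auxiliary files must also be installed, `autoreconf -i` is the tool for that. Either way the target deserves a one-line comment stating why configure is rebuilt at build time, e.g. `# regenerate configure: configure.ac is patched (tcp_wrappers, Interix)`, so the next maintainer does not drop it when the hashes are refreshed.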
@@ -1,35 +1,33 @@ | @@ -1,35 +1,33 @@ | |||
1 | $NetBSD: distinfo,v 1.91 2015/05/16 14:43:02 sevan Exp $ | 1 | $NetBSD: distinfo,v 1.91.2.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (openssh-6.6p1-hpnssh14v4.diff.gz) = 1cb86c7151ea4c805cfb1197eac13844cd8f2f2c | 3 | SHA1 (openssh-6.9p1-hpn-20150709.diff.gz) = a39571c1cdb13382631a1d9cfe89b82fb346c92c | |
4 | RMD160 (openssh-6.6p1-hpnssh14v4.diff.gz) = 292cea7880ff66040d915f2d5957dd27d0835984 | 4 | RMD160 (openssh-6.9p1-hpn-20150709.diff.gz) = 8bb077e7ecbc7550386a050209e84d6f4d895788 | |
5 | Size (openssh-6.6p1-hpnssh14v4.diff.gz) = 23417 bytes | 5 | Size (openssh-6.9p1-hpn-20150709.diff.gz) = 13370 bytes | |
6 | SHA1 (openssh-6.6p1.tar.gz) = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e | 6 | SHA1 (openssh-6.9p1.tar.gz) = 86ab57f00d0fd9bf302760f2f6deac1b6e9df265 | |
7 | RMD160 (openssh-6.6p1.tar.gz) = e19ed34e240001898b6665bb4356b868bba5513d | 7 | RMD160 (openssh-6.9p1.tar.gz) = 4fb2f0a0280db51024bf72b0f5cd3912d25cb59a | |
8 | Size (openssh-6.6p1.tar.gz) = 1282502 bytes | 8 | Size (openssh-6.9p1.tar.gz) = 1487617 bytes | |
9 | SHA1 (patch-Makefile.in) = 3b136be23e0dab21894dcc881746cf5a186ff572 | 9 | SHA1 (patch-Makefile.in) = 2bf52a85ecdebac3aa299b25ecb561218a3316a2 | |
10 | SHA1 (patch-auth-passwd.c) = de9f5487fe1f5848cc702e549bce949fd75d70cd | 10 | SHA1 (patch-auth-passwd.c) = 32da596dd9b255ffdd8168e6ea6f62596304b116 | |
11 | SHA1 (patch-auth-rhosts.c) = ab8dd3e375accc5bed3e15b158a85a1b1f9a2e3e | 11 | SHA1 (patch-auth-rhosts.c) = 5752c384f1fd81ed6ef21707fa2b9743a3891987 | |
12 | SHA1 (patch-auth.c) = 950b0380bcbb0fa1681014cfbb41528d09a10a18 | 12 | SHA1 (patch-auth.c) = 80f1c5ad8ea01a3c9dedce4eef1b625640958450 | |
13 | SHA1 (patch-auth1.c) = 7b0481f445bc85cce9d7539b00bf581b9aa09fea | 13 | SHA1 (patch-auth1.c) = 0bb4bc35e2ca2cd03c5596dadcd2ffb4329091a7 | |
14 | SHA1 (patch-auth2.c) = 8f4f97516874fc4af5814cbd3a1f59b9ca77b43f | 14 | SHA1 (patch-auth2.c) = 831139b9cdbd9b4d3429ea1aba176daf78be3405 | |
15 | SHA1 (patch-channels.c) = 88af4136f13f93d73c70caacea0a2ded0601d1cf | 15 | SHA1 (patch-channels.c) = 9ad160fd1c2c7fabbea3d49dacb36036d13adfaa | |
16 | SHA1 (patch-clientloop.c) = 499f34ce4e067f1da8aca257cfa7dd820efa3504 | 16 | SHA1 (patch-clientloop.c) = 11d44815ec39030ae20cb75727acff8c8e91144e | |
17 | SHA1 (patch-compat.c) = 9248aace83134287c1f0b78f2b3b61ad5545f5e2 | 17 | SHA1 (patch-config.h.in) = 5df3b952565c054f39110b66012005087bba7219 | |
18 | SHA1 (patch-config.h.in) = 9799f48f204aa213318914f1d6c45e83a8af942f | 18 | SHA1 (patch-configure.ac) = 8df3e2793a9bbd9179c69286f5cfea763bac3eea | |
19 | SHA1 (patch-configure) = 3015dda57a5626667cf5c15c7c7be25f8844cfc6 | 19 | SHA1 (patch-defines.h) = ecb225b4319347d0bcc6a271c81b7042f4c18b02 | |
20 | SHA1 (patch-configure.ac) = 996a3bcf133a0832b9d7fa35cc0983562d9fa60a | 20 | SHA1 (patch-includes.h) = f3d502dc30e680889ed1c7cf4fa6ad8282e6cd4d | |
21 | SHA1 (patch-defines.h) = 4f4f4c8dc54aa86275192edf230b36737b1c0cf6 | |||
22 | SHA1 (patch-includes.h) = 0a899d3b38ef3de7f5b08fec022696b4e998b54e | |||
23 | SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce | 21 | SHA1 (patch-loginrec.c) = 111530a4895c8f88c464c7495cee0dba1952d9ce | |
24 | SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695 | 22 | SHA1 (patch-openbsd-compat_bsd-openpty.c) = a1318cf691f0ad844a8761a77e3bb32a9e20c695 | |
25 | SHA1 (patch-openbsd-compat_openbsd-compat.h) = 1cafbe8f226c16443d2cfd003166923f33352eb0 | 23 | SHA1 (patch-openbsd-compat_openbsd-compat.h) = da33ee063f0a45c3a5f165ee5ae96c3168890ef9 | |
26 | SHA1 (patch-openbsd-compat_port-tun.c) = 8288e2b9336ea1fcc1129d8a2ab5e55816b2ccbf | 24 | SHA1 (patch-openbsd-compat_port-tun.c) = 5a8c8a7d2381a4b9530593754afe0ae0dbe2c8f5 | |
27 | SHA1 (patch-platform.c) = c2f85f494f0a38ed9fea93c46c98b20d865610a0 | 25 | SHA1 (patch-platform.c) = 92d563030a6c7f8b1924b988e9a2565edfd8c3d6 | |
28 | SHA1 (patch-scp.c) = 97e33843cc1b93babb6c45225c07ac74555e6d54 | 26 | SHA1 (patch-scp.c) = 0f11569d52ff813f42dd41fe315beab2af650dd0 | |
29 | SHA1 (patch-session.c) = 55e84175c7294816107c970f002401d1766f7095 | 27 | SHA1 (patch-session.c) = 4e07cc45bc020d720f32788d7344d0213891969e | |
30 | SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd | 28 | SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd | |
31 | SHA1 (patch-ssh.c) = 8965e0458aabc137fa3b5e53c6573c0f0fba8280 | 29 | SHA1 (patch-ssh.c) = 25645adeaa67e04a98b75d04d1f016704aa84bca | |
32 | SHA1 (patch-sshconnect.c) = 7bee56ee50ec26913999296eefa93c0be63a9e75 | 30 | SHA1 (patch-sshd.8) = 50154729a94aeaef17213d92979967b12d9c4e15 | |
33 | SHA1 (patch-sshd.c) = 43b3e4383142303a5d1158f08baee4a27f2f7b13 | 31 | SHA1 (patch-sshd.c) = f84fd4b4d299f75792f31d8967a1f9f6273ff06b | |
34 | SHA1 (patch-sshpty.c) = 9f08f899919d05567998087a060b90800c2c7b11 | 32 | SHA1 (patch-sshpty.c) = f87451e49e39fe137c8876fae52110dc2569958a | |
35 | SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd | 33 | SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd |
@@ -1,32 +1,32 @@ | @@ -1,32 +1,32 @@ | |||
1 | # $NetBSD: options.mk,v 1.29 2014/03/29 10:30:15 taca Exp $ | 1 | # $NetBSD: options.mk,v 1.29.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | .include "../../mk/bsd.prefs.mk" | 3 | .include "../../mk/bsd.prefs.mk" | |
4 | 4 | |||
5 | PKG_OPTIONS_VAR= PKG_OPTIONS.openssh | 5 | PKG_OPTIONS_VAR= PKG_OPTIONS.openssh | |
6 | PKG_SUPPORTED_OPTIONS= kerberos hpn-patch pam | 6 | PKG_SUPPORTED_OPTIONS= kerberos hpn-patch pam | |
7 | 7 | |||
8 | .include "../../mk/bsd.options.mk" | 8 | .include "../../mk/bsd.options.mk" | |
9 | 9 | |||
10 | .if !empty(PKG_OPTIONS:Mkerberos) | 10 | .if !empty(PKG_OPTIONS:Mkerberos) | |
11 | . include "../../mk/krb5.buildlink3.mk" | 11 | . include "../../mk/krb5.buildlink3.mk" | |
12 | CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q} | 12 | CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q} | |
13 | . if ${KRB5_TYPE} == "mit-krb5" | 13 | . if ${KRB5_TYPE} == "mit-krb5" | |
14 | CONFIGURE_ENV+= ac_cv_search_k_hasafs=no | 14 | CONFIGURE_ENV+= ac_cv_search_k_hasafs=no | |
15 | . endif | 15 | . endif | |
16 | .endif | 16 | .endif | |
17 | 17 | |||
18 | .if !empty(PKG_OPTIONS:Mhpn-patch) | 18 | .if !empty(PKG_OPTIONS:Mhpn-patch) | |
19 | PATCHFILES= openssh-6.6p1-hpnssh14v4.diff.gz | 19 | PATCHFILES= openssh-6.9p1-hpn-20150709.diff.gz | |
20 | PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/ | 20 | PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/ | |
21 | PATCH_DIST_STRIP= -p1 | 21 | PATCH_DIST_STRIP= -p1 | |
22 | .endif | 22 | .endif | |
23 | 23 | |||
24 | PLIST_VARS+= pam | 24 | PLIST_VARS+= pam | |
25 | 25 | |||
26 | .if !empty(PKG_OPTIONS:Mpam) | 26 | .if !empty(PKG_OPTIONS:Mpam) | |
27 | .include "../../mk/pam.buildlink3.mk" | 27 | .include "../../mk/pam.buildlink3.mk" | |
28 | CONFIGURE_ARGS+= --with-pam | 28 | CONFIGURE_ARGS+= --with-pam | |
29 | MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam | 29 | MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam | |
30 | MESSAGE_SUBST+= EGDIR=${EGDIR} | 30 | MESSAGE_SUBST+= EGDIR=${EGDIR} | |
31 | .if ${OPSYS} == "Linux" | 31 | .if ${OPSYS} == "Linux" | |
32 | PLIST.pam= yes | 32 | PLIST.pam= yes |
@@ -1,27 +1,27 @@ | @@ -1,27 +1,27 @@ | |||
1 | $NetBSD: patch-Makefile.in,v 1.3 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-Makefile.in,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | Removed install-sysconf as we handle that phase through post-install | 3 | Removed install-sysconf as we handle that phase through post-install | |
4 | 4 | |||
5 | --- Makefile.in.orig 2014-02-04 00:12:56.000000000 +0000 | 5 | --- Makefile.in.orig 2015-07-01 02:35:31.000000000 +0000 | |
6 | +++ Makefile.in | 6 | +++ Makefile.in | |
7 | @@ -2,5 +2,5 @@ | 7 | @@ -2,5 +2,5 @@ | |
8 | 8 | |||
9 | # uncomment if you run a non bourne compatable shell. Ie. csh | 9 | # uncomment if you run a non bourne compatable shell. Ie. csh | |
10 | -#SHELL = @SH@ | 10 | -#SHELL = @SH@ | |
11 | +SHELL = @SH@ | 11 | +SHELL = @SH@ | |
12 | 12 | |||
13 | AUTORECONF=autoreconf | 13 | AUTORECONF=autoreconf | |
14 | @@ -23,5 +23,5 @@ DESTDIR= | 14 | @@ -23,5 +23,5 @@ DESTDIR= | |
15 | VPATH=@srcdir@ | 15 | VPATH=@srcdir@ | |
16 | SSH_PROGRAM=@bindir@/ssh | 16 | SSH_PROGRAM=@bindir@/ssh | |
17 | -ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | 17 | -ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | |
18 | +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | 18 | +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | |
19 | SFTP_SERVER=$(libexecdir)/sftp-server | 19 | SFTP_SERVER=$(libexecdir)/sftp-server | |
20 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | 20 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | |
21 | @@ -250,5 +250,5 @@ distprep: catman-do | 21 | @@ -288,5 +288,5 @@ distprep: catman-do | |
22 | 22 | |||
23 | install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config | 23 | install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config | |
24 | -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf | 24 | -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf | |
25 | +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | 25 | +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | |
26 | install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | 26 | install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | |
27 | 27 |
@@ -1,15 +1,15 @@ | @@ -1,15 +1,15 @@ | |||
1 | $NetBSD: patch-auth2.c,v 1.3 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-auth2.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | Replace uid 0 with ROOTUID macro | 3 | Replace uid 0 with ROOTUID macro | |
4 | 4 | |||
5 | --- auth2.c.orig 2014-02-04 00:12:57.000000000 +0000 | 5 | --- auth2.c.orig 2015-07-01 02:35:31.000000000 +0000 | |
6 | +++ auth2.c | 6 | +++ auth2.c | |
7 | @@ -301,7 +301,7 @@ userauth_finish(Authctxt *authctxt, int | 7 | @@ -302,7 +330,7 @@ userauth_finish(Authctxt *authctxt, int | |
8 | fatal("INTERNAL ERROR: authenticated and postponed"); | 8 | fatal("INTERNAL ERROR: authenticated and postponed"); | |
9 | 9 | |||
10 | /* Special handling for root */ | 10 | /* Special handling for root */ | |
11 | - if (authenticated && authctxt->pw->pw_uid == 0 && | 11 | - if (authenticated && authctxt->pw->pw_uid == 0 && | |
12 | + if (authenticated && authctxt->pw->pw_uid == ROOTUID && | 12 | + if (authenticated && authctxt->pw->pw_uid == ROOTUID && | |
13 | !auth_root_allowed(method)) { | 13 | !auth_root_allowed(method)) { | |
14 | authenticated = 0; | 14 | authenticated = 0; | |
15 | #ifdef SSH_AUDIT_EVENTS | 15 | #ifdef SSH_AUDIT_EVENTS |
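Review bot: The refreshed hunk header `@@ -302,7 +330,7 @@` has unequal old and new start lines for the only hunk in this patch, which means the diff was taken against a working copy that already carried another 28-line change ahead of `userauth_finish` — presumably the optional hpn patch. It still applies with an offset when that option is off, but pkgsrc patches are expected to be generated against the pristine source, so regenerating it with equal start lines avoids fuzz and offset warnings at patch time. The same check is worth running on the other refreshed patch files in this commit.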
@@ -1,26 +1,37 @@ | @@ -1,26 +1,37 @@ | |||
1 | $NetBSD: patch-config.h.in,v 1.3 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-config.h.in,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | Added Interix and define new path to if_tun.h | 3 | * Added Interix and define new path to if_tun.h. | |
4 | * Revive tcp_wrappers support. | |||
4 | 5 | |||
5 | --- config.h.in.orig 2014-03-13 02:18:56.000000000 +0000 | 6 | --- config.h.in.orig 2015-07-01 02:41:59.000000000 +0000 | |
6 | +++ config.h.in | 7 | +++ config.h.in | |
7 | @@ -636,6 +636,9 @@ | 8 | @@ -640,6 +640,9 @@ | |
8 | /* define if you have int64_t data type */ | 9 | /* define if you have int64_t data type */ | |
9 | #undef HAVE_INT64_T | 10 | #undef HAVE_INT64_T | |
10 | 11 | |||
11 | +/* Define if you are on Interix */ | 12 | +/* Define if you are on Interix */ | |
12 | +#undef HAVE_INTERIX | 13 | +#undef HAVE_INTERIX | |
13 | + | 14 | + | |
14 | /* Define to 1 if the system has the type `intmax_t'. */ | 15 | /* Define to 1 if the system has the type `intmax_t'. */ | |
15 | #undef HAVE_INTMAX_T | 16 | #undef HAVE_INTMAX_T | |
16 | 17 | |||
17 | @@ -792,6 +795,9 @@ | 18 | @@ -799,6 +802,9 @@ | |
18 | /* Define to 1 if you have the <net/if_tun.h> header file. */ | 19 | /* Define to 1 if you have the <net/if_tun.h> header file. */ | |
19 | #undef HAVE_NET_IF_TUN_H | 20 | #undef HAVE_NET_IF_TUN_H | |
20 | 21 | |||
21 | +/* Define to 1 if you have the <net/tun/if_tun.h> header file. */ | 22 | +/* Define to 1 if you have the <net/tun/if_tun.h> header file. */ | |
22 | +#undef HAVE_NET_TUN_IF_TUN_H | 23 | +#undef HAVE_NET_TUN_IF_TUN_H | |
23 | + | 24 | + | |
24 | /* Define if you are on NeXT */ | 25 | /* Define if you are on NeXT */ | |
25 | #undef HAVE_NEXT | 26 | #undef HAVE_NEXT | |
26 | 27 | |||
28 | @@ -1394,6 +1400,9 @@ | |||
29 | /* Define if pututxline updates lastlog too */ | |||
30 | #undef LASTLOG_WRITE_PUTUTXLINE | |||
31 | ||||
32 | +/* Define if you want TCP Wrappers support */ | |||
33 | +#undef LIBWRAP | |||
34 | + | |||
35 | /* Define to whatever link() returns for "not supported" if it doesn't return | |||
36 | EOPNOTSUPP. */ | |||
37 | #undef LINK_OPNOTSUPP_ERRNO |
@@ -1,69 +1,141 @@ | @@ -1,69 +1,141 @@ | |||
1 | $NetBSD: patch-configure.ac,v 1.3 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-configure.ac,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | Various fixes regarding portability | 3 | * Various fixes regarding portability | |
4 | * Revive tcp_wrappers support. | |||
4 | 5 | |||
5 | --- configure.ac.orig 2014-02-21 17:09:34.000000000 +0000 | 6 | --- configure.ac.orig 2015-07-01 02:35:31.000000000 +0000 | |
6 | +++ configure.ac | 7 | +++ configure.ac | |
7 | @@ -275,6 +275,9 @@ AC_ARG_WITH([rpath], | 8 | @@ -316,6 +316,9 @@ AC_ARG_WITH([rpath], | |
8 | ] | 9 | ] | |
9 | ) | 10 | ) | |
10 | 11 | |||
11 | +# pkgsrc handles any rpath settings this package needs | 12 | +# pkgsrc handles any rpath settings this package needs | |
12 | +need_dash_r= | 13 | +need_dash_r= | |
13 | + | 14 | + | |
14 | # Allow user to specify flags | 15 | # Allow user to specify flags | |
15 | AC_ARG_WITH([cflags], | 16 | AC_ARG_WITH([cflags], | |
16 | [ --with-cflags Specify additional flags to pass to compiler], | 17 | [ --with-cflags Specify additional flags to pass to compiler], | |
17 | @@ -346,6 +349,7 @@ AC_CHECK_HEADERS([ \ | 18 | @@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \ | |
18 | maillock.h \ | 19 | maillock.h \ | |
19 | ndir.h \ | 20 | ndir.h \ | |
20 | net/if_tun.h \ | 21 | net/if_tun.h \ | |
21 | + net/tun/if_tun.h \ | 22 | + net/tun/if_tun.h \ | |
22 | netdb.h \ | 23 | netdb.h \ | |
23 | netgroup.h \ | 24 | netgroup.h \ | |
24 | pam/pam_appl.h \ | 25 | pam/pam_appl.h \ | |
25 | @@ -655,6 +659,15 @@ main() { if (NSVersionOfRunTimeLibrary(" | 26 | @@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary(" | |
26 | ;; | 27 | ;; | |
27 | esac | 28 | esac | |
28 | ;; | 29 | ;; | |
29 | +*-*-interix*) | 30 | +*-*-interix*) | |
30 | + AC_DEFINE(HAVE_INTERIX) | 31 | + AC_DEFINE(HAVE_INTERIX) | |
31 | + AC_DEFINE(DISABLE_FD_PASSING) | 32 | + AC_DEFINE(DISABLE_FD_PASSING) | |
32 | + AC_DEFINE(DISABLE_SHADOW) | 33 | + AC_DEFINE(DISABLE_SHADOW) | |
33 | + AC_DEFINE(IP_TOS_IS_BROKEN) | 34 | + AC_DEFINE(IP_TOS_IS_BROKEN) | |
34 | + AC_DEFINE(MISSING_HOWMANY) | 35 | + AC_DEFINE(MISSING_HOWMANY) | |
35 | + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) | 36 | + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) | |
36 | + AC_DEFINE(USE_PIPES) | 37 | + AC_DEFINE(USE_PIPES) | |
37 | + ;; | 38 | + ;; | |
38 | *-*-irix5*) | 39 | *-*-irix5*) | |
39 | PATH="$PATH:/usr/etc" | 40 | PATH="$PATH:/usr/etc" | |
40 | AC_DEFINE([BROKEN_INET_NTOA], [1], | 41 | AC_DEFINE([BROKEN_INET_NTOA], [1], | |
41 | @@ -4731,9 +4744,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | 42 | @@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey], | |
43 | ] | |||
44 | ) | |||
45 | ||||
46 | +# Check whether user wants TCP wrappers support | |||
47 | +TCPW_MSG="no" | |||
48 | +AC_ARG_WITH([tcp-wrappers], | |||
49 | + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | |||
50 | + [ | |||
51 | + if test "x$withval" != "xno" ; then | |||
52 | + saved_LIBS="$LIBS" | |||
53 | + saved_LDFLAGS="$LDFLAGS" | |||
54 | + saved_CPPFLAGS="$CPPFLAGS" | |||
55 | + if test -n "${withval}" && \ | |||
56 | + test "x${withval}" != "xyes"; then | |||
57 | + if test -d "${withval}/lib"; then | |||
58 | + if test -n "${need_dash_r}"; then | |||
59 | + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | |||
60 | + else | |||
61 | + LDFLAGS="-L${withval}/lib ${LDFLAGS}" | |||
62 | + fi | |||
63 | + else | |||
64 | + if test -n "${need_dash_r}"; then | |||
65 | + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" | |||
66 | + else | |||
67 | + LDFLAGS="-L${withval} ${LDFLAGS}" | |||
68 | + fi | |||
69 | + fi | |||
70 | + if test -d "${withval}/include"; then | |||
71 | + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" | |||
72 | + else | |||
73 | + CPPFLAGS="-I${withval} ${CPPFLAGS}" | |||
74 | + fi | |||
75 | + fi | |||
76 | + LIBS="-lwrap $LIBS" | |||
77 | + AC_MSG_CHECKING([for libwrap]) | |||
78 | + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | |||
79 | +#include <sys/types.h> | |||
80 | +#include <sys/socket.h> | |||
81 | +#include <netinet/in.h> | |||
82 | +#include <tcpd.h> | |||
83 | +int deny_severity = 0, allow_severity = 0; | |||
84 | + ]], [[ | |||
85 | + hosts_access(0); | |||
86 | + ]])], [ | |||
87 | + AC_MSG_RESULT([yes]) | |||
88 | + AC_DEFINE([LIBWRAP], [1], | |||
89 | + [Define if you want | |||
90 | + TCP Wrappers support]) | |||
91 | + SSHDLIBS="$SSHDLIBS -lwrap" | |||
92 | + TCPW_MSG="yes" | |||
93 | + ], [ | |||
94 | + AC_MSG_ERROR([*** libwrap missing]) | |||
95 | + | |||
96 | + ]) | |||
97 | + LIBS="$saved_LIBS" | |||
98 | + fi | |||
99 | + ] | |||
100 | +) | |||
101 | + | |||
102 | # Check whether user wants to use ldns | |||
103 | LDNS_MSG="no" | |||
104 | AC_ARG_WITH(ldns, | |||
105 | @@ -4791,9 +4860,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | |||
42 | ]) | 106 | ]) | |
43 | if test -z "$conf_wtmpx_location"; then | 107 | if test -z "$conf_wtmpx_location"; then | |
44 | if test x"$system_wtmpx_path" = x"no" ; then | 108 | if test x"$system_wtmpx_path" = x"no" ; then | |
45 | - AC_DEFINE([DISABLE_WTMPX]) | 109 | - AC_DEFINE([DISABLE_WTMPX]) | |
46 | + for f in /var/log/wtmpx; do | 110 | + for f in /var/log/wtmpx; do | |
47 | + if test -f $f ; then | 111 | + if test -f $f ; then | |
48 | + conf_wtmpx_location=$f | 112 | + conf_wtmpx_location=$f | |
49 | + fi | 113 | + fi | |
50 | + done | 114 | + done | |
51 | + if test -z "$conf_wtmpx_location"; then | 115 | + if test -z "$conf_wtmpx_location"; then | |
52 | + AC_DEFINE(DISABLE_WTMPX) | 116 | + AC_DEFINE(DISABLE_WTMPX) | |
53 | + fi | 117 | + fi | |
54 | fi | 118 | fi | |
55 | -else | 119 | -else | |
56 | +fi | 120 | +fi | |
57 | +if test -n "$conf_wtmpx_location"; then | 121 | +if test -n "$conf_wtmpx_location"; then | |
58 | AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"], | 122 | AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"], | |
59 | [Define if you want to specify the path to your wtmpx file]) | 123 | [Define if you want to specify the path to your wtmpx file]) | |
60 | fi | 124 | fi | |
61 | @@ -4820,7 +4841,7 @@ echo "OpenSSH has been configured with t | 125 | @@ -4880,7 +4957,7 @@ echo "OpenSSH has been configured with t | |
62 | echo " User binaries: $B" | 126 | echo " User binaries: $B" | |
63 | echo " System binaries: $C" | 127 | echo " System binaries: $C" | |
64 | echo " Configuration files: $D" | 128 | echo " Configuration files: $D" | |
65 | -echo " Askpass program: $E" | 129 | -echo " Askpass program: $E" | |
66 | +echo " Askpass program: ${ASKPASS_PROGRAM}" | 130 | +echo " Askpass program: ${ASKPASS_PROGRAM}" | |
67 | echo " Manual pages: $F" | 131 | echo " Manual pages: $F" | |
68 | echo " PID file: $G" | 132 | echo " PID file: $G" | |
69 | echo " Privilege separation chroot path: $H" | 133 | echo " Privilege separation chroot path: $H" | |
134 | @@ -4904,6 +4981,7 @@ echo " KerberosV support | |||
135 | echo " SELinux support: $SELINUX_MSG" | |||
136 | echo " Smartcard support: $SCARD_MSG" | |||
137 | echo " S/KEY support: $SKEY_MSG" | |||
138 | +echo " TCP Wrappers support: $TCPW_MSG" | |||
139 | echo " MD5 password support: $MD5_MSG" | |||
140 | echo " libedit support: $LIBEDIT_MSG" | |||
141 | echo " Solaris process contract support: $SPC_MSG" |
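Review bot: In the revived `--with-tcp-wrappers` block, `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned but never read: after the link test only `LIBS="$saved_LIBS"` is restored, so the `-L`/`-R`/`-I` additions remain in effect for the rest of configure and the build. If that is intended (sshd needs the header and library path), drop the two dead assignments; if not, restore them alongside `LIBS`. Separately, aborting with `AC_MSG_ERROR([*** libwrap missing])` when the option was explicitly requested is the right fail-closed behaviour — the build cannot silently produce an sshd that ignores the hosts.allow/hosts.deny policy the administrator expects — and should be kept as is.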
@@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
1 | $NetBSD: patch-platform.c,v 1.3 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-platform.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | Interix support | 3 | Interix support | |
4 | 4 | |||
5 | --- platform.c.orig 2014-01-21 01:59:29.000000000 +0000 | 5 | --- platform.c.orig 2015-07-01 02:35:31.000000000 +0000 | |
6 | +++ platform.c | 6 | +++ platform.c | |
7 | @@ -89,7 +89,9 @@ platform_privileged_uidswap(void) | 7 | @@ -90,7 +90,9 @@ platform_privileged_uidswap(void) | |
8 | /* uid 0 is not special on Cygwin so always try */ | 8 | /* uid 0 is not special on Cygwin so always try */ | |
9 | return 1; | 9 | return 1; | |
10 | #else | 10 | #else | |
11 | +#if !defined(HAVE_INTERIX) | 11 | +#if !defined(HAVE_INTERIX) | |
12 | return (getuid() == 0 || geteuid() == 0); | 12 | return (getuid() == 0 || geteuid() == 0); | |
13 | +#endif /* !HAVE_INTERIX */ | 13 | +#endif /* !HAVE_INTERIX */ | |
14 | #endif | 14 | #endif | |
15 | } | 15 | } | |
16 | 16 |
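Review bot: With `HAVE_INTERIX` defined, `platform_privileged_uidswap` has no `return` on the non-Cygwin path: the patch wraps the only `return` in `#if !defined(HAVE_INTERIX)`, so control runs off the end of a value-returning function (the Cygwin branch returns `1`), which is undefined behaviour in C11 and leaves the caller's decision about whether to attempt uid swaps to whatever happens to be in the return register. The guard should supply an explicit result, e.g. `#else` / `return 0; /* Interix: uid swapping not attempted */` / `#endif /* !HAVE_INTERIX */`, with the value chosen to match what the Interix port actually supports. This predates the pullup (both sides of the file show it) but is in the code under review.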
@@ -1,66 +1,66 @@ | @@ -1,66 +1,66 @@ | |||
1 | $NetBSD: patch-session.c,v 1.3 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-session.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | Interix support | 3 | Interix support | |
4 | 4 | |||
5 | --- session.c.orig 2014-03-03 22:35:17.000000000 +0000 | 5 | --- session.c.orig 2015-07-01 02:35:31.000000000 +0000 | |
6 | +++ session.c | 6 | +++ session.c | |
7 | @@ -1109,7 +1109,7 @@ read_etc_default_login(char ***env, u_in | 7 | @@ -1093,7 +1093,7 @@ read_etc_default_login(char ***env, u_in | |
8 | if (tmpenv == NULL) | 8 | if (tmpenv == NULL) | |
9 | return; | 9 | return; | |
10 | 10 | |||
11 | - if (uid == 0) | 11 | - if (uid == 0) | |
12 | + if (uid == ROOTUID) | 12 | + if (uid == ROOTUID) | |
13 | var = child_get_env(tmpenv, "SUPATH"); | 13 | var = child_get_env(tmpenv, "SUPATH"); | |
14 | else | 14 | else | |
15 | var = child_get_env(tmpenv, "PATH"); | 15 | var = child_get_env(tmpenv, "PATH"); | |
16 | @@ -1218,7 +1218,7 @@ do_setup_env(Session *s, const char *she | 16 | @@ -1202,7 +1202,7 @@ do_setup_env(Session *s, const char *she | |
17 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ | 17 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ | |
18 | if (path == NULL || *path == '\0') { | 18 | if (path == NULL || *path == '\0') { | |
19 | child_set_env(&env, &envsize, "PATH", | 19 | child_set_env(&env, &envsize, "PATH", | |
20 | - s->pw->pw_uid == 0 ? | 20 | - s->pw->pw_uid == 0 ? | |
21 | + s->pw->pw_uid == ROOTUID ? | 21 | + s->pw->pw_uid == ROOTUID ? | |
22 | SUPERUSER_PATH : _PATH_STDPATH); | 22 | SUPERUSER_PATH : _PATH_STDPATH); | |
23 | } | 23 | } | |
24 | # endif /* HAVE_CYGWIN */ | 24 | # endif /* HAVE_CYGWIN */ | |
25 | @@ -1332,6 +1332,18 @@ do_setup_env(Session *s, const char *she | 25 | @@ -1316,6 +1316,18 @@ do_setup_env(Session *s, const char *she | |
26 | strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); | 26 | strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); | |
27 | read_environment_file(&env, &envsize, buf); | 27 | read_environment_file(&env, &envsize, buf); | |
28 | } | 28 | } | |
29 | + | 29 | + | |
30 | +#ifdef HAVE_INTERIX | 30 | +#ifdef HAVE_INTERIX | |
31 | + { | 31 | + { | |
32 | + /* copy standard Windows environment, then apply changes */ | 32 | + /* copy standard Windows environment, then apply changes */ | |
33 | + env_t *winenv = env_login(pw); | 33 | + env_t *winenv = env_login(pw); | |
34 | + env_putarray(winenv, env, ENV_OVERRIDE); | 34 | + env_putarray(winenv, env, ENV_OVERRIDE); | |
35 | + | 35 | + | |
36 | + /* swap over to altered environment as a traditional array */ | 36 | + /* swap over to altered environment as a traditional array */ | |
37 | + env = env_array(winenv); | 37 | + env = env_array(winenv); | |
38 | + } | 38 | + } | |
39 | +#endif | 39 | +#endif | |
40 | + | 40 | + | |
41 | if (debug_flag) { | 41 | if (debug_flag) { | |
42 | /* dump the environment */ | 42 | /* dump the environment */ | |
43 | fprintf(stderr, "Environment:\n"); | 43 | fprintf(stderr, "Environment:\n"); | |
44 | @@ -1522,11 +1534,13 @@ do_setusercontext(struct passwd *pw) | 44 | @@ -1510,11 +1522,13 @@ do_setusercontext(struct passwd *pw) | |
45 | perror("setgid"); | 45 | perror("setgid"); | |
46 | exit(1); | 46 | exit(1); | |
47 | } | 47 | } | |
48 | +# if !defined(HAVE_INTERIX) | 48 | +# if !defined(HAVE_INTERIX) | |
49 | /* Initialize the group list. */ | 49 | /* Initialize the group list. */ | |
50 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) { | 50 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) { | |
51 | perror("initgroups"); | 51 | perror("initgroups"); | |
52 | exit(1); | 52 | exit(1); | |
53 | } | 53 | } | |
54 | +# endif /* !HAVE_INTERIX */ | 54 | +# endif /* !HAVE_INTERIX */ | |
55 | endgrent(); | 55 | endgrent(); | |
56 | #endif | 56 | #endif | |
57 | 57 | |||
58 | @@ -2358,7 +2372,7 @@ session_pty_cleanup2(Session *s) | 58 | @@ -2356,7 +2370,7 @@ session_pty_cleanup2(Session *s) | |
59 | record_logout(s->pid, s->tty, s->pw->pw_name); | 59 | record_logout(s->pid, s->tty, s->pw->pw_name); | |
60 | 60 | |||
61 | /* Release the pseudo-tty. */ | 61 | /* Release the pseudo-tty. */ | |
62 | - if (getuid() == 0) | 62 | - if (getuid() == 0) | |
63 | + if (getuid() == ROOTUID) | 63 | + if (getuid() == ROOTUID) | |
64 | pty_release(s->tty); | 64 | pty_release(s->tty); | |
65 | 65 | |||
66 | /* | 66 | /* |
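Review bot: The Interix branch in `do_setusercontext` skips `initgroups()` but keeps `endgrent()`, and nothing records why; on that platform the user session therefore keeps whatever supplementary group list the parent sshd process had rather than the user's, which is worth a comment confirming it is harmless there, e.g. `/* Interix: initgroups() skipped because <REASON-PLACEHOLDER> */` filled in by whoever knows the platform. In `do_setup_env` the Interix block reassigns `env = env_array(winenv);` without releasing the array previously built into `env`; if `env_putarray()` copies rather than adopts it, the old allocation leaks once per session — confirm against the Interix `env_*` API. Both blocks predate this pullup.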
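--- a/security/openssh/patches/patch-ssh.c
+++ b/security/openssh/patches/patch-ssh.c
@@ -1,15 +1,15 @@
-$NetBSD: patch-ssh.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-ssh.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
 
 Interix support
 
---- ssh.c.orig 2014-02-26 23:17:13.000000000 +0000
+--- ssh.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ ssh.c
-@@ -943,7 +943,7 @@ main(int ac, char **av)
-strcmp(options.proxy_command, "-") == 0 &&
-options.proxy_use_fdpass)
-fatal("ProxyCommand=- and ProxyUseFDPass are incompatible");
+@@ -1083,7 +1083,7 @@ main(int ac, char **av)
+"disabling");
+options.update_hostkeys = 0;
+}
 -#ifndef HAVE_CYGWIN
 +#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
 if (original_effective_uid != 0)
 options.use_privileged_port = 0;
 #endif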
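Review bot: The `#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)` guard at new line 12 appears to invert the upstream `#ifndef HAVE_CYGWIN` it replaces: upstream skips the non-root UsePrivilegedPort downgrade only on Cygwin, whereas this form applies the downgrade only on Cygwin and Interix and drops it everywhere else, including the default NetBSD build. If the intent was to exclude Interix the same way Cygwin is excluded, the guard should read `#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)`, the form patch-auth1.c already uses. The comparison on the next line also still tests `original_effective_uid != 0` rather than the ROOTUID macro the other patches introduce. This is inherited from the previous revision rather than new here, and the rest of main() is outside the hunk, so the runtime effect cannot be confirmed from this view.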
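--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,84 +1,125 @@
-$NetBSD: patch-sshd.c,v 1.3 2014/03/29 09:38:11 taca Exp $
+$NetBSD: patch-sshd.c,v 1.3.12.1 2015/07/14 22:03:39 tron Exp $
 
-Interix support
+* Interix support
+* Revive tcp_wrappers support.
 
---- sshd.c.orig 2014-02-26 23:20:08.000000000 +0000
+--- sshd.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ sshd.c
-@@ -243,7 +243,11 @@ int *startup_pipes = NULL;
+@@ -125,6 +125,13 @@
+#include "version.h"
+#include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+#ifndef O_NOCTTY
+#define O_NOCTTY 0
+#endif
+@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
 int startup_pipe; /* in child */
 
 /* variables used for privilege separation */
 +#ifdef HAVE_INTERIX
 int use_privsep = -1;
 +#else
 +int use_privsep = 0;
 +#endif
 struct monitor *pmonitor = NULL;
 int privsep_is_preauth = 1;
 
-@@ -646,10 +650,15 @@ privsep_preauth_child(void)
+@@ -643,10 +654,15 @@ privsep_preauth_child(void)
 /* XXX not ready, too heavy after chroot */
 do_setusercontext(privsep_pw);
 #else
 +#ifdef HAVE_INTERIX
 + if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
 + fatal("setuser: %.100s", strerror(errno));
 +#else
 gidset[0] = privsep_pw->pw_gid;
 if (setgroups(1, gidset) < 0)
 fatal("setgroups: %.100s", strerror(errno));
 permanently_set_uid(privsep_pw);
 +#endif /* HAVE_INTERIX */
 #endif
 }
 
-@@ -711,7 +720,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -714,7 +730,7 @@ privsep_preauth(Authctxt *authctxt)
 set_log_handler(mm_log_handler, pmonitor);
 
 /* Demote the child */
 - if (getuid() == 0 || geteuid() == 0)
 + if (getuid() == ROOTUID || geteuid() == ROOTUID)
 privsep_preauth_child();
 setproctitle("%s", "[net]");
 if (box != NULL)
-@@ -729,7 +738,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -732,7 +748,7 @@ privsep_postauth(Authctxt *authctxt)
 #ifdef DISABLE_FD_PASSING
 if (1) {
 #else
 - if (authctxt->pw->pw_uid == 0 || options.use_login) {
 + if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
 #endif
 /* File descriptor passing is broken or root login */
 use_privsep = 0;
-@@ -1413,8 +1422,10 @@ main(int ac, char **av)
+@@ -1485,8 +1501,10 @@ main(int ac, char **av)
 av = saved_argv;
 #endif
 
 - if (geteuid() == 0 && setgroups(0, NULL) == -1)
 +#ifndef HAVE_INTERIX
 + if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
 debug("setgroups(): %.200s", strerror(errno));
 +#endif
 
 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 sanitise_stdfd();
-@@ -1815,7 +1826,7 @@ main(int ac, char **av)
+@@ -1915,7 +1933,7 @@ main(int ac, char **av)
 (st.st_uid != getuid () ||
 (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
 #else
 - if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
 + if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
 #endif
 fatal("%s must be owned by root and not group or "
 "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1838,8 +1849,10 @@ main(int ac, char **av)
+@@ -1938,8 +1956,10 @@ main(int ac, char **av)
 * to create a file, and we can't control the code in every
 * module which might be used).
 */
 +#ifndef HAVE_INTERIX
 if (setgroups(0, NULL) < 0)
 debug("setgroups() failed: %.200s", strerror(errno));
 +#endif
 
 if (rexec_flag) {
 rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
+@@ -2135,6 +2155,25 @@ main(int ac, char **av)
+audit_connection_from(remote_ip, remote_port);
+#endif
+
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (packet_connection_is_on_socket()) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+/* Log the connection. */
+laddr = get_local_ipaddr(sock_in);
+verbose("Connection from %s port %d on %s port %d",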
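Review bot: In the LIBWRAP block added at new lines 105-106, `allow_severity = options.log_facility|LOG_INFO` ORs OpenSSH's internal SyslogFacility enum value into the severity, and that enum does not appear to be a syslog(3) LOG_* facility code, so the tcp_wrappers allow/deny messages likely do not land on the facility configured by SyslogFacility but on the process default. If that is confirmed, mapping the enum to the real facility (or at minimum `allow_severity = LOG_AUTH|LOG_INFO; deny_severity = LOG_AUTH|LOG_WARNING;`) keeps the wrapper's refusal on the same facility as sshd's own authentication logging, which is what most log-based detection rules watch. Separately, hosts_access() runs before the `verbose("Connection from ...")` line at new line 125, so a refused connection is never recorded by sshd itself, only by libwrap's refuse(); a comment such as `/* refused connections are logged only by libwrap at deny_severity */` next to the `debug("Connection refused by tcp wrapper")` line would make that visible to operators. The enclosing main() continues outside the hunk.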
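--- a/security/openssh/patches/patch-auth-passwd.c
+++ b/security/openssh/patches/patch-auth-passwd.c
@@ -1,28 +1,28 @@
-$NetBSD: patch-auth-passwd.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth-passwd.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth-passwd.c.orig 2012-04-25 23:51:28.000000000 +0000
+--- auth-passwd.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ auth-passwd.c
-@@ -87,7 +87,7 @@ auth_password(Authctxt *authctxt, const
+@@ -88,7 +88,7 @@ auth_password(Authctxt *authctxt, const
 #endif
 
 #ifndef HAVE_CYGWIN
 - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
 + if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
 ok = 0;
 #endif
 if (*password == '\0' && options.permit_empty_passwd == 0)
-@@ -122,7 +122,12 @@ auth_password(Authctxt *authctxt, const
+@@ -123,7 +123,12 @@ auth_password(Authctxt *authctxt, const
 authctxt->force_pwchange = 1;
 }
 #endif
 +
 +#ifdef HAVE_INTERIX
 + result = (!setuser(pw->pw_name, password, SU_CHECK));
 +#else
 result = sys_auth_passwd(authctxt, password);
 +#endif
 if (authctxt->force_pwchange)
 disable_forwarding();
 return (result && ok);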
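--- a/security/openssh/patches/patch-auth-rhosts.c
+++ b/security/openssh/patches/patch-auth-rhosts.c
@@ -1,33 +1,33 @@
-$NetBSD: patch-auth-rhosts.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-auth-rhosts.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth-rhosts.c.orig 2010-03-07 12:05:17.000000000 +0000
+--- auth-rhosts.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ auth-rhosts.c
-@@ -230,7 +230,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
-return 0;
-
-/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
-- if (pw->pw_uid != 0) {
-+ if (pw->pw_uid != ROOTUID) {
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+* If not logging in as superuser, try /etc/hosts.equiv and
+* shosts.equiv.
+*/
+- if (pw->pw_uid == 0)
++ if (pw->pw_uid == ROOTUID)
+debug3("%s: root user, ignoring system hosts files", __func__);
+else {
 if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
-client_user, pw->pw_name)) {
-auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
-@@ -256,7 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
 return 0;
 }
 if (options.strict_modes &&
 - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 + ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
 (st.st_mode & 022) != 0)) {
 logit("Rhosts authentication refused for %.100s: "
 "bad ownership or modes for home directory.", pw->pw_name);
-@@ -283,7 +283,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
 * allowing access to their account by anyone.
 */
 if (options.strict_modes &&
 - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 + ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
 (st.st_mode & 022) != 0)) {
 logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
 pw->pw_name, buf);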
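--- a/security/openssh/patches/patch-openbsd-compat_port-tun.c
+++ b/security/openssh/patches/patch-openbsd-compat_port-tun.c
@@ -1,17 +1,40 @@
-$NetBSD: patch-openbsd-compat_port-tun.c,v 1.1 2013/05/01 19:58:26 imil Exp $
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 
 if_tun.h can be found in net/tun
 
---- openbsd-compat/port-tun.c.orig 2010-08-10 02:47:42.000000000 +0000
+--- openbsd-compat/port-tun.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ openbsd-compat/port-tun.c
-@@ -110,6 +110,10 @@ sys_tun_open(int tun, int mode)
+@@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode)
 #include <sys/socket.h>
 #include <net/if.h>
 
 +#ifdef HAVE_NET_TUN_IF_TUN_H
 +#include <net/tun/if_tun.h>
 +#endif
 +
 #ifdef HAVE_NET_IF_TUN_H
 #include <net/if_tun.h>
 #endif
+@@ -120,7 +124,10 @@ sys_tun_open(int tun, int mode)
+{
+struct ifreq ifr;
+char name[100];
+- int fd = -1, sock, flag;
++ int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++ int flag;
++#endif
+const char *tunbase = "tun";
+
+if (mode == SSH_TUNMODE_ETHERNET) {
+@@ -154,9 +161,9 @@ sys_tun_open(int tun, int mode)
+return (-1);
+}
+
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+/* Turn on tunnel headers */
+flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+if (mode != SSH_TUNMODE_ETHERNET &&
+ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,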
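--- a/security/openssh/patches/patch-sshpty.c
+++ b/security/openssh/patches/patch-sshpty.c
@@ -1,24 +1,24 @@
-$NetBSD: patch-sshpty.c,v 1.1 2013/05/01 19:58:27 imil Exp $
+$NetBSD: patch-sshpty.c,v 1.1.18.1 2015/07/14 22:03:39 tron Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- sshpty.c.orig 2009-02-12 01:19:21.000000000 +0000
+--- sshpty.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ sshpty.c
 @@ -86,7 +86,7 @@ void
 pty_release(const char *tty)
 {
-#ifndef __APPLE_PRIVPTY__
+#if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
 - if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
 + if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
 error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
 if (chmod(tty, (mode_t) 0666) < 0)
 error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
-@@ -233,7 +233,7 @@ pty_setowner(struct passwd *pw, const ch
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 if (chown(tty, pw->pw_uid, gid) < 0) {
 if (errno == EROFS &&
 - (st.st_uid == pw->pw_uid || st.st_uid == 0))
 + (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
 debug("chown(%.100s, %u, %u) failed: %.100s",
 tty, (u_int)pw->pw_uid, (u_int)gid,
 strerror(errno));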
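--- a/security/openssh/patches/patch-auth.c
+++ b/security/openssh/patches/patch-auth.c
@@ -1,15 +1,27 @@
-$NetBSD: patch-auth.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-auth.c,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
 
-Replace uid 0 with ROOTUID macro
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+vs. default login class distinction is made correctly, from FrrrBSD's
+ports.
 
---- auth.c.orig 2013-06-01 21:41:51.000000000 +0000
+--- auth.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ auth.c
-@@ -407,7 +407,7 @@ check_key_in_hostfiles(struct passwd *pw
+@@ -422,7 +422,7 @@ check_key_in_hostfiles(struct passwd *pw
 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
 if (options.strict_modes &&
 (stat(user_hostfile, &st) == 0) &&
 - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
 + ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
 (st.st_mode & 022) != 0)) {
 logit("Authentication refused for %.100s: "
 "bad owner or modes for %.200s",
+@@ -651,7 +651,7 @@ getpwnamallow(const char *user)
+if (!allowed_user(pw))
+return (NULL);
+#ifdef HAVE_LOGIN_CAP
+- if ((lc = login_getclass(pw->pw_class)) == NULL) {
++ if ((lc = login_getpwclass(pw)) == NULL) {
+debug("unable to get login class: %s", user);
+return (NULL);
+}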
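Review bot: The new description line `vs. default login class distinction is made correctly, from FrrrBSD's` misspells FreeBSD; since it is the patch's own header text rather than code, a one-word fix to `from FreeBSD's ports.` is worth folding into the next update. On the code side, `login_getpwclass(pw)` at new line 24 is the login_cap(3) variant that derives the class from the passwd entry, which per the header is what makes the root-versus-default class distinction (and thus the limits and restrictions applied to a root login) come out right; that is the security-relevant reason for the change and deserves a short comment above the call, e.g. `/* login_getpwclass() applies the root class for uid 0, unlike login_getclass() */`. Whether every platform that defines HAVE_LOGIN_CAP also provides login_getpwclass() cannot be checked from the hunk, so the configure check should be confirmed. The rest of getpwnamallow() is outside the hunk.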
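--- a/security/openssh/patches/patch-auth1.c
+++ b/security/openssh/patches/patch-auth1.c
@@ -1,26 +1,26 @@
-$NetBSD: patch-auth1.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-auth1.c,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
 
 Replace uid 0 with ROOTUID macro
 
---- auth1.c.orig 2013-06-01 22:01:24.000000000 +0000
+--- auth1.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ auth1.c
-@@ -319,7 +319,7 @@ do_authloop(Authctxt *authctxt)
+@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
 
 #ifndef HAVE_CYGWIN
 /* Special handling for root */
 - if (authenticated && authctxt->pw->pw_uid == 0 &&
 + if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
 !auth_root_allowed(meth->name)) {
 authenticated = 0;
 # ifdef SSH_AUDIT_EVENTS
-@@ -420,8 +420,8 @@ do_authentication(Authctxt *authctxt)
+@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
 * If we are not running as root, the user must have the same uid as
 * the server.
 */
 -#ifndef HAVE_CYGWIN
 - if (!use_privsep && getuid() != 0 && authctxt->pw &&
 +#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
 + if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
 authctxt->pw->pw_uid != getuid())
 packet_disconnect("Cannot change user when server not running as root.");
 #endif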
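--- a/security/openssh/patches/patch-includes.h
+++ b/security/openssh/patches/patch-includes.h
@@ -1,17 +1,17 @@
-$NetBSD: patch-includes.h,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-includes.h,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
 
 Interix support
 
---- includes.h.orig 2013-03-22 01:51:09.000000000 +0000
+--- includes.h.orig 2015-07-01 02:35:31.000000000 +0000
 +++ includes.h
-@@ -126,6 +126,10 @@
+@@ -127,6 +127,10 @@
 #ifdef HAVE_READPASSPHRASE_H
 # include <readpassphrase.h>
 #endif
 +#ifdef HAVE_INTERIX
 +# include <interix/env.h>
 +# include <interix/security.h>
 +#endif
 
 #ifdef HAVE_IA_H
 # include <ia.h>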
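--- a/security/openssh/patches/patch-scp.c
+++ b/security/openssh/patches/patch-scp.c
@@ -1,39 +1,39 @@
-$NetBSD: patch-scp.c,v 1.2 2013/12/01 06:11:41 taca Exp $
+$NetBSD: patch-scp.c,v 1.2.14.1 2015/07/14 22:03:39 tron Exp $
 
 Interix support
 
---- scp.c.orig 2013-07-18 06:11:25.000000000 +0000
+--- scp.c.orig 2015-07-01 02:35:31.000000000 +0000
 +++ scp.c
-@@ -477,7 +477,11 @@ main(int argc, char **argv)
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
 argc -= optind;
 argv += optind;
 
 +#ifdef HAVE_INTERIX
 + if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
 +#else
 if ((pwd = getpwuid(userid = getuid())) == NULL)
 +#endif
 fatal("unknown user %u", (u_int) userid);
 
 if (!isatty(STDOUT_FILENO))
-@@ -881,8 +885,10 @@ rsource(char *name, struct stat *statp)
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
 return;
 }
 while ((dp = readdir(dirp)) != NULL) {
 +#ifndef HAVE_INTERIX
 if (dp->d_ino == 0)
 continue;
 +#endif
 if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
 continue;
 if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
-@@ -1292,7 +1298,9 @@ okname(char *cp0)
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
 case '\'':
 case '"':
 case '`':
 +#ifndef HAVE_INTERIX
 case ' ':
 +#endif
 case '#':
 goto bad;
 default: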
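--- a/security/openssh/patches/patch-channels.c
+++ b/security/openssh/patches/patch-channels.c
@@ -1,22 +1,22 @@
-$NetBSD: patch-channels.c,v 1.1 2015/03/19 20:23:55 tron Exp $
+$NetBSD: patch-channels.c,v 1.1.4.1 2015/07/14 22:03:39 tron Exp $
 
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
 
---- channels.c.orig 2014-02-26 23:18:33.000000000 +0000
-+++ channels.c 2015-03-19 20:16:04.000000000 +0000
-@@ -3576,15 +3576,35 @@
+--- channels.c.orig 2015-07-01 02:35:31.000000000 +0000
++++ channels.c
+@@ -4037,15 +4037,35 @@ x11_connect_display(void)
 * connection to the real X server.
 */
 
 - /* Check if the display is from launchd. */
 #ifdef __APPLE__
 - if (strncmp(display, "/tmp/launch", 11) == 0) {
 - sock = connect_local_xsocket_path(display);
 - if (sock < 0)
 - return -1;
 + /* Check if the display is a path to a socket (as set by launchd). */
 + {
 + char path[PATH_MAX];
 + struct stat sbuf;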
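--- a/security/openssh/patches/patch-clientloop.c
+++ b/security/openssh/patches/patch-clientloop.c
@@ -1,33 +1,33 @@
-$NetBSD: patch-clientloop.c,v 1.1 2015/03/19 20:23:55 tron Exp $
+$NetBSD: patch-clientloop.c,v 1.1.4.1 2015/07/14 22:03:39 tron Exp $
 
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
 
---- clientloop.c.orig 2014-02-04 00:20:15.000000000 +0000
-+++ clientloop.c 2015-03-19 20:16:04.000000000 +0000
-@@ -313,6 +313,10 @@
+--- clientloop.c.orig 2015-07-01 02:35:31.000000000 +0000
++++ clientloop.c
+@@ -314,6 +314,10 @@ client_x11_get_proto(const char *display
 struct stat st;
-u_int now;
+u_int now, x11_timeout_real;
 
 +#if __APPLE__
 + int is_path_to_socket = 0;
 +#endif /* __APPLE__ */
 +
 xauthdir = xauthfile = NULL;
 *_proto = proto;
 *_data = data;
-@@ -328,6 +332,33 @@
+@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
 debug("x11_get_proto: DISPLAY not set");
 return;
 }
 +#if __APPLE__
 + {
 + /*
 + * If using launchd socket, remove the screen number from the end
 + * of $DISPLAY. is_path_to_socket is used later in this function
 + * to determine if an error should be displayed.
 + */
 + char path[PATH_MAX];
 + struct stat sbuf;
 +
@@ -41,23 +41,23 @@ https://trac.macports.org/browser/trunk/
 + /* screen = atoi(dot + 1); */
 + if (0 == stat(path, &sbuf)) {
 + is_path_to_socket = 1;
 + debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
 + setenv("DISPLAY", path, 1);
 + }
 + }
 + }
 + }
 +#endif /* __APPLE__ */
 /*
 * Handle FamilyLocal case where $DISPLAY does
 * not match an authorization entry. For this we
-@@ -407,6 +438,9 @@
+@@ -420,6 +451,9 @@ client_x11_get_proto(const char *display
 if (!got_data) {
 u_int32_t rnd = 0;
 
 +#if __APPLE__
 + if (!is_path_to_socket)
 +#endif /* __APPLE__ */
 logit("Warning: No xauth data; "
 "using fake authentication data for X11 forwarding.");
 strlcpy(proto, SSH_X11_PROTO, sizeof proto);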
@@ -1,36 +1,36 @@ | @@ -1,36 +1,36 @@ | |||
1 | $NetBSD: patch-defines.h,v 1.2 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-defines.h,v 1.2.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | Define ROOTUID, UTMPX_FILE and WTMPX_FILE | 3 | Define ROOTUID, UTMPX_FILE and WTMPX_FILE | |
4 | 4 | |||
5 | --- defines.h.orig 2014-01-17 13:12:38.000000000 +0000 | 5 | --- defines.h.orig 2015-07-01 02:35:31.000000000 +0000 | |
6 | +++ defines.h | 6 | +++ defines.h | |
7 | @@ -30,6 +30,15 @@ | 7 | @@ -30,6 +30,15 @@ | |
8 | 8 | |||
9 | /* Constants */ | 9 | /* Constants */ | |
10 | 10 | |||
11 | +#ifdef HAVE_INTERIX | 11 | +#ifdef HAVE_INTERIX | |
12 | +/* Interix has a special concept of "administrator". */ | 12 | +/* Interix has a special concept of "administrator". */ | |
13 | +# define ROOTUID 197108 | 13 | +# define ROOTUID 197108 | |
14 | +# define ROOTGID 131616 | 14 | +# define ROOTGID 131616 | |
15 | +#else | 15 | +#else | |
16 | +# define ROOTUID 0 | 16 | +# define ROOTUID 0 | |
17 | +# define ROOTGID 0 | 17 | +# define ROOTGID 0 | |
18 | +#endif | 18 | +#endif | |
19 | + | 19 | + | |
20 | #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0 | 20 | #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0 | |
21 | enum | 21 | enum | |
22 | { | 22 | { | |
23 | @@ -708,6 +717,24 @@ struct winsize { | 23 | @@ -721,6 +730,24 @@ struct winsize { | |
24 | # endif | 24 | # endif | |
25 | # endif | 25 | # endif | |
26 | #endif | 26 | #endif | |
27 | +#ifndef UTMPX_FILE | 27 | +#ifndef UTMPX_FILE | |
28 | +# ifdef _PATH_UTMPX | 28 | +# ifdef _PATH_UTMPX | |
29 | +# define UTMPX_FILE _PATH_UTMPX | 29 | +# define UTMPX_FILE _PATH_UTMPX | |
30 | +# else | 30 | +# else | |
31 | +# ifdef CONF_UTMPX_FILE | 31 | +# ifdef CONF_UTMPX_FILE | |
32 | +# define UTMPX_FILE CONF_UTMPX_FILE | 32 | +# define UTMPX_FILE CONF_UTMPX_FILE | |
33 | +# endif | 33 | +# endif | |
34 | +# endif | 34 | +# endif | |
35 | +#endif | 35 | +#endif | |
36 | +#ifndef WTMPX_FILE | 36 | +#ifndef WTMPX_FILE |
@@ -1,17 +1,17 @@ | @@ -1,17 +1,17 @@ | |||
1 | $NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.2 2014/03/29 09:38:11 taca Exp $ | 1 | $NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.2.12.1 2015/07/14 22:03:39 tron Exp $ | |
2 | 2 | |||
3 | strtoll() declaration | 3 | strtoll() declaration | |
4 | 4 | |||
5 | --- openbsd-compat/openbsd-compat.h.orig 2014-02-04 00:18:23.000000000 +0000 | 5 | --- openbsd-compat/openbsd-compat.h.orig 2015-07-01 02:35:31.000000000 +0000 | |
6 | +++ openbsd-compat/openbsd-compat.h | 6 | +++ openbsd-compat/openbsd-compat.h | |
7 | @@ -84,6 +84,10 @@ size_t strlcat(char *dst, const char *sr | 7 | @@ -91,6 +91,10 @@ size_t strlcat(char *dst, const char *sr | |
8 | int setenv(register const char *name, register const char *value, int rewrite); | 8 | int setenv(register const char *name, register const char *value, int rewrite); | |
9 | #endif | 9 | #endif | |
10 | 10 | |||
11 | +#ifndef HAVE_STRTOLL | 11 | +#ifndef HAVE_STRTOLL | |
12 | +long long strtoll(const char *, char **, int); | 12 | +long long strtoll(const char *, char **, int); | |
13 | +#endif | 13 | +#endif | |
14 | + | 14 | + | |
15 | #ifndef HAVE_STRMODE | 15 | #ifndef HAVE_STRMODE | |
16 | void strmode(int mode, char *p); | 16 | void strmode(int mode, char *p); | |
17 | #endif | 17 | #endif |
$NetBSD: patch-sshd.8,v 1.1.2.2 2015/07/14 22:03:39 tron Exp $
* Revive tcp_wrappers support.
--- sshd.8.orig 2015-07-01 02:35:31.000000000 +0000
+++ sshd.8
@@ -853,6 +853,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -956,6 +962,7 @@ The content of this file is not sensitiv
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,