Attachment #223403 for bug #254389

View | Details | Raw Unified | Return to bug 254389
Collapse All | Expand All

Lines 2-9 Link Here

(-)security/openssh-portable/Makefile (-3 / +2 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= openssh	4	PORTNAME= openssh
5	DISTVERSION= 8.4p1	5	DISTVERSION= 8.5p1
6	PORTREVISION= 3
7	PORTEPOCH= 1	6	PORTEPOCH= 1
8	CATEGORIES= security	7	CATEGORIES= security
9	MASTER_SITES= OPENBSD/OpenSSH/portable	8	MASTER_SITES= OPENBSD/OpenSSH/portable
Lines 101-107 Link Here
101		100
102	# Must add this patch before HPN due to conflicts	101	# Must add this patch before HPN due to conflicts
103	.if ${PORT_OPTIONS:MKERB_GSSAPI}	102	.if ${PORT_OPTIONS:MKERB_GSSAPI}
104	#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.	103	BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
105	. if ${PORT_OPTIONS:MHPN} \|\| ${PORT_OPTIONS:MNONECIPHER}	104	. if ${PORT_OPTIONS:MHPN} \|\| ${PORT_OPTIONS:MNONECIPHER}
106	# Needed glue for applying HPN patch without conflict	105	# Needed glue for applying HPN patch without conflict
107	EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue	106	EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue

Lines 1-5 Link Here

(-)security/openssh-portable/distinfo (-5 / +3 lines)
1	TIMESTAMP = 1605552780	1	TIMESTAMP = 1616061001
2	SHA256 (openssh-8.4p1.tar.gz) = 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24	2	SHA256 (openssh-8.5p1.tar.gz) = f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25
3	SIZE (openssh-8.4p1.tar.gz) = 1742201	3	SIZE (openssh-8.5p1.tar.gz) = 1779733
4	SHA256 (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 15139c42894dd0ebd182608ecd7151a9eef6158aed30c676e7685e8407c6d1cb
5	SIZE (openssh-8.4p1-gsskex-all-20141021-debian-rh-20200607.patch) = 126748




+	default:
+		imlevel = SYSLOG_LEVEL_DEBUG2;
+	}
+	do_log2(imlevel, message, args);
+}
+
+void

 		options->client_alive_interval = 0;
 	if (options->client_alive_count_max == -1)
@@ -528,6 +531,7 @@ typedef enum {
 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
+	sUseBlacklist,
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -658,6 +662,8 @@ static struct {
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },

--- sshd.c.orig	2020-11-16 15:52:45.846609000 -0800
+++ sshd.c	2020-11-16 15:56:34.401305000 -0800
@@ -131,6 +131,7 @@
 #include "version.h"
 #include "ssherr.h"
 #include "sk-api.h"
 #include "srclimit.h"
+#include "blacklist_client.h"
 
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)
 		kill(0, SIGTERM);
 	}




 static void
 channel_pre_open(struct ssh *ssh, Channel *c,
     fd_set *readset, fd_set *writeset)
@@ -2158,18 +2191,29 @@ channel_check_window(struct ssh *ssh, Channel *c)
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {

+		}
+#endif
 		if (!c->have_remote_id)
 			fatal_f("channel %d: no remote id", c->self);
 			    __func__, c->self);
 		if ((r = sshpkt_start(ssh,
 		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||

-		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
 		    (r = sshpkt_send(ssh)) != 0) {
 			fatal_fr(r, "channel %i", c->self);
 			    c->self, ssh_err(r));
 		}
 		debug2("channel %d: window %d sent adjust %d", c->self,
-		    c->local_window, c->local_consumed);
-		    c->local_consumed);
-		c->local_window += c->local_consumed;
+		    c->local_window, c->local_consumed + addition);
+		c->local_window += c->local_consumed + addition;
 		c->local_consumed = 0;
 	}

 	c->datagram = 1;
--- work.clean/openssh-6.8p1/compat.c	2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/compat.c	2015-04-03 16:39:57.665699000 -0500
@@ -144,11 +144,19 @@
 
 	/* process table, return first match */
 	ssh->compat = 0;
+#ifdef HPN_ENABLED
+	/* Check to see if the remote side is OpenSSH and not HPN */
+	if (strstr(version,"OpenSSH") != NULL &&
+	    strstr(version,"hpn") == NULL) {
+		ssh->compat |= SSH_BUG_LARGEWINDOW;
+		debug("Remote is NON-HPN aware");
+	}
+#endif
 	for (i = 0; check[i].pat; i++) {
 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
 			debug_f("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, check[i].bugs);
-			ssh->compat = check[i].bugs;
+			ssh->compat |= check[i].bugs;
 			return;
 		}
 	}
--- work/openssh/compat.h.orig	2015-05-29 03:27:21.000000000 -0500

 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -304,6 +313,16 @@ static struct {
 	{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
 	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
+#ifdef NONE_CIPHER_ENABLED
+	{ "noneenabled", oNoneEnabled },
+	{ "noneswitch", oNoneSwitch },

+		debug ("Enabled Dynamic Window Scaling");
+	}
+#endif
 	debug3_f("channel_new: %d", c->self);
 
 	channel_send_open(ssh, c->self);
@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)

 /*
  * SSH2 key exchange
  */
@@ -156,11 +162,12 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
 	return ret;
 }
 

+static char *myproposal[PROPOSAL_MAX];
+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
 void
 ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
     const struct ssh_conn_info *cinfo)
 {
-	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
 	char *s, *all_key;

Lines 22-27 Link Here

(-)security/openssh-portable/files/extra-patch-hpn-compat (+1 lines)
22	{ "ignoreunknown", oIgnoreUnknown },	22	{ "ignoreunknown", oIgnoreUnknown },
23	{ "proxyjump", oProxyJump },	23	{ "proxyjump", oProxyJump },
24	{ "securitykeyprovider", oSecurityKeyProvider },	24	{ "securitykeyprovider", oSecurityKeyProvider },
		25	{ "knownhostscommand", oKnownHostsCommand },
25	+ { "hpndisabled", oDeprecated },	26	+ { "hpndisabled", oDeprecated },
26	+ { "hpnbuffersize", oDeprecated },	27	+ { "hpnbuffersize", oDeprecated },
27	+ { "tcprcvbufpoll", oDeprecated },	28	+ { "tcprcvbufpoll", oDeprecated },




--- UTC
r100838 | fanf | 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) | 7 lines
Changed paths:
   M /head/crypto/openssh/auth.c

Use login_getpwclass() instead of login_getclass() so that the root
vs. default login class distinction is made correctly.

PR:             37416

--- auth.c.orig	2010-08-12 11:33:01.000000000 -0600
+++ auth.c	2010-09-14 16:14:12.000000000 -0600
@@ -594,7 +594,7 @@
 	if (!allowed_user(pw))
 		return (NULL);
 #ifdef HAVE_LOGIN_CAP
-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
+	if ((lc = login_getpwclass(pw)) == NULL) {
 		debug("unable to get login class: %s", user);
 		return (NULL);
 	}




--- UTC
base defaults

r99048 | des | 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) | 4 lines
Changed paths:
   M /head/crypto/openssh/myproposal.h
   M /head/crypto/openssh/readconf.c
   M /head/crypto/openssh/servconf.c

Apply FreeBSD's configuration defaults.

--- readconf.c.orig	2014-07-17 23:11:26.000000000 -0500
+++ readconf.c	2014-11-03 16:45:05.188796445 -0600
@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
-		options->check_host_ip = 1;
+		options->check_host_ip = 0;
 	if (options->strict_host_key_checking == -1)
 		options->strict_host_key_checking = 2;	/* 2 is default */
 	if (options->compression == -1)

Lines 22-28 Link Here

(-)security/openssh-portable/files/patch-session.c (-2 / +2 lines)
22	-#if defined(USE_PAM) \|\| defined(HAVE_CYGWIN)	22	-#if defined(USE_PAM) \|\| defined(HAVE_CYGWIN)
23	+#if defined(USE_PAM) \|\| defined(HAVE_CYGWIN) \|\| defined(HAVE_LOGIN_CAP)	23	+#if defined(USE_PAM) \|\| defined(HAVE_CYGWIN) \|\| defined(HAVE_LOGIN_CAP)
24	static void	24	static void
25	copy_environment_blacklist(char source, char env, u_int envsize,	25	copy_environment_denylist(char source, char env, u_int envsize,
26	const char *blacklist)	26	const char *blacklist)
27	@@ -1056,7 +1056,8 @@ do_setup_env(struct ssh ssh, Session s, const char *	27	@@ -1056,7 +1056,8 @@ do_setup_env(struct ssh ssh, Session s, const char *
28	# endif /* HAVE_CYGWIN */	28	# endif /* HAVE_CYGWIN */
Lines 48-54 Link Here
48	+ environ = xmalloc(sizeof(char *));	48	+ environ = xmalloc(sizeof(char *));
49	+ *environ = NULL;	49	+ *environ = NULL;
50	+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);	50	+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV);
51	+ copy_environment_blacklist(environ, &env, &envsize, NULL);	51	+ copy_environment_denylist(environ, &env, &envsize, NULL);
52	+ for (var = environ; *var != NULL; ++var)	52	+ for (var = environ; *var != NULL; ++var)
53	+ free(*var);	53	+ free(*var);
54	+ free(environ);	54	+ free(environ);




Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.

--- ssh-agent.c.orig	2021-03-02 10:31:47 UTC
+++ ssh-agent.c
@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
 /* Refuse signing of non-SSH messages for web-origin FIDO keys */
 static int restrict_websafe = 1;
 

+			last = 1;
+	}
 	close(e->fd);
 	sshbuf_free(e->input);
 	sshbuf_free(e->output);
@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
 	memset(e, '\0', sizeof(*e));
 	e->fd = -1;
 	e->type = AUTH_UNUSED;
 	sshbuf_free(e->input);
 	sshbuf_free(e->output);
 	sshbuf_free(e->request);
+	if (last)
+		cleanup_exit(0);
 }
 
 static void
@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
 {
 	u_int i, old_alloc, new_alloc;
 
 	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
 	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+	if (type == AUTH_CONNECTION) {
+		debug("xcount %d -> %d", xcount, xcount + 1);
+		++xcount;

 	set_nonblock(fd);
 
 	if (fd > max_fd)
@@ -1360,7 +1383,7 @@ static void
 usage(void)
 {
 	fprintf(stderr,

 	    "                 [-P allowed_providers] [-t life]\n"
 	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
 	    "                 [-t life] command [arg ...]\n"
@@ -1394,6 +1417,7 @@ main(int ac, char **av)
 	/* drop */
 	setegid(getgid());
 	setgid(getgid());

 
 	platform_disable_tracing(0);	/* strict=no */
 
@@ -1405,7 +1429,7 @@ main(int ac, char **av)
 	__progname = ssh_get_progname(av[0]);
 	seed_rng();
 

 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1454,6 +1478,9 @@ main(int ac, char **av)
 				fprintf(stderr, "Invalid lifetime\n");
 				usage();
 			}

Lines 6-21 Link Here

(-)security/openssh-portable/files/patch-ssh_config.5 (-10 lines)
6		6
7	--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800	7	--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800
8	+++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800	8	+++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800
9	@@ -420,8 +420,7 @@ or
10	.Cm no .
11	.It Cm CheckHostIP
12	If set to
13	-.Cm yes
14	-(the default),
15	+.Cm yes ,
16	.Xr ssh 1
17	will additionally check the host IP address in the
18	.Pa known_hosts
19	@@ -434,6 +433,8 @@ in the process, regardless of the setting of	9	@@ -434,6 +433,8 @@ in the process, regardless of the setting of
20	If the option is set to	10	If the option is set to
21	.Cm no ,	11	.Cm no ,

Return to bug 254389

Lines 187-193 Link Here

(-)security/openssh-portable/files/extra-patch-hpn (-26 / +30 lines)
187	static void	187	static void
188	channel_pre_open(struct ssh ssh, Channel c,	188	channel_pre_open(struct ssh ssh, Channel c,
189	fd_set readset, fd_set writeset)	189	fd_set readset, fd_set writeset)
190	@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh ssh, Channel c)	190	@@ -2158,18 +2191,29 @@ channel_check_window(struct ssh ssh, Channel c)
191	c->local_maxpacket*3) \|\|	191	c->local_maxpacket*3) \|\|
192	c->local_window < c->local_window_max/2) &&	192	c->local_window < c->local_window_max/2) &&
193	c->local_consumed > 0) {	193	c->local_consumed > 0) {
Lines 203-210 Link Here
203	+ }	203	+ }
204	+#endif	204	+#endif
205	if (!c->have_remote_id)	205	if (!c->have_remote_id)
206	fatal(":%s: channel %d: no remote id",	206	fatal_f("channel %d: no remote id", c->self);
207	__func__, c->self);
208	if ((r = sshpkt_start(ssh,	207	if ((r = sshpkt_start(ssh,
209	SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 \|\|	208	SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 \|\|
210	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|	209	(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 \|\|
Lines 211-224 Link Here
211	- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 \|\|	210	- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 \|\|
212	+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 \|\|	211	+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 \|\|
213	(r = sshpkt_send(ssh)) != 0) {	212	(r = sshpkt_send(ssh)) != 0) {
214	fatal("%s: channel %i: %s", __func__,	213	fatal_fr(r, "channel %i", c->self);
215	c->self, ssh_err(r));
216	}	214	}
217	debug2("channel %d: window %d sent adjust %d",	215	debug2("channel %d: window %d sent adjust %d", c->self,
218	c->self, c->local_window,	216	- c->local_window, c->local_consumed);
219	- c->local_consumed);
220	- c->local_window += c->local_consumed;	217	- c->local_window += c->local_consumed;
221	+ c->local_consumed + addition);	218	+ c->local_window, c->local_consumed + addition);
222	+ c->local_window += c->local_consumed + addition;	219	+ c->local_window += c->local_consumed + addition;
223	c->local_consumed = 0;	220	c->local_consumed = 0;
224	}	221	}
Lines 360-378 Link Here
360	c->datagram = 1;	357	c->datagram = 1;
361	--- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500	358	--- work.clean/openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500
362	+++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500	359	+++ work/openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500
363	@@ -177,6 +177,14 @@	360	@@ -144,11 +144,19 @@
364	debug("match: %s pat %s compat 0x%08x",	361
365	version, check[i].pat, check[i].bugs);	362	/* process table, return first match */
366	datafellows = check[i].bugs; /* XXX for now */	363	ssh->compat = 0;
367	+#ifdef HPN_ENABLED	364	+#ifdef HPN_ENABLED
368	+ /* Check to see if the remote side is OpenSSH and not HPN */	365	+ /* Check to see if the remote side is OpenSSH and not HPN */
369	+ if (strstr(version,"OpenSSH") != NULL &&	366	+ if (strstr(version,"OpenSSH") != NULL &&
370	+ strstr(version,"hpn") == NULL) {	367	+ strstr(version,"hpn") == NULL) {
371	+ datafellows \|= SSH_BUG_LARGEWINDOW;	368	+ ssh->compat \|= SSH_BUG_LARGEWINDOW;
372	+ debug("Remote is NON-HPN aware");	369	+ debug("Remote is NON-HPN aware");
373	+ }	370	+ }
374	+#endif	371	+#endif
375	return check[i].bugs;	372	for (i = 0; check[i].pat; i++) {
		373	if (match_pattern_list(version, check[i].pat, 0) == 1) {
		374	debug_f("match: %s pat %s compat 0x%08x",
		375	version, check[i].pat, check[i].bugs);
		376	- ssh->compat = check[i].bugs;
		377	+ ssh->compat \|= check[i].bugs;
		378	return;
376	}	379	}
377	}	380	}
378	--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500	381	--- work/openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500
Lines 553-561 Link Here
553	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,	556	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
554	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,	557	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
555	@@ -304,6 +313,16 @@ static struct {	558	@@ -304,6 +313,16 @@ static struct {
556	{ "updatehostkeys", oUpdateHostkeys },	559	{ "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */
557	{ "hostbasedkeytypes", oHostbasedKeyTypes },	560	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
558	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },	561	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
559	+#ifdef NONE_CIPHER_ENABLED	562	+#ifdef NONE_CIPHER_ENABLED
560	+ { "noneenabled", oNoneEnabled },	563	+ { "noneenabled", oNoneEnabled },
561	+ { "noneswitch", oNoneSwitch },	564	+ { "noneswitch", oNoneSwitch },
Lines 1046-1052 Link Here
1046	+ debug ("Enabled Dynamic Window Scaling");	1049	+ debug ("Enabled Dynamic Window Scaling");
1047	+ }	1050	+ }
1048	+#endif	1051	+#endif
1049	debug3("%s: channel_new: %d", __func__, c->self);	1052	debug3_f("channel_new: %d", c->self);
1050		1053
1051	channel_send_open(ssh, c->self);	1054	channel_send_open(ssh, c->self);
1052	@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh ssh, struct passwd pw)	1055	@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh ssh, struct passwd pw)
Lines 1152-1158 Link Here
1152	/*	1155	/*
1153	* SSH2 key exchange	1156	* SSH2 key exchange
1154	*/	1157	*/
1155	@@ -156,10 +162,11 @@ order_hostkeyalgs(char host, struct sockaddr hostadd	1158	@@ -156,11 +162,12 @@ order_hostkeyalgs(char host, struct sockaddr hostadd
1156	return ret;	1159	return ret;
1157	}	1160	}
1158		1161
Lines 1159-1165 Link Here
1159	+static char *myproposal[PROPOSAL_MAX];	1162	+static char *myproposal[PROPOSAL_MAX];
1160	+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };	1163	+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
1161	void	1164	void
1162	ssh_kex2(struct ssh ssh, char host, struct sockaddr *hostaddr, u_short port)	1165	ssh_kex2(struct ssh ssh, char host, struct sockaddr *hostaddr, u_short port,
		1166	const struct ssh_conn_info *cinfo)
1163	{	1167	{
1164	- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };	1168	- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
1165	char s, all_key;	1169	char s, all_key;

Lines 75-81 Link Here

(-)security/openssh-portable/files/extra-patch-blacklistd (-7 / +7 lines)
75	+ default:	75	+ default:
76	+ imlevel = SYSLOG_LEVEL_DEBUG2;	76	+ imlevel = SYSLOG_LEVEL_DEBUG2;
77	+ }	77	+ }
78	+ do_log(imlevel, message, args);	78	+ do_log2(imlevel, message, args);
79	+}	79	+}
80	+	80	+
81	+void	81	+void
Lines 177-188 Link Here
177	options->client_alive_interval = 0;	177	options->client_alive_interval = 0;
178	if (options->client_alive_count_max == -1)	178	if (options->client_alive_count_max == -1)
179	@@ -528,6 +531,7 @@ typedef enum {	179	@@ -528,6 +531,7 @@ typedef enum {
180	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,	180	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
181	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,	181	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
182	sBanner, sUseDNS, sHostbasedAuthentication,	182	sBanner, sUseDNS, sHostbasedAuthentication,
183	+ sUseBlacklist,	183	+ sUseBlacklist,
184	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,	184	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
185	sHostKeyAlgorithms,	185	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
186	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,	186	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
187	@@ -658,6 +662,8 @@ static struct {	187	@@ -658,6 +662,8 @@ static struct {
188	{ "maxsessions", sMaxSessions, SSHCFG_ALL },	188	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
Lines 325-337 Link Here
325	--- sshd.c.orig 2020-11-16 15:52:45.846609000 -0800	325	--- sshd.c.orig 2020-11-16 15:52:45.846609000 -0800
326	+++ sshd.c 2020-11-16 15:56:34.401305000 -0800	326	+++ sshd.c 2020-11-16 15:56:34.401305000 -0800
327	@@ -131,6 +131,7 @@	327	@@ -131,6 +131,7 @@
328	#include "version.h"
329	#include "ssherr.h"	328	#include "ssherr.h"
330	#include "sk-api.h"	329	#include "sk-api.h"
		330	#include "srclimit.h"
331	+#include "blacklist_client.h"	331	+#include "blacklist_client.h"
332		332
333	#ifdef LIBWRAP	333	/* Re-exec fds */
334	#include <tcpd.h>	334	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
335	@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)	335	@@ -388,6 +389,8 @@ grace_alarm_handler(int sig)
336	kill(0, SIGTERM);	336	kill(0, SIGTERM);
337	}	337	}

Lines 1-21 Link Here

(-)security/openssh-portable/files/patch-auth.c (-21 lines)
1	--- UTC
2	r100838 \| fanf \| 2002-07-28 19:36:24 -0500 (Sun, 28 Jul 2002) \| 7 lines
3	Changed paths:
4	M /head/crypto/openssh/auth.c
5
6	Use login_getpwclass() instead of login_getclass() so that the root
7	vs. default login class distinction is made correctly.
8
9	PR: 37416
10
11	--- auth.c.orig 2010-08-12 11:33:01.000000000 -0600
12	+++ auth.c 2010-09-14 16:14:12.000000000 -0600
13	@@ -594,7 +594,7 @@
14	if (!allowed_user(pw))
15	return (NULL);
16	#ifdef HAVE_LOGIN_CAP
17	- if ((lc = login_getclass(pw->pw_class)) == NULL) {
18	+ if ((lc = login_getpwclass(pw)) == NULL) {
19	debug("unable to get login class: %s", user);
20	return (NULL);
21	}

Lines 1-22 Link Here

(-)security/openssh-portable/files/patch-readconf.c (-22 lines)
1	--- UTC
2	base defaults
3
4	r99048 \| des \| 2002-06-29 05:51:56 -0500 (Sat, 29 Jun 2002) \| 4 lines
5	Changed paths:
6	M /head/crypto/openssh/myproposal.h
7	M /head/crypto/openssh/readconf.c
8	M /head/crypto/openssh/servconf.c
9
10	Apply FreeBSD's configuration defaults.
11
12	--- readconf.c.orig 2014-07-17 23:11:26.000000000 -0500
13	+++ readconf.c 2014-11-03 16:45:05.188796445 -0600
14	@@ -1934,7 +1946,7 @@ fill_default_options(Options * options)
15	if (options->batch_mode == -1)
16	options->batch_mode = 0;
17	if (options->check_host_ip == -1)
18	- options->check_host_ip = 1;
19	+ options->check_host_ip = 0;
20	if (options->strict_host_key_checking == -1)
21	options->strict_host_key_checking = 2; /* 2 is default */
22	if (options->compression == -1)

Lines 8-16 Link Here

(-)security/openssh-portable/files/patch-ssh-agent.c (-13 / +14 lines)
8	Add a -x option that causes ssh-agent(1) to exit when all clients have	8	Add a -x option that causes ssh-agent(1) to exit when all clients have
9	disconnected.	9	disconnected.
10		10
11	--- ssh-agent.c.orig 2020-09-27 00:25:01.000000000 -0700	11	--- ssh-agent.c.orig 2021-03-02 10:31:47 UTC
12	+++ ssh-agent.c 2020-11-09 09:07:10.924940000 -0800	12	+++ ssh-agent.c
13	@@ -171,15 +171,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;	13	@@ -171,9 +171,26 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
14	/* Refuse signing of non-SSH messages for web-origin FIDO keys */	14	/* Refuse signing of non-SSH messages for web-origin FIDO keys */
15	static int restrict_websafe = 1;	15	static int restrict_websafe = 1;
16		16
Lines 35-54 Link Here
35	+ last = 1;	35	+ last = 1;
36	+ }	36	+ }
37	close(e->fd);	37	close(e->fd);
		38	sshbuf_free(e->input);
		39	sshbuf_free(e->output);
		40	@@ -181,6 +198,8 @@ close_socket(SocketEntry *e)
		41	memset(e, '\0', sizeof(*e));
38	e->fd = -1;	42	e->fd = -1;
39	e->type = AUTH_UNUSED;	43	e->type = AUTH_UNUSED;
40	sshbuf_free(e->input);
41	sshbuf_free(e->output);
42	sshbuf_free(e->request);
43	+ if (last)	44	+ if (last)
44	+ cleanup_exit(0);	45	+ cleanup_exit(0);
45	}	46	}
46		47
47	static void	48	static void
48	@@ -961,6 +980,10 @@ new_socket(sock_type type, int fd)	49	@@ -1067,6 +1086,10 @@ new_socket(sock_type type, int fd)
49	{
50	u_int i, old_alloc, new_alloc;
51		50
		51	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
		52	(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
52	+ if (type == AUTH_CONNECTION) {	53	+ if (type == AUTH_CONNECTION) {
53	+ debug("xcount %d -> %d", xcount, xcount + 1);	54	+ debug("xcount %d -> %d", xcount, xcount + 1);
54	+ ++xcount;	55	+ ++xcount;
Lines 56-62 Link Here
56	set_nonblock(fd);	57	set_nonblock(fd);
57		58
58	if (fd > max_fd)	59	if (fd > max_fd)
59	@@ -1261,7 +1284,7 @@ static void	60	@@ -1360,7 +1383,7 @@ static void
60	usage(void)	61	usage(void)
61	{	62	{
62	fprintf(stderr,	63	fprintf(stderr,
Lines 65-71 Link Here
65	" [-P allowed_providers] [-t life]\n"	66	" [-P allowed_providers] [-t life]\n"
66	" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"	67	" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
67	" [-t life] command [arg ...]\n"	68	" [-t life] command [arg ...]\n"
68	@@ -1295,6 +1318,7 @@ main(int ac, char **av)	69	@@ -1394,6 +1417,7 @@ main(int ac, char **av)
69	/* drop */	70	/* drop */
70	setegid(getgid());	71	setegid(getgid());
71	setgid(getgid());	72	setgid(getgid());
Lines 73-79 Link Here
73		74
74	platform_disable_tracing(0); /* strict=no */	75	platform_disable_tracing(0); /* strict=no */
75		76
76	@@ -1306,7 +1330,7 @@ main(int ac, char **av)	77	@@ -1405,7 +1429,7 @@ main(int ac, char **av)
77	__progname = ssh_get_progname(av[0]);	78	__progname = ssh_get_progname(av[0]);
78	seed_rng();	79	seed_rng();
79		80
Lines 82-88 Link Here
82	switch (ch) {	83	switch (ch) {
83	case 'E':	84	case 'E':
84	fingerprint_hash = ssh_digest_alg_by_name(optarg);	85	fingerprint_hash = ssh_digest_alg_by_name(optarg);
85	@@ -1355,6 +1379,9 @@ main(int ac, char **av)	86	@@ -1454,6 +1478,9 @@ main(int ac, char **av)
86	fprintf(stderr, "Invalid lifetime\n");	87	fprintf(stderr, "Invalid lifetime\n");
87	usage();	88	usage();
88	}	89	}