View | Details | Raw Unified | Return to bug 261342

(-)b/security/openssh-portable/Makefile (-1 / +3 lines)
Lines 2-8 Link Here
2
2
3
PORTNAME=	openssh
3
PORTNAME=	openssh
4
DISTVERSION=	8.8p1
4
DISTVERSION=	8.8p1
5
PORTREVISION=	1
5
PORTREVISION=	2
6
PORTEPOCH=	1
6
PORTEPOCH=	1
7
CATEGORIES=	security
7
CATEGORIES=	security
8
MASTER_SITES=	OPENBSD/OpenSSH/portable
8
MASTER_SITES=	OPENBSD/OpenSSH/portable
Lines 67-72 BLACKLISTD_DESC= FreeBSD blacklistd(8) support Link Here
67
67
68
OPTIONS_SUB=		yes
68
OPTIONS_SUB=		yes
69
69
70
PAM_EXTRA_PATCHES=	${FILESDIR}/extra-patch-pam-sshd_config
71
70
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
72
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
71
73
72
LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
74
LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
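Review bot: The new `PAM_EXTRA_PATCHES` line has no comment saying why the sample sshd_config is patched only when the PAM option is on. A one-line comment above it would help, for example that the commented defaults for PasswordAuthentication and UsePAM in sshd_config are flipped only for PAM builds, so that a later editor does not fold extra-patch-pam-sshd_config back into files/patch-sshd_config.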
(-)b/security/openssh-portable/files/extra-patch-pam-sshd_config (+31 lines)
Added Link Here
1
--- sshd_config.nopam	2022-02-11 19:19:59.515475000 +0000
2
+++ sshd_config	2022-02-11 19:20:45.334738000 +0000
3
@@ -55,8 +55,8 @@
4
 # Don't read the user's ~/.rhosts and ~/.shosts files
5
 #IgnoreRhosts yes
6
 
7
-# To disable tunneled clear text passwords, change to no here!
8
-#PasswordAuthentication yes
9
+# To enable tunneled clear text passwords, change to yes here!
10
+#PasswordAuthentication no
11
 #PermitEmptyPasswords no
12
 
13
 # Change to no to disable s/key passwords
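Review bot: The first hunk header `@@ -55,8 +55,8 @@` places this text at line 55, while the hunk removed from files/patch-sshd_config in this same change carried it as `@@ -53,8 +55,8 @@`, so this file looks like it was generated against an sshd_config that already had patch-sshd_config applied (the `sshd_config.nopam` name in the header suggests the same). Please confirm the order in which the ports framework applies EXTRA_PATCHES and files/patch-*; if the extra patch goes first it will only apply with a line offset. Running `make patch` with the PAM option on and off and checking for offset or fuzz messages would settle it, and regenerating the extra patch against the file as it exists at that point in the patch sequence removes the dependence on patch(1) tolerating the offset.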
14
@@ -72,7 +72,7 @@
15
 #GSSAPIAuthentication no
16
 #GSSAPICleanupCredentials yes
17
 
18
-# Set this to 'yes' to enable PAM authentication, account processing,
19
+# Set this to 'no' to disable PAM authentication, account processing,
20
 # and session processing. If this is enabled, PAM authentication will
21
 # be allowed through the KbdInteractiveAuthentication and
22
 # PasswordAuthentication.  Depending on your PAM configuration,
23
@@ -81,7 +81,7 @@
24
 # If you just want the PAM account and session checks to run without
25
 # PAM authentication, then enable this but set PasswordAuthentication
26
 # and KbdInteractiveAuthentication to 'no'.
27
-#UsePAM no
28
+#UsePAM yes
29
 
30
 #AllowAgentForwarding yes
31
 #AllowTcpForwarding yes
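Review bot: In the third hunk, `#UsePAM yes` becomes the documented default alongside `#PasswordAuthentication no` from the first hunk, and the unchanged context above it states that PAM authentication is allowed through both KbdInteractiveAuthentication and PasswordAuthentication. An administrator reading only "To enable tunneled clear text passwords, change to yes here!" may conclude that password logins are off by default, when keyboard-interactive through PAM can still prompt for one. Consider extending that comment so it points at KbdInteractiveAuthentication as well.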
(-)b/security/openssh-portable/files/patch-sshd_config (-29 / +3 lines)
Lines 1-5 Link Here
1
--- sshd_config.orig	2021-08-19 21:03:49.000000000 -0700
1
--- sshd_config.orig	2022-02-11 18:49:55.062881000 +0000
2
+++ sshd_config	2021-09-07 12:34:49.372652000 -0700
2
+++ sshd_config	2022-02-11 18:52:31.639435000 +0000
3
@@ -10,6 +10,9 @@
3
@@ -10,6 +10,9 @@
4
 # possible, but leave them commented.  Uncommented options override the
4
 # possible, but leave them commented.  Uncommented options override the
5
 # default value.
5
 # default value.
Lines 20-52 Link Here
20
 
20
 
21
 #AuthorizedPrincipalsFile none
21
 #AuthorizedPrincipalsFile none
22
 
22
 
23
@@ -53,8 +55,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
23
@@ -84,7 +86,7 @@
24
 # Don't read the user's ~/.rhosts and ~/.shosts files
25
 #IgnoreRhosts yes
26
 
27
-# To disable tunneled clear text passwords, change to no here!
28
-#PasswordAuthentication yes
29
+# To enable tunneled clear text passwords, change to yes here!
30
+#PasswordAuthentication no
31
 #PermitEmptyPasswords no
32
 
33
 # Change to no to disable s/key passwords
34
@@ -70,7 +72,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
35
 #GSSAPIAuthentication no
36
 #GSSAPICleanupCredentials yes
37
 
38
-# Set this to 'yes' to enable PAM authentication, account processing,
39
+# Set this to 'no' to disable PAM authentication, account processing,
40
 # and session processing. If this is enabled, PAM authentication will
41
 # be allowed through the KbdInteractiveAuthentication and
42
 # PasswordAuthentication.  Depending on your PAM configuration,
43
@@ -79,12 +81,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
44
 # If you just want the PAM account and session checks to run without
45
 # PAM authentication, then enable this but set PasswordAuthentication
46
 # and KbdInteractiveAuthentication to 'no'.
47
-#UsePAM no
48
+#UsePAM yes
49
 
50
 #AllowAgentForwarding yes
24
 #AllowAgentForwarding yes
51
 #AllowTcpForwarding yes
25
 #AllowTcpForwarding yes
52
 #GatewayPorts no
26
 #GatewayPorts no
(-)b/security/openssh-portable/files/patch-sshd_config.5 (-12 / +15 lines)
Lines 1-8 Link Here
1
--- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
1
--- sshd_config.5.orig	2022-02-11 18:50:00.822679000 +0000
2
+++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
2
+++ sshd_config.5	2022-02-11 19:09:05.162504000 +0000
3
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
3
@@ -701,7 +701,9 @@
4
 The list of available key types may also be obtained using
4
 .Qq ssh -Q HostbasedAcceptedAlgorithms .
5
 .Qq ssh -Q key .
5
 This was formerly named HostbasedAcceptedKeyTypes.
6
 .It Cm HostbasedAuthentication
6
 .It Cm HostbasedAuthentication
7
-Specifies whether rhosts or /etc/hosts.equiv authentication together
7
-Specifies whether rhosts or /etc/hosts.equiv authentication together
8
+Specifies whether rhosts or
8
+Specifies whether rhosts or
Lines 11-17 Link Here
11
 with successful public key client host authentication is allowed
11
 with successful public key client host authentication is allowed
12
 (host-based authentication).
12
 (host-based authentication).
13
 The default is
13
 The default is
14
@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
14
@@ -1277,7 +1279,23 @@
15
 .It Cm PasswordAuthentication
15
 .It Cm PasswordAuthentication
16
 Specifies whether password authentication is allowed.
16
 Specifies whether password authentication is allowed.
17
 The default is
17
 The default is
Lines 20-25 Link Here
20
+.Nm sshd
20
+.Nm sshd
21
+was built without PAM support, in which case the default is
21
+was built without PAM support, in which case the default is
22
 .Cm yes .
22
 .Cm yes .
23
+.Pp
23
+Note that if
24
+Note that if
24
+.Cm ChallengeResponseAuthentication
25
+.Cm ChallengeResponseAuthentication
25
+is
26
+is
Lines 34-40 Link Here
34
 .It Cm PermitEmptyPasswords
35
 .It Cm PermitEmptyPasswords
35
 When password authentication is allowed, it specifies whether the
36
 When password authentication is allowed, it specifies whether the
36
 server allows login to accounts with empty password strings.
37
 server allows login to accounts with empty password strings.
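Review bot: The note added in the PasswordAuthentication hunk still names the old option (`+.Cm ChallengeResponseAuthentication`), while the sshd_config comments patched elsewhere in this change refer to KbdInteractiveAuthentication and the hunk offsets here were refreshed for 8.8p1. ChallengeResponseAuthentication survives only as a deprecated alias, so the note should use `KbdInteractiveAuthentication` to match the name the rest of the manual page documents.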
37
@@ -1232,6 +1251,13 @@ and
38
@@ -1416,6 +1434,13 @@
38
 .Cm ethernet .
39
 .Cm ethernet .
39
 The default is
40
 The default is
40
 .Cm no .
41
 .Cm no .
Lines 48-59 Link Here
48
 .Pp
49
 .Pp
49
 Independent of this setting, the permissions of the selected
50
 Independent of this setting, the permissions of the selected
50
 .Xr tun 4
51
 .Xr tun 4
51
@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
52
@@ -1774,12 +1799,19 @@
52
 .Xr sshd 8
53
 .Xr sshd 8
53
 as a non-root user.
54
 as a non-root user.
54
 The default is
55
 The default is
55
-.Cm no .
56
+.Cm yes ,
56
+.Cm yes .
57
+unless
58
+.Nm sshd
59
+was built without PAM support, in which case the default is
60
 .Cm no .
57
 .It Cm VersionAddendum
61
 .It Cm VersionAddendum
58
 Optionally specifies additional text to append to the SSH protocol banner
62
 Optionally specifies additional text to append to the SSH protocol banner
59
 sent by the server upon connection.
63
 sent by the server upon connection.
Lines 66-72 Link Here
66
 .It Cm X11DisplayOffset
70
 .It Cm X11DisplayOffset
67
 Specifies the first display number available for
71
 Specifies the first display number available for
68
 .Xr sshd 8 Ns 's
72
 .Xr sshd 8 Ns 's
69
@@ -1512,7 +1541,7 @@ The argument must be
73
@@ -1793,7 +1825,7 @@
70
 or
74
 or
71
 .Cm no .
75
 .Cm no .
72
 The default is
76
 The default is
73
- 
