FreeBSD Bugzilla – Attachment 159934 Details for Bug 202253: [NEW PORT] net/ocserv: server implementing the AnyConnect SSL VPN protocol
ocserv.shar (text/plain), 25.52 KB, created by Kurt Jaeger on 2015-08-16 21:11:26 UTC
Description: next-try
Filename: ocserv.shar
MIME Type: text/plain
Creator: Kurt Jaeger
Created: 2015-08-16 21:11:26 UTC
Size: 25.52 KB
Flags: patch, obsolete
># This is a shell archive. Save it in a file, remove anything before ># this line, and then unpack it by entering "sh file". Note, it may ># create directories; files and directories will be owned by you and ># have default permissions. ># ># This archive contains: ># ># ocserv ># ocserv/pkg-descr ># ocserv/Makefile ># ocserv/distinfo ># ocserv/files ># ocserv/files/patch-configure.ac ># ocserv/files/ocserv.in ># ocserv/files/patch-src_config.c ># ocserv/files/patch-src_main-ctl-unix.c ># ocserv/files/ocserv.conf ># ocserv/files/patch-doc_Makefile.am ># ocserv/files/patch-src_main.c ># ocserv/files/patch-src_ocserv-args.def ># ocserv/pkg-plist ># >echo c - ocserv >mkdir -p ocserv > /dev/null 2>&1 >echo x - ocserv/pkg-descr >sed 's/^X//' >ocserv/pkg-descr << 'b2c358fffb5836b4f2c2719b6d64f716' >XOpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a >Xsecure, small, fast and configurable VPN server. It implements the OpenConnect >XSSL VPN protocol, and has also (currently experimental) compatibility with >Xclients using the AnyConnect SSL VPN protocol. The OpenConnect protocol >Xprovides a dual TCP/UDP VPN channel, and uses the standard IETF security >Xprotocols to secure it. Both IPv4 and IPv6 are supported. >X >XOcserv's main features are security through privilege separation and >Xsandboxing, accounting, and resilience due to a combined use of TCP and UDP. >XAuthentication occurs in an isolated security module process, and each user is >Xassigned an unprivileged worker process, and a networking (tun) device. That >Xnot only eases the control of the resources of each user or group of users, >Xbut also prevents data leak (e.g., heartbleed-style attacks), and privilege >Xescalation due to any bug on the VPN handling (worker) process. A management >Xinterface allows for viewing and querying logged-in users. 
>X >XWWW: http://www.infradead.org/ocserv/ >b2c358fffb5836b4f2c2719b6d64f716 >echo x - ocserv/Makefile >sed 's/^X//' >ocserv/Makefile << '67365262cc98d4a47b63b26fdd1ef82d' >X# Created by: Carlos J Puga Medina <cpm@fbsd.es> >X# $FreeBSD$ >X >XPORTNAME= ocserv >XPORTVERSION= 0.10.7 >XCATEGORIES= net security >XMASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/ >X >XMAINTAINER= cpm@fbsd.es >XCOMMENT= Server implementing the AnyConnect SSL VPN protocol >X >XLICENSE= GPLv2 >X >XBUILD_DEPENDS= autogen:${PORTSDIR}/devel/autogen \ >X gsed:${PORTSDIR}/textproc/gsed >XLIB_DEPENDS= liblz4.so:${PORTSDIR}/archivers/liblz4 \ >X libiconv.so:${PORTSDIR}/converters/libiconv \ >X libtalloc.so:${PORTSDIR}/devel/talloc \ >X libprotobuf-c.so:${PORTSDIR}/devel/protobuf-c \ >X libgnutls.so:${PORTSDIR}/security/gnutls >X >XUSES= autoreconf cpe gmake gperf libtool ncurses pathfix pkgconfig readline tar:xz >XCPE_VENDOR= infradead >XCFLAGS+= -I${LOCALBASE}/include >XLDFLAGS+= -L${LOCALBASE}/lib -lintl >XGNU_CONFIGURE= yes >XUSE_LDCONFIG= yes >X >XCONFIGURE_ARGS= --disable-nls \ >X --enable-local-libopts \ >X --without-http-parser \ >X --without-pcl-lib \ >X --without-radius >X >XUSERS= _ocserv >XGROUPS= _ocserv >X >XUSE_RC_SUBR= ocserv >X >XOPTIONS_DEFINE= DOCS EXAMPLES GSSAPI >X >XPORTDOCS= AUTHORS ChangeLog INSTALL NEWS README TODO >XPORTEXAMPLES= profile.xml sample.config sample.passwd >X >X.include <bsd.port.options.mk> >X >X.if ${PORT_OPTIONS:MGSSAPI} >XUSES+= gssapi:mit >XLIB_DEPENDS+= libkrb5support.so:${PORTSDIR}/security/krb5 >X.else >XCONFIGURE_ARGS+= --without-gssapi >X.endif >X >Xpost-patch: >X ${RM} ${WRKSRC}/doc/occtl.8 >X ${RM} ${WRKSRC}/doc/ocpasswd.8 >X ${RM} ${WRKSRC}/doc/ocserv.8 >X >Xpost-install: >X ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/occtl >X ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/ocpasswd >X ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/ocserv >X ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv/ >X ${MKDIR} ${STAGEDIR}/var/run/ocserv/ >X ${CP} ${FILESDIR}/ocserv.conf 
${STAGEDIR}${PREFIX}/etc/ocserv/conf.sample >X >X.if ${PORT_OPTIONS:MDOCS} >X ${MKDIR} ${STAGEDIR}${DOCSDIR} >X cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR} >X.endif >X >X.if ${PORT_OPTIONS:MEXAMPLES} >X ${MKDIR} ${STAGEDIR}${EXAMPLESDIR} >X cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR} >X.endif >X >X.include <bsd.port.mk> >67365262cc98d4a47b63b26fdd1ef82d >echo x - ocserv/distinfo >sed 's/^X//' >ocserv/distinfo << 'e834ff983be3682f6dec3970911a910f' >XSHA256 (ocserv-0.10.7.tar.xz) = 222212baae53e7f74273245e1459d4132cda41ad255a21f1e42ab4cd240f431d >XSIZE (ocserv-0.10.7.tar.xz) = 712232 >e834ff983be3682f6dec3970911a910f >echo c - ocserv/files >mkdir -p ocserv/files > /dev/null 2>&1 >echo x - ocserv/files/patch-configure.ac >sed 's/^X//' >ocserv/files/patch-configure.ac << 'e71ff3e5d722fe86dffc5ba2dc99a47a' >X--- configure.ac.orig 2015-08-06 16:43:09 UTC >X+++ configure.ac >X@@ -16,11 +16,11 @@ AM_PROG_CC_C_O >X if [ test "$GCC" = "yes" ];then >X CFLAGS="$CFLAGS -Wall" >X fi >X-AC_PATH_PROG(CTAGS, ctags, /bin/true) >X-AC_PATH_PROG(CSCOPE, cscope, /bin/true) >X-AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [/bin/true]) >X+AC_PATH_PROG(CTAGS, ctags, /usr/bin/true) >X+AC_PATH_PROG(CSCOPE, cscope, /usr/bin/true) >X+AC_CHECK_PROG([AUTOGEN], [autogen], [autogen], [autogen]) >X >X-if test x"$AUTOGEN" = "x/bin/true"; then >X+if test x"$AUTOGEN" = "x:"; then >X AC_MSG_WARN([[ >X *** >X *** autogen not found. Will not link against libopts. 
>X@@ -124,7 +124,7 @@ if test "$test_for_libnl" = yes;then >X fi >X >X have_readline=no >X-AC_LIB_HAVE_LINKFLAGS(readline,, [ >X+AC_LIB_HAVE_LINKFLAGS(readline,ncurses, [ >X #include <stdio.h> >X #include <readline/readline.h>], [rl_replace_line(0,0);]) >X if test x$ac_cv_libreadline = xyes; then >X@@ -441,7 +441,7 @@ if test "$NEED_LIBOPTS_DIR" = "true";the >X cp -f $i $nam >X fi >X done >X- AC_SUBST([AUTOGEN], [/bin/true]) >X+ AC_SUBST([AUTOGEN], [autogen]) >X enable_local_libopts=yes >X else >X enable_local_libopts=no >e71ff3e5d722fe86dffc5ba2dc99a47a >echo x - ocserv/files/ocserv.in >sed 's/^X//' >ocserv/files/ocserv.in << '4cc8a414e18b47f9a42a6876c83acf73' >X#!/bin/sh >X# >X# $FreeBSD$ >X# >X# PROVIDE: ocserv >X# REQUIRE: DAEMON >X# KEYWORD: shutdown >X# >X# Add the following to /etc/rc.conf to enable ocserv: >X# >X# ocserv_enable="YES" >X# >X >X. /etc/rc.subr >X >Xname="ocserv" >Xrcvar="ocserv_enable" >X >Xload_rc_config ${name} >X >X: ${ocserv_enable:="NO"} >X: ${ocserv_pidfile:=/var/run/${name}.pid} >X: ${ocserv_socket:=/var/run/${name}.socket} >X: ${ocserv_conf:=/usr/local/etc/${name}/conf} >X >X# command_args="-c /usr/local/etc/${name}/conf" >X >Xcommand=/usr/local/sbin/${name} >X >Xrun_rc_command "$1" >4cc8a414e18b47f9a42a6876c83acf73 >echo x - ocserv/files/patch-src_config.c >sed 's/^X//' >ocserv/files/patch-src_config.c << '35196079851371cf6d81e035f17718e5' >X--- src/config.c.orig 2015-07-18 10:35:29 UTC >X+++ src/config.c >X@@ -52,8 +52,7 @@ >X #include <tlslib.h> >X #include "common-config.h" >X >X-#define OLD_DEFAULT_CFG_FILE "/etc/ocserv.conf" >X-#define DEFAULT_CFG_FILE "/etc/ocserv/ocserv.conf" >X+#define DEFAULT_CFG_FILE "/usr/local/etc/ocserv/conf" >X >X static char pid_file[_POSIX_PATH_MAX] = ""; >X static const char* cfg_file = DEFAULT_CFG_FILE; >X@@ -414,7 +413,7 @@ static void figure_auth_funcs(struct per >X } >X talloc_free(auth[j]); >X } >X- fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name); >X+ /* 
fprintf(stderr, "Setting '%s' as primary authentication method\n", config->auth[0].name); */ >X } else { >X unsigned x = config->auth_methods; >X /* Append authentication methods (alternative options) */ >X@@ -583,9 +582,6 @@ size_t urlfw_size = 0; >X #endif >X >X pov = configFileLoad(file); >X- if (pov == NULL && file != NULL && strcmp(file, DEFAULT_CFG_FILE) == 0) >X- pov = configFileLoad(OLD_DEFAULT_CFG_FILE); >X- >X if (pov == NULL) { >X fprintf(stderr, "Error loading config file %s\n", file); >X exit(1); >35196079851371cf6d81e035f17718e5 >echo x - ocserv/files/patch-src_main-ctl-unix.c >sed 's/^X//' >ocserv/files/patch-src_main-ctl-unix.c << '2933301ac11001b2a9f89588b258b2a8' >X--- src/main-ctl-unix.c.orig 2015-05-26 16:33:38 UTC >X+++ src/main-ctl-unix.c >X@@ -110,10 +110,15 @@ int ctl_handler_init(main_server_st * s) >X struct sockaddr_un sa; >X int sd, e; >X >X- if (s->config->use_occtl == 0 || s->perm_config->occtl_socket_file == NULL) >X+ mslog(s, NULL, LOG_INFO, "using control unix socket: %s", s->perm_config->occtl_socket_file); >X+ >X+ if (s->config->use_occtl == 0 || >X+ s->perm_config->occtl_socket_file == NULL) { >X+ mslog(s, NULL, LOG_INFO, "not using control unix socket"); >X return 0; >X+ } >X >X- mslog(s, NULL, LOG_DEBUG, "initializing control unix socket: %s", s->perm_config->occtl_socket_file); >X+ mslog(s, NULL, LOG_INFO, "initializing control unix socket: %s", s->perm_config->occtl_socket_file); >X memset(&sa, 0, sizeof(sa)); >X sa.sun_family = AF_UNIX; >X strlcpy(sa.sun_path, s->perm_config->occtl_socket_file, sizeof(sa.sun_path)); >X@@ -122,7 +127,7 @@ int ctl_handler_init(main_server_st * s) >X sd = socket(AF_UNIX, SOCK_STREAM, 0); >X if (sd == -1) { >X e = errno; >X- mslog(s, NULL, LOG_ERR, "could not create socket '%s': %s", >X+ mslog(s, NULL, LOG_INFO, "could not create socket '%s': %s", >X s->perm_config->occtl_socket_file, strerror(e)); >X return -1; >X } >X@@ -131,7 +136,7 @@ int ctl_handler_init(main_server_st * s) >X ret = 
bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa)); >X if (ret == -1) { >X e = errno; >X- mslog(s, NULL, LOG_ERR, "could not bind socket '%s': %s", >X+ mslog(s, NULL, LOG_INFO, "could not bind socket '%s': %s", >X s->perm_config->occtl_socket_file, strerror(e)); >X return -1; >X } >X@@ -139,14 +144,14 @@ int ctl_handler_init(main_server_st * s) >X ret = chown(s->perm_config->occtl_socket_file, s->perm_config->uid, s->perm_config->gid); >X if (ret == -1) { >X e = errno; >X- mslog(s, NULL, LOG_ERR, "could not chown socket '%s': %s", >X+ mslog(s, NULL, LOG_INFO, "could not chown socket '%s': %s", >X s->perm_config->occtl_socket_file, strerror(e)); >X } >X >X ret = listen(sd, 1024); >X if (ret == -1) { >X e = errno; >X- mslog(s, NULL, LOG_ERR, "could not listen to socket '%s': %s", >X+ mslog(s, NULL, LOG_INFO, "could not listen to socket '%s': %s", >X s->perm_config->occtl_socket_file, strerror(e)); >X return -1; >X } >2933301ac11001b2a9f89588b258b2a8 >echo x - ocserv/files/ocserv.conf >sed 's/^X//' >ocserv/files/ocserv.conf << '858cba7bfda66951c101538e2696f391' >X# User authentication method. Could be set multiple times and in that case >X# all should succeed. >X# Options: certificate, pam. >X#auth = "certificate" >X#auth = "pam" >X >X# The plain option requires specifying a password file which contains >X# entries of the following format. >X# "username:groupname:encoded-password" >X# One entry must be listed per line, and 'ocpasswd' can be used >X# to generate password entries. >Xauth = "plain[passwd=/usr/local/etc/ocserv/passwd]" >X >X# A banner to be displayed on clients >Xbanner = "Welcome to OpenConnect VPN" >X >X# Use listen-host to limit to specific IPs or to the IPs of a provided >X# hostname. >X#listen-host = [IP|HOSTNAME] >X >X# Limit the number of clients. Unset or set to zero for unlimited. >X#max-clients = 1024 >Xmax-clients = 8 >X >X# Limit the number of client connections to one every X milliseconds >X# (X is the provided value). Set to zero for no limit. 
>X#rate-limit-ms = 100 >X >X# Limit the number of identical clients (i.e., users connecting >X# multiple times). Unset or set to zero for unlimited. >Xmax-same-clients = 2 >X >X# TCP and UDP port number >Xtcp-port = 4443 >Xudp-port = 4443 >X >X# Keepalive in seconds >Xkeepalive = 32400 >X >X# Dead peer detection in seconds. >Xdpd = 120 >X >X# Dead peer detection for mobile clients. The needs to >X# be much higher to prevent such clients being awaken too >X# often by the DPD messages, and save battery. >X# (clients that send the X-AnyConnect-Identifier-DeviceType) >X#mobile-dpd = 1800 >X >X# MTU discovery (DPD must be enabled) >Xtry-mtu-discovery = false >X >X# The key and the certificates of the server >X# The key may be a file, or any URL supported by GnuTLS (e.g., >X# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user >X# or pkcs11:object=my-vpn-key;object-type=private) >X# >X# There may be multiple certificate and key pairs and each key >X# should correspond to the preceding certificate. >Xserver-cert = /usr/local/etc/ocserv/pub.pem >Xserver-key = /usr/local/etc/ocserv/key.pem >X >X# Diffie-Hellman parameters. Only needed if you require support >X# for the DHE ciphersuites (by default this server supports ECDHE). >X# Can be generated using: >X# certtool --generate-dh-params --outfile /path/to/dh.pem >X#dh-params = /path/to/dh.pem >X >X# If you have a certificate from a CA that provides an OCSP >X# service you may provide a fresh OCSP status response within >X# the TLS handshake. That will prevent the client from connecting >X# independently on the OCSP server. >X# You can update this response periodically using: >X# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response >X# Make sure that you replace the following file in an atomic way. >X#ocsp-response = /path/to/ocsp.der >X >X# In case PKCS #11 or TPM keys are used the PINs should be available >X# in files. 
The srk-pin-file is applicable to TPM keys only, and is the >X# storage root key. >X#pin-file = /path/to/pin.txt >X#srk-pin-file = /path/to/srkpin.txt >X >X# The Certificate Authority that will be used to verify >X# client certificates (public keys) if certificate authentication >X# is set. >X#ca-cert = /usr/local/etc/ocserv/ca.pem >X >X# The object identifier that will be used to read the user ID in the client >X# certificate. The object identifier should be part of the certificate's DN >X# Useful OIDs are: >X# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 >X#cert-user-oid = 0.9.2342.19200300.100.1.1 >X >X# The object identifier that will be used to read the user group in the >X# client certificate. The object identifier should be part of the certificate's >X# DN. Useful OIDs are: >X# OU (organizational unit) = 2.5.4.11 >X#cert-group-oid = 2.5.4.11 >X >X# The revocation list of the certificates issued by the 'ca-cert' above. >X#crl = /usr/local/etc/ocserv/crl.pem >X >X# GnuTLS priority string >Xtls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" >X >X# To enforce perfect forward secrecy (PFS) on the main channel. >X#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" >X >X# The time (in seconds) that a client is allowed to stay connected prior >X# to authentication >Xauth-timeout = 40 >X >X# The time (in seconds) that a client is allowed to stay idle (no traffic) >X# before being disconnected. Unset to disable. >X#idle-timeout = 1200 >X >X# The time (in seconds) that a mobile client is allowed to stay idle (no >X# traffic) before being disconnected. Unset to disable. >X#mobile-idle-timeout = 2400 >X >X# The time (in seconds) that a client is not allowed to reconnect after >X# a failed authentication attempt. >X#min-reauth-time = 2 >X >X# Cookie validity time (in seconds) >X# Once a client is authenticated he's provided a cookie with >X# which he can reconnect. This option sets the maximum lifetime >X# of that cookie. 
>X#cookie-validity = 86400 >X >X# ReKey time (in seconds) >X# ocserv will ask the client to refresh keys periodically once >X# this amount of seconds is elapsed. Set to zero to disable. >Xrekey-time = 172800 >X >X# ReKey method >X# Valid options: ssl, new-tunnel >X# ssl: Will perform an efficient rehandshake on the channel allowing >X# a seamless connection during rekey. >X# new-tunnel: Will instruct the client to discard and re-establish the channel. >X# Use this option only if the connecting clients have issues with the ssl >X# option. >Xrekey-method = ssl >X >X# Script to call when a client connects and obtains an IP >X# Parameters are passed on the environment. >X# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), >X# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP >X# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), >X# ID (a unique numeric ID); REASON may be "connect" or "disconnect". >X#connect-script = /scripts/ocserv-script >X#disconnect-script = /scripts/ocserv-script >X >X# UTMP >Xuse-utmp = false >X >X# OCCTL >Xuse-occtl = true >X >X# PID file. It can be overriden in the command line. >Xpid-file = /var/run/ocserv/pid >X >X# The default server directory. Does not require any devices present. >Xchroot-dir = /var/run/ocserv >X >X# socket file used for IPC, will be appended with .PID >X# It must be accessible within the chroot environment (if any) >Xsocket-file = socket >X >X# The user the worker processes will be run as. It should be >X# unique (no other services run as this user). >Xrun-as-user = _ocserv >Xrun-as-group = _ocserv >X >X# Set the protocol-defined priority (SO_PRIORITY) for packets to >X# be sent. That is a number from 0 to 6 with 0 being the lowest >X# priority. Alternatively this can be used to set the IP Type- >X# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). >X# This can be set per user/group or globally. 
>X#net-priority = 3 >X >X# Set the VPN worker process into a specific cgroup. This is Linux >X# specific and can be set per user/group or globally. >X#cgroup = "cpuset,cpu:test" >X >X# >X# Network settings >X# >X >X# The name of the tun device >Xdevice = vpns >X >X# The default domain to be advertised >Xdefault-domain = example.com >X >X# The pool of addresses that leases will be given from. >Xipv4-network = 192.168.1.0 >Xipv4-netmask = 255.255.255.0 >X >X# The advertized DNS server. Use multiple lines for >X# multiple servers. >X# dns = fc00::4be0 >Xdns = 192.168.1.2 >X >X# The NBNS server (if any) >X#nbns = 192.168.1.3 >X >X# The IPv6 subnet that leases will be given from. >X#ipv6-network = fc00:: >X#ipv6-prefix = 16 >X >X# The domains over which the provided DNS should be used. Use >X# multiple lines for multiple domains. >X#split-dns = example.com >X >X# Prior to leasing any IP from the pool ping it to verify that >X# it is not in use by another (unrelated to this server) host. >Xping-leases = false >X >X# Unset to assign the default MTU of the device >X# mtu = >X >X# Unset to enable bandwidth restrictions (in bytes/sec). The >X# setting here is global, but can also be set per user or per group. >X#rx-data-per-sec = 40000 >X#tx-data-per-sec = 40000 >X >X# The number of packets (of MTU size) that are available in >X# the output buffer. The default is low to improve latency. >X# Setting it higher will improve throughput. >X#output-buffer = 10 >X >X# Routes to be forwarded to the client. If you need the >X# client to forward routes to the server, you may use the >X# config-per-user/group or even connect and disconnect scripts. >X# >X# To set the server as the default gateway for the client just >X# comment out all routes from the server. >Xroute = 192.168.1.0/255.255.255.0 >Xroute = 192.168.5.0/255.255.255.0 >X#route = fef4:db8:1000:1001::/64 >X >X# Configuration files that will be applied per user connection or >X# per group. 
Each file name on these directories must match the username >X# or the groupname. >X# The options allowed in the configuration files are dns, nbns, >X# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, >X# net-priority and cgroup. >X# >X# Note that the 'iroute' option allows to add routes on the server >X# based on a user or group. The syntax depends on the input accepted >X# by the commands route-add-cmd and route-del-cmd (see below). >X >X#config-per-user = /usr/local/etc/ocserv/config-per-user/ >X#config-per-group = /usr/local/etc/ocserv/config-per-group/ >X >X# The system command to use to setup a route. %R will be replaced with the >X# route/mask and %D with the (tun) device. >X# >X# The following example is from linux systems. %R should be something >X# like 192.168.2.0/24 >X >X#route-add-cmd = "ip route add %R dev %D" >X#route-del-cmd = "ip route delete %R dev %D" >X >X# >X# The following options are for (experimental) AnyConnect client >X# compatibility. >X >X# Client profile xml. A sample file exists in doc/profile.xml. >X# This file must be accessible from inside the worker's chroot. >X# It is not used by the openconnect client. >X#user-profile = profile.xml >X >X# Binary files that may be downloaded by the CISCO client. Must >X# be within any chroot environment. >X#binary-files = /path/to/binaries >X >X# Unless set to false it is required for clients to present their >X# certificate even if they are authenticating via a previously granted >X# cookie and complete their authentication in the same TCP connection. >X# Legacy CISCO clients do not do that, and thus this option should be >X# set for them. >Xcisco-client-compat = true >X >X#Advanced options >X >X# Option to allow sending arbitrary custom headers to the client after >X# authentication and prior to VPN tunnel establishment. 
>X#custom-header = "X-My-Header: hi there" >858cba7bfda66951c101538e2696f391 >echo x - ocserv/files/patch-doc_Makefile.am >sed 's/^X//' >ocserv/files/patch-doc_Makefile.am << '7bb6ee8afd9089835402c9894ba552a9' >X--- doc/Makefile.am.orig 2015-05-26 16:33:38 UTC >X+++ doc/Makefile.am >X@@ -5,18 +5,27 @@ EXTRA_DIST = design.dia sample.config sc >X >X dist_man_MANS = ocserv.8 ocpasswd.8 occtl.8 >X >X-ocserv.8: ../src/ocserv-args.def >X- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \ >X- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \ >X- rm -f "$<".tmp >X+ocserv.8: >X+ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \ >X+ ../src/ocserv-args.def > ../src/ocserv-args.def.tmp && \ >X+ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \ >X+ ../src/ocserv-args.def.tmp && \ >X+ rm -f ../src/ocserv-args.def.tmp >X+ sed -I -e 's/^\.NOP //' $@ >X >X-occtl.8: ../src/occtl-args.def >X- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \ >X- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \ >X- rm -f "$<".tmp >X+occtl.8: >X+ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \ >X+ ../src/occtl-args.def > ../src/occtl-args.def.tmp && \ >X+ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \ >X+ ../src/occtl-args.def.tmp && \ >X+ rm -f ../src/occtl-args.def.tmp >X+ sed -I -e 's/^\.NOP //' $@ >X >X-ocpasswd.8: ../src/ocpasswd-args.def >X- -sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \ >X- @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl "$<".tmp && \ >X- rm -f "$<".tmp >X+ocpasswd.8: >X+ -gsed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' \ >X+ ../src/ocpasswd-args.def > ../src/ocpasswd-args.def.tmp && \ >X+ @AUTOGEN@ -L../src -DMAN_SECTION=8 -Tagman-cmd.tpl \ >X+ ../src/ocpasswd-args.def.tmp && \ >X+ rm -f ../src/ocpasswd-args.def.tmp >X+ sed -I -e 's/^\.NOP //' $@ >X >7bb6ee8afd9089835402c9894ba552a9 >echo x - ocserv/files/patch-src_main.c >sed 's/^X//' >ocserv/files/patch-src_main.c << 
'61dd7333be28589568c364fbf83c9236' >X--- src/main.c.orig 2015-07-01 18:41:01 UTC >X+++ src/main.c >X@@ -131,8 +131,9 @@ int y; >X perror("setsockopt(IP_PKTINFO) failed"); >X #elif defined(IP_RECVDSTADDR) /* *BSD */ >X y = 1; >X- if (setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, >X- (const void *)&y, sizeof(y)) < 0) >X+ if (family == AF_INET && >X+ setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, >X+ (const void *)&y, sizeof(y)) < 0) >X perror("setsockopt(IP_RECVDSTADDR) failed"); >X #endif >X #if defined(IPV6_RECVPKTINFO) >61dd7333be28589568c364fbf83c9236 >echo x - ocserv/files/patch-src_ocserv-args.def >sed 's/^X//' >ocserv/files/patch-src_ocserv-args.def << '9b4b27a71830988642d9b26b811ec8e4' >X--- src/ocserv-args.def.orig 2015-07-15 17:17:22 UTC >X+++ src/ocserv-args.def >X@@ -68,7 +68,7 @@ doc-section = { >X ds-format = 'texi'; >X ds-text = <<-_EOT_ >X @subheading ocserv's configuration file format >X-By default, if no other file is specified, ocserv looks for its configuration file at @file{/etc/ocserv/ocserv.conf}. >X+By default, if no other file is specified, ocserv looks for its configuration file at @file{/usr/local/etc/ocserv/conf}. >X An example configuration file follows. >X >X @example >X@@ -87,7 +87,7 @@ An example configuration file follows. >X # This enabled PAM authentication of the user. The gid-min option is used >X # by auto-select-group option, in order to select the minimum valid group ID. >X # >X-# plain[passwd=/etc/ocserv/ocpasswd] >X+# plain[passwd=/usr/local/etc/ocserv/ocpasswd] >X # The plain option requires specifying a password file which contains >X # entries of the following format. >X # "username:groupname1,groupname2:encoded-password" >X@@ -119,7 +119,7 @@ An example configuration file follows. 
>X #auth = "certificate" >X #auth = "pam" >X #auth = "pam[gid-min=1000]" >X-#auth = "plain[passwd=/etc/ocserv/ocpasswd]" >X+#auth = "plain[passwd=/usr/local/etc/ocserv/passwd]" >X #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" >X >X # Specify alternative authentication methods that are sufficient >X@@ -431,7 +431,7 @@ rekey-method = ssl >X use-occtl = true >X >X # PID file. It can be overriden in the command line. >X-pid-file = /var/run/ocserv.pid >X+pid-file = /var/run/ocserv/pid >X >X # Set the protocol-defined priority (SO_PRIORITY) for packets to >X # be sent. That is a number from 0 to 6 with 0 being the lowest >X@@ -555,13 +555,13 @@ no-route = 192.168.5.0/255.255.255.0 >X # Also explicit addresses, are only allowed when they are odd. In that >X # case the next even address will be used as the remote address (in PtP). >X >X-#config-per-user = /etc/ocserv/config-per-user/ >X-#config-per-group = /etc/ocserv/config-per-group/ >X+#config-per-user = /usr/local/etc/ocserv/config-per-user/ >X+#config-per-group = /usr/local/etc/ocserv/config-per-group/ >X >X # When config-per-xxx is specified and there is no group or user that >X # matches, then utilize the following configuration. >X-#default-user-config = /etc/ocserv/defaults/user.conf >X-#default-group-config = /etc/ocserv/defaults/group.conf >X+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf >X+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf >X >X # The system command to use to setup a route. %{R} will be replaced with the >X # route/mask and %{D} with the (tun) device. >9b4b27a71830988642d9b26b811ec8e4 >echo x - ocserv/pkg-plist >sed 's/^X//' >ocserv/pkg-plist << '1a5aac9e043a10aee3ce1df627027d53' >Xbin/occtl >Xbin/ocpasswd >Xman/man8/occtl.8.gz >Xman/man8/ocpasswd.8.gz >Xman/man8/ocserv.8.gz >X@sample etc/ocserv/conf.sample >Xsbin/ocserv >X@dir /var/run/ocserv >1a5aac9e043a10aee3ce1df627027d53 >exit >
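Review bot: in the configure.ac hunk at @@ -16,11 the not-found value given to AC_CHECK_PROG([AUTOGEN], ...) is now `autogen`, while the test directly below compares `$AUTOGEN` against `x:`; neither a found nor a missing autogen can ever match, so the "autogen not found" warning is dead code. Either make the fallback `[:]` so the existing comparison works, or drop the warning block entirely since autogen is a hard BUILD_DEPENDS of the port. The CTAGS and CSCOPE change from /bin/true to /usr/bin/true is correct for FreeBSD, where true(1) lives in /usr/bin.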
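Review bot: the configure.ac hunk at @@ -124,7 hard-wires ncurses as readline's extra link library in AC_LIB_HAVE_LINKFLAGS; that matches `USES= ncurses readline` in the Makefile, but a one-line comment in the Makefile next to those USES entries saying that the configure patch depends on them would keep the two from drifting apart when one of them is edited.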
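Review bot: the configure.ac hunk at @@ -441,7 substitutes the literal `autogen` for @AUTOGEN@ in the local-libopts branch, which the port always takes via `--enable-local-libopts`; together with the doc/Makefile.am patch this means the man pages are regenerated with autogen at build time instead of being skipped with /bin/true, so the autogen BUILD_DEPENDS is load-bearing and must stay even if local libopts is dropped later.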
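Review bot: the src/config.c hunk at @@ -52,8 hard-codes /usr/local/etc/ocserv/conf into DEFAULT_CFG_FILE, so a build with a non-default PREFIX still looks under /usr/local. The usual fix is to keep the patch as is and add `${REINPLACE_CMD} -e 's|/usr/local|${PREFIX}|g' ${WRKSRC}/src/config.c ${WRKSRC}/src/ocserv-args.def` to post-patch; files/ocserv.in has the same problem (`/usr/local/sbin/${name}`, `/usr/local/etc/${name}/conf`) and should use %%PREFIX%%, which USE_RC_SUBR substitutes for you. Dropping OLD_DEFAULT_CFG_FILE here is consistent with the @@ -583,9 hunk, which removes its only use.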
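Review bot: the src/config.c hunk at @@ -414,7 comments out the "Setting '%s' as primary authentication method" message with /* */ instead of deleting the line, and it is a behaviour change unrelated to building on FreeBSD: operators lose the one startup line that states which auth method is active. If it is only console noise, leave it alone; if it really has to go, remove the line outright rather than leaving commented-out code in a port patch, and say why in the PR.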
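Review bot: in the src/main-ctl-unix.c hunk at @@ -110,10 the new `mslog(..., "using control unix socket: %s", s->perm_config->occtl_socket_file)` runs before the `occtl_socket_file == NULL` test, so when no socket file is configured it passes a NULL pointer for %s. Move it below the check or drop it, since the "initializing control unix socket" line already reports the path in the enabled case; promoting that line from LOG_DEBUG to LOG_INFO also reads like leftover debugging and should not ship in the port.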
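Review bot: the src/main-ctl-unix.c hunk at @@ -122,7 downgrades "could not create socket" from LOG_ERR to LOG_INFO although the function still returns -1, and the @@ -131,7 and @@ -139,14 hunks do the same for the bind, chown and listen failures. These are real failures that leave occtl unusable, and at LOG_INFO they disappear for anyone filtering syslog at warning or above, so keep upstream's LOG_ERR and drop these hunks from the port.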
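Review bot: in the doc/Makefile.am hunk the rewritten ocserv.8, occtl.8 and ocpasswd.8 rules drop their ../src/*-args.def prerequisites, run gsed for the first substitution but plain sed with BSD's `-I` for the second, and keep the leading `-` that tells make to ignore a failed gsed/autogen pipeline; if autogen fails, `$@` never appears and the build dies in `sed -I` with a misleading error instead of at the real cause. Suggest keeping the .def files as prerequisites, dropping the `-`, and using one sed implementation throughout (gsed is already in BUILD_DEPENDS, so `gsed -i -e 's/^\.NOP //' $@` does the job).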
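Review bot: the src/main.c hunk at @@ -131,8 correctly adds `family == AF_INET &&` so the IPv4-only IP_RECVDSTADDR option is no longer attempted on IPv6 listening sockets on *BSD; this is a genuine upstream bug rather than a packaging tweak, so please send it to the ocserv maintainers so the port can drop the patch at the next release.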
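Review bot: the src/ocserv-args.def hunk at @@ -87,7 documents the password file as /usr/local/etc/ocserv/ocpasswd, while the @@ -119,7 hunk and the shipped files/ocserv.conf use /usr/local/etc/ocserv/passwd; pick one name so the man page and the sample config agree. All of the paths in this file's hunks (including @@ -68,7 and @@ -555,13) hard-code /usr/local and want the same ${PREFIX} substitution as src/config.c.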
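Review bot: the src/ocserv-args.def hunk at @@ -431,7 documents pid-file = /var/run/ocserv/pid, which matches files/ocserv.conf, but files/ocserv.in defaults `ocserv_pidfile` to /var/run/ocserv.pid and never hands it to rc.subr as `pidfile`, and `ocserv_conf` is defined but never used because `command_args` is left commented out. Without `pidfile`, rc.subr falls back to matching the daemon by process name, which is fragile with ocserv's per-user worker processes, and the daemon only finds its config because DEFAULT_CFG_FILE happens to equal the rc default. In the rc script set `pidfile=${ocserv_pidfile}` with /var/run/ocserv/pid as the default and `command_args="-c ${ocserv_conf}"`.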
Attachments on bug 202253: 159781 | 159906 | 159907 | 159908 | 159934