FreeBSD Bugzilla – Attachment 237562 Details for Bug 267052: security/teleport: Update to 4.4.12
Attachment: second_attempt.patch (text/plain), 18.36 KB, created by Michael Reim on 2022-10-23 17:25:11 UTC
Description: Improved patch
Filename: second_attempt.patch
MIME Type: text/plain
Creator: Michael Reim
Created: 2022-10-23 17:25:11 UTC
Size: 18.36 KB
Flags: patch, obsolete
>From fe8d7b0cb082ac9f6f4024df29d77170aee1ac4d Mon Sep 17 00:00:00 2001 >From: Michael Reim <kraileth@elderlinux.org> >Date: Sun, 23 Oct 2022 19:18:41 +0200 >Subject: [PATCH] security/teleport: update to 4.4.12 > >What's new: Concurrent session control, session streaming improvements, API improvements, UI improvements, log formating options added. > >Breaking change: Users will no longer be able to connect via the Web UI to OpenSSH nodes that present public keys or certificates not signed by Teleport. Use the OpenSSH client or tsh with the 'insecure' flag to connect to such nodes. >--- > security/teleport/Makefile | 11 +-- > security/teleport/distinfo | 10 +-- > .../patch-build.assets_pkg_etc_teleport.yaml | 51 -------------- > .../patch-docs_pages_config-reference.mdx | 68 +++++++++++++++++++ > .../files/patch-lib_config_fileconf.go | 11 --- > .../files/patch-lib_defaults_defaults.go | 4 +- > .../files/patch-lib_events_auditlog.go | 4 +- > .../teleport/files/patch-lib_events_doc.go | 2 +- > .../files/patch-lib_services_server.go | 4 +- > ...tch-tool_teleport_common_teleport__test.go | 2 +- > ...ithub.com_kr_pty_ztypes__freebsd__arm64.go | 2 +- > security/teleport/files/patch-version.mk | 2 +- > security/teleport/files/pkg-message.in | 23 ++++--- > security/teleport/pkg-descr | 23 +++---- > 14 files changed, 114 insertions(+), 103 deletions(-) > delete mode 100644 security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml > create mode 100644 security/teleport/files/patch-docs_pages_config-reference.mdx > delete mode 100644 security/teleport/files/patch-lib_config_fileconf.go > >diff --git a/security/teleport/Makefile b/security/teleport/Makefile >index 6e3442557..510ed64d6 100644 >--- a/security/teleport/Makefile >+++ b/security/teleport/Makefile 
>@@ -1,12 +1,11 @@ > PORTNAME= teleport > DISTVERSIONPREFIX= v >-DISTVERSION= 4.3.9 >-PORTREVISION= 6 >+DISTVERSION= 4.4.12 > CATEGORIES= security > > MAINTAINER= swills@FreeBSD.org >-COMMENT= Gravitational Teleport SSH >-WWW= https://gravitational.com/teleport/ >+COMMENT= Centralized access gateway using the SSH protocol >+WWW= https://goteleport.com/teleport > > LICENSE= APACHE20 > >@@ -15,11 +14,13 @@ NOT_FOR_ARCHS_REASON= Uses 64bit types > > BUILD_DEPENDS= zip:archivers/zip > >+# If you need the auth service to work, you need to compile this port with >+# Go 1.17 or older. In case tsh is what you're after, Go 1.19 is fine. > USES= compiler gmake go > > USE_GITHUB= yes > GH_ACCOUNT= gravitational >-GH_TUPLE= gravitational:webassets:eac734b:webassets/webassets >+GH_TUPLE= gravitational:webassets:2ee76aa:webassets/webassets > GH_COMMIT_SHORT= fabee242d > GH_TAG_COMMIT= ${DISTVERSIONPREFIX}${DISTVERSION}-0-g${GH_COMMIT_SHORT} > >diff --git a/security/teleport/distinfo b/security/teleport/distinfo >index 27c4250be..362cf0489 100644 >--- a/security/teleport/distinfo >+++ b/security/teleport/distinfo >@@ -1,5 +1,5 @@ >-TIMESTAMP = 1609025109 >-SHA256 (gravitational-teleport-v4.3.9_GH0.tar.gz) = 6b095366cfe788ca72ef7dc2bb052ff258b0e48de82b05b34f935f928b1aa776 >-SIZE (gravitational-teleport-v4.3.9_GH0.tar.gz) = 54786284 >-SHA256 (gravitational-webassets-eac734b_GH0.tar.gz) = 3f78270f137d690adafd3ec918e51cebc0c2f18c6b3879a57eaa19a267bfc64c >-SIZE (gravitational-webassets-eac734b_GH0.tar.gz) = 4683803 >+TIMESTAMP = 1665730213 >+SHA256 (gravitational-teleport-v4.4.12_GH0.tar.gz) = 097537273bd0579b3b833870cab74ce1da5432357a14c5501db7a2c525fbcb15 >+SIZE (gravitational-teleport-v4.4.12_GH0.tar.gz) = 37824023 >+SHA256 (gravitational-webassets-2ee76aa_GH0.tar.gz) = 16c5fbdc43723c392d46163073053c850cae7d355fb97b5ba8fd298246be85c4 >+SIZE (gravitational-webassets-2ee76aa_GH0.tar.gz) = 4684443 
>diff --git a/security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml b/security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml >deleted file mode 100644 >index 7a370e692..000000000 >--- a/security/teleport/files/patch-build.assets_pkg_etc_teleport.yaml >+++ /dev/null 
>@@ -1,51 +0,0 @@ >---- build.assets/pkg/etc/teleport.yaml.orig 2020-07-08 18:08:40 UTC >-+++ build.assets/pkg/etc/teleport.yaml >-@@ -9,7 +9,7 @@ teleport: >- >- # Data directory where Teleport daemon keeps its data. >- # See "Filesystem Layout" section above for more details. >-- # data_dir: /var/lib/teleport >-+ # data_dir: /var/db/teleport >- >- # Invitation token used to join a cluster. it is not used on >- # subsequent starts >-@@ -54,8 +54,8 @@ teleport: >- type: dir >- >- # Array of locations where the audit log events will be stored. by >-- # default they are stored in `/var/lib/teleport/log` >-- # audit_events_uri: ['file:///var/lib/teleport/log', 'dynamodb://events_table_name', 'stdout://'] >-+ # default they are stored in `/var/db/teleport/log` >-+ # audit_events_uri: ['file:///var/db/teleport/log', 'dynamodb://events_table_name', 'stdout://'] >- >- # Use this setting to configure teleport to store the recorded sessions in >- # an AWS S3 bucket. see "Using Amazon S3" chapter for more information. >-@@ -111,7 +111,7 @@ auth_service: >- # By default an automatically generated name is used (not recommended) >- # >- # IMPORTANT: if you change cluster_name, it will invalidate all generated >-- # certificates and keys (may need to wipe out /var/lib/teleport directory) >-+ # certificates and keys (may need to wipe out /var/db/teleport directory) >- # cluster_name: "main" >- >- authentication: >-@@ -185,7 +185,7 @@ auth_service: >- # >- # If not set, by default Teleport will look for the `license.pem` file in >- # the configured `data_dir`. >-- # license_file: /var/lib/teleport/license.pem >-+ # license_file: /var/db/teleport/license.pem >- >- # DEPRECATED in Teleport 3.2 (moved to proxy_service section) >- # kubeconfig_file: /path/to/kubeconfig >-@@ -258,8 +258,8 @@ proxy_service: >- >- # TLS certificate for the HTTPS connection. Configuring these properly is >- # critical for Teleport security. 
>-- # https_key_file: /var/lib/teleport/webproxy_key.pem >-- # https_cert_file: /var/lib/teleport/webproxy_cert.pem >-+ # https_key_file: /var/db/teleport/webproxy_key.pem >-+ # https_cert_file: /var/db/teleport/webproxy_cert.pem >- >- # This section configures the Kubernetes proxy service >- # kubernetes: >diff --git a/security/teleport/files/patch-docs_pages_config-reference.mdx b/security/teleport/files/patch-docs_pages_config-reference.mdx >new file mode 100644 >index 000000000..b5a8eabc6 >--- /dev/null >+++ b/security/teleport/files/patch-docs_pages_config-reference.mdx 
>@@ -0,0 +1,68 @@ >+--- docs/pages/config-reference.mdx.orig 2022-02-23 04:58:43 UTC >++++ docs/pages/config-reference.mdx >+@@ -21,7 +21,7 @@ teleport: >+ >+ # Data directory where Teleport daemon keeps its data. >+ # See "Filesystem Layout" section above for more details. >+- data_dir: /var/lib/teleport >++ data_dir: /var/db/teleport >+ >+ # Invitation token used to join a cluster. it is not used on >+ # subsequent starts >+@@ -52,11 +52,11 @@ teleport: >+ max_connections: 1000 >+ max_users: 250 >+ >+- # Logging configuration. Possible output values to disk via '/var/lib/teleport/teleport.log', >++ # Logging configuration. Possible output values to disk via '/var/db/teleport/teleport.log', >+ # 'stdout', 'stderr' and 'syslog'. Possible severity values are INFO, WARN >+ # and ERROR (default). Possible format values include: timestamp, component, caller, and level. >+ log: >+- output: /var/lib/teleport/teleport.log >++ output: /var/db/teleport/teleport.log >+ severity: ERROR >+ format: [level, timestamp, component, caller] >+ # Configuration for the storage back-end used for the cluster state and the >+@@ -68,11 +68,11 @@ teleport: >+ type: dir >+ >+ # List of locations where the audit log events will be stored. By default, >+- # they are stored in `/var/lib/teleport/log` >++ # they are stored in `/var/db/teleport/log` >+ # When specifying multiple destinations like this, make sure that any highly-available >+ # storage methods (like DynamoDB or Firestore) are specified first, as this is what the >+ # Teleport web UI uses as its source of events to display. >+- audit_events_uri: ['dynamodb://events_table_name', 'firestore://events_table_name', 'file:///var/lib/teleport/log', 'stdout://'] >++ audit_events_uri: ['dynamodb://events_table_name', 'firestore://events_table_name', 'file:///var/db/teleport/log', 'stdout://'] >+ >+ # Use this setting to configure teleport to store the recorded sessions in >+ # an AWS S3 bucket or use GCP Storage with 'gs://'. 
See "Using Amazon S3" >+@@ -131,7 +131,7 @@ auth_service: >+ # By default an automatically generated name is used (not recommended) >+ # >+ # IMPORTANT: if you change cluster_name, it will invalidate all generated >+- # certificates and keys (may need to wipe out /var/lib/teleport directory) >++ # certificates and keys (may need to wipe out /var/db/teleport directory) >+ cluster_name: "main" >+ >+ authentication: >+@@ -223,7 +223,7 @@ auth_service: >+ # >+ # If not set, by default Teleport will look for the `license.pem` file in >+ # the configured `data_dir` . >+- license_file: /var/lib/teleport/license.pem >++ license_file: /var/db/teleport/license.pem >+ >+ # This section configures the 'node service': >+ ssh_service: >+@@ -320,8 +320,8 @@ proxy_service: >+ >+ # TLS certificate for the HTTPS connection. Configuring these properly is >+ # critical for Teleport security. >+- https_key_file: /var/lib/teleport/webproxy_key.pem >+- https_cert_file: /var/lib/teleport/webproxy_cert.pem >++ https_key_file: /var/db/teleport/webproxy_key.pem >++ https_cert_file: /var/db/teleport/webproxy_cert.pem >+ >+ # This section configures the Kubernetes proxy service >+ kubernetes: >diff --git a/security/teleport/files/patch-lib_config_fileconf.go b/security/teleport/files/patch-lib_config_fileconf.go >deleted file mode 100644 >index 5f8e7c137..000000000 >--- a/security/teleport/files/patch-lib_config_fileconf.go >+++ /dev/null >@@ -1,11 +0,0 @@ >---- lib/config/fileconf.go.orig 2020-07-08 18:08:40 UTC >-+++ lib/config/fileconf.go >-@@ -281,7 +281,7 @@ func MakeSampleFileConfig() (fc *FileConfig, err error >- s.Commands = []CommandLabel{ >- { >- Name: "hostname", >-- Command: []string{"/usr/bin/hostname"}, >-+ Command: []string{"/bin/hostname"}, >- Period: time.Minute, >- }, >- { >diff --git a/security/teleport/files/patch-lib_defaults_defaults.go b/security/teleport/files/patch-lib_defaults_defaults.go >index 7fbb9101d..a0ec96936 100644 
>--- a/security/teleport/files/patch-lib_defaults_defaults.go >+++ b/security/teleport/files/patch-lib_defaults_defaults.go >@@ -1,6 +1,6 @@ >---- lib/defaults/defaults.go.orig 2020-07-08 18:08:40 UTC >+--- lib/defaults/defaults.go.orig 2022-02-23 04:58:43 UTC > +++ lib/defaults/defaults.go >-@@ -436,7 +436,7 @@ var ( >+@@ -466,7 +466,7 @@ var ( > > // DataDir is where all mutable data is stored (user keys, recorded sessions, > // registered SSH servers, etc): >diff --git a/security/teleport/files/patch-lib_events_auditlog.go b/security/teleport/files/patch-lib_events_auditlog.go >index 5d4bf6843..ab0c4e04e 100644 >--- a/security/teleport/files/patch-lib_events_auditlog.go >+++ b/security/teleport/files/patch-lib_events_auditlog.go >@@ -1,4 +1,4 @@ >---- lib/events/auditlog.go.orig 2020-07-08 18:08:40 UTC >+--- lib/events/auditlog.go.orig 2022-02-23 04:58:43 UTC > +++ lib/events/auditlog.go > @@ -45,7 +45,7 @@ import ( > const ( >@@ -8,4 +8,4 @@ > + // in /var/db/teleport/logs/sessions > SessionLogsDir = "sessions" > >- // PlaybacksDir is a directory for playbacks >+ // StreamingLogsDir is a subdirectory of sessions /var/lib/teleport/logs/streaming >diff --git a/security/teleport/files/patch-lib_events_doc.go b/security/teleport/files/patch-lib_events_doc.go >index bc308eaee..570c0aba3 100644 >--- a/security/teleport/files/patch-lib_events_doc.go >+++ b/security/teleport/files/patch-lib_events_doc.go >@@ -1,4 +1,4 @@ >---- lib/events/doc.go.orig 2020-07-08 18:08:40 UTC >+--- lib/events/doc.go.orig 2022-02-23 04:58:43 UTC > +++ lib/events/doc.go > @@ -85,7 +85,7 @@ Main Audit Log Format > >diff --git a/security/teleport/files/patch-lib_services_server.go b/security/teleport/files/patch-lib_services_server.go >index f763c90a5..a93f72ee3 100644 >--- a/security/teleport/files/patch-lib_services_server.go >+++ b/security/teleport/files/patch-lib_services_server.go 
>@@ -1,6 +1,6 @@ >---- lib/services/server.go.orig 2020-07-08 18:08:40 UTC >+--- lib/services/server.go.orig 2022-02-23 04:58:43 UTC > +++ lib/services/server.go >-@@ -546,7 +546,7 @@ type CommandLabelV1 struct { >+@@ -578,7 +578,7 @@ type CommandLabelV1 struct { > // Period is a time between command runs > Period time.Duration `json:"period"` > // Command is a command to run >diff --git a/security/teleport/files/patch-tool_teleport_common_teleport__test.go b/security/teleport/files/patch-tool_teleport_common_teleport__test.go >index d2f64d575..cccc072a2 100644 >--- a/security/teleport/files/patch-tool_teleport_common_teleport__test.go >+++ b/security/teleport/files/patch-tool_teleport_common_teleport__test.go >@@ -1,4 +1,4 @@ >---- tool/teleport/common/teleport_test.go.orig 2020-07-08 18:08:40 UTC >+--- tool/teleport/common/teleport_test.go.orig 2022-02-23 04:58:43 UTC > +++ tool/teleport/common/teleport_test.go > @@ -62,7 +62,7 @@ func (s *MainTestSuite) SetUpSuite(c *check.C) { > >diff --git a/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go b/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go >index 1362356de..3178f17f7 100644 >--- a/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go >+++ b/security/teleport/files/patch-vendor_github.com_kr_pty_ztypes__freebsd__arm64.go >@@ -1,4 +1,4 @@ >---- vendor/github.com/kr/pty/ztypes_freebsd_arm64.go.orig 2020-07-24 04:36:27 UTC >+--- vendor/github.com/kr/pty/ztypes_freebsd_arm64.go.orig 2022-10-14 07:07:07 UTC > +++ vendor/github.com/kr/pty/ztypes_freebsd_arm64.go > @@ -0,0 +1,13 @@ > +// Created by cgo -godefs - DO NOT EDIT >diff --git a/security/teleport/files/patch-version.mk b/security/teleport/files/patch-version.mk >index ee12c2c4f..1457af7a1 100644 >--- a/security/teleport/files/patch-version.mk >+++ b/security/teleport/files/patch-version.mk 
>@@ -1,4 +1,4 @@ >---- version.mk.orig 2020-07-08 18:08:40 UTC >+--- version.mk.orig 2022-02-23 04:58:43 UTC > +++ version.mk > @@ -1,4 +1,4 @@ > -GITREF=`git describe --dirty --long --tags` >diff --git a/security/teleport/files/pkg-message.in b/security/teleport/files/pkg-message.in >index 2a874bdc7..f15cd53d3 100644 >--- a/security/teleport/files/pkg-message.in >+++ b/security/teleport/files/pkg-message.in >@@ -1,13 +1,20 @@ > [ > { type: install > message: <<EOM >+ATTENTION! This version of Teleport is very old and likely to contain unfixed >+ATTENTION! vulnerabilities. It's only provided to allow for a working upgrade >+ATTENTION! path from 4.3. Watch for an upgrade to teleport5 next. >+ATTENTION! New installations are STRONGLY discouraged (wait for version 7). >+ > Quick getting started guide: > > 1. Read through the Quick Start Guide (see below). > 2. Start teleport: su -c 'sysrc teleport_enable=YES' >-3. Start teleport: su -c 'service teleport start' >-3. Add yourself as a user: su -c "tctl users add $USER" >-4. Create a password and 2FA code using the URL emitted during >+3. If not just setting up a node: su -c 'sysrc teleport_roles=auth,proxy,node' >+4. Review and edit /usr/local/etc/teleport.yaml >+5. Start teleport: su -c 'service teleport start' >+6. Add yourself as a user on the auth server: su -c "tctl users add $USER" >+7. Create a password and 2FA code using the URL emitted during > the previous step. > > To add a new node to the cluster, on the auth server: 
>@@ -16,11 +23,11 @@ To add a new node to the cluster, on the auth server: > > See the docs for additional details: > >-Quick start: https://gravitational.com/teleport/docs/quickstart/ >-Admin Manual: https://gravitational.com/teleport/docs/admin-guide/ >-User Manual: https://gravitational.com/teleport/docs/user-manual/ >-Architecture: https://gravitational.com/teleport/docs/architecture/ >-FAQ: https://gravitational.com/teleport/docs/faq/ >+Quick start: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/quickstart.mdx >+Admin Manual: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/admin-guide.mdx >+User Manual: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/user-manual.mdx >+Architecture: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/architecture/overview.mdx >+FAQ: https://github.com/gravitational/teleport/blob/branch/4.4/docs/pages/faq.mdx > EOM > } > ] >diff --git a/security/teleport/pkg-descr b/security/teleport/pkg-descr >index d74249c8a..e9cb0029b 100644 >--- a/security/teleport/pkg-descr >+++ b/security/teleport/pkg-descr 
>@@ -1,16 +1,13 @@ > What is Teleport? > ================= >-Gravitational Teleport ("Teleport") is a modern SSH server for remotely >-accessing clusters of servers via SSH or HTTPS. It is intended to be used >-instead of sshd. Teleport enables teams to easily adopt the best SSH practices >-like: >+Teleport is a gateway for managing access to clusters of *nix servers via >+SSH or the Kubernetes API. While it does also support connecting to >+servers running traditional OpenSSH, its own node deamon is intended to be >+used instead for additional functionality. > >-Integrated SSH credentials with your organization Google Apps identities or >-other OAuth identitiy providers. No need to distribute keys: Teleport uses >-certificate-based access with automatic expiration time. Enforcement of 2nd >-factor authentication. Cluster introspection: every Teleport node becomes a part >-of a cluster and is visible on the Web UI. Record and replay SSH sessions for >-knowledge sharing and auditing purposes. Collaboratively troubleshoot issues >-through session sharing. Connect to clusters located behind firewalls without >-direct Internet access via SSH bastions. Teleport is built on top of the >-high-quality Golang SSH implementation and it is compatible with OpenSSH. >+With Teleport it is simple to adopt SSH best practices like using >+certificate-based access and enabling 2FA via TOTP (e.g. Google >+Authenticator), U2F or an SSO provider. Cluster nodes can be accessed via >+a CLI (tsh) or a Web UI which both allow for session sharing. Teleport >+provides centralized user management as well as full session recordings >+that can be played back for knowledge sharing or auditing purposes. >-- >2.38.1 >
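Review bot: GH_COMMIT_SHORT= fabee242d is left as unchanged context in the second Makefile hunk (@@ -15,11 +14,13 @@) while DISTVERSION moves from 4.3.9 to 4.4.12, so GH_TAG_COMMIT now expands to v4.4.12-0-gfabee242d. Two different release tags do not point at the same commit, and patch-version.mk removes the `git describe --dirty --long --tags` GITREF in favour of a static value, so check that the replacement does not bake the 4.3.9 hash into the 4.4.12 binaries; set GH_COMMIT_SHORT to the short hash of the v4.4.12 tag. The new comment "If you need the auth service to work, you need to compile this port with Go 1.17 or older" is also only a Makefile comment: `USES= compiler gmake go` takes whatever Go the tree defaults to, so a package built with the default toolchain ships an auth service the comment says will not work, with no warning to the user. Either restrict the toolchain in USES or repeat the caveat in pkg-message.in, and say what "work" means (build failure versus runtime failure).

Review bot: Step 4 of the new pkg-message tells users to review /usr/local/etc/teleport.yaml, but this patch deletes patch-build.assets_pkg_etc_teleport.yaml (the /var/lib to /var/db rewrite of the packaged sample config) and adds patch-docs_pages_config-reference.mdx, which rewrites the same paths in a documentation page instead. Neither Makefile hunk shows how the sample config is installed now, so please state in the commit message which file becomes /usr/local/etc/teleport.yaml and confirm it carries the /var/db/teleport paths; otherwise a fresh install gets a config whose data_dir, audit_events_uri, license_file and https_key_file/https_cert_file still point at /var/lib/teleport while the port's other patches move the daemon to /var/db/teleport.

Review bot: The deletion of patch-lib_config_fileconf.go is not mentioned in the commit message. That patch changed the sample command label in MakeSampleFileConfig from `/usr/bin/hostname` to `/bin/hostname`; on FreeBSD hostname(1) lives in /bin, so unless 4.4.12 no longer hardcodes /usr/bin/hostname there, a config generated from the sample gets a hostname label that fails on every run. Say why the patch is no longer needed, or carry it forward against the 4.4.12 line numbers as was done for the other patches.

Review bot: In patch-lib_events_auditlog.go the refreshed trailing context now reads `// StreamingLogsDir is a subdirectory of sessions /var/lib/teleport/logs/streaming` directly under the port's own `// in /var/db/teleport/logs/sessions` rewrite. If the point of this patch is FreeBSD-correct paths in the comments, extend it to the StreamingLogsDir comment too; as it stands the two adjacent comments disagree on where the data directory is.

Review bot: The breaking change from the commit message (the Web UI no longer connects to OpenSSH nodes whose keys or certificates are not signed by Teleport; use the OpenSSH client or tsh with the 'insecure' flag) never reaches the user: the first pkg-message.in hunk only carries a `type: install` message. Since the ATTENTION block describes this version as existing only to provide an upgrade path from 4.3, add a `type: upgrade` message (pkg-message supports it) naming that change, so admins with OpenSSH-only nodes are not surprised after upgrading. The ATTENTION text also contradicts itself, "Watch for an upgrade to teleport5 next" versus "wait for version 7"; pick one. Step 3, `sysrc teleport_roles=auth,proxy,node`, is the all-in-one layout; label it as a quick-start layout rather than the recommended one.

Review bot: "deamon" in the pkg-descr hunk should be "daemon". Also "enabling 2FA via TOTP (e.g. Google Authenticator), U2F or an SSO provider" lists an SSO provider as a second factor, which it is not; rephrase as "enabling 2FA via TOTP (e.g. Google Authenticator) or U2F, or delegating authentication to an SSO provider".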
Attachments on bug 267052: 237302 | 237562