diff options
Diffstat (limited to 'net-misc/openssh/files')
16 files changed, 1145 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch new file mode 100644 index 00000000..c81ae5cb --- /dev/null +++ b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch @@ -0,0 +1,127 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +Index: readconf.c +=================================================================== +RCS file: /cvs/openssh/readconf.c,v +retrieving revision 1.135 +diff -u -r1.135 readconf.c +--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 ++++ readconf.c 19 Aug 2006 11:59:52 -0000 +@@ -126,6 +126,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, +@@ -163,9 +164,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -444,6 +447,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1010,6 +1017,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1100,6 +1108,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +Index: readconf.h +=================================================================== +RCS file: /cvs/openssh/readconf.h,v +retrieving revision 1.63 +diff -u -r1.63 readconf.h +--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63 ++++ readconf.h 19 Aug 2006 11:59:52 -0000 +@@ -45,6 +45,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +Index: ssh_config.5 +=================================================================== +RCS file: /cvs/openssh/ssh_config.5,v +retrieving revision 1.97 +diff -u -r1.97 ssh_config.5 +--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97 ++++ ssh_config.5 19 Aug 2006 11:59:53 -0000 +@@ -483,7 +483,16 @@ + Forward (delegate) credentials to the server. + The default is + .Dq no . +-Note that this option applies to protocol version 2 only. ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +Index: sshconnect2.c +=================================================================== +RCS file: /cvs/openssh/sshconnect2.c,v +retrieving revision 1.151 +diff -u -r1.151 sshconnect2.c +--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 ++++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 +@@ -499,6 +499,12 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) ++ gss_host = get_canonical_hostname(1); ++ else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -511,7 +517,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch new file mode 100644 index 00000000..c3647d5a --- /dev/null +++ b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch @@ -0,0 +1,51 @@ +--- openssh-6.3p1/Makefile.in ++++ openssh-6.3p1/Makefile.in +@@ -45,7 +45,7 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + K5LIBS=@K5LIBS@ + GSSLIBS=@GSSLIBS@ +@@ -53,6 +53,7 @@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- openssh-6.3p1/sshconnect.c ++++ openssh-6.3p1/sshconnect.c +@@ -465,7 +465,7 @@ + { + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n", ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", +--- openssh-6.3p1/sshd.c ++++ openssh-6.3p1/sshd.c +@@ -472,8 +472,8 @@ + comment = ""; + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", +- major, minor, SSH_VERSION, comment, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", ++ major, minor, SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + +--- openssh-6.3p1/version.h ++++ openssh-6.3p1/version.h +@@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_6.3" + + #define SSH_PORTABLE "p1" ++#define SSH_X509 " PKIX" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch new file mode 100644 index 00000000..6aed19be --- /dev/null +++ b/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch @@ -0,0 +1,30 @@ +Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch and remove +redundant README.x509v3 directory. + +--- openssh-6.4p1+x509-7.7.diff.orig 2013-11-09 14:51:13.400696545 -0800 ++++ openssh-6.4p1+x509-7.7.diff 2013-11-09 14:51:05.798786189 -0800 +@@ -6809,9 +6809,9 @@ + + -$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $ + +$OpenBSD$ +-diff -ruN openssh-6.4p1/README.x509v3/README.x509v3 openssh-6.4p1+x509-7.7/README.x509v3/README.x509v3 +---- openssh-6.4p1/README.x509v3/README.x509v3 1970-01-01 02:00:00.000000000 +0200 +-+++ openssh-6.4p1+x509-7.7/README.x509v3/README.x509v3 2013-05-17 18:50:02.156263192 +0300 ++diff -ruN openssh-6.4p1/README.x509v3 openssh-6.4p1+x509-7.7/README.x509v3 ++--- openssh-6.4p1/README.x509v3 1970-01-01 02:00:00.000000000 +0200 +++++ openssh-6.4p1+x509-7.7/README.x509v3 2013-05-17 18:50:02.156263192 +0300 + @@ -0,0 +1,615 @@ + + Roumen Petrov + + Sofia, Bulgaria +@@ -14793,10 +14793,9 @@ + .It Cm ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or though authentication styles supported in +-@@ -490,6 +567,16 @@ ++@@ -490,5 +567,15 @@ + The default is + .Dq yes . +- Note that this option applies to protocol version 2 only. + +.It Cm HostbasedAlgorithms + +Specifies the protocol version 2 algorithms used in + +.Dq hostbased diff --git a/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch b/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch new file mode 100644 index 00000000..a3361cac --- /dev/null +++ b/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch @@ -0,0 +1,21 @@ +diff -Naur openssh-6.4p1.orig/loginrec.c openssh-6.4p1/loginrec.c +--- openssh-6.4p1.orig/loginrec.c 2014-01-22 17:33:12.380676129 +0000 ++++ openssh-6.4p1/loginrec.c 2014-01-22 17:55:40.957751536 +0000 +@@ -785,12 +785,12 @@ + /* this is just a 128-bit IPv6 address */ + if (li->hostaddr.sa.sa_family == AF_INET6) { + sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa); +- memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); ++ memcpy(utx->ut_addr_v6, sa6->sin6_addr.s6_addr, 16); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { +- ut->ut_addr_v6[0] = ut->ut_addr_v6[3]; +- ut->ut_addr_v6[1] = 0; +- ut->ut_addr_v6[2] = 0; +- ut->ut_addr_v6[3] = 0; ++ utx->ut_addr_v6[0] = utx->ut_addr_v6[3]; ++ utx->ut_addr_v6[1] = 0; ++ utx->ut_addr_v6[2] = 0; ++ utx->ut_addr_v6[3] = 0; + } + } + # endif diff --git a/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch b/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch new file mode 100644 index 00000000..22b6ffac --- /dev/null +++ b/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch @@ -0,0 +1,67 @@ +diff -Naur openssh-6.4p1.orig/channels.c openssh-6.4p1/channels.c +--- openssh-6.4p1.orig/channels.c 2014-01-22 17:14:19.508612783 +0000 ++++ openssh-6.4p1/channels.c 2014-01-22 17:18:18.176626129 +0000 +@@ -61,6 +61,7 @@ + #include <termios.h> + #include <unistd.h> + #include <stdarg.h> ++#include <sys/param.h> + + #include "openbsd-compat/sys-queue.h" + #include "xmalloc.h" +diff -Naur openssh-6.4p1.orig/loginrec.c openssh-6.4p1/loginrec.c +--- openssh-6.4p1.orig/loginrec.c 2013-06-01 22:07:32.000000000 +0000 ++++ openssh-6.4p1/loginrec.c 2014-01-22 17:30:57.322668577 +0000 +@@ -162,6 +162,7 @@ + #include <stdarg.h> + #include <string.h> + #include <time.h> ++#include <sys/time.h> + #include <unistd.h> + + #include "xmalloc.h" +diff -Naur openssh-6.4p1.orig/sshconnect.c openssh-6.4p1/sshconnect.c +--- openssh-6.4p1.orig/sshconnect.c 2014-01-22 17:16:53.809621411 +0000 ++++ openssh-6.4p1/sshconnect.c 2014-01-22 17:17:19.535622850 +0000 +@@ -40,6 +40,7 @@ + #include <stdlib.h> + #include <string.h> + #include <unistd.h> ++#include <sys/param.h> + + #include "xmalloc.h" + #include "key.h" +diff -Naur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c +--- openssh-6.4p1.orig/sshd.c 2014-01-22 17:14:19.517612784 +0000 ++++ openssh-6.4p1/sshd.c 2014-01-22 17:18:54.560628163 +0000 +@@ -83,6 +83,8 @@ + #include <prot.h> + #endif + ++#include <sys/param.h> ++ + #include "xmalloc.h" + #include "ssh.h" + #include "ssh1.h" +diff -Naur openssh-6.4p1.orig/ssh-keyscan.c openssh-6.4p1/ssh-keyscan.c +--- openssh-6.4p1.orig/ssh-keyscan.c 2013-06-01 21:31:19.000000000 +0000 ++++ openssh-6.4p1/ssh-keyscan.c 2014-01-22 17:59:37.756764777 +0000 +@@ -29,6 +29,7 @@ + #include <signal.h> + #include <string.h> + #include <unistd.h> ++#include <sys/param.h> + + #include "xmalloc.h" + #include "ssh.h" +diff -Naur openssh-6.4p1.orig/ssh-pkcs11-helper.c openssh-6.4p1/ssh-pkcs11-helper.c +--- openssh-6.4p1.orig/ssh-pkcs11-helper.c 2013-06-01 21:31:19.000000000 +0000 ++++ openssh-6.4p1/ssh-pkcs11-helper.c 2014-01-22 18:00:04.653766281 +0000 +@@ -28,6 +28,7 @@ + #include <string.h> + #include <unistd.h> + #include <errno.h> ++#include <sys/param.h> + + #include "xmalloc.h" + #include "buffer.h" diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch new file mode 100644 index 00000000..fa33af39 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch @@ -0,0 +1,17 @@ +the last nibble of the openssl version represents the status. that is, +whether it is a beta or release. when it comes to version checks in +openssh, this component does not matter, so ignore it. + +https://bugzilla.mindrot.org/show_bug.cgi?id=2212 + +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ +- mask = 0xfff0000fL; /* major,minor,status */ ++ mask = 0xfff00000L; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch new file mode 100644 index 00000000..bd0b7ce1 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch @@ -0,0 +1,42 @@ +--- openssh-6.7_p1-sctp.patch.orig 2014-11-24 10:34:31.817538707 -0800 ++++ openssh-6.7_p1-sctp.patch 2014-11-24 10:38:52.744990154 -0800 +@@ -195,14 +195,6 @@ + .Op Fl c Ar cipher + .Op Fl F Ar ssh_config + .Op Fl i Ar identity_file +-@@ -178,6 +178,7 @@ For full details of the options listed b +- .It ServerAliveCountMax +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It UsePrivilegedPort +- .It User +- .It UserKnownHostsFile + @@ -218,6 +219,8 @@ and + to print debugging messages about their progress. + This is helpful in +@@ -482,14 +474,6 @@ + .Op Fl b Ar bind_address + .Op Fl c Ar cipher_spec + .Op Fl D Oo Ar bind_address : Oc Ns Ar port +-@@ -473,6 +473,7 @@ For full details of the options listed b +- .It StreamLocalBindUnlink +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It Tunnel +- .It TunnelDevice +- .It UsePrivilegedPort + @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte + controls. + .It Fl y +@@ -527,7 +511,7 @@ +- again: ++ + - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" + + while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT +- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { + switch (opt) { + case '1': + @@ -732,6 +738,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch new file mode 100644 index 00000000..96818e42 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch @@ -0,0 +1,162 @@ +https://bugs.gentoo.org/378361 +https://bugzilla.mindrot.org/show_bug.cgi?id=928 + +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -41,9 +41,12 @@ + #include "channels.h" + #include "session.h" + #include "misc.h" ++#include "servconf.h" + + #include "ssh-gss.h" + ++extern ServerOptions options; ++ + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; +@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + char lname[NI_MAXHOST]; + gss_OID_set oidset; + +- gss_create_empty_oid_set(&status, &oidset); +- gss_add_oid_set_member(&status, ctx->oid, &oidset); +- +- if (gethostname(lname, sizeof(lname))) { +- gss_release_oid_set(&status, &oidset); +- return (-1); +- } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ ++ if (gethostname(lname, MAXHOSTNAMELEN)) { ++ gss_release_oid_set(&status, &oidset); ++ return (-1); ++ } ++ ++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { ++ gss_release_oid_set(&status, &oidset); ++ return (ctx->major); ++ } ++ ++ if ((ctx->major = gss_acquire_cred(&ctx->minor, ++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, ++ NULL, NULL))) ++ ssh_gssapi_error(ctx); + +- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); ++ } else { ++ ctx->name = GSS_C_NO_NAME; ++ ctx->creds = GSS_C_NO_CREDENTIAL; + } +- +- if ((ctx->major = gss_acquire_cred(&ctx->minor, +- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) +- ssh_gssapi_error(ctx); +- +- gss_release_oid_set(&status, &oidset); +- return (ctx->major); ++ return GSS_S_COMPLETE; + } + + /* Privileged */ +--- a/servconf.c ++++ b/servconf.c +@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; ++ options->gss_strict_acceptor = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; ++ if (options->gss_strict_acceptor == -1) ++ options->gss_strict_acceptor = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -277,7 +280,8 @@ typedef enum { + sBanner, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, +- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sZeroKnowledgePasswordAuthentication, sHostCertificate, +@@ -327,9 +331,11 @@ static struct { + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + #endif + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, +@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions + + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; ++ goto parse_flag; ++ ++ case sGssStrictAcceptor: ++ intptr = &options->gss_strict_acceptor; + goto parse_flag; + + case sPasswordAuthentication: +--- a/servconf.h ++++ b/servconf.h +@@ -92,6 +92,7 @@ typedef struct { + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ ++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +--- a/sshd_config ++++ b/sshd_config +@@ -69,6 +69,7 @@ + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -386,6 +386,21 @@ on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful public key client host authentication is allowed diff --git a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch new file mode 100644 index 00000000..71b9c517 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch @@ -0,0 +1,46 @@ +--- openssh-6.7p1.orig/sshd_config.5 2014-11-24 10:24:29.356244415 -0800 ++++ openssh-6.7p1/sshd_config.5 2014-11-24 10:23:49.415029039 -0800 +@@ -610,21 +610,6 @@ + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. +-.It Cm GSSAPIStrictAcceptorCheck +-Determines whether to be strict about the identity of the GSSAPI acceptor +-a client authenticates against. +-If set to +-.Dq yes +-then the client must authenticate against the +-.Pa host +-service on the current hostname. +-If set to +-.Dq no +-then the client may authenticate against any service key stored in the +-machine's default store. +-This facility is provided to assist with operation on multi homed machines. +-The default is +-.Dq yes . + .It Cm HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful public key client host authentication is allowed +@@ -651,6 +636,21 @@ + attempting to resolve the name from the TCP connection itself. + The default is + .Dq no . ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostCertificate + Specifies a file containing a public host certificate. + The certificate's public key must match a private host key already specified diff --git a/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch b/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch new file mode 100644 index 00000000..4998a941 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch @@ -0,0 +1,441 @@ +diff -ur a/openssh-6.7p1/configure.ac b/openssh-6.7p1/configure.ac +--- a/openssh-6.7p1/configure.ac 2014-08-26 21:32:01.000000000 -0100 ++++ b/openssh-6.7p1/configure.ac 2014-12-08 20:55:47.281836604 -0100 +@@ -252,7 +252,7 @@ + [AC_LANG_PROGRAM([[ + #include <stdlib.h> + __attribute__((__unused__)) static void foo(void){return;}]], +- [[ exit(0); ]])], ++ [[ return 0; ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1, +@@ -442,7 +442,7 @@ + [AC_LANG_PROGRAM([[ + #define testmacro foo + #define testmacro bar]], +- [[ exit(0); ]])], ++ [[ return 0; ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) + CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`" +@@ -562,9 +562,9 @@ + AC_MSG_CHECKING([if we have working getaddrinfo]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h> + main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) +- exit(0); ++ return 0; + else +- exit(1); ++ return 1; + } + ]])], + [AC_MSG_RESULT([working])], +@@ -1067,7 +1067,7 @@ + esac + + AC_MSG_CHECKING([compiler and flags for sanity]) +-AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])], ++AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ return 0; ]])], + [ AC_MSG_RESULT([yes]) ], + [ + AC_MSG_RESULT([no]) +@@ -1099,9 +1099,9 @@ + strncpy(buf,"/etc", 32); + s = dirname(buf); + if (!s || strncmp(s, "/", 32) != 0) { +- exit(1); ++ return 1; + } else { +- exit(0); ++ return 0; + } + } + ]])], +@@ -1191,19 +1191,19 @@ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); + if (n != 3 && n != 4) +- exit(1); ++ return 1; + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + + /* 1.1.4 is OK */ + if (a == 1 && b == 1 && c >= 4) +- exit(0); ++ return 0; + + /* 1.2.3 and up are OK */ + if (v >= 1020300) +- exit(0); ++ return 0; + +- exit(2); ++ return 2; + ]])], + AC_MSG_RESULT([no]), + [ AC_MSG_RESULT([yes]) +@@ -1308,7 +1308,7 @@ + #include <dirent.h>]], + [[ + struct dirent d; +- exit(sizeof(d.d_name)<=sizeof(char)); ++ return sizeof(d.d_name)<=sizeof(char); + ]])], + [AC_MSG_RESULT([yes])], + [ +@@ -1354,7 +1354,7 @@ + #include <skey.h> + ]], [[ + char *ff = skey_keyinfo(""); ff=""; +- exit(0); ++ return 0; + ]])], + [AC_MSG_RESULT([yes])], + [ +@@ -1403,7 +1403,7 @@ + #include <stdlib.h> + #include <stdint.h> + #include <ldns/ldns.h> +-int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); } ++int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; return 0; } + ]]) + ], + [AC_MSG_RESULT(yes)], +@@ -1460,7 +1460,7 @@ + [[ + int i = H_SETSIZE; + el_init("", NULL, NULL, NULL); +- exit(0); ++ return 0; + ]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) +@@ -1808,9 +1808,9 @@ + errno=0; + setresuid(0,0,0); + if (errno==ENOSYS) +- exit(1); ++ return 1; + else +- exit(0); ++ return 0; + ]])], + [AC_MSG_RESULT([yes])], + [AC_DEFINE([BROKEN_SETRESUID], [1], +@@ -1831,9 +1831,9 @@ + errno=0; + setresgid(0,0,0); + if (errno==ENOSYS) +- exit(1); ++ return 1; + else +- exit(0); ++ return 0; + ]])], + [AC_MSG_RESULT([yes])], + [AC_DEFINE([BROKEN_SETRESGID], [1], +@@ -1875,7 +1875,7 @@ + [[ + char b[5]; + snprintf(b,5,"123456789"); +- exit(b[4]!='\0'); ++ return b[4]!='\0'; + ]])], + [AC_MSG_RESULT([yes])], + [ +@@ -1966,9 +1966,9 @@ + ]], [[ + char template[]="conftest.mkstemp-test"; + if (mkstemp(template) == -1) +- exit(1); ++ return 1; + unlink(template); +- exit(0); ++ return 0; + ]])], + [ + AC_MSG_RESULT([no]) +@@ -1999,22 +1999,22 @@ + + pid = fork(); + if (pid < 0) { /* failed */ +- exit(1); ++ return 1; + } else if (pid > 0) { /* parent */ + waitpid(pid, &status, 0); + if (WIFEXITED(status)) +- exit(WEXITSTATUS(status)); ++ return WEXITSTATUS(status); + else +- exit(2); ++ return 2; + } else { /* child */ + close(0); close(1); close(2); + setsid(); + openpty(&ptyfd, &ttyfd, NULL, NULL, NULL); + fd = open("/dev/tty", O_RDWR | O_NOCTTY); + if (fd >= 0) +- exit(3); /* Acquired ctty: broken */ ++ return 3; /* Acquired ctty: broken */ + else +- exit(0); /* Did not acquire ctty: OK */ ++ return 0; /* Did not acquire ctty: OK */ + } + ]])], + [ +@@ -2055,7 +2055,7 @@ + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); +- exit(1); ++ return 1; + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { +@@ -2072,7 +2072,7 @@ + else + fprintf(stderr, "getnameinfo failed: %s\n", + gai_strerror(err)); +- exit(2); ++ return 2; + } + + sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); +@@ -2080,10 +2080,10 @@ + perror("socket"); + if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { + if (errno == EBADF) +- exit(3); ++ return 3; + } + } +- exit(0); ++ return 0; + ]])], + [ + AC_MSG_RESULT([yes]) +@@ -2123,7 +2123,7 @@ + err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai); + if (err != 0) { + fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err)); +- exit(1); ++ return 1; + } + + for (ai = gai_ai; ai != NULL; ai = ai->ai_next) { +@@ -2136,10 +2136,10 @@ + + if (ai->ai_family == AF_INET && err != 0) { + perror("getnameinfo"); +- exit(2); ++ return 2; + } + } +- exit(0); ++ return 0; + ]])], + [ + AC_MSG_RESULT([yes]) +@@ -2248,12 +2248,12 @@ + + fd = fopen(DATA,"w"); + if(fd == NULL) +- exit(1); ++ return 1; + + if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) +- exit(1); ++ return 1; + +- exit(0); ++ return 0; + ]])], + [ + ssl_header_ver=`cat conftest.sslincver` +@@ -2283,13 +2283,13 @@ + + fd = fopen(DATA,"w"); + if(fd == NULL) +- exit(1); ++ return 1; + + if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), + SSLeay_version(SSLEAY_VERSION))) <0) +- exit(1); ++ return 1; + +- exit(0); ++ return 0; + ]])], + [ + ssl_library_ver=`cat conftest.ssllibver` +@@ -2330,7 +2330,7 @@ + #include <string.h> + #include <openssl/opensslv.h> + ]], [[ +- exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); ++ return SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1; + ]])], + [ + AC_MSG_RESULT([yes]) +@@ -2419,7 +2419,7 @@ + #include <string.h> + #include <openssl/evp.h> + ]], [[ +- exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); ++ return EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL; + ]])], + [ + AC_MSG_RESULT([no]) +@@ -2490,7 +2490,7 @@ + #include <openssl/evp.h> + ]], [[ + if(EVP_DigestUpdate(NULL, NULL,0)) +- exit(0); ++ return 0; + ]])], + [ + AC_MSG_RESULT([yes]) +@@ -2604,7 +2604,7 @@ + ]],[[ + EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); + const EVP_MD *m = EVP_sha512(); /* We need this too */ +- exit(e == NULL || m == NULL); ++ return e == NULL || m == NULL; + ]])], + [ AC_MSG_RESULT([yes]) + enable_nistp521=1 ], +@@ -2677,7 +2677,7 @@ + #include <string.h> + #include <openssl/rand.h> + ]], [[ +- exit(RAND_status() == 1 ? 0 : 1); ++ return RAND_status() == 1 ? 0 : 1; + ]])], + [ + OPENSSL_SEEDS_ITSELF=yes +@@ -2985,7 +2985,7 @@ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; +- exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0); ++ return setrlimit(RLIMIT_FSIZE, &rl_zero) != 0; + ]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) +@@ -3119,7 +3119,7 @@ + long long i, llmin, llmax = 0; + + if((f = fopen(DATA,"w")) == NULL) +- exit(1); ++ return 1; + + #if defined(LLONG_MIN) && defined(LLONG_MAX) + fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n"); +@@ -3138,16 +3138,16 @@ + || llmax - 1 > llmax || llmin == llmax || llmin == 0 + || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) { + fprintf(f, "unknown unknown\n"); +- exit(2); ++ return 2; + } + + if (fprint_ll(f, llmin) < 0) +- exit(3); ++ return 3; + if (fprint_ll(f, llmax) < 0) +- exit(4); ++ return 4; + if (fclose(f) < 0) +- exit(5); +- exit(0); ++ return 5; ++ return 0; + ]])], + [ + llong_min=`$AWK '{print $1}' conftest.llminmax` +@@ -3553,8 +3553,8 @@ + strcpy(expected_out, "9223372036854775807"); + snprintf(buf, mazsize, "%lld", num); + if(strcmp(buf, expected_out) != 0) +- exit(1); +- exit(0); ++ return 1; ++ return 0; + } + #else + main() { exit(0); } +@@ -3641,11 +3641,11 @@ + ]], [[ + #ifdef msg_accrights + #error "msg_accrights is a macro" +-exit(1); ++return 1; + #endif + struct msghdr m; + m.msg_accrights = 0; +-exit(0); ++return 0; + ]])], + [ ac_cv_have_accrights_in_msghdr="yes" ], + [ ac_cv_have_accrights_in_msghdr="no" ] +@@ -3702,11 +3702,11 @@ + ]], [[ + #ifdef msg_control + #error "msg_control is a macro" +-exit(1); ++return 1; + #endif + struct msghdr m; + m.msg_control = 0; +-exit(0); ++return 0; + ]])], + [ ac_cv_have_control_in_msghdr="yes" ], + [ ac_cv_have_control_in_msghdr="no" ] +@@ -4128,22 +4128,22 @@ + + fd = fopen(DATA,"w"); + if(fd == NULL) +- exit(1); ++ return 1; + + #if defined (_PATH_MAILDIR) + if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0) +- exit(1); ++ return 1; + #elif defined (MAILDIR) + if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0) +- exit(1); ++ return 1; + #elif defined (_PATH_MAIL) + if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0) +- exit(1); ++ return 1; + #else + exit (2); + #endif + +- exit(0); ++ return 0; + ]])], + [ + maildir_what=`awk -F: '{print $1}' conftest.maildir` +@@ -4378,12 +4378,12 @@ + + fd = fopen(DATA,"w"); + if(fd == NULL) +- exit(1); ++ return 1; + + if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0) +- exit(1); ++ return 1; + +- exit(0); ++ return 0; + ]])], + [ user_path=`cat conftest.stdpath` ], + [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ], diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd new file mode 100644 index 00000000..28952b4a --- /dev/null +++ b/net-misc/openssh/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2 new file mode 100644 index 00000000..b801aaaf --- /dev/null +++ b/net-misc/openssh/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4 new file mode 100755 index 00000000..1b872bc8 --- /dev/null +++ b/net-misc/openssh/files/sshd.rc6.4 @@ -0,0 +1,87 @@ +#!/sbin/runscript +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.4,v 1.3 2013/04/24 03:13:03 vapier Exp $ + +extra_commands="checkconfig" +extra_started_commands="reload" + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_CONFIG=${SSHD_CONFIG:-${SSHD_CONFDIR}/sshd_config} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +depend() { + use logger dns + if [ "${rc_need+set}" = "set" ]; then + : # Do nothing, the user has explicitly set rc_need + else + warn_addr='' + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "$x" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} $x" ;; + esac + done + unset x + if [ "${warn_addr:+set}" = "set" ]; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + unset warn_addr + fi +} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ssh-keygen -A || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service new file mode 100644 index 00000000..b5e96b3a --- /dev/null +++ b/net-misc/openssh/files/sshd.service @@ -0,0 +1,11 @@ +[Unit] +Description=OpenSSH server daemon +After=syslog.target network.target auditd.service + +[Service] +ExecStartPre=/usr/bin/ssh-keygen -A +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket new file mode 100644 index 00000000..94b95331 --- /dev/null +++ b/net-misc/openssh/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service new file mode 100644 index 00000000..2645ad04 --- /dev/null +++ b/net-misc/openssh/files/sshd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=syslog.target auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=syslog |