openssh8: copy of security/openssh updated to 8.0p1.
This commit is contained in:
parent
6925eeb902
commit
4f800ff628
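--- a/PATH-NOT-SHOWN-package-description
+++ b/PATH-NOT-SHOWN-package-description
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.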
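--- a/INSTALL
+++ b/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+for dir in $DIRS; do
+if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+for file in $FILES; do
+path=$dir/$file
+if [ -f $path ]; then
+${CAT} <<EOF
+===========================================================================
+
+*===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+@PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+exit
+fi
+done
+fi
+done
+;;
+esac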
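Review bot: The POST-INSTALL scan only looks for `FILES="sshd.conf sshd_config"`, while the notice it prints tells the administrator to relocate "configuration files and/or keys"; a stale ssh_config or old host keys left in /etc/ssh are never reported. Either widen the list (at least `FILES="ssh_config sshd_config"`) or add a comment above it such as `# Only sshd_config is checked; host keys in a legacy directory are not detected.` so the notice and the check agree. The tests should also quote the path, `if [ -f "$path" ]; then`, and the bare `exit` after the first hit ends the loop, so only the first legacy directory found is reported.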
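--- a/MESSAGE.Interix
+++ b/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+native lookup services. This requires that /etc/resolv.conf be set up
+properly with a "nameserver" line; see resolv.conf(5). In most
+installations, this was generated automatically when Services for UNIX
+was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+logging in through sshd thanks to the way the Windows security API works.
+A workaround is to "exec su USERNAME" after logging in, which will use
+the password to create a proper Windows access credential key.
+
+===========================================================================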
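--- a/MESSAGE.pam
+++ b/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+${EGDIR}/sshd.pam
+
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================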
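--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,209 @@
+# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
+
+DISTNAME= openssh-8.0p1
+PKGNAME= ${DISTNAME:S/p1/.1/}
+PKGREVISION= 1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+
+MAINTAINER= pkgsrc-users@NetBSD.org
+HOMEPAGE= http://www.openssh.com/
+COMMENT= Open Source Secure shell client and server (remote login program)
+LICENSE= modified-bsd
+
+CONFLICTS= sftp-[0-9]*
+CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+= openssh+gssapi-[0-9]*
+CONFLICTS+= lsh>2.0
+BROKEN_ON_PLATFORM+= OpenBSD-*-*
+
+USE_GCC_RUNTIME= yes
+USE_TOOLS+= autoconf perl
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+= IPV6_READY
+
+PKG_GROUPS_VARS+= OPENSSH_GROUP
+PKG_USERS_VARS+= OPENSSH_USER
+BUILD_DEFS+= OPENSSH_CHROOT
+BUILD_DEFS+= VARBASE
+
+INSTALL_TARGET= install-nokeys
+
+.include "options.mk"
+
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+= --disable-strip
+
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+= ac_cv_func_openpty=no
+CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
+CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
+. if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+= -I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+. elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+= -I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+. endif
+LDFLAGS+= -L/usr/local/lib/bind
+LIBS+= -lbind -ldb -lcrypt
+
+.else # not Interix
+
+PKG_GROUPS= ${OPENSSH_GROUP}
+PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
+
+PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
+
+.endif
+
+SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
+
+PKG_SYSCONFSUBDIR= ssh
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-mantype=man
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
+.endif
+
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+= --without-zlib-version-check
+
+.if ${_PKGSRC_MKPIE} != "no"
+CONFIGURE_ARGS+= --with-pie
+.endif
+
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+= LD=${CC:Q}
+
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+. include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
+
+.if (${OPSYS} == "NetBSD")
+. if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+= --disable-libutil
+. endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it. So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+= ac_cv_func_strnvis=no
+#
+# workaround for ./configure problem, pkg/50936
+#
+CONFIGURE_ENV+= ac_cv_func_reallocarray=no
+.endif
+
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
+.endif
+
+CONFIGURE_ARGS.Linux+= --enable-md5-password
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
+.endif
+
+CONFS= ssh_config sshd_config moduli
+
+PLIST_VARS+= darwin
+
+EGDIR= ${PREFIX}/share/examples/${PKGBASE}
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+
+.for f in ${CONFS}
+CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS= ${OPENSSH_CHROOT}
+RCD_SCRIPTS= sshd
+RCD_SCRIPT_SRC.sshd= ${WRKDIR}/sshd.sh
+SMF_METHODS= sshd
+
+FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR}
+
+SUBST_CLASSES+= patch
+SUBST_STAGE.patch= pre-configure
+SUBST_FILES.patch= session.c sandbox-darwin.c
+SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch= PKG_SYSCONFDIR
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+cd ${WRKSRC} && autoconf -i
+
+post-configure:
+if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
+${WRKSRC}/config.h; then \
+${SED} -e '/HAVE_ECDSA/s/.*//' \
+${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+else \
+${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+fi
+${SED} -e 's,@VARBASE@,${VARBASE},g' \
+< ${FILESDIR}/org.openssh.sshd.sb.in \
+> ${WRKDIR}/org.openssh.sshd.sb
+
+post-install:
+${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+cd ${WRKSRC}; for file in ${CONFS}; do \
+${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
+done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+
+.include "../../mk/bsd.pkg.mk"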
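Review bot: `PKGNAME= ${DISTNAME:S/p1/.1/}` makes this copy build as openssh-8.0.1 with PKGBASE openssh, the same package name security/openssh produces, and the CONFLICTS list carries no openssh-[0-9]* entry; if openssh8 is meant to be installable on its own, either the name or a CONFLICTS entry needs adjusting, presumably in a follow-up since the commit describes itself as a plain copy. HOMEPAGE still uses plain http; `HOMEPAGE= https://www.openssh.com/` is the canonical URL. The comment `# enable privsep patches` above the Darwin block does not describe the lines under it, which install the org.openssh.sshd.sb sandbox profile and set the named-sandbox CPPFLAG; `# Darwin: install the sandbox profile used by the privsep children` would match the code.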
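--- a/PLIST
+++ b/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
+bin/scp
+bin/sftp
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config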
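--- a/distinfo
+++ b/distinfo
@@ -0,0 +1,29 @@
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
+
+SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
+RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+Size (openssh-8.0p1.tar.gz) = 1597697 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
+SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4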
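--- a/org.openssh.sshd.sb.in
+++ b/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+(global-name "com.apple.system.notification_center")
+(global-name "com.apple.system.logger"))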
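--- a/PATH-NOT-SHOWN-smf-manifest
+++ b/PATH-NOT-SHOWN-smf-manifest
@@ -0,0 +1,46 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+<service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+<create_default_instance enabled='false'/>
+<single_instance/>
+<dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/system/filesystem/local'/>
+</dependency>
+<dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/network/loopback'/>
+</dependency>
+<dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/network/physical'/>
+</dependency>
+<dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/system/cryptosvc'/>
+</dependency>
+<dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/system/utmp'/>
+</dependency>
+<dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
+<service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
+</dependency>
+<dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
+<service_fmri value='svc:/milestone/multi-user-server'/>
+</dependent>
+<exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
+<exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+<exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
+<property_group name='general' type='framework'>
+<property name='action_authorization' type='astring'/>
+</property_group>
+<property_group name='startd' type='framework'>
+<propval name='ignore_error' type='astring' value='core,signal'/>
+</property_group>
+<template>
+<common_name>
+<loctext xml:lang='C'>OpenSSH server</loctext>
+</common_name>
+<documentation>
+<manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
+</documentation>
+</template>
+</service>
+</service_bundle>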
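Review bot: The documentation element points at manual section '1M' (`<manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>`), but this package installs sshd's page as man/man8/sshd.8 (see PLIST) and configures `--with-mantype=man`, so the reference resolves to a page that does not exist under @PREFIX@/@PKGMANDIR@. Use `<manpage title='sshd' section='8' manpath='@PREFIX@/@PKGMANDIR@'/>` so `svcs -x` style lookups land on the installed page.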
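--- a/PATH-NOT-SHOWN-smf-method-script
+++ b/PATH-NOT-SHOWN-smf-method-script
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "@(#)sshd 1.4 04/11/17 SMI"
+
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+keypath=$1
+keytype=$2
+
+if [ ! -f $keypath ]; then
+grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+echo Creating new $keytype public/private host key pair
+$KEYGEN -f $keypath -t $keytype -N ''
+return $?
+fi
+fi
+
+return 0
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in
+# sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+create_key $SSHDIR/ssh_host_rsa_key rsa
+create_key $SSHDIR/ssh_host_dsa_key dsa
+;;
+
+'-u')
+# sys-unconfig(1M) knows how to remove ssh host keys, so there's
+# nothing to do here.
+:
+;;
+
+# SMF arguments (start and restart [really "refresh"])
+'start')
+@PREFIX@/sbin/sshd
+;;
+
+'restart')
+if [ -f "$PIDFILE" ]; then
+/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+fi
+;;
+
+*)
+echo "Usage: $0 { start | restart }"
+exit 1
+;;
+esac
+
+exit $?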
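Review bot: The `-c` branch creates only RSA and DSA host keys (`create_key $SSHDIR/ssh_host_rsa_key rsa` and `... dsa`), and `create_key` only acts when sshd_config carries an explicit `HostKey` line for that path, so with upstream's commented-out HostKey defaults nothing is generated and the `start` method launches sshd with no host keys; the rc.d sshd.sh in the same commit generates rsa, ecdsa and ed25519 keys before starting. Add at least `create_key $SSHDIR/ssh_host_ed25519_key ed25519` (and ecdsa where the build has ECC), and consider dropping the DSA key, which OpenSSH has not offered by default since 7.0; the header comment `# Checks to see if RSA, and DSA host keys are available` should list whatever set is finally chosen. The `restart` branch reads the pidfile unquoted inside the cat invocation while the test above it quotes `"$PIDFILE"`; quote both for consistency.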
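--- a/sshd.sh
+++ b/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+. /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+(
+umask 022
+if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+@ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+@ECHO@ "Skipping protocol version 2 DSA Key Generation"
+else
+${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+fi
+
+if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+@ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+@ECHO@ "Skipping protocol version 2 RSA Key Generation"
+else
+${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+fi
+# HAVE_ECDSA_START
+if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+@ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+@ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+else
+${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+@ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+@ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+else
+${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+fi
+# HAVE_ED25519_STOP
+)
+}
+
+sshd_precmd()
+{
+if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+run_rc_command keygen
+else
+eval ${keygen_cmd}
+fi
+fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+load_rc_config $name
+run_rc_command "$1"
+else
+case ${1:-start} in
+start)
+if [ -x ${command} -a -f ${required_files} ]
+then
+@ECHO@ "Starting ${name}."
+eval ${start_precmd}
+eval ${command} ${sshd_flags} ${command_args}
+fi
+;;
+stop)
+if [ -f ${pidfile} ]; then
+pid=`@HEAD@ -1 ${pidfile}`
+@ECHO@ "Stopping ${name}."
+kill -TERM ${pid}
+else
+@ECHO@ "${name} not running?"
+fi
+;;
+restart)
+( $0 stop )
+sleep 1
+$0 start
+;;
+status)
+if [ -f ${pidfile} ]; then
+pid=`@HEAD@ -1 ${pidfile}`
+@ECHO@ "${name} is running as pid ${pid}."
+else
+@ECHO@ "${name} is not running."
+fi
+;;
+keygen)
+eval ${keygen_cmd}
+;;
+esac
+fi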
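Review bot: `sshd_precmd` tests for @PKG_SYSCONFDIR@/ssh_host_ecdsa_key unconditionally, but the package Makefile's post-configure target deletes everything between `# HAVE_ECDSA_START` and `# HAVE_ECDSA_STOP` from this file when config.h lacks OPENSSL_HAS_ECC, so on such builds that key is never created and the precmd runs `keygen` (with its "You already have ..." output) on every start. The test cannot simply be wrapped in the same markers because it is a single backslash-continued expression and the sed that blanks the marker lines on ECC builds would break the continuation; collecting the missing key types line by line keeps the ECDSA check on its own line so both sed variants apply cleanly. Separately, the script still generates a DSA host key that OpenSSH 8.0 does not offer by default; dropping it from both functions is worth considering.
```sh
sshd_precmd()
{
	missing=""
	for keytype in dsa rsa ed25519; do
		[ -f @PKG_SYSCONFDIR@/ssh_host_${keytype}_key ] || missing="${missing} ${keytype}"
	done
# HAVE_ECDSA_START
	[ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ] || missing="${missing} ecdsa"
# HAVE_ECDSA_STOP
	if [ -n "${missing}" ]; then
		# … unchanged: run_rc_command keygen / eval ${keygen_cmd} branches …
	fi
}
```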
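--- a/options.mk
+++ b/options.mk
@@ -0,0 +1,51 @@
+# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUGGESTED_OPTIONS= editline openssl
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+= pam
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mopenssl)
+.include "../../security/openssl/buildlink3.mk"
+CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
+.else
+CONFIGURE_ARGS+= --without-openssl
+.endif
+
+.if !empty(PKG_OPTIONS:Mkerberos)
+. include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE}
+. if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
+. endif
+.endif
+
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP= -p1
+#.endif
+
+PLIST_VARS+= pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+= --with-pam
+MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+= EGDIR=${EGDIR}
+. if ${OPSYS} == "Linux"
+PLIST.pam= yes
+. endif
+.endif
+
+.if !empty(PKG_OPTIONS:Meditline)
+.include "../../devel/editline/buildlink3.mk"
+CONFIGURE_ARGS+= --with-libedit=${BUILDLINK_PREFIX.editline}
+.endif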
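Review bot: The commented-out block from `#.if !empty(PKG_OPTIONS:Mhpn-patch)` to `#.endif` is dead code carried into a new file; `hpn-patch` is not in PKG_SUPPORTED_OPTIONS, the referenced patch targets 7.1p1, and the site is plain ftp, so either drop the five lines or leave a one-line comment saying why they are kept. `PKG_OPTIONS_VAR= PKG_OPTIONS.openssh` is also shared with security/openssh; that may be deliberate for a drop-in copy, but if openssh8 is meant to be configured independently it should become `PKG_OPTIONS_VAR= PKG_OPTIONS.openssh8`.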
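--- a/patch-Makefile.in
+++ b/patch-Makefile.in
@@ -0,0 +1,31 @@
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Removed install-sysconf as we handle that phase through post-install
+
+--- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000
++++ Makefile.in
+@@ -1,5 +1,5 @@
+# uncomment if you run a non bourne compatible shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+
+AUTORECONF=autoreconf
+
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+DESTDIR=
+VPATH=@srcdir@
+SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+SFTP_SERVER=$(libexecdir)/sftp-server
+SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+-rm -rf autom4te.cache .depend.bak
+
+install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
++install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+
+check-config: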
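Review bot: The patch header (`Removed install-sysconf as we handle that phase through post-install`) documents only the third hunk; the first hunk forces `SHELL = @SH@` and the second comments out `ASKPASS_PROGRAM`, and neither is explained. Add one line for each, e.g. `Force SHELL to the configured sh.` and `ASKPASS_PROGRAM is supplied by the package Makefile through CONFIGURE_ENV/MAKE_ENV, so the hard-coded libexecdir default is disabled.`, so the next update knows which hunks must be preserved.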
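--- a/patch-auth-passwd.c
+++ b/patch-auth-passwd.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth-passwd.c
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
+return 0;
+
+#ifndef HAVE_CYGWIN
+- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ok = 0;
+#endif
+if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
+authctxt->force_pwchange = 1;
+}
+#endif
++#ifdef HAVE_INTERIX
++ result = (!setuser(pw->pw_name, password, SU_CHECK));
++#else
+result = sys_auth_passwd(ssh, password);
++#endif
+if (authctxt->force_pwchange)
+auth_restrict_session(ssh);
+return (result && ok);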
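Review bot: The header says only `Replace uid 0 with ROOTUID macro`, but the second hunk also substitutes `setuser(pw->pw_name, password, SU_CHECK)` for `sys_auth_passwd(ssh, password)` under HAVE_INTERIX, i.e. a different password-verification path on that platform; that is the security-relevant part of the patch and should be named in the header, e.g. `On Interix, verify the password with setuser(SU_CHECK) instead of sys_auth_passwd().` The ROOTUID change in the first hunk keeps the PermitRootLogin check intact only if ROOTUID is the real superuser uid on every platform the macro is defined for; a one-line note on where ROOTUID is defined would help the reader. auth_password() continues outside both hunks.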
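--- a/patch-auth-rhosts.c
+++ b/patch-auth-rhosts.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth-rhosts.c
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+* If not logging in as superuser, try /etc/hosts.equiv and
+* shosts.equiv.
+*/
+- if (pw->pw_uid == 0)
++ if (pw->pw_uid == ROOTUID)
+debug3("%s: root user, ignoring system hosts files", __func__);
+else {
+if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+return 0;
+}
+if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+(st.st_mode & 022) != 0)) {
+logit("Rhosts authentication refused for %.100s: "
+"bad ownership or modes for home directory.", pw->pw_name);
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+* allowing access to their account by anyone.
+*/
+if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+(st.st_mode & 022) != 0)) {
+logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+pw->pw_name, buf);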
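--- a/patch-auth.c
+++ b/patch-auth.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+vs. default login class distinction is made correctly, from FrrrBSD's
+ports.
+
+--- auth.c.orig 2019-05-01 11:28:52.028281617 +0000
++++ auth.c
+@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
+user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+if (options.strict_modes &&
+(stat(user_hostfile, &st) == 0) &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+(st.st_mode & 022) != 0)) {
+logit("Authentication refused for %.100s: "
+"bad owner or modes for %.200s",
+@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
+if (!allowed_user(ssh, pw))
+return (NULL);
+#ifdef HAVE_LOGIN_CAP
+- if ((lc = login_getclass(pw->pw_class)) == NULL) {
++ if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
+debug("unable to get login class: %s", user);
+return (NULL);
+}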
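Review bot: The second hunk calls `login_getpwclass(pw->pw_class)`, passing the class name string; in FreeBSD's login_cap(3), which the header names as the source of this change, login_getpwclass() takes a `const struct passwd *` and derives the class (and the root-vs-default distinction the header wants) from it. If the prototype on the target platforms matches — confirm against login_cap.h where HAVE_LOGIN_CAP is defined — the call should be `if ((lc = login_getpwclass(pw)) == NULL) {`; as written it would only compile with an incompatible-pointer warning and would hand the function a string where it expects a struct. The header's `FrrrBSD's` should read `FreeBSD's`. getpwnamallow() continues outside the hunk.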
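--- a/patch-auth2.c
+++ b/patch-auth2.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth2.c
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
+fatal("INTERNAL ERROR: authenticated and postponed");
+
+/* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+!auth_root_allowed(ssh, method)) {
+authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS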
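--- a/patch-clientloop.c
+++ b/patch-clientloop.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
++++ clientloop.c
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+struct stat st;
+u_int now, x11_timeout_real;
+
++#if __APPLE__
++ int is_path_to_socket = 0;
++#endif /* __APPLE__ */
++
+*_proto = proto;
+*_data = data;
+proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+}
+
+if (xauth_path != NULL) {
++#if __APPLE__
++ {
++ /*
++ * If using launchd socket, remove the screen number from the end
++ * of $DISPLAY. is_path_to_socket is used later in this function
++ * to determine if an error should be displayed.
++ */
++ char path[PATH_MAX];
++ struct stat sbuf;
++
++ strlcpy(path, display, sizeof(path));
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ } else {
++ char *dot = strrchr(path, '.');
++ if (dot) {
++ *dot = '\0';
++ /* screen = atoi(dot + 1); */
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
++ setenv("DISPLAY", path, 1);
++ }
++ }
++ }
++ }
++#endif /* __APPLE__ */
+/*
+* Handle FamilyLocal case where $DISPLAY does
+* not match an authorization entry. For this we
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+u_int8_t rnd[16];
+u_int i;
+
++#if __APPLE__
++ if (!is_path_to_socket)
++#endif /* __APPLE__ */
+logit("Warning: No xauth data; "
+"using fake authentication data for X11 forwarding.");
+strlcpy(proto, SSH_X11_PROTO, sizeof proto);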
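Review bot: In the second hunk `strlcpy(path, display, sizeof(path))` discards its return value, so a $DISPLAY longer than PATH_MAX is silently truncated, the truncated name is stat()ed, and on a match it is written back into the environment with `setenv("DISPLAY", path, 1)`; the block should only run when the copy fitted, e.g. `if (strlcpy(path, display, sizeof(path)) < sizeof(path)) {` around the stat() logic, with the truncated case falling through to the existing FamilyLocal handling. The three guards use `#if __APPLE__` where the surrounding patches spell such tests `#ifdef`; `#if` on an undefined macro is accepted but trips -Wundef, so `#ifdef __APPLE__` is the safer form. The `/* screen = atoi(dot + 1); */` line is commented-out code and can go. client_x11_get_proto() continues outside every hunk.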
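--- /dev/null
+++ b/patch-config.h.in
@@ -0,0 +1,37 @@
+$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+* Added Interix and define new path to if_tun.h.
+* Revive tcp_wrappers support.
+
+--- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000
++++ config.h.in
+@@ -741,6 +741,9 @@
+/* define if you have int64_t data type */
+#undef HAVE_INT64_T
+
++/* Define if you are on Interix */
++#undef HAVE_INTERIX
++
+/* Define to 1 if the system has the type `intmax_t'. */
+#undef HAVE_INTMAX_T
+
+@@ -910,6 +913,9 @@
+/* Define to 1 if you have the <net/route.h> header file. */
+#undef HAVE_NET_ROUTE_H
+
++/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
++#undef HAVE_NET_TUN_IF_TUN_H
++
+/* Define if you are on NeXT */
+#undef HAVE_NEXT
+
+@@ -1617,6 +1623,9 @@
+/* Define if pututxline updates lastlog too */
+#undef LASTLOG_WRITE_PUTUTXLINE
+
++/* Define if you want TCP Wrappers support */
++#undef LIBWRAP
++
+/* Define to whatever link() returns for "not supported" if it doesn't return
+EOPNOTSUPP. */
+#undef LINK_OPNOTSUPP_ERRNO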
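--- /dev/null
+++ b/PATH-NOT-ON-PAGE/patch-for-configure.ac
@@ -0,0 +1,138 @@
+$NetBSD$
+
+--- configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
++++ configure.ac
+@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
+]
+)
+
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+# Allow user to specify flags
+AC_ARG_WITH([cflags],
+[ --with-cflags Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+maillock.h \
+ndir.h \
+net/if_tun.h \
++ net/tun/if_tun.h \
+netdb.h \
+netgroup.h \
+pam/pam_appl.h \
+@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+;;
+esac
+;;
++*-*-interix*)
++ AC_DEFINE(HAVE_INTERIX)
++ AC_DEFINE(DISABLE_FD_PASSING)
++ AC_DEFINE(DISABLE_SHADOW)
++ AC_DEFINE(IP_TOS_IS_BROKEN)
++ AC_DEFINE(MISSING_HOWMANY)
++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++ AC_DEFINE(USE_PIPES)
++ ;;
+*-*-irix5*)
+PATH="$PATH:/usr/etc"
+AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@ else
+AC_MSG_RESULT([no])
+fi
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+# Check whether user wants to use ldns
+LDNS_MSG="no"
+AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+])
+if test -z "$conf_wtmpx_location"; then
+if test x"$system_wtmpx_path" = x"no" ; then
+- AC_DEFINE([DISABLE_WTMPX])
++ for f in /var/log/wtmpx; do
++ if test -f $f ; then
++ conf_wtmpx_location=$f
++ fi
++ done
++ if test -z "$conf_wtmpx_location"; then
++ AC_DEFINE(DISABLE_WTMPX)
++ fi
+fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+[Define if you want to specify the path to your wtmpx file])
+fi
+@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
+echo " User binaries: $B"
+echo " System binaries: $C"
+echo " Configuration files: $D"
+-echo " Askpass program: $E"
++echo " Askpass program: ${ASKPASS_PROGRAM}"
+echo " Manual pages: $F"
+echo " PID file: $G"
+echo " Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@ echo " PAM support
+echo " OSF SIA support: $SIA_MSG"
+echo " KerberosV support: $KRB5_MSG"
+echo " SELinux support: $SELINUX_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+echo " MD5 password support: $MD5_MSG"
+echo " libedit support: $LIBEDIT_MSG"
+echo " libldns support: $LDNS_MSG"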
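Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured in the tcp-wrappers block but never read back — only `LIBS="$saved_LIBS"` is restored — so those two assignments are dead; either drop them or restore both after the link test if the `-L`/`-I` additions were meant to be scoped to the test. The test body calls `hosts_access(0)` with a null request pointer, which is fine for a link-only probe but deserves a comment such as `dnl link test only; hosts_access() is never executed here` so nobody later turns it into a run test. The Interix case uses the one-argument `AC_DEFINE(HAVE_INTERIX)` form, which is why config.h.in has to be patched by hand for these symbols; the three-argument form would let autoheader produce the template if it is ever re-run. The same hunks appear a second time, with absolute work-directory paths, in the section starting at L4899.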
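--- /dev/null
+++ b/patch-defines.h
@@ -0,0 +1,47 @@
+$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Define ROOTUID, UTMPX_FILE and WTMPX_FILE
+
+--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ defines.h
+@@ -30,6 +30,15 @@
+
+/* Constants */
+
++#ifdef HAVE_INTERIX
++/* Interix has a special concept of "administrator". */
++# define ROOTUID 197108
++# define ROOTGID 131616
++#else
++# define ROOTUID 0
++# define ROOTGID 0
++#endif
++
+#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
+enum
+{
+@@ -721,6 +730,24 @@ struct winsize {
+# endif
+# endif
+#endif
++#ifndef UTMPX_FILE
++# ifdef _PATH_UTMPX
++# define UTMPX_FILE _PATH_UTMPX
++# else
++# ifdef CONF_UTMPX_FILE
++# define UTMPX_FILE CONF_UTMPX_FILE
++# endif
++# endif
++#endif
++#ifndef WTMPX_FILE
++# ifdef _PATH_WTMPX
++# define WTMPX_FILE _PATH_WTMPX
++# else
++# ifdef CONF_WTMPX_FILE
++# define WTMPX_FILE CONF_WTMPX_FILE
++# endif
++# endif
++#endif
+/* pick up the user's location for lastlog if given */
+#ifndef LASTLOG_FILE
+# ifdef _PATH_LASTLOG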
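Review bot: `ROOTUID 197108` and `ROOTGID 131616` are undocumented magic numbers, and the one-line comment above them says neither where the values come from nor which Interix principal they denote; since the sshd.c, uidswap.c, session.c, sshpty.c and loginrec.c patches in this commit rewrite every `== 0` privilege check to `== ROOTUID`, a wrong value here silently disables those checks rather than failing loudly. Add a comment recording the source, e.g. `/* Interix uid/gid of the Administrator principal; taken from <source of these values — TODO> */`. The substitution is also not uniform: the platform.c hunk in the section at L3649 leaves `getuid() == 0 || geteuid() == 0` as a literal 0, which is harmless while ROOTUID is 0 everywhere else but worth aligning.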
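--- /dev/null
+++ b/patch-includes.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ includes.h
+@@ -127,6 +127,10 @@
+#ifdef HAVE_READPASSPHRASE_H
+# include <readpassphrase.h>
+#endif
++#ifdef HAVE_INTERIX
++# include <interix/env.h>
++# include <interix/security.h>
++#endif
+
+#ifdef HAVE_IA_H
+# include <ia.h>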
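--- /dev/null
+++ b/patch-loginrec.c
@@ -0,0 +1,68 @@
+$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support and related fixes. Fix build on FreeBSD.
+
+--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ loginrec.c
+@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
+int
+login_write(struct logininfo *li)
+{
+-#ifndef HAVE_CYGWIN
+- if (geteuid() != 0) {
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++ if (geteuid() != ROOTUID) {
+logit("Attempt to write login records by non-root user (aborting)");
+return (1);
+}
+@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
+
+/* set the timestamp */
+login_set_current_time(li);
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && (HAVE_UTMP_H)
+syslogin_write_entry(li);
+#endif
+#ifdef USE_LASTLOG
+@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
+** into account.
+**/
+
+-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
+
+/* build the utmp structure */
+void
+@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
+set_utmpx_time(li, utx);
+utx->ut_pid = li->pid;
+
+- /* strncpy(): Don't necessarily want null termination */
+- strncpy(utx->ut_user, li->username,
+- MIN_SIZEOF(utx->ut_user, li->username));
+-
+if (li->type == LTYPE_LOGOUT)
+return;
+
+@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
+* for logouts.
+*/
+
++ /* strncpy(): Don't necessarily want null termination */
++#if defined(__FreeBSD__)
++ strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
++#else
++ strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
++#endif
+# ifdef HAVE_HOST_IN_UTMPX
+strncpy(utx->ut_host, li->hostname,
+MIN_SIZEOF(utx->ut_host, li->hostname));
+@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
+** Low-level libutil login() functions
+**/
+
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
+static int
+syslogin_perform_login(struct logininfo *li)
+{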
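Review bot: The second hunk's `#if defined(USE_LOGIN) && (HAVE_UTMP_H)` tests the macro's value while the two later hunks test `defined (HAVE_UTMP_H)`; the value form only works because autoconf happens to define the symbol as 1 and would misbehave (or warn under -Wundef) for an empty definition, so make it `#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)` to match the others. The two construct_utmpx hunks move the username copy below the `LTYPE_LOGOUT` early return, so logout records no longer carry `ut_user`/`ut_name`; if that is intended — logout entries are presumably matched by line, not by user — the patch header should say so, since "Interix support and related fixes" does not describe it. On Interix `login_write` now skips the effective-uid check entirely, which deserves a one-line comment at the `#if` explaining why the check is not meaningful there. All three functions extend outside their hunks.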
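--- /dev/null
+++ b/patch-openbsd-compat_bsd-openpty.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
+
+Interix support
+
+--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
++++ openbsd-compat/bsd-openpty.c
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
+return (-1);
+}
+
++#if !defined(HAVE_INTERIX)
+/*
+* Try to push the appropriate streams modules, as described
+* in Solaris pts(7).
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
+# ifndef __hpux
+ioctl(*aslave, I_PUSH, "ttcompat");
+# endif /* __hpux */
++#endif /* !HAVE_INTERIX */
+
+return (0);
+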
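--- /dev/null
+++ b/patch-openbsd-compat_openbsd-compat.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+strtoll() declaration
+
+--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/openbsd-compat.h
+@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
+int setenv(register const char *name, register const char *value, int rewrite);
+#endif
+
++#ifndef HAVE_STRTOLL
++long long strtoll(const char *, char **, int);
++#endif
++
+#ifndef HAVE_STRMODE
+void strmode(int mode, char *p);
+#endif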
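--- /dev/null
+++ b/patch-openbsd-compat_port-tun.c
@@ -0,0 +1,45 @@
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
+
+if_tun.h can be found in net/tun
+
+--- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ openbsd-compat/port-net.c
+@@ -1,3 +1,4 @@
++
+/*
+* Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
+*
+@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
+#include <sys/socket.h>
+#include <net/if.h>
+
++#ifdef HAVE_NET_TUN_IF_TUN_H
++#include <net/tun/if_tun.h>
++#endif
++
+#ifdef HAVE_NET_IF_TUN_H
+#include <net/if_tun.h>
+#endif
+@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
+{
+struct ifreq ifr;
+char name[100];
+- int fd = -1, sock, flag;
++ int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++ int flag;
++#endif
+const char *tunbase = "tun";
+
+if (ifname != NULL)
+@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
+return (-1);
+}
+
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+/* Turn on tunnel headers */
+flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+if (mode != SSH_TUNMODE_ETHERNET &&
+ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,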
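Review bot: The first hunk (`@@ -1,3 +1,4 @@`) adds nothing but an empty line at the top of port-net.c; it is pure noise that will make the patch need regeneration on every update, so drop that hunk. The `$NetBSD` id still names this file patch-openbsd-compat_port-tun.c while both `---`/`+++` headers target openbsd-compat/port-net.c, so the patch file's name no longer matches the file it modifies, which the pkgsrc naming convention expects. Moving the `#if defined(TUNSIFHEAD)` guard above `flag = 1;` and declaring `flag` under the same guard is the right shape (presumably to silence a set-but-unused warning); a one-line comment at the declaration, `/* only consumed by the TUNSIFHEAD ioctl below */`, would tie the two guards together for the reader. sys_tun_open extends outside the hunks.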
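--- /dev/null
+++ b/patch-platform.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ platform.c
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
+/* uid 0 is not special on Cygwin so always try */
+return 1;
+#else
++#if !defined(HAVE_INTERIX)
+return (getuid() == 0 || geteuid() == 0);
++#endif /* !HAVE_INTERIX */
+#endif
+}
+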
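Review bot: Wrapping `return (getuid() == 0 || geteuid() == 0);` in `#if !defined(HAVE_INTERIX)` leaves `platform_privileged_uidswap()` with no return statement at all on Interix, so callers read an indeterminate value — undefined behaviour for a non-void function — and uid swapping is attempted or skipped at random. Give the Interix build an explicit answer: `#else` / `return 1; /* Interix: privilege is handled via setuser() — TODO confirm */` / `#endif`; the Cygwin branch above returns 1 for the analogous "uid 0 is not special" reason, but if Interix should never attempt the swap, return 0 instead — either way the function must return. The function's opening is outside the hunk.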
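--- /dev/null
+++ b/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+struct rlimit rl_zero;
+
+debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+&errmsg) == -1)
++#endif
+fatal("%s: sandbox_init: %s", __func__, errmsg);
+
+/*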
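Review bot: `#define SANDBOX_NAMED_EXTERNAL (0x3)` hard-codes a fallback for a flag the system header evidently may not declare (hence the `#ifndef`), with nothing recording where 0x3 comes from; add `/* private sandbox_init() flag: load profile from an external file; value from <source — TODO> */` so the next update can re-verify it. Loading the pre-auth sandbox profile from `@PKG_SYSCONFDIR@/org.openssh.sshd.sb` also makes the strength of the net-facing child's sandbox depend on that file's ownership and permissions — a writable profile is a weakened sandbox — and on the file existing at all, since the unchanged `fatal()` below aborts when `sandbox_init` fails; that expectation (root-owned, not writable by others) belongs in a comment next to the path and in the package's install handling. The sshd.c section at L4198 moves this call ahead of the privilege drop for the same reason. ssh_sandbox_child extends outside the hunk.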
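--- /dev/null
+++ b/patch-scp.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ scp.c
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
+argc -= optind;
+argv += optind;
+
++#ifdef HAVE_INTERIX
++ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
++#else
+if ((pwd = getpwuid(userid = getuid())) == NULL)
++#endif
+fatal("unknown user %u", (u_int) userid);
+
+if (!isatty(STDOUT_FILENO))
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
+return;
+}
+while ((dp = readdir(dirp)) != NULL) {
++#ifndef HAVE_INTERIX
+if (dp->d_ino == 0)
+continue;
++#endif
+if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+continue;
+if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
+case '\'':
+case '"':
+case '`':
++#ifndef HAVE_INTERIX
+case ' ':
++#endif
+case '#':
+goto bad;
+default: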
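Review bot: Taking `case ' ':` out of the `goto bad` list under `HAVE_INTERIX` makes `okname()` accept names containing spaces, and as far as this hunk shows okname() is the filter scp applies to the user and host parts of its arguments before they reach the remote command line; the `#ifndef` needs a comment explaining why Interix requires it (account names with embedded spaces, presumably) and why it is considered safe — which holds only if the remote command is still assembled as an argv and never passed through a shell, something this hunk cannot confirm. The `getpwuid_ex(..., PW_FULLNAME)` and `d_ino == 0` changes are straightforward. main(), rsource() and okname() all extend outside their hunks.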
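--- /dev/null
+++ b/patch-session.c
@@ -0,0 +1,65 @@
+$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
+
+* Interix support.
+
+--- session.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ session.c
+@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
+if (tmpenv == NULL)
+return;
+
+- if (uid == 0)
++ if (uid == ROOTUID)
+var = child_get_env(tmpenv, "SUPATH");
+else
+var = child_get_env(tmpenv, "PATH");
+@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
+# endif /* HAVE_ETC_DEFAULT_LOGIN */
+if (path == NULL || *path == '\0') {
+child_set_env(&env, &envsize, "PATH",
+- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
++ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
+}
+# endif /* HAVE_CYGWIN */
+#endif /* HAVE_LOGIN_CAP */
+@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
+child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+original_command);
+
++#ifdef HAVE_INTERIX
++ {
++ /* copy standard Windows environment, then apply changes */
++ env_t *winenv = env_login(pw);
++ env_putarray(winenv, env, ENV_OVERRIDE);
++
++ /* swap over to altered environment as a traditional array */
++ env = env_array(winenv);
++ }
++#endif
++
+if (debug_flag) {
+/* dump the environment */
+fprintf(stderr, "Environment:\n");
+@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
+perror("setgid");
+exit(1);
+}
++# if !defined(HAVE_INTERIX)
+/* Initialize the group list. */
+if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+perror("initgroups");
+exit(1);
+}
++# endif /* !HAVE_INTERIX */
+endgrent();
+#endif
+
+@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
+record_logout(s->pid, s->tty, s->pw->pw_name);
+
+/* Release the pseudo-tty. */
+- if (getuid() == 0)
++ if (getuid() == ROOTUID)
+pty_release(s->tty);
+
+/*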
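Review bot: In the Interix block of do_setup_env, `env = env_array(winenv);` replaces the array that `child_set_env()` has been growing without freeing it, and `envsize` still describes the old array, so any later `child_set_env(&env, &envsize, ...)` would realloc a pointer it does not own using a stale capacity; only the debug dump is visible after this point but the function continues outside the hunk, so either free the old array and reset `envsize`, or add `/* env is now owned by winenv; no child_set_env() calls may follow */` and make sure that holds. `initgroups()` is also compiled out on Interix in do_setusercontext with no replacement in this hunk; presumably `setuser()` (uidswap.c section at L4673) establishes the group list, and a one-line comment at the `# if` saying so would stop the next reader from treating it as a missing privilege step. Both functions start outside their hunks.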
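--- /dev/null
+++ b/PATH-NOT-ON-PAGE/patch-for-sftp-common.c
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- sftp-common.c.orig 2019-04-17 22:52:57.000000000 +0000
++++ sftp-common.c
+@@ -36,7 +36,9 @@
+#include <string.h>
+#include <time.h>
+#include <stdarg.h>
++#ifdef HAVE_UNISTD_H
+#include <unistd.h>
++#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif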
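--- /dev/null
+++ b/patch-sshd.8
@@ -0,0 +1,27 @@
+$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+* Revive tcp_wrappers support.
+
+--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshd.8
+@@ -850,6 +850,12 @@ the user's home directory becomes access
+This file should be writable only by the user, and need not be
+readable by anyone else.
+.Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+.It Pa /etc/hosts.equiv
+This file is for host-based authentication (see
+.Xr ssh 1 ) .
+@@ -953,6 +959,7 @@ The content of this file is not sensitiv
+.Xr ssh-keygen 1 ,
+.Xr ssh-keyscan 1 ,
+.Xr chroot 2 ,
++.Xr hosts_access 5 ,
+.Xr login.conf 5 ,
+.Xr moduli 5 ,
+.Xr sshd_config 5 ,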
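--- /dev/null
+++ b/PATH-NOT-ON-PAGE/patch-for-sshd.c
@@ -0,0 +1,137 @@
+$NetBSD$
+
+--- sshd.c.orig 2019-04-17 22:52:57.000000000 +0000
++++ sshd.c
+@@ -123,6 +123,13 @@
+#include "version.h"
+#include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+/* Re-exec fds */
+#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -235,7 +242,11 @@ static int *startup_flags = NULL; /* Ind
+static int startup_pipe = -1; /* in child */
+
+/* variables used for privilege separation */
++#ifdef HAVE_INTERIX
++int use_privsep = 0;
++#else
+int use_privsep = -1;
++#endif
+struct monitor *pmonitor = NULL;
+int privsep_is_preauth = 1;
+static int privsep_chroot = 1;
+@@ -467,10 +478,15 @@ privsep_preauth_child(void)
+/* Drop our privileges */
+debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+(u_int)privsep_pw->pw_gid);
++#ifdef HAVE_INTERIX
++ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser: %.100s", strerror(errno));
++#else
+gidset[0] = privsep_pw->pw_gid;
+if (setgroups(1, gidset) < 0)
+fatal("setgroups: %.100s", strerror(errno));
+permanently_set_uid(privsep_pw);
++#endif /* HAVE_INTERIX */
+}
+}
+
+@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
+/* Arrange for logging to be sent to the monitor */
+set_log_handler(mm_log_handler, pmonitor);
+
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++ /* We need to do this before we chroot() so we can read sshd.sb */
++ if (box != NULL)
++ ssh_sandbox_child(box);
++#endif
+privsep_preauth_child();
+setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+if (box != NULL)
+ssh_sandbox_child(box);
++#endif
+
+return 0;
+}
+@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
+#ifdef DISABLE_FD_PASSING
+if (1) {
+#else
+- if (authctxt->pw->pw_uid == 0) {
++ if (authctxt->pw->pw_uid == ROOTUID) {
+#endif
+/* File descriptor passing is broken or root login */
+use_privsep = 0;
+@@ -1454,7 +1477,7 @@ main(int ac, char **av)
+av = saved_argv;
+#endif
+
+- if (geteuid() == 0 && setgroups(0, NULL) == -1)
++ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
+debug("setgroups(): %.200s", strerror(errno));
+
+/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1686,7 +1709,7 @@ main(int ac, char **av)
+);
+
+/* Store privilege separation user for later use if required. */
+- privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
++ privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
+if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+if (privsep_chroot || options.kerberos_authentication)
+fatal("Privilege separation user %s does not exist",
+@@ -1830,7 +1853,7 @@ main(int ac, char **av)
+(st.st_uid != getuid () ||
+(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+#else
+- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
++ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+#endif
+fatal("%s must be owned by root and not group or "
+"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+@@ -1858,8 +1881,10 @@ main(int ac, char **av)
+* to create a file, and we can't control the code in every
+* module which might be used).
+*/
++#ifndef HAVE_INTERIX
+if (setgroups(0, NULL) < 0)
+debug("setgroups() failed: %.200s", strerror(errno));
++#endif
+
+if (rexec_flag) {
+if (rexec_argc < 0)
+@@ -2053,6 +2078,25 @@ main(int ac, char **av)
+audit_connection_from(remote_ip, remote_port);
+#endif
+
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (ssh_packet_connection_is_on_socket(ssh)) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
++
+rdomain = ssh_packet_rdomain_in(ssh);
+
+/* Log the connection. */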
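Review bot: The LIBWRAP block in main() calls `fromhost()` and `hosts_access()` on the new connection before any key exchange or authentication, while sshd is still the privileged, un-sandboxed process, and fromhost() performs reverse and forward DNS lookups on the peer; that hands an unauthenticated client a DNS-driven code path inside the root process, which is one of the reasons upstream gave when it removed libwrap in OpenSSH 6.7, and it deserves a comment at `#ifdef LIBWRAP` stating the trade-off and pointing users who only need address-based filtering to `ListenAddress`/`Match Address` in sshd_config or a packet filter. `allow_severity = options.log_facility|LOG_INFO` (and deny_severity likewise) ORs OpenSSH's own SyslogFacility enum value, not a syslog(3) LOG_* facility, into the priority — if log.h still defines log_facility as that enum, as it has historically — so the resulting severity is not what it looks like; this was inherited from the pre-6.7 upstream code and should be translated through the facility mapping log.c uses. `int use_privsep = 0;` for Interix disables pre-auth privilege separation entirely, not just the post-auth part that DISABLE_FD_PASSING already handles in privsep_postauth, which warrants a comment explaining why Interix cannot run the unprivileged pre-auth child. main(), privsep_preauth_child() and privsep_preauth() all extend outside their hunks.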
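--- /dev/null
+++ b/patch-sshpty.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ sshpty.c
+@@ -86,7 +86,7 @@ void
+pty_release(const char *tty)
+{
+#if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
+- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
++ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
+error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
+if (chmod(tty, (mode_t) 0666) < 0)
+error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
+if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+if (chown(tty, pw->pw_uid, gid) < 0) {
+if (errno == EROFS &&
+- (st.st_uid == pw->pw_uid || st.st_uid == 0))
++ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
+debug("chown(%.100s, %u, %u) failed: %.100s",
+tty, (u_int)pw->pw_uid, (u_int)gid,
+strerror(errno));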
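Review bot: The `chown()` in pty_release now passes `ROOTUID`/`ROOTGID`, but the error message on the next line still reads `chown %.100s 0 0 failed`, so on Interix (where defines.h gives 197108/131616) the log misreports the owner that was attempted; change it to `error("chown %.100s %u %u failed: %.100s", tty, (u_int)ROOTUID, (u_int)ROOTGID, strerror(errno));`. Both functions extend outside their hunks.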
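--- /dev/null
+++ b/patch-uidswap.c
@@ -0,0 +1,77 @@
+$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Interix support
+
+--- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ uidswap.c
+@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
+(u_int)pw->pw_uid, (u_int)pw->pw_gid,
+(u_int)saved_euid, (u_int)saved_egid);
+#ifndef HAVE_CYGWIN
+- if (saved_euid != 0) {
++ if (saved_euid != ROOTUID) {
+privileged = 0;
+return;
+}
+#endif
+#else
+- if (geteuid() != 0) {
++ if (geteuid() != ROOTUID) {
+privileged = 0;
+return;
+}
+@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
+
+/* set and save the user's groups */
+if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
++#ifndef HAVE_INTERIX
+if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+fatal("initgroups: %s: %.100s", pw->pw_name,
+strerror(errno));
+-
++#endif
+user_groupslen = getgroups(0, NULL);
+if (user_groupslen < 0)
+fatal("getgroups: %.100s", strerror(errno));
+@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
+}
+user_groups_uid = pw->pw_uid;
+}
++#ifndef HAVE_INTERIX
+/* Set the effective uid to the given (unprivileged) uid. */
+if (setgroups(user_groupslen, user_groups) < 0)
+fatal("setgroups: %.100s", strerror(errno));
++#endif
+#ifndef SAVED_IDS_WORK_WITH_SETEUID
+/* Propagate the privileged gid to all of our gids. */
+if (setgid(getegid()) < 0)
+@@ -166,8 +169,10 @@ restore_uid(void)
+setgid(getgid());
+#endif /* SAVED_IDS_WORK_WITH_SETEUID */
+
++#ifndef HAVE_INTERIX
+if (setgroups(saved_egroupslen, saved_egroups) < 0)
+fatal("setgroups: %.100s", strerror(errno));
++#endif
+temporarily_use_uid_effective = 0;
+}
+
+@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
+debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+(u_int)pw->pw_gid);
+
++#if defined(HAVE_INTERIX)
++ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
++#else
+if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+
+@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
+(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+fatal("%s: was able to restore old [e]uid", __func__);
+#endif
++#endif /* HAVE_INTERIX */
+
+/* Verify UID drop was successful */
+if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {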
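Review bot: In permanently_set_uid the Interix branch logs `fatal("setuser %u: %.100s", (u_int)pw->pw_gid, ...)` — a copy of the setresgid message below it — but setuser() was given `pw->pw_name`, so a failure prints the gid for a call that took a name; use `fatal("setuser %s: %.100s", pw->pw_name, strerror(errno));`. In temporarily_use_uid the `initgroups()` and `setgroups()` calls are compiled out on Interix while `getgroups()` still runs, so `user_groups` ends up holding the calling process's own group list rather than the user's and is then cached under `user_groups_uid = pw->pw_uid`; if that is acceptable because nothing consumes it on Interix, say so in a comment at the first `#ifndef HAVE_INTERIX`. Neither temporarily_use_uid nor restore_uid gets an Interix-specific replacement here, so the Interix privilege model rests entirely on the single setuser() call in permanently_set_uid, which is worth stating in the patch header. All three functions extend outside their hunks.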
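--- /dev/null
+++ b/PATH-NOT-ON-PAGE/stray-configure.ac-diff
@@ -0,0 +1,136 @@
+--- /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
++++ /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac 2019-05-01 12:11:27.813134298 +0000
+@@ -294,6 +294,9 @@
+]
+)
+
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+# Allow user to specify flags
+AC_ARG_WITH([cflags],
+[ --with-cflags Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@
+maillock.h \
+ndir.h \
+net/if_tun.h \
++ net/tun/if_tun.h \
+netdb.h \
+netgroup.h \
+pam/pam_appl.h \
+@@ -737,6 +741,15 @@
+;;
+esac
+;;
++*-*-interix*)
++ AC_DEFINE(HAVE_INTERIX)
++ AC_DEFINE(DISABLE_FD_PASSING)
++ AC_DEFINE(DISABLE_SHADOW)
++ AC_DEFINE(IP_TOS_IS_BROKEN)
++ AC_DEFINE(MISSING_HOWMANY)
++ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++ AC_DEFINE(USE_PIPES)
++ ;;
+*-*-irix5*)
+PATH="$PATH:/usr/etc"
+AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@
+AC_MSG_RESULT([no])
+fi
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+# Check whether user wants to use ldns
+LDNS_MSG="no"
+AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@
+])
+if test -z "$conf_wtmpx_location"; then
+if test x"$system_wtmpx_path" = x"no" ; then
+- AC_DEFINE([DISABLE_WTMPX])
++ for f in /var/log/wtmpx; do
++ if test -f $f ; then
++ conf_wtmpx_location=$f
++ fi
++ done
++ if test -z "$conf_wtmpx_location"; then
++ AC_DEFINE(DISABLE_WTMPX)
++ fi
+fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+[Define if you want to specify the path to your wtmpx file])
+fi
+@@ -5223,7 +5300,7 @@
+echo " User binaries: $B"
+echo " System binaries: $C"
+echo " Configuration files: $D"
+-echo " Askpass program: $E"
++echo " Askpass program: ${ASKPASS_PROGRAM}"
+echo " Manual pages: $F"
+echo " PID file: $G"
+echo " Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@
+echo " OSF SIA support: $SIA_MSG"
+echo " KerberosV support: $KRB5_MSG"
+echo " SELinux support: $SELINUX_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+echo " MD5 password support: $MD5_MSG"
+echo " libedit support: $LIBEDIT_MSG"
+echo " libldns support: $LDNS_MSG"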
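Review bot: This file is a second copy of the configure.ac patch already present in the section starting at L2598, differing only in its `---`/`+++` headers — which point at absolute `/var/tmp/pkgsrc-obj/...` work-directory paths and carry a timestamp on the `+++` line — and in the missing `$NetBSD$` id; it looks like a leftover from regenerating the real patch and should be removed from the commit rather than added. Depending on the name it was committed under (not shown here), pkgsrc may also try to apply it, in which case these hunks would fail the second time round.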
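--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.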
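--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+for dir in $DIRS; do
+if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+for file in $FILES; do
+path=$dir/$file
+if [ -f $path ]; then
+${CAT} <<EOF
+===========================================================================
+
+*===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+@PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+exit
+fi
+done
+fi
+done
+;;
+esac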
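Review bot: `if [ -f $path ]; then` leaves `$path` unquoted, so a `${PKG_PREFIX}` containing whitespace would split the test into several words; `if [ -f "$path" ]; then` is the safe form. The bare `exit` after the heredoc also ends the whole POST-INSTALL stage at the first stale file found, so a second stale copy in another of the `$DIRS` locations is never reported. If stopping at the first hit is intended, a comment such as `# one notice is enough; stop scanning` would make that explicit; otherwise drop the `exit` so every stale copy is listed.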
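--- /dev/null
+++ b/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+native lookup services. This requires that /etc/resolv.conf be set up
+properly with a "nameserver" line; see resolv.conf(5). In most
+installations, this was generated automatically when Services for UNIX
+was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+logging in through sshd thanks to the way the Windows security API works.
+A workaround is to "exec su USERNAME" after logging in, which will use
+the password to create a proper Windows access credential key.
+
+===========================================================================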
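--- /dev/null
+++ b/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+${EGDIR}/sshd.pam
+
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================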
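--- /dev/null
+++ b/Makefile
@@ -0,0 +1,209 @@
+# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
+
+DISTNAME= openssh-8.0p1
+PKGNAME= ${DISTNAME:S/p1/.1/}
+PKGREVISION= 1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+
+MAINTAINER= pkgsrc-users@NetBSD.org
+HOMEPAGE= http://www.openssh.com/
+COMMENT= Open Source Secure shell client and server (remote login program)
+LICENSE= modified-bsd
+
+CONFLICTS= sftp-[0-9]*
+CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+= openssh+gssapi-[0-9]*
+CONFLICTS+= lsh>2.0
+BROKEN_ON_PLATFORM+= OpenBSD-*-*
+
+USE_GCC_RUNTIME= yes
+USE_TOOLS+= autoconf perl
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+= IPV6_READY
+
+PKG_GROUPS_VARS+= OPENSSH_GROUP
+PKG_USERS_VARS+= OPENSSH_USER
+BUILD_DEFS+= OPENSSH_CHROOT
+BUILD_DEFS+= VARBASE
+
+INSTALL_TARGET= install-nokeys
+
+.include "options.mk"
+
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+= --disable-strip
+
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+= ac_cv_func_openpty=no
+CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
+CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
+. if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+= -I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+. elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+= -I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+. endif
+LDFLAGS+= -L/usr/local/lib/bind
+LIBS+= -lbind -ldb -lcrypt
+
+.else # not Interix
+
+PKG_GROUPS= ${OPENSSH_GROUP}
+PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
+
+PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
+
+.endif
+
+SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
+
+PKG_SYSCONFSUBDIR= ssh
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-mantype=man
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
+.endif
+
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+= --without-zlib-version-check
+
+.if ${_PKGSRC_MKPIE} != "no"
+CONFIGURE_ARGS+= --with-pie
+.endif
+
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+= LD=${CC:Q}
+
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+. include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
+
+.if (${OPSYS} == "NetBSD")
+. if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+= --disable-libutil
+. endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it. So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+= ac_cv_func_strnvis=no
+#
+# workaround for ./configure problem, pkg/50936
+#
+CONFIGURE_ENV+= ac_cv_func_reallocarray=no
+.endif
+
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
+.endif
+
+CONFIGURE_ARGS.Linux+= --enable-md5-password
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
+.endif
+
+CONFS= ssh_config sshd_config moduli
+
+PLIST_VARS+= darwin
+
+EGDIR= ${PREFIX}/share/examples/${PKGBASE}
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+
+.for f in ${CONFS}
+CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS= ${OPENSSH_CHROOT}
+RCD_SCRIPTS= sshd
+RCD_SCRIPT_SRC.sshd= ${WRKDIR}/sshd.sh
+SMF_METHODS= sshd
+
+FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR}
+
+SUBST_CLASSES+= patch
+SUBST_STAGE.patch= pre-configure
+SUBST_FILES.patch= session.c sandbox-darwin.c
+SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch= PKG_SYSCONFDIR
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+cd ${WRKSRC} && autoconf -i
+
+post-configure:
+if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
+${WRKSRC}/config.h; then \
+${SED} -e '/HAVE_ECDSA/s/.*//' \
+${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+else \
+${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+fi
+${SED} -e 's,@VARBASE@,${VARBASE},g' \
+< ${FILESDIR}/org.openssh.sshd.sb.in \
+> ${WRKDIR}/org.openssh.sshd.sb
+
+post-install:
+${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+cd ${WRKSRC}; for file in ${CONFS}; do \
+${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
+done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+
+.include "../../mk/bsd.pkg.mk"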
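Review bot: `SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'` rewrites only the first `0` on whichever line of session.c or sandbox-darwin.c mentions that function, with no check that a substitution happened at all, so a reformatted call in a later upstream release would silently leave the literal uid-0 comparison in place (the matched line is not on this page, so this is inferred from the expression itself). A comment above the class naming the exact expression it is meant to hit, e.g. `# turn the "pw_uid == 0" test in the port-forward request into "== ROOTUID"`, gives the next updater something to verify against, and if the pkgsrc tree in use supports it, `SUBST_NOOP_OK.patch= no` turns a silent miss into a build failure. Separately, `HOMEPAGE= http://www.openssh.com/` can be `https://www.openssh.com/`.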
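--- /dev/null
+++ b/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
+bin/scp
+bin/sftp
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config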
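--- /dev/null
+++ b/distinfo
@@ -0,0 +1,29 @@
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
+
+SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
+RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+Size (openssh-8.0p1.tar.gz) = 1597697 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
+SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4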
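--- /dev/null
+++ b/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+(global-name "com.apple.system.notification_center")
+(global-name "com.apple.system.logger"))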
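--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1,46 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+<service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+<create_default_instance enabled='false'/>
+<single_instance/>
+<dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/system/filesystem/local'/>
+</dependency>
+<dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/network/loopback'/>
+</dependency>
+<dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/network/physical'/>
+</dependency>
+<dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/system/cryptosvc'/>
+</dependency>
+<dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
+<service_fmri value='svc:/system/utmp'/>
+</dependency>
+<dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
+<service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
+</dependency>
+<dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
+<service_fmri value='svc:/milestone/multi-user-server'/>
+</dependent>
+<exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
+<exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+<exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
+<property_group name='general' type='framework'>
+<property name='action_authorization' type='astring'/>
+</property_group>
+<property_group name='startd' type='framework'>
+<propval name='ignore_error' type='astring' value='core,signal'/>
+</property_group>
+<template>
+<common_name>
+<loctext xml:lang='C'>OpenSSH server</loctext>
+</common_name>
+<documentation>
+<manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
+</documentation>
+</template>
+</service>
+</service_bundle>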
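--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "@(#)sshd 1.4 04/11/17 SMI"
+
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+keypath=$1
+keytype=$2
+
+if [ ! -f $keypath ]; then
+grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+echo Creating new $keytype public/private host key pair
+$KEYGEN -f $keypath -t $keytype -N ''
+return $?
+fi
+fi
+
+return 0
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in
+# sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+create_key $SSHDIR/ssh_host_rsa_key rsa
+create_key $SSHDIR/ssh_host_dsa_key dsa
+;;
+
+'-u')
+# sys-unconfig(1M) knows how to remove ssh host keys, so there's
+# nothing to do here.
+:
+;;
+
+# SMF arguments (start and restart [really "refresh"])
+'start')
+@PREFIX@/sbin/sshd
+;;
+
+'restart')
+if [ -f "$PIDFILE" ]; then
+/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+fi
+;;
+
+*)
+echo "Usage: $0 { start | restart }"
+exit 1
+;;
+esac
+
+exit $?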
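Review bot: The `'-c')` branch only calls `create_key` for `ssh_host_rsa_key` and `ssh_host_dsa_key`, so a sysidconfig run never produces the ecdsa or ed25519 host keys that sshd 8.0 loads by default, while the DSA key it does create is not offered by a default configuration (ssh-dss has been disabled by default since OpenSSH 7.0). Adding `create_key $SSHDIR/ssh_host_ecdsa_key ecdsa` and `create_key $SSHDIR/ssh_host_ed25519_key ed25519` and dropping the dsa line would match what the rc.d script in this commit generates. Note also that `create_key` only generates a key when `sshd_config` carries an explicit `HostKey $keypath` line, so with a stock config (where those lines are presumably commented out) the whole branch is a no-op; the header comment above `create_key()` should state that expectation.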
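--- /dev/null
+++ b/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+. /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+(
+umask 022
+if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+@ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+@ECHO@ "Skipping protocol version 2 DSA Key Generation"
+else
+${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+fi
+
+if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+@ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+@ECHO@ "Skipping protocol version 2 RSA Key Generation"
+else
+${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+fi
+# HAVE_ECDSA_START
+if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+@ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+@ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+else
+${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+@ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+@ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+else
+${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+fi
+# HAVE_ED25519_STOP
+)
+}
+
+sshd_precmd()
+{
+if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+run_rc_command keygen
+else
+eval ${keygen_cmd}
+fi
+fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+load_rc_config $name
+run_rc_command "$1"
+else
+case ${1:-start} in
+start)
+if [ -x ${command} -a -f ${required_files} ]
+then
+@ECHO@ "Starting ${name}."
+eval ${start_precmd}
+eval ${command} ${sshd_flags} ${command_args}
+fi
+;;
+stop)
+if [ -f ${pidfile} ]; then
+pid=`@HEAD@ -1 ${pidfile}`
+@ECHO@ "Stopping ${name}."
+kill -TERM ${pid}
+else
+@ECHO@ "${name} not running?"
+fi
+;;
+restart)
+( $0 stop )
+sleep 1
+$0 start
+;;
+status)
+if [ -f ${pidfile} ]; then
+pid=`@HEAD@ -1 ${pidfile}`
+@ECHO@ "${name} is running as pid ${pid}."
+else
+@ECHO@ "${name} is not running."
+fi
+;;
+keygen)
+eval ${keygen_cmd}
+;;
+esac
+fi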
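Review bot: `sshd_keygen` still generates `ssh_host_dsa_key`, and the `sshd_precmd` test `! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \` forces a keygen run whenever that file is absent, yet OpenSSH 8.0 neither loads a DSA host key by default nor offers ssh-dss to clients unless explicitly configured, so the key is created for nothing. Dropping the DSA block and that test keeps the script aligned with the server's defaults (rsa, ecdsa, ed25519), which the remaining blocks already cover. Note also that `sshd_precmd` tests for `ssh_host_ecdsa_key` even when the Makefile's post-configure step has stripped the ECDSA block from `sshd_keygen`, so on such a build every start re-runs keygen; wrapping that test in the same `# HAVE_ECDSA_START`/`# HAVE_ECDSA_STOP` markers would fix it. In the fallback `stop)` and `status)` branches the value read from `${pidfile}` with `@HEAD@ -1` is used unvalidated, so an empty or corrupted pidfile reaches `kill -TERM ${pid}`; a guard such as `case "${pid}" in ''|*[!0-9]*) @ECHO@ "bad pid in ${pidfile}"; exit 1;; esac` before the kill avoids that.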
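--- /dev/null
+++ b/options.mk
@@ -0,0 +1,51 @@
+# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUGGESTED_OPTIONS= editline openssl
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+= pam
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mopenssl)
+.include "../../security/openssl/buildlink3.mk"
+CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
+.else
+CONFIGURE_ARGS+= --without-openssl
+.endif
+
+.if !empty(PKG_OPTIONS:Mkerberos)
+. include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE}
+. if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
+. endif
+.endif
+
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP= -p1
+#.endif
+
+PLIST_VARS+= pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+= --with-pam
+MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+= EGDIR=${EGDIR}
+. if ${OPSYS} == "Linux"
+PLIST.pam= yes
+. endif
+.endif
+
+.if !empty(PKG_OPTIONS:Meditline)
+.include "../../devel/editline/buildlink3.mk"
+CONFIGURE_ARGS+= --with-libedit=${BUILDLINK_PREFIX.editline}
+.endif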
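Review bot: The commented-out `#.if !empty(PKG_OPTIONS:Mhpn-patch)` block still points at `openssh-7.1p1-hpn-20150822.diff.bz2`, which cannot apply to the 8.0p1 distfile this package now builds, and `hpn-patch` is not in `PKG_SUPPORTED_OPTIONS`; stale configuration like this is better removed than carried into a new package. If the intent is to revive it later, a one-line comment naming the blocker is more useful than the dead lines. `PKG_OPTIONS_VAR= PKG_OPTIONS.openssh` is also carried over unchanged, so this package shares its options namespace with security/openssh; if that is deliberate for a drop-in copy, a comment saying so would stop someone "fixing" it to a separate variable (for example `PKG_OPTIONS.openssh8`, constructed here).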
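--- /dev/null
+++ b/patch-Makefile.in
@@ -0,0 +1,31 @@
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Removed install-sysconf as we handle that phase through post-install
+
+--- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000
++++ Makefile.in
+@@ -1,5 +1,5 @@
+# uncomment if you run a non bourne compatible shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+
+AUTORECONF=autoreconf
+
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+DESTDIR=
+VPATH=@srcdir@
+SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+SFTP_SERVER=$(libexecdir)/sftp-server
+SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+-rm -rf autom4te.cache .depend.bak
+
+install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
++install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+
+check-config: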
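--- /dev/null
+++ b/patch-auth-passwd.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth-passwd.c
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
+return 0;
+
+#ifndef HAVE_CYGWIN
+- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ok = 0;
+#endif
+if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
+authctxt->force_pwchange = 1;
+}
+#endif
++#ifdef HAVE_INTERIX
++ result = (!setuser(pw->pw_name, password, SU_CHECK));
++#else
+result = sys_auth_passwd(ssh, password);
++#endif
+if (authctxt->force_pwchange)
+auth_restrict_session(ssh);
+return (result && ok);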
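Review bot: The new `#ifdef HAVE_INTERIX` branch replaces `sys_auth_passwd()` with `result = (!setuser(pw->pw_name, password, SU_CHECK));` and nothing explains the negation; presumably `setuser()` returns 0 when the password verifies, but that convention belongs next to the call, e.g. `/* setuser(SU_CHECK) returns 0 on success and only checks the password; the uid switch happens later */`. The patch header only says "Replace uid 0 with ROOTUID macro" and does not mention this second, unrelated change, so the description line should be extended to cover it. Whether the Interix path honours the expiry and `force_pwchange` handling that `sys_auth_passwd()` performs cannot be judged from this hunk; `auth_password()` starts and ends outside it.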
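--- /dev/null
+++ b/patch-auth-rhosts.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000
++++ auth-rhosts.c
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+* If not logging in as superuser, try /etc/hosts.equiv and
+* shosts.equiv.
+*/
+- if (pw->pw_uid == 0)
++ if (pw->pw_uid == ROOTUID)
+debug3("%s: root user, ignoring system hosts files", __func__);
+else {
+if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+return 0;
+}
+if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+(st.st_mode & 022) != 0)) {
+logit("Rhosts authentication refused for %.100s: "
+"bad ownership or modes for home directory.", pw->pw_name);
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+* allowing access to their account by anyone.
+*/
+if (options.strict_modes &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+(st.st_mode & 022) != 0)) {
+logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+pw->pw_name, buf);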
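--- /dev/null
+++ b/patch-auth.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+vs. default login class distinction is made correctly, from FrrrBSD's
+ports.
+
+--- auth.c.orig 2019-05-01 11:28:52.028281617 +0000
++++ auth.c
+@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
+user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+if (options.strict_modes &&
+(stat(user_hostfile, &st) == 0) &&
+- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+(st.st_mode & 022) != 0)) {
+logit("Authentication refused for %.100s: "
+"bad owner or modes for %.200s",
+@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
+if (!allowed_user(ssh, pw))
+return (NULL);
+#ifdef HAVE_LOGIN_CAP
+- if ((lc = login_getclass(pw->pw_class)) == NULL) {
++ if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
+debug("unable to get login class: %s", user);
+return (NULL);
+}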
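Review bot: `login_getpwclass()` on NetBSD and FreeBSD is declared as taking a `const struct passwd *`, but the replacement line `+ if ((lc = login_getpwclass(pw->pw_class)) == NULL) {` passes `pw->pw_class`, a `char *`, so the library would read a class name as if it were a passwd record; the FreeBSD ports change the description cites passes the struct, i.e. `if ((lc = login_getpwclass(pw)) == NULL) {`. Unless the target libc really declares a string-taking `login_getpwclass()`, this should be corrected and the build checked for an incompatible-pointer warning on that line. `getpwnamallow()` continues outside the hunk, so whether `lc` is later released is not visible here.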
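--- /dev/null
+++ b/patch-auth2.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ auth2.c
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
+fatal("INTERNAL ERROR: authenticated and postponed");
+
+/* Special handling for root */
+- if (authenticated && authctxt->pw->pw_uid == 0 &&
++ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+!auth_root_allowed(ssh, method)) {
+authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS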
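--- /dev/null
+++ b/patch-clientloop.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite.  Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
++++ clientloop.c
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+struct stat st;
+u_int now, x11_timeout_real;
+
++#if __APPLE__
++ int is_path_to_socket = 0;
++#endif /* __APPLE__ */
++
+*_proto = proto;
+*_data = data;
+proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+}
+
+if (xauth_path != NULL) {
++#if __APPLE__
++ {
++ /*
++ * If using launchd socket, remove the screen number from the end
++ * of $DISPLAY. is_path_to_socket is used later in this function
++ * to determine if an error should be displayed.
++ */
++ char path[PATH_MAX];
++ struct stat sbuf;
++
++ strlcpy(path, display, sizeof(path));
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ } else {
++ char *dot = strrchr(path, '.');
++ if (dot) {
++ *dot = '\0';
++ /* screen = atoi(dot + 1); */
++ if (0 == stat(path, &sbuf)) {
++ is_path_to_socket = 1;
++ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
++ setenv("DISPLAY", path, 1);
++ }
++ }
++ }
++ }
++#endif /* __APPLE__ */
+/*
+* Handle FamilyLocal case where $DISPLAY does
+* not match an authorization entry. For this we
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+u_int8_t rnd[16];
+u_int i;
+
++#if __APPLE__
++ if (!is_path_to_socket)
++#endif /* __APPLE__ */
+logit("Warning: No xauth data; "
+"using fake authentication data for X11 forwarding.");
+strlcpy(proto, SSH_X11_PROTO, sizeof proto);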
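Review bot: The three Apple guards use `#if __APPLE__` rather than `#ifdef __APPLE__`; an undefined macro evaluates to 0 under `#if`, so this compiles, but it trips `-Wundef` and differs from the `#ifdef`/`#ifndef` style used for `HAVE_INTERIX` and `HAVE_CYGWIN` elsewhere in these patches. Inside the first block, `strlcpy(path, display, sizeof(path));` discards its return value, so a `$DISPLAY` longer than `PATH_MAX` is silently truncated and the truncated string is then `stat()`ed as if it were the socket path; testing `if (strlcpy(path, display, sizeof(path)) < sizeof(path))` around the detection keeps the pre-patch behaviour for that case. The `/* screen = atoi(dot + 1); */` line is dead code carried over from the MacPorts patch and can go. `client_x11_get_proto()` continues outside these hunks.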
@ -0,0 +1,37 @@
|
|||
$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
|
||||
|
||||
* Added Interix and define new path to if_tun.h.
|
||||
* Revive tcp_wrappers support.
|
||||
|
||||
--- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000
|
||||
+++ config.h.in
|
||||
@@ -741,6 +741,9 @@
|
||||
/* define if you have int64_t data type */
|
||||
#undef HAVE_INT64_T
|
||||
|
||||
+/* Define if you are on Interix */
|
||||
+#undef HAVE_INTERIX
|
||||
+
|
||||
/* Define to 1 if the system has the type `intmax_t'. */
|
||||
#undef HAVE_INTMAX_T
|
||||
|
||||
@@ -910,6 +913,9 @@
|
||||
/* Define to 1 if you have the <net/route.h> header file. */
|
||||
#undef HAVE_NET_ROUTE_H
|
||||
|
||||
+/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
|
||||
+#undef HAVE_NET_TUN_IF_TUN_H
|
||||
+
|
||||
/* Define if you are on NeXT */
|
||||
#undef HAVE_NEXT
|
||||
|
||||
@@ -1617,6 +1623,9 @@
|
||||
/* Define if pututxline updates lastlog too */
|
||||
#undef LASTLOG_WRITE_PUTUTXLINE
|
||||
|
||||
+/* Define if you want TCP Wrappers support */
|
||||
+#undef LIBWRAP
|
||||
+
|
||||
/* Define to whatever link() returns for "not supported" if it doesn't return
|
||||
EOPNOTSUPP. */
|
||||
#undef LINK_OPNOTSUPP_ERRNO
|
|
@ -0,0 +1,138 @@
|
|||
$NetBSD$
|
||||
|
||||
--- configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
|
||||
+++ configure.ac
|
||||
@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
|
||||
]
|
||||
)
|
||||
|
||||
+# pkgsrc handles any rpath settings this package needs
|
||||
+need_dash_r=
|
||||
+
|
||||
# Allow user to specify flags
|
||||
AC_ARG_WITH([cflags],
|
||||
[ --with-cflags Specify additional flags to pass to compiler],
|
||||
@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
|
||||
maillock.h \
|
||||
ndir.h \
|
||||
net/if_tun.h \
|
||||
+ net/tun/if_tun.h \
|
||||
netdb.h \
|
||||
netgroup.h \
|
||||
pam/pam_appl.h \
|
||||
@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
+*-*-interix*)
|
||||
+ AC_DEFINE(HAVE_INTERIX)
|
||||
+ AC_DEFINE(DISABLE_FD_PASSING)
|
||||
+ AC_DEFINE(DISABLE_SHADOW)
|
||||
+ AC_DEFINE(IP_TOS_IS_BROKEN)
|
||||
+ AC_DEFINE(MISSING_HOWMANY)
|
||||
+ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
|
||||
+ AC_DEFINE(USE_PIPES)
|
||||
+ ;;
|
||||
*-*-irix5*)
|
||||
PATH="$PATH:/usr/etc"
|
||||
AC_DEFINE([BROKEN_INET_NTOA], [1],
|
||||
@@ -1494,6 +1507,62 @@ else
|
||||
AC_MSG_RESULT([no])
|
||||
fi
|
||||
|
||||
+# Check whether user wants TCP wrappers support
|
||||
+TCPW_MSG="no"
|
||||
+AC_ARG_WITH([tcp-wrappers],
|
||||
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ saved_LIBS="$LIBS"
|
||||
+ saved_LDFLAGS="$LDFLAGS"
|
||||
+ saved_CPPFLAGS="$CPPFLAGS"
|
||||
+ if test -n "${withval}" && \
|
||||
+ test "x${withval}" != "xyes"; then
|
||||
+ if test -d "${withval}/lib"; then
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ else
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test -d "${withval}/include"; then
|
||||
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
||||
+ else
|
||||
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ LIBS="-lwrap $LIBS"
|
||||
+ AC_MSG_CHECKING([for libwrap])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <tcpd.h>
|
||||
+int deny_severity = 0, allow_severity = 0;
|
||||
+ ]], [[
|
||||
+ hosts_access(0);
|
||||
+ ]])], [
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE([LIBWRAP], [1],
|
||||
+ [Define if you want
|
||||
+ TCP Wrappers support])
|
||||
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
||||
+ TCPW_MSG="yes"
|
||||
+ ], [
|
||||
+ AC_MSG_ERROR([*** libwrap missing])
|
||||
+
|
||||
+ ])
|
||||
+ LIBS="$saved_LIBS"
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants to use ldns
|
||||
LDNS_MSG="no"
|
||||
AC_ARG_WITH(ldns,
|
||||
@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
||||
])
|
||||
if test -z "$conf_wtmpx_location"; then
|
||||
if test x"$system_wtmpx_path" = x"no" ; then
|
||||
- AC_DEFINE([DISABLE_WTMPX])
|
||||
+ for f in /var/log/wtmpx; do
|
||||
+ if test -f $f ; then
|
||||
+ conf_wtmpx_location=$f
|
||||
+ fi
|
||||
+ done
|
||||
+ if test -z "$conf_wtmpx_location"; then
|
||||
+ AC_DEFINE(DISABLE_WTMPX)
|
||||
+ fi
|
||||
fi
|
||||
-else
|
||||
+fi
|
||||
+if test -n "$conf_wtmpx_location"; then
|
||||
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
|
||||
[Define if you want to specify the path to your wtmpx file])
|
||||
fi
|
||||
@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
|
||||
echo " User binaries: $B"
|
||||
echo " System binaries: $C"
|
||||
echo " Configuration files: $D"
|
||||
-echo " Askpass program: $E"
|
||||
+echo " Askpass program: ${ASKPASS_PROGRAM}"
|
||||
echo " Manual pages: $F"
|
||||
echo " PID file: $G"
|
||||
echo " Privilege separation chroot path: $H"
|
||||
@@ -5245,6 +5322,7 @@ echo " PAM support
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
+echo " TCP Wrappers support: $TCPW_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " libldns support: $LDNS_MSG"
|
|
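Review bot: In the new `--with-tcp-wrappers` block, `saved_LDFLAGS` and `saved_CPPFLAGS` are captured but never read again; only `LIBS="$saved_LIBS"` is restored, so the `-L`/`-I` additions deliberately stay in effect while the two dead assignments read like an unfinished restore. Either drop them or add a comment such as `# LDFLAGS/CPPFLAGS are left extended on purpose: sshd needs them to link -lwrap` next to the `LIBS` restore. Separately, `need_dash_r=` is cleared near the top of the file, so the `-R${withval}/lib` branches in this block can never be taken under pkgsrc; a one-line note that they are kept only for parity with upstream would save the next reader from tracing that.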
@ -0,0 +1,47 @@
|
|||
$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
Define ROOTUID, UTMPX_FILE and WTMPX_FILE
|
||||
|
||||
--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ defines.h
|
||||
@@ -30,6 +30,15 @@
|
||||
|
||||
/* Constants */
|
||||
|
||||
+#ifdef HAVE_INTERIX
|
||||
+/* Interix has a special concept of "administrator". */
|
||||
+# define ROOTUID 197108
|
||||
+# define ROOTGID 131616
|
||||
+#else
|
||||
+# define ROOTUID 0
|
||||
+# define ROOTGID 0
|
||||
+#endif
|
||||
+
|
||||
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
|
||||
enum
|
||||
{
|
||||
@@ -721,6 +730,24 @@ struct winsize {
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
+#ifndef UTMPX_FILE
|
||||
+# ifdef _PATH_UTMPX
|
||||
+# define UTMPX_FILE _PATH_UTMPX
|
||||
+# else
|
||||
+# ifdef CONF_UTMPX_FILE
|
||||
+# define UTMPX_FILE CONF_UTMPX_FILE
|
||||
+# endif
|
||||
+# endif
|
||||
+#endif
|
||||
+#ifndef WTMPX_FILE
|
||||
+# ifdef _PATH_WTMPX
|
||||
+# define WTMPX_FILE _PATH_WTMPX
|
||||
+# else
|
||||
+# ifdef CONF_WTMPX_FILE
|
||||
+# define WTMPX_FILE CONF_WTMPX_FILE
|
||||
+# endif
|
||||
+# endif
|
||||
+#endif
|
||||
/* pick up the user's location for lastlog if given */
|
||||
#ifndef LASTLOG_FILE
|
||||
# ifdef _PATH_LASTLOG
|
|
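Review bot: The new `ROOTUID`/`ROOTGID` definitions become the pivot for every superuser test that the sibling patches rewrite (sshd.c, uidswap.c, session.c, platform.c, sshpty.c, loginrec.c), but the block only explains the Interix values. A comment on the generic branch, e.g. `/* Everywhere else the superuser is uid/gid 0; privilege checks compare against these, never a literal 0. */`, would record that contract for anyone adding a new check. The Interix comment could also name where 197108/131616 come from so the numbers can be re-verified when the platform headers change.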
@ -0,0 +1,17 @@
|
|||
$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
Interix support
|
||||
|
||||
--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ includes.h
|
||||
@@ -127,6 +127,10 @@
|
||||
#ifdef HAVE_READPASSPHRASE_H
|
||||
# include <readpassphrase.h>
|
||||
#endif
|
||||
+#ifdef HAVE_INTERIX
|
||||
+# include <interix/env.h>
|
||||
+# include <interix/security.h>
|
||||
+#endif
|
||||
|
||||
#ifdef HAVE_IA_H
|
||||
# include <ia.h>
|
|
@ -0,0 +1,68 @@
|
|||
$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
Interix support and related fixes. Fix build on FreeBSD.
|
||||
|
||||
--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ loginrec.c
|
||||
@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
|
||||
int
|
||||
login_write(struct logininfo *li)
|
||||
{
|
||||
-#ifndef HAVE_CYGWIN
|
||||
- if (geteuid() != 0) {
|
||||
+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
|
||||
+ if (geteuid() != ROOTUID) {
|
||||
logit("Attempt to write login records by non-root user (aborting)");
|
||||
return (1);
|
||||
}
|
||||
@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
|
||||
|
||||
/* set the timestamp */
|
||||
login_set_current_time(li);
|
||||
-#ifdef USE_LOGIN
|
||||
+#if defined(USE_LOGIN) && (HAVE_UTMP_H)
|
||||
syslogin_write_entry(li);
|
||||
#endif
|
||||
#ifdef USE_LASTLOG
|
||||
@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
|
||||
** into account.
|
||||
**/
|
||||
|
||||
-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
|
||||
+#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
|
||||
|
||||
/* build the utmp structure */
|
||||
void
|
||||
@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
|
||||
set_utmpx_time(li, utx);
|
||||
utx->ut_pid = li->pid;
|
||||
|
||||
- /* strncpy(): Don't necessarily want null termination */
|
||||
- strncpy(utx->ut_user, li->username,
|
||||
- MIN_SIZEOF(utx->ut_user, li->username));
|
||||
-
|
||||
if (li->type == LTYPE_LOGOUT)
|
||||
return;
|
||||
|
||||
@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
|
||||
* for logouts.
|
||||
*/
|
||||
|
||||
+ /* strncpy(): Don't necessarily want null termination */
|
||||
+#if defined(__FreeBSD__)
|
||||
+ strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
|
||||
+#else
|
||||
+ strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
|
||||
+#endif
|
||||
# ifdef HAVE_HOST_IN_UTMPX
|
||||
strncpy(utx->ut_host, li->hostname,
|
||||
MIN_SIZEOF(utx->ut_host, li->hostname));
|
||||
@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
|
||||
-#ifdef USE_LOGIN
|
||||
+#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
|
||||
static int
|
||||
syslogin_perform_login(struct logininfo *li)
|
||||
{
|
|
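Review bot: In the two `construct_utmpx` hunks the username copy is removed from before `if (li->type == LTYPE_LOGOUT) return;` and re-added after it, so logout records no longer carry `ut_user`/`ut_name`; the surrounding comment describes the fields below as used only for logins, which suggests the move was made for the field-name `#if` rather than to drop the name from logout entries. If that was not intended, keep the `#if defined(__FreeBSD__)` pair at the original position before the early return. The platform macro is also a narrow selector for a field-name difference; a configure-time check for which member exists would be more robust than `__FreeBSD__`, though that is hedged since the rest of the file is not in view. The `login_write` hunk additionally skips the euid check entirely on Interix, which deserves a one-line comment on why non-administrator writes are acceptable there. All of these functions extend beyond the hunk boundaries.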
@ -0,0 +1,22 @@
|
|||
$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
|
||||
|
||||
Interix support
|
||||
|
||||
--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
|
||||
+++ openbsd-compat/bsd-openpty.c
|
||||
@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
|
||||
return (-1);
|
||||
}
|
||||
|
||||
+#if !defined(HAVE_INTERIX)
|
||||
/*
|
||||
* Try to push the appropriate streams modules, as described
|
||||
* in Solaris pts(7).
|
||||
@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
|
||||
# ifndef __hpux
|
||||
ioctl(*aslave, I_PUSH, "ttcompat");
|
||||
# endif /* __hpux */
|
||||
+#endif /* !HAVE_INTERIX */
|
||||
|
||||
return (0);
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
strtoll() declaration
|
||||
|
||||
--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ openbsd-compat/openbsd-compat.h
|
||||
@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
|
||||
int setenv(register const char *name, register const char *value, int rewrite);
|
||||
#endif
|
||||
|
||||
+#ifndef HAVE_STRTOLL
|
||||
+long long strtoll(const char *, char **, int);
|
||||
+#endif
|
||||
+
|
||||
#ifndef HAVE_STRMODE
|
||||
void strmode(int mode, char *p);
|
||||
#endif
|
|
@ -0,0 +1,45 @@
|
|||
$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
|
||||
|
||||
if_tun.h can be found in net/tun
|
||||
|
||||
--- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000
|
||||
+++ openbsd-compat/port-net.c
|
||||
@@ -1,3 +1,4 @@
|
||||
+
|
||||
/*
|
||||
* Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
|
||||
*
|
||||
@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
|
||||
#include <sys/socket.h>
|
||||
#include <net/if.h>
|
||||
|
||||
+#ifdef HAVE_NET_TUN_IF_TUN_H
|
||||
+#include <net/tun/if_tun.h>
|
||||
+#endif
|
||||
+
|
||||
#ifdef HAVE_NET_IF_TUN_H
|
||||
#include <net/if_tun.h>
|
||||
#endif
|
||||
@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
|
||||
{
|
||||
struct ifreq ifr;
|
||||
char name[100];
|
||||
- int fd = -1, sock, flag;
|
||||
+ int fd = -1, sock;
|
||||
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
|
||||
+ int flag;
|
||||
+#endif
|
||||
const char *tunbase = "tun";
|
||||
|
||||
if (ifname != NULL)
|
||||
@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
|
||||
return (-1);
|
||||
}
|
||||
|
||||
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
|
||||
/* Turn on tunnel headers */
|
||||
flag = 1;
|
||||
-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
|
||||
if (mode != SSH_TUNMODE_ETHERNET &&
|
||||
ioctl(fd, TUNSIFHEAD, &flag) == -1) {
|
||||
debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
|
|
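Review bot: The first hunk (`@@ -1,3 +1,4 @@`) adds only a blank line above the copyright header, which looks like an artefact of patch generation rather than part of the if_tun.h fix; dropping that hunk keeps the patch minimal. In `sys_tun_open`, moving `flag = 1;` under `#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)` correctly matches the new conditional declaration, so the unused-variable warning is gone on both sides. A short comment on the declaration, `/* only used by the TUNSIFHEAD ioctl below */`, would tie the two `#if` blocks together; `sys_tun_open` continues outside the hunk.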
@ -0,0 +1,16 @@
|
|||
$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
Interix support
|
||||
|
||||
--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ platform.c
|
||||
@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
|
||||
/* uid 0 is not special on Cygwin so always try */
|
||||
return 1;
|
||||
#else
|
||||
+#if !defined(HAVE_INTERIX)
|
||||
return (getuid() == 0 || geteuid() == 0);
|
||||
+#endif /* !HAVE_INTERIX */
|
||||
#endif
|
||||
}
|
||||
|
|
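Review bot: With `HAVE_INTERIX` defined, `platform_privileged_uidswap` has no `return` on the non-Cygwin path: the only statement in that branch is now wrapped in `#if !defined(HAVE_INTERIX)`, so control falls off the end of a non-void function, which is undefined behaviour and leaves the caller's decision about whether to swap uids to whatever is in the return register. The intent is presumably that uid 0 is not the administrator on Interix, which the `ROOTUID` macro from patch-defines.h already expresses; replacing the wrapper with `return (getuid() == ROOTUID || geteuid() == ROOTUID);` for all non-Cygwin platforms (or an explicit `return 0;`/`return 1;` in an `#else` branch) gives a defined result. Building with `-Werror=return-type` would have caught this. The function's opening lines are outside the hunk.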
@ -0,0 +1,23 @@
|
|||
$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
Support sandbox on newer OSX, from MacPorts.
|
||||
|
||||
--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ sandbox-darwin.c
|
||||
@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
|
||||
struct rlimit rl_zero;
|
||||
|
||||
debug3("%s: starting Darwin sandbox", __func__);
|
||||
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
|
||||
+#ifndef SANDBOX_NAMED_EXTERNAL
|
||||
+#define SANDBOX_NAMED_EXTERNAL (0x3)
|
||||
+#endif
|
||||
+ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
|
||||
+ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
|
||||
+#else
|
||||
if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
|
||||
&errmsg) == -1)
|
||||
+#endif
|
||||
fatal("%s: sandbox_init: %s", __func__, errmsg);
|
||||
|
||||
/*
|
|
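Review bot: The `SANDBOX_NAMED_EXTERNAL (0x3)` fallback define carries no note about where the value comes from, and the profile is now read from `@PKG_SYSCONFDIR@/org.openssh.sshd.sb` at runtime, so a missing, unreadable or writable profile changes what the pre-auth child is confined by. A comment above the `#ifndef`, such as `/* flag value used when the SDK's sandbox.h does not declare SANDBOX_NAMED_EXTERNAL; re-check against the header on SDK updates */`, plus an installation note that the profile must be root-owned and not group/world-writable (the same rule sshd applies to `_PATH_PRIVSEP_CHROOT_DIR` in patch-sshd.c), would make the trust assumption explicit. This is hedged on the exact origin of 0x3, since the header is not on the page; `ssh_sandbox_child` begins outside the hunk.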
@ -0,0 +1,39 @@
|
|||
$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
Interix support
|
||||
|
||||
--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ scp.c
|
||||
@@ -478,7 +478,11 @@ main(int argc, char **argv)
|
||||
argc -= optind;
|
||||
argv += optind;
|
||||
|
||||
+#ifdef HAVE_INTERIX
|
||||
+ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
|
||||
+#else
|
||||
if ((pwd = getpwuid(userid = getuid())) == NULL)
|
||||
+#endif
|
||||
fatal("unknown user %u", (u_int) userid);
|
||||
|
||||
if (!isatty(STDOUT_FILENO))
|
||||
@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
|
||||
return;
|
||||
}
|
||||
while ((dp = readdir(dirp)) != NULL) {
|
||||
+#ifndef HAVE_INTERIX
|
||||
if (dp->d_ino == 0)
|
||||
continue;
|
||||
+#endif
|
||||
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
|
||||
continue;
|
||||
if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
|
||||
@@ -1297,7 +1303,9 @@ okname(char *cp0)
|
||||
case '\'':
|
||||
case '"':
|
||||
case '`':
|
||||
+#ifndef HAVE_INTERIX
|
||||
case ' ':
|
||||
+#endif
|
||||
case '#':
|
||||
goto bad;
|
||||
default:
|
|
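Review bot: In the `okname` hunk the `case ' ':` exclusion is compiled out on Interix, which widens the set of user names `okname` accepts; since this function exists to keep shell-relevant characters out of names scp forwards, the relaxation deserves a comment stating why a space is safe there, e.g. `/* Interix account names may contain spaces; see how the checked name is consumed below before adding further exceptions. */`, and the comment should say whether the name ends up as an argv element or inside a shell command string, since that determines whether a space is harmless — hedged, because the consumer is outside the hunk. The `rsource` hunk likewise drops the `d_ino == 0` skip on Interix without a comment; one line noting what Interix reports in `d_ino` would help. Both functions extend beyond the hunk boundaries.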
@ -0,0 +1,65 @@
|
|||
$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
|
||||
|
||||
* Interix support.
|
||||
|
||||
--- session.c.orig 2018-10-17 00:01:20.000000000 +0000
|
||||
+++ session.c
|
||||
@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
|
||||
if (tmpenv == NULL)
|
||||
return;
|
||||
|
||||
- if (uid == 0)
|
||||
+ if (uid == ROOTUID)
|
||||
var = child_get_env(tmpenv, "SUPATH");
|
||||
else
|
||||
var = child_get_env(tmpenv, "PATH");
|
||||
@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
# endif /* HAVE_ETC_DEFAULT_LOGIN */
|
||||
if (path == NULL || *path == '\0') {
|
||||
child_set_env(&env, &envsize, "PATH",
|
||||
- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
|
||||
+ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
|
||||
}
|
||||
# endif /* HAVE_CYGWIN */
|
||||
#endif /* HAVE_LOGIN_CAP */
|
||||
@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
|
||||
original_command);
|
||||
|
||||
+#ifdef HAVE_INTERIX
|
||||
+ {
|
||||
+ /* copy standard Windows environment, then apply changes */
|
||||
+ env_t *winenv = env_login(pw);
|
||||
+ env_putarray(winenv, env, ENV_OVERRIDE);
|
||||
+
|
||||
+ /* swap over to altered environment as a traditional array */
|
||||
+ env = env_array(winenv);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (debug_flag) {
|
||||
/* dump the environment */
|
||||
fprintf(stderr, "Environment:\n");
|
||||
@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
|
||||
perror("setgid");
|
||||
exit(1);
|
||||
}
|
||||
+# if !defined(HAVE_INTERIX)
|
||||
/* Initialize the group list. */
|
||||
if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
|
||||
perror("initgroups");
|
||||
exit(1);
|
||||
}
|
||||
+# endif /* !HAVE_INTERIX */
|
||||
endgrent();
|
||||
#endif
|
||||
|
||||
@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
|
||||
record_logout(s->pid, s->tty, s->pw->pw_name);
|
||||
|
||||
/* Release the pseudo-tty. */
|
||||
- if (getuid() == 0)
|
||||
+ if (getuid() == ROOTUID)
|
||||
pty_release(s->tty);
|
||||
|
||||
/*
|
|
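Review bot: The Interix block in `do_setup_env` does not check `env_login(pw)` for failure before handing `winenv` to `env_putarray`, and after `env = env_array(winenv);` the array the function built with `child_set_env` is abandoned while `envsize` still describes it, so any later `child_set_env(&env, &envsize, ...)` would operate on a buffer of unknown capacity — hedged, since the rest of `do_setup_env` is outside the hunk. Suggest `if (winenv == NULL) fatal("%s: env_login failed", __func__);` and a comment stating that `env` must not be grown after this point (or reset `envsize` to match the new array). The `initgroups` skip in `do_setusercontext` also lacks a comment on where supplementary groups come from on Interix; a line there would keep this path and patch-uidswap.c in visible agreement.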
@ -0,0 +1,14 @@
|
|||
$NetBSD$
|
||||
|
||||
--- sftp-common.c.orig 2019-04-17 22:52:57.000000000 +0000
|
||||
+++ sftp-common.c
|
||||
@@ -36,7 +36,9 @@
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <stdarg.h>
|
||||
+#ifdef HAVE_UNISTD_H
|
||||
#include <unistd.h>
|
||||
+#endif
|
||||
#ifdef HAVE_UTIL_H
|
||||
#include <util.h>
|
||||
#endif
|
|
@ -0,0 +1,27 @@
|
|||
$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
* Revive tcp_wrappers support.
|
||||
|
||||
--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ sshd.8
|
||||
@@ -850,6 +850,12 @@ the user's home directory becomes access
|
||||
This file should be writable only by the user, and need not be
|
||||
readable by anyone else.
|
||||
.Pp
|
||||
+.It Pa /etc/hosts.allow
|
||||
+.It Pa /etc/hosts.deny
|
||||
+Access controls that should be enforced by tcp-wrappers are defined here.
|
||||
+Further details are described in
|
||||
+.Xr hosts_access 5 .
|
||||
+.Pp
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
@@ -953,6 +959,7 @@ The content of this file is not sensitiv
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
+.Xr hosts_access 5 ,
|
||||
.Xr login.conf 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
|
@ -0,0 +1,137 @@
|
|||
$NetBSD$
|
||||
|
||||
--- sshd.c.orig 2019-04-17 22:52:57.000000000 +0000
|
||||
+++ sshd.c
|
||||
@@ -123,6 +123,13 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
+#ifdef LIBWRAP
|
||||
+#include <tcpd.h>
|
||||
+#include <syslog.h>
|
||||
+int allow_severity;
|
||||
+int deny_severity;
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
@@ -235,7 +242,11 @@ static int *startup_flags = NULL; /* Ind
|
||||
static int startup_pipe = -1; /* in child */
|
||||
|
||||
/* variables used for privilege separation */
|
||||
+#ifdef HAVE_INTERIX
|
||||
+int use_privsep = 0;
|
||||
+#else
|
||||
int use_privsep = -1;
|
||||
+#endif
|
||||
struct monitor *pmonitor = NULL;
|
||||
int privsep_is_preauth = 1;
|
||||
static int privsep_chroot = 1;
|
||||
@@ -467,10 +478,15 @@ privsep_preauth_child(void)
|
||||
/* Drop our privileges */
|
||||
debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
|
||||
(u_int)privsep_pw->pw_gid);
|
||||
+#ifdef HAVE_INTERIX
|
||||
+ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
|
||||
+ fatal("setuser: %.100s", strerror(errno));
|
||||
+#else
|
||||
gidset[0] = privsep_pw->pw_gid;
|
||||
if (setgroups(1, gidset) < 0)
|
||||
fatal("setgroups: %.100s", strerror(errno));
|
||||
permanently_set_uid(privsep_pw);
|
||||
+#endif /* HAVE_INTERIX */
|
||||
}
|
||||
}
|
||||
|
||||
@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
|
||||
/* Arrange for logging to be sent to the monitor */
|
||||
set_log_handler(mm_log_handler, pmonitor);
|
||||
|
||||
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
|
||||
+ /* We need to do this before we chroot() so we can read sshd.sb */
|
||||
+ if (box != NULL)
|
||||
+ ssh_sandbox_child(box);
|
||||
+#endif
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
+#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
|
||||
if (box != NULL)
|
||||
ssh_sandbox_child(box);
|
||||
+#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
#else
|
||||
- if (authctxt->pw->pw_uid == 0) {
|
||||
+ if (authctxt->pw->pw_uid == ROOTUID) {
|
||||
#endif
|
||||
/* File descriptor passing is broken or root login */
|
||||
use_privsep = 0;
|
||||
@@ -1454,7 +1477,7 @@ main(int ac, char **av)
|
||||
av = saved_argv;
|
||||
#endif
|
||||
|
||||
- if (geteuid() == 0 && setgroups(0, NULL) == -1)
|
||||
+ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
|
||||
debug("setgroups(): %.200s", strerror(errno));
|
||||
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
@@ -1686,7 +1709,7 @@ main(int ac, char **av)
|
||||
);
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
- privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
|
||||
+ privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
if (privsep_chroot || options.kerberos_authentication)
|
||||
fatal("Privilege separation user %s does not exist",
|
||||
@@ -1830,7 +1853,7 @@ main(int ac, char **av)
|
||||
(st.st_uid != getuid () ||
|
||||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
|
||||
#else
|
||||
- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
|
||||
+ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
|
||||
#endif
|
||||
fatal("%s must be owned by root and not group or "
|
||||
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
|
||||
@@ -1858,8 +1881,10 @@ main(int ac, char **av)
|
||||
* to create a file, and we can't control the code in every
|
||||
* module which might be used).
|
||||
*/
|
||||
+#ifndef HAVE_INTERIX
|
||||
if (setgroups(0, NULL) < 0)
|
||||
debug("setgroups() failed: %.200s", strerror(errno));
|
||||
+#endif
|
||||
|
||||
if (rexec_flag) {
|
||||
if (rexec_argc < 0)
|
||||
@@ -2053,6 +2078,25 @@ main(int ac, char **av)
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
|
||||
+#ifdef LIBWRAP
|
||||
+ allow_severity = options.log_facility|LOG_INFO;
|
||||
+ deny_severity = options.log_facility|LOG_WARNING;
|
||||
+ /* Check whether logins are denied from this host. */
|
||||
+ if (ssh_packet_connection_is_on_socket(ssh)) {
|
||||
+ struct request_info req;
|
||||
+
|
||||
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
||||
+ fromhost(&req);
|
||||
+
|
||||
+ if (!hosts_access(&req)) {
|
||||
+ debug("Connection refused by tcp wrapper");
|
||||
+ refuse(&req);
|
||||
+ /* NOTREACHED */
|
||||
+ fatal("libwrap refuse returns");
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
rdomain = ssh_packet_rdomain_in(ssh);
|
||||
|
||||
/* Log the connection. */
|
|
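Review bot: Under `__APPLE_SANDBOX_NAMED_EXTERNAL__` the pre-auth child now enters the sandbox before `privsep_preauth_child()` chroots and drops privileges, so the external profile must also permit the chroot/setgroups/setuid sequence that follows, and a sandbox failure is now reported by `fatal` while still running as root; the existing comment mentions only reading sshd.sb and should state that this ordering is deliberate and what the profile has to allow. `int use_privsep = 0;` under `HAVE_INTERIX` turns privilege separation off by default on that platform with no comment; a line explaining the limitation (fd passing is disabled there per patch-configure.ac) would document a security-relevant default, hedged on whether anything later resets the variable. In the `LIBWRAP` block, `fromhost(&req)` runs before any authentication and may resolve the peer address, which is expected tcp_wrappers behaviour but worth a one-line comment on the accept path. These hunks sit inside `privsep_preauth` and `main`, which extend beyond the hunk boundaries.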
@ -0,0 +1,24 @@
|
|||
$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
|
||||
|
||||
Replace uid 0 with ROOTUID macro
|
||||
|
||||
--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000
|
||||
+++ sshpty.c
|
||||
@@ -86,7 +86,7 @@ void
|
||||
pty_release(const char *tty)
|
||||
{
|
||||
#if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
|
||||
- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
|
||||
+ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
|
||||
error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
|
||||
if (chmod(tty, (mode_t) 0666) < 0)
|
||||
error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
|
||||
@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
|
||||
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
|
||||
if (chown(tty, pw->pw_uid, gid) < 0) {
|
||||
if (errno == EROFS &&
|
||||
- (st.st_uid == pw->pw_uid || st.st_uid == 0))
|
||||
+ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
|
||||
debug("chown(%.100s, %u, %u) failed: %.100s",
|
||||
tty, (u_int)pw->pw_uid, (u_int)gid,
|
||||
strerror(errno));
|
|
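Review bot: In `pty_release` the `chown` target becomes `ROOTUID`/`ROOTGID`, but the error text on the next line still reads `"chown %.100s 0 0 failed: %.100s"`, so on Interix a failure would be logged with the wrong ids. Print the actual values instead: `error("chown %.100s %u %u failed: %.100s", tty, (u_int)ROOTUID, (u_int)ROOTGID, strerror(errno));`. The `pty_setowner` hunk is consistent with the other `ROOTUID` rewrites in this commit.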
@ -0,0 +1,77 @@
|
|||
$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
|
||||
|
||||
Interix support
|
||||
|
||||
--- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000
|
||||
+++ uidswap.c
|
||||
@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
|
||||
(u_int)pw->pw_uid, (u_int)pw->pw_gid,
|
||||
(u_int)saved_euid, (u_int)saved_egid);
|
||||
#ifndef HAVE_CYGWIN
|
||||
- if (saved_euid != 0) {
|
||||
+ if (saved_euid != ROOTUID) {
|
||||
privileged = 0;
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
#else
|
||||
- if (geteuid() != 0) {
|
||||
+ if (geteuid() != ROOTUID) {
|
||||
privileged = 0;
|
||||
return;
|
||||
}
|
||||
@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
|
||||
|
||||
/* set and save the user's groups */
|
||||
if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
|
||||
+#ifndef HAVE_INTERIX
|
||||
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
|
||||
fatal("initgroups: %s: %.100s", pw->pw_name,
|
||||
strerror(errno));
|
||||
-
|
||||
+#endif
|
||||
user_groupslen = getgroups(0, NULL);
|
||||
if (user_groupslen < 0)
|
||||
fatal("getgroups: %.100s", strerror(errno));
|
||||
@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
|
||||
}
|
||||
user_groups_uid = pw->pw_uid;
|
||||
}
|
||||
+#ifndef HAVE_INTERIX
|
||||
/* Set the effective uid to the given (unprivileged) uid. */
|
||||
if (setgroups(user_groupslen, user_groups) < 0)
|
||||
fatal("setgroups: %.100s", strerror(errno));
|
||||
+#endif
|
||||
#ifndef SAVED_IDS_WORK_WITH_SETEUID
|
||||
/* Propagate the privileged gid to all of our gids. */
|
||||
if (setgid(getegid()) < 0)
|
||||
@@ -166,8 +169,10 @@ restore_uid(void)
|
||||
setgid(getgid());
|
||||
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
|
||||
|
||||
+#ifndef HAVE_INTERIX
|
||||
if (setgroups(saved_egroupslen, saved_egroups) < 0)
|
||||
fatal("setgroups: %.100s", strerror(errno));
|
||||
+#endif
|
||||
temporarily_use_uid_effective = 0;
|
||||
}
|
||||
|
||||
@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
|
||||
debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
|
||||
(u_int)pw->pw_gid);
|
||||
|
||||
+#if defined(HAVE_INTERIX)
|
||||
+ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
|
||||
+ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
|
||||
+#else
|
||||
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
|
||||
fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
|
||||
|
||||
@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
|
||||
(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
|
||||
fatal("%s: was able to restore old [e]uid", __func__);
|
||||
#endif
|
||||
+#endif /* HAVE_INTERIX */
|
||||
|
||||
/* Verify UID drop was successful */
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
|