openssh8: copy of security/openssh updated to 8.0p1.

This commit is contained in:
Aleksej Lebedev 2019-05-01 13:37:37 +00:00
parent 6925eeb902
commit 4f800ff628
71 changed files with 3456 additions and 0 deletions

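--- a/openssh/DESCR
+++ b/openssh/DESCR
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.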

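--- a/openssh/INSTALL
+++ b/openssh/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+case ${STAGE} in
+POST-INSTALL)
+for dir in $DIRS; do
+if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+for file in $FILES; do
+path=$dir/$file
+if [ -f $path ]; then
+${CAT} <<EOF
+===========================================================================
+*===* NOTICE *===*
+WARNING: previous configuration file $path found.
+The config files for ${PKGNAME} must be located in:
+@PKG_SYSCONFDIR@
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+===========================================================================
+EOF
+exit
+fi
+done
+fi
+done
+;;
+esac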
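Review bot: The bare `exit` inside the heredoc branch leaves both loops after the first stale file, so a second stale copy (for example both `/etc/ssh/sshd_config` and `${PKG_PREFIX}/etc/ssh/sshd_config`) is never reported; dropping the `exit` and letting the loops finish would list every match. The test should also quote its operand, `if [ -f "$path" ]; then`, since `$dir` is built from `${PKG_PREFIX}`. `exit` with no status returns whatever `${CAT}` returned, which appears to be the intended "notice only, do not fail the install" outcome, but that deserves a comment such as `# notice only; never fail the install on a stale config`. Indentation seems to have been lost in rendering, so layout was not reviewed.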

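--- a/openssh/MESSAGE.Interix
+++ b/openssh/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+OpenSSH on Interix has some important caveats:
+* Hostname resolution uses the BIND resolver library rather than Windows
+native lookup services. This requires that /etc/resolv.conf be set up
+properly with a "nameserver" line; see resolv.conf(5). In most
+installations, this was generated automatically when Services for UNIX
+was installed (based on the name server in use at that time).
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+to "no" on Interix.
+* Network drives and encrypted local files may not be accessible after
+logging in through sshd thanks to the way the Windows security API works.
+A workaround is to "exec su USERNAME" after logging in, which will use
+the password to create a proper Windows access credential key.
+===========================================================================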

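--- a/openssh/MESSAGE.pam
+++ b/openssh/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+To authenticate for SSH using PAM, add the contents of the file:
+${EGDIR}/sshd.pam
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================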

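--- a/openssh/Makefile
+++ b/openssh/Makefile
@@ -0,0 +1,209 @@
+# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
+DISTNAME= openssh-8.0p1
+PKGNAME= ${DISTNAME:S/p1/.1/}
+PKGREVISION= 1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+MAINTAINER= pkgsrc-users@NetBSD.org
+HOMEPAGE= http://www.openssh.com/
+COMMENT= Open Source Secure shell client and server (remote login program)
+LICENSE= modified-bsd
+CONFLICTS= sftp-[0-9]*
+CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+= openssh+gssapi-[0-9]*
+CONFLICTS+= lsh>2.0
+BROKEN_ON_PLATFORM+= OpenBSD-*-*
+USE_GCC_RUNTIME= yes
+USE_TOOLS+= autoconf perl
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+= IPV6_READY
+PKG_GROUPS_VARS+= OPENSSH_GROUP
+PKG_USERS_VARS+= OPENSSH_USER
+BUILD_DEFS+= OPENSSH_CHROOT
+BUILD_DEFS+= VARBASE
+INSTALL_TARGET= install-nokeys
+.include "options.mk"
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+= --disable-strip
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+= ac_cv_func_openpty=no
+CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
+CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
+. if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+= -I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+. elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+= -I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+. endif
+LDFLAGS+= -L/usr/local/lib/bind
+LIBS+= -lbind -ldb -lcrypt
+.else # not Interix
+PKG_GROUPS= ${OPENSSH_GROUP}
+PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
+PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
+.endif
+SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
+PKG_SYSCONFSUBDIR= ssh
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --with-mantype=man
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
+.endif
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+= --without-zlib-version-check
+.if ${_PKGSRC_MKPIE} != "no"
+CONFIGURE_ARGS+= --with-pie
+.endif
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+= LD=${CC:Q}
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+. include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+= --without-skey
+.endif
+.if (${OPSYS} == "NetBSD")
+. if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+= --disable-libutil
+. endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it. So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+= ac_cv_func_strnvis=no
+#
+# workaround for ./configure problem, pkg/50936
+#
+CONFIGURE_ENV+= ac_cv_func_reallocarray=no
+.endif
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
+.endif
+CONFIGURE_ARGS.Linux+= --enable-md5-password
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
+.endif
+CONFS= ssh_config sshd_config moduli
+PLIST_VARS+= darwin
+EGDIR= ${PREFIX}/share/examples/${PKGBASE}
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin= yes
+.endif
+.for f in ${CONFS}
+CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS= ${OPENSSH_CHROOT}
+RCD_SCRIPTS= sshd
+RCD_SCRIPT_SRC.sshd= ${WRKDIR}/sshd.sh
+SMF_METHODS= sshd
+FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR}
+SUBST_CLASSES+= patch
+SUBST_STAGE.patch= pre-configure
+SUBST_FILES.patch= session.c sandbox-darwin.c
+SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch= PKG_SYSCONFDIR
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+cd ${WRKSRC} && autoconf -i
+post-configure:
+if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
+${WRKSRC}/config.h; then \
+${SED} -e '/HAVE_ECDSA/s/.*//' \
+${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+else \
+${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+fi
+${SED} -e 's,@VARBASE@,${VARBASE},g' \
+< ${FILESDIR}/org.openssh.sshd.sb.in \
+> ${WRKDIR}/org.openssh.sshd.sb
+post-install:
+${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+cd ${WRKSRC}; for file in ${CONFS}; do \
+${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
+done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+.include "../../mk/bsd.pkg.mk"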
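Review bot: `SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'` rewrites the first literal `0` on any line mentioning the function rather than the uid comparison itself, so it silently does the wrong thing if that call is ever reformatted with another `0` earlier on the line or split so the comparison lands on a different line; anchoring on the comparison, `s/pw_uid == 0/pw_uid == ROOTUID/`, is more robust, assuming the session.c line compares `pw_uid` to `0`. Since SUBST has no failure mode when the pattern does not match, the uid-0 check would then quietly stay unpatched on Interix, which is exactly the platform the `ROOTUID` machinery exists for. Separately, the commit title calls this package `openssh8`, but `PKGNAME` still resolves to `openssh-8.0.1` and `CONFLICTS` does not list `openssh-[0-9]*`; if this copy is meant to be installable beside security/openssh, the name and the conflict list need adjusting.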

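--- a/openssh/PLIST
+++ b/openssh/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
+bin/scp
+bin/sftp
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config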

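--- a/openssh/distinfo
+++ b/openssh/distinfo
@@ -0,0 +1,29 @@
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
+SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
+RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+Size (openssh-8.0p1.tar.gz) = 1597697 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
+SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4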


@ -0,0 +1,23 @@
;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
;;
;; Copyright (c) 2008 Apple Inc. All Rights reserved.
;;
;; sshd - profile for privilege separated children
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;
(version 1)
(deny default)
(allow file-chroot)
(allow file-read-metadata (literal "@VARBASE@"))
(allow sysctl-read)
(allow mach-per-user-lookup)
(allow mach-lookup
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.logger"))


@ -0,0 +1,46 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
<service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
<create_default_instance enabled='false'/>
<single_instance/>
<dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/local'/>
</dependency>
<dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/loopback'/>
</dependency>
<dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/physical'/>
</dependency>
<dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/cryptosvc'/>
</dependency>
<dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/utmp'/>
</dependency>
<dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
<service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
</dependency>
<dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
<service_fmri value='svc:/milestone/multi-user-server'/>
</dependent>
<exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
<exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
<exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
<property_group name='general' type='framework'>
<property name='action_authorization' type='astring'/>
</property_group>
<property_group name='startd' type='framework'>
<propval name='ignore_error' type='astring' value='core,signal'/>
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>OpenSSH server</loctext>
</common_name>
<documentation>
<manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
</documentation>
</template>
</service>
</service_bundle>

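--- a/openssh/files/smf/sshd.sh
+++ b/openssh/files/smf/sshd.sh
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "@(#)sshd 1.4 04/11/17 SMI"
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+keypath=$1
+keytype=$2
+if [ ! -f $keypath ]; then
+grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+echo Creating new $keytype public/private host key pair
+$KEYGEN -f $keypath -t $keytype -N ''
+return $?
+fi
+fi
+return 0
+}
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+case $1 in
+# sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+create_key $SSHDIR/ssh_host_rsa_key rsa
+create_key $SSHDIR/ssh_host_dsa_key dsa
+;;
+'-u')
+# sys-unconfig(1M) knows how to remove ssh host keys, so there's
+# nothing to do here.
+:
+;;
+# SMF arguments (start and restart [really "refresh"])
+'start')
+@PREFIX@/sbin/sshd
+;;
+'restart')
+if [ -f "$PIDFILE" ]; then
+/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+fi
+;;
+*)
+echo "Usage: $0 { start | restart }"
+exit 1
+;;
+esac
+exit $?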
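Review bot: `create_key` only generates a key when `grep "^HostKey $keypath" $SSHDIR/sshd_config` matches an uncommented HostKey line, so if the installed sshd_config keeps the HostKey lines commented out, as the upstream example file does, the `-c` branch creates no host keys at all and sshd will fail to start with nothing in the log explaining why. The `-c` branch also still requests a DSA key, a type OpenSSH has disabled by default since 7.0, while the ed25519 and ecdsa keys an 8.0 sshd offers by default are never created; the list should be `rsa ecdsa ed25519` or simply defer to `ssh-keygen -A`. The `$keypath` tests and `` `/usr/bin/cat $PIDFILE` `` are unquoted; `/usr/bin/kill -HUP "$(/usr/bin/cat "$PIDFILE")"` is the safer form, and a comment noting that `exit $?` deliberately propagates the status of the chosen branch would help.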

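--- a/openssh/files/sshd.sh
+++ b/openssh/files/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+if [ -f /etc/rc.subr ]
+then
+. /etc/rc.subr
+fi
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+sshd_keygen()
+{
+(
+umask 022
+if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+@ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+@ECHO@ "Skipping protocol version 2 DSA Key Generation"
+else
+${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+fi
+if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+@ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+@ECHO@ "Skipping protocol version 2 RSA Key Generation"
+else
+${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+fi
+# HAVE_ECDSA_START
+if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+@ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+@ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+else
+${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+@ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+@ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+else
+${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+fi
+# HAVE_ED25519_STOP
+)
+}
+sshd_precmd()
+{
+if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+run_rc_command keygen
+else
+eval ${keygen_cmd}
+fi
+fi
+}
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+load_rc_config $name
+run_rc_command "$1"
+else
+case ${1:-start} in
+start)
+if [ -x ${command} -a -f ${required_files} ]
+then
+@ECHO@ "Starting ${name}."
+eval ${start_precmd}
+eval ${command} ${sshd_flags} ${command_args}
+fi
+;;
+stop)
+if [ -f ${pidfile} ]; then
+pid=`@HEAD@ -1 ${pidfile}`
+@ECHO@ "Stopping ${name}."
+kill -TERM ${pid}
+else
+@ECHO@ "${name} not running?"
+fi
+;;
+restart)
+( $0 stop )
+sleep 1
+$0 start
+;;
+status)
+if [ -f ${pidfile} ]; then
+pid=`@HEAD@ -1 ${pidfile}`
+@ECHO@ "${name} is running as pid ${pid}."
+else
+@ECHO@ "${name} is not running."
+fi
+;;
+keygen)
+eval ${keygen_cmd}
+;;
+esac
+fi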
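Review bot: `sshd_precmd` tests for `ssh_host_ecdsa_key` outside the `HAVE_ECDSA_START`/`HAVE_ECDSA_STOP` markers that the Makefile's post-configure target strips when config.h lacks `OPENSSL_HAS_ECC`, so on such a build the ecdsa key is never generated but its absence makes the precmd run `keygen` on every single start; the ecdsa clause of that test needs its own marker pair, or the test should be derived from the same list the keygen function uses. The DSA branch generates a key type OpenSSH has not enabled by default since 7.0 and that the upstream 8.0 sshd_config no longer lists, so it can be dropped instead of being created on every fresh install. `kill -TERM ${pid}` signals whatever the first line of the pid file holds without validation; a guard such as `case ${pid} in ''|*[!0-9]*) @ECHO@ "bad pid file"; exit 1;; esac` before the kill avoids acting on a corrupted file.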

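--- a/openssh/options.mk
+++ b/openssh/options.mk
@@ -0,0 +1,51 @@
+# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
+PKG_SUGGESTED_OPTIONS= editline openssl
+.include "../../mk/bsd.prefs.mk"
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+= pam
+.endif
+.include "../../mk/bsd.options.mk"
+.if !empty(PKG_OPTIONS:Mopenssl)
+.include "../../security/openssl/buildlink3.mk"
+CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
+.else
+CONFIGURE_ARGS+= --without-openssl
+.endif
+.if !empty(PKG_OPTIONS:Mkerberos)
+. include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE}
+. if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
+. endif
+.endif
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP= -p1
+#.endif
+PLIST_VARS+= pam
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+= --with-pam
+MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+= EGDIR=${EGDIR}
+. if ${OPSYS} == "Linux"
+PLIST.pam= yes
+. endif
+.endif
+.if !empty(PKG_OPTIONS:Meditline)
+.include "../../devel/editline/buildlink3.mk"
+CONFIGURE_ARGS+= --with-libedit=${BUILDLINK_PREFIX.editline}
+.endif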
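Review bot: The commented-out `hpn-patch` block (`#.if !empty(PKG_OPTIONS:Mhpn-patch)` through `#.endif`) references a 7.1p1-era diff and an option that is not in `PKG_SUPPORTED_OPTIONS`, so it is dead configuration that should not be carried into a new package; delete it, or if the intent is to revive HPN later replace it with a one-line note such as `# hpn-patch option dropped: no HPN diff exists for 8.x`. A second point is the `openssl` option, which can be turned off here, while the rc script in files/sshd.sh unconditionally generates DSA, RSA and ECDSA host keys; if a `--without-openssl` build cannot create those key types, as I believe is the case, keygen will fail on every start of such a build, and a comment next to `CONFIGURE_ARGS+= --without-openssl` flagging that interaction would help whoever next tries that option.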


@ -0,0 +1,31 @@
$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
Removed install-sysconf as we handle that phase through post-install
--- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000
+++ Makefile.in
@@ -1,5 +1,5 @@
# uncomment if you run a non bourne compatible shell. Ie. csh
-#SHELL = @SH@
+SHELL = @SH@
AUTORECONF=autoreconf
@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -320,7 +320,7 @@ distprep: catman-do depend-check
-rm -rf autom4te.cache .depend.bak
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
check-config:


@ -0,0 +1,27 @@
$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
Replace uid 0 with ROOTUID macro
--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ auth-passwd.c
@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
return 0;
#ifndef HAVE_CYGWIN
- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
authctxt->force_pwchange = 1;
}
#endif
+#ifdef HAVE_INTERIX
+ result = (!setuser(pw->pw_name, password, SU_CHECK));
+#else
result = sys_auth_passwd(ssh, password);
+#endif
if (authctxt->force_pwchange)
auth_restrict_session(ssh);
return (result && ok);
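Review bot: The `HAVE_INTERIX` branch replaces `sys_auth_passwd()` with `result = (!setuser(pw->pw_name, password, SU_CHECK));` and gives no hint why the result is negated; presumably Interix `setuser()` returns 0 on success in the `setuid()` style, so a comment such as `/* Interix setuser(3) returns 0 on success; invert to match sys_auth_passwd()'s 1 == ok */` would spare the next reader a trip to the Interix headers, and if the assumption is wrong the branch silently accepts every failed check. auth_password() begins and ends outside the hunks.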


@ -0,0 +1,33 @@
$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
Replace uid 0 with ROOTUID macro
--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ auth-rhosts.c
@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* If not logging in as superuser, try /etc/hosts.equiv and
* shosts.equiv.
*/
- if (pw->pw_uid == 0)
+ if (pw->pw_uid == ROOTUID)
debug3("%s: root user, ignoring system hosts files", __func__);
else {
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
return 0;
}
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) {
logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
pw->pw_name, buf);


@ -0,0 +1,27 @@
$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
* Replace uid 0 with ROOTUID macro.
* Use login_getpwclass() instead of login_getclass() so that the root
vs. default login class distinction is made correctly, from FrrrBSD's
ports.
--- auth.c.orig 2019-05-01 11:28:52.028281617 +0000
+++ auth.c
@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
if (!allowed_user(ssh, pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}
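Review bot: The second hunk changes the call to `login_getpwclass(pw->pw_class)`, but `login_getpwclass()` in the NetBSD and FreeBSD login_cap(3) API takes a `const struct passwd *`, not the class name string; if that is what the patch file contains, the compiler will only warn about the incompatible pointer type and the function will read `pw->pw_class` as a passwd struct, so the login class (and the resource limits and root-vs-default distinction the patch header says it is fixing) would be wrong or crash. The FreeBSD ports change this patch cites passes the struct, `if ((lc = login_getpwclass(pw)) == NULL) {`. getpwnamallow() continues outside the hunk.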


@ -0,0 +1,15 @@
$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
Replace uid 0 with ROOTUID macro
--- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ auth2.c
@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 &&
+ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
!auth_root_allowed(ssh, method)) {
authenticated = 0;
#ifdef SSH_AUDIT_EVENTS


@ -0,0 +1,63 @@
$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ clientloop.c
@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
struct stat st;
u_int now, x11_timeout_real;
+#if __APPLE__
+ int is_path_to_socket = 0;
+#endif /* __APPLE__ */
+
*_proto = proto;
*_data = data;
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
}
if (xauth_path != NULL) {
+#if __APPLE__
+ {
+ /*
+ * If using launchd socket, remove the screen number from the end
+ * of $DISPLAY. is_path_to_socket is used later in this function
+ * to determine if an error should be displayed.
+ */
+ char path[PATH_MAX];
+ struct stat sbuf;
+
+ strlcpy(path, display, sizeof(path));
+ if (0 == stat(path, &sbuf)) {
+ is_path_to_socket = 1;
+ } else {
+ char *dot = strrchr(path, '.');
+ if (dot) {
+ *dot = '\0';
+ /* screen = atoi(dot + 1); */
+ if (0 == stat(path, &sbuf)) {
+ is_path_to_socket = 1;
+ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
+ setenv("DISPLAY", path, 1);
+ }
+ }
+ }
+ }
+#endif /* __APPLE__ */
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
u_int8_t rnd[16];
u_int i;
+#if __APPLE__
+ if (!is_path_to_socket)
+#endif /* __APPLE__ */
logit("Warning: No xauth data; "
"using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
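Review bot: The three added guards use `#if __APPLE__` while OpenSSH otherwise tests platform macros with `#ifdef`; `#if` on an undefined macro evaluates to 0 but trips `-Wundef`, so `#ifdef __APPLE__` is the consistent form for all three. In the second hunk, `strlcpy(path, display, sizeof(path))` silently truncates a `$DISPLAY` longer than `PATH_MAX` and then `stat`s and, on a match, exports the truncated path, so the copy should be checked, `if (strlcpy(path, display, sizeof(path)) >= sizeof(path))` and the launchd probe skipped in that case. The commented-out `/* screen = atoi(dot + 1); */` is dead code and should be removed. client_x11_get_proto() begins and ends outside the hunks.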


@ -0,0 +1,37 @@
$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
* Added Interix and define new path to if_tun.h.
* Revive tcp_wrappers support.
--- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000
+++ config.h.in
@@ -741,6 +741,9 @@
/* define if you have int64_t data type */
#undef HAVE_INT64_T
+/* Define if you are on Interix */
+#undef HAVE_INTERIX
+
/* Define to 1 if the system has the type `intmax_t'. */
#undef HAVE_INTMAX_T
@@ -910,6 +913,9 @@
/* Define to 1 if you have the <net/route.h> header file. */
#undef HAVE_NET_ROUTE_H
+/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
+#undef HAVE_NET_TUN_IF_TUN_H
+
/* Define if you are on NeXT */
#undef HAVE_NEXT
@@ -1617,6 +1623,9 @@
/* Define if pututxline updates lastlog too */
#undef LASTLOG_WRITE_PUTUTXLINE
+/* Define if you want TCP Wrappers support */
+#undef LIBWRAP
+
/* Define to whatever link() returns for "not supported" if it doesn't return
EOPNOTSUPP. */
#undef LINK_OPNOTSUPP_ERRNO


@ -0,0 +1,138 @@
$NetBSD$
--- configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
+++ configure.ac
@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
]
)
+# pkgsrc handles any rpath settings this package needs
+need_dash_r=
+
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
maillock.h \
ndir.h \
net/if_tun.h \
+ net/tun/if_tun.h \
netdb.h \
netgroup.h \
pam/pam_appl.h \
@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
;;
esac
;;
+*-*-interix*)
+ AC_DEFINE(HAVE_INTERIX)
+ AC_DEFINE(DISABLE_FD_PASSING)
+ AC_DEFINE(DISABLE_SHADOW)
+ AC_DEFINE(IP_TOS_IS_BROKEN)
+ AC_DEFINE(MISSING_HOWMANY)
+ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
+ AC_DEFINE(USE_PIPES)
+ ;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE([BROKEN_INET_NTOA], [1],
@@ -1494,6 +1507,62 @@ else
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
- AC_DEFINE([DISABLE_WTMPX])
+ for f in /var/log/wtmpx; do
+ if test -f $f ; then
+ conf_wtmpx_location=$f
+ fi
+ done
+ if test -z "$conf_wtmpx_location"; then
+ AC_DEFINE(DISABLE_WTMPX)
+ fi
fi
-else
+fi
+if test -n "$conf_wtmpx_location"; then
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
-echo " Askpass program: $E"
+echo " Askpass program: ${ASKPASS_PROGRAM}"
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
@@ -5245,6 +5322,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
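Review bot: In the `--with-tcp-wrappers` block (fourth hunk), `saved_LDFLAGS` and `saved_CPPFLAGS` are captured before the `-L`/`-I` paths are prepended, but only `LIBS="$saved_LIBS"` is restored after the link test, so the wrappers directory leaks into `LDFLAGS` and `CPPFLAGS` for every later configure probe and for the final build; either restore both alongside `LIBS` or drop the two unused saves so the intent is clear. The empty line between `AC_MSG_ERROR([*** libwrap missing])` and the closing `])` reads as an editing leftover. The surrounding `AC_ARG_WITH` blocks continue outside the hunk.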


@ -0,0 +1,47 @@
$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
Define ROOTUID, UTMPX_FILE and WTMPX_FILE
--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
+++ defines.h
@@ -30,6 +30,15 @@
/* Constants */
+#ifdef HAVE_INTERIX
+/* Interix has a special concept of "administrator". */
+# define ROOTUID 197108
+# define ROOTGID 131616
+#else
+# define ROOTUID 0
+# define ROOTGID 0
+#endif
+
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
enum
{
@@ -721,6 +730,24 @@ struct winsize {
# endif
# endif
#endif
+#ifndef UTMPX_FILE
+# ifdef _PATH_UTMPX
+# define UTMPX_FILE _PATH_UTMPX
+# else
+# ifdef CONF_UTMPX_FILE
+# define UTMPX_FILE CONF_UTMPX_FILE
+# endif
+# endif
+#endif
+#ifndef WTMPX_FILE
+# ifdef _PATH_WTMPX
+# define WTMPX_FILE _PATH_WTMPX
+# else
+# ifdef CONF_WTMPX_FILE
+# define WTMPX_FILE CONF_WTMPX_FILE
+# endif
+# endif
+#endif
/* pick up the user's location for lastlog if given */
#ifndef LASTLOG_FILE
# ifdef _PATH_LASTLOG
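Review bot: `ROOTUID 197108` and `ROOTGID 131616` are bare magic numbers whose only explanation is "special concept of administrator", so nobody can verify them or know whether they hold across Interix releases. They look like the fixed uid/gid Interix assigns to the Windows Administrator account and Administrators group, but that is inferred from the name, not from anything in the patch — confirm it and record the origin, e.g. `/* Interix: fixed uid/gid of the Windows Administrator account and Administrators group; uid 0 does not exist here */`. This matters more than usual because the sibling patches turn every `== 0` privilege test in sshd into a comparison with these constants, so a wrong value silently makes sshd believe it is never root. The UTMPX_FILE/WTMPX_FILE fallback chains are fine.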


@ -0,0 +1,17 @@
$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
Interix support
--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000
+++ includes.h
@@ -127,6 +127,10 @@
#ifdef HAVE_READPASSPHRASE_H
# include <readpassphrase.h>
#endif
+#ifdef HAVE_INTERIX
+# include <interix/env.h>
+# include <interix/security.h>
+#endif
#ifdef HAVE_IA_H
# include <ia.h>


@ -0,0 +1,68 @@
$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
Interix support and related fixes. Fix build on FreeBSD.
--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ loginrec.c
@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
int
login_write(struct logininfo *li)
{
-#ifndef HAVE_CYGWIN
- if (geteuid() != 0) {
+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
+ if (geteuid() != ROOTUID) {
logit("Attempt to write login records by non-root user (aborting)");
return (1);
}
@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
/* set the timestamp */
login_set_current_time(li);
-#ifdef USE_LOGIN
+#if defined(USE_LOGIN) && (HAVE_UTMP_H)
syslogin_write_entry(li);
#endif
#ifdef USE_LASTLOG
@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
** into account.
**/
-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
/* build the utmp structure */
void
@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
set_utmpx_time(li, utx);
utx->ut_pid = li->pid;
- /* strncpy(): Don't necessarily want null termination */
- strncpy(utx->ut_user, li->username,
- MIN_SIZEOF(utx->ut_user, li->username));
-
if (li->type == LTYPE_LOGOUT)
return;
@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
* for logouts.
*/
+ /* strncpy(): Don't necessarily want null termination */
+#if defined(__FreeBSD__)
+ strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
+#else
+ strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
+#endif
# ifdef HAVE_HOST_IN_UTMPX
strncpy(utx->ut_host, li->hostname,
MIN_SIZEOF(utx->ut_host, li->hostname));
@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
** Low-level libutil login() functions
**/
-#ifdef USE_LOGIN
+#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
static int
syslogin_perform_login(struct logininfo *li)
{
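Review bot: Logout records lose their user name: the `strncpy` into `ut_user`/`ut_name` has moved below `if (li->type == LTYPE_LOGOUT) return;` (hunks @@ -762 and @@ -774), whereas upstream filled the field for both login and logout. If that is deliberate for NetBSD-style DEAD_PROCESS records it should be stated in the patch header, which only says "Interix support and related fixes. Fix build on FreeBSD."; otherwise keep the copy above the early return. The `#else` branch also assumes every non-FreeBSD `struct utmpx` spells the member `ut_name`; glibc and Solaris spell it `ut_user` and, I believe, only alias `ut_name` in some headers, so keying this on a configure-time check for the member name would be safer than on `__FreeBSD__`. construct_utmpx() starts and ends outside these hunks.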


@ -0,0 +1,22 @@
$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
Interix support
--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ openbsd-compat/bsd-openpty.c
@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
return (-1);
}
+#if !defined(HAVE_INTERIX)
/*
* Try to push the appropriate streams modules, as described
* in Solaris pts(7).
@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
# ifndef __hpux
ioctl(*aslave, I_PUSH, "ttcompat");
# endif /* __hpux */
+#endif /* !HAVE_INTERIX */
return (0);


@ -0,0 +1,17 @@
$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
strtoll() declaration
--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000
+++ openbsd-compat/openbsd-compat.h
@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
int setenv(register const char *name, register const char *value, int rewrite);
#endif
+#ifndef HAVE_STRTOLL
+long long strtoll(const char *, char **, int);
+#endif
+
#ifndef HAVE_STRMODE
void strmode(int mode, char *p);
#endif


@ -0,0 +1,45 @@
$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
if_tun.h can be found in net/tun
--- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ openbsd-compat/port-net.c
@@ -1,3 +1,4 @@
+
/*
* Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
*
@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
#include <sys/socket.h>
#include <net/if.h>
+#ifdef HAVE_NET_TUN_IF_TUN_H
+#include <net/tun/if_tun.h>
+#endif
+
#ifdef HAVE_NET_IF_TUN_H
#include <net/if_tun.h>
#endif
@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
{
struct ifreq ifr;
char name[100];
- int fd = -1, sock, flag;
+ int fd = -1, sock;
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ int flag;
+#endif
const char *tunbase = "tun";
if (ifname != NULL)
@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
return (-1);
}
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
/* Turn on tunnel headers */
flag = 1;
-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
if (mode != SSH_TUNMODE_ETHERNET &&
ioctl(fd, TUNSIFHEAD, &flag) == -1) {
debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
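Review bot: The first hunk (`@@ -1,3 +1,4 @@`) adds a bare empty line at the very top of port-net.c, unrelated to the stated purpose ("if_tun.h can be found in net/tun"), and it will have to be re-carried on every update; drop that hunk. The file is also still named patch-openbsd-compat_port-tun.c while it now patches openbsd-compat/port-net.c, so it breaks the pkgsrc patch-<path> naming convention that lets a reader map a patch to its file; rename it to patch-openbsd-compat_port-net.c when regenerating distinfo. Narrowing `flag` to the `TUNSIFHEAD` case is fine. sys_tun_open() continues past the last hunk.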


@ -0,0 +1,16 @@
$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
Interix support
--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ platform.c
@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
/* uid 0 is not special on Cygwin so always try */
return 1;
#else
+#if !defined(HAVE_INTERIX)
return (getuid() == 0 || geteuid() == 0);
+#endif /* !HAVE_INTERIX */
#endif
}
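Review bot: With `HAVE_INTERIX` defined, platform_privileged_uidswap() now has no `return` statement at all — the only one in the `#else` branch is compiled out — so the caller deciding whether to swap uids reads an indeterminate value, which is undefined behaviour in a privilege-handling decision. Give the Interix case an explicit result, consistent with the ROOTUID substitutions in the other patches: `#else` / `return (getuid() == ROOTUID || geteuid() == ROOTUID);` / `#endif /* !HAVE_INTERIX */`. If the intent was instead "uid 0 is not special here, always try", as in the Cygwin branch just above, `return 1;` is the right body — which of the two is wanted needs confirming against the Interix setuser() model, but either beats falling off the end of the function. The function's signature is outside the hunk.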


@ -0,0 +1,23 @@
$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
Support sandbox on newer OSX, from MacPorts.
--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ sandbox-darwin.c
@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
struct rlimit rl_zero;
debug3("%s: starting Darwin sandbox", __func__);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+#ifndef SANDBOX_NAMED_EXTERNAL
+#define SANDBOX_NAMED_EXTERNAL (0x3)
+#endif
+ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
+ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
+#else
if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
&errmsg) == -1)
+#endif
fatal("%s: sandbox_init: %s", __func__, errmsg);
/*


@ -0,0 +1,39 @@
$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
Interix support
--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ scp.c
@@ -478,7 +478,11 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
+#ifdef HAVE_INTERIX
+ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
+#else
if ((pwd = getpwuid(userid = getuid())) == NULL)
+#endif
fatal("unknown user %u", (u_int) userid);
if (!isatty(STDOUT_FILENO))
@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
return;
}
while ((dp = readdir(dirp)) != NULL) {
+#ifndef HAVE_INTERIX
if (dp->d_ino == 0)
continue;
+#endif
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
continue;
if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
@@ -1297,7 +1303,9 @@ okname(char *cp0)
case '\'':
case '"':
case '`':
+#ifndef HAVE_INTERIX
case ' ':
+#endif
case '#':
goto bad;
default:
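Review bot: Removing `case ' ':` from okname() on Interix widens what scp accepts as a remote user name without a word on why that is safe, even though the other two Interix hunks in this patch are self-explanatory. It is presumably needed because Windows account names may contain spaces, and it is probably harmless because the name is handed to the ssh child through addargs() as its own argv element rather than through a shell — neither fact is visible in the hunk, so spell out the first and confirm the second: `#ifndef HAVE_INTERIX /* Windows account names may legitimately contain spaces */`. okname() begins outside the hunk.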


@ -0,0 +1,65 @@
$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
* Interix support.
--- session.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ session.c
@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
- if (uid == 0)
+ if (uid == ROOTUID)
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
+ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
+#ifdef HAVE_INTERIX
+ {
+ /* copy standard Windows environment, then apply changes */
+ env_t *winenv = env_login(pw);
+ env_putarray(winenv, env, ENV_OVERRIDE);
+
+ /* swap over to altered environment as a traditional array */
+ env = env_array(winenv);
+ }
+#endif
+
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
+# if !defined(HAVE_INTERIX)
/* Initialize the group list. */
if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
perror("initgroups");
exit(1);
}
+# endif /* !HAVE_INTERIX */
endgrent();
#endif
@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
- if (getuid() == 0)
+ if (getuid() == ROOTUID)
pty_release(s->tty);
/*
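Review bot: In the `HAVE_INTERIX` block of do_setup_env(), `env = env_array(winenv)` drops the sshd-built array without freeing it or `winenv`, and leaves `envsize` describing the old allocation, so any later child_set_env() would operate on stale bookkeeping. If, as in upstream, only the debug dump and `return env;` follow (not visible here), this is a harmless one-off leak in a process about to exec, but it deserves saying so: `/* env/envsize no longer describe this array: nothing below may call child_set_env() */`. A second comment should state that `ENV_OVERRIDE` is meant to let the sshd-provided values (PATH, HOME, SSH_*) win over the user's Windows login environment; that is the safe direction, but it rests on env_putarray() semantics not shown in the patch. do_setup_env() starts and ends outside the hunk.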


@ -0,0 +1,14 @@
$NetBSD$
--- sftp-common.c.orig 2019-04-17 22:52:57.000000000 +0000
+++ sftp-common.c
@@ -36,7 +36,9 @@
#include <string.h>
#include <time.h>
#include <stdarg.h>
+#ifdef HAVE_UNISTD_H
#include <unistd.h>
+#endif
#ifdef HAVE_UTIL_H
#include <util.h>
#endif


@ -0,0 +1,27 @@
$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
* Revive tcp_wrappers support.
--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000
+++ sshd.8
@@ -850,6 +850,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -953,6 +959,7 @@ The content of this file is not sensitiv
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,


@ -0,0 +1,137 @@
$NetBSD$
--- sshd.c.orig 2019-04-17 22:52:57.000000000 +0000
+++ sshd.c
@@ -123,6 +123,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -235,7 +242,11 @@ static int *startup_flags = NULL; /* Ind
static int startup_pipe = -1; /* in child */
/* variables used for privilege separation */
+#ifdef HAVE_INTERIX
+int use_privsep = 0;
+#else
int use_privsep = -1;
+#endif
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
static int privsep_chroot = 1;
@@ -467,10 +478,15 @@ privsep_preauth_child(void)
/* Drop our privileges */
debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
(u_int)privsep_pw->pw_gid);
+#ifdef HAVE_INTERIX
+ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
+ fatal("setuser: %.100s", strerror(errno));
+#else
gidset[0] = privsep_pw->pw_gid;
if (setgroups(1, gidset) < 0)
fatal("setgroups: %.100s", strerror(errno));
permanently_set_uid(privsep_pw);
+#endif /* HAVE_INTERIX */
}
}
@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
/* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ /* We need to do this before we chroot() so we can read sshd.sb */
+ if (box != NULL)
+ ssh_sandbox_child(box);
+#endif
privsep_preauth_child();
setproctitle("%s", "[net]");
+#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
if (box != NULL)
ssh_sandbox_child(box);
+#endif
return 0;
}
@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
#ifdef DISABLE_FD_PASSING
if (1) {
#else
- if (authctxt->pw->pw_uid == 0) {
+ if (authctxt->pw->pw_uid == ROOTUID) {
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
@@ -1454,7 +1477,7 @@ main(int ac, char **av)
av = saved_argv;
#endif
- if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
debug("setgroups(): %.200s", strerror(errno));
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -1686,7 +1709,7 @@ main(int ac, char **av)
);
/* Store privilege separation user for later use if required. */
- privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
+ privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
if (privsep_chroot || options.kerberos_authentication)
fatal("Privilege separation user %s does not exist",
@@ -1830,7 +1853,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
@@ -1858,8 +1881,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
+#ifndef HAVE_INTERIX
if (setgroups(0, NULL) < 0)
debug("setgroups() failed: %.200s", strerror(errno));
+#endif
if (rexec_flag) {
if (rexec_argc < 0)
@@ -2053,6 +2078,25 @@ main(int ac, char **av)
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
+
rdomain = ssh_packet_rdomain_in(ssh);
/* Log the connection. */
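Review bot: `allow_severity = options.log_facility|LOG_INFO` and the `deny_severity` line below it feed libwrap a bogus syslog priority: `options.log_facility` is OpenSSH's own SyslogFacility enum (small ordinals that log.c maps to LOG_DAEMON/LOG_AUTH/… before calling openlog()), not the LOG_* facility code syslog(3) expects, so the OR does not produce the intended facility and libwrap's messages only land somewhere sensible to the extent openlog()'s default facility applies. I believe the pre-6.7 upstream code had the same flaw and this patch restores it verbatim; translating the enum the way log.c does would fix it. The refusal is also only recorded by sshd itself at `debug()` level, so an administrator whose libwrap logging goes elsewhere sees nothing from sshd; `logit("Connection from %s port %d refused by tcp_wrappers", remote_ip, remote_port);` would match how the connection is otherwise logged (both variables are in scope, cf. the audit_connection_from() call above). main() starts and ends outside the hunk.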


@ -0,0 +1,24 @@
$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
Replace uid 0 with ROOTUID macro
--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ sshpty.c
@@ -86,7 +86,7 @@ void
pty_release(const char *tty)
{
#if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
+ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
if (chmod(tty, (mode_t) 0666) < 0)
error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
if (chown(tty, pw->pw_uid, gid) < 0) {
if (errno == EROFS &&
- (st.st_uid == pw->pw_uid || st.st_uid == 0))
+ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
debug("chown(%.100s, %u, %u) failed: %.100s",
tty, (u_int)pw->pw_uid, (u_int)gid,
strerror(errno));
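Review bot: pty_release() now chowns the tty to `ROOTUID`/`ROOTGID`, but the error message on the following line still reads `"chown %.100s 0 0 failed"`, which is wrong on Interix (where those ids are 197108/131616) and makes the log misleading exactly when the call fails. Print the ids actually used: `error("chown %.100s %u %u failed: %.100s", tty, (u_int)ROOTUID, (u_int)ROOTGID, strerror(errno));`. The pty_setowner() hunk is fine. Both functions begin outside their hunks.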


@ -0,0 +1,77 @@
$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
Interix support
--- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ uidswap.c
@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
(u_int)pw->pw_uid, (u_int)pw->pw_gid,
(u_int)saved_euid, (u_int)saved_egid);
#ifndef HAVE_CYGWIN
- if (saved_euid != 0) {
+ if (saved_euid != ROOTUID) {
privileged = 0;
return;
}
#endif
#else
- if (geteuid() != 0) {
+ if (geteuid() != ROOTUID) {
privileged = 0;
return;
}
@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
/* set and save the user's groups */
if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
+#ifndef HAVE_INTERIX
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
fatal("initgroups: %s: %.100s", pw->pw_name,
strerror(errno));
-
+#endif
user_groupslen = getgroups(0, NULL);
if (user_groupslen < 0)
fatal("getgroups: %.100s", strerror(errno));
@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
}
user_groups_uid = pw->pw_uid;
}
+#ifndef HAVE_INTERIX
/* Set the effective uid to the given (unprivileged) uid. */
if (setgroups(user_groupslen, user_groups) < 0)
fatal("setgroups: %.100s", strerror(errno));
+#endif
#ifndef SAVED_IDS_WORK_WITH_SETEUID
/* Propagate the privileged gid to all of our gids. */
if (setgid(getegid()) < 0)
@@ -166,8 +169,10 @@ restore_uid(void)
setgid(getgid());
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
+#ifndef HAVE_INTERIX
if (setgroups(saved_egroupslen, saved_egroups) < 0)
fatal("setgroups: %.100s", strerror(errno));
+#endif
temporarily_use_uid_effective = 0;
}
@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
+#if defined(HAVE_INTERIX)
+ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
+ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#else
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
fatal("%s: was able to restore old [e]uid", __func__);
#endif
+#endif /* HAVE_INTERIX */
/* Verify UID drop was successful */
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
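Review bot: The Interix failure message in permanently_set_uid(), `fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno))`, reports a gid although the call was `setuser(pw->pw_name, NULL, SU_COMPLETE)` — it is a copy of the setresgid() message below it; use `fatal("setuser %s: %.100s", pw->pw_name, strerror(errno));` (the twin in patch-sshd.c's privsep_preauth_child() already omits the misleading id). Good that `#endif /* HAVE_INTERIX */` sits before the "Verify UID drop was successful" check, so the drop is still verified on Interix. More worrying: temporarily_use_uid() and restore_uid() now skip initgroups()/setgroups() under HAVE_INTERIX but still call getgroups(), so `user_groups` captures the daemon's own group list rather than the target user's; unless setuser() also rewrites the group list, the temporary swap runs with sshd's supplementary groups — confirm and document either way. All three functions start outside their hunks.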

136
openssh/t Normal file

@ -0,0 +1,136 @@
--- /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
+++ /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac 2019-05-01 12:11:27.813134298 +0000
@@ -294,6 +294,9 @@
]
)
+# pkgsrc handles any rpath settings this package needs
+need_dash_r=
+
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
@@ -387,6 +390,7 @@
maillock.h \
ndir.h \
net/if_tun.h \
+ net/tun/if_tun.h \
netdb.h \
netgroup.h \
pam/pam_appl.h \
@@ -737,6 +741,15 @@
;;
esac
;;
+*-*-interix*)
+ AC_DEFINE(HAVE_INTERIX)
+ AC_DEFINE(DISABLE_FD_PASSING)
+ AC_DEFINE(DISABLE_SHADOW)
+ AC_DEFINE(IP_TOS_IS_BROKEN)
+ AC_DEFINE(MISSING_HOWMANY)
+ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
+ AC_DEFINE(USE_PIPES)
+ ;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE([BROKEN_INET_NTOA], [1],
@@ -1494,6 +1507,62 @@
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5129,9 +5198,17 @@
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
- AC_DEFINE([DISABLE_WTMPX])
+ for f in /var/log/wtmpx; do
+ if test -f $f ; then
+ conf_wtmpx_location=$f
+ fi
+ done
+ if test -z "$conf_wtmpx_location"; then
+ AC_DEFINE(DISABLE_WTMPX)
+ fi
fi
-else
+fi
+if test -n "$conf_wtmpx_location"; then
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
@@ -5223,7 +5300,7 @@
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
-echo " Askpass program: $E"
+echo " Askpass program: ${ASKPASS_PROGRAM}"
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
@@ -5245,6 +5322,7 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
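Review bot: `openssh/t` looks like a scratch `diff -u` of the working tree committed by accident: its headers carry absolute build-tree paths (`/var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac.orig`) and an author-machine timestamp, it sits in the existing security/openssh directory rather than in openssh8, it is not listed in the distinfo below, and its hunks are the same as the patch-configure.ac content shown above. Remove it rather than ship it; pkgsrc ignores unknown files, but it will confuse the next maintainer and stays in history. If the intent was to keep these configure.ac changes, they are already covered by patch-configure.ac.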

14
openssh8/DESCR Normal file

@ -0,0 +1,14 @@
OpenSSH is based on the last free version of Tatu Ylonen's SSH with
all patent-encumbered algorithms removed (to external libraries), all
known security bugs fixed, new features reintroduced and many other
clean-ups. More information about SSH itself can be found in the file
README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
This port consists of the re-introduction of autoconf support, PAM
support (for Linux and Solaris), EGD[1] support, SOCKS support (using
the Dante [6] libraries and replacements for OpenBSD library functions
that are (regrettably) absent from other unices. This port has been
best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
SCO, NeXT and other Unices is underway. This version actively tracks
changes in the OpenBSD CVS repository.

36
openssh8/INSTALL Normal file

@ -0,0 +1,36 @@
# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
FILES="sshd.conf sshd_config"
case ${STAGE} in
POST-INSTALL)
for dir in $DIRS; do
if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
for file in $FILES; do
path=$dir/$file
if [ -f $path ]; then
${CAT} <<EOF
===========================================================================
*===* NOTICE *===*
WARNING: previous configuration file $path found.
The config files for ${PKGNAME} must be located in:
@PKG_SYSCONFDIR@
You will need to ensure your configuration files and/or keys are
placed in the correct directory before using ${PKGNAME}.
===========================================================================
EOF
exit
fi
done
fi
done
;;
esac
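Review bot: The `exit` after the first matching file ends the whole POST-INSTALL check, so an administrator with stale copies in both `/etc/ssh` and `${PKG_PREFIX}/etc/ssh` is warned about one and never told about the other, although the notice speaks of "configuration files" in the plural. Set a flag instead (`found=yes`) and print the notice once per hit, or simply drop the `exit`. Quoting `"$path"` in the `-f` test would be good hygiene even though every DIRS entry is a fixed path. The 2003 RCS id shows this was copied unchanged from the old package, so the same applies there.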

20
openssh8/MESSAGE.Interix Normal file

@ -0,0 +1,20 @@
===========================================================================
$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
OpenSSH on Interix has some important caveats:
* Hostname resolution uses the BIND resolver library rather than Windows
native lookup services. This requires that /etc/resolv.conf be set up
properly with a "nameserver" line; see resolv.conf(5). In most
installations, this was generated automatically when Services for UNIX
was installed (based on the name server in use at that time).
* Currently, UsePrivilegeSeparation does not work properly, so it defaults
to "no" on Interix.
* Network drives and encrypted local files may not be accessible after
logging in through sshd thanks to the way the Windows security API works.
A workaround is to "exec su USERNAME" after logging in, which will use
the password to create a proper Windows access credential key.
===========================================================================

9
openssh8/MESSAGE.pam Normal file

@ -0,0 +1,9 @@
===========================================================================
$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
To authenticate for SSH using PAM, add the contents of the file:
${EGDIR}/sshd.pam
to your PAM configuration file (or PAM configuration directory).
===========================================================================

209
openssh8/Makefile Normal file

@ -0,0 +1,209 @@
# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
DISTNAME= openssh-8.0p1
PKGNAME= ${DISTNAME:S/p1/.1/}
PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.openssh.com/
COMMENT= Open Source Secure shell client and server (remote login program)
LICENSE= modified-bsd
CONFLICTS= sftp-[0-9]*
CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
CONFLICTS+= openssh+gssapi-[0-9]*
CONFLICTS+= lsh>2.0
BROKEN_ON_PLATFORM+= OpenBSD-*-*
USE_GCC_RUNTIME= yes
USE_TOOLS+= autoconf perl
# retain the following line, for IPv6-ready pkgsrc webpage
BUILD_DEFS+= IPV6_READY
PKG_GROUPS_VARS+= OPENSSH_GROUP
PKG_USERS_VARS+= OPENSSH_USER
BUILD_DEFS+= OPENSSH_CHROOT
BUILD_DEFS+= VARBASE
INSTALL_TARGET= install-nokeys
.include "options.mk"
# fixes: dyld: Symbol not found: _allow_severity
CONFIGURE_ARGS.Darwin+= --disable-strip
# OpenSSH on Interix has some important caveats
.if ${OPSYS} == "Interix"
MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
CONFIGURE_ENV+= ac_cv_func_openpty=no
CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
. if exists(/usr/local/include/bind/resolv.h)
CPPFLAGS+= -I/usr/local/include/bind
BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
. elif exists(/usr/local/bind/include/resolv.h)
CPPFLAGS+= -I/usr/local/bind/include
BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
. endif
LDFLAGS+= -L/usr/local/lib/bind
LIBS+= -lbind -ldb -lcrypt
.else # not Interix
PKG_GROUPS= ${OPENSSH_GROUP}
PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
.endif
SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
PKG_SYSCONFSUBDIR= ssh
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-mantype=man
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
.if ${OPSYS} != "Interix"
CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
.endif
# pkgsrc already enforces a "secure" version of zlib via dependencies,
# so skip this bogus version check.
CONFIGURE_ARGS+= --without-zlib-version-check
.if ${_PKGSRC_MKPIE} != "no"
CONFIGURE_ARGS+= --with-pie
.endif
# the openssh configure script finds and uses ${LD} if defined and
# defaults to ${CC} if not. we override LD here, since running the
# linker directly results in undefined symbols for obvious reasons.
#
CONFIGURE_ENV+= LD=${CC:Q}
# Enable S/Key support on NetBSD, Darwin, and Solaris.
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
. include "../../security/skey/buildlink3.mk"
CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
.else
CONFIGURE_ARGS+= --without-skey
.endif
.if (${OPSYS} == "NetBSD")
. if exists(/usr/include/utmpx.h)
# if we have utmpx et al do not try to use login()
CONFIGURE_ARGS+= --disable-libutil
. endif
#
# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
# prior version don't have it. So, disable use of strnvis(3) now.
#
CONFIGURE_ENV+= ac_cv_func_strnvis=no
#
# workaround for ./configure problem, pkg/50936
#
CONFIGURE_ENV+= ac_cv_func_reallocarray=no
.endif
.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
.endif
CONFIGURE_ARGS.Linux+= --enable-md5-password
# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
# on if it's part of the X11 distribution, or if it's installed from pkgsrc
# (security/ssh-askpass).
#
.if exists(${X11BASE}/bin/ssh-askpass)
ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
.else
ASKPASS_PROGRAM= ${PREFIX}/bin/ssh-askpass
.endif
CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
# do the same for xauth
.if exists(${X11BASE}/bin/xauth)
CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
.else
CONFIGURE_ARGS+= --with-xauth=${PREFIX}/bin/xauth
.endif
CONFS= ssh_config sshd_config moduli
PLIST_VARS+= darwin
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
# enable privsep patches
.if ${OPSYS} == "Darwin"
CONF_FILES+= ${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
CPPFLAGS+= -D__APPLE_SANDBOX_NAMED_EXTERNAL__
PLIST.darwin= yes
.endif
.for f in ${CONFS}
CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
OWN_DIRS= ${OPENSSH_CHROOT}
RCD_SCRIPTS= sshd
RCD_SCRIPT_SRC.sshd= ${WRKDIR}/sshd.sh
SMF_METHODS= sshd
FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR}
SUBST_CLASSES+= patch
SUBST_STAGE.patch= pre-configure
SUBST_FILES.patch= session.c sandbox-darwin.c
SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
SUBST_VARS.patch= PKG_SYSCONFDIR
.include "../../devel/zlib/buildlink3.mk"
.include "../../security/tcp_wrappers/buildlink3.mk"
#
# type of key "ecdsa" isn't always supported depends on OpenSSL.
#
pre-configure:
cd ${WRKSRC} && autoconf -i
post-configure:
if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
${WRKSRC}/config.h; then \
${SED} -e '/HAVE_ECDSA/s/.*//' \
${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
else \
${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
fi
${SED} -e 's,@VARBASE@,${VARBASE},g' \
< ${FILESDIR}/org.openssh.sshd.sb.in \
> ${WRKDIR}/org.openssh.sshd.sb
post-install:
${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
cd ${WRKSRC}; for file in ${CONFS}; do \
${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
done
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
${DESTDIR}${EGDIR}/sshd.pam
.endif
.if ${OPSYS} == "Darwin"
${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
${DESTDIR}${EGDIR}/org.openssh.sshd.sb
.endif
.include "../../mk/bsd.pkg.mk"
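Review bot: `SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'` replaces the first `0` on any line naming that function, which is fragile (a `0` inside another number or identifier would be hit first), and I believe the call it targets belonged to the protocol-1 code that upstream removed before 8.0, in which case the substitution now matches nothing in session.c and silently does no work. Verify with `grep channel_input_port_forward_request ${WRKSRC}/session.c` on 8.0p1; if nothing matches, trim to `SUBST_FILES.patch= sandbox-darwin.c` and drop `SUBST_SED.patch`, otherwise make it a real patch so the change is covered by distinfo and reviewed with the others. Separately, `--with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}` is unconditional, which together with the `AC_MSG_ERROR([*** libwrap missing])` in patch-configure.ac means the build fails closed when libwrap is absent — good, but worth a one-line comment next to the tcp_wrappers buildlink include so nobody "fixes" it later.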

31
openssh8/PLIST Normal file

@ -0,0 +1,31 @@
@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
bin/scp
bin/sftp
bin/ssh
bin/ssh-add
bin/ssh-agent
bin/ssh-keygen
bin/ssh-keyscan
libexec/sftp-server
libexec/ssh-keysign
libexec/ssh-pkcs11-helper
man/man1/scp.1
man/man1/sftp.1
man/man1/ssh-add.1
man/man1/ssh-agent.1
man/man1/ssh-keygen.1
man/man1/ssh-keyscan.1
man/man1/ssh.1
man/man5/moduli.5
man/man5/ssh_config.5
man/man5/sshd_config.5
man/man8/sftp-server.8
man/man8/ssh-keysign.8
man/man8/ssh-pkcs11-helper.8
man/man8/sshd.8
sbin/sshd
share/examples/openssh/moduli
${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
share/examples/openssh/ssh_config
${PLIST.pam}share/examples/openssh/sshd.pam
share/examples/openssh/sshd_config

29
openssh8/distinfo Normal file

@ -0,0 +1,29 @@
$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
Size (openssh-8.0p1.tar.gz) = 1597697 bytes
SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4


@ -0,0 +1,23 @@
;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
;;
;; Copyright (c) 2008 Apple Inc. All Rights reserved.
;;
;; sshd - profile for privilege separated children
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;
(version 1)
(deny default)
(allow file-chroot)
(allow file-read-metadata (literal "@VARBASE@"))
(allow sysctl-read)
(allow mach-per-user-lookup)
(allow mach-lookup
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.logger"))


@ -0,0 +1,46 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
<service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
<create_default_instance enabled='false'/>
<single_instance/>
<dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/local'/>
</dependency>
<dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/loopback'/>
</dependency>
<dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/physical'/>
</dependency>
<dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/cryptosvc'/>
</dependency>
<dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/utmp'/>
</dependency>
<dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
<service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
</dependency>
<dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
<service_fmri value='svc:/milestone/multi-user-server'/>
</dependent>
<exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
<exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
<exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
<property_group name='general' type='framework'>
<property name='action_authorization' type='astring'/>
</property_group>
<property_group name='startd' type='framework'>
<propval name='ignore_error' type='astring' value='core,signal'/>
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>OpenSSH server</loctext>
</common_name>
<documentation>
<manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
</documentation>
</template>
</service>
</service_bundle>
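Review bot: The `<manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>` entry in the template names Solaris section 1M, but this package ships the manual as sshd.8 (distinfo lists patch-sshd.8 and that patch targets `sshd.8`), so a lookup through the manifest under @PREFIX@/@PKGMANDIR@ will not find the page. Suggest `<manpage title='sshd' section='8' manpath='@PREFIX@/@PKGMANDIR@'/>`. The `config_data` path dependency on `@PKG_SYSCONFDIR@/sshd_config` looks right for a pkgsrc-installed config.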


@ -0,0 +1,68 @@
#!@SMF_METHOD_SHELL@
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)sshd 1.4 04/11/17 SMI"
SSHDIR=@PKG_SYSCONFDIR@
KEYGEN="@PREFIX@/bin/ssh-keygen -q"
PIDFILE=@VARBASE@/run/sshd.pid
# Checks to see if RSA, and DSA host keys are available
# if any of these keys are not present, the respective keys are created.
create_key()
{
keypath=$1
keytype=$2
if [ ! -f $keypath ]; then
grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo Creating new $keytype public/private host key pair
$KEYGEN -f $keypath -t $keytype -N ''
return $?
fi
fi
return 0
}
# This script is being used for two purposes: as part of an SMF
# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
# application.
#
# Both, the SMF methods and sysidconfig/sys-unconfig use different
# arguments..
case $1 in
# sysidconfig/sys-unconfig arguments (-c and -u)
'-c')
create_key $SSHDIR/ssh_host_rsa_key rsa
create_key $SSHDIR/ssh_host_dsa_key dsa
;;
'-u')
# sys-unconfig(1M) knows how to remove ssh host keys, so there's
# nothing to do here.
:
;;
# SMF arguments (start and restart [really "refresh"])
'start')
@PREFIX@/sbin/sshd
;;
'restart')
if [ -f "$PIDFILE" ]; then
/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
fi
;;
*)
echo "Usage: $0 { start | restart }"
exit 1
;;
esac
exit $?
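Review bot: The `-c` branch generates only `ssh_host_rsa_key` and `ssh_host_dsa_key`, while the rc script added in the same commit also creates ecdsa and ed25519 host keys, and OpenSSH has not offered ssh-dss host keys by default since 7.0, so the DSA key created here is dead material on 8.0p1. Suggest adding `create_key $SSHDIR/ssh_host_ecdsa_key ecdsa` and `create_key $SSHDIR/ssh_host_ed25519_key ed25519` (the `HostKey` grep in `create_key` keeps each one opt-in via sshd_config). The `restart` branch also passes the raw contents of `$PIDFILE` to `/usr/bin/kill -HUP`; checking that the value is a plain number first would turn an empty or corrupted pid file into a clear error instead of a confusing kill usage message.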

115
openssh8/files/sshd.sh Normal file

@ -0,0 +1,115 @@
#!@RCD_SCRIPTS_SHELL@
#
# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
#
# PROVIDE: sshd
# REQUIRE: DAEMON LOGIN
if [ -f /etc/rc.subr ]
then
. /etc/rc.subr
fi
name="sshd"
rcvar=$name
command="@PREFIX@/sbin/${name}"
keygen_command="@PREFIX@/bin/ssh-keygen"
pidfile="@SSH_PID_DIR@/${name}.pid"
required_files="@PKG_SYSCONFDIR@/sshd_config"
extra_commands="keygen reload"
sshd_keygen()
{
(
umask 022
if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
@ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
@ECHO@ "Skipping protocol version 2 DSA Key Generation"
else
${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
fi
if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
@ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
@ECHO@ "Skipping protocol version 2 RSA Key Generation"
else
${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
fi
# HAVE_ECDSA_START
if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
@ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
@ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
else
${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
fi
# HAVE_ECDSA_STOP
# HAVE_ED25519_START
if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
@ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
@ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
else
${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
fi
# HAVE_ED25519_STOP
)
}
sshd_precmd()
{
if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
then
run_rc_command keygen
else
eval ${keygen_cmd}
fi
fi
}
keygen_cmd=sshd_keygen
start_precmd=sshd_precmd
if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
then
load_rc_config $name
run_rc_command "$1"
else
case ${1:-start} in
start)
if [ -x ${command} -a -f ${required_files} ]
then
@ECHO@ "Starting ${name}."
eval ${start_precmd}
eval ${command} ${sshd_flags} ${command_args}
fi
;;
stop)
if [ -f ${pidfile} ]; then
pid=`@HEAD@ -1 ${pidfile}`
@ECHO@ "Stopping ${name}."
kill -TERM ${pid}
else
@ECHO@ "${name} not running?"
fi
;;
restart)
( $0 stop )
sleep 1
$0 start
;;
status)
if [ -f ${pidfile} ]; then
pid=`@HEAD@ -1 ${pidfile}`
@ECHO@ "${name} is running as pid ${pid}."
else
@ECHO@ "${name} is not running."
fi
;;
keygen)
eval ${keygen_cmd}
;;
esac
fi
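Review bot: `sshd_keygen` still generates `ssh_host_dsa_key` and `sshd_precmd` still treats its absence as a reason to run keygen, but OpenSSH 8.0 does not accept ssh-dss host keys unless HostKeyAlgorithms is changed, so every fresh install creates an unused DSA key. Consider dropping the DSA branch from both functions, or fencing it with markers in the style of `# HAVE_ECDSA_START`/`# HAVE_ECDSA_STOP` so the build can strip it. The `stop` and `status` branches read `${pidfile}` with @HEAD@ and pass the result to `kill -TERM` without confirming it is numeric; a small guard there would make a damaged pid file fail loudly rather than silently.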

51
openssh8/options.mk Normal file

@ -0,0 +1,51 @@
# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam
PKG_SUGGESTED_OPTIONS= editline openssl
.include "../../mk/bsd.prefs.mk"
.if ${OPSYS} == "NetBSD"
PKG_SUGGESTED_OPTIONS+= pam
.endif
.include "../../mk/bsd.options.mk"
.if !empty(PKG_OPTIONS:Mopenssl)
.include "../../security/openssl/buildlink3.mk"
CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
.else
CONFIGURE_ARGS+= --without-openssl
.endif
.if !empty(PKG_OPTIONS:Mkerberos)
. include "../../mk/krb5.buildlink3.mk"
CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE}
. if ${KRB5_TYPE} == "mit-krb5"
CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
. endif
.endif
#.if !empty(PKG_OPTIONS:Mhpn-patch)
#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
#PATCH_DIST_STRIP= -p1
#.endif
PLIST_VARS+= pam
.if !empty(PKG_OPTIONS:Mpam)
.include "../../mk/pam.buildlink3.mk"
CONFIGURE_ARGS+= --with-pam
MESSAGE_SRC+= ${.CURDIR}/MESSAGE.pam
MESSAGE_SUBST+= EGDIR=${EGDIR}
. if ${OPSYS} == "Linux"
PLIST.pam= yes
. endif
.endif
.if !empty(PKG_OPTIONS:Meditline)
.include "../../devel/editline/buildlink3.mk"
CONFIGURE_ARGS+= --with-libedit=${BUILDLINK_PREFIX.editline}
.endif
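Review bot: The patches in this commit revive tcp_wrappers support (`--with-tcp-wrappers` in patch-configure.ac, the LIBWRAP block in patch-sshd.c, the sshd.8 text), but `PKG_SUPPORTED_OPTIONS= editline kerberos openssl pam` offers no option that passes the flag, so unless the package Makefile (not shown) does it the revived code is never compiled. Either add an option that appends `--with-tcp-wrappers` to CONFIGURE_ARGS after pulling in the tcp_wrappers buildlink, or note in the header that the patches are carried for users who set it by hand. The commented-out hpn-patch block still names `openssh-7.1p1-hpn-20150822.diff.bz2`, which cannot apply to 8.0p1; stale fragments like this are normally deleted rather than kept.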


@ -0,0 +1,31 @@
$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
Removed install-sysconf as we handle that phase through post-install
--- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000
+++ Makefile.in
@@ -1,5 +1,5 @@
# uncomment if you run a non bourne compatible shell. Ie. csh
-#SHELL = @SH@
+SHELL = @SH@
AUTORECONF=autoreconf
@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -320,7 +320,7 @@ distprep: catman-do depend-check
-rm -rf autom4te.cache .depend.bak
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
check-config:
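Review bot: The header comment explains only the removal of `install-sysconf`, but the patch also uncomments `SHELL = @SH@` and comments out `ASKPASS_PROGRAM`; pkgsrc patch headers are expected to justify every hunk, so add one line each for those two changes (e.g. `Set SHELL explicitly so the pkgsrc shell is used.` and `Disable ASKPASS_PROGRAM; no askpass helper is installed.` — adjust to the real reasons).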


@ -0,0 +1,27 @@
$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
Replace uid 0 with ROOTUID macro
--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ auth-passwd.c
@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
return 0;
#ifndef HAVE_CYGWIN
- if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
authctxt->force_pwchange = 1;
}
#endif
+#ifdef HAVE_INTERIX
+ result = (!setuser(pw->pw_name, password, SU_CHECK));
+#else
result = sys_auth_passwd(ssh, password);
+#endif
if (authctxt->force_pwchange)
auth_restrict_session(ssh);
return (result && ok);
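Review bot: The header says only `Replace uid 0 with ROOTUID macro`, but the second hunk replaces `sys_auth_passwd(ssh, password)` with Interix `setuser(pw->pw_name, password, SU_CHECK)` under HAVE_INTERIX, which is a different authentication back end and should be called out in the header (`Interix: authenticate via setuser(SU_CHECK) instead of sys_auth_passwd()`). A short comment at the `#ifdef HAVE_INTERIX` explaining why the Interix path can skip whatever `sys_auth_passwd()` does beyond the password check would also help; `auth_password()` itself begins outside the hunk.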


@ -0,0 +1,33 @@
$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
Replace uid 0 with ROOTUID macro
--- auth-rhosts.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ auth-rhosts.c
@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* If not logging in as superuser, try /etc/hosts.equiv and
* shosts.equiv.
*/
- if (pw->pw_uid == 0)
+ if (pw->pw_uid == ROOTUID)
debug3("%s: root user, ignoring system hosts files", __func__);
else {
if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
return 0;
}
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) {
logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
pw->pw_name, buf);


@ -0,0 +1,27 @@
$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
* Replace uid 0 with ROOTUID macro.
* Use login_getpwclass() instead of login_getclass() so that the root
vs. default login class distinction is made correctly, from FrrrBSD's
ports.
--- auth.c.orig 2019-05-01 11:28:52.028281617 +0000
+++ auth.c
@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
+ ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
(st.st_mode & 022) != 0)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
if (!allowed_user(ssh, pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}
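Review bot: `login_getpwclass()` in the libutil implementations I know of (FreeBSD, NetBSD) takes a `const struct passwd *`, not a class name, so `login_getpwclass(pw->pw_class)` in the second hunk passes a `char *` where a struct pointer is expected; it compiles with an incompatible-pointer warning and the library then reads the string as a struct passwd. The FreeBSD ports change this header cites uses the passwd pointer; if the target libc's prototype matches, the line should read `if ((lc = login_getpwclass(pw)) == NULL) {`. Please verify against login_cap.h on the platforms where HAVE_LOGIN_CAP is set, since this decides the root-versus-default login class.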


@ -0,0 +1,15 @@
$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
Replace uid 0 with ROOTUID macro
--- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ auth2.c
@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 &&
+ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
!auth_root_allowed(ssh, method)) {
authenticated = 0;
#ifdef SSH_AUDIT_EVENTS


@ -0,0 +1,63 @@
$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ clientloop.c
@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
struct stat st;
u_int now, x11_timeout_real;
+#if __APPLE__
+ int is_path_to_socket = 0;
+#endif /* __APPLE__ */
+
*_proto = proto;
*_data = data;
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
}
if (xauth_path != NULL) {
+#if __APPLE__
+ {
+ /*
+ * If using launchd socket, remove the screen number from the end
+ * of $DISPLAY. is_path_to_socket is used later in this function
+ * to determine if an error should be displayed.
+ */
+ char path[PATH_MAX];
+ struct stat sbuf;
+
+ strlcpy(path, display, sizeof(path));
+ if (0 == stat(path, &sbuf)) {
+ is_path_to_socket = 1;
+ } else {
+ char *dot = strrchr(path, '.');
+ if (dot) {
+ *dot = '\0';
+ /* screen = atoi(dot + 1); */
+ if (0 == stat(path, &sbuf)) {
+ is_path_to_socket = 1;
+ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
+ setenv("DISPLAY", path, 1);
+ }
+ }
+ }
+ }
+#endif /* __APPLE__ */
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
u_int8_t rnd[16];
u_int i;
+#if __APPLE__
+ if (!is_path_to_socket)
+#endif /* __APPLE__ */
logit("Warning: No xauth data; "
"using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
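Review bot: The third hunk makes the `Warning: No xauth data; using fake authentication data` message conditional on `!is_path_to_socket`, but the fake cookie is still installed in that case, so a macOS user loses the only indication that no real xauth entry was found. If the launchd case genuinely makes the warning noise, say why in a comment and keep a `debug()` in its place; otherwise leave the `logit()` unconditional. Minor: `#if __APPLE__` relies on an undefined macro evaluating to 0 elsewhere and trips `-Wundef`, so `#ifdef __APPLE__` is the usual spelling, and the `strlcpy(path, display, sizeof(path))` result is not checked for truncation before `stat()`.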


@ -0,0 +1,37 @@
$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
* Added Interix and define new path to if_tun.h.
* Revive tcp_wrappers support.
--- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000
+++ config.h.in
@@ -741,6 +741,9 @@
/* define if you have int64_t data type */
#undef HAVE_INT64_T
+/* Define if you are on Interix */
+#undef HAVE_INTERIX
+
/* Define to 1 if the system has the type `intmax_t'. */
#undef HAVE_INTMAX_T
@@ -910,6 +913,9 @@
/* Define to 1 if you have the <net/route.h> header file. */
#undef HAVE_NET_ROUTE_H
+/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
+#undef HAVE_NET_TUN_IF_TUN_H
+
/* Define if you are on NeXT */
#undef HAVE_NEXT
@@ -1617,6 +1623,9 @@
/* Define if pututxline updates lastlog too */
#undef LASTLOG_WRITE_PUTUTXLINE
+/* Define if you want TCP Wrappers support */
+#undef LIBWRAP
+
/* Define to whatever link() returns for "not supported" if it doesn't return
EOPNOTSUPP. */
#undef LINK_OPNOTSUPP_ERRNO


@ -0,0 +1,138 @@
$NetBSD$
--- configure.ac.orig 2019-04-17 22:52:57.000000000 +0000
+++ configure.ac
@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
]
)
+# pkgsrc handles any rpath settings this package needs
+need_dash_r=
+
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
maillock.h \
ndir.h \
net/if_tun.h \
+ net/tun/if_tun.h \
netdb.h \
netgroup.h \
pam/pam_appl.h \
@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
;;
esac
;;
+*-*-interix*)
+ AC_DEFINE(HAVE_INTERIX)
+ AC_DEFINE(DISABLE_FD_PASSING)
+ AC_DEFINE(DISABLE_SHADOW)
+ AC_DEFINE(IP_TOS_IS_BROKEN)
+ AC_DEFINE(MISSING_HOWMANY)
+ AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
+ AC_DEFINE(USE_PIPES)
+ ;;
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE([BROKEN_INET_NTOA], [1],
@@ -1494,6 +1507,62 @@ else
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
- AC_DEFINE([DISABLE_WTMPX])
+ for f in /var/log/wtmpx; do
+ if test -f $f ; then
+ conf_wtmpx_location=$f
+ fi
+ done
+ if test -z "$conf_wtmpx_location"; then
+ AC_DEFINE(DISABLE_WTMPX)
+ fi
fi
-else
+fi
+if test -n "$conf_wtmpx_location"; then
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
-echo " Askpass program: $E"
+echo " Askpass program: ${ASKPASS_PROGRAM}"
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
@@ -5245,6 +5322,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
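Review bot: In the `--with-tcp-wrappers` block, `saved_LDFLAGS` and `saved_CPPFLAGS` are assigned but never restored or read (only `LIBS="$saved_LIBS"` is), so either they are dead and should be removed, or the intent was to restore them after the link test, in which case the `-L`/`-R`/`-I` additions currently leak into the global flags. The `AC_MSG_ERROR([*** libwrap missing])` branch is the right fail-closed shape. In the wtmpx hunk, `for f in /var/log/wtmpx; do ... done` iterates a single literal and `AC_DEFINE(DISABLE_WTMPX)` drops the quoting the removed line had; `if test -f /var/log/wtmpx; then conf_wtmpx_location=/var/log/wtmpx; fi` followed by `AC_DEFINE([DISABLE_WTMPX])` says the same thing in the file's own style.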


@ -0,0 +1,47 @@
$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
Define ROOTUID, UTMPX_FILE and WTMPX_FILE
--- defines.h.orig 2015-08-21 04:49:03.000000000 +0000
+++ defines.h
@@ -30,6 +30,15 @@
/* Constants */
+#ifdef HAVE_INTERIX
+/* Interix has a special concept of "administrator". */
+# define ROOTUID 197108
+# define ROOTGID 131616
+#else
+# define ROOTUID 0
+# define ROOTGID 0
+#endif
+
#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
enum
{
@@ -721,6 +730,24 @@ struct winsize {
# endif
# endif
#endif
+#ifndef UTMPX_FILE
+# ifdef _PATH_UTMPX
+# define UTMPX_FILE _PATH_UTMPX
+# else
+# ifdef CONF_UTMPX_FILE
+# define UTMPX_FILE CONF_UTMPX_FILE
+# endif
+# endif
+#endif
+#ifndef WTMPX_FILE
+# ifdef _PATH_WTMPX
+# define WTMPX_FILE _PATH_WTMPX
+# else
+# ifdef CONF_WTMPX_FILE
+# define WTMPX_FILE CONF_WTMPX_FILE
+# endif
+# endif
+#endif
/* pick up the user's location for lastlog if given */
#ifndef LASTLOG_FILE
# ifdef _PATH_LASTLOG
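Review bot: `# define ROOTUID 197108` and `# define ROOTGID 131616` are bare literals with no indication of where they come from, yet every root check in this patch series now compares against them; a comment naming the Interix source of these ids (the header or identity mapping they were taken from) would let a maintainer verify them. The UTMPX_FILE/WTMPX_FILE fallbacks in the second hunk are clear as written.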


@ -0,0 +1,17 @@
$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
Interix support
--- includes.h.orig 2015-08-21 04:49:03.000000000 +0000
+++ includes.h
@@ -127,6 +127,10 @@
#ifdef HAVE_READPASSPHRASE_H
# include <readpassphrase.h>
#endif
+#ifdef HAVE_INTERIX
+# include <interix/env.h>
+# include <interix/security.h>
+#endif
#ifdef HAVE_IA_H
# include <ia.h>


@ -0,0 +1,68 @@
$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
Interix support and related fixes. Fix build on FreeBSD.
--- loginrec.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ loginrec.c
@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
int
login_write(struct logininfo *li)
{
-#ifndef HAVE_CYGWIN
- if (geteuid() != 0) {
+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
+ if (geteuid() != ROOTUID) {
logit("Attempt to write login records by non-root user (aborting)");
return (1);
}
@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
/* set the timestamp */
login_set_current_time(li);
-#ifdef USE_LOGIN
+#if defined(USE_LOGIN) && (HAVE_UTMP_H)
syslogin_write_entry(li);
#endif
#ifdef USE_LASTLOG
@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
** into account.
**/
-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
/* build the utmp structure */
void
@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
set_utmpx_time(li, utx);
utx->ut_pid = li->pid;
- /* strncpy(): Don't necessarily want null termination */
- strncpy(utx->ut_user, li->username,
- MIN_SIZEOF(utx->ut_user, li->username));
-
if (li->type == LTYPE_LOGOUT)
return;
@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
* for logouts.
*/
+ /* strncpy(): Don't necessarily want null termination */
+#if defined(__FreeBSD__)
+ strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
+#else
+ strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
+#endif
# ifdef HAVE_HOST_IN_UTMPX
strncpy(utx->ut_host, li->hostname,
MIN_SIZEOF(utx->ut_host, li->hostname));
@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
** Low-level libutil login() functions
**/
-#ifdef USE_LOGIN
+#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
static int
syslogin_perform_login(struct logininfo *li)
{
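Review bot: The second hunk writes `#if defined(USE_LOGIN) && (HAVE_UTMP_H)` while the third and fourth hunks use `defined (HAVE_UTMP_H)` / `defined(HAVE_UTMP_H)`; the bare `(HAVE_UTMP_H)` is 0 when the macro is undefined but a preprocessor error if configure ever defines it empty, so use `#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)` in all three places. The first hunk also exempts Interix from the `geteuid() != ROOTUID` guard in `login_write()` while the header says only `Interix support`; add a sentence to the header explaining why dropping the non-root check is safe there, since that guard is what stops unprivileged code from writing login records.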


@ -0,0 +1,22 @@
$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
Interix support
--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
+++ openbsd-compat/bsd-openpty.c
@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
return (-1);
}
+#if !defined(HAVE_INTERIX)
/*
* Try to push the appropriate streams modules, as described
* in Solaris pts(7).
@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
# ifndef __hpux
ioctl(*aslave, I_PUSH, "ttcompat");
# endif /* __hpux */
+#endif /* !HAVE_INTERIX */
return (0);


@ -0,0 +1,17 @@
$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
strtoll() declaration
--- openbsd-compat/openbsd-compat.h.orig 2015-08-21 04:49:03.000000000 +0000
+++ openbsd-compat/openbsd-compat.h
@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
int setenv(register const char *name, register const char *value, int rewrite);
#endif
+#ifndef HAVE_STRTOLL
+long long strtoll(const char *, char **, int);
+#endif
+
#ifndef HAVE_STRMODE
void strmode(int mode, char *p);
#endif


@ -0,0 +1,45 @@
$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
if_tun.h can be found in net/tun
--- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ openbsd-compat/port-net.c
@@ -1,3 +1,4 @@
+
/*
* Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
*
@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
#include <sys/socket.h>
#include <net/if.h>
+#ifdef HAVE_NET_TUN_IF_TUN_H
+#include <net/tun/if_tun.h>
+#endif
+
#ifdef HAVE_NET_IF_TUN_H
#include <net/if_tun.h>
#endif
@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
{
struct ifreq ifr;
char name[100];
- int fd = -1, sock, flag;
+ int fd = -1, sock;
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ int flag;
+#endif
const char *tunbase = "tun";
if (ifname != NULL)
@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
return (-1);
}
+#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
/* Turn on tunnel headers */
flag = 1;
-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
if (mode != SSH_TUNMODE_ETHERNET &&
ioctl(fd, TUNSIFHEAD, &flag) == -1) {
debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
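Review bot: The patch is named `patch-openbsd-compat_port-tun.c` (its $NetBSD tag and the distinfo entry) but its target is `openbsd-compat/port-net.c`; pkgsrc names patches after the file they modify, so this should become `patch-openbsd-compat_port-net.c` with distinfo updated to match. The first hunk (`@@ -1,3 +1,4 @@`) only inserts an empty line above the copyright block and should be dropped. Moving `int flag;` under `TUNSIFHEAD && !SSH_TUN_PREPEND_AF` alongside its only use is fine.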


@ -0,0 +1,16 @@
$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
Interix support
--- platform.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ platform.c
@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
/* uid 0 is not special on Cygwin so always try */
return 1;
#else
+#if !defined(HAVE_INTERIX)
return (getuid() == 0 || geteuid() == 0);
+#endif /* !HAVE_INTERIX */
#endif
}
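Review bot: With HAVE_INTERIX defined (and HAVE_CYGWIN not), `platform_privileged_uidswap()` now has no `return` on the only remaining path, so its caller reads an indeterminate value — undefined behaviour in the function that decides whether sshd attempts a uid swap. If Interix is meant to behave like the Cygwin branch, make it explicit with `#else` / `return 1;` before the new `#endif`; if not, compare against ROOTUID as the rest of this series does. The function's opening is outside the hunk.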


@ -0,0 +1,23 @@
$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
Support sandbox on newer OSX, from MacPorts.
--- sandbox-darwin.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ sandbox-darwin.c
@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
struct rlimit rl_zero;
debug3("%s: starting Darwin sandbox", __func__);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+#ifndef SANDBOX_NAMED_EXTERNAL
+#define SANDBOX_NAMED_EXTERNAL (0x3)
+#endif
+ if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
+ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
+#else
if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
&errmsg) == -1)
+#endif
fatal("%s: sandbox_init: %s", __func__, errmsg);
/*
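Review bot: Under `__APPLE_SANDBOX_NAMED_EXTERNAL__` the privsep child's sandbox is now whatever `@PKG_SYSCONFDIR@/org.openssh.sshd.sb` contains at run time, so that file and its directory are as security-sensitive as sshd_config: anyone who can write it relaxes the preauth sandbox. Worth a comment at the `sandbox_init()` call and a line in the header saying so, and noting that this depends on the sshd.c hunk that calls `ssh_sandbox_child()` before the chroot (otherwise the path is unreadable and `fatal()` fires, which is at least fail-closed). `#define SANDBOX_NAMED_EXTERNAL (0x3)` is a private constant copied from MacPorts; a comment with its origin would help whoever revisits this on a newer macOS.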


@ -0,0 +1,39 @@
$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
Interix support
--- scp.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ scp.c
@@ -478,7 +478,11 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
+#ifdef HAVE_INTERIX
+ if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
+#else
if ((pwd = getpwuid(userid = getuid())) == NULL)
+#endif
fatal("unknown user %u", (u_int) userid);
if (!isatty(STDOUT_FILENO))
@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
return;
}
while ((dp = readdir(dirp)) != NULL) {
+#ifndef HAVE_INTERIX
if (dp->d_ino == 0)
continue;
+#endif
if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
continue;
if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
@@ -1297,7 +1303,9 @@ okname(char *cp0)
case '\'':
case '"':
case '`':
+#ifndef HAVE_INTERIX
case ' ':
+#endif
case '#':
goto bad;
default:
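Review bot: The `okname()` hunk stops rejecting `' '` on Interix, loosening a filter whose other rejects (`'`, `"`, `` ` ``, `#`) suggest it guards a command line, while the header says only `Interix support`. Add the reason to the header and a comment at the `#ifndef HAVE_INTERIX` (`/* Interix account names may contain spaces */`, if that is it), and confirm that the callers pass the name as a separate argv element rather than through a shell so the relaxation stays safe. The `getpwuid_ex()`/`PW_FULLNAME` hunk and the skipped `d_ino == 0` test are self-explanatory.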


@ -0,0 +1,65 @@
$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
* Interix support.
--- session.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ session.c
@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
- if (uid == 0)
+ if (uid == ROOTUID)
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
+ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
}
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
+#ifdef HAVE_INTERIX
+ {
+ /* copy standard Windows environment, then apply changes */
+ env_t *winenv = env_login(pw);
+ env_putarray(winenv, env, ENV_OVERRIDE);
+
+ /* swap over to altered environment as a traditional array */
+ env = env_array(winenv);
+ }
+#endif
+
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
+# if !defined(HAVE_INTERIX)
/* Initialize the group list. */
if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
perror("initgroups");
exit(1);
}
+# endif /* !HAVE_INTERIX */
endgrent();
#endif
@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
- if (getuid() == 0)
+ if (getuid() == ROOTUID)
pty_release(s->tty);
/*
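Review bot: The `do_setusercontext()` hunk skips `initgroups()` on Interix, so the session keeps whatever supplementary group list the parent had unless something else on this path replaces it (the sshd.c patch uses Interix `setuser()` for the privsep child, but nothing in this hunk shows the equivalent for the user session); the header should say what provides the groups, otherwise this is a privilege-retention bug. In the `do_setup_env()` hunk, `env = env_array(winenv);` drops the previous `env` array without freeing it and leaves `envsize` stale should anything append to `env` afterwards; a comment such as `/* previous env intentionally dropped; exec follows */` or an explicit free would make that deliberate. Both enclosing functions start outside the hunks.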


@ -0,0 +1,14 @@
$NetBSD$
--- sftp-common.c.orig 2019-04-17 22:52:57.000000000 +0000
+++ sftp-common.c
@@ -36,7 +36,9 @@
#include <string.h>
#include <time.h>
#include <stdarg.h>
+#ifdef HAVE_UNISTD_H
#include <unistd.h>
+#endif
#ifdef HAVE_UTIL_H
#include <util.h>
#endif


@ -0,0 +1,27 @@
$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
* Revive tcp_wrappers support.
--- sshd.8.orig 2015-08-21 04:49:03.000000000 +0000
+++ sshd.8
@@ -850,6 +850,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -953,6 +959,7 @@ The content of this file is not sensitiv
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,


@ -0,0 +1,137 @@
$NetBSD$
--- sshd.c.orig 2019-04-17 22:52:57.000000000 +0000
+++ sshd.c
@@ -123,6 +123,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -235,7 +242,11 @@ static int *startup_flags = NULL; /* Ind
static int startup_pipe = -1; /* in child */
/* variables used for privilege separation */
+#ifdef HAVE_INTERIX
+int use_privsep = 0;
+#else
int use_privsep = -1;
+#endif
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
static int privsep_chroot = 1;
@@ -467,10 +478,15 @@ privsep_preauth_child(void)
/* Drop our privileges */
debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
(u_int)privsep_pw->pw_gid);
+#ifdef HAVE_INTERIX
+ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
+ fatal("setuser: %.100s", strerror(errno));
+#else
gidset[0] = privsep_pw->pw_gid;
if (setgroups(1, gidset) < 0)
fatal("setgroups: %.100s", strerror(errno));
permanently_set_uid(privsep_pw);
+#endif /* HAVE_INTERIX */
}
}
@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
/* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ /* We need to do this before we chroot() so we can read sshd.sb */
+ if (box != NULL)
+ ssh_sandbox_child(box);
+#endif
privsep_preauth_child();
setproctitle("%s", "[net]");
+#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
if (box != NULL)
ssh_sandbox_child(box);
+#endif
return 0;
}
@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
#ifdef DISABLE_FD_PASSING
if (1) {
#else
- if (authctxt->pw->pw_uid == 0) {
+ if (authctxt->pw->pw_uid == ROOTUID) {
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
@@ -1454,7 +1477,7 @@ main(int ac, char **av)
av = saved_argv;
#endif
- if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
debug("setgroups(): %.200s", strerror(errno));
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -1686,7 +1709,7 @@ main(int ac, char **av)
);
/* Store privilege separation user for later use if required. */
- privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
+ privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
if (privsep_chroot || options.kerberos_authentication)
fatal("Privilege separation user %s does not exist",
@@ -1830,7 +1853,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
- if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
@@ -1858,8 +1881,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
+#ifndef HAVE_INTERIX
if (setgroups(0, NULL) < 0)
debug("setgroups() failed: %.200s", strerror(errno));
+#endif
if (rexec_flag) {
if (rexec_argc < 0)
@@ -2053,6 +2078,25 @@ main(int ac, char **av)
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
+
rdomain = ssh_packet_rdomain_in(ssh);
/* Log the connection. */


@ -0,0 +1,24 @@
$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
Replace uid 0 with ROOTUID macro
--- sshpty.c.orig 2015-08-21 04:49:03.000000000 +0000
+++ sshpty.c
@@ -86,7 +86,7 @@ void
pty_release(const char *tty)
{
#if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
- if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
+ if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
if (chmod(tty, (mode_t) 0666) < 0)
error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
if (chown(tty, pw->pw_uid, gid) < 0) {
if (errno == EROFS &&
- (st.st_uid == pw->pw_uid || st.st_uid == 0))
+ (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
debug("chown(%.100s, %u, %u) failed: %.100s",
tty, (u_int)pw->pw_uid, (u_int)gid,
strerror(errno));
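Review bot: The error message directly after the changed chown() in pty_release() still hard-codes `0 0` while the call now passes ROOTUID/ROOTGID, so on a platform where the root ids are not 0 (the Interix case this patch set is for) the logged values will not match what was attempted; the patch should also change that line to `error("chown %.100s %u %u failed: %.100s", tty, (u_int)ROOTUID, (u_int)ROOTGID, strerror(errno));`. ROOTGID is not defined anywhere in this patch file; presumably it comes from the same header that provides ROOTUID, but that is worth confirming because pty_release() is compiled on every platform without openpty, not only Interix. Both hunks are excerpts: pty_release() continues past the first hunk and pty_setowner() starts and ends outside the second.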


@ -0,0 +1,77 @@
$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
Interix support
--- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ uidswap.c
@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
(u_int)pw->pw_uid, (u_int)pw->pw_gid,
(u_int)saved_euid, (u_int)saved_egid);
#ifndef HAVE_CYGWIN
- if (saved_euid != 0) {
+ if (saved_euid != ROOTUID) {
privileged = 0;
return;
}
#endif
#else
- if (geteuid() != 0) {
+ if (geteuid() != ROOTUID) {
privileged = 0;
return;
}
@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
/* set and save the user's groups */
if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
+#ifndef HAVE_INTERIX
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
fatal("initgroups: %s: %.100s", pw->pw_name,
strerror(errno));
-
+#endif
user_groupslen = getgroups(0, NULL);
if (user_groupslen < 0)
fatal("getgroups: %.100s", strerror(errno));
@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
}
user_groups_uid = pw->pw_uid;
}
+#ifndef HAVE_INTERIX
/* Set the effective uid to the given (unprivileged) uid. */
if (setgroups(user_groupslen, user_groups) < 0)
fatal("setgroups: %.100s", strerror(errno));
+#endif
#ifndef SAVED_IDS_WORK_WITH_SETEUID
/* Propagate the privileged gid to all of our gids. */
if (setgid(getegid()) < 0)
@@ -166,8 +169,10 @@ restore_uid(void)
setgid(getgid());
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
+#ifndef HAVE_INTERIX
if (setgroups(saved_egroupslen, saved_egroups) < 0)
fatal("setgroups: %.100s", strerror(errno));
+#endif
temporarily_use_uid_effective = 0;
}
@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
+#if defined(HAVE_INTERIX)
+ if (setuser(pw->pw_name, NULL, SU_COMPLETE))
+ fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#else
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
fatal("%s: was able to restore old [e]uid", __func__);
#endif
+#endif /* HAVE_INTERIX */
/* Verify UID drop was successful */
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {