From nobody Sun Jul 07 15:37:21 2024
Date: Sun, 7 Jul 2024 15:37:21 GMT
Message-Id: <202407071537.467FbLZP068027@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Bryan Drewery Subject: git: 402562e2559e - main - security/openssh-portable: Update to 9.8p1 List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-all@freebsd.org Sender: owner-dev-commits-ports-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bdrewery X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 402562e2559e198c6660171dec58e7a25cc14ec2 Auto-Submitted: auto-generated The branch main has been updated by bdrewery: URL: https://cgit.FreeBSD.org/ports/commit/?id=402562e2559e198c6660171dec58e7a25cc14ec2 commit 402562e2559e198c6660171dec58e7a25cc14ec2 Author: Bryan Drewery AuthorDate: 2024-07-06 17:03:16 +0000 Commit: Bryan Drewery CommitDate: 2024-07-07 15:37:03 +0000 security/openssh-portable: Update to 9.8p1 Changes: https://www.openssh.com/txt/release-9.8 --- security/openssh-portable/Makefile | 6 +-- security/openssh-portable/distinfo | 8 ++- security/openssh-portable/files/extra-patch-hpn | 63 +++++++++++----------- .../openssh-portable/files/extra-patch-hpn-compat | 8 +-- .../openssh-portable/files/extra-patch-tcpwrappers | 25 ++++----- security/openssh-portable/files/patch-9.8-cves | 56 ------------------- security/openssh-portable/files/patch-servconf.c | 25 ++++----- security/openssh-portable/files/patch-serverloop.c | 52 ------------------ security/openssh-portable/files/patch-sshd.c | 20 +++---- .../openssh-portable/files/patch-sshd_config.5 | 24 --------- security/openssh-portable/pkg-plist | 1 + 11 files changed, 75 insertions(+), 213 deletions(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 9b1d44580f94..cdaad70b4195 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile 
@@ -1,6 +1,6 @@ PORTNAME= openssh -DISTVERSION= 9.7p1 -PORTREVISION= 2 +DISTVERSION= 9.8p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -102,7 +102,7 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi -#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. +BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index 6d5d064d68be..53b8c023cdd9 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,5 +1,3 @@ -TIMESTAMP = 1710784635 -SHA256 (openssh-9.7p1.tar.gz) = 490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd -SIZE (openssh-9.7p1.tar.gz) = 1848766 -SHA256 (openssh-9.7p1-gsskex-all-debian-rh-9.7p1.patch) = 30d9652a18851c0b7a80b8f07d70adc3a77267b656f784c9e89cb93171f22210 -SIZE (openssh-9.7p1-gsskex-all-debian-rh-9.7p1.patch) = 131397 +TIMESTAMP = 1719864470 +SHA256 (openssh-9.8p1.tar.gz) = dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3 +SIZE (openssh-9.8p1.tar.gz) = 1910393 diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn index 56202ba8e1b3..bede23fdb4bf 100644 --- a/security/openssh-portable/files/extra-patch-hpn +++ b/security/openssh-portable/files/extra-patch-hpn 
@@ -905,9 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o .It Fl r Recursively copy entire directories when uploading and downloading. Note that ---- work/openssh/ssh.c.orig 2021-04-15 20:55:25.000000000 -0700 -+++ work/openssh/ssh.c 2021-04-28 14:51:04.682167000 -0700 -@@ -1027,6 +1027,14 @@ main(int ac, char **av) +--- work/openssh/ssh.c.orig 2024-06-30 21:36:28.000000000 -0700 ++++ work/openssh/ssh.c 2024-07-01 13:58:31.555859000 -0700 +@@ -1070,6 +1070,14 @@ main(int ac, char **av) break; case 'T': options.request_tty = REQUEST_TTY_NO; @@ -922,7 +922,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o break; case 'o': line = xstrdup(optarg); -@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes +@@ -2159,6 +2167,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes NULL, fileno(stdin), command, environ); } @@ -1001,9 +1001,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* open new channel for a session */ static int ssh_session2_open(struct ssh *ssh) -@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh) - if (!isatty(err)) - set_nonblock(err); +@@ -2177,9 +2257,17 @@ ssh_session2_open(struct ssh *ssh) + if (in == -1 || out == -1 || err == -1) + fatal("dup() in/out/err failed"); +#ifdef HPN_ENABLED + window = options.hpn_buffer_size; @@ -1019,9 +1019,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o window >>= 1; packetmax >>= 1; } -@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh) +@@ -2188,6 +2276,12 @@ ssh_session2_open(struct ssh *ssh) window, packetmax, CHAN_EXTENDED_WRITE, - "client-session", /*nonblock*/0); + "client-session", CHANNEL_NONBLOCK_STDIO); +#ifdef HPN_ENABLED + if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) { 
@@ -1032,9 +1032,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o debug3_f("channel_new: %d", c->self); channel_send_open(ssh, c->self); -@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in +@@ -2203,6 +2297,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in { - int r, id = -1; + int r, interactive, id = -1; char *cp, *tun_fwd_ifname = NULL; + +#ifdef HPN_ENABLED @@ -1170,9 +1170,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o if (ssh_packet_connection_is_on_socket(ssh)) { verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), ---- work/openssh/sshd.c.orig 2021-09-08 10:00:01.411822000 -0700 -+++ work/openssh/sshd.c 2021-09-08 10:03:02.820813000 -0700 -@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la) +--- work/openssh/sshd.c.orig 2024-06-30 21:36:28.000000000 -0700 ++++ work/openssh/sshd.c 2024-07-01 14:03:40.471948000 -0700 +@@ -742,6 +742,10 @@ listen_on_addrs(struct listenaddr *la) int ret, listen_sock; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 
@@ -1183,21 +1183,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o for (ai = la->addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la) +@@ -786,6 +790,13 @@ listen_on_addrs(struct listenaddr *la) + sock_set_v6only(listen_sock); debug("Bind to port %s on %s.", strport, ntop); - ++ +#ifdef HPN_ENABLED + getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, + &socksize, &socksizelen); + debug("Server TCP RWIN socket size: %d", socksize); + debug("HPN Buffer Size: %d", options.hpn_buffer_size); +#endif -+ + /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", -@@ -1760,6 +1771,15 @@ main(int ac, char **av) +@@ -1409,6 +1420,15 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); @@ -1213,9 +1213,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o /* Check that options are sensible */ if (options.authorized_keys_command_user == NULL && (options.authorized_keys_command != NULL && -@@ -2216,6 +2236,11 @@ main(int ac, char **av) - rdomain == NULL ? "" : "\""); - free(laddr); +@@ -1742,6 +1762,11 @@ main(int ac, char **av) + /* This is the child processing a new connection. */ + setproctitle("%s", "[accepted]"); +#ifdef HPN_ENABLED + /* set the HPN options for the child */ 
@@ -1223,9 +1223,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o +#endif + /* - * We don't want to listen forever unless the other side - * successfully authenticates itself. So we set up an alarm which is -@@ -2229,7 +2254,7 @@ main(int ac, char **av) + * Create a new session and process group since the 4.4BSD + * setlogin() affects the entire process group. We don't +--- work.clean/openssh-9.8p1/sshd-session.c.orig 2024-07-01 13:54:25.745441000 -0700 ++++ work/openssh-9.8p1/sshd-session.c 2024-07-01 13:54:57.335695000 -0700 +@@ -1305,7 +1305,7 @@ main(int ac, char **av) alarm(options.login_grace_time); if ((r = kex_exchange_identification(ssh, -1, @@ -1234,18 +1236,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o sshpkt_fatal(ssh, r, "banner exchange"); ssh_packet_set_nonblocking(ssh); -@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh) - char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; +@@ -1444,6 +1444,10 @@ do_ssh2_kex(struct ssh *ssh) struct kex *kex; int r; -+ + +#ifdef NONE_CIPHER_ENABLED + if (options.none_enabled == 1) + debug ("WARNING: None cipher enabled"); +#endif - - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, - options.kex_algorithms); + if (options.rekey_limit || options.rekey_interval) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500 @@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat index b3a5e0973609..2460c27491fa 100644 --- a/security/openssh-portable/files/extra-patch-hpn-compat +++ b/security/openssh-portable/files/extra-patch-hpn-compat 
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well. { NULL, oBadOption } }; ---- servconf.c.orig 2023-12-19 17:11:52.320491000 -0800 -+++ servconf.c 2023-12-19 17:12:43.950318000 -0800 -@@ -693,6 +693,10 @@ - { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, +--- servconf.c.orig 2024-06-30 21:36:28.000000000 -0700 ++++ servconf.c 2024-07-01 13:29:27.091708000 -0700 +@@ -739,6 +739,10 @@ static struct { { "channeltimeout", sChannelTimeout, SSHCFG_ALL }, { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, + { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers index ba7d2834a16a..5d9e8aced144 100644 --- a/security/openssh-portable/files/extra-patch-tcpwrappers +++ b/security/openssh-portable/files/extra-patch-tcpwrappers @@ -33,19 +33,11 @@ index 289e13d..e6a900b 100644 .Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , -diff --git sshd.c sshd.c -index 0ade557..045f149 100644 ---- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700 -+++ sshd.c 2018-04-04 15:40:20.964130000 -0700 -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */ -+/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -131,6 +131,13 @@ - #include "version.h" - #include "ssherr.h" +--- sshd-session.c.orig 2024-07-01 13:26:10.677919000 -0700 ++++ sshd-session.c 2024-07-01 13:26:58.873906000 -0700 +@@ -110,6 +110,13 @@ + #include "srclimit.h" + #include "dh.h" +#ifdef LIBWRAP +#include 
@@ -57,7 +49,7 @@ index 0ade557..045f149 100644 /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -@@ -2072,6 +2079,25 @@ main(int ac, char **av) +@@ -1256,7 +1263,26 @@ main(int ac, char **av) #endif rdomain = ssh_packet_rdomain_in(ssh); @@ -68,7 +60,7 @@ index 0ade557..045f149 100644 + /* Check whether logins are denied from this host. */ + if (ssh_packet_connection_is_on_socket(ssh)) { + struct request_info req; -+ + + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); + fromhost(&req); + @@ -80,9 +72,10 @@ index 0ade557..045f149 100644 + } + } +#endif /* LIBWRAP */ - ++ /* Log the connection. */ laddr = get_local_ipaddr(sock_in); + verbose("Connection from %s port %d on %s port %d%s%s%s", --- configure.ac.orig 2022-02-23 03:31:11.000000000 -0800 +++ configure.ac 2022-03-02 12:47:49.958341000 -0800 @@ -1599,6 +1599,62 @@ else diff --git a/security/openssh-portable/files/patch-9.8-cves b/security/openssh-portable/files/patch-9.8-cves deleted file mode 100644 index 2e47d586edcd..000000000000 --- a/security/openssh-portable/files/patch-9.8-cves +++ /dev/null 
@@ -1,56 +0,0 @@ -https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html - -Damien Miller djm at mindrot.org -Mon Jul 1 18:21:11 AEST 2024 -Previous message (by thread): Announce: OpenSSH 9.8 released -Next message (by thread): Announce: OpenSSH 9.8 released -Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] -Hi, - -Regarding the race condition fixed in OpenSSH 9.8. A mitigation to -prevent exploitation of this bug is to disable the login grace timer -by setting LoginGraceTime=0 in sshd_config. This will however make -it much easier for an attacker to deny service to sshd. - -Similarly, the much more minor keystroke timing bug can be avoided -by disabling the feature using ObscureKeystrokeTiming=0. - -Some users will understandably prefer to patch their OpenSSH rather -than upgrade to the newest version, so here are minimal patches for -both problems. - -1) Critical race condition in sshd - -2) Minor logic error in ObscureKeystrokeTiming - ---- log.c.orig 2024-07-02 09:05:35.023051000 -0700 -+++ log.c 2024-07-02 09:05:54.881067000 -0700 -@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line - sshsigdie(const char *file, const char *func, int line, int showfunc, - LogLevel level, const char *suffix, const char *fmt, ...) 
- { -+#ifdef SYSLOG_R_SAFE_IN_SIGHAND - va_list args; - - va_start(args, fmt); - sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, - suffix, fmt, args); - va_end(args); -+#endif - _exit(1); - } - ---- clientloop.c.orig 2024-07-02 09:06:09.736347000 -0700 -+++ clientloop.c 2024-07-02 09:06:41.414979000 -0700 -@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim - if (timespeccmp(&now, &chaff_until, >=)) { - /* Stop if there have been no keystrokes for a while */ - stop_reason = "chaff time expired"; -- } else if (timespeccmp(&now, &next_interval, >=)) { -- /* Otherwise if we were due to send, then send chaff */ -+ } else if (timespeccmp(&now, &next_interval, >=) && -+ !ssh_packet_have_data_to_write(ssh)) { -+ /* If due to send but have no data, then send chaff */ - if (send_chaff(ssh)) - nchaff++; - } diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index 5a7e9b9f30fc..33ead18621bb 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c 
@@ -6,29 +6,30 @@ Changed paths: Apply FreeBSD's configuration defaults. ---- servconf.c.orig 2018-06-27 17:18:19.513676000 -0700 -+++ servconf.c 2018-06-27 17:19:38.133882000 -0700 -@@ -41,6 +41,7 @@ - #include +--- servconf.c.orig 2024-07-01 13:30:30.284417000 -0700 ++++ servconf.c 2024-07-01 13:31:20.040132000 -0700 +@@ -46,6 +46,7 @@ + # include "openbsd-compat/glob.h" #endif +#include "version.h" #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "ssh.h" -@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options) +@@ -295,7 +296,11 @@ fill_default_server_options(ServerOptions *options) /* Portable-specific options */ if (options->use_pam == -1) +- options->use_pam = 0; +#ifdef USE_PAM + options->use_pam = 1; +#else - options->use_pam = 0; ++ options->use_pam = 0; +#endif + if (options->pam_service_name == NULL) + options->pam_service_name = xstrdup(SSHD_PAM_SERVICE); - /* Standard Options */ - if (options->num_host_key_files == 0) { -@@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options) +@@ -339,7 +344,7 @@ fill_default_server_options(ServerOptions *options) if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -37,7 +38,7 @@ Apply FreeBSD's configuration defaults. if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options) +@@ -381,7 +386,11 @@ fill_default_server_options(ServerOptions *options) if (options->gss_strict_acceptor == -1) options->gss_strict_acceptor = 1; if (options->password_authentication == -1) 
@@ -47,5 +48,5 @@ Apply FreeBSD's configuration defaults. options->password_authentication = 1; +#endif if (options->kbd_interactive_authentication == -1) - options->kbd_interactive_authentication = 0; - if (options->challenge_response_authentication == -1) + options->kbd_interactive_authentication = 1; + if (options->permit_empty_passwd == -1) diff --git a/security/openssh-portable/files/patch-serverloop.c b/security/openssh-portable/files/patch-serverloop.c deleted file mode 100644 index 94a4609d712f..000000000000 --- a/security/openssh-portable/files/patch-serverloop.c +++ /dev/null 
@@ -1,52 +0,0 @@ ------------------------------------------------------------------------- -r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines -Changed paths: - M /head/crypto/openssh/readconf.c - -Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. -Submitted upstream, no reaction. - -Submitted by: delphij -[rewritten for 7.4 by bdrewery] -[base removed this in 7.8 but it is still useful - bdrewery] - ---- serverloop.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ serverloop.c 2020-11-16 12:58:44.823775000 -0800 -@@ -56,6 +56,8 @@ - #include - #include - -+#include -+ - #include "openbsd-compat/sys-queue.h" - #include "xmalloc.h" - #include "packet.h" -@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *); - /* requested tunnel forwarding interface(s), shared with session.c */ - char *tun_fwd_ifnames = NULL; - -+static int -+ipport_reserved(void) -+{ -+#ifdef __FreeBSD__ -+ int old; -+ size_t len = sizeof(old); -+ -+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", -+ &old, &len, NULL, 0) == 0) -+ return (old + 1); -+#endif -+ return (IPPORT_RESERVED); -+} -+ - /* returns 1 if bind to specified port by specified user is permitted */ - static int - bind_permitted(int port, uid_t uid) - { - if (use_privsep) - return 1; /* allow system to decide */ -- if (port < IPPORT_RESERVED && uid != 0) -+ if (port < ipport_reserved() && uid != 0) - return 0; - return 1; - } diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c index 6374e22bbacc..6d522d520e90 100644 --- a/security/openssh-portable/files/patch-sshd.c +++ b/security/openssh-portable/files/patch-sshd.c 
@@ -33,9 +33,9 @@ of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. ---- sshd.c.orig 2021-04-27 11:49:55.540744000 -0700 -+++ sshd.c 2021-04-27 11:50:20.239225000 -0700 -@@ -46,6 +46,7 @@ +--- sshd.c.orig 2024-06-30 21:36:28.000000000 -0700 ++++ sshd.c 2024-07-01 13:44:05.739756000 -0700 +@@ -28,6 +28,7 @@ #include #include @@ -43,7 +43,7 @@ connections, do not protect connection handlers spawned from inetd. #include #ifdef HAVE_SYS_STAT_H # include -@@ -85,6 +86,13 @@ +@@ -69,6 +70,13 @@ #include #endif @@ -56,8 +56,8 @@ connections, do not protect connection handlers spawned from inetd. + #include "xmalloc.h" #include "ssh.h" - #include "ssh2.h" -@@ -2007,7 +2015,30 @@ main(int ac, char **av) + #include "sshpty.h" +@@ -1671,7 +1679,30 @@ main(int ac, char **av) for (i = 0; i < options.num_log_verbose; i++) log_verbose_add(options.log_verbose[i]); @@ -88,14 +88,14 @@ connections, do not protect connection handlers spawned from inetd. * If not in debugging mode, not started from inetd and not already * daemonized (eg re-exec via SIGHUP), disconnect from the controlling * terminal, and fork. The original process exits. -@@ -2022,6 +2053,10 @@ main(int ac, char **av) - } +@@ -1687,6 +1718,10 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); -+ + + /* Avoid killing the process in high-pressure swapping environments. */ + if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0) + debug("madvise(): %.200s", strerror(errno)); - ++ /* * Chdir to the root directory so that the current disk can be + * unmounted if desired. diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 2936c7cdca1a..15d3ff7bf9d8 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 
+++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -11,30 +11,6 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1277,7 +1279,23 @@ - .It Cm PasswordAuthentication - Specifies whether password authentication is allowed. - The default is -+.Cm no , -+unless -+.Nm sshd -+was built without PAM support, in which case the default is - .Cm yes . -+.Pp -+Note that if -+.Cm ChallengeResponseAuthentication -+is -+.Cm yes , -+and the PAM authentication policy for -+.Nm sshd -+includes -+.Xr pam_unix 8 , -+password authentication will be allowed through the challenge-response -+mechanism regardless of the value of -+.Cm PasswordAuthentication . - .It Cm PermitEmptyPasswords - When password authentication is allowed, it specifies whether the - server allows login to accounts with empty password strings. @@ -1416,6 +1434,13 @@ .Cm ethernet . The default is diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist index 991d1f830bbe..276fd4a7590d 100644 --- a/security/openssh-portable/pkg-plist +++ b/security/openssh-portable/pkg-plist @@ -14,6 +14,7 @@ libexec/sftp-server libexec/ssh-keysign libexec/ssh-pkcs11-helper libexec/ssh-sk-helper +libexec/sshd-session share/man/man1/sftp.1.gz share/man/man1/ssh-add.1.gz share/man/man1/ssh-agent.1.gz
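Review bot: the second Makefile hunk (@@ -102,7 +102,7 @@) turns the commented `#BROKEN=` into a live `BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.`, and the distinfo hunk drops the `openssh-9.7p1-gsskex-all-debian-rh-9.7p1.patch` checksum and size, so the KERB_GSSAPI option and the gssapi flavor go from building to refusing to build, yet the commit message says only "Update to 9.8p1". Please state the loss of GSSAPI key exchange in the commit message (and in UPDATING if the flavor is in use), since a user of the gssapi flavor now gets a hard build failure, and note where a 9.8p1 gsskex patch is expected to appear given that it is fetched from the external PATCH_SITES mirror named in the surrounding context.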
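Review bot: in extra-patch-hpn the new file header `--- work.clean/openssh-9.8p1/sshd-session.c.orig` / `+++ work/openssh-9.8p1/sshd-session.c` uses different prefixes on its two sides and a different directory name from the `--- work/openssh/ssh.c.orig` / `+++ work/openssh/ssh.c` and `--- work/openssh/sshd.c.orig` headers added in the same file. This applies today only because the ports patch step falls back to the basename, so normalise the headers (one prefix, one directory name) before someone runs the file with an explicit strip level and has the sshd-session.c part fail while the rest applies.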
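Review bot: the rebased listen_on_addrs hunk in extra-patch-hpn (`+@@ -786,6 +790,13 @@`) still calls `getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen)` without checking its return value before logging `socksize` in the following debug() line, so on failure an uninitialised or stale value is printed as the server receive window. Since the hunk is being touched anyway, check the return and skip the two debug lines when it fails.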
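Review bot: the `+@@ -1742,6 +1762,11 @@ main` hunk in extra-patch-hpn keeps the "set the HPN options for the child" block right after `setproctitle("%s", "[accepted]");` in sshd.c, but the rest of this commit shows that 9.8 moved the per-connection code out of sshd.c into a separate sshd-session binary (new libexec/sshd-session in pkg-plist, the kex_exchange_identification and do_ssh2_kex hunks now under sshd-session.c, and the `sshdsessionpath` keyword visible in the servconf.c context). Please confirm that whatever this block writes into the listener's `options` actually reaches sshd-session, which parses its own configuration rather than inheriting the listener's in-memory struct; if it does not, the block is dead code after the rebase and the HPN buffer tuning silently stops applying to sessions.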
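Review bot: in extra-patch-tcpwrappers the LIBWRAP block now lands in sshd-session.c main after `rdomain = ssh_packet_rdomain_in(ssh);` and before "Log the connection", so the hosts.allow/hosts.deny decision is still taken before the connection is logged and before the banner exchange (the kex_exchange_identification hunk sits further down at line 1305), but it is now taken in the per-connection process rather than in the listener, so a denied peer costs the listener a fork and an exec of sshd-session first. That is acceptable for a rebase, but add a sentence to the patch header saying so. Dropping the old hunk that rewrote the `$OpenBSD: sshd.c,v` ID line is a welcome cleanup; the configure.ac part dated 2022 is untouched and still applies.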
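Review bot: deleting patch-9.8-cves is correct, since 9.8p1 carries both the sshd race-condition fix (the SYSLOG_R_SAFE_IN_SIGHAND guard in sshsigdie) and the ObscureKeystrokeTiming fix in obfuscate_keystroke_timing that this file back-ported from the mindrot announcement, but the commit message should say that 9.8p1 supersedes the interim backport shipped as 9.7p1 PORTREVISION 2. Anyone auditing which OpenSSH builds contain the fixes will otherwise have to reconstruct that from the diff stat; the LoginGraceTime=0 mitigation quoted in the deleted file is no longer needed on this version and that is worth stating too.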
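Review bot: the rebased fill_default_server_options hunk in patch-servconf.c (`+@@ -295,7 +296,11 @@`) now deletes `options->use_pam = 0;` right after the `if (options->use_pam == -1)` test and re-adds the same text inside the `#else` branch (`+- options->use_pam = 0;` and `++ options->use_pam = 0;`), where the previous version of the patch kept that line as unchanged context. If the only difference is indentation, keep it as context to avoid churn; if the whitespace genuinely changed upstream, a short note in the patch header would save the next rebase from wondering. The updated context lines (`kbd_interactive_authentication = 1`, `permit_empty_passwd`) match upstream's renamed keyword and look right.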
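Review bot: patch-serverloop.c is deleted outright, removing the FreeBSD-specific bind_permitted() change that consulted net.inet.ip.portrange.reservedhigh instead of the fixed IPPORT_RESERVED, and the commit message gives no reason. The file's own header says "base removed this in 7.8 but it is still useful", so either say that the 9.8 serverloop.c no longer has a bind_permitted() check to patch, or that the behaviour is being dropped deliberately; as it stands a reader cannot tell whether unprivileged remote port forwarding below reservedhigh is now allowed or refused on FreeBSD.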
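Review bot: the patch-sshd.c madvise hunk (`+@@ -1687,6 +1718,10 @@ main`) still guards `madvise(NULL, 0, MADV_PROTECT)` with `!inetd_flag`, and with 9.8's split that now protects exactly the listener in sshd.c and never the per-connection sshd-session processes, which matches the header's stated intent ("Only mark the master process that accepts connections"). The only change here is blank-line placement around the block; a mention in the header that the split makes the restriction automatic would help the next rebase.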
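Review bot: the patch-sshd_config.5 hunk (`@@ -11,30 +11,6 @@`) deletes the whole PasswordAuthentication paragraph that documented FreeBSD's default as `no` when sshd is built with PAM, yet patch-servconf.c still wraps the `password_authentication` default in `#ifdef USE_PAM` / `#endif`, so the non-upstream behaviour remains while its documentation disappears. If the hunk was dropped because its text refers to the obsolete `ChallengeResponseAuthentication` keyword, rewrite it against `KbdInteractiveAuthentication` rather than removing it; an administrator reading the installed sshd_config(5) will otherwise expect upstream's default of `yes`.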
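Review bot: the pkg-plist hunk adds `libexec/sshd-session`, which the 9.8 listener must find at the path compiled in as the default for the `sshdsessionpath` keyword that now appears in the servconf.c context. Please confirm that configure was run so that default resolves to ${PREFIX}/libexec/sshd-session (not a /usr/libexec or /usr/local/libexec literal from the tarball), and that the rc script needs no change, since a mismatch means sshd accepts connections and then fails to exec the session handler for every client.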