git: 418bb1fbd26b - main - security/openssh-portable: fix docs when built without PAM support

From: Bryan Drewery <bdrewery_at_FreeBSD.org>
Date: Thu, 03 Mar 2022 19:59:11 UTC
The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=418bb1fbd26b1b66b71096b364b0ee10477541b7

commit 418bb1fbd26b1b66b71096b364b0ee10477541b7
Author:     Andrew Fyfe <andrew@neptune-one.net>
AuthorDate: 2022-02-11 17:13:39 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-03-03 19:59:09 +0000

    security/openssh-portable: fix docs when built without PAM support
    
    The defaults documented in sshd_config and sshd_config.5 are incorrect
    if OpenSSH was built without PAM support and can mislead the user about
    whether password authentication is enabled.
    
    - Moved PAM specific changes out of patch-sshd_config and into
      extra-patch-pam-sshd_config
    - sshd_config.5 PasswordAuthentication: added a new line before the note
      to make it easier to read.
    - sshd_config.5 UsePAM: noted the default value depends on whether
      sshd was built with or without PAM support.
    
    PR:             261342
---
 security/openssh-portable/Makefile                 |  4 ++-
 .../files/extra-patch-pam-sshd_config              | 31 +++++++++++++++++++
 security/openssh-portable/files/patch-sshd_config  | 35 ++++------------------
 .../openssh-portable/files/patch-sshd_config.5     | 26 +++++++++-------
 4 files changed, 55 insertions(+), 41 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 578274ed6edb..8a5f71adabf9 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	8.9p1
-PORTREVISION=	0
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -67,6 +67,8 @@ BLACKLISTD_DESC=	FreeBSD blacklistd(8) support
 
 OPTIONS_SUB=		yes
 
+PAM_EXTRA_PATCHES=	${FILESDIR}/extra-patch-pam-sshd_config
+
 TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 
 LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config
new file mode 100644
index 000000000000..9b6b2619e527
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-pam-sshd_config
@@ -0,0 +1,31 @@
+--- sshd_config.nopam	2022-02-11 19:19:59.515475000 +0000
++++ sshd_config	2022-02-11 19:20:45.334738000 +0000
+@@ -55,8 +55,8 @@
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
+ 
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
++# To enable tunneled clear text passwords, change to yes here!
++#PasswordAuthentication no
+ #PermitEmptyPasswords no
+ 
+ # Change to no to disable s/key passwords
+@@ -72,7 +72,7 @@
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
+ 
+-# Set this to 'yes' to enable PAM authentication, account processing,
++# Set this to 'no' to disable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+ # be allowed through the KbdInteractiveAuthentication and
+ # PasswordAuthentication.  Depending on your PAM configuration,
+@@ -81,7 +81,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++#UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
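Review bot: The new extra patch carries no header saying when it is applied or what it changes, unlike files/patch-sshd_config, which gains a `!!!` banner pointing here; a mirror banner before the `---` line would help the next maintainer, e.g. `!!! Applied only when the PAM option is enabled; rewrites the commented PasswordAuthentication/UsePAM defaults in the sample sshd_config to match a PAM build.` Note also that `#PasswordAuthentication no` and `#UsePAM yes` are commented out, so they document the compiled-in default rather than set it; they are only accurate if the port's servconf defaults (patched elsewhere, not in this commit) really switch with PAM, which is worth confirming since an administrator reading the sample would otherwise conclude password authentication is off when it is not. The same caveat applies to the corresponding man-page wording in files/patch-sshd_config.5.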
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index b582ac8f3691..c19496486f4f 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,5 +1,8 @@
---- sshd_config.orig	2021-08-19 21:03:49.000000000 -0700
-+++ sshd_config	2021-09-07 12:34:49.372652000 -0700
+!!!
+!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
+!!!
+--- sshd_config.orig	2022-02-11 18:49:55.062881000 +0000
++++ sshd_config	2022-02-11 18:52:31.639435000 +0000
 @@ -10,6 +10,9 @@
  # possible, but leave them commented.  Uncommented options override the
  # default value.
@@ -20,33 +23,7 @@
  
  #AuthorizedPrincipalsFile none
  
-@@ -53,8 +55,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
- # Don't read the user's ~/.rhosts and ~/.shosts files
- #IgnoreRhosts yes
- 
--# To disable tunneled clear text passwords, change to no here!
--#PasswordAuthentication yes
-+# To enable tunneled clear text passwords, change to yes here!
-+#PasswordAuthentication no
- #PermitEmptyPasswords no
- 
- # Change to no to disable s/key passwords
-@@ -70,7 +72,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
- 
--# Set this to 'yes' to enable PAM authentication, account processing,
-+# Set this to 'no' to disable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
- # be allowed through the KbdInteractiveAuthentication and
- # PasswordAuthentication.  Depending on your PAM configuration,
-@@ -79,12 +81,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
- # If you just want the PAM account and session checks to run without
- # PAM authentication, then enable this but set PasswordAuthentication
- # and KbdInteractiveAuthentication to 'no'.
--#UsePAM no
-+#UsePAM yes
- 
+@@ -84,7 +86,7 @@
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 442225160130..2936c7cdca1a 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -1,8 +1,8 @@
---- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
-+++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
-@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
- The list of available key types may also be obtained using
- .Qq ssh -Q key .
+--- sshd_config.5.orig	2022-02-11 18:50:00.822679000 +0000
++++ sshd_config.5	2022-02-11 19:09:05.162504000 +0000
+@@ -701,7 +701,9 @@
+ .Qq ssh -Q HostbasedAcceptedAlgorithms .
+ This was formerly named HostbasedAcceptedKeyTypes.
  .It Cm HostbasedAuthentication
 -Specifies whether rhosts or /etc/hosts.equiv authentication together
 +Specifies whether rhosts or
@@ -11,7 +11,7 @@
  with successful public key client host authentication is allowed
  (host-based authentication).
  The default is
-@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
+@@ -1277,7 +1279,23 @@
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
@@ -20,6 +20,7 @@
 +.Nm sshd
 +was built without PAM support, in which case the default is
  .Cm yes .
++.Pp
 +Note that if
 +.Cm ChallengeResponseAuthentication
 +is
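Review bot: The PasswordAuthentication note in this hunk still refers to `.Cm ChallengeResponseAuthentication`, while the sample sshd_config touched by the same commit uses KbdInteractiveAuthentication (the option's current name since OpenSSH 8.7, the old name being kept as an alias); for DISTVERSION 8.9p1 the man page should name the same option, `.Cm KbdInteractiveAuthentication`, so readers can find it elsewhere in sshd_config.5. The note's sentence continues past the end of this hunk, so the remainder should be checked for the same alias. The `.Pp` the commit adds is fine.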
@@ -34,7 +35,7 @@
  .It Cm PermitEmptyPasswords
  When password authentication is allowed, it specifies whether the
  server allows login to accounts with empty password strings.
-@@ -1232,6 +1251,13 @@ and
+@@ -1416,6 +1434,13 @@
  .Cm ethernet .
  The default is
  .Cm no .
@@ -48,12 +49,15 @@
  .Pp
  Independent of this setting, the permissions of the selected
  .Xr tun 4
-@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
+@@ -1774,12 +1799,19 @@
  .Xr sshd 8
  as a non-root user.
  The default is
--.Cm no .
-+.Cm yes .
++.Cm yes ,
++unless
++.Nm sshd
++was built without PAM support, in which case the default is
+ .Cm no .
  .It Cm VersionAddendum
  Optionally specifies additional text to append to the SSH protocol banner
  sent by the server upon connection.
@@ -66,7 +70,7 @@
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's
-@@ -1512,7 +1541,7 @@ The argument must be
+@@ -1793,7 +1825,7 @@
  or
  .Cm no .
  The default is