From nobody Thu Mar 03 19:59:11 2022 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id E27FB19E58EB; Thu, 3 Mar 2022 19:59:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4K8hdW628Pz3GMh; Thu, 3 Mar 2022 19:59:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1646337551; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ycZD+wKCtLFmB8Dq+xfdXl3LEG8wa5pXRVPCt4RDn8E=; b=g1fD9pMq35FX3W2cKC1OGC86+SBQw6XfouvY+imE+fsjcU0pyNRbuMmk03kHwNWBPJ1fWL 4N+tKMxAai9Z2ZEN1Fl0lR86lRg1H8IcdK0B4Svjv2/yu8MgfBRpzvmmdwn9RFFPqToWeY 2N/V1vEdmkBjV5wv2UzQc8OZLFQELgDdxchTqv3WHqNuLyuocjGavfm3beBZkk9cG7IAZG VDSs6XizzqB0Es6gF1dZA+9+WIPp1cVhEGu7qGFNRMeI1BQciALriAf18jPGiDiVlP0oNZ VB2mzjvl138lM+4pDZI4XzMaZyPlQXwUJOyfGsfxOYJn2fIiKmj6yp94NtYWng== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id AEEB31E0AC; Thu, 3 Mar 2022 19:59:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 223JxB1t045136; Thu, 3 Mar 2022 19:59:11 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 223JxBNi045135; Thu, 3 Mar 2022 19:59:11 GMT (envelope-from git) Date: Thu, 3 Mar 2022 19:59:11 GMT Message-Id: <202203031959.223JxBNi045135@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Bryan Drewery Subject: git: 418bb1fbd26b - main - security/openssh-portable: fix docs when built without PAM support List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bdrewery X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 418bb1fbd26b1b66b71096b364b0ee10477541b7 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1646337551; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ycZD+wKCtLFmB8Dq+xfdXl3LEG8wa5pXRVPCt4RDn8E=; b=JmfKkBgTApg+MkcTGJcmL2xDiI3n8e/OGlhInDkXEETKYbO2h87dTkSmgf2pIFGiE1roKc gtfJ1XHIeWGNCJ6Ytwu8vyAelSIdp679CTwLK0LP7nglojC3cIN2ExWUWY5XW/o1I8NrMl Dd9su1viBPJMVFsmfg0ptLl3YjlidvAn8vOb2idtwI/k5UIzmaowmnG7YBwl4gDg9SUiOp eesVmQFPyQMs/9sUwpD2XnQwLRP+Ji2wI0RR9c/fgeGnTk8FlrXNlHYXH9zXKeAB43HcK7 8fevY3yoLfrURNT2CGXfELNKW0LTHbnag+ng39UbTVjqAeAqkBFKUY08HPpT0A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1646337551; a=rsa-sha256; cv=none; b=tqOnznL9a6oHOb4ri6xIqEqoFHKNkCHM/wsz1axdq9LVFalZIGqUabOJHQwY3DKSOCccVK PXdJAMM24ikULKxM7rAgVHqXL/BvZ8kQl/uptWYaQ2/0XcerdtHpCfLNWLEqOzJvUTpFn2 3HObYrZv5aQwFCemVCIoxTxfqmHwmd9+HNSYDC+owBpy3TUSZMm5NkFaPgmcmdl5Un1EwM zX/xG6nqfcXjxI0OkXos3BUEW0ghB5TpIVYXPBkPNEKpfb7cPLf5sEB6i98jp2XWjTdNrg AWzesiTKnbTGn8nZ5/V5wokJpO5hWghtWGE76Az+ChbBvfq/DUQFrv3Z2niKHQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by bdrewery: URL: https://cgit.FreeBSD.org/ports/commit/?id=418bb1fbd26b1b66b71096b364b0ee10477541b7 commit 418bb1fbd26b1b66b71096b364b0ee10477541b7 Author: Andrew Fyfe AuthorDate: 2022-02-11 17:13:39 +0000 Commit: Bryan Drewery CommitDate: 2022-03-03 19:59:09 +0000 security/openssh-portable: fix docs when built without PAM support The defaults documented in sshd_config and sshd_config.5 are incorrect if OpenSSH was built without PAM support and can be misleading to the user whether or not password authentication is enabled. - Moved PAM specific changes out of patch-sshd_config and into extra-patch-pam-sshd_config - sshd_config.5 PasswordAuthentication: added a new line before the note to make it easier to read. - sshd_config.5 UsePAM: noted the default value depends on whether sshd was built with or without PAM support. PR: 261342 --- security/openssh-portable/Makefile | 4 ++- .../files/extra-patch-pam-sshd_config | 31 +++++++++++++++++++ security/openssh-portable/files/patch-sshd_config | 35 ++++------------------ .../openssh-portable/files/patch-sshd_config.5 | 26 +++++++++------- 4 files changed, 55 insertions(+), 41 deletions(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 578274ed6edb..8a5f71adabf9 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,7 +2,7 @@ PORTNAME= openssh DISTVERSION= 8.9p1 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -67,6 +67,8 @@ BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes +PAM_EXTRA_PATCHES= ${FILESDIR}/extra-patch-pam-sshd_config + TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} diff --git a/security/openssh-portable/files/extra-patch-pam-sshd_config b/security/openssh-portable/files/extra-patch-pam-sshd_config new file mode 100644 index 000000000000..9b6b2619e527 --- /dev/null +++ b/security/openssh-portable/files/extra-patch-pam-sshd_config @@ -0,0 +1,31 @@ +--- sshd_config.nopam 2022-02-11 19:19:59.515475000 +0000 ++++ sshd_config 2022-02-11 19:20:45.334738000 +0000 +@@ -55,8 +55,8 @@ + # Don't read the user's ~/.rhosts and ~/.shosts files + #IgnoreRhosts yes + +-# To disable tunneled clear text passwords, change to no here! +-#PasswordAuthentication yes ++# To enable tunneled clear text passwords, change to yes here! ++#PasswordAuthentication no + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords +@@ -72,7 +72,7 @@ + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + +-# Set this to 'yes' to enable PAM authentication, account processing, ++# Set this to 'no' to disable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the KbdInteractiveAuthentication and + # PasswordAuthentication. Depending on your PAM configuration, +@@ -81,7 +81,7 @@ + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and KbdInteractiveAuthentication to 'no'. +-#UsePAM no ++#UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index b582ac8f3691..c19496486f4f 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,5 +1,8 @@ ---- sshd_config.orig 2021-08-19 21:03:49.000000000 -0700 -+++ sshd_config 2021-09-07 12:34:49.372652000 -0700 +!!! +!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option. +!!! +--- sshd_config.orig 2022-02-11 18:49:55.062881000 +0000 ++++ sshd_config 2022-02-11 18:52:31.639435000 +0000 @@ -10,6 +10,9 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -20,33 +23,7 @@ #AuthorizedPrincipalsFile none -@@ -53,8 +55,8 @@ AuthorizedKeysFile .ssh/authorized_keys - # Don't read the user's ~/.rhosts and ~/.shosts files - #IgnoreRhosts yes - --# To disable tunneled clear text passwords, change to no here! --#PasswordAuthentication yes -+# To enable tunneled clear text passwords, change to yes here! -+#PasswordAuthentication no - #PermitEmptyPasswords no - - # Change to no to disable s/key passwords -@@ -70,7 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes - --# Set this to 'yes' to enable PAM authentication, account processing, -+# Set this to 'no' to disable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will - # be allowed through the KbdInteractiveAuthentication and - # PasswordAuthentication. Depending on your PAM configuration, -@@ -79,12 +81,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. --#UsePAM no -+#UsePAM yes - +@@ -84,7 +86,7 @@ #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 442225160130..2936c7cdca1a 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,8 +1,8 @@ ---- sshd_config.5.orig 2017-03-19 19:39:27.000000000 -0700 -+++ sshd_config.5 2017-03-20 11:48:37.553620000 -0700 -@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa - The list of available key types may also be obtained using - .Qq ssh -Q key . +--- sshd_config.5.orig 2022-02-11 18:50:00.822679000 +0000 ++++ sshd_config.5 2022-02-11 19:09:05.162504000 +0000 +@@ -701,7 +701,9 @@ + .Qq ssh -Q HostbasedAcceptedAlgorithms . + This was formerly named HostbasedAcceptedKeyTypes. .It Cm HostbasedAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or @@ -11,7 +11,7 @@ with successful public key client host authentication is allowed (host-based authentication). The default is -@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic +@@ -1277,7 +1279,23 @@ .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -20,6 +20,7 @@ +.Nm sshd +was built without PAM support, in which case the default is .Cm yes . ++.Pp +Note that if +.Cm ChallengeResponseAuthentication +is @@ -34,7 +35,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1232,6 +1251,13 @@ and +@@ -1416,6 +1434,13 @@ .Cm ethernet . The default is .Cm no . @@ -48,12 +49,15 @@ .Pp Independent of this setting, the permissions of the selected .Xr tun 4 -@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run +@@ -1774,12 +1799,19 @@ .Xr sshd 8 as a non-root user. The default is --.Cm no . -+.Cm yes . ++.Cm yes , ++unless ++.Nm sshd ++was built without PAM support, in which case the default is + .Cm no . .It Cm VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. @@ -66,7 +70,7 @@ .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's -@@ -1512,7 +1541,7 @@ The argument must be +@@ -1793,7 +1825,7 @@ or .Cm no . The default is