git: 272dd07a309c - main - security/openssh-portable: Fix some capsicum issues

From: Bryan Drewery <bdrewery_at_FreeBSD.org>
Date: Wed, 25 May 2022 13:34:26 UTC
The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=272dd07a309c086a4bc97dc015ef7faf4fbf89ca

commit 272dd07a309c086a4bc97dc015ef7faf4fbf89ca
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-05-24 23:08:14 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-05-25 13:34:24 +0000

    security/openssh-portable: Fix some capsicum issues
    
    - Brings in latest changes from base. See patches for details.
    - Version 9.0 is being worked on but I wanted to fix this issue
      before proceeding with bigger changes.
    
    PR:             263753
---
 security/openssh-portable/Makefile                 |  2 +-
 .../files/patch-FreeBSD-caph_cache_tzdata          | 43 ++++++++++++++
 .../openssh-portable/files/patch-FreeBSD-logincap  | 69 ++++++++++++++++++++++
 security/openssh-portable/files/patch-auth2.c      | 47 ---------------
 4 files changed, 113 insertions(+), 48 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 75f4d206e817..f55a7bd0c630 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	8.9p1
-PORTREVISION=	3
+PORTREVISION=	4
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
new file mode 100644
index 000000000000..bf3889265b77
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
@@ -0,0 +1,43 @@
+commit fc3c19a9fceeea48a9259ac3833a125804342c0e
+Author: Ed Maste <emaste@FreeBSD.org>
+Date:   Sat Oct 6 21:32:55 2018 +0000
+
+    sshd: address capsicum issues
+    
+    * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
+      capability mode.
+    * Cache timezone data via caph_cache_tzdata() as we cannot access the
+      timezone file.
+    * Reverse resolve hostname before entering capability mode.
+    
+    PR:             231172
+    Submitted by:   naito.yuichiro@gmail.com
+    Reviewed by:    cem, des
+    Approved by:    re (rgrimes)
+    MFC after:      3 weeks
+    Differential Revision:  https://reviews.freebsd.org/D17128
+
+Notes:
+    svn path=/head/; revision=339216
+
+diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
+index 5f41d526292b..f728abd18250 100644
+--- sandbox-capsicum.c
++++ sandbox-capsicum.c
+@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <capsicum_helpers.h>
+ 
+ #include "log.h"
+ #include "monitor.h"
+@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
+ 	struct rlimit rl_zero;
+ 	cap_rights_t rights;
+ 
++	caph_cache_tzdata();
++
+ 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ 
+ 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
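Review bot: The embedded commit message in this patch file describes three changes (a login_getpwclass(3) proxy, the tzdata cache, and reverse-resolving the hostname before capability mode), but only the caph_cache_tzdata() hunk is actually carried here, which will confuse the next person updating the port. A one-line note at the top of the patch file, e.g. `Only the caph_cache_tzdata() hunk of this commit is carried; login class handling is in patch-FreeBSD-logincap.`, would make the scope explicit. The placement of `caph_cache_tzdata();` at the very top of ssh_sandbox_child looks right since it has to run before cap_enter(), but the rest of ssh_sandbox_child, including the cap_enter() call, lies outside the hunk so that cannot be confirmed from here.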
diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap
new file mode 100644
index 000000000000..78d772e8a024
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-logincap
@@ -0,0 +1,69 @@
+(pulled from the PR)
+
+commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
+Author: Ed Maste <emaste@FreeBSD.org>
+Date:   Tue Aug 31 15:30:50 2021 -0400
+
+    openssh: simplify login class restrictions
+
+    Login class-based restrictions were introduced in 5b400a39b8ad.  The
+    code was adapted for sshd's Capsicum sandbox and received many changes
+    over time, including at least fc3c19a9fcee, bd393de91cc3, and
+    e8c56fba2926.
+
+    During an attempt to upstream the work a much simpler approach was
+    suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
+    future updates.
+
+    Submitted by:   Yuchiro Naito (against OpenSSH-portable on GitHub)
+    Obtained from:  https://github.com/openssh/openssh-portable/pull/262
+    Reviewed by:    allanjude, kevans
+    MFC after:      2 weeks
+    Differential Revision:  https://reviews.freebsd.org/D31760
+
+
+--- auth.c
++++ auth.c
+@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ {
+ #ifdef HAVE_LOGIN_CAP
+ 	extern login_cap_t *lc;
++#ifdef HAVE_AUTH_HOSTOK
++	const char *from_host, *from_ip;
++#endif
+ #ifdef BSD_AUTH
+ 	auth_session_t *as;
+ #endif
+@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ 		debug("unable to get login class: %s", user);
+ 		return (NULL);
+ 	}
++#ifdef HAVE_AUTH_HOSTOK
++	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++	from_ip = ssh_remote_ipaddr(ssh);
++	if (!auth_hostok(lc, from_host, from_ip)) {
++		debug("Denied connection for %.200s from %.200s [%.200s].",
++		      pw->pw_name, from_host, from_ip);
++		return (NULL);
++	}
++#endif /* HAVE_AUTH_HOSTOK */
++#ifdef HAVE_AUTH_TIMEOK
++	if (!auth_timeok(lc, time(NULL))) {
++		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
++		return (NULL);
++	}
++#endif /* HAVE_AUTH_TIMEOK */
+ #ifdef BSD_AUTH
+ 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+ 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
+--- configure.ac
++++ configure.ac
+@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
+ 
+ dnl    Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS([ \
++	auth_hostok \
++	auth_timeok \
+ 	Blowfish_initstate \
+ 	Blowfish_expandstate \
+ 	Blowfish_expand0state \
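Review bot: The new auth_hostok()/auth_timeok() blocks only compile in when HAVE_AUTH_HOSTOK/HAVE_AUTH_TIMEOK are defined, and those macros come solely from the configure.ac addition at the end of this patch; if the port does not regenerate configure from configure.ac (USES=autoreconf or equivalent is outside this view), both checks silently compile out and the login-class restriction this commit is meant to restore is never enforced, so that should be confirmed or the generated configure patched too. Separately, both denials are reported with `debug(...)`, whereas the removed patch-auth2.c used `logit(...)`, so at the default LogLevel an operator no longer sees that a host or time restriction rejected the connection and only gets whatever the caller emits for the NULL return, which presumably does not name the reason; consider `logit("Denied connection for %.200s from %.200s [%.200s].", pw->pw_name, from_host, from_ip);` and the matching logit for the time refusal. getpwnamallow begins and ends outside the hunk, so the origin of `pw` and `lc` is not visible here.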
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
deleted file mode 100644
index 38d366aeaf71..000000000000
--- a/security/openssh-portable/files/patch-auth2.c
+++ /dev/null
@@ -1,47 +0,0 @@
---- UTC
-r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
-   M /head/crypto/openssh/auth2.c
-
-Apply class-imposed login restrictions.
-
---- auth2.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ auth2.c	2020-11-16 13:55:25.222771000 -0800
-@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
- 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
- 	int r, authenticated = 0;
- 	double tstart = monotime_double();
-+#ifdef HAVE_LOGIN_CAP
-+	login_cap_t *lc;
-+	const char *from_host, *from_ip;
-+#endif
- 
- 	if (authctxt == NULL)
- 		fatal("input_userauth_request: no authctxt");
-@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
- 		    "not allowed: (%s,%s) -> (%s,%s)",
- 		    authctxt->user, authctxt->service, user, service);
- 	}
-+
-+#ifdef HAVE_LOGIN_CAP
-+	if (authctxt->pw != NULL &&
-+	    (lc = login_getpwclass(authctxt->pw)) != NULL) {
-+		from_host = auth_get_canonical_hostname(ssh, options.use_dns);
-+		from_ip = ssh_remote_ipaddr(ssh);
-+		if (!auth_hostok(lc, from_host, from_ip)) {
-+			logit("Denied connection for %.200s from %.200s [%.200s].",
-+			    authctxt->pw->pw_name, from_host, from_ip);
-+			ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
-+		}
-+		if (!auth_timeok(lc, time(NULL))) {
-+			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+			    authctxt->pw->pw_name, from_host);
-+			ssh_packet_disconnect(ssh, "Logins not available right now.");
-+		}
-+		login_close(lc);
-+	}
-+#endif  /* HAVE_LOGIN_CAP */
-+
- 	/* reset state */
- 	auth2_challenge_stop(ssh);
-