From nobody Wed May 25 13:34:26 2022 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2C6441B45705; Wed, 25 May 2022 13:34:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4L7X9H0jPGz3Pmc; Wed, 25 May 2022 13:34:27 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1653485667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mBoS5GG8LgeZ+BbcGQ8jf+fkphc77ZkvqJh4PHpsJTA=; b=soyELlIwwdXBs8OxodcoJrzzFReZu9re3VTOeer5tmwCuXivHDemt1KRkTzbTx9G2+L8ha sMn6dK29jcWTAbiCmcjwYIgIZnFAWMtB02Yj4MsCpbzMZDIV0KIfsCpHD6HTY8Q7RY4Euo VwUCeSklhitnNOiFfo9cw7zjjoi7aQJ/2Ps/VlREkS0yKScsX3+M2EwU5Bp33n/FhHN+eZ Q/nCBpJiMnBiGWAPtDRhBB0AzGc8Wq+eQYJLfpmJZmdF2vbta0RUP+yRW7bYtcgSwqARIZ CxgxDJk1P/rGxBQbO+8NsMwLbMp1a12Tw5P+tBoS39JQs8MicOUhEGWpy4m+8Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EC2D819D65; Wed, 25 May 2022 13:34:26 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 24PDYQ5E083850; Wed, 25 May 2022 13:34:26 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 24PDYQh5083849; Wed, 25 May 2022 13:34:26 GMT (envelope-from git) Date: Wed, 25 May 2022 13:34:26 GMT Message-Id: <202205251334.24PDYQh5083849@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Bryan Drewery Subject: git: 272dd07a309c - main - security/openssh-portable: Fix some capsicum issues List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bdrewery X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 272dd07a309c086a4bc97dc015ef7faf4fbf89ca Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1653485667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mBoS5GG8LgeZ+BbcGQ8jf+fkphc77ZkvqJh4PHpsJTA=; b=g8Vv91pQL6hDVZoIA0o/Qxc8Fg0OjyvQFIOGpnKMae+rBYrhVG8dlhnDhwbdVdUgnLQQRF OGwQlZWywP7mjIt4zPHGwLR1+steQPjmC/wdqxoqAnKhrhIozpuwk8VH6W6sQ6XTVszabq l1ROjGExVWnyD4e49oJIjtTeWZv1vDc/1yo+dy0aPkqdeoI/+7HHQvyjv8xUR05WkYNmbB OSHrQhdE3TdgmMgJ+Nir1nQxmiwnrRjbRbTuEekfJdus7hvpFFUAu31CGAw8Jw2sGGXhth rWjcWUogc5upbAdiD8jhh+QRUf9XQE2S/MO+xu6AjSYaOoYe9Fo9reFx5hDWjw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1653485667; a=rsa-sha256; cv=none; b=i0LDa5yVikZc9EKvPsOckHBNfrG2SdeQ8HLgDd1XdULtxr3emQ8JbnXHGz58JbllxL41jw Pu771IARL4d3dD5Ps64aU23IkDcIk8DTtsZc78j0Pd0WysZrV6OrjIVk222/DvuFW4oAFa kIttihjwuPeU9zPNugofZkhZ72JhjHBYvxMSUpiTZ1DVPOspmbOVn0d0aDvGy6vafNolGJ ePHohTT6zMK8Om9WlY7/jImwMzfeGV36E3x9qRB0/GuuFlcxCHC6YkM1oWjtaZEsZ8U+9l 9Nlv6s52dAJTyMf0rjuRN4LEazP+CZK36r0vOscSHE0UFtvybW/CPs/sPDTZ8Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by bdrewery: URL: https://cgit.FreeBSD.org/ports/commit/?id=272dd07a309c086a4bc97dc015ef7faf4fbf89ca commit 272dd07a309c086a4bc97dc015ef7faf4fbf89ca Author: Bryan Drewery AuthorDate: 2022-05-24 23:08:14 +0000 Commit: Bryan Drewery CommitDate: 2022-05-25 13:34:24 +0000 security/openssh-portable: Fix some capsicum issues - Brings in latest changes from base. See patches for details. - Version 9.0 is being worked on but I wanted to fix this issue before proceeding with bigger changes. PR: 263753 --- security/openssh-portable/Makefile | 2 +- .../files/patch-FreeBSD-caph_cache_tzdata | 43 ++++++++++++++ .../openssh-portable/files/patch-FreeBSD-logincap | 69 ++++++++++++++++++++++ security/openssh-portable/files/patch-auth2.c | 47 --------------- 4 files changed, 113 insertions(+), 48 deletions(-) diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 75f4d206e817..f55a7bd0c630 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -2,7 +2,7 @@ PORTNAME= openssh DISTVERSION= 8.9p1 -PORTREVISION= 3 +PORTREVISION= 4 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata new file mode 100644 index 000000000000..bf3889265b77 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata @@ -0,0 +1,43 @@ +commit fc3c19a9fceeea48a9259ac3833a125804342c0e +Author: Ed Maste +Date: Sat Oct 6 21:32:55 2018 +0000 + + sshd: address capsicum issues + + * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in + capability mode. + * Cache timezone data via caph_cache_tzdata() as we cannot access the + timezone file. + * Reverse resolve hostname before entering capability mode. + + PR: 231172 + Submitted by: naito.yuichiro@gmail.com + Reviewed by: cem, des + Approved by: re (rgrimes) + MFC after: 3 weeks + Differential Revision: https://reviews.freebsd.org/D17128 + +Notes: + svn path=/head/; revision=339216 + +diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c +index 5f41d526292b..f728abd18250 100644 +--- sandbox-capsicum.c ++++ sandbox-capsicum.c +@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$"); + #include + #include + #include ++#include + + #include "log.h" + #include "monitor.h" +@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box) + struct rlimit rl_zero; + cap_rights_t rights; + ++ caph_cache_tzdata(); ++ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap new file mode 100644 index 000000000000..78d772e8a024 --- /dev/null +++ b/security/openssh-portable/files/patch-FreeBSD-logincap @@ -0,0 +1,69 @@ +(pulled from the PR) + +commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8 +Author: Ed Maste +Date: Tue Aug 31 15:30:50 2021 -0400 + + openssh: simplify login class restrictions + + Login class-based restrictions were introduced in 5b400a39b8ad. The + code was adapted for sshd's Capsicum sandbox and received many changes + over time, including at least fc3c19a9fcee, bd393de91cc3, and + e8c56fba2926. + + During an attempt to upstream the work a much simpler approach was + suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with + future updates. + + Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) + Obtained from: https://github.com/openssh/openssh-portable/pull/262 + Reviewed by: allanjude, kevans + MFC after: 2 weeks + Differential Revision: https://reviews.freebsd.org/D31760 + + +--- auth.c ++++ auth.c +@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user) + { + #ifdef HAVE_LOGIN_CAP + extern login_cap_t *lc; ++#ifdef HAVE_AUTH_HOSTOK ++ const char *from_host, *from_ip; ++#endif + #ifdef BSD_AUTH + auth_session_t *as; + #endif +@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user) + debug("unable to get login class: %s", user); + return (NULL); + } ++#ifdef HAVE_AUTH_HOSTOK ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ debug("Denied connection for %.200s from %.200s [%.200s].", ++ pw->pw_name, from_host, from_ip); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_HOSTOK */ ++#ifdef HAVE_AUTH_TIMEOK ++ if (!auth_timeok(lc, time(NULL))) { ++ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name); ++ return (NULL); ++ } ++#endif /* HAVE_AUTH_TIMEOK */ + #ifdef BSD_AUTH + if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 || + auth_approval(as, lc, pw->pw_name, "ssh") <= 0) { +--- configure.ac ++++ configure.ac +@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG]) + + dnl Checks for library functions. Please keep in alphabetical order + AC_CHECK_FUNCS([ \ ++ auth_hostok \ ++ auth_timeok \ + Blowfish_initstate \ + Blowfish_expandstate \ + Blowfish_expand0state \ diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c deleted file mode 100644 index 38d366aeaf71..000000000000 --- a/security/openssh-portable/files/patch-auth2.c +++ /dev/null @@ -1,47 +0,0 @@ ---- UTC -r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines -Changed paths: - M /head/crypto/openssh/auth2.c - -Apply class-imposed login restrictions. - ---- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 -+++ auth2.c 2020-11-16 13:55:25.222771000 -0800 -@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct - char *user = NULL, *service = NULL, *method = NULL, *style = NULL; - int r, authenticated = 0; - double tstart = monotime_double(); -+#ifdef HAVE_LOGIN_CAP -+ login_cap_t *lc; -+ const char *from_host, *from_ip; -+#endif - - if (authctxt == NULL) - fatal("input_userauth_request: no authctxt"); -@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct - "not allowed: (%s,%s) -> (%s,%s)", - authctxt->user, authctxt->service, user, service); - } -+ -+#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL && -+ (lc = login_getpwclass(authctxt->pw)) != NULL) { -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ ssh_packet_disconnect(ssh, "Logins not available right now."); -+ } -+ login_close(lc); -+ } -+#endif /* HAVE_LOGIN_CAP */ -+ - /* reset state */ - auth2_challenge_stop(ssh); -