git: 402562e2559e - main - security/openssh-portable: Update to 9.8p1

From: Bryan Drewery <bdrewery_at_FreeBSD.org>
Date: Sun, 07 Jul 2024 15:37:21 UTC
The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=402562e2559e198c6660171dec58e7a25cc14ec2

commit 402562e2559e198c6660171dec58e7a25cc14ec2
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2024-07-06 17:03:16 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2024-07-07 15:37:03 +0000

    security/openssh-portable: Update to 9.8p1
    
    Changes: https://www.openssh.com/txt/release-9.8
---
 security/openssh-portable/Makefile                 |  6 +--
 security/openssh-portable/distinfo                 |  8 ++-
 security/openssh-portable/files/extra-patch-hpn    | 63 +++++++++++-----------
 .../openssh-portable/files/extra-patch-hpn-compat  |  8 +--
 .../openssh-portable/files/extra-patch-tcpwrappers | 25 ++++-----
 security/openssh-portable/files/patch-9.8-cves     | 56 -------------------
 security/openssh-portable/files/patch-servconf.c   | 25 ++++-----
 security/openssh-portable/files/patch-serverloop.c | 52 ------------------
 security/openssh-portable/files/patch-sshd.c       | 20 +++----
 .../openssh-portable/files/patch-sshd_config.5     | 24 ---------
 security/openssh-portable/pkg-plist                |  1 +
 11 files changed, 75 insertions(+), 213 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 9b1d44580f94..cdaad70b4195 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	openssh
-DISTVERSION=	9.7p1
-PORTREVISION=	2
+DISTVERSION=	9.8p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -102,7 +102,7 @@ PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
-#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
+BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 6d5d064d68be..53b8c023cdd9 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1710784635
-SHA256 (openssh-9.7p1.tar.gz) = 490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd
-SIZE (openssh-9.7p1.tar.gz) = 1848766
-SHA256 (openssh-9.7p1-gsskex-all-debian-rh-9.7p1.patch) = 30d9652a18851c0b7a80b8f07d70adc3a77267b656f784c9e89cb93171f22210
-SIZE (openssh-9.7p1-gsskex-all-debian-rh-9.7p1.patch) = 131397
+TIMESTAMP = 1719864470
+SHA256 (openssh-9.8p1.tar.gz) = dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3
+SIZE (openssh-9.8p1.tar.gz) = 1910393
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 56202ba8e1b3..bede23fdb4bf 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -905,9 +905,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  .It Fl r
  Recursively copy entire directories when uploading and downloading.
  Note that
---- work/openssh/ssh.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ work/openssh/ssh.c	2021-04-28 14:51:04.682167000 -0700
-@@ -1027,6 +1027,14 @@ main(int ac, char **av)
+--- work/openssh/ssh.c.orig	2024-06-30 21:36:28.000000000 -0700
++++ work/openssh/ssh.c	2024-07-01 13:58:31.555859000 -0700
+@@ -1070,6 +1070,14 @@ main(int ac, char **av)
  			break;
  		case 'T':
  			options.request_tty = REQUEST_TTY_NO;
@@ -922,7 +922,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  			break;
  		case 'o':
  			line = xstrdup(optarg);
-@@ -2056,6 +2064,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
+@@ -2159,6 +2167,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
  	    NULL, fileno(stdin), command, environ);
  }
  
@@ -1001,9 +1001,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  /* open new channel for a session */
  static int
  ssh_session2_open(struct ssh *ssh)
-@@ -2082,9 +2162,17 @@ ssh_session2_open(struct ssh *ssh)
- 	if (!isatty(err))
- 		set_nonblock(err);
+@@ -2177,9 +2257,17 @@ ssh_session2_open(struct ssh *ssh)
+ 	if (in == -1 || out == -1 || err == -1)
+ 		fatal("dup() in/out/err failed");
  
 +#ifdef HPN_ENABLED
 +	window = options.hpn_buffer_size;
@@ -1019,9 +1019,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		window >>= 1;
  		packetmax >>= 1;
  	}
-@@ -2093,6 +2181,12 @@ ssh_session2_open(struct ssh *ssh)
+@@ -2188,6 +2276,12 @@ ssh_session2_open(struct ssh *ssh)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
- 	    "client-session", /*nonblock*/0);
+ 	    "client-session", CHANNEL_NONBLOCK_STDIO);
  
 +#ifdef HPN_ENABLED
 +	if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
@@ -1032,9 +1032,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	debug3_f("channel_new: %d", c->self);
  
  	channel_send_open(ssh, c->self);
-@@ -2108,6 +2202,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
+@@ -2203,6 +2297,15 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_in
  {
- 	int r, id = -1;
+ 	int r, interactive, id = -1;
  	char *cp, *tun_fwd_ifname = NULL;
 +
 +#ifdef HPN_ENABLED
@@ -1170,9 +1170,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	if (ssh_packet_connection_is_on_socket(ssh)) {
  		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
  		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
---- work/openssh/sshd.c.orig	2021-09-08 10:00:01.411822000 -0700
-+++ work/openssh/sshd.c	2021-09-08 10:03:02.820813000 -0700
-@@ -1042,6 +1042,10 @@ listen_on_addrs(struct listenaddr *la)
+--- work/openssh/sshd.c.orig	2024-06-30 21:36:28.000000000 -0700
++++ work/openssh/sshd.c	2024-07-01 14:03:40.471948000 -0700
+@@ -742,6 +742,10 @@ listen_on_addrs(struct listenaddr *la)
  	int ret, listen_sock;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1183,21 +1183,21 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  
  	for (ai = la->addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1087,6 +1091,13 @@ listen_on_addrs(struct listenaddr *la)
+@@ -786,6 +790,13 @@ listen_on_addrs(struct listenaddr *la)
+ 			sock_set_v6only(listen_sock);
  
  		debug("Bind to port %s on %s.", strport, ntop);
- 
++
 +#ifdef HPN_ENABLED
 +		getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
 +				   &socksize, &socksizelen);
 +		debug("Server TCP RWIN socket size: %d", socksize);
 +		debug("HPN Buffer Size: %d", options.hpn_buffer_size);
 +#endif
-+
+ 
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- 			error("Bind to port %s on %s failed: %.200s.",
-@@ -1760,6 +1771,15 @@ main(int ac, char **av)
+@@ -1409,6 +1420,15 @@ main(int ac, char **av)
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
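Review bot: The `getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen)` call kept on the new side of this hunk never checks its return value, so when it fails the following `debug("Server TCP RWIN socket size: %d", socksize)` reports whatever `socksize` held beforehand; the declaration of `socksize` is in an earlier hunk and not visible here, so it may well be uninitialized at that point. A one-line guard keeps the log honest: `if (getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen) == -1) error("getsockopt SO_RCVBUF: %.100s", strerror(errno)); else debug("Server TCP RWIN socket size: %d", socksize);` (sshd.c already uses `strerror(errno)` in the madvise hunk of patch-sshd.c). `listen_on_addrs` starts and ends outside this hunk.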
@@ -1213,9 +1213,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	/* Check that options are sensible */
  	if (options.authorized_keys_command_user == NULL &&
  	    (options.authorized_keys_command != NULL &&
-@@ -2216,6 +2236,11 @@ main(int ac, char **av)
- 	    rdomain == NULL ? "" : "\"");
- 	free(laddr);
+@@ -1742,6 +1762,11 @@ main(int ac, char **av)
+ 	/* This is the child processing a new connection. */
+ 	setproctitle("%s", "[accepted]");
  
 +#ifdef HPN_ENABLED
 +	/* set the HPN options for the child */
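Review bot: The HPN block inserted after `setproctitle("%s", "[accepted]")` runs in sshd.c's per-connection child, but in 9.8p1 that child hands the connection to the separate sshd-session program (this same patch file now targets `sshd-session.c` further down, and pkg-plist gains `libexec/sshd-session`); if the block configures in-process state rather than something the parent serializes to sshd-session, it will have no effect on the process that actually runs the session and needs a counterpart in sshd-session.c's `main`. The body of the block lies between this hunk and the `#endif` in the next one, so the exact call is not visible here and this should be confirmed against what the inner hunk adds. `main` in sshd.c starts and ends outside this hunk.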
@@ -1223,9 +1223,11 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 +#endif
 +
  	/*
- 	 * We don't want to listen forever unless the other side
- 	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2229,7 +2254,7 @@ main(int ac, char **av)
+ 	 * Create a new session and process group since the 4.4BSD
+ 	 * setlogin() affects the entire process group.  We don't
+--- work.clean/openssh-9.8p1/sshd-session.c.orig	2024-07-01 13:54:25.745441000 -0700
++++ work/openssh-9.8p1/sshd-session.c	2024-07-01 13:54:57.335695000 -0700
+@@ -1305,7 +1305,7 @@ main(int ac, char **av)
  		alarm(options.login_grace_time);
  
  	if ((r = kex_exchange_identification(ssh, -1,
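Review bot: The new inner header pair `--- work.clean/openssh-9.8p1/sshd-session.c.orig` / `+++ work/openssh-9.8p1/sshd-session.c` uses a different, version-bearing prefix from the `work/openssh/sshd.c` pair earlier in the same patch file, so it relies on the patch tool resolving the basename rather than the path and will need editing at the next version bump. Writing it as `--- sshd-session.c.orig` / `+++ sshd-session.c`, the form extra-patch-hpn-compat uses for `servconf.c`, avoids both. A header of the same shape is already present on the old `work.clean/openssh-6.8p1/sshd_config` lines at the end of this file, so this presumably applies today; the point is consistency and maintainability. The patched `main` continues outside the hunk.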
@@ -1234,18 +1236,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  		sshpkt_fatal(ssh, r, "banner exchange");
  
  	ssh_packet_set_nonblocking(ssh);
-@@ -2392,6 +2417,11 @@ do_ssh2_kex(struct ssh *ssh)
- 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
+@@ -1444,6 +1444,10 @@ do_ssh2_kex(struct ssh *ssh)
  	struct kex *kex;
  	int r;
-+
+ 
 +#ifdef NONE_CIPHER_ENABLED
 +        if (options.none_enabled == 1)
 +                debug ("WARNING: None cipher enabled");
 +#endif
- 
- 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
- 	    options.kex_algorithms);
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
+ 		    options.rekey_interval);
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
 @@ -111,6 +111,20 @@ AuthorizedKeysFile	.ssh/authorized_keys
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index b3a5e0973609..2460c27491fa 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
  
  	{ NULL, oBadOption }
  };
---- servconf.c.orig	2023-12-19 17:11:52.320491000 -0800
-+++ servconf.c	2023-12-19 17:12:43.950318000 -0800
-@@ -693,6 +693,10 @@
- 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+--- servconf.c.orig	2024-06-30 21:36:28.000000000 -0700
++++ servconf.c	2024-07-01 13:29:27.091708000 -0700
+@@ -739,6 +739,10 @@ static struct {
  	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
  	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
+ 	{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index ba7d2834a16a..5d9e8aced144 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -33,19 +33,11 @@ index 289e13d..e6a900b 100644
  .Xr login.conf 5 ,
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
-diff --git sshd.c sshd.c
-index 0ade557..045f149 100644
---- sshd.c.orig	2018-04-04 15:34:54.865684000 -0700
-+++ sshd.c	2018-04-04 15:40:20.964130000 -0700
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */
-+/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -131,6 +131,13 @@
- #include "version.h"
- #include "ssherr.h"
+--- sshd-session.c.orig	2024-07-01 13:26:10.677919000 -0700
++++ sshd-session.c	2024-07-01 13:26:58.873906000 -0700
+@@ -110,6 +110,13 @@
+ #include "srclimit.h"
+ #include "dh.h"
  
 +#ifdef LIBWRAP
 +#include <tcpd.h>
@@ -57,7 +49,7 @@ index 0ade557..045f149 100644
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-@@ -2072,6 +2079,25 @@ main(int ac, char **av)
+@@ -1256,7 +1263,26 @@ main(int ac, char **av)
  #endif
  
  	rdomain = ssh_packet_rdomain_in(ssh);
@@ -68,7 +60,7 @@ index 0ade557..045f149 100644
 +	/* Check whether logins are denied from this host. */
 +	if (ssh_packet_connection_is_on_socket(ssh)) {
 +		struct request_info req;
-+
+ 
 +		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
 +		fromhost(&req);
 +
@@ -80,9 +72,10 @@ index 0ade557..045f149 100644
 +		}
 +	}
 +#endif /* LIBWRAP */
- 
++
  	/* Log the connection. */
  	laddr = get_local_ipaddr(sock_in);
+ 	verbose("Connection from %s port %d on %s port %d%s%s%s",
 --- configure.ac.orig	2022-02-23 03:31:11.000000000 -0800
 +++ configure.ac	2022-03-02 12:47:49.958341000 -0800
 @@ -1599,6 +1599,62 @@ else
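Review bot: Moving the libwrap check into sshd-session.c changes which `hosts.allow`/`hosts.deny` daemon name it is matched under: `request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);` still uses `__progname`, and if sshd-session derives that from its own argv[0] the way sshd does, existing rules written for `sshd` would silently stop matching after this update and only rules for `sshd-session` would apply. If the intent is to preserve the established rule name, pass it explicitly, `request_init(&req, RQ_DAEMON, "sshd", RQ_FILE, sock_in, 0);`, and either way the change in the effective daemon name deserves a note for users of the TCPWRAPPERS option. `main` in sshd-session.c starts and ends outside this hunk.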
diff --git a/security/openssh-portable/files/patch-9.8-cves b/security/openssh-portable/files/patch-9.8-cves
deleted file mode 100644
index 2e47d586edcd..000000000000
--- a/security/openssh-portable/files/patch-9.8-cves
+++ /dev/null
@@ -1,56 +0,0 @@
-https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
-
-Damien Miller djm at mindrot.org
-Mon Jul 1 18:21:11 AEST 2024
-Previous message (by thread): Announce: OpenSSH 9.8 released
-Next message (by thread): Announce: OpenSSH 9.8 released
-Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-Hi,
-
-Regarding the race condition fixed in OpenSSH 9.8. A mitigation to
-prevent exploitation of this bug is to disable the login grace timer
-by setting LoginGraceTime=0 in sshd_config. This will however make
-it much easier for an attacker to deny service to sshd.
-
-Similarly, the much more minor keystroke timing bug can be avoided
-by disabling the feature using ObscureKeystrokeTiming=0.
-
-Some users will understandably prefer to patch their OpenSSH rather
-than upgrade to the newest version, so here are minimal patches for
-both problems.
-
-1) Critical race condition in sshd
-
-2) Minor logic error in ObscureKeystrokeTiming
-
---- log.c.orig	2024-07-02 09:05:35.023051000 -0700
-+++ log.c	2024-07-02 09:05:54.881067000 -0700
-@@ -451,12 +451,14 @@ sshsigdie(const char *file, const char *func, int line
- sshsigdie(const char *file, const char *func, int line, int showfunc,
-     LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
- 	va_list args;
- 
- 	va_start(args, fmt);
- 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
- 	    suffix, fmt, args);
- 	va_end(args);
-+#endif
- 	_exit(1);
- }
- 
---- clientloop.c.orig	2024-07-02 09:06:09.736347000 -0700
-+++ clientloop.c	2024-07-02 09:06:41.414979000 -0700
-@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct tim
- 		if (timespeccmp(&now, &chaff_until, >=)) {
- 			/* Stop if there have been no keystrokes for a while */
- 			stop_reason = "chaff time expired";
--		} else if (timespeccmp(&now, &next_interval, >=)) {
--			/* Otherwise if we were due to send, then send chaff */
-+		} else if (timespeccmp(&now, &next_interval, >=) &&
-+		    !ssh_packet_have_data_to_write(ssh)) {
-+			/* If due to send but have no data, then send chaff */
- 			if (send_chaff(ssh))
- 				nchaff++;
- 		}
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index 5a7e9b9f30fc..33ead18621bb 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -6,29 +6,30 @@ Changed paths:
 
 Apply FreeBSD's configuration defaults.
 
---- servconf.c.orig	2018-06-27 17:18:19.513676000 -0700
-+++ servconf.c	2018-06-27 17:19:38.133882000 -0700
-@@ -41,6 +41,7 @@
- #include <util.h>
+--- servconf.c.orig	2024-07-01 13:30:30.284417000 -0700
++++ servconf.c	2024-07-01 13:31:20.040132000 -0700
+@@ -46,6 +46,7 @@
+ # include "openbsd-compat/glob.h"
  #endif
  
 +#include "version.h"
  #include "openbsd-compat/sys-queue.h"
  #include "xmalloc.h"
  #include "ssh.h"
-@@ -251,7 +252,11 @@ fill_default_server_options(ServerOptions *options)
+@@ -295,7 +296,11 @@ fill_default_server_options(ServerOptions *options)
  
  	/* Portable-specific options */
  	if (options->use_pam == -1)
+-		options->use_pam = 0;
 +#ifdef USE_PAM
 +		options->use_pam = 1;
 +#else
- 		options->use_pam = 0;
++ 		options->use_pam = 0;
 +#endif
+ 	if (options->pam_service_name == NULL)
+ 		options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
  
- 	/* Standard Options */
- 	if (options->num_host_key_files == 0) {
-@@ -291,7 +296,7 @@ fill_default_server_options(ServerOptions *options)
+@@ -339,7 +344,7 @@ fill_default_server_options(ServerOptions *options)
  	if (options->print_lastlog == -1)
  		options->print_lastlog = 1;
  	if (options->x11_forwarding == -1)
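Review bot: The line `++ 		options->use_pam = 0;` re-adds the `#else` branch with a space in front of the tabs, so the patched servconf.c ends up with that line indented as ` \t\t…` instead of `\t\t…`; it looks like the inner context marker was carried into the content when the line was turned from context into a remove/re-add pair. The pair is not needed: keeping the line as inner context ` \t\toptions->use_pam = 0;` as before (and dropping the `+-\t\toptions->use_pam = 0;` line above it) produces the same patched result with the original indentation and the same `+296,11` count. The `fill_default_server_options` hunk continues outside this one.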
@@ -37,7 +38,7 @@ Apply FreeBSD's configuration defaults.
  	if (options->x11_display_offset == -1)
  		options->x11_display_offset = 10;
  	if (options->x11_use_localhost == -1)
-@@ -331,7 +336,11 @@ fill_default_server_options(ServerOptions *options)
+@@ -381,7 +386,11 @@ fill_default_server_options(ServerOptions *options)
  	if (options->gss_strict_acceptor == -1)
  		options->gss_strict_acceptor = 1;
  	if (options->password_authentication == -1)
@@ -47,5 +48,5 @@ Apply FreeBSD's configuration defaults.
  		options->password_authentication = 1;
 +#endif
  	if (options->kbd_interactive_authentication == -1)
- 		options->kbd_interactive_authentication = 0;
- 	if (options->challenge_response_authentication == -1)
+ 		options->kbd_interactive_authentication = 1;
+ 	if (options->permit_empty_passwd == -1)
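Review bot: The new side of this hunk still makes the `password_authentication` default conditional (the `+#endif` above closes a block around it, presumably `USE_PAM` as for `use_pam` in the previous hunk), yet the same commit drops the sshd_config.5 hunk that documented the PAM-dependent default of `PasswordAuthentication` (the deleted lines in patch-sshd_config.5). Unless upstream's 9.8 manual now describes that behaviour, the installed manpage will state a default the port does not use; re-adding the manpage note against the 9.8 sshd_config.5, or at least a comment here such as `/* FreeBSD: PasswordAuthentication defaults to no when built with PAM; keep sshd_config.5 in sync */`, would keep code and documentation aligned. `fill_default_server_options` starts and ends outside this hunk.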
diff --git a/security/openssh-portable/files/patch-serverloop.c b/security/openssh-portable/files/patch-serverloop.c
deleted file mode 100644
index 94a4609d712f..000000000000
--- a/security/openssh-portable/files/patch-serverloop.c
+++ /dev/null
@@ -1,52 +0,0 @@
-------------------------------------------------------------------------
-r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines
-Changed paths:
-   M /head/crypto/openssh/readconf.c
-
-Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
-Submitted upstream, no reaction.
-
-Submitted by:   delphij
-[rewritten for 7.4 by bdrewery]
-[base removed this in 7.8 but it is still useful - bdrewery]
-
---- serverloop.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ serverloop.c	2020-11-16 12:58:44.823775000 -0800
-@@ -56,6 +56,8 @@
- #include <unistd.h>
- #include <stdarg.h>
- 
-+#include <sys/sysctl.h>
-+
- #include "openbsd-compat/sys-queue.h"
- #include "xmalloc.h"
- #include "packet.h"
-@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *);
- /* requested tunnel forwarding interface(s), shared with session.c */
- char *tun_fwd_ifnames = NULL;
- 
-+static int
-+ipport_reserved(void)
-+{
-+#ifdef __FreeBSD__
-+	int old;
-+	size_t len = sizeof(old);
-+
-+	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
-+	    &old, &len, NULL, 0) == 0)
-+		return (old + 1);
-+#endif
-+	return (IPPORT_RESERVED);
-+}
-+
- /* returns 1 if bind to specified port by specified user is permitted */
- static int
- bind_permitted(int port, uid_t uid)
- {
- 	if (use_privsep)
- 		return 1; /* allow system to decide */
--	if (port < IPPORT_RESERVED && uid != 0)
-+	if (port < ipport_reserved() && uid != 0)
- 		return 0;
- 	return 1;
- }
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 6374e22bbacc..6d522d520e90 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -33,9 +33,9 @@ of short-living parent. Only mark the master process that accepts
 connections, do not protect connection handlers spawned from inetd.
 
 
---- sshd.c.orig	2021-04-27 11:49:55.540744000 -0700
-+++ sshd.c	2021-04-27 11:50:20.239225000 -0700
-@@ -46,6 +46,7 @@
+--- sshd.c.orig	2024-06-30 21:36:28.000000000 -0700
++++ sshd.c	2024-07-01 13:44:05.739756000 -0700
+@@ -28,6 +28,7 @@
  
  #include <sys/types.h>
  #include <sys/ioctl.h>
@@ -43,7 +43,7 @@ connections, do not protect connection handlers spawned from inetd.
  #include <sys/socket.h>
  #ifdef HAVE_SYS_STAT_H
  # include <sys/stat.h>
-@@ -85,6 +86,13 @@
+@@ -69,6 +70,13 @@
  #include <prot.h>
  #endif
  
@@ -56,8 +56,8 @@ connections, do not protect connection handlers spawned from inetd.
 +
  #include "xmalloc.h"
  #include "ssh.h"
- #include "ssh2.h"
-@@ -2007,7 +2015,30 @@ main(int ac, char **av)
+ #include "sshpty.h"
+@@ -1671,7 +1679,30 @@ main(int ac, char **av)
  	for (i = 0; i < options.num_log_verbose; i++)
  		log_verbose_add(options.log_verbose[i]);
  
@@ -88,14 +88,14 @@ connections, do not protect connection handlers spawned from inetd.
  	 * If not in debugging mode, not started from inetd and not already
  	 * daemonized (eg re-exec via SIGHUP), disconnect from the controlling
  	 * terminal, and fork.  The original process exits.
-@@ -2022,6 +2053,10 @@ main(int ac, char **av)
- 	}
+@@ -1687,6 +1718,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+
+ 
 + 	/* Avoid killing the process in high-pressure swapping environments. */
 + 	if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
 + 		debug("madvise(): %.200s", strerror(errno));
- 
++
  	/*
  	 * Chdir to the root directory so that the current disk can be
+ 	 * unmounted if desired.
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 2936c7cdca1a..15d3ff7bf9d8 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -11,30 +11,6 @@
  with successful public key client host authentication is allowed
  (host-based authentication).
  The default is
-@@ -1277,7 +1279,23 @@
- .It Cm PasswordAuthentication
- Specifies whether password authentication is allowed.
- The default is
-+.Cm no ,
-+unless
-+.Nm sshd
-+was built without PAM support, in which case the default is
- .Cm yes .
-+.Pp
-+Note that if
-+.Cm ChallengeResponseAuthentication
-+is
-+.Cm yes ,
-+and the PAM authentication policy for
-+.Nm sshd
-+includes
-+.Xr pam_unix 8 ,
-+password authentication will be allowed through the challenge-response
-+mechanism regardless of the value of
-+.Cm PasswordAuthentication .
- .It Cm PermitEmptyPasswords
- When password authentication is allowed, it specifies whether the
- server allows login to accounts with empty password strings.
 @@ -1416,6 +1434,13 @@
  .Cm ethernet .
  The default is
diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist
index 991d1f830bbe..276fd4a7590d 100644
--- a/security/openssh-portable/pkg-plist
+++ b/security/openssh-portable/pkg-plist
@@ -14,6 +14,7 @@ libexec/sftp-server
 libexec/ssh-keysign
 libexec/ssh-pkcs11-helper
 libexec/ssh-sk-helper
+libexec/sshd-session
 share/man/man1/sftp.1.gz
 share/man/man1/ssh-add.1.gz
 share/man/man1/ssh-agent.1.gz