git: 96dd1bc15cbb - main - security/openssh-portable: Include ssh[d]_config.d/*.conf

From: Bryan Drewery <bdrewery_at_FreeBSD.org>
Date: Mon, 11 Nov 2024 02:39:59 UTC
The branch main has been updated by bdrewery:

URL: https://cgit.FreeBSD.org/ports/commit/?id=96dd1bc15cbb8e743f761b19aaa8e88558c8d924

commit 96dd1bc15cbb8e743f761b19aaa8e88558c8d924
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2024-11-09 20:26:36 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2024-11-11 02:39:32 +0000

    security/openssh-portable: Include ssh[d]_config.d/*.conf
---
 security/openssh-portable/Makefile                  |  4 +++-
 security/openssh-portable/files/patch-ssh_config    | 11 +++++++++++
 security/openssh-portable/files/patch-sshd_config   | 15 +++++++--------
 security/openssh-portable/files/patch-sshd_config.5 |  8 +++++---
 security/openssh-portable/pkg-plist                 |  2 ++
 5 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 69edba17e8cc..676c1b750027 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	openssh
 DISTVERSION=	9.9p1
-PORTREVISION=	0
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -223,6 +223,8 @@ post-install:
 	    ${STAGEDIR}${ETCDIR}/ssh_config.sample
 	${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
 	    ${STAGEDIR}${ETCDIR}/sshd_config.sample
+	${MKDIR} ${STAGEDIR}${ETCDIR}/ssh_config.d \
+		 ${STAGEDIR}${ETCDIR}/sshd_config.d
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config
new file mode 100644
index 000000000000..ea5fafad4d30
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh_config
@@ -0,0 +1,11 @@
+--- ssh_config.orig	2024-09-19 15:20:48.000000000 -0700
++++ ssh_config	2024-11-09 12:23:47.263548000 -0800
+@@ -17,6 +17,8 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
++Include ssh_config.d/*.conf
++
+ # Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
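Review bot: The new `Include ssh_config.d/*.conf` line carries no comment explaining its placement, which matters because ssh keeps the first value obtained for each keyword, so a directive in a drop-in file overrides the same keyword set anywhere later in this file, including inside the `Host *` block below. A short comment above the directive would prevent users from wondering why a setting lower in ssh_config is being ignored, e.g. `# Drop-in files are read here, before the defaults below; the first value` / `# seen for a keyword wins, so settings in ssh_config.d/*.conf take precedence.` As I recall, a relative Include path in the system-wide file resolves under the system ssh configuration directory, so the drop-ins are expected in the port's ${ETCDIR}; the comment could say so to avoid confusion with /etc/ssh on systems that also have the base OpenSSH.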
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index c19496486f4f..7b6bc14977c7 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,19 +1,18 @@
-!!!
-!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
-!!!
---- sshd_config.orig	2022-02-11 18:49:55.062881000 +0000
-+++ sshd_config	2022-02-11 18:52:31.639435000 +0000
-@@ -10,6 +10,9 @@
+--- sshd_config.orig	2024-11-09 12:22:03.414050000 -0800
++++ sshd_config	2024-11-09 12:25:59.964286000 -0800
+@@ -10,6 +10,11 @@
  # possible, but leave them commented.  Uncommented options override the
  # default value.
  
 +# Note that some of FreeBSD's defaults differ from OpenBSD's, and
 +# FreeBSD has a few additional options.
++
++Include sshd_config.d/*.conf
 +
  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
-@@ -37,8 +40,7 @@
+@@ -37,8 +42,7 @@
  #PubkeyAuthentication yes
  
  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
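Review bot: The added `Include sshd_config.d/*.conf` is placed ahead of every default in this file but is not documented, and sshd uses the first value obtained for each keyword, so a drop-in silently wins over any keyword set later in sshd_config; a reader editing `#Port 22` or `PermitRootLogin` below would not see why their change has no effect. I would add, directly above the directive, `# Drop-in files are read here, before the defaults below; sshd keeps the first` / `# value it sees for a keyword, so sshd_config.d/*.conf overrides this file.` Because sshd runs as root and parses whatever matches the glob, the comment could also state that files in that directory should be owned by root and not group/world-writable; the ownership itself is set by the package, not here.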
@@ -23,7 +22,7 @@
  
  #AuthorizedPrincipalsFile none
  
-@@ -84,7 +86,7 @@
+@@ -84,7 +88,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
index 15d3ff7bf9d8..f5297c2a42c2 100644
--- a/security/openssh-portable/files/patch-sshd_config.5
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -11,7 +11,7 @@
  with successful public key client host authentication is allowed
  (host-based authentication).
  The default is
-@@ -1416,6 +1434,13 @@
+@@ -1416,6 +1434,15 @@
  .Cm ethernet .
  The default is
  .Cm no .
@@ -21,11 +21,13 @@
 +.Cm yes ,
 +the root user may be allowed in with its password even if
 +.Cm PermitRootLogin is set to
++.Cm prohibit-password
++or
 +.Cm without-password .
  .Pp
  Independent of this setting, the permissions of the selected
  .Xr tun 4
-@@ -1774,12 +1799,19 @@
+@@ -1774,12 +1801,19 @@
  .Xr sshd 8
  as a non-root user.
  The default is
@@ -46,7 +48,7 @@
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's
-@@ -1793,7 +1825,7 @@
+@@ -1793,7 +1827,7 @@
  or
  .Cm no .
  The default is
diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist
index 276fd4a7590d..09c4267cc7ca 100644
--- a/security/openssh-portable/pkg-plist
+++ b/security/openssh-portable/pkg-plist
@@ -8,6 +8,8 @@ bin/ssh-keyscan
 @sample %%ETCDIR%%/moduli.sample
 @sample %%ETCDIR%%/ssh_config.sample
 @sample %%ETCDIR%%/sshd_config.sample
+@dir %%ETCDIR%%/ssh_config.d
+@dir %%ETCDIR%%/sshd_config.d
 @postexec if [ -f %D/%%ETCDIR%%/ssh_host_ecdsa_key ] && grep -q DSA %D/%%ETCDIR%%/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/%%ETCDIR%%/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/%%ETCDIR%%/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
 sbin/sshd
 libexec/sftp-server
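Review bot: The two `@dir` entries leave owner, group and mode of `ssh_config.d` and `sshd_config.d` to pkg's defaults, yet every `*.conf` placed there is parsed by sshd running as root (and by ssh for all users), so it is worth pinning them explicitly rather than relying on the umask in effect when the package was staged: `@dir(root,wheel,0755) %%ETCDIR%%/ssh_config.d` and `@dir(root,wheel,0755) %%ETCDIR%%/sshd_config.d`. If I recall correctly, pkg removes an `@dir` directory on deinstall only when it is empty and otherwise warns, so administrator-provided drop-ins would survive a package removal; the commit message could mention that so the behaviour is not mistaken for a leftover.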