ports/142824: [patch] security/openssh-portable: add VersionAddendum support
Scot Hetzel
swhetzel at gmail.com
Thu Jan 14 10:10:01 UTC 2010
>Number: 142824
>Category: ports
>Synopsis: [patch] security/openssh-portable: add VersionAddendum support
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 14 10:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Scot Hetzel
>Release: 8.0-Stable
>Organization:
>Environment:
FreeBSD dv8t01 8.0-STABLE FreeBSD 8.0-STABLE #10 r201599M: Tue Jan 5 14:29:56 CST 2010 swhetzel at dv8t01:/usr/obj/usr/src/8-stable/sys/GENERIC amd64
>Description:
The attached patch adds the VersionAddendum option to the openssh-portable port. This allows the version string to be customized to include OS- and/or site-specific information.
The patch sets the VersionAddendum to FreeBSD-${PKGNAME} by default.
This patch was derived from the change made to the OpenSSH sources in FreeBSD, and reworked so that it does not conflict with the patches supplied by the openssh-portable port.
Note: The files/VersionAddendum* files were needed as they conflict with the X509 patch.
>How-To-Repeat:
>Fix:
Changed files:
M Makefile
M files/openssh-5.2p1-hpn13v6.diff
M files/patch-Makefile.in
M files/patch-readconf.c
M files/patch-servconf.c
M files/patch-ssh_config
M files/patch-sshd_config
New Files:
A files/VersionAddendum-ssh.1.patch
A files/VersionAddendum-ssh_config.5.patch
A files/VersionAddendum-sshd_config.5.patch
A files/patch-version.c
A files/patch-version.h
Patch attached with submission follows:
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/Makefile,v
retrieving revision 1.144
diff -u -r1.144 Makefile
--- Makefile 16 Dec 2009 16:43:21 -0000 1.144
+++ Makefile 14 Jan 2010 09:28:42 -0000
@@ -48,6 +48,7 @@
ssh_host_dsa_key.pub
ETCOLD= ${PREFIX}/etc
PORTABLE_SUFFIX= -portable
+SSH_VERSION= ${DISTVERSION}
SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
@@ -148,6 +149,7 @@
.if defined(WITH_HPN)
EXTRA_PATCHES+= ${FILESDIR}/openssh-5.2p1-hpn13v6.diff
+SSH_VERSION:= ${SSH_VERSION}-hpn13v6
.endif
# See http://dev.inversepath.com/trac/openssh-lpk
@@ -180,6 +182,9 @@
PATCHFILES+= openssh-5.2p1+x509-6.2.diff.gz
PLIST_SUB+= X509=""
.else
+EXTRA_PATCHES+= ${FILESDIR}/VersionAddendum-ssh.1.patch \
+ ${FILESDIR}/VersionAddendum-ssh_config.5.patch \
+ ${FILESDIR}/VersionAddendum-sshd_config.5.patch
PLIST_SUB+= X509="@comment "
.endif
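Review bot: Nothing at this `.else` says why the three VersionAddendum man-page patches are applied only when X509 is disabled, so a reader has to go back to the PR text to learn that they conflict with the X509 diff. As far as this page shows, files/patch-readconf.c and files/patch-servconf.c are applied unconditionally, so with X509 enabled the option is compiled in but ssh.1, ssh_config.5 and sshd_config.5 will not mention it. I would add a comment above the added lines, e.g. `# VersionAddendum man page hunks conflict with the X509 diff; applied only without it`. The enclosing `.if` starts outside the hunk.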
@@ -227,18 +232,11 @@
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
- @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
- -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
- @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \
- ${WRKSRC}/version.h
- @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
- ${WRKSRC}/version.h
- @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
- ${WRKSRC}/version.h
-.if defined(WITH_HPN)
- @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \
- ${WRKSRC}/version.h
-.endif
+.for f in ssh_config ssh_config.5 sshd_config sshd_config.5
+ @${REINPLACE_CMD} -e 's|%%ADDENDUM%%|${PKGNAME}|' ${WRKSRC}/${f}
+.endfor
+ @${REINPLACE_CMD} -e 's|%%SSH_VERSION%%|${SSH_VERSION}|' \
+ -e 's|%%ADDENDUM%%|${PKGNAME}|' ${WRKSRC}/version.h
pre-su-install:
@${MKDIR} ${EMPTYDIR}
Index: files/VersionAddendum-ssh.1.patch
===================================================================
RCS file: files/VersionAddendum-ssh.1.patch
diff -N files/VersionAddendum-ssh.1.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/VersionAddendum-ssh.1.patch 14 Jan 2010 08:57:09 -0000
@@ -0,0 +1,10 @@
+--- ssh.1.orig 2009-02-13 23:34:05.000000000 -0600
++++ ssh.1 2010-01-13 23:11:29.168549807 -0600
+@@ -507,6 +507,7 @@
+ .It User
+ .It UserKnownHostsFile
+ .It VerifyHostKeyDNS
++.It VersionAddendum
+ .It VisualHostKey
+ .It XAuthLocation
+ .El
Index: files/VersionAddendum-ssh_config.5.patch
===================================================================
RCS file: files/VersionAddendum-ssh_config.5.patch
diff -N files/VersionAddendum-ssh_config.5.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/VersionAddendum-ssh_config.5.patch 14 Jan 2010 09:15:13 -0000
@@ -0,0 +1,14 @@
+--- ssh_config.5.orig 2009-02-22 17:53:58.000000000 -0600
++++ ssh_config.5 2010-01-13 23:11:29.171550398 -0600
+@@ -1068,6 +1068,11 @@
+ .Sx VERIFYING HOST KEYS
+ in
+ .Xr ssh 1 .
++.It Cm VersionAddendum
++Specifies a string to append to the regular version string to identify
++OS- or site-specific modifications.
++The default is
++.Dq FreeBSD-%%ADDENDUM%% .
+ .It Cm VisualHostKey
+ If this flag is set to
+ .Dq yes ,
Index: files/VersionAddendum-sshd_config.5.patch
===================================================================
RCS file: files/VersionAddendum-sshd_config.5.patch
diff -N files/VersionAddendum-sshd_config.5.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/VersionAddendum-sshd_config.5.patch 14 Jan 2010 09:19:27 -0000
@@ -0,0 +1,14 @@
+--- sshd_config.5.orig 2009-02-22 18:00:24.000000000 -0600
++++ sshd_config.5 2010-01-13 23:11:29.175548602 -0600
+@@ -934,6 +965,11 @@
+ escalation by containing any corruption within the unprivileged processes.
+ The default is
+ .Dq yes .
++.It Cm VersionAddendum
++Specifies a string to append to the regular version string to identify
++OS- or site-specific modifications.
++The default is
++.Dq FreeBSD-%%ADDENDUM%% .
+ .It Cm X11DisplayOffset
+ Specifies the first display number available for
+ .Xr sshd 8 Ns 's
Index: files/openssh-5.2p1-hpn13v6.diff
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/files/openssh-5.2p1-hpn13v6.diff,v
retrieving revision 1.1
diff -u -r1.1 openssh-5.2p1-hpn13v6.diff
--- files/openssh-5.2p1-hpn13v6.diff 21 Jun 2009 20:36:15 -0000 1.1
+++ files/openssh-5.2p1-hpn13v6.diff 14 Jan 2010 06:49:46 -0000
@@ -3564,13 +3564,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff -NupwB version.h version.h
---- version.h 2009-02-22 19:09:26.000000000 -0500
-+++ version.h 2009-05-14 12:42:05.000000000 -0400
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_5.2"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn13v6"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
Index: files/patch-Makefile.in
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/files/patch-Makefile.in,v
retrieving revision 1.5
diff -u -r1.5 patch-Makefile.in
--- files/patch-Makefile.in 7 Feb 2006 20:07:54 -0000 1.5
+++ files/patch-Makefile.in 14 Jan 2010 07:43:44 -0000
@@ -1,6 +1,15 @@
---- Makefile.in.orig Fri Feb 25 18:12:38 2005
-+++ Makefile.in Sat Mar 19 19:53:44 2005
-@@ -230,7 +230,7 @@
+--- Makefile.in.orig 2008-11-04 23:20:46.000000000 -0600
++++ Makefile.in 2010-01-14 01:43:29.188757752 -0600
+@@ -62,7 +62,7 @@
+
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+
+-LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
++LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o version.o \
+ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
+ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
+ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
+@@ -232,7 +232,7 @@
-rm -rf autom4te.cache
(cd scard && $(MAKE) -f Makefile.in distprep)
Index: files/patch-readconf.c
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/files/patch-readconf.c,v
retrieving revision 1.1
diff -u -r1.1 patch-readconf.c
--- files/patch-readconf.c 1 Oct 2006 02:15:00 -0000 1.1
+++ files/patch-readconf.c 14 Jan 2010 07:34:01 -0000
@@ -1,5 +1,43 @@
---- readconf.c.orig Fri Sep 1 02:38:37 2006
-+++ readconf.c Sat Sep 30 10:38:05 2006
+--- readconf.c.orig 2009-02-13 23:28:21.000000000 -0600
++++ readconf.c 2010-01-14 01:33:17.913145559 -0600
+@@ -42,6 +42,7 @@
+ #include "buffer.h"
+ #include "kex.h"
+ #include "mac.h"
++#include "version.h"
+
+ /* Format of the configuration file:
+
+@@ -130,6 +131,7 @@
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
++ oVersionAddendum,
+ oVisualHostKey, oZeroKnowledgePasswordAuthentication,
+ oDeprecated, oUnsupported
+ } OpCodes;
+@@ -235,6 +237,7 @@
+ { "zeroknowledgepasswordauthentication", oUnsupported },
+ #endif
+
++ { "versionaddendum", oVersionAddendum },
+ { NULL, oBadOption }
+ };
+
+@@ -914,6 +917,13 @@
+ intptr = &options->visual_host_key;
+ goto parse_flag;
+
++ case oVersionAddendum:
++ ssh_version_set_addendum(strtok(s, "\n"));
++ do {
++ arg = strdelim(&s);
++ } while (arg != NULL && *arg != '\0');
++ break;
++
+ case oDeprecated:
+ debug("%s line %d: Deprecated option \"%s\"",
+ filename, linenum, keyword);
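Review bot: In the added `case oVersionAddendum:` the remainder pointer `s` goes straight into `strtok()`, so a `VersionAddendum` line with no argument may pass NULL. strdelim() is not on this page, but if it leaves `s` NULL once the keyword is the last token on the line, `strtok(NULL, "\n")` resumes from whatever buffer an earlier strtok() call saved (possibly stale), or has no saved string at all on the first call. A guard keeps the empty form well defined: `ssh_version_set_addendum(s != NULL ? strtok(s, "\n") : NULL);`. The same pattern is added with `cp` in `case sVersionAddendum:` in files/patch-servconf.c. The enclosing switch starts and ends outside the hunk.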
@@ -1112,7 +1122,7 @@
if (options->batch_mode == -1)
options->batch_mode = 0;
Index: files/patch-servconf.c
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/files/patch-servconf.c,v
retrieving revision 1.1
diff -u -r1.1 patch-servconf.c
--- files/patch-servconf.c 1 Oct 2006 02:15:00 -0000 1.1
+++ files/patch-servconf.c 14 Jan 2010 08:10:55 -0000
@@ -1,6 +1,6 @@
---- servconf.c.orig Fri Aug 18 11:23:15 2006
-+++ servconf.c Sat Sep 30 21:54:26 2006
-@@ -129,7 +129,7 @@
+--- servconf.c.orig 2009-01-27 23:31:23.000000000 -0600
++++ servconf.c 2010-01-14 02:10:46.036137657 -0600
+@@ -135,7 +135,7 @@
{
/* Portable-specific options */
if (options->use_pam == -1)
@@ -9,7 +9,7 @@
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -159,7 +159,7 @@
+@@ -165,7 +165,7 @@
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@@ -18,7 +18,7 @@
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
-@@ -169,7 +169,7 @@
+@@ -175,7 +175,7 @@
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -27,7 +27,7 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -207,7 +207,11 @@
+@@ -213,7 +213,11 @@
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
@@ -39,3 +39,33 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
+@@ -284,6 +288,7 @@
+ sUsePAM,
+ /* Standard Options */
+ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
++ sVersionAddendum,
+ sPermitRootLogin, sLogFacility, sLogLevel,
+ sRhostsRSAAuthentication, sRSAAuthentication,
+ sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+@@ -328,6 +333,7 @@
+ { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
+ /* Standard Options */
+ { "port", sPort, SSHCFG_GLOBAL },
++ { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+ { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
+ { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
+ { "pidfile", sPidFile, SSHCFG_GLOBAL },
+@@ -1294,6 +1300,13 @@
+ *charptr = xstrdup(arg);
+ break;
+
++ case sVersionAddendum:
++ ssh_version_set_addendum(strtok(cp, "\n"));
++ do {
++ arg = strdelim(&cp);
++ } while (arg != NULL && *arg != '\0');
++ break;
++
+ case sDeprecated:
+ logit("%s line %d: Deprecated option %s",
+ filename, linenum, arg);
Index: files/patch-ssh_config
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/files/patch-ssh_config,v
retrieving revision 1.1
diff -u -r1.1 patch-ssh_config
--- files/patch-ssh_config 1 Oct 2006 02:15:00 -0000 1.1
+++ files/patch-ssh_config 14 Jan 2010 06:35:46 -0000
@@ -1,6 +1,6 @@
---- ssh_config.orig Tue Jun 13 00:01:10 2006
-+++ ssh_config Sat Sep 30 10:39:07 2006
-@@ -27,7 +28,7 @@
+--- ssh_config.orig 2009-02-20 19:45:02.000000000 -0600
++++ ssh_config 2010-01-13 23:11:29.169549026 -0600
+@@ -27,7 +27,7 @@
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
@@ -9,3 +9,8 @@
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
+@@ -44,3 +44,4 @@
+ # TunnelDevice any:any
+ # PermitLocalCommand no
+ # VisualHostKey no
++# VersionAddendum FreeBSD-%%ADDENDUM%%
Index: files/patch-sshd_config
===================================================================
RCS file: /home/ncvs/ports/security/openssh-portable/files/patch-sshd_config,v
retrieving revision 1.6
diff -u -r1.6 patch-sshd_config
--- files/patch-sshd_config 24 Mar 2009 17:26:18 -0000 1.6
+++ files/patch-sshd_config 14 Jan 2010 06:37:04 -0000
@@ -1,6 +1,15 @@
---- sshd_config.orig 2008-07-02 20:35:43.000000000 +0800
-+++ sshd_config 2008-11-07 23:40:56.957018978 +0800
-@@ -38,7 +38,7 @@
+--- sshd_config.orig 2008-07-02 07:35:43.000000000 -0500
++++ sshd_config 2010-01-13 23:11:29.173548767 -0600
+@@ -10,6 +10,8 @@
+ # possible, but leave them commented. Uncommented options change a
+ # default value.
+
++#VersionAddendum FreeBSD-%%ADDENDUM%%
++
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+@@ -38,7 +40,7 @@
# Authentication:
#LoginGraceTime 2m
@@ -9,7 +18,7 @@
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-@@ -57,11 +57,11 @@
+@@ -57,11 +59,11 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -24,7 +33,7 @@
#ChallengeResponseAuthentication yes
# Kerberos options
-@@ -74,7 +74,7 @@
+@@ -74,7 +76,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
@@ -33,7 +42,7 @@
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
-@@ -83,12 +83,12 @@
+@@ -83,12 +85,12 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
Index: files/patch-version.c
===================================================================
RCS file: files/patch-version.c
diff -N files/patch-version.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-version.c 14 Jan 2010 09:32:43 -0000
@@ -0,0 +1,65 @@
+--- version.c.orig 1969-12-31 18:00:00.000000000 -0600
++++ version.c 2010-01-13 23:11:29.177550043 -0600
+@@ -0,0 +1,62 @@
++/*-
++ * Copyright (c) 2001 Brian Fundakowski Feldman
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ */
++
++#include "includes.h"
++__RCSID("$FreeBSD$");
++
++#include <string.h>
++
++#include "version.h"
++#include "xmalloc.h"
++
++
++static char *version = NULL;
++
++const char *
++ssh_version_get(void) {
++
++ if (version == NULL)
++ version = xstrdup(SSH_VERSION_BASE " " SSH_VERSION_ADDENDUM);
++ return (version);
++}
++
++void
++ssh_version_set_addendum(const char *add) {
++ char *newvers;
++ size_t size;
++
++ if (add != NULL) {
++ size = strlen(SSH_VERSION_BASE) + 1 + strlen(add) + 1;
++ newvers = xmalloc(size);
++ snprintf(newvers, size, "%s %s", SSH_VERSION_BASE, add);
++ } else {
++ newvers = xstrdup(SSH_VERSION_BASE);
++ }
++ if (version != NULL)
++ xfree(version);
++ version = newvers;
++}
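Review bot: `ssh_version_set_addendum()` copies the configured text into the version string with no check on its length or content, and the config parsers pass it everything up to the end of the line. If this string is what goes into the SSH identification line (the callers are not on this page), RFC 4253 section 4.2 caps that line at 255 characters including CR LF, and embedded control characters would corrupt it, so the check belongs here rather than in each caller. Whether to ignore a bad value, as sketched below, or fail through the parser's usual error path is a policy choice. Separately, this function frees the buffer that `ssh_version_get()` handed out earlier, which deserves a comment on the getter: `/* The returned pointer is invalidated by the next ssh_version_set_addendum() call; do not cache it. */`.

```c
/* Proposed cap (constructed value): keep the whole identification line within 255 bytes. */
#define SSH_ADDENDUM_MAX	100

void
ssh_version_set_addendum(const char *add) {
	char *newvers;
	size_t size, i;

	if (add != NULL) {
		/* Ignore an addendum that is too long or holds non-printable bytes. */
		if (strlen(add) > SSH_ADDENDUM_MAX)
			add = NULL;
		for (i = 0; add != NULL && add[i] != '\0'; i++)
			if (add[i] < 0x20 || add[i] > 0x7e)
				add = NULL;
	}
	/* … unchanged: build newvers from SSH_VERSION_BASE and add, free the old string, swap it in … */
}
```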
Index: files/patch-version.h
===================================================================
RCS file: files/patch-version.h
diff -N files/patch-version.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-version.h 14 Jan 2010 06:28:56 -0000
@@ -0,0 +1,19 @@
+--- version.h.orig 2009-02-22 18:09:26.000000000 -0600
++++ version.h 2010-01-14 00:09:24.057609101 -0600
+@@ -1,6 +1,12 @@
+-/* $OpenBSD: version.h,v 1.55 2009/02/23 00:06:15 djm Exp $ */
++/* $FreeBSD$ */
+
+-#define SSH_VERSION "OpenSSH_5.2"
++#ifndef SSH_VERSION
+
+-#define SSH_PORTABLE "p1"
+-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
++#define SSH_VERSION (ssh_version_get())
++#define SSH_RELEASE (ssh_version_get())
++#define SSH_VERSION_BASE "OpenSSH_%%SSH_VERSION%%"
++#define SSH_VERSION_ADDENDUM "FreeBSD-%%ADDENDUM%%"
++
++const char *ssh_version_get(void);
++void ssh_version_set_addendum(const char *);
++#endif /* SSH_VERSION */
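Review bot: `SSH_VERSION` and `SSH_RELEASE` stop being string literals here and become calls to `ssh_version_get()`, so any use that relies on literal concatenation (`"text " SSH_VERSION`) or on `sizeof` will no longer compile or will change meaning. Those call sites, including any added by the optional HPN, LPK or X509 patches, are not visible on this page and are worth a grep before commit. The `#ifndef SSH_VERSION` test also acts as the include guard, so a build that predefines `SSH_VERSION` silently loses the prototypes for `ssh_version_get()` and `ssh_version_set_addendum()`. I would either use a dedicated guard macro or add a comment such as `/* if SSH_VERSION is predefined, the addendum API below is not declared */`.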
>Release-Note:
>Audit-Trail:
>Unformatted: