svn commit: r381981 - in head: . security/openssh-portable security/openssh-portable/files
Bryan Drewery
bdrewery at FreeBSD.org
Mon Mar 23 04:23:11 UTC 2015
Author: bdrewery
Date: Mon Mar 23 04:23:08 2015
New Revision: 381981
URL: https://svnweb.freebsd.org/changeset/ports/381981
QAT: https://qat.redports.org/buildarchive/r381981/
Log:
Stop forcing the port version string into the server banner.
The port now uses VersionAddendum in the sshd_config to allow overriding
this value. Setting it to "none" disables the default, which is the port
version string. The default still shows the port version string so that
the port stays close to the base version.
Support for the client VersionAddendum may be added soon as well to better
match base and not give surprises when switching from base to the port.
PR: 193127
Requested by: many, including myself when this was broken years ago.
Modified:
head/UPDATING
head/security/openssh-portable/Makefile
head/security/openssh-portable/files/patch-servconf.c
head/security/openssh-portable/files/patch-sshd_config.5
Modified: head/UPDATING
==============================================================================
--- head/UPDATING Mon Mar 23 04:08:27 2015 (r381980)
+++ head/UPDATING Mon Mar 23 04:23:08 2015 (r381981)
@@ -5,6 +5,14 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20150322:
+ AFFECTS: Users of security/openssh-portable
+ AUTHOR: bdrewery at FreeBSD.org
+
+ The port now uses VersionAddendum for the port version string. Setting
+ the value to "none" in your sshd_config and restarting openssh will allow
+ removing the version from the banner.
+
20150321:
AFFECTS: Users of x11-servers/xorg-server and other X servers
AUTHOR: bapt at FreeBSD.org
Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile Mon Mar 23 04:08:27 2015 (r381980)
+++ head/security/openssh-portable/Makefile Mon Mar 23 04:23:08 2015 (r381981)
@@ -3,7 +3,7 @@
PORTNAME= openssh
DISTVERSION= 6.7p1
-PORTREVISION= 2
+PORTREVISION= 3
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -200,6 +200,8 @@ CONFIGURE_ARGS+= --with-libs='${CONFIGUR
.endif
RC_SCRIPT_NAME= openssh
+VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME}
+VERSION_ADDENDUM_SERVCONF_GREP= " options->version_addendum = xstrdup"
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
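Review bot: `VERSION_ADDENDUM_SERVCONF_GREP` is defined with its double quotes as part of the value, which works for the `${GREP} -q` call in the next hunk (the shell strips them) but not for the `${REINPLACE_CMD}` expression there, where the variable is expanded inside single quotes and the `"` characters become literal parts of the regex. As written, that substitution would appear not to match `options->version_addendum = xstrdup("");`, and because the grep guard runs before the edit rather than after it, the build would still succeed with the empty default left in servconf.c. Consider defining the value unquoted, quoting it at the grep call, and verifying the result after the sed, e.g. `${GREP} -q 'xstrdup(SSH_VERSION_FREEBSD_PORT)' ${WRKSRC}/servconf.c`. Leading whitespace may have been lost in this listing, so confirm against the patched servconf.c in a work directory.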
@@ -212,18 +214,21 @@ post-patch:
${WRKSRC}/ssh_config.5
@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
- @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
- -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
- @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \
- ${WRKSRC}/version.h
- @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
- ${WRKSRC}/version.h
- @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
- ${WRKSRC}/version.h
-.if ${PORT_OPTIONS:MHPN}
- @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \
+# Making this a patch conflicts with the X509 option. Use grep to force failure.
+ @${ECHO_CMD} "===> Applying VersionAddendum patch to servconf.c" && \
+ ${GREP} -q ${VERSION_ADDENDUM_SERVCONF_GREP} \
+ ${WRKSRC}/servconf.c && \
+ ${REINPLACE_CMD} \
+ -e 's|\( ${VERSION_ADDENDUM_SERVCONF_GREP}\).*);|\1(SSH_VERSION_FREEBSD_PORT);|' \
+ ${WRKSRC}/servconf.c
+ @${REINPLACE_CMD} \
+ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
+ ${WRKSRC}/sshd_config
+ @${REINPLACE_CMD} \
+ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
+ ${WRKSRC}/sshd_config.5
+ @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \
${WRKSRC}/version.h
-.endif
post-install:
${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
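Review bot: `${VERSION_ADDENDUM_DEFAULT}` is overridable (`?=`) yet is pasted unescaped into two `|`-delimited sed replacements and into the C string literal appended to version.h, so a value containing `|`, `&`, `\` or `"` would break the build or silently change what ends up in the banner default, sshd_config and the manual page. The substitutions on sshd_config and sshd_config.5 also have no guard like the servconf.c one, so if upstream changes the `VersionAddendum none` line, the shipped config and documentation would drift from the compiled default without any error. A short comment next to the variable would help, e.g. `# Pasted into sed replacements and a C string literal: no |, &, \ or " allowed.`, and the same `${GREP} -q` pre-check could cover `VersionAddendum none` in sshd_config. The post-patch target starts before this hunk.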
Modified: head/security/openssh-portable/files/patch-servconf.c
==============================================================================
--- head/security/openssh-portable/files/patch-servconf.c Mon Mar 23 04:08:27 2015 (r381980)
+++ head/security/openssh-portable/files/patch-servconf.c Mon Mar 23 04:23:08 2015 (r381981)
@@ -1,6 +1,14 @@
---- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500
-+++ servconf.c 2013-05-12 21:52:43.069625377 -0500
-@@ -162,7 +162,7 @@
+--- servconf.c.orig 2015-03-22 22:16:53.563005000 -0500
++++ servconf.c 2015-03-22 22:19:39.207917000 -0500
+@@ -54,6 +54,7 @@
+ #include "packet.h"
+ #include "hostfile.h"
+ #include "auth.h"
++#include "version.h"
+
+ static void add_listen_addr(ServerOptions *, char *, int);
+ static void add_one_listen_addr(ServerOptions *, char *, int);
+@@ -173,7 +174,7 @@ fill_default_server_options(ServerOption
/* Portable-specific options */
if (options->use_pam == -1)
@@ -9,7 +17,7 @@
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -197,7 +197,7 @@
+@@ -210,7 +211,7 @@ fill_default_server_options(ServerOption
if (options->key_regeneration_time == -1)
options->key_regeneration_time = 3600;
if (options->permit_root_login == PERMIT_NOT_SET)
@@ -18,7 +26,7 @@
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
-@@ -207,7 +207,7 @@
+@@ -220,7 +221,7 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
@@ -27,7 +35,7 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -245,7 +245,11 @@
+@@ -262,7 +263,11 @@ fill_default_server_options(ServerOption
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
@@ -39,8 +47,8 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -335,7 +339,7 @@
- options->version_addendum = xstrdup("");
+@@ -368,7 +373,7 @@ fill_default_server_options(ServerOption
+ options->fwd_opts.streamlocal_bind_unlink = 0;
/* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
Modified: head/security/openssh-portable/files/patch-sshd_config.5
==============================================================================
--- head/security/openssh-portable/files/patch-sshd_config.5 Mon Mar 23 04:08:27 2015 (r381980)
+++ head/security/openssh-portable/files/patch-sshd_config.5 Mon Mar 23 04:23:08 2015 (r381981)
@@ -1,6 +1,6 @@
--- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500
-+++ sshd_config.5 2014-11-03 16:49:35.943778119 -0600
-@@ -304,7 +304,9 @@
++++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500
+@@ -304,7 +304,9 @@ By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -11,7 +11,7 @@
The default is
.Dq yes .
.It Cm ChrootDirectory
-@@ -615,7 +617,7 @@
+@@ -615,7 +617,7 @@ or
.Pp
.Pa /etc/hosts.equiv
and
@@ -20,7 +20,7 @@
are still used.
The default is
.Dq yes .
-@@ -977,7 +979,22 @@
+@@ -977,7 +979,22 @@ are refused if the number of unauthentic
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
@@ -43,7 +43,7 @@
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
-@@ -1023,7 +1040,14 @@
+@@ -1023,7 +1040,14 @@ The argument must be
or
.Dq no .
The default is
@@ -59,7 +59,7 @@
.Pp
If this option is set to
.Dq without-password ,
-@@ -1178,7 +1202,9 @@
+@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
@@ -70,7 +70,7 @@
with successful RSA host authentication is allowed.
The default is
.Dq no .
-@@ -1343,7 +1369,7 @@
+@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
@@ -79,7 +79,19 @@
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-@@ -1379,7 +1405,7 @@
+@@ -1365,7 +1391,10 @@ restrictions.
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+ The default is
+-.Dq none .
++.Dq %%SSH_VERSION_FREEBSD_PORT%% .
++The value
++.Dq none
++may be used to disable this.
+ .It Cm X11DisplayOffset
+ Specifies the first display number available for
+ .Xr sshd 8 Ns 's
+@@ -1379,7 +1408,7 @@ The argument must be
or
.Dq no .
The default is