PSARC 2014/078 OpenSSH 6.5
18205826 upgrade OpenSSH to 6.5p1
18268681 openssh has non-existent /usr/local/lib in its runpath
18435439 problem in UTILITY/OPENSSH
--- a/components/openssh/Makefile Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/Makefile Thu Mar 27 19:40:44 2014 -0700
@@ -23,18 +23,18 @@
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= openssh
-COMPONENT_VERSION= 6.0p1
+COMPONENT_VERSION= 6.5p1
HUMAN_VERSION= $(COMPONENT_VERSION)
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
# Version for IPS. The encoding rules are:
# OpenSSH <x>.<y>p<n> => IPS <x>.<y>.0.<n>
# OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION= 6.0.0.1
+IPS_COMPONENT_VERSION= 6.5.0.1
COMPONENT_PROJECT_URL= http://www.openssh.org/
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH= sha256:589d48e952d6c017e667873486b5df63222f9133d417d0002bd6429d9bd882de
+COMPONENT_ARCHIVE_HASH= sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
COMPONENT_ARCHIVE_URL= http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB=utility/openssh
@@ -63,6 +63,7 @@
CONFIGURE_OPTIONS += --with-tcp-wrappers
CONFIGURE_OPTIONS += --with-4in6
CONFIGURE_OPTIONS += --enable-strip=no
+CONFIGURE_OPTIONS += --without-rpath
CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh
CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh
--- a/components/openssh/openssh.p5m Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/openssh.p5m Thu Mar 27 19:40:44 2014 -0700
@@ -29,7 +29,7 @@
set name=pkg.human-version value=$(HUMAN_VERSION)
set name=com.oracle.info.description \
value="OpenSSH, a suite of tools that help secure network connections"
-set name=com.oracle.info.tpno value=8209
+set name=com.oracle.info.tpno value=16633
set name=info.classification \
value=org.opensolaris.category.2008:Applications/Internet \
value=org.opensolaris.category.2008:System/Security
@@ -51,32 +51,18 @@
mediator-implementation=openssh
link path=usr/bin/ssh-keyscan target=../lib/openssh/bin/ssh-keyscan \
mediator=ssh mediator-implementation=openssh
-# RUNPATH pkglint checking (userland.action001.3) ERRORs on these ELF files
-# are changed to INFO messages; remove this bypass when
-# usr/local/lib is removed from their runpaths
-file usr/bin/scp path=usr/lib/openssh/bin/scp mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/bin/sftp path=usr/lib/openssh/bin/sftp mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/bin/ssh path=usr/lib/openssh/bin/ssh mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/bin/ssh-add path=usr/lib/openssh/bin/ssh-add mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/bin/ssh-agent path=usr/lib/openssh/bin/ssh-agent mode=2555 \
- pkg.linted.userland.action001.3=true
-file usr/bin/ssh-keygen path=usr/lib/openssh/bin/ssh-keygen mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/bin/ssh-keyscan path=usr/lib/openssh/bin/ssh-keyscan mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/lib/ssh/sftp-server path=usr/lib/openssh/lib/sftp-server mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign mode=4555 \
- pkg.linted.userland.action001.3=true
-file usr/lib/ssh/ssh-pkcs11-helper path=usr/lib/openssh/lib/ssh-pkcs11-helper \
- mode=0555 \
- pkg.linted.userland.action001.3=true
-file usr/lib/ssh/sshd path=usr/lib/openssh/lib/sshd mode=0555 \
- pkg.linted.userland.action001.3=true
+file usr/bin/scp path=usr/lib/openssh/bin/scp mode=0555
+file usr/bin/sftp path=usr/lib/openssh/bin/sftp mode=0555
+file usr/bin/ssh path=usr/lib/openssh/bin/ssh mode=0555
+file usr/bin/ssh-add path=usr/lib/openssh/bin/ssh-add mode=0555
+file usr/bin/ssh-agent path=usr/lib/openssh/bin/ssh-agent mode=2555
+file usr/bin/ssh-keygen path=usr/lib/openssh/bin/ssh-keygen mode=0555
+file usr/bin/ssh-keyscan path=usr/lib/openssh/bin/ssh-keyscan mode=0555
+file usr/lib/ssh/sftp-server path=usr/lib/openssh/lib/sftp-server mode=0555
+file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign mode=4555
+file usr/lib/ssh/ssh-pkcs11-helper path=usr/lib/openssh/lib/ssh-pkcs11-helper \
+ mode=0555
+file usr/lib/ssh/sshd path=usr/lib/openssh/lib/sshd mode=0555
link path=usr/lib/ssh/sftp-server target=../openssh/lib/sftp-server \
mediator=ssh mediator-implementation=openssh
link path=usr/lib/ssh/ssh-keysign target=../openssh/lib/ssh-keysign \
--- a/components/openssh/patches/004-broken_bsm_api.patch Thu Mar 27 12:02:39 2014 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-#
-# OpenSSH has special hacks in the code to deal with Solaris private API
-# changes in audit (au_close, getacna) for S11. This patch merely modifies the
-# configure script to consider any S11+ a 'newer Solaris' too, not just S11.
-#
-# We reported this problem to the OpenSSH upstream community on Dec 06 2013.
-# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2178
-#
---- openssh-6.0p1/configure 2012-04-19 22:03:38.000000000 -0700
-+++ new/configure 2013-01-10 03:10:29.200564881 -0800
[email protected]@ -9393,7 +9393,7 @@
-
- $as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h
-
-- if test "$sol2ver" -eq 11; then
-+ if test "$sol2ver" -ge 11; then
- SSHDLIBS="$SSHDLIBS -lscf"
-
- $as_echo "#define BROKEN_BSM_API 1" >>confdefs.h
---- openssh-6.0p1/configure.ac 2013-12-05 05:31:15.809371483 -0800
-+++ new/configure.ac 2013-12-05 05:31:25.689099600 -0800
[email protected]@ -1483,7 +1483,7 @@
- # These are optional
- AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
- AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
-- if test "$sol2ver" -eq 11; then
-+ if test "$sol2ver" -ge 11; then
- SSHDLIBS="$SSHDLIBS -lscf"
- AC_DEFINE([BROKEN_BSM_API], [1],
- [The system has incomplete BSM API])
--- a/components/openssh/patches/005-openssh_krb5_build_fix.patch Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/005-openssh_krb5_build_fix.patch Thu Mar 27 19:40:44 2014 -0700
@@ -2,62 +2,28 @@
# This is to work around an unresloved symbol problem with the Kerberos
# build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
# is not supported on Solaris, because it violates API abstraction. This
-# workaround disables delegated credentials storing on server side.
+# workaround disables delegated credentials storing on server side.
#
# The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
-# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project).
+# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project).
# After that, function gss_krb5_copy_ccache() will be available in Solaris and
# the delegating credentials functionality will be made available using the
# upstream code.
#
-diff -ur old/configure new/configure
---- old/configure 2012-10-22 01:40:00.738542671 -0700
-+++ new/configure 2012-10-22 02:18:52.991019932 -0700
[email protected]@ -15022,6 +15022,12 @@
- fi
- K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
- K5LIBS="`$KRB5CONF --libs $k5confopts`"
-+
-+ # Oracle Solaris
-+ # OpenSSH is mixed-up gssapi AND krb5 aplication
-+ K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
-+ K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
-+
- CPPFLAGS="$CPPFLAGS $K5CFLAGS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
- $as_echo_n "checking whether we are using Heimdal... " >&6; }
-diff -ru old/ssh-gss.h new/ssh-gss.h
---- old/ssh-gss.h 2012-10-22 02:42:41.469718263 -0700
-+++ new/ssh-gss.h 2012-10-22 02:52:00.222302785 -0700
[email protected]@ -45,7 +45,13 @@
- /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
-
- #ifndef GSS_C_NT_HOSTBASED_SERVICE
-+/*
-+ * on Solaris in gssapi.h there is:
-+ * extern const gss_OID GSS_C_NT_HOSTBASED_SERVICE;
-+ */
-+#ifndef KRB5_BUILD_FIX
- #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-+#endif /* KRB5_BUILD_FIX */
- #endif /* GSS_C_NT_... */
- #endif /* !HEIMDAL */
- #endif /* KRB5 */
-diff -u -r old/auth2-gss.c new/auth2-gss.c
---- old/auth2-gss.c 2011-05-04 21:04:11.000000000 -0700
-+++ new/auth2-gss.c 2012-10-25 02:57:42.332456661 -0700
+--- orig/auth2-gss.c Fri Mar 21 10:41:03 2014
++++ new/auth2-gss.c Fri Mar 21 11:13:57 2014
@@ -47,6 +47,10 @@
extern ServerOptions options;
+#ifdef KRB5_BUILD_FIX
-+ extern gss_OID_set g_supported;
++ extern gss_OID_set g_supported;
+#endif
+
static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
[email protected]@ -77,7 +81,12 @@
[email protected]@ -77,7 +81,13 @@
return (0);
}
@@ -67,13 +33,28 @@
+#else
ssh_gssapi_supported_oids(&supported);
+#endif
++
do {
mechs--;
-diff -u -r old/sshd.c new/sshd.c
---- old/sshd.c 2012-10-22 01:28:17.260247177 -0700
-+++ new/sshd.c 2012-10-25 02:53:41.663248837 -0700
[email protected]@ -257,6 +257,11 @@
+--- orig/configure Fri Mar 21 10:41:03 2014
++++ new/configure Fri Mar 21 11:02:11 2014
[email protected]@ -16634,6 +16634,12 @@
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+ fi
++
++ # Oracle Solaris
++ # OpenSSH is mixed-up gssapi AND krb5 aplication
++ K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
++ K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
++
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
+ $as_echo_n "checking whether we are using Heimdal... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+--- orig/sshd.c Fri Mar 21 10:41:03 2014
++++ new/sshd.c Fri Mar 21 11:09:30 2014
[email protected]@ -259,6 +259,11 @@
/* Unprivileged user */
struct passwd *privsep_pw = NULL;
@@ -85,17 +66,18 @@
/* Prototypes for various functions defined later in this file. */
void destroy_sensitive_data(void);
void demote_sensitive_data(void);
[email protected]@ -1351,6 +1356,9 @@
- compat_init_setproctitle(ac, av);
[email protected]@ -1407,6 +1412,10 @@
av = saved_argv;
#endif
+
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+ OM_uint32 ms;
+#endif
-
++
if (geteuid() == 0 && setgroups(0, NULL) == -1)
debug("setgroups(): %.200s", strerror(errno));
[email protected]@ -1984,6 +1992,11 @@
+
[email protected]@ -2083,6 +2092,11 @@
buffer_init(&loginmsg);
auth_debug_reset();
@@ -104,16 +86,17 @@
+ ssh_gssapi_supported_oids(&g_supported);
+#endif
+
- if (use_privsep)
+ if (use_privsep) {
if (privsep_preauth(authctxt) == 1)
goto authenticated;
[email protected]@ -2018,6 +2031,9 @@
- close(startup_pipe);
[email protected]@ -2120,6 +2134,10 @@
startup_pipe = -1;
}
+
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+ gss_release_oid_set(&ms, &g_supported);
+#endif
-
++
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_AUTH_SUCCESS);
+ #endif
--- a/components/openssh/patches/006-umac_align_fix.patch Thu Mar 27 12:02:39 2014 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-#
-# This is to fix an alignment problem on Sparc. We reported the problem to the
-# OpenSSH upstream community with suggested fixes in May 2013. The upstream
-# accepted the union fix and has integrated the fix in the 6.3 release. In the
-# future, when we upgrade OpenSSH to 6.3 or later, we should remove this patch.
-# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2101
-#
---- orig/mac.c Fri Sep 20 14:53:41 2013
-+++ new/mac.c Fri Sep 20 15:04:13 2013
[email protected]@ -132,12 +132,15 @@
- u_char *
- mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
- {
-- static u_char m[EVP_MAX_MD_SIZE];
-+ static union {
-+ u_char m[EVP_MAX_MD_SIZE];
-+ u_int64_t for_align;
-+ } u;
- u_char b[4], nonce[8];
-
-- if (mac->mac_len > sizeof(m))
-+ if (mac->mac_len > sizeof(u))
- fatal("mac_compute: mac too long %u %lu",
-- mac->mac_len, (u_long)sizeof(m));
-+ mac->mac_len, (u_long)sizeof(u));
-
- switch (mac->type) {
- case SSH_EVP:
[email protected]@ -146,17 +149,17 @@
- HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
- HMAC_Update(&mac->evp_ctx, b, sizeof(b));
- HMAC_Update(&mac->evp_ctx, data, datalen);
-- HMAC_Final(&mac->evp_ctx, m, NULL);
-+ HMAC_Final(&mac->evp_ctx, u.m, NULL);
- break;
- case SSH_UMAC:
- put_u64(nonce, seqno);
- umac_update(mac->umac_ctx, data, datalen);
-- umac_final(mac->umac_ctx, m, nonce);
-+ umac_final(mac->umac_ctx, u.m, nonce);
- break;
- default:
- fatal("mac_compute: unknown MAC type");
- }
-- return (m);
-+ return (u.m);
- }
-
- void
--- a/components/openssh/patches/007-manpages.patch Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/007-manpages.patch Thu Mar 27 19:40:44 2014 -0700
@@ -5,12 +5,12 @@
# pages, the section numbers of some OpenSSH man pages are changed to be as
# same as their corresponding ones in SunSSH.
#
---- orig/moduli.5 Thu Jan 10 15:04:00 2013
-+++ new/moduli.5 Thu Jan 10 17:25:53 2013
+--- orig/moduli.5 Thu Feb 6 10:00:17 2014
++++ new/moduli.5 Thu Feb 6 10:08:07 2014
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- .Dd $Mdocdate: October 14 2010 $
+ .Dd $Mdocdate: September 26 2012 $
-.Dt MODULI 5
+.Dt MODULI 4
.Os
@@ -60,21 +60,21 @@
.Xr ssh-keygen 1 ,
-.Xr sshd 8
+.Xr sshd 1M
+ .Sh STANDARDS
.Rs
- .%R RFC 4419
- .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
---- orig/sftp-server.8 Thu Jan 10 15:04:00 2013
-+++ new/sftp-server.8 Thu Jan 10 15:48:21 2013
+ .%A M. Friedl
+--- orig/sftp-server.8 Thu Feb 6 10:01:20 2014
++++ new/sftp-server.8 Thu Feb 6 10:09:59 2014
@@ -23,7 +23,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
- .Dd $Mdocdate: January 9 2010 $
+ .Dd $Mdocdate: October 14 2013 $
-.Dt SFTP-SERVER 8
+.Dt SFTP-SERVER 1M
.Os
.Sh NAME
.Nm sftp-server
[email protected]@ -40,7 +40,7 @@
[email protected]@ -47,7 +47,7 @@
to stdout and expects client requests from stdin.
.Nm
is not intended to be called directly, but from
@@ -83,7 +83,7 @@
using the
.Cm Subsystem
option.
[email protected]@ -51,7 +51,7 @@
[email protected]@ -58,7 +58,7 @@
.Cm Subsystem
declaration.
See
@@ -92,7 +92,16 @@
for more information.
.Pp
Valid options are:
[email protected]@ -106,8 +106,8 @@
[email protected]@ -71,7 +71,7 @@
+ and %u is replaced by the username of that user.
+ The default is to use the user's home directory.
+ This option is useful in conjunction with the
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ .Cm ChrootDirectory
+ option.
+ .It Fl e
[email protected]@ -152,8 +152,8 @@
.Sh SEE ALSO
.Xr sftp 1 ,
.Xr ssh 1 ,
@@ -103,18 +112,18 @@
.Rs
.%A T. Ylonen
.%A S. Lehtinen
---- orig/ssh_config.5 Thu Jan 10 15:04:00 2013
-+++ new/ssh_config.5 Thu Jan 10 15:48:48 2013
+--- orig/ssh_config.5 Thu Feb 6 10:01:20 2014
++++ new/ssh_config.5 Thu Mar 27 16:37:50 2014
@@ -35,7 +35,7 @@
.\"
- .\" $OpenBSD: ssh_config.5,v 1.154 2011/09/09 00:43:00 djm Exp $
- .Dd $Mdocdate: September 9 2011 $
+ .\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
+ .Dd $Mdocdate: January 19 2014 $
-.Dt SSH_CONFIG 5
+.Dt SSH_CONFIG 4
.Os
.Sh NAME
.Nm ssh_config
[email protected]@ -353,7 +353,7 @@
[email protected]@ -503,7 +503,7 @@
.Dq Fl O No exit
option).
If set to a time in seconds, or a time in any of the formats documented in
@@ -123,16 +132,16 @@
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
[email protected]@ -473,7 +473,7 @@
[email protected]@ -622,7 +622,7 @@
+ Specify a timeout for untrusted X11 forwarding
using the format described in the
- .Sx TIME FORMATS
- section of
+ TIME FORMATS section of
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
X11 connections received by
.Xr ssh 1
after this time will be refused.
[email protected]@ -540,7 +540,7 @@
[email protected]@ -689,7 +689,7 @@
These hashed names may be used normally by
.Xr ssh 1
and
@@ -141,16 +150,16 @@
but they do not reveal identifying information should the file's contents
be disclosed.
The default is
[email protected]@ -885,7 +885,7 @@
- The command can be basically anything,
- and should read from its standard input and write to its standard output.
- It should eventually connect an
--.Xr sshd 8
-+.Xr sshd 1M
- server running on some machine, or execute
- .Ic sshd -i
- somewhere.
[email protected]@ -967,7 +967,7 @@
[email protected]@ -1122,7 +1122,7 @@
+ The optional second value is specified in seconds and may use any of the
+ units documented in the
+ TIME FORMATS section of
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ The default value for
+ .Cm RekeyLimit
+ is
[email protected]@ -1166,7 +1166,7 @@
will only succeed if the server's
.Cm GatewayPorts
option is enabled (see
@@ -159,7 +168,7 @@
.It Cm RequestTTY
Specifies whether to request a pseudo-tty for the session.
The argument may be one of:
[email protected]@ -1019,7 +1019,7 @@
[email protected]@ -1218,7 +1218,7 @@
Refer to
.Cm AcceptEnv
in
@@ -168,12 +177,12 @@
for how to configure the server.
Variables are specified by name, which may contain wildcard characters.
Multiple environment variables may be separated by whitespace or spread
---- orig/ssh-keysign.8 Thu Jan 10 15:04:00 2013
-+++ new/ssh-keysign.8 Thu Jan 10 15:49:23 2013
+--- orig/ssh-keysign.8 Thu Feb 6 10:01:20 2014
++++ new/ssh-keysign.8 Thu Feb 6 10:13:05 2014
@@ -23,7 +23,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
- .Dd $Mdocdate: August 31 2010 $
+ .Dd $Mdocdate: December 7 2013 $
-.Dt SSH-KEYSIGN 8
+.Dt SSH-KEYSIGN 1M
.Os
@@ -188,7 +197,7 @@
for more information about host-based authentication.
.Sh FILES
.Bl -tag -width Ds -compact
[email protected]@ -81,8 +81,8 @@
[email protected]@ -83,8 +83,8 @@
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
@@ -199,23 +208,23 @@
.Sh HISTORY
.Nm
first appeared in
---- orig/ssh-pkcs11-helper.8 Thu Jan 10 15:04:00 2013
-+++ new/ssh-pkcs11-helper.8 Thu Jan 10 15:49:48 2013
+--- orig/ssh-pkcs11-helper.8 Thu Feb 6 10:01:20 2014
++++ new/ssh-pkcs11-helper.8 Thu Feb 6 10:14:40 2014
@@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
- .Dd $Mdocdate: February 10 2010 $
+ .Dd $Mdocdate: July 16 2013 $
-.Dt SSH-PKCS11-HELPER 8
+.Dt SSH-PKCS11-HELPER 1M
.Os
.Sh NAME
.Nm ssh-pkcs11-helper
---- orig/sshd_config.5 Thu Jan 10 15:04:00 2013
-+++ new/sshd_config.5 Fri Jan 11 15:56:09 2013
+--- orig/sshd_config.5 Thu Feb 6 10:01:20 2014
++++ new/sshd_config.5 Thu Feb 6 10:17:21 2014
@@ -35,7 +35,7 @@
.\"
- .\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $
- .Dd $Mdocdate: September 9 2011 $
+ .\" $OpenBSD: sshd_config.5,v 1.170 2013/12/08 09:53:27 dtucker Exp $
+ .Dd $Mdocdate: December 8 2013 $
-.Dt SSHD_CONFIG 5
+.Dt SSHD_CONFIG 4
.Os
@@ -248,43 +257,52 @@
Valid arguments are
.Dq any ,
.Dq inet
[email protected]@ -120,7 +120,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -118,7 +118,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
[email protected]@ -149,7 +149,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -158,7 +158,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
- .It Cm AuthorizedKeysFile
- Specifies the file that contains the public keys that can be used
[email protected]@ -157,7 +157,7 @@
+ .It Cm AuthenticationMethods
+ Specifies the authentication methods that must be successfully completed
[email protected]@ -202,7 +202,7 @@
+ It will be invoked with a single argument of the username
+ being authenticated, and should produce on standard output zero or
+ more lines of authorized_keys output (see AUTHORIZED_KEYS in
+-.Xr sshd 8 ) .
++.Xr sshd 1M ) .
+ If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+ and authorize the user then public key authentication continues using the usual
+ .Cm AuthorizedKeysFile
[email protected]@ -218,7 +218,7 @@
The format is described in the
- .Sx AUTHORIZED_KEYS FILE FORMAT
+ AUTHORIZED_KEYS FILE FORMAT
section of
-.Xr sshd 8 .
+.Xr sshd 1M .
.Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection
setup.
[email protected]@ -182,7 +182,7 @@
- in
- .Sx AUTHORIZED_KEYS FILE FORMAT
- in
[email protected]@ -241,7 +241,7 @@
+ to be accepted for authentication.
+ Names are listed one per line preceded by key options (as described
+ in AUTHORIZED_KEYS FILE FORMAT in
-.Xr sshd 8 ) .
+.Xr sshd 1M ) .
Empty lines and comments starting with
.Ql #
are ignored.
[email protected]@ -210,7 +210,7 @@
[email protected]@ -271,7 +271,7 @@
though the
.Cm principals=
key option offers a similar facility (see
@@ -293,7 +311,7 @@
for details).
.It Cm Banner
The contents of the specified file are sent to the remote user before
[email protected]@ -233,7 +233,7 @@
[email protected]@ -294,7 +294,7 @@
All components of the pathname must be root-owned directories that are
not writable by any other user or group.
After the chroot,
@@ -302,16 +320,7 @@
changes the working directory to the user's home directory.
.Pp
The pathname may contain the following tokens that are expanded at runtime once
[email protected]@ -266,7 +266,7 @@
- though sessions which use logging do require
- .Pa /dev/log
- inside the chroot directory (see
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- for details).
- .Pp
- The default is not to
[email protected]@ -297,7 +297,7 @@
[email protected]@ -370,7 +370,7 @@
.It Cm ClientAliveCountMax
Sets the number of client alive messages (see below) which may be
sent without
@@ -320,7 +329,7 @@
receiving any messages back from the client.
If this threshold is reached while client alive messages are being sent,
sshd will disconnect the client, terminating the session.
[email protected]@ -324,7 +324,7 @@
[email protected]@ -397,7 +397,7 @@
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
@@ -329,25 +338,25 @@
will send a message through the encrypted
channel to request a response from the client.
The default
[email protected]@ -357,7 +357,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -428,7 +428,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
[email protected]@ -378,7 +378,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -447,7 +447,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.It Cm ForceCommand
Forces the execution of the command specified by
[email protected]@ -403,7 +403,7 @@
[email protected]@ -472,7 +472,7 @@
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
@@ -356,7 +365,7 @@
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
[email protected]@ -451,7 +451,7 @@
[email protected]@ -520,7 +520,7 @@
A setting of
.Dq yes
means that
@@ -365,7 +374,7 @@
uses the name supplied by the client rather than
attempting to resolve the name from the TCP connection itself.
The default is
[email protected]@ -462,7 +462,7 @@
[email protected]@ -531,7 +531,7 @@
by
.Cm HostKey .
The default behaviour of
@@ -374,7 +383,7 @@
is not to load any certificates.
.It Cm HostKey
Specifies a file containing a private host key
[email protected]@ -476,7 +476,7 @@
[email protected]@ -546,7 +546,7 @@
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
Note that
@@ -383,7 +392,7 @@
will refuse to use a file if it is group/world-accessible.
It is possible to have multiple host key files.
.Dq rsa1
[email protected]@ -504,7 +504,7 @@
[email protected]@ -587,7 +587,7 @@
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
@@ -392,16 +401,7 @@
should ignore the user's
.Pa ~/.ssh/known_hosts
during
[email protected]@ -580,7 +580,7 @@
- Multiple algorithms must be comma-separated.
- The default is
- .Dq ecdh-sha2-nistp256 ,
--.Dq ecdh-sha2-nistp384 ,
-+.Dq ecdh-sha2-nistp834 ,
- .Dq ecdh-sha2-nistp521 ,
- .Dq diffie-hellman-group-exchange-sha256 ,
- .Dq diffie-hellman-group-exchange-sha1 ,
[email protected]@ -597,7 +597,7 @@
[email protected]@ -681,7 +681,7 @@
The default is 3600 (seconds).
.It Cm ListenAddress
Specifies the local addresses
@@ -410,7 +410,7 @@
should listen on.
The following forms may be used:
.Pp
[email protected]@ -640,7 +640,7 @@
[email protected]@ -724,7 +724,7 @@
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
@@ -419,16 +419,16 @@
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
The default is INFO.
[email protected]@ -681,7 +681,7 @@
[email protected]@ -776,7 +776,7 @@
+ The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
- .Sx PATTERNS
- section of
+ PATTERNS section of
-.Xr ssh_config 5 .
+.Xr ssh_config 4 .
.Pp
The patterns in an
.Cm Address
[email protected]@ -751,7 +751,7 @@
[email protected]@ -856,7 +856,7 @@
the three colon separated values
.Dq start:rate:full
(e.g. "10:30:60").
@@ -437,7 +437,7 @@
will refuse connection attempts with a probability of
.Dq rate/100
(30%)
[email protected]@ -855,7 +855,7 @@
[email protected]@ -969,7 +969,7 @@
options in
.Pa ~/.ssh/authorized_keys
are processed by
@@ -446,7 +446,7 @@
The default is
.Dq no .
Enabling environment processing may enable users to bypass access
[email protected]@ -868,7 +868,7 @@
[email protected]@ -982,7 +982,7 @@
.Pa /var/run/sshd.pid .
.It Cm Port
Specifies the port number that
@@ -455,7 +455,7 @@
listens on.
The default is 22.
Multiple options of this type are permitted.
[email protected]@ -876,7 +876,7 @@
[email protected]@ -990,7 +990,7 @@
.Cm ListenAddress .
.It Cm PrintLastLog
Specifies whether
@@ -464,7 +464,7 @@
should print the date and time of the last user login when a user logs
in interactively.
The default is
[email protected]@ -883,7 +883,7 @@
[email protected]@ -997,7 +997,7 @@
.Dq yes .
.It Cm PrintMotd
Specifies whether
@@ -473,13 +473,8 @@
should print
.Pa /etc/motd
when a user logs in interactively.
[email protected]@ -891,10 +891,11 @@
- .Pa /etc/profile ,
- or equivalent.)
- The default is
--.Dq yes .
-+.Dq no
-+on Solaris.
[email protected]@ -1008,7 +1008,7 @@
+ .Dq yes .
.It Cm Protocol
Specifies the protocol versions
-.Xr sshd 8
@@ -487,7 +482,7 @@
supports.
The possible values are
.Sq 1
[email protected]@ -936,7 +937,7 @@
[email protected]@ -1081,7 +1081,7 @@
The minimum value is 512, and the default is 1024.
.It Cm StrictModes
Specifies whether
@@ -496,16 +491,7 @@
should check file modes and ownership of the
user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally leave their
[email protected]@ -952,7 +953,7 @@
- to execute upon subsystem request.
- .Pp
- The command
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- implements the
- .Dq sftp
- file transfer subsystem.
[email protected]@ -970,7 +971,7 @@
[email protected]@ -1115,7 +1115,7 @@
Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
@@ -514,7 +500,7 @@
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
[email protected]@ -1013,7 +1014,7 @@
[email protected]@ -1156,7 +1156,7 @@
.Xr ssh-keygen 1 .
.It Cm UseDNS
Specifies whether
@@ -523,7 +509,7 @@
should look up the remote host name and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
[email protected]@ -1058,13 +1059,14 @@
[email protected]@ -1201,13 +1201,13 @@
If
.Cm UsePAM
is enabled, you will not be able to run
@@ -531,9 +517,7 @@
+.Xr sshd 1M
as a non-root user.
The default is
--.Dq no .
-+.Dq yes
-+on Solaris.
+ .Dq no .
.It Cm UsePrivilegeSeparation
Specifies whether
-.Xr sshd 8
@@ -541,8 +525,8 @@
separates privileges by creating an unprivileged child process
to deal with incoming network traffic.
After successful authentication, another process will be created that has
[email protected]@ -1081,7 +1083,7 @@
- restrictions.
[email protected]@ -1229,7 +1229,7 @@
+ .Dq none .
.It Cm X11DisplayOffset
Specifies the first display number available for
-.Xr sshd 8 Ns 's
@@ -550,7 +534,7 @@
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
[email protected]@ -1096,7 +1098,7 @@
[email protected]@ -1244,7 +1244,7 @@
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
@@ -559,7 +543,7 @@
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost
below), though this is not the default.
[email protected]@ -1107,7 +1109,7 @@
[email protected]@ -1255,7 +1255,7 @@
forwarding (see the warnings for
.Cm ForwardX11
in
@@ -568,7 +552,7 @@
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
[email protected]@ -1121,7 +1123,7 @@
[email protected]@ -1269,7 +1269,7 @@
is enabled.
.It Cm X11UseLocalhost
Specifies whether
@@ -577,7 +561,7 @@
should bind the X11 forwarding server to the loopback address or to
the wildcard address.
By default,
[email protected]@ -1152,7 +1154,7 @@
[email protected]@ -1300,7 +1300,7 @@
.Pa /usr/X11R6/bin/xauth .
.El
.Sh TIME FORMATS
@@ -586,7 +570,7 @@
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
[email protected]@ -1196,12 +1198,12 @@
[email protected]@ -1344,12 +1344,12 @@
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
Contains configuration data for
@@ -601,18 +585,18 @@
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
---- orig/sshd.8 Thu Jan 10 15:04:00 2013
-+++ new/sshd.8 Thu Jan 10 15:53:31 2013
+--- orig/sshd.8 Thu Feb 6 10:01:20 2014
++++ new/sshd.8 Thu Feb 6 10:22:35 2014
@@ -35,7 +35,7 @@
.\"
- .\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $
- .Dd $Mdocdate: September 23 2011 $
+ .\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
+ .Dd $Mdocdate: December 7 2013 $
-.Dt SSHD 8
+.Dt SSHD 1M
.Os
.Sh NAME
.Nm sshd
[email protected]@ -79,7 +79,7 @@
[email protected]@ -80,7 +80,7 @@
.Nm
can be configured using command-line options or a configuration file
(by default
@@ -621,7 +605,7 @@
command-line options override values specified in the
configuration file.
.Nm
[email protected]@ -204,7 +204,7 @@
[email protected]@ -210,7 +210,7 @@
This is useful for specifying options for which there is no separate
command-line flag.
For full details of the options, and their values, see
@@ -630,16 +614,16 @@
.It Fl p Ar port
Specifies the port on which the server listens for connections
(default 22).
[email protected]@ -274,7 +274,7 @@
[email protected]@ -280,7 +280,7 @@
though this can be changed via the
.Cm Protocol
option in
-.Xr sshd_config 5 .
+.Xr sshd_config 4 .
- Protocol 2 supports DSA, ECDSA and RSA keys;
+ Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
protocol 1 only supports RSA keys.
For both protocols,
[email protected]@ -399,7 +399,7 @@
[email protected]@ -405,7 +405,7 @@
See the
.Cm PermitUserEnvironment
option in
@@ -648,7 +632,7 @@
.It
Changes to user's home directory.
.It
[email protected]@ -542,7 +542,7 @@
[email protected]@ -550,7 +550,7 @@
environment variable.
Note that this option applies to shell, command or subsystem execution.
Also note that this command may be superseded by either a
@@ -657,16 +641,16 @@
.Cm ForceCommand
directive or a command embedded in a certificate.
.It Cm environment="NAME=value"
[email protected]@ -565,7 +565,7 @@
- See
- .Sx PATTERNS
- in
[email protected]@ -571,7 +571,7 @@
+ name of the remote host or its IP address must be present in the
+ comma-separated list of patterns.
+ See PATTERNS in
-.Xr ssh_config 5
+.Xr ssh_config 4
for more information on patterns.
.Pp
In addition to the wildcard matching that may be applied to hostnames or
[email protected]@ -859,7 +859,7 @@
[email protected]@ -865,7 +865,7 @@
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
@@ -675,7 +659,7 @@
.Pp
.It Pa /etc/motd
See
[email protected]@ -918,7 +918,7 @@
[email protected]@ -926,7 +926,7 @@
Contains configuration data for
.Nm sshd .
The file format and configuration options are described in
@@ -684,7 +668,7 @@
.Pp
.It Pa /etc/ssh/sshrc
Similar to
[email protected]@ -954,10 +954,10 @@
[email protected]@ -962,10 +962,10 @@
.Xr chroot 2 ,
.Xr hosts_access 5 ,
.Xr login.conf 5 ,
--- a/components/openssh/patches/008-deprecate_sunssh_opt.patch Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch Thu Mar 27 19:40:44 2014 -0700
@@ -6,32 +6,31 @@
# changed from deprecated to supported. Since this is for Solaris only, we will
# not contribute back this change to the upstream community.
#
---- orig/readconf.c Thu Nov 15 13:32:50 2012
-+++ new/readconf.c Wed Mar 27 14:51:55 2013
[email protected]@ -246,7 +246,26 @@
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
- { "requesttty", oRequestTTY },
+--- orig/readconf.c Wed Feb 5 17:16:20 2014
++++ new/readconf.c Fri Mar 14 09:52:42 2014
[email protected]@ -267,7 +267,25 @@
+ { "canonicalizemaxdots", oCanonicalizeMaxDots },
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+ { "ignoreunknown", oIgnoreUnknown },
-
+#ifdef DEPRECATE_SUNSSH_OPT
-+ /*
-+ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
-+ * as possible, we will deprecate SunSSH-only options in OpenSSH.
-+ * Therefore, on a system that is running OpenSSH with a deprecated
-+ * option from the user's config file (~/.ssh/config), the ssh
-+ * connection will proceed without the deprecated option. Note that
-+ * this is an interim enhancement to OpenSSH to make the transition
-+ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH
-+ * later, then it will be changed from deprecated to supported.
-+ */
-+ { "disablebanner", oDeprecated },
-+ { "gssapikeyexchange", oDeprecated },
-+ { "ignoreifunknown", oDeprecated },
-+ { "kmfpolicydatabase", oDeprecated },
-+ { "kmfpolicyname", oDeprecated },
-+ { "trustedanchorkeystore", oDeprecated },
-+ { "usefips140", oDeprecated },
-+ { "useopensslengine", oDeprecated },
++ /*
++ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
++ * as possible, we will deprecate SunSSH-only options in OpenSSH.
++ * Therefore, on a system that is running OpenSSH with a deprecated
++ * option from the user's config file (~/.ssh/config), the ssh
++ * connection will proceed without the deprecated option. Note that
++ * this is an interim enhancement to OpenSSH to make the transition
++ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH
++ * later, then it will be changed from deprecated to supported.
++ */
++ { "disablebanner", oDeprecated },
++ { "gssapikeyexchange", oDeprecated },
++ { "kmfpolicydatabase", oDeprecated },
++ { "kmfpolicyname", oDeprecated },
++ { "trustedanchorkeystore", oDeprecated },
++ { "usefips140", oDeprecated },
++ { "useopensslengine", oDeprecated },
+#endif
{ NULL, oBadOption }
};
--- a/components/openssh/patches/009-CVE-2010-5107.patch Thu Mar 27 12:02:39 2014 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,44 +0,0 @@
-#
-# This is to fix the CVE-2010-5107 security bug. The bug fix code came from
-# OpenSSH and is in version 6.2 of OpenSSH. When we upgrade OpenSSH to
-# version 6.2 or later, we will remove this patch file.
-#
---- orig/servconf.c Wed Feb 27 16:03:18 2013
-+++ new/servconf.c Wed Feb 27 16:10:09 2013
[email protected]@ -248,11 +248,11 @@
- if (options->gateway_ports == -1)
- options->gateway_ports = 0;
- if (options->max_startups == -1)
-- options->max_startups = 10;
-+ options->max_startups = 100;
- if (options->max_startups_rate == -1)
-- options->max_startups_rate = 100; /* 100% */
-+ options->max_startups_rate = 30; /* 30% */
- if (options->max_startups_begin == -1)
-- options->max_startups_begin = options->max_startups;
-+ options->max_startups_begin = 10;
- if (options->max_authtries == -1)
- options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
- if (options->max_sessions == -1)
---- orig/sshd_config Wed Feb 27 16:05:01 2013
-+++ new/sshd_config Wed Feb 27 16:11:50 2013
[email protected]@ -104,7 +104,7 @@
- #ClientAliveCountMax 3
- #UseDNS yes
- #PidFile /var/run/sshd.pid
--#MaxStartups 10
-+#MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
-
---- orig/sshd_config.5 Wed Feb 27 16:04:36 2013
-+++ new/sshd_config.5 Wed Feb 27 16:15:03 2013
[email protected]@ -745,7 +745,7 @@
- Additional connections will be dropped until authentication succeeds or the
- .Cm LoginGraceTime
- expires for a connection.
--The default is 10.
-+The default is 10:30:100.
- .Pp
- Alternatively, random early drop can be enabled by specifying
- the three colon separated values
--- a/components/openssh/patches/010-gss_store_cred.patch Thu Mar 27 12:02:39 2014 -0700
+++ b/components/openssh/patches/010-gss_store_cred.patch Thu Mar 27 19:40:44 2014 -0700
@@ -13,13 +13,12 @@
# libgssapi_krb5) Solaris Kerberos libgss does not have Kerberos mechanism
# directly built in the library and this function is not directly accessible.
#
-# The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED
+# The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED
# and GSSAPI_STORECREDS_NEEDS_RUID macros.
#
-diff -ur old/config.h.in new/config.h.in
---- old/config.h.in 2012-04-19 22:03:32.000000000 -0700
-+++ new/config.h.in 2014-03-12 06:47:38.667166593 -0700
[email protected]@ -1465,6 +1465,12 @@
+--- orig/config.h.in Fri Mar 21 11:42:17 2014
++++ new/config.h.in Fri Mar 21 11:46:26 2014
[email protected]@ -1616,6 +1616,12 @@
/* Use btmp to log bad logins */
#undef USE_BTMP
@@ -32,51 +31,49 @@
/* Use libedit for sftp */
#undef USE_LIBEDIT
-diff -ur old/configure new/configure
---- old/configure 2014-03-12 04:01:33.320409426 -0700
-+++ new/configure 2014-03-12 06:47:48.510155481 -0700
[email protected]@ -7201,6 +7201,9 @@
+--- orig/configure Fri Mar 21 11:42:24 2014
++++ new/configure Fri Mar 21 11:49:51 2014
[email protected]@ -7797,6 +7797,9 @@
fi
-+ $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
-+ $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
++ $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
++ $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
+
+ TEST_SHELL=$SHELL # let configure find us a capable shell
+ ;;
+ *-*-sunos4*)
+--- orig/configure.ac Fri Mar 21 11:42:28 2014
++++ new/configure.ac Fri Mar 21 16:32:28 2014
[email protected]@ -866,6 +866,8 @@
+ ],
+ )
+ TEST_SHELL=$SHELL # let configure find us a capable shell
++ AC_DEFINE([USE_GSS_STORE_CRED])
++ AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
;;
*-*-sunos4*)
CPPFLAGS="$CPPFLAGS -DSUNOS4"
-diff -ur old/configure.ac new/configure.ac
---- old/configure.ac 2014-03-12 04:01:33.310743659 -0700
-+++ new/configure.ac 2014-03-12 06:47:59.218730468 -0700
[email protected]@ -802,6 +802,8 @@
- SP_MSG="yes" ], )
- ],
- )
-+ AC_DEFINE([USE_GSS_STORE_CRED])
-+ AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
- ;;
- *-*-sunos4*)
- CPPFLAGS="$CPPFLAGS -DSUNOS4"
-diff -ur old/gss-serv-krb5.c new/gss-serv-krb5.c
---- old/gss-serv-krb5.c 2006-08-31 22:38:36.000000000 -0700
-+++ new/gss-serv-krb5.c 2014-03-17 06:25:36.218227736 -0700
[email protected]@ -109,6 +109,7 @@
+--- orig/gss-serv-krb5.c Fri Mar 21 11:42:46 2014
++++ new/gss-serv-krb5.c Fri Mar 21 11:54:48 2014
[email protected]@ -109,7 +109,7 @@
+ return retval;
}
-
+-
+#ifndef USE_GSS_STORE_CRED
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
[email protected]@ -183,6 +184,7 @@
[email protected]@ -195,6 +195,7 @@
return;
}
-+#endif /* #ifndef USE_GSS_STORE_CRED */
++#endif /* #ifndef USE_GSS_STORE_CRED */
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
[email protected]@ -191,7 +193,11 @@
[email protected]@ -203,7 +204,11 @@
NULL,
&ssh_gssapi_krb5_userok,
NULL,
@@ -88,10 +85,9 @@
};
#endif /* KRB5 */
-diff -ur old/gss-serv.c new/gss-serv.c
---- old/gss-serv.c 2011-08-05 13:16:46.000000000 -0700
-+++ new/gss-serv.c 2014-03-12 05:55:42.368676287 -0700
[email protected]@ -292,22 +292,66 @@
+--- orig/gss-serv.c Fri Mar 21 11:42:53 2014
++++ new/gss-serv.c Fri Mar 21 15:59:43 2014
[email protected]@ -292,6 +292,9 @@
void
ssh_gssapi_cleanup_creds(void)
{
@@ -101,6 +97,7 @@
if (gssapi_client.store.filename != NULL) {
/* Unlink probably isn't sufficient */
debug("removing gssapi cred file\"%s\"",
[email protected]@ -298,6 +301,7 @@
gssapi_client.store.filename);
unlink(gssapi_client.store.filename);
}
@@ -108,6 +105,7 @@
}
/* As user */
[email protected]@ -304,10 +308,50 @@
void
ssh_gssapi_storecreds(void)
{
@@ -158,25 +156,23 @@
}
/* This allows GSSAPI methods to do things to the childs environment based
-diff -ur old/servconf.c new/servconf.c
---- old/servconf.c 2014-03-12 04:01:33.343205265 -0700
-+++ new/servconf.c 2014-03-12 04:01:33.400368192 -0700
[email protected]@ -386,7 +386,11 @@
+--- orig/servconf.c Fri Mar 21 11:43:02 2014
++++ new/servconf.c Fri Mar 21 16:02:54 2014
[email protected]@ -409,7 +409,11 @@
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+#ifdef USE_GSS_STORE_CRED
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+#else /* USE_GSS_STORE_CRED*/
++#else /* USE_GSS_STORE_CRED */
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+#endif /* USE_GSS_STORE_CRED*/
++#endif /* USE_GSS_STORE_CRED */
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-diff -ur old/sshd.c new/sshd.c
---- old/sshd.c 2014-03-12 04:01:33.321603394 -0700
-+++ new/sshd.c 2014-03-12 06:48:16.296909610 -0700
[email protected]@ -2041,9 +2041,23 @@
+--- orig/sshd.c Fri Mar 21 11:43:08 2014
++++ new/sshd.c Mon Mar 24 15:05:30 2014
[email protected]@ -2126,9 +2126,23 @@
#ifdef GSSAPI
if (options.gss_authentication) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/011-useprivilegedport_regression.patch Thu Mar 27 19:40:44 2014 -0700
@@ -0,0 +1,62 @@
+#
+# This is to fix a regression in OpenSSH6.5p1 for UsePrivilegedPort=yes. The
+# bug fix code came from OpenSSH.org. When we upgrade OpenSSH to version 6.6
+# or later, we will remove this patch file.
+#
+--- orig/sshconnect.c Mon Feb 10 13:56:07 2014
++++ new/sshconnect.c Mon Feb 10 17:10:54 2014
[email protected]@ -269,7 +269,7 @@
+ ssh_create_socket(int privileged, struct addrinfo *ai)
+ {
+ int sock, r, gaierr;
+- struct addrinfo hints, *res;
++ struct addrinfo hints, *res = NULL;
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ if (sock < 0) {
[email protected]@ -282,17 +282,19 @@
+ if (options.bind_address == NULL && !privileged)
+ return sock;
+
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = ai->ai_family;
+- hints.ai_socktype = ai->ai_socktype;
+- hints.ai_protocol = ai->ai_protocol;
+- hints.ai_flags = AI_PASSIVE;
+- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+- if (gaierr) {
++ if (options.bind_address) {
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = ai->ai_family;
++ hints.ai_socktype = ai->ai_socktype;
++ hints.ai_protocol = ai->ai_protocol;
++ hints.ai_flags = AI_PASSIVE;
++ gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
++ if (gaierr) {
+ error("getaddrinfo: %s: %s", options.bind_address,
+ ssh_gai_strerror(gaierr));
+ close(sock);
+ return -1;
++ }
+ }
+ /*
+ * If we are running as root and want to connect to a privileged
[email protected]@ -300,7 +302,7 @@
+ */
+ if (privileged) {
+ PRIV_START;
+- r = bindresvport_sa(sock, res->ai_addr);
++ r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
+ PRIV_END;
+ if (r < 0) {
+ error("bindresvport_sa: af=%d %s", ai->ai_family,
[email protected]@ -317,7 +319,8 @@
+ return -1;
+ }
+ }
+- freeaddrinfo(res);
++ if (res != NULL)
++ freeaddrinfo(res);
+ return sock;
+ }
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/012-acceptenv.patch Thu Mar 27 19:40:44 2014 -0700
@@ -0,0 +1,33 @@
+#
+# This is to fix a security bug (CVE-2014-2532) when using environment passing
+# with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6
+# could be tricked into accepting any enviornment variable that contains the
+# characters before the wildcard character. The bug fix code came from
+# OpenSSH.org. When we upgrade OpenSSH to version 6.6 or later, we will remove
+# this patch file.
+#
+--- orig/session.c Tue Mar 18 18:37:57 2014
++++ new/session.c Tue Mar 18 18:41:17 2014
[email protected]@ -978,6 +978,11 @@
+ u_int envsize;
+ u_int i, namelen;
+
++ if (strchr(name, '=') != NULL) {
++ error("Invalid environment variable \"%.100s\"", name);
++ return;
++ }
++
+ /*
+ * If we're passed an uninitialized list, allocate a single null
+ * entry before continuing.
[email protected]@ -2225,8 +2230,8 @@
+ char *name, *val;
+ u_int name_len, val_len, i;
+
+- name = packet_get_string(&name_len);
+- val = packet_get_string(&val_len);
++ name = packet_get_cstring(&name_len);
++ val = packet_get_cstring(&val_len);
+ packet_check_eom();
+
+ /* Don't set too many environment variables */