From 438c6835a69efdeff3bf84db93f0a71436191ca6 Mon Sep 17 00:00:00 2001 From: Schrijvers Luc Date: Thu, 1 Feb 2024 08:16:40 +0100 Subject: [PATCH] openssh, bump version (#10029) --- ...nssh-9.3p1.recipe => openssh-9.6p1.recipe} | 2 +- ...-9.3p1.patchset => openssh-9.6p1.patchset} | 148 +++++++----------- 2 files changed, 59 insertions(+), 91 deletions(-) rename net-misc/openssh/{openssh-9.3p1.recipe => openssh-9.6p1.recipe} (98%) rename net-misc/openssh/patches/{openssh-9.3p1.patchset => openssh-9.6p1.patchset} (92%) diff --git a/net-misc/openssh/openssh-9.3p1.recipe b/net-misc/openssh/openssh-9.6p1.recipe similarity index 98% rename from net-misc/openssh/openssh-9.3p1.recipe rename to net-misc/openssh/openssh-9.6p1.recipe index 7f4e4e866..8d2f0a674 100644 --- a/net-misc/openssh/openssh-9.3p1.recipe +++ b/net-misc/openssh/openssh-9.6p1.recipe @@ -18,7 +18,7 @@ COPYRIGHT="2005-2020 Tatu Ylonen et al." LICENSE="OpenSSH" REVISION="1" SOURCE_URI="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$portVersion.tar.gz" -CHECKSUM_SHA256="e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" +CHECKSUM_SHA256="910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c" PATCHES="openssh-$portVersion.patchset" ADDITIONAL_FILES=" sshd_keymaker.sh diff --git a/net-misc/openssh/patches/openssh-9.3p1.patchset b/net-misc/openssh/patches/openssh-9.6p1.patchset similarity index 92% rename from net-misc/openssh/patches/openssh-9.3p1.patchset rename to net-misc/openssh/patches/openssh-9.6p1.patchset index 5240799db..1d1612e32 100644 --- a/net-misc/openssh/patches/openssh-9.3p1.patchset +++ b/net-misc/openssh/patches/openssh-9.6p1.patchset @@ -1,4 +1,4 @@ -From d72aa2c359b14bf29f4b84e6a41ea55a2224b5fa Mon Sep 17 00:00:00 2001 +From 757c8db8e07aeaec1826a5644d3930c4def405e9 Mon Sep 17 00:00:00 2001 From: Adrien Destugues Date: Thu, 16 Jul 2020 17:57:38 +0200 Subject: applying patch sshd_config.patch 
@@ -18,10 +18,10 @@ index 36894ac..c783c84 100644 #AuthorizedPrincipalsFile none -- -2.37.3 +2.42.1 -From f3271e55e745a03f6dd87799f8a2ddc1153ddd76 Mon Sep 17 00:00:00 2001 +From 67cdb7ddfaebf71b6ee6e460c7aba3d63317b23e Mon Sep 17 00:00:00 2001 From: Adrien Destugues Date: Thu, 16 Jul 2020 17:57:38 +0200 Subject: applying patch pathnames.patch @@ -41,31 +41,29 @@ index f7ca5a7..828e43e 100644 /* * Per-user file containing host keys of known hosts. This file need not be -- -2.37.3 +2.42.1 -From 0c0df46eaec3fd088704cc191b81c693245e8174 Mon Sep 17 00:00:00 2001 +From 3105ff59ea826b1fb34b4bf297dc301556914d59 Mon Sep 17 00:00:00 2001 From: Adrien Destugues Date: Thu, 16 Jul 2020 17:57:38 +0200 Subject: applying patch ssh-copy-id.patch diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id -old mode 100644 -new mode 100755 -index cd122de..e5a320c +index da6bd18..866f467 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id -@@ -61,7 +61,7 @@ then +@@ -62,7 +62,7 @@ then fi # shellcheck disable=SC2010 -DEFAULT_PUB_ID_FILE=$(ls -t "${HOME}"/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) +DEFAULT_PUB_ID_FILE=$(ls -t `finddir B_USER_SETTINGS_DIRECTORY`/ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1) SSH="ssh -a -x" + TARGET_PATH=".ssh/authorized_keys" umask 0177 - -@@ -296,7 +296,7 @@ installkeys_via_sftp() { +@@ -313,7 +313,7 @@ installkeys_via_sftp() { # create a scratch dir for any temporary files needed @@ -75,10 +73,10 @@ index cd122de..e5a320c then chmod 0700 "$SCRATCH_DIR" -- -2.37.3 +2.42.1 -From 2a28504d2bb6f43d31200b2b3546e2334237816b Mon Sep 17 00:00:00 2001 +From 8866fd05b3498493e69936540c0ce5e876bf4f8b Mon Sep 17 00:00:00 2001 From: Adrien Destugues Date: Thu, 16 Jul 2020 17:57:38 +0200 Subject: applying patch sha2-gcc2-build-fix.patch 
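Review bot: The rebased ssh-copy-id patch no longer carries the `old mode 100644` / `new mode 100755` pair and its index line now ends in `100644`, so contrib/ssh-copy-id stays non-executable after patching unless the recipe's install step sets the mode itself (that step is not visible in this diff). If the script is installed by a plain copy, either restore the mode change in the patch or install it with an explicit mode. Separately, the patched line expands `finddir` unquoted where upstream quoted `"${HOME}"`; `"$(finddir B_USER_SETTINGS_DIRECTORY)"/ssh/id*.pub` keeps the glob working and avoids word splitting on the directory name. The inner hunk for installkeys_via_sftp() is cut by the outer hunk boundary, so the scratch-directory line it changes is not shown here.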
@@ -131,59 +129,29 @@ index 4f2ad8f..8946d87 100644 memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH); #endif -- -2.37.3 +2.42.1 -From 2364d47154217df24ec1474099a87cf58a57621b Mon Sep 17 00:00:00 2001 -From: Adrien Destugues -Date: Thu, 16 Jul 2020 17:57:38 +0200 -Subject: applying patch pkcs11-gcc2-build-fix.patch - - -diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c -index cfd833d..9def20d 100644 ---- a/ssh-pkcs11-client.c -+++ b/ssh-pkcs11-client.c -@@ -248,6 +248,7 @@ pkcs11_start_helper_methods(void) - return (0); - - #if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) -+{ - int (*orig_sign)(int, const unsigned char *, int, unsigned char *, - unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; - if (helper_ecdsa != NULL) -@@ -257,6 +258,7 @@ pkcs11_start_helper_methods(void) - return (-1); - EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); - EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); -+} - #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ - - if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) --- -2.37.3 - - -From ee7e0513d2facdae338b96786b68e500ee298e53 Mon Sep 17 00:00:00 2001 +From 1544b1f2ae8a746f475b82c5b16377fed23f386c Mon Sep 17 00:00:00 2001 From: Adrien Destugues Date: Thu, 16 Jul 2020 18:08:27 +0200 Subject: Fix configuration path in manpages diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 -index c141a29..fd27f1d 100644 +index 74eec2f..35a6cc4 100644 --- a/contrib/ssh-copy-id.1 
+++ b/contrib/ssh-copy-id.1 -@@ -54,7 +54,7 @@ this may result in you being repeatedly prompted for pass-phrases). - It then assembles a list of those that failed to log in, and using ssh, - enables logins with those keys on the remote server. By default it adds - the keys by appending them to the remote user's +@@ -58,7 +58,7 @@ It then assembles a list of those that failed to log in and, using + .Xr ssh 1 , + enables logins with those keys on the remote server. + By default it adds the keys by appending them to the remote user's -.Pa ~/.ssh/authorized_keys +.Pa ~/config/settings/settings/ssh/authorized_keys - (creating the file, and directory, if necessary). It is also capable - of detecting if the remote system is a NetScreen, and using its - .Ql set ssh pka-dsa key ... -@@ -124,9 +124,9 @@ will be used. + (creating the file, and directory, if necessary). + It is also capable of detecting if the remote system is a NetScreen, + and using its +@@ -144,9 +144,9 @@ will be used. The .Ic default_ID_file is the most recent file that matches: @@ -196,7 +164,7 @@ index c141a29..fd27f1d 100644 .Nm to use, just use diff --git a/ssh-add.0 b/ssh-add.0 -index ac7d079..8c0ea35 100644 +index fed9969..8b1e554 100644 --- a/ssh-add.0 +++ b/ssh-add.0 @@ -13,8 +13,8 @@ SYNOPSIS @@ -210,7 +178,7 @@ index ac7d079..8c0ea35 100644 ssh-add will try to load corresponding certificate information from the filename obtained by appending -cert.pub to the name of the private key file. Alternative file names can be given on the command line. -@@ -60,8 +60,8 @@ DESCRIPTION +@@ -63,8 +63,8 @@ DESCRIPTION destination-constrained keys via the -h flag. This option may be specified multiple times to allow multiple files to be searched. If no files are specified, ssh-add will use the default @@ -221,7 +189,7 @@ index ac7d079..8c0ea35 100644 /etc/ssh/ssh_known_hosts2. -h destination_constraint -@@ -173,12 +173,12 @@ ENVIRONMENT +@@ -180,12 +180,12 @@ ENVIRONMENT the built-in USB HID support. FILES 
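Review bot: The ssh-copy-id.1 change carried through this rebase documents the remote file as `~/config/settings/settings/ssh/authorized_keys`, which looks like a doubled `settings` component and does not match the `TARGET_PATH=".ssh/authorized_keys"` line that now appears as context in the contrib/ssh-copy-id hunk of this same patchset. This file decides which keys may log in, so the man page should name the path the script actually writes; if the script is left as it is, keeping upstream's `.Pa ~/.ssh/authorized_keys` for the remote side would be the accurate wording. The same outer hunk also drops pkcs11-gcc2-build-fix.patch with no explanation in the commit message, and a line saying why the gcc2 build no longer needs it would help the next rebase.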
@@ -241,10 +209,10 @@ index ac7d079..8c0ea35 100644 authenticator-hosted Ed25519 or RSA authentication identity of the user. diff --git a/ssh-add.1 b/ssh-add.1 -index 4601f59..2a4bf73 100644 +index f0186cd..b7f704f 100644 --- a/ssh-add.1 +++ b/ssh-add.1 -@@ -62,13 +62,13 @@ +@@ -64,13 +64,13 @@ adds private key identities to the authentication agent, .Xr ssh-agent 1 . When run without arguments, it adds the files @@ -264,7 +232,7 @@ index 4601f59..2a4bf73 100644 After loading a private key, .Nm will try to load corresponding certificate information from the -@@ -143,8 +143,8 @@ If no files are specified, +@@ -148,8 +148,8 @@ If no files are specified, will use the default .Xr ssh_config 5 known hosts files: @@ -275,7 +243,7 @@ index 4601f59..2a4bf73 100644 .Pa /etc/ssh/ssh_known_hosts , and .Pa /etc/ssh/ssh_known_hosts2 . -@@ -306,12 +306,12 @@ the built-in USB HID support. +@@ -314,12 +314,12 @@ the built-in USB HID support. .El .Sh FILES .Bl -tag -width Ds -compact @@ -295,7 +263,7 @@ index 4601f59..2a4bf73 100644 authenticator-hosted Ed25519 or RSA authentication identity of the user. .El diff --git a/ssh-keygen.0 b/ssh-keygen.0 -index 86cb91b..7d70666 100644 +index 95e4aa3..b8ece71 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -56,9 +56,9 @@ DESCRIPTION @@ -373,7 +341,7 @@ index 86cb91b..7d70666 100644 the contents of this file secret. diff --git a/ssh-keygen.1 b/ssh-keygen.1 -index 1be0822..9b37d22 100644 +index c392141..8038472 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -205,13 +205,13 @@ section for details. @@ -458,10 +426,10 @@ index 1be0822..9b37d22 100644 where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. diff --git a/ssh.0 b/ssh.0 -index 94a98ae..cc630d6 100644 +index 5b5e2ad..fd78948 100644 --- a/ssh.0 
+++ b/ssh.0 -@@ -112,7 +112,7 @@ DESCRIPTION +@@ -113,7 +113,7 @@ DESCRIPTION Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config) will be ignored. The @@ -470,7 +438,7 @@ index 94a98ae..cc630d6 100644 set to M-bM-^@M-^\noneM-bM-^@M-^], no configuration files will be read. -f Requests ssh to go to background just before command execution. -@@ -143,9 +143,9 @@ DESCRIPTION +@@ -144,9 +144,9 @@ DESCRIPTION key authentication is read. You can also specify a public key file to use the corresponding private key that is loaded in ssh-agent(1) when the private key file is not present locally. @@ -483,7 +451,7 @@ index 94a98ae..cc630d6 100644 host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). If no certificates have been explicitly -@@ -161,7 +161,7 @@ DESCRIPTION +@@ -162,7 +162,7 @@ DESCRIPTION is a shortcut to specify a ProxyJump configuration directive. Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified @@ -492,7 +460,7 @@ index 94a98ae..cc630d6 100644 hosts. -K Enables GSSAPI-based authentication and forwarding (delegation) -@@ -483,7 +483,7 @@ AUTHENTICATION +@@ -488,7 +488,7 @@ AUTHENTICATION the client machine and the name of the user on that machine, the user is considered for login. Additionally, the server must be able to verify the client's host key (see the description of /etc/ssh/ssh_known_hosts 
@@ -501,7 +469,7 @@ index 94a98ae..cc630d6 100644 authentication method closes security holes due to IP spoofing, DNS spoofing, and routing spoofing. [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general, are -@@ -499,7 +499,7 @@ AUTHENTICATION +@@ -504,7 +504,7 @@ AUTHENTICATION one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA algorithms. @@ -510,7 +478,7 @@ index 94a98ae..cc630d6 100644 for logging in. When the user logs in, the ssh program tells the server which key pair it would like to use for authentication. The client proves that it has access to the private key and the server checks that -@@ -511,15 +511,15 @@ AUTHENTICATION +@@ -516,15 +516,15 @@ AUTHENTICATION DEBUG or higher (e.g. by using the -v flag). The user creates their key pair by running ssh-keygen(1). This stores @@ -534,7 +502,7 @@ index 94a98ae..cc630d6 100644 The authorized_keys file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long. After this, the user can log in without giving the password. -@@ -547,7 +547,7 @@ AUTHENTICATION +@@ -552,7 +552,7 @@ AUTHENTICATION ssh automatically maintains and checks a database containing identification for all hosts it has ever been used with. Host keys are @@ -543,7 +511,7 @@ index 94a98ae..cc630d6 100644 the file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, ssh warns about this and disables -@@ -702,7 +702,7 @@ VERIFYING HOST KEYS +@@ -707,7 +707,7 @@ VERIFYING HOST KEYS To get a listing of the fingerprints along with their random art for all known hosts, the following command line can be used: 
@@ -552,7 +520,7 @@ index 94a98ae..cc630d6 100644 If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified by DNS. An additional resource -@@ -846,7 +846,7 @@ ENVIRONMENT +@@ -851,7 +851,7 @@ ENVIRONMENT USER Set to the name of the user logging in. @@ -561,7 +529,7 @@ index 94a98ae..cc630d6 100644 M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and users are allowed to change their environment. For more information, see the PermitUserEnvironment option in sshd_config(5). -@@ -866,36 +866,36 @@ FILES +@@ -871,36 +871,36 @@ FILES host-based authentication without permitting login with rlogin/rsh. @@ -608,7 +576,7 @@ index 94a98ae..cc630d6 100644 Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply -@@ -904,22 +904,22 @@ FILES +@@ -909,22 +909,22 @@ FILES will be used to encrypt the sensitive part of this file using AES-128. @@ -640,7 +608,7 @@ index 94a98ae..cc630d6 100644 just before the user's shell (or command) is started. See the sshd(8) manual page for more information. diff --git a/sshd.0 b/sshd.0 -index 00d6081..289345a 100644 +index 98855e8..80ff7b9 100644 --- a/sshd.0 +++ b/sshd.0 @@ -194,13 +194,13 @@ LOGIN PROCESS @@ -772,7 +740,7 @@ index 00d6081..289345a 100644 writable only by root, and should be world-readable. diff --git a/sshd.8 b/sshd.8 -index 9c8f2fc..cc33f4e 100644 +index 73d5e92..747ac84 100644 --- a/sshd.8 +++ b/sshd.8 @@ -360,7 +360,7 @@ Changes to run with normal user privileges. @@ -921,7 +889,7 @@ index 9c8f2fc..cc33f4e 100644 machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable. diff --git a/sshd_config.5 b/sshd_config.5 -index 9a1578f..d40d609 100644 +index 7e1a56c..c00127a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -365,7 +365,7 @@ Note that 
@@ -984,20 +952,20 @@ index 9a1578f..d40d609 100644 and .Nm -- -2.37.3 +2.42.1 -From 7b823b2992244fa3b96601518e82c8df53117b75 Mon Sep 17 00:00:00 2001 +From c8ee4d0b0cb156f606599899460244d1a9cf1172 Mon Sep 17 00:00:00 2001 From: Zach Dykstra Date: Sun, 27 Dec 2020 21:38:07 -0600 Subject: mux.c: use rename instead of unsupported hard link diff --git a/mux.c b/mux.c -index b3ffde9..cd87d71 100644 +index d598a17..651e920 100644 --- a/mux.c +++ b/mux.c -@@ -1309,9 +1309,9 @@ muxserver_listen(struct ssh *ssh) +@@ -1325,9 +1325,9 @@ muxserver_listen(struct ssh *ssh) } /* Now atomically "move" the mux socket into position */ @@ -1009,7 +977,7 @@ index b3ffde9..cd87d71 100644 options.control_path, orig_control_path, strerror(errno)); } -@@ -1320,7 +1320,6 @@ muxserver_listen(struct ssh *ssh) +@@ -1336,7 +1336,6 @@ muxserver_listen(struct ssh *ssh) unlink(options.control_path); goto disable_mux_master; } @@ -1018,10 +986,10 @@ index b3ffde9..cd87d71 100644 options.control_path = orig_control_path; -- -2.37.3 +2.42.1 -From 7534d916c83b13f3b40d59e9386be21c70cebc4f Mon Sep 17 00:00:00 2001 +From a9429ac035afe9f14a7db9e56e333b742e326ea4 Mon Sep 17 00:00:00 2001 From: Jerome Duval Date: Tue, 8 Jun 2021 14:25:15 +0200 Subject: gcc2 patch sntrup761.c @@ -1048,10 +1016,10 @@ index 57368bd..1fe66d0 100644 while (i + p <= n - q) { for (j = i;j < i + p;++j) { -- -2.37.3 +2.42.1 -From 8d952a08372ad3678dcc4130c26d1a607c41ab6c Mon Sep 17 00:00:00 2001 +From d9d29a3defce982d6878938b808c0ab4e92c75c8 Mon Sep 17 00:00:00 2001 From: Sergei Reznikov Date: Wed, 20 Oct 2021 16:57:50 +0300 Subject: Use a link to take a backup while replacing the known_hosts file @@ -1075,10 +1043,10 @@ index c5669c7..7fa07ba 100644 error_f("link %.100s to %.100s: %s", filename, back, strerror(errno)); diff --git a/ssh-keygen.c b/ssh-keygen.c -index 2c0c9cd..42c13e1 100644 +index 5b945a8..e41fd04 100644 --- a/ssh-keygen.c 
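Review bot: Going by its subject, the carried mux.c patch swaps the hard link in muxserver_listen() for rename(), and the two calls differ when the destination already exists: link() fails with EEXIST, while rename() silently replaces the existing entry. The changed lines fall between the outer hunks and are not shown, but the visible `unlink(options.control_path); goto disable_mux_master;` fallback suggests an already-exists branch that rename() would never reach, so a second client using the same ControlPath might replace a live master socket instead of disabling multiplexing. It is worth confirming on this rebase whether the patch checks for an existing `orig_control_path` before the rename, and recording the decision in the patch with a comment such as `/* rename() replaces an existing socket; link() would have failed with EEXIST */`.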
+++ b/ssh-keygen.c -@@ -1372,7 +1372,11 @@ do_known_hosts(struct passwd *pw, const char *name, int find_host, +@@ -1369,7 +1369,11 @@ do_known_hosts(struct passwd *pw, const char *name, int find_host, /* Backup existing file */ if (unlink(old) == -1 && errno != ENOENT) fatal("unlink %.100s: %s", old, strerror(errno)); @@ -1091,5 +1059,5 @@ index 2c0c9cd..42c13e1 100644 strerror(errno)); /* Move new one into place */ -- -2.37.3 +2.42.1