author: Alexander Leidinger <netchild@FreeBSD.org> 2004-01-04 14:03:52 +0000
committer: Alexander Leidinger <netchild@FreeBSD.org> 2004-01-04 14:03:52 +0000
commit: 610d2986529afe32c3f498eb0138a8d2aec9e84f
tree: 1b9d0bf17720692ec557b2e1343f249eab7f7b20 /security
parent: Replace "/etc/nologin" with "/var/run/nologin" in manpage to reflect
HEADS-UP: Traditionally this port automatically installs a start-up script for
sshd2 unless it detects an entry for ssh in /etc/inetd.conf. As there are three
ways to automatically start sshd2 and /etc/rc.conf is the simplest one (at least
on FreeBSD 4, with rcNG once /etc/rc.d/sshd is fixed to not be tailored to the
base sshd) this version of the port is the last one to do so. Beginning with the
next version it will only install a sample start-up script. To prevent foot
shooting when updating to the next version this port won't remove an existing
start-up script on deinstall. Please see also the pkg-message that gets
displayed on installation.

- Update to 3.2.9.1. This is _not_ a security update. For the non-commercial
  version the only change worth mentioning since 3.2.5 is the addition of the
  config option "DisableVersionFallback", see sshd2_config(5) for further
  details.
- Use sites from the official list of mirrors for MASTER_SITES.
- Adjust COMMENT to justify why this port is security/ssh2, not security/ssh3.
- Revise list of installed documentation. No longer install MANIFEST (list of
  source files) and INSTALL, install RFCs referenced in sshd2_config(5) and
  HOWTO.anonymous.sftp (patched to better fit FreeBSD).
- Remove WITH_STATIC_SFTP knob. Using the internal sftp-server instead of the
  external (static) one is much simpler to set up and maintain (using the
  external one requires installing a copy of it in the home directory of the
  anonymous sftp user, which has to be manually updated when installing a newer
  version of the port).
- Remove WITHOUT_TCPWRAP knob, libwrap is part of FreeBSD since 3.2.
- Install example scripts for the ExternalAuthorizationProgram and
  AuthKbdInt.Plugin config options in EXAMPLESDIR. See sshd2_config(5) for
  further information.
- Replace references to /etc/ssh2/* in config files with PREFIX/etc/ssh2/*.
- Add a pkg-message displaying the different methods to automatically start
  sshd2.
- Switch to the start-up script for Solaris which is part of the tarball, it
  handles the name of the pidfile better.
- Fix detection of X11 headers, this enables compilation with support for the
  X11 SECURITY extension. See TrustX11Applications in ssh2_config(5) for
  further information.
- Add a test target to the Makefile of the port, the tests seem a bit outdated
  and buggy but it's enough to e.g. do a bit of speed comparison when building
  with different compilers.
- Minor changes and clean-up (sort pkg-plist, don't add /usr/local/lib to the
  library search path when compiling, etc.).

Revive some local modifications lost with the update to 3.1.0:
- Use login_cap(3)/login_class(3) facilities to set environment variables,
  priority and shell, get motd, copyright, hushlogin and nologin, respect
  ignorenologin and requirehome. These changes are roughly based on former
  patch-ah and patch-ai and patches of security/openssh.
- Don't print "No mail.", it's not FreeBSD login style.

Submitted by: maintainer
Notes: svn path=/head/; revision=97275
Diffstat (limited to 'security')
-rw-r--r--  security/ssh2/Makefile                                   142
-rw-r--r--  security/ssh2/distinfo                                     2
-rw-r--r--  security/ssh2/files/patch-HOWTO.anonymous.sftp           117
-rw-r--r--  security/ssh2/files/patch-apps::ssh::Makefile.in          52
-rw-r--r--  security/ssh2/files/patch-apps::ssh::ssh2_config.5        17
-rw-r--r--  security/ssh2/files/patch-apps::ssh::sshchsession.c      282
-rw-r--r--  security/ssh2/files/patch-apps::ssh::sshd2.8              24
-rw-r--r--  security/ssh2/files/patch-apps::ssh::sshd2_config         14
-rw-r--r--  security/ssh2/files/patch-apps::ssh::sshd2_config.5       23
-rw-r--r--  security/ssh2/files/patch-apps::ssh::sshd2_subconfig.5    11
-rw-r--r--  security/ssh2/files/patch-configure                       29
-rw-r--r--  security/ssh2/files/patch-lib::sshapputil::sshuserfile.c  20
-rw-r--r--  security/ssh2/files/patch-lib::sshsession::sshunixuser.c  69
-rw-r--r--  security/ssh2/files/patch-startup::solaris::sshd2         58
-rw-r--r--  security/ssh2/files/sshd.sh                               27
-rw-r--r--  security/ssh2/pkg-message                                 23
-rw-r--r--  security/ssh2/pkg-plist                                   46
17 files changed, 839 insertions, 117 deletions
diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile
index 4866395530b9..9d246a4a26c3 100644
--- a/security/ssh2/Makefile
+++ b/security/ssh2/Makefile
@@ -6,32 +6,67 @@
#
PORTNAME= ssh2
-PORTVERSION= 3.2.5
+PORTVERSION= 3.2.9.1
CATEGORIES= security ipv6
+# The list of official mirror sites is at:
+# http://www.ssh.com/support/downloads/secureshellserver/non-commercial.html
MASTER_SITES= ftp://ftp.ssh.com/pub/ssh/ \
- ftp://sunsite.unc.edu/pub/packages/security/ssh/ \
- ftp://ftp.keystealth.org/pub/ssh/ \
+ ftp://ftp.wiretapped.net/pub/security/cryptography/apps/ssh/SSH/ \
+ http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/SSH/ \
+ ftp://gd.tuwien.ac.at/utils/shells/ssh/ \
+ ftp://ftp.ut.ee/pub/unix/security/ssh/ \
+ ftp://ftp.funet.fi/pub/mirrors/ftp.ssh.com/pub/ssh/ \
+ ftp://ftp.crihan.fr/mirrors/ftp.ssh.com/ \
+ http://ftp.crihan.fr/mirrors/ftp.ssh.com/ \
+ ftp://ftp.cert.dfn.de/pub/tools/net/ssh/ \
+ ftp://ftp.ntua.gr/pub/security/ssh/ \
+ ftp://ftp.unina.it/pub/Unix/ssh/ \
+ ftp://ftp.win.ne.jp/pub/ssh/ \
+ ftp://core.ring.gr.jp/pub/net/ssh/ \
+ http://core.ring.gr.jp/archives/net/ssh/ \
+ ftp://ftp.ring.gr.jp/pub/net/ssh/ \
+ http://www.ring.gr.jp/archives/net/ssh/ \
+ ftp://ftp.ayamura.org/pub/ssh/ \
+ ftp://linux.sarang.net/mirror/network/daemon/security/ssh/ \
+ ftp://giswitch.sggw.waw.pl/pub/ssh/ \
+ ftp://ftp.wsisiz.edu.pl/pub/Unix/ssh/ \
+ ftp://ftp.kreonet.re.kr/pub/security/ssh/ \
+ ftp://ftp.ulak.net.tr/ssh/ \
ftp://metalab.unc.edu/pub/packages/security/ssh/ \
- ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/ \
- ftp://ftp.cronyx.ru/mirror/ssh/ \
- ftp://ftp.univie.ac.at/applications/ssh.com/
+ ftp://ftp.in-span.net/pub/mirrors/ftp.ssh.com/ \
+ ftp://ftp.keystealth.org/pub/ssh/ \
+ ftp://ftp.epix.net/pub/ssh/ \
+ ftp://mirror.pa.msu.edu/ssh/
DISTNAME= ssh-${PORTVERSION}
MAINTAINER= marius@alchemy.franken.de
-COMMENT= Secure shell client and server (remote login program)
+COMMENT= Secure shell client and server for V.2 SSH protocol
CONFLICTS= openssh-* openssh-portable-* openssh-gssapi-* ssh-1.*
-GNU_CONFIGURE= YES
-USE_REINPLACE= YES
-CONFIGURE_ARGS= --with-etcdir=${SSH2_ETC} --disable-debug
+GNU_CONFIGURE= yes
+USE_REINPLACE= yes
+MANCOMPRESSED= no
-SSH2_ETC= ${PREFIX}/etc/ssh2
-SSH2_RCD= ${PREFIX}/etc/rc.d
-CONFIG_FILES= ssh2_config sshd2_config
+MAN1= ssh2.1 ssh-keygen2.1 ssh-add2.1 ssh-agent2.1 scp2.1 sftp2.1 \
+ sshregex.1 ssh-probe2.1 ssh-dummy-shell.1
+MAN5= ssh2_config.5 sshd-check-conf.5 sshd2_config.5 \
+ sshd2_subconfig.5
+MAN8= sshd2.8
+MLINKS= ssh2.1 ssh.1 ssh-add2.1 ssh-add.1 ssh-agent2.1 ssh-agent.1 \
+ ssh-keygen2.1 ssh-keygen.1 scp2.1 scp.1 sftp2.1 sftp.1 \
+ ssh-probe2.1 ssh-probe.1 sshd2.8 sshd.8
+DOCS= CHANGES FAQ HOWTO.anonymous.sftp LICENSE NEWS README \
+ REGEX-SYNTAX SSH2.QUICKSTART \
+ RFC.authorization_program_protocol RFC.kbdint_plugin_protocol
+EXAMPLES= ext_authorization_example.sh kbdint_plugin_example.sh
.include <bsd.port.pre.mk>
+CONFIGURE_ARGS+= --disable-debug --with-foreign-etcdir=${PREFIX}/etc \
+ --with-libwrap
+PKGMESSAGE= ${WRKDIR}/pkg-message
+
# Define if all your users are in their own group and their homedir
# is writeable by that group. Beware the security implications!
#
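Review bot: `--with-libwrap` is now passed unconditionally in the `CONFIGURE_ARGS+=` line after `.include <bsd.port.pre.mk>`, which silently drops the `WITHOUT_TCPWRAP` opt-out the second hunk deletes; the commit message justifies this (libwrap is in the base system since 3.2), but the generated pkg-message or pkg-descr should say that tcp_wrappers is always compiled in, so administrators know that hosts_access(5) rules apply to sshd2 whether or not they asked for them. The move of the configure arguments below `bsd.port.pre.mk` is fine since `--disable-debug` from the deleted `CONFIGURE_ARGS=` line is carried over, but note that the old `SSH2_ETC`/`SSH2_RCD` variables are gone and every later reference must use `${PREFIX}/etc/ssh2` and `${PREFIX}/etc/rc.d` literally.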
@@ -47,63 +82,62 @@ CONFIGURE_ARGS+= --enable-group-writeability
CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer
.endif
-.if exists(/usr/include/tcpd.h) && !defined(WITHOUT_TCPWRAP)
-CONFIGURE_ARGS+= --with-libwrap
-.endif
-
-# This is necessary for a working ssh-chrootmgr. Added by mic@nethack.at.
-#
-.if defined(WITH_STATIC_SFTP)
-CONFIGURE_ARGS+= --enable-static
-PLIST_SUB= STATIC=""
-.else
-PLIST_SUB= STATIC="@comment "
-.endif
-
.if defined(WITH_X11) || (exists(${X11BASE}/lib/libX11.a) \
&& exists(${X11BASE}/bin/xauth) && !defined(WITHOUT_X11))
-USE_XLIB= yes
-PLIST_SUB+= WITH_X11:=""
+USE_XLIB= yes
+PLIST_SUB+= WITH_X11:=""
.else
CONFIGURE_ARGS+= --without-x
-PLIST_SUB+= WITH_X11:="@comment "
+PLIST_SUB+= WITH_X11:="@comment "
.endif
-MAN1= ssh2.1 ssh-keygen2.1 ssh-add2.1 ssh-agent2.1 scp2.1 sftp2.1 \
- sshregex.1 ssh-probe2.1 ssh-dummy-shell.1
-MAN5= ssh2_config.5 sshd-check-conf.5 sshd2_config.5 \
- sshd2_subconfig.5
-MAN8= sshd2.8
-MLINKS= ssh2.1 ssh.1 ssh-add2.1 ssh-add.1 ssh-agent2.1 ssh-agent.1 \
- ssh-keygen2.1 ssh-keygen.1 scp2.1 scp.1 sftp2.1 sftp.1 \
- ssh-probe2.1 ssh-probe.1 sshd2.8 sshd.8
-MANCOMPRESSED= no
-
-MYPORTDOCS= CHANGES FAQ INSTALL LICENSE MANIFEST NEWS README \
- REGEX-SYNTAX SSH2.QUICKSTART
-
post-patch:
-.for i in ${MAN1} ${MAN5} ${MAN8}
- @${REINPLACE_CMD} -e 's|\/etc\/ssh2|${PREFIX}&|g;' \
+.for i in ${MAN1} ${MAN5} ${MAN8} ssh2_config sshd2_config
+ @${REINPLACE_CMD} -e 's|\/etc\/ssh2|${PREFIX}&|g; \
+ s|\/usr\/local|${LOCALBASE}|g' \
${WRKSRC}/apps/ssh/${i}
.endfor
- @${REINPLACE_CMD} -E -e 's|\$$\(ETCDIR\)|${PREFIX}\/etc|g;' \
+.for i in anonymous.example host_ext.example host_int.example
+ @${REINPLACE_CMD} -e 's|\/etc\/ssh2|${PREFIX}&|g' \
+ ${WRKSRC}/apps/ssh/subconfig/${i}
+.endfor
+ @${REINPLACE_CMD} -e 's|\/etc\/ssh2|${PREFIX}&|g' \
+ ${WRKSRC}/HOWTO.anonymous.sftp
+ @${REINPLACE_CMD} -E -e 's|\$$\(ETCDIR\)|${PREFIX}\/etc|g' \
${WRKSRC}/apps/ssh/ssh_dummy_shell.out
+ @${REINPLACE_CMD} -E -e 's|(^TESTS.+)(t-filecopy)|\1|g' \
+ ${WRKSRC}/apps/ssh/tests/Makefile.in
+ @${REINPLACE_CMD} -E -e 's|(^ETCDIR=).+|\1${PREFIX}\/etc\/ssh2|; \
+ s|(^SBINDIR=).+|\1${PREFIX}\/sbin|' \
+ ${WRKSRC}/startup/solaris/sshd2
+ @${SED} 's|%%PREFIX%%|${PREFIX}|g' \
+ ${PKGDIR}/pkg-message > ${WRKDIR}/pkg-message
post-install:
+ @${INSTALL_SCRIPT} ${WRKSRC}/startup/solaris/sshd2 \
+ ${PREFIX}/etc/rc.d/sshd2.sh.sample
+ @${MKDIR} ${EXAMPLESDIR}
+.for i in ${EXAMPLES}
+ @${INSTALL_DATA} ${WRKSRC}/$i ${EXAMPLESDIR}
+.endfor
.if !defined(NOPORTDOCS)
- ${MKDIR} ${DOCSDIR}
-.for i in ${MYPORTDOCS}
- ${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR}
+ @${MKDIR} ${DOCSDIR}
+.for i in ${DOCS}
+ @${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR}
.endfor
.endif
- if [ "`${GREP} ssh /etc/inetd.conf | ${GREP} -v ^#ssh`" = "" ]; then \
- if [ ! -f ${SSH2_RCD}/sshd.sh ]; then \
- ${ECHO} "Installing ${SSH2_RCD}/sshd.sh startup file."; \
- ${SED} -e 's+!!PREFIX!!+${PREFIX}+' < ${FILESDIR}/sshd.sh \
- > ${SSH2_RCD}/sshd.sh; \
- ${CHMOD} 751 ${SSH2_RCD}/sshd.sh; \
+ @if [ "`${GREP} ssh /etc/inetd.conf | ${GREP} -v ^#ssh`" = "" ]; then \
+ if [ ! -f ${PREFIX}/etc/rc.d/sshd2.sh ]; then \
+ ${ECHO_CMD} "Installing ${PREFIX}/etc/sshd2.sh startup file."; \
+ ${INSTALL_SCRIPT} ${WRKSRC}/startup/solaris/sshd2 \
+ ${PREFIX}/etc/rc.d/sshd2.sh; \
fi; \
fi
+ @${CAT} ${WRKDIR}/pkg-message
+
+test: build
+ @-cd ${WRKSRC}/lib/sshcrypto/tests && ${MAKE} check-TESTS
+ @-cd ${WRKSRC}/apps/ssh/lib/sshproto/tests && ${MAKE} check-TESTS
+ @-cd ${WRKSRC}/apps/ssh/tests && ${MAKE} check-TESTS
.include <bsd.port.post.mk>
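Review bot: the message printed by `${ECHO_CMD} "Installing ${PREFIX}/etc/sshd2.sh startup file."` names a different path from the one the following `${INSTALL_SCRIPT}` writes to (`${PREFIX}/etc/rc.d/sshd2.sh`); the message should read `${PREFIX}/etc/rc.d/sshd2.sh`, especially since the HEADS-UP tells users this is the file that will be left behind on deinstall. The inetd test `${GREP} ssh /etc/inetd.conf | ${GREP} -v ^#ssh` also matches any line merely containing "ssh" (a comment written as `# ssh ...` or a line mentioning `sshd`), in which case the start-up script is never installed; anchoring the match on the service field, e.g. `${GREP} '^ssh[[:space:]]'`, would make the check do what the commit message says. In the new `test:` target every `check-TESTS` run is prefixed with `@-`, so a failing test suite still reports success; given the commit message calls the tests buggy that may be intended, but a comment saying so would stop someone relying on `make test` as a gate.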
diff --git a/security/ssh2/distinfo b/security/ssh2/distinfo
index 60f0dd3cf395..e69233070f91 100644
--- a/security/ssh2/distinfo
+++ b/security/ssh2/distinfo
@@ -1 +1 @@
-MD5 (ssh-3.2.5.tar.gz) = 0d9da1d79e4ce9cff44daf93e5b66a11
+MD5 (ssh-3.2.9.1.tar.gz) = f3ed49f13419d97dc1d0d3bfb4bb99bf
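Review bot: this single MD5 digest is the only integrity check on the tarball, and the Makefile hunk above fetches it from some thirty third-party ftp/http mirrors rather than only from ftp.ssh.com, so a tampered copy on any one mirror is caught by nothing else; the distinfo should carry the strongest digest (and the file size) the ports framework supports, and the digest should be taken from the vendor's own site rather than from a mirror.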
diff --git a/security/ssh2/files/patch-HOWTO.anonymous.sftp b/security/ssh2/files/patch-HOWTO.anonymous.sftp
new file mode 100644
index 000000000000..64208861668d
--- /dev/null
+++ b/security/ssh2/files/patch-HOWTO.anonymous.sftp
@@ -0,0 +1,117 @@
+--- HOWTO.anonymous.sftp.orig Wed Dec 3 14:17:17 2003
++++ HOWTO.anonymous.sftp Thu Jan 1 19:18:54 2004
+@@ -3,57 +3,27 @@
+ Author: Sami Lehtinen <sjl@ssh.com>
+ Created: Thu Oct 18 18:21:56 2001
+
+-1. Follow the standard build process otherwise, except for the following
++1. Create a dedicated user account for the guest user (e.g. "ssh-guest").
+
+- % ./configure --enable-static <your-flags-here>
+-
+- If your system doesn't support fully static binaries (atleast newer
+- Solarises), you have to copy extra files after step 5, so that the
+- necessary shared libraries and system configuration files can be
+- found by ssh-dummy-shell and sftp-server in the chrooted
+- environment.
+-
+- With internal sftp-server:
+- You may also use the internal sftp-server. It simplifies logging and
+- chrooting considerably. You don't need to build the static binaries.
+-
+-2. Create a dedicated user account for the guest user (e.g. "ssh-guest").
+-
+- In RH Linux:
+-
+- % useradd [-d home_dir] [-u uid] [-g group] [-s default-shell] ssh-guest
++ % pw useradd ssh-guest -m -s /nonexistent [-d homedir] [-u uid] [-g group]
+
+ Remember that the home directory will be the root ("/") of the
+ chrooted environment, so choose wisely (you can change it later, of
+ course).
+
+-3. Set some known password (e.g. "guest") for the account with "passwd".
++2. Set some known password (e.g. "guest") for the account with "passwd".
+
+-4. Change the user's shell to "ssh-dummy-shell" with "vipw".
++ % passwd ssh-guest
+
+- With internal sftp-server:
+- If you're using the internal sftp-server, you can use /bin/false or
+- whatever as the user's shell. The sftp service isn't executed with
+- the shell in this case. The user's shell doesn't even need to exist.
+-
+-5. Run
+-
+- % ssh-chrootmgr -v ssh-guest # (or the account you created)
+-
+- This will copy necessary static binaries to the user's home directory.
+-
+- With internal sftp-server:
+- You don't need this step if you don't need the static
+- ssh-dummy-shell.
+-
+-6. Modify /etc/ssh2/sshd2_config. Add the following line:
++3. Modify /etc/ssh2/sshd2_config. Add the following line:
+
+ ChRootUsers ssh-guest
+
+-7. If you wish, you may announce the existence of this account in your
+- login banner message. The file /etc/ssh2/ssh_banner_message, if not
+- empty, will be displayed to incoming users before they authenticate. Or
+- you can change the default by modifying the sshd2_config:
++4. If you wish, you may announce the existence of this account in your
++ login banner message. The file /etc/ssh2/ssh_banner_message,
++ if not empty, will be displayed to incoming users before they
++ authenticate. Or you can change the default by modifying the
++ /etc/ssh2/sshd2_config:
+
+ BannerMessageFile /etc/ssh2/some_other_ssh_banner_message
+
+@@ -74,7 +44,7 @@
+ Remember that you may use subconfiguration files to change a banner
+ message based on e.g. user name (xxx example file).
+
+-8. You most probably want to restrict access to read-only. For this,
++5. You most probably want to restrict access to read-only. For this,
+ change the accounts owner to something else (e.g. root):
+
+ % chown -R root:root ~ssh-guest
+@@ -82,7 +52,7 @@
+ If you want to give some directories write access, change ownership of
+ those to "ssh-guest".
+
+-9. To enable logging, you have to add the following line to sshd2_config
++6. To enable logging, you have to add the following line to sshd2_config
+ (or possibly to a subconfig file (see sshd2_subconfig(5))):
+
+ SftpSysLogFacility <facility>
+@@ -90,26 +60,11 @@
+ <facility> could be LOCAL7, or whatever you wish. See sshd2_config(5)
+ for additional documentation.
+
+- Note, that logging in the chrooted environment with a separate
+- binary for sftp-server is tricky. Most likely you have to create a
+- /dev/log device under the chrooted jail, and add that to the listened
+- devices (with the full path) of your syslogd. See the documentation of
+- syslog daemon for this. However, see below.
+-
+- With internal sftp-server:
+- Logging in the chrooted jail is much simpler with the internal
+- sftp-server. Just specify the correct SftpSysLogFacility, and you are
+- set.
+-
+-10. Add your sftp-server to sshd2_config (if not already there):
+-
+- subsystem-sftp sftp-server
+-
+- With internal sftp-server:
++7. Add your sftp-server to sshd2_config (if not already there):
+
+ subsystem-sftp internal://sftp-server
+
+-11. Remember to restart the sshd2 daemon after you modify the configuration
++8. Remember to restart the sshd2 daemon after you modify the configuration
+ file for the changes to take effect!
+
+ Have fun.
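Review bot: the unchanged step `% chown -R root:root ~ssh-guest` will fail on FreeBSD, which has no `root` group (gid 0 is `wheel`); since the patch rewrites the HOWTO for FreeBSD (`pw useradd ssh-guest -m -s /nonexistent`), this line should become `chown -R root:wheel ~ssh-guest`, otherwise the chroot root stays owned by the guest user created with `-m` and the read-only intent of that step is not achieved. Because the HOWTO also publishes a known password ("guest") for the account, it is worth adding a sentence that the guest should be confined to the sftp subsystem through a user-specific subconfiguration (sshd2_subconfig(5)) rather than relying on the non-existent shell alone.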
diff --git a/security/ssh2/files/patch-apps::ssh::Makefile.in b/security/ssh2/files/patch-apps::ssh::Makefile.in
new file mode 100644
index 000000000000..a5d483be0a60
--- /dev/null
+++ b/security/ssh2/files/patch-apps::ssh::Makefile.in
@@ -0,0 +1,52 @@
+--- apps/ssh/Makefile.in.orig Wed Dec 3 14:17:48 2003
++++ apps/ssh/Makefile.in Fri Jan 2 09:23:14 2004
+@@ -1019,36 +1019,20 @@
+ fi
+
+ install-symlinks:
+- -mv -f $(DESTDIR)$(bindir)/ssh $(DESTDIR)$(bindir)/ssh.old
+- -mv -f $(DESTDIR)$(bindir)/ssh-agent $(DESTDIR)$(bindir)/ssh-agent.old
+- -mv -f $(DESTDIR)$(bindir)/ssh-add $(DESTDIR)$(bindir)/ssh-add.old
+- -mv -f $(DESTDIR)$(bindir)/ssh-askpass $(DESTDIR)$(bindir)/ssh-askpass.old
+- -mv -f $(DESTDIR)$(bindir)/ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen.old
+- -mv -f $(DESTDIR)$(bindir)/scp $(DESTDIR)$(bindir)/scp.old
+- -mv -f $(DESTDIR)$(bindir)/sftp $(DESTDIR)$(bindir)/sftp.old
+- -mv -f $(DESTDIR)$(bindir)/sftp-server $(DESTDIR)$(bindir)/sftp-server.old
+- -mv -f $(DESTDIR)$(bindir)/ssh-signer $(DESTDIR)$(bindir)/ssh-signer.old
+- -mv -f $(DESTDIR)$(bindir)/ssh-probe $(DESTDIR)$(bindir)/ssh-probe.old
+-
+ (cd $(DESTDIR)$(bindir) && $(LN_S) ssh2 ssh)
+ (cd $(DESTDIR)$(bindir) && $(LN_S) ssh-agent2 ssh-agent)
+ (cd $(DESTDIR)$(bindir) && $(LN_S) ssh-add2 ssh-add)
+- (cd $(DESTDIR)$(bindir) && $(LN_S) ssh-askpass2 ssh-askpass)
++ case x"@CONFPROGRAMS@" in \
++ x*askpass*) \
++ (cd $(DESTDIR)$(bindir) && $(LN_S) ssh-askpass2 ssh-askpass) ;; \
++ esac
+ (cd $(DESTDIR)$(bindir) && $(LN_S) ssh-keygen2 ssh-keygen)
+ (cd $(DESTDIR)$(bindir) && $(LN_S) scp2 scp)
+ (cd $(DESTDIR)$(bindir) && $(LN_S) sftp2 sftp)
+ (cd $(DESTDIR)$(bindir) && $(LN_S) sftp-server2 sftp-server)
+ (cd $(DESTDIR)$(bindir) && $(LN_S) ssh-signer2 ssh-signer)
+ (cd $(DESTDIR)$(bindir) && $(LN_S) ssh-probe2 ssh-probe)
+- -mv -f $(DESTDIR)$(sbindir)/sshd $(DESTDIR)$(sbindir)/sshd.old
+ (cd $(DESTDIR)$(sbindir) && $(LN_S) sshd2 sshd)
+- -mv -f $(DESTDIR)$(mandir)/man1/ssh.1 $(DESTDIR)$(mandir)/man1/ssh.old.1
+- -mv -f $(DESTDIR)$(mandir)/man1/ssh-add.1 $(DESTDIR)$(mandir)/man1/ssh-add.old.1
+- -mv -f $(DESTDIR)$(mandir)/man1/ssh-agent.1 $(DESTDIR)$(mandir)/man1/ssh-agent.old.1
+- -mv -f $(DESTDIR)$(mandir)/man1/ssh-keygen.1 $(DESTDIR)$(mandir)/man1/ssh-keygen.old.1
+- -mv -f $(DESTDIR)$(mandir)/man1/scp.1 $(DESTDIR)$(mandir)/man1/scp.old.1
+- -mv -f $(DESTDIR)$(mandir)/man1/sftp.1 $(DESTDIR)$(mandir)/man1/sftp.old.1
+- -mv -f $(DESTDIR)$(mandir)/man1/ssh-probe.1 $(DESTDIR)$(mandir)/man1/ssh-probe.old.1
+ (cd $(DESTDIR)$(mandir)/man1 && $(LN_S) ssh2.1 ssh.1)
+ (cd $(DESTDIR)$(mandir)/man1 && $(LN_S) ssh-add2.1 ssh-add.1)
+ (cd $(DESTDIR)$(mandir)/man1 && $(LN_S) ssh-agent2.1 ssh-agent.1)
+@@ -1056,7 +1040,6 @@
+ (cd $(DESTDIR)$(mandir)/man1 && $(LN_S) scp2.1 scp.1)
+ (cd $(DESTDIR)$(mandir)/man1 && $(LN_S) sftp2.1 sftp.1)
+ (cd $(DESTDIR)$(mandir)/man1 && $(LN_S) ssh-probe2.1 ssh-probe.1)
+- -mv -f $(DESTDIR)$(mandir)/man8/sshd.8 $(DESTDIR)$(mandir)/man8/sshd.old.8
+ (cd $(DESTDIR)$(mandir)/man8 && $(LN_S) sshd2.8 sshd.8)
+
+ clean-up-old:
+
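Review bot: deleting the `-mv -f ... .old` lines removes the only thing that tolerated a pre-existing `ssh`, `sshd` or man page link, and the remaining `(cd $(DESTDIR)$(bindir) && $(LN_S) ssh2 ssh)` lines are not error-tolerant (no leading `-`), so a stale link left over in `$(bindir)` or `$(sbindir)` aborts `install-symlinks` with "File exists"; the port's CONFLICTS line covers packaged OpenSSH, but a `rm -f` before each link, or `$(LN_S) -f`, would make the target idempotent. Guarding the `ssh-askpass` link with `case x"@CONFPROGRAMS@" in x*askpass*)` is the right fix, since the binary only exists in X11 builds.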
diff --git a/security/ssh2/files/patch-apps::ssh::ssh2_config.5 b/security/ssh2/files/patch-apps::ssh::ssh2_config.5
new file mode 100644
index 000000000000..49c11e4cc85f
--- /dev/null
+++ b/security/ssh2/files/patch-apps::ssh::ssh2_config.5
@@ -0,0 +1,17 @@
+--- apps/ssh/ssh2_config.5.orig Wed Dec 3 17:05:48 2003
++++ apps/ssh/ssh2_config.5 Wed Dec 3 17:06:25 2003
+@@ -136,14 +136,6 @@
+ .ne 3
+
+ .TP
+-.B Cert.RSA.Compat.HashScheme
+-Older SSH Secure Shell clients and servers used hashes in an incoherent
+-manner (sometimes MD5, sometimes SHA-1). With this option, you can set
+-what hash is used. Valid values are "\fBmd5\fR" and "\fBsha1\fR". The
+-default is "\fBmd5\fR" (works in most cases).
+-.ne 3
+-
+-.TP
+ .B Ciphers
+ Specifies the ciphers to use for encrypting the
+ session. Currently,
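Review bot: the removal of the `Cert.RSA.Compat.HashScheme` entry (repeated below for sshd2_config.5 and sshd2_subconfig.5) has no stated reason in the patch header or the commit message; record why the option is undocumented in this build (for instance, whether it is not honoured by the non-commercial version), otherwise a later update will re-add the text and a reader of the three patches cannot tell a deliberate deletion from a merge accident.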
diff --git a/security/ssh2/files/patch-apps::ssh::sshchsession.c b/security/ssh2/files/patch-apps::ssh::sshchsession.c
index 36f18b967cbe..f503e324bc93 100644
--- a/security/ssh2/files/patch-apps::ssh::sshchsession.c
+++ b/security/ssh2/files/patch-apps::ssh::sshchsession.c
@@ -1,22 +1,276 @@
--- apps/ssh/sshchsession.c.orig Thu Jul 3 00:19:57 2003
+++ apps/ssh/sshchsession.c Thu Jul 3 00:21:12 2003
-@@ -218,8 +218,8 @@
- #ifdef _PATH_USERPATH
- #define DEFAULT_PATH _PATH_USERPATH
- #else
--#ifdef _PATH_DEFPATH
--#define DEFAULT_PATH _PATH_DEFPATH
-+#ifdef _PATH_STDPATH
-+#define DEFAULT_PATH _PATH_STDPATH
- #else
- #define DEFAULT_PATH "/bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin"
- #endif
-@@ -502,7 +502,7 @@
+@@ -122,6 +122,11 @@
+
+
+
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++#include <login_cap.h>
++#include <sys/copyright.h>
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
++
+ #define SSH_DEBUG_MODULE "Ssh2ChannelSession"
+
+ #define SSH_SESSION_INTERACTIVE_WINDOW 10000
+@@ -487,6 +492,14 @@
+ char *user_conf_dir = NULL;
+ int i;
+
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ extern char **environ;
++ char *path, *newpath, **saveenv;
++ struct passwd *pw;
++
++ pw = getpwuid(ssh_user_uid(session->common->user_data));
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
++
+ user_name = session->common->user;
+
+ if (ssh_user_needs_chroot(session->common->user_data, session->common))
+@@ -502,7 +515,11 @@
ssh_child_set_env(envp, envsizep, "HOME", user_dir);
ssh_child_set_env(envp, envsizep, "USER", user_name);
ssh_child_set_env(envp, envsizep, "LOGNAME", user_name);
-- ssh_child_set_env(envp, envsizep, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
-+ ssh_child_set_env(envp, envsizep, "PATH", DEFAULT_PATH SSH_BINDIR);
++#ifdef __FreeBSD__
++ ssh_child_set_env(envp, envsizep, "PATH", _PATH_STDPATH SSH_BINDIR);
++#else
+ ssh_child_set_env(envp, envsizep, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
++#endif
#ifdef MAIL_SPOOL_DIRECTORY
ssh_snprintf(buf, sizeof(buf), "%s/%s", MAIL_SPOOL_DIRECTORY, user_name);
+@@ -529,6 +546,39 @@
+ if (getenv("TZ"))
+ ssh_child_set_env(envp, envsizep, "TZ", getenv("TZ"));
+
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ saveenv = environ;
++ environ = *envp;
++
++ if (setusercontext(NULL, pw, ssh_user_uid(session->common->user_data),
++ LOGIN_SETPATH | LOGIN_SETENV) == 0)
++ {
++ if ((path = getenv("PATH")) == NULL)
++ newpath = ssh_xstrdup(SSH_BINDIR);
++ else if (strstr(path, SSH_BINDIR) == NULL)
++ ssh_dsprintf(&newpath, "%s:%s", path, SSH_BINDIR);
++ else
++ newpath = ssh_xstrdup(path);
++
++ *envp = environ;
++ environ = saveenv;
++ for (*envsizep = 0; (*envp)[*envsizep] != NULL; (*envsizep)++)
++ ; /* nothing */
++ *envsizep += 51;
++ (*envp) = ssh_xrealloc(*envp, (*envsizep) * sizeof(char *));
++
++ ssh_child_set_env(envp, envsizep, "PATH", newpath);
++ ssh_xfree(newpath);
++ }
++ else
++ {
++ *envp = environ;
++ environ = saveenv;
++ ssh_debug("setusercontext: unable to set user context");
++ }
++ endpwent();
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
++
+ /* Set SSH_CLIENT. */
+ ssh_snprintf(buf, sizeof(buf), "%s %s %s %s",
+ session->common->remote_ip, session->common->remote_port,
+@@ -632,6 +682,11 @@
+ FILE *f;
+ char *user_conf_dir = NULL;
+
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ struct passwd *pw;
++ login_cap_t *lc;
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
++
+ #ifdef SSH_CHANNEL_X11
+ const char *auth_protocol;
+ const char *auth_cookie;
+@@ -643,6 +698,18 @@
+ #endif /* SSH_CHANNEL_X11 */
+
+ shell = ssh_user_shell(session->common->user_data);
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ pw = getpwuid(ssh_user_uid(session->common->user_data));
++ lc = login_getpwclass(pw);
++ if (lc == NULL)
++ ssh_debug("Unable to get login class: %s", session->common->user);
++ else
++ {
++ shell = login_getcapstr(lc, "shell", (char *) shell, (char *) shell);
++ login_close(lc);
++ }
++ endpwent();
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+ user_conf_dir = ssh_user_conf_dir(session->common->user_data,
+ session->common->config);
+
+@@ -844,12 +911,24 @@
+ extern char **environ;
+ unsigned int envsize;
+ int i;
+- FILE *f;
++ FILE *f = NULL;
+ char *subsystem_path = NULL;
+ Boolean needs_chroot = FALSE, run_internal_sftp_server = FALSE;
+ const char *chroot_dir = NULL;
+ SshUserFDCloseCB close_fds = NULL_FNPTR;
+ SshConfig config = session->common->config;
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ struct passwd *pw;
++ login_cap_t *lc;
++
++ pw = getpwuid(ssh_user_uid(session->common->user_data));
++ lc = login_getpwclass(pw);
++ if (lc == NULL)
++ {
++ ssh_debug("Unable to get login class: %s", session->common->user);
++ exit(254);
++ }
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+
+
+
+@@ -865,6 +944,11 @@
+ #endif /* HAVE_IF */
+
+ /* Check /etc/nologin. */
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0))
++ f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN, _PATH_NOLOGIN),
++ "r");
++#else /* ! (__FreeBSD && HAVE_LOGIN_CAP_H) */
+ if ((f = fopen("/etc/nologin", "r")) == NULL)
+ {
+ char hname[MAXHOSTNAMELEN];
+@@ -877,12 +961,17 @@
+ ssh_debug("%s %s.", nologin_path, f ? "exists" : "does not exist");
+ ssh_xfree(nologin_path);
+ }
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+
+ if (f)
+ { /* /etc/nologin exists. Print its contents and exit. */
+ /* Print a message about /etc/nologin existing; I am getting
+ questions because of this every week. */
++#ifdef __FreeBSD__
++ ssh_warning("Logins are currently denied with " _PATH_NOLOGIN ":");
++#else
+ ssh_warning("Logins are currently denied with /etc/nologin:");
++#endif
+ while (fgets(buf, sizeof(buf), f))
+ fputs(buf, stderr);
+ fclose(f);
+@@ -963,8 +1052,8 @@
+ {
+ if (chdir("/") < 0)
+ {
+- ssh_debug("Chroot to user '%s' home directory failed!",
+- session->common->user);
++ ssh_debug("Chroot to user '%s' home directory failed: %s",
++ session->common->user, strerror(errno));
+ exit(254);
+ }
+ }
+@@ -975,6 +1064,10 @@
+ ssh_warning("Could not chdir to home directory %s: %s",
+ ssh_user_dir(session->common->user_data),
+ strerror(errno));
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ if (login_getcapbool(lc, "requirehome", 0))
++ exit(254);
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+ chdir("/");
+ }
+ }
+@@ -1128,6 +1221,12 @@
+
+
+ shell = ssh_user_shell(session->common->user_data);
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ shell = login_getcapstr(lc, "shell", (char *) shell, (char *) shell);
++ login_close(lc);
++ endpwent();
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
++
+ argv[0] = (char *)shell;
+ argv[1] = "-c";
+ argv[2] = (char *)session->common->forced_command;
+@@ -1158,6 +1257,9 @@
+
+ /* Get the user's shell, and the last component of it. */
+ shell = ssh_user_shell(session->common->user_data);
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ shell = login_getcapstr(lc, "shell", (char *) shell, (char *) shell);
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+
+ shell_no_path = strrchr(shell, '/');
+ if (shell_no_path)
+@@ -1188,6 +1290,9 @@
+ (needs_chroot ? "" :
+ ssh_user_dir(session->common->user_data)));
+ quiet_login = stat(linebuf, &st) >= 0;
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ quiet_login |= login_getcapbool(lc, "hushlogin", 0);
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+
+ if (!quiet_login)
+ {
+@@ -1217,11 +1322,28 @@
+ ssh_xfree(time_string);
+ }
+ #endif /* HAVE_SIA */
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ SSH_DEBUG(7, ("Printing copyright."));
++ f = fopen(login_getcapstr(lc, "copyright", NULL, NULL), "r");
++ if (f)
++ {
++ while (fgets(linebuf, sizeof(linebuf), f) != NULL)
++ fputs(linebuf, stdout);
++ fclose(f);
++ }
++ else
++ fputs(COPYRIGHT_UCB "\n", stdout);
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+ /* print motd, if "PrintMotd yes" and it exists */
+ if (config->print_motd)
+ {
+ SSH_DEBUG(7, ("Printing MOTD."));
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
++ "/etc/motd"), "r");
++#else /* ! (__FreeBSD && HAVE_LOGIN_CAP_H) */
+ f = fopen("/etc/motd", "r");
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+ if (f)
+ {
+ while (fgets(linebuf, sizeof(linebuf), f))
+@@ -1239,7 +1361,11 @@
+ {
+ struct stat mailbuf;
+ if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
++#ifndef __FreeBSD__
+ printf("No mail.\n");
++#else
++ ; /* nothing */
++#endif
+ else if (mailbuf.st_atime > mailbuf.st_mtime)
+ printf("You have mail.\n");
+ else
+@@ -1248,6 +1374,11 @@
+ }
+ }
+ }
++
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ login_close(lc);
++ endpwent();
++#endif /* __FreeBSD__ && HAVE_LOGIN_CAP_H */
+
+ execve(shell, argv, env);
+ /* Executing the shell failed. */
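Review bot: `f = fopen(login_getcapstr(lc, "copyright", NULL, NULL), "r");` passes a NULL path to fopen whenever the login class has no `copyright` capability, because NULL is both the default and the error value of login_getcapstr(3); store the result, and only call fopen when it is non-NULL, falling through to the `COPYRIGHT_UCB` branch otherwise. The `pw = getpwuid(...)` results are likewise dereferenced without a NULL check (`pw->pw_uid != UID_ROOT` in the nologin block, and `login_getpwclass(pw)` in three places); a missing passwd entry should be treated like the "Unable to get login class" case that already does `exit(254)`, so that a session never proceeds with an unknown user. The `*envsizep += 51;` after swapping `environ` back deserves a comment explaining where 51 comes from, since ssh_child_set_env presumably relies on that slack. Casting `shell` to `(char *)` for login_getcapstr discards its const qualifier; a local non-const copy would avoid that.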
diff --git a/security/ssh2/files/patch-apps::ssh::sshd2.8 b/security/ssh2/files/patch-apps::ssh::sshd2.8
new file mode 100644
index 000000000000..98c3ddaf29dc
--- /dev/null
+++ b/security/ssh2/files/patch-apps::ssh::sshd2.8
@@ -0,0 +1,24 @@
+--- apps/ssh/sshd2.8.orig Wed Dec 3 14:17:23 2003
++++ apps/ssh/sshd2.8 Sun Dec 28 17:09:32 2003
+@@ -241,20 +241,11 @@
+ login time, message of the day and mailcheck.)
+
+ .TP
+-.I /etc/nologin
++.I /var/run/nologin
+ If this file exists,
+ .B sshd2
+ refuses to let anyone except root log in. The contents of the file
+ is displayed to anyone trying to log in. The file should be world-readable.
+-
+-.TP
+-.I /etc/nologin_<hostname>
+-As above, but the filename is constructed from the name of the
+-host. Check output of
+-.B hostname
+-to see what name you should use in the filename. This functionality is
+-supposed to be used by clustered machines (which share
+-.IR /etc ).
+
+ .TP
+ .I \&$HOME/\s+2.\s0rhosts
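Review bot: the FILES entry now names `/var/run/nologin`, but the sshchsession.c patch in this commit takes the path from the login class `nologin` capability with `_PATH_NOLOGIN` only as the default, skips the check for root, and skips it for classes with `ignorenologin` set; the man page should say so, otherwise an administrator who overrides `nologin` in login.conf(5) is told the wrong file is consulted. Dropping the `/etc/nologin_<hostname>` paragraph is consistent with the code, where that lookup sits in the non-FreeBSD `#else` branch.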
diff --git a/security/ssh2/files/patch-apps::ssh::sshd2_config b/security/ssh2/files/patch-apps::ssh::sshd2_config
new file mode 100644
index 000000000000..b1db331e2fec
--- /dev/null
+++ b/security/ssh2/files/patch-apps::ssh::sshd2_config
@@ -0,0 +1,14 @@
+--- apps/ssh/sshd2_config.orig Wed Dec 3 14:17:28 2003
++++ apps/ssh/sshd2_config Thu Jan 1 19:33:35 2004
+@@ -188,9 +188,9 @@
+ ## subsystem definitions
+
+ # Subsystems don't have defaults, so this is needed here (uncommented).
+- subsystem-sftp sftp-server
++# subsystem-sftp sftp-server
+ # Also internal sftp-server subsystem can be used.
+-# subsystem-sftp internal://sftp-server
++ subsystem-sftp internal://sftp-server
+
+ ## Subconfiguration
+ # There are no default subconfiguration files. When specified the last
diff --git a/security/ssh2/files/patch-apps::ssh::sshd2_config.5 b/security/ssh2/files/patch-apps::ssh::sshd2_config.5
new file mode 100644
index 000000000000..a9c3be0414b9
--- /dev/null
+++ b/security/ssh2/files/patch-apps::ssh::sshd2_config.5
@@ -0,0 +1,23 @@
+--- apps/ssh/sshd2_config.5.orig Wed Dec 3 17:08:53 2003
++++ apps/ssh/sshd2_config.5 Wed Dec 3 17:09:35 2003
+@@ -288,20 +288,6 @@
+ .ne 3
+
+ .TP
+-.B Cert.RSA.Compat.HashScheme
+-Older SSH Secure Shell clients and servers used hashes in an incoherent
+-manner (sometimes MD5, sometimes SHA-1). With this option, you can set
+-what hash is used. This option can be set in
+-.BR HostSpecificConfig ,
+-and then reset in
+-.BR UserSpecificConfig ,
+-in which case the value set in host-specific configuration will apply to
+-the initial key exchange and during authentication the value in the
+-user-specific configuration will be used. Valid values are "\fBmd5\fR"
+-and "\fBsha1\fR". The default is "\fBmd5\fR" (works in most cases).
+-.ne 3
+-
+-.TP
+ .B CheckMail
+ Makes \fBsshd2\fR print information whether there is new mail or not
+ when a user logs in interactively. (On some systems this information
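Review bot: the entry for Cert.RSA.Compat.HashScheme is deleted from the man page without any stated reason, and neither the patch nor the commit message says whether sshd2 in this non-commercial build still accepts the option; if it does, the deletion hides a setting that selects MD5 or SHA-1 for certificate hashing with a documented default of md5, which an administrator would want to know about. patch(1) ignores text before the first `---` header, so a one-line rationale at the top of the patch file (for example that the option is not compiled into this build) is enough to stop the next version update from silently dropping or re-adding the entry without anyone checking.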
diff --git a/security/ssh2/files/patch-apps::ssh::sshd2_subconfig.5 b/security/ssh2/files/patch-apps::ssh::sshd2_subconfig.5
new file mode 100644
index 000000000000..53bdc2f25536
--- /dev/null
+++ b/security/ssh2/files/patch-apps::ssh::sshd2_subconfig.5
@@ -0,0 +1,11 @@
+--- apps/ssh/sshd2_subconfig.5.orig Wed Dec 3 17:13:11 2003
++++ apps/ssh/sshd2_subconfig.5 Wed Dec 3 17:13:31 2003
+@@ -136,8 +136,6 @@
+ .LP
+ .B AuthPublicKey.MinSize
+ .LP
+-.B Cert.RSA.Compat.HashScheme
+-.LP
+ .B CheckMail
+ .LP
+ .B DenyShosts
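Review bot: this matches the removal from sshd2_config.5 above and is required for consistency, since this list enumerates the options permitted in subconfiguration files; the same missing rationale applies, so a pointer to whatever explanation ends up in patch-apps::ssh::sshd2_config.5 is sufficient here. Before committing, grep the remaining man pages and the shipped sshd2_config for the option name so that no third copy is left behind and the installed documentation agrees with the installed configuration.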
diff --git a/security/ssh2/files/patch-configure b/security/ssh2/files/patch-configure
new file mode 100644
index 000000000000..a1e3a8ac43cb
--- /dev/null
+++ b/security/ssh2/files/patch-configure
@@ -0,0 +1,29 @@
+--- configure.orig Wed Dec 3 14:17:42 2003
++++ configure Mon Dec 29 01:43:15 2003
+@@ -3773,7 +3773,7 @@
+ #
+
+ # So many systems seem to need this that it is better do it here automatically.
+-LIBS="-L/usr/local/lib $LIBS"
++#LIBS="-L/usr/local/lib $LIBS"
+
+ # Platform-specific stuff.
+ case "$target" in
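Review bot: commenting out `LIBS="-L/usr/local/lib $LIBS"` leaves the sentence above it ("So many systems seem to need this that it is better do it here automatically.") describing the opposite of what the script now does; delete that comment or replace it with the reason the port disables the line. The reason deserves stating: with the previous version of this port installed, an unconditional -L/usr/local/lib risks having the linker resolve the port's own libraries against the already-installed copies rather than the freshly built ones, which is exactly what must not happen when rebuilding for a security update. If some dependency in /usr/local/lib is genuinely needed, passing it explicitly through the port's CONFIGURE_ENV or LDFLAGS is the cleaner route.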
+@@ -10994,7 +10994,7 @@
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+- X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE"
++# X_PRE_LIBS="$X_PRE_LIBS -lSM -lICE"
+ else
+ echo "$ac_t""no" 1>&6
+ fi
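Review bot: with the assignment commented out, the `if eval "test ... = yes"` branch still prints "yes" but no longer does anything, so the libSM/libICE check is dead code that reports success in the configure output while having no effect on the link line. If the port never wants -lSM -lICE, say so in a comment next to the commented-out line, or force the corresponding ac_cv_lib_ cache variable from CONFIGURE_ENV, which avoids editing the generated configure script that has to be re-patched at every upstream update.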
+@@ -11112,7 +11112,7 @@
+ #include "confdefs.h"
+ #include <$ac_hdr>
+ EOF
+-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
++ac_try="$ac_cpp -I$x_includes conftest.$ac_ext >/dev/null 2>conftest.out"
+ { (eval echo configure:11117: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
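Review bot: `-I$x_includes` is unguarded, and autoconf's X path detection leaves x_includes empty when the headers live in a standard location; the command then becomes `$ac_cpp -I conftest.$ac_ext ...`, the preprocessor consumes conftest.c as the include directory, and every header test in this loop fails. Use `${x_includes:+-I$x_includes}` (and treat the literal value `NONE`, which autoconf also uses, the same way) so the flag is only emitted when there is an actual path to pass.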
diff --git a/security/ssh2/files/patch-lib::sshapputil::sshuserfile.c b/security/ssh2/files/patch-lib::sshapputil::sshuserfile.c
new file mode 100644
index 000000000000..9886bee1a3ca
--- /dev/null
+++ b/security/ssh2/files/patch-lib::sshapputil::sshuserfile.c
@@ -0,0 +1,20 @@
+--- lib/sshapputil/sshuserfile.c.orig Wed Dec 3 14:17:21 2003
++++ lib/sshapputil/sshuserfile.c Mon Dec 29 20:58:27 2003
+@@ -742,12 +742,13 @@
+ if (uid != geteuid() || uid != getuid())
+ {
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+- struct passwd * pw = getpwuid(uid);
+- login_cap_t * lc = login_getuserclass(pw);
+- if (setusercontext(lc, pw, uid,
++ struct passwd *pw;
++
++ pw = getpwuid(uid);
++ if (setusercontext(NULL, pw, uid,
+ LOGIN_SETALL & ~(LOGIN_SETLOGIN | LOGIN_SETPATH |
+ LOGIN_SETENV)) < 0)
+- ssh_fatal("setusercontext: %s", strerror(errno));
++ ssh_fatal("setusercontext: unable to set user context");
+ #else /* ! (__FreeBSD && HAVE_LOGIN_CAP_H) */
+ if (setgid(gid) < 0)
+ ssh_fatal("setgid: %s", strerror(errno));
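Review bot: `pw` from getpwuid() is handed to setusercontext() with no NULL check, and the requested LOGIN_SETALL mask includes LOGIN_SETGROUP, which takes the gid and supplementary group list from pw; a uid with no passwd entry therefore either crashes here or, worse, has its uid switched by LOGIN_SETUSER while root's groups are kept. Add `if (pw == NULL) ssh_fatal("getpwuid: unknown uid %d", (int)uid);` before the call. Passing NULL as the login_cap_t is otherwise an improvement over the original, which obtained `lc` from login_getuserclass() and never called login_close() on it; setusercontext() resolves the class from pw itself and releases it. The new error string drops the strerror(errno) the original reported: if errno is meaningful on this path, keep it, since "unable to set user context" gives the administrator nothing to act on.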
diff --git a/security/ssh2/files/patch-lib::sshsession::sshunixuser.c b/security/ssh2/files/patch-lib::sshsession::sshunixuser.c
new file mode 100644
index 000000000000..ddd2a1b79b03
--- /dev/null
+++ b/security/ssh2/files/patch-lib::sshsession::sshunixuser.c
@@ -0,0 +1,69 @@
+--- lib/sshsession/sshunixuser.c.orig Wed Dec 3 14:17:21 2003
++++ lib/sshsession/sshunixuser.c Mon Dec 29 20:57:45 2003
+@@ -104,6 +104,10 @@
+
+ #define SSH_DEBUG_MODULE "SshUnixUser"
+
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++#include <login_cap.h>
++#endif /* __FreeBSD && HAVE_LOGIN_CAP_H */
++
+ extern char *crypt(const char *key, const char *salt);
+
+ /* Group structure. */
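Review bot: both new branches in this file and in sshuserfile.c are gated on HAVE_LOGIN_CAP_H, yet patch-configure in this commit adds no check that defines it, so unless the upstream configure already probes for login_cap.h the include and the entire setusercontext() path are compiled out and the old setgid/setuid code silently remains in use. Confirm the define appears in the build's config.h on FreeBSD, or add an AC_CHECK_HEADERS entry for login_cap.h, before relying on login classes for resource limits and umask.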
+@@ -1477,6 +1481,37 @@
+ /* Set uid, gid, and groups. */
+ if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
+ {
++#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++ struct passwd *pw;
++
++ pw = getpwuid(ssh_user_uid(uc));
++ if (setusercontext(NULL, pw, ssh_user_uid(uc),
++ LOGIN_SETALL & ~(LOGIN_SETLOGIN | LOGIN_SETUSER |
++ LOGIN_SETPATH | LOGIN_SETENV)) < 0)
++ {
++ SSH_DEBUG(2, ("setusercontext: unable to set user context"));
++ return FALSE;
++ }
++ endgrent();
++
++ /* chrooting at this point. */
++ if (chroot_dir)
++ {
++ if (chroot(chroot_dir) < 0)
++ {
++ ssh_warning("Chroot to '%s' failed: %s", chroot_dir,
++ strerror(errno));
++ return FALSE;
++ }
++ }
++
++ if (setusercontext(NULL, pw, ssh_user_uid(uc), LOGIN_SETUSER) < 0)
++ {
++ SSH_DEBUG(2, ("setusercontext: unable to set user context"));
++ return FALSE;
++ }
++ endpwent();
++#else /* ! (__FreeBSD && HAVE_LOGIN_CAP_H) */
+ if (setgid(ssh_user_gid(uc)) < 0)
+ {
+ SSH_DEBUG(2, ("setgid: %s", strerror(errno)));
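Review bot: as in sshuserfile.c, `pw` is used without a NULL check, and here the consequence is sharper: a NULL pw leaves the first setusercontext() call with no gid or group list to apply for LOGIN_SETGROUP, while the later LOGIN_SETUSER call still changes uid, so an unknown uid ends up running with root's groups. Return FALSE when getpwuid() fails. Second, passing NULL for the login_cap_t makes setusercontext() call login_getpwclass(pw) internally, and the second call runs after chroot(), so that lookup reads /etc/login.conf (and, for non-root users, ~/.login_conf) relative to the new root, which is the directory being chrooted into and may be user-writable. Only LOGIN_SETUSER is requested there, so nothing from such a file is applied, but resolving the class once before the chroot with `lc = login_getpwclass(pw);`, passing it to both calls and calling `login_close(lc)` afterwards avoids the read entirely. The ordering itself is right: groups, limits and umask are set while still root, then chroot(), then the uid drop, and each failure returns FALSE.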
+@@ -1524,7 +1559,8 @@
+ {
+ if (chroot(chroot_dir) < 0)
+ {
+- ssh_warning("Chroot to '%s' failed!", chroot_dir);
++ ssh_warning("Chroot to '%s' failed: %s", chroot_dir,
++ strerror(errno));
+ return FALSE;
+ }
+ }
+@@ -1578,6 +1614,7 @@
+ return FALSE;
+ }
+ #endif /* HAVE_SIA */
++#endif /* __FreeBSD && HAVE_LOGIN_CAP_H */
+ }
+
+ #ifdef KERBEROS
diff --git a/security/ssh2/files/patch-startup::solaris::sshd2 b/security/ssh2/files/patch-startup::solaris::sshd2
new file mode 100644
index 000000000000..74752fcbb013
--- /dev/null
+++ b/security/ssh2/files/patch-startup::solaris::sshd2
@@ -0,0 +1,58 @@
+--- startup/solaris/sshd2.orig Wed Dec 3 14:17:18 2003
++++ startup/solaris/sshd2 Tue Dec 30 12:38:16 2003
+@@ -22,9 +22,7 @@
+ SBINDIR=/usr/local/sbin
+
+
+-[ -f ${SBINDIR}/sshd2 ] || exit 0
+-
+-PORT=
++[ -x ${SBINDIR}/sshd2 ] || exit 0
+
+ PORT=`grep Port ${ETCDIR}/sshd2_config | awk '{ x = $2 } END {print x}' -`
+ if [ "X$PORT" = "X" ]
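Review bot: `-x` is the right test for a binary about to be executed, but the PORT derivation kept as context is fragile: `grep Port ${ETCDIR}/sshd2_config` matches any line containing "Port", commented-out examples such as `# Port 22` included, and the awk keeps the last match, so PORT can differ from the port sshd2 actually listens on. Since the pid file is named sshd2_${PORT}.pid, a wrong PORT means `stop` later finds no pid file and leaves the daemon running. Anchoring on an active directive, e.g. `grep '^[[:space:]]*Port[[:space:]]' ${ETCDIR}/sshd2_config`, fixes this. The removed `PORT=` initialisation was harmless, so dropping it is fine.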
+@@ -37,31 +35,19 @@
+ case "$1" in
+ start)
+ # Start daemons.
+- echo "Starting sshd2 on port $PORT... "
+- ${SBINDIR}/sshd2
++ ${SBINDIR}/sshd2 2> /dev/null
++ echo -n ' sshd2'
+ ;;
+ stop)
+ # Stop daemons.
+
+- if [ -f /var/run/sshd2_$PORT.pid ]
++ if [ -r /var/run/sshd2_$PORT.pid ]
+
+ then
+
+- echo "1 Shutting down sshd2 on port ${PORT}... "
+ kill `cat /var/run/sshd2_${PORT}.pid`
+ rm -f /var/run/sshd2_${PORT}.pid
+-
+- elif [ -f ${ETCDIR}/sshd2_${PORT}.pid ]
+-
+- then
+-
+- echo "Shutting down sshd2 on port ${PORT}... "
+- kill `cat ${ETCDIR}/sshd2_${PORT}.pid`
+- rm -f ${ETCDIR}/sshd2_${PORT}.pid
+-
+- else
+-
+- echo "sshd2 is not running"
++ echo -n ' sshd2'
+
+ fi
+
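Review bot: `${SBINDIR}/sshd2 2> /dev/null` followed by an unconditional `echo -n ' sshd2'` reports the daemon as started even when it did not start, and the redirect discards the only place sshd2 would say why (unparsable config, unreadable host key, port already in use); test the exit status, `${SBINDIR}/sshd2 && echo -n ' sshd2'`, and if the redirect is only there to keep boot output tidy, send stderr to a log file rather than /dev/null. In the stop branch `-r` is the right test for a file that `cat` is about to read, but `kill \`cat /var/run/sshd2_${PORT}.pid\`` is still run on the raw file content as root; a numeric check on the value before the kill avoids acting on an empty or corrupt pid file. Dropping the ${ETCDIR} pid-file fallback is consistent with the commit message's point that this script handles the pid-file name better.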
+@@ -72,7 +58,7 @@
+ $0 start
+ ;;
+ *)
+- echo "Usage: sshd2 {start|stop|restart}"
++ echo "Usage: `basename $0` {start|stop|restart}"
+ exit 1
+ esac
+
diff --git a/security/ssh2/files/sshd.sh b/security/ssh2/files/sshd.sh
deleted file mode 100644
index b7c5ac8d80e3..000000000000
--- a/security/ssh2/files/sshd.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-case "$1" in
- start)
- !!PREFIX!!/sbin/sshd 2> /dev/null
- echo -n ' sshd'
- ;;
- stop)
- if [ -f /var/run/sshd2_22.pid ]; then
- kill -TERM `cat /var/run/sshd2_22.pid`
- rm -f /var/run/sshd2_22.pid
- echo -n ' sshd'
- fi
- ;;
- restart)
- if [ -f /var/run/sshd2_22.pid ]; then
- kill -HUP `cat /var/run/sshd2_22.pid`
- echo 'sshd restarted'
- fi
- ;;
- -h)
- echo "Usage: `basename $0` { start | stop | restart }"
- ;;
- *)
- !!PREFIX!!/sbin/sshd
- echo -n ' sshd'
- ;;
-esac
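Review bot: deleting this script removes two things the Solaris replacement does not carry over, and both are improvements: the `*)` fall-through here started sshd on any unrecognised argument, whereas the replacement prints usage and exits 1, and the pid-file name was hard-coded to sshd2_22.pid, so stop and restart silently did nothing on a non-default port. One behaviour change worth a sentence in the pkg-message: restart here sent SIGHUP to the running daemon (a reload that keeps existing sessions), while the replacement's restart re-invokes `$0 start`, so open sessions are treated differently by the two scripts.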
diff --git a/security/ssh2/pkg-message b/security/ssh2/pkg-message
new file mode 100644
index 000000000000..092b8d57168d
--- /dev/null
+++ b/security/ssh2/pkg-message
@@ -0,0 +1,23 @@
+===========================================================================
+
+Depending on how you would like to start sshd2(8) you have three choices:
+1) Copy the sample start-up script %%PREFIX%%/etc/rc.d/sshd2.sh.sample
+to %%PREFIX%%/etc/rc.d/sshd2.sh.
+
+2) Add the following entries to your /etc/inetd.conf:
+ssh stream tcp nowait root %%PREFIX%%/sbin/sshd2 sshd -i
+ssh stream tcp6 nowait root %%PREFIX%%/sbin/sshd2 sshd -i
+
+3) On FreeBSD 4 only (on FreeBSD 5 with rcNG this currently doesn't work
+properly) add the following entries to your /etc/rc.conf:
+sshd_enable="YES"
+sshd_program="%%PREFIX%%/sbin/sshd2"
+
+NOTE: This port traditionally sets up 1) automatically unless it detects 2).
+ If you want to use 2) or 3) you have to manually delete the start-up
+ script %%PREFIX%%/etc/rc.d/sshd2.sh. This version of the port is the
+ last one that does 1) automatically. To prevent foot shooting when
+ updating to the next version this port won't remove an existing
+ %%PREFIX%%/etc/rc.d/sshd2.sh on deinstallation.
+
+===========================================================================
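Review bot: the three methods are presented as alternatives, but nothing says they are exclusive; an administrator who leaves the copied rc.d script in place and also adds the inetd.conf lines ends up with two sshd2 instances contending for the same port, and which one wins depends on boot order. Add one sentence stating that exactly one method must be active. Two smaller points: the inetd entries run `%%PREFIX%%/sbin/sshd2` with argv[0] "sshd" and `-i`, which is correct for inetd's field layout, but both lines depend on an `ssh` entry in /etc/services, worth noting for hosts with a trimmed services file; and since the commit message identifies /etc/rc.d/sshd as the script that has to be fixed on FreeBSD 5, name it in 3) instead of leaving "currently doesn't work properly" open-ended.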
diff --git a/security/ssh2/pkg-plist b/security/ssh2/pkg-plist
index e336f3b5a16d..4bb3ecf2d02f 100644
--- a/security/ssh2/pkg-plist
+++ b/security/ssh2/pkg-plist
@@ -1,27 +1,27 @@
-bin/ssh2
+bin/scp
bin/scp2
+bin/sftp
bin/sftp2
-bin/ssh-agent2
-%%WITH_X11:%%bin/ssh-askpass2
-bin/ssh-keygen2
-bin/ssh-add2
-bin/ssh-signer2
-bin/ssh-probe2
+bin/sftp-server
bin/sftp-server2
-%%STATIC%%bin/sftp-server2.static
-bin/ssh-dummy-shell
-%%STATIC%%bin/ssh-dummy-shell.static
bin/ssh
-bin/ssh-agent
bin/ssh-add
+bin/ssh-add2
+bin/ssh-agent
+bin/ssh-agent2
%%WITH_X11:%%bin/ssh-askpass
+%%WITH_X11:%%bin/ssh-askpass2
+bin/ssh-dummy-shell
bin/ssh-keygen
-bin/scp
-bin/sftp
-bin/sftp-server
-bin/ssh-signer
+bin/ssh-keygen2
bin/ssh-probe
-etc/rc.d/sshd.sh
+bin/ssh-probe2
+bin/ssh-signer
+bin/ssh-signer2
+bin/ssh2
+etc/rc.d/sshd2.sh.sample
+@exec if [ "`grep ssh /etc/inetd.conf | grep -v ^#ssh`" = "" ] & [ ! -f %B/sshd2.sh ]; then cp %B/%f %B/sshd2.sh; fi
+@unexec if [ -f %B/sshd2.sh ]; then echo "If permanently deleting this package, %B/sshd2.sh must be removed manually."; fi
@unexec if cmp -s %D/etc/ssh2/sshd2_config %D/etc/ssh2/sshd2_config.example; then rm -f %D/etc/ssh2/sshd2_config; fi
etc/ssh2/sshd2_config.example
@exec [ -f %B/sshd2_config ] || cp %B/%f %B/sshd2_config
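Review bot: the @exec line joins its two tests with a single `&` rather than `&&`, so `[ "\`grep ssh /etc/inetd.conf | grep -v ^#ssh\`" = "" ]` is sent to the background and the `if` evaluates only `[ ! -f %B/sshd2.sh ]`; the inetd detection the pkg-message promises never happens and the script is copied whenever it is absent. Change `&` to `&&`. Even then, `grep ssh /etc/inetd.conf` matches any line containing the substring (a commented "# ssh ..." with a space after the hash, or an unrelated service whose name contains "ssh"), and `grep -v ^#ssh` excludes only the exact `#ssh` prefix; anchor on an active service line instead, e.g. `grep '^[[:space:]]*ssh[[:space:]]' /etc/inetd.conf`. The @unexec warning about the retained sshd2.sh is the right call given the foot-shooting concern in the commit message.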
@@ -35,20 +35,24 @@ etc/ssh2/subconfig/host_int.example
etc/ssh2/subconfig/user.example
@exec [ -d %D/etc/ssh2/hostkeys ] || mkdir %D/etc/ssh2/hostkeys
@exec [ -d %D/etc/ssh2/knownhosts ] || mkdir %D/etc/ssh2/knownhosts
-sbin/sshd2
-sbin/sshd-check-conf
-sbin/sshd
@exec if [ ! -f %D/etc/ssh2/hostkey ]; then umask 022; echo "Generating host key."; %D/bin/ssh-keygen2 -P -t dsa "DSA hostkey" %D/etc/ssh2/hostkey; fi
+sbin/sshd
+sbin/sshd-check-conf
+sbin/sshd2
%%PORTDOCS%%%%DOCSDIR%%/CHANGES
%%PORTDOCS%%%%DOCSDIR%%/FAQ
-%%PORTDOCS%%%%DOCSDIR%%/INSTALL
+%%PORTDOCS%%%%DOCSDIR%%/HOWTO.anonymous.sftp
%%PORTDOCS%%%%DOCSDIR%%/LICENSE
-%%PORTDOCS%%%%DOCSDIR%%/MANIFEST
%%PORTDOCS%%%%DOCSDIR%%/NEWS
%%PORTDOCS%%%%DOCSDIR%%/README
%%PORTDOCS%%%%DOCSDIR%%/REGEX-SYNTAX
%%PORTDOCS%%%%DOCSDIR%%/SSH2.QUICKSTART
+%%PORTDOCS%%%%DOCSDIR%%/RFC.authorization_program_protocol
+%%PORTDOCS%%%%DOCSDIR%%/RFC.kbdint_plugin_protocol
%%PORTDOCS%%@dirrm %%DOCSDIR%%
+%%EXAMPLESDIR%%/ext_authorization_example.sh
+%%EXAMPLESDIR%%/kbdint_plugin_example.sh
+@dirrm %%EXAMPLESDIR%%
@unexec rmdir %D/etc/ssh2/hostkeys 2> /dev/null || true
@unexec rmdir %D/etc/ssh2/knownhosts 2> /dev/null || true
@unexec rmdir %D/etc/ssh2/subconfig 2> /dev/null || true
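Review bot: the host key @exec is unchanged, but it is the line that creates the server's DSA private key at install time with `-P` (which in ssh-keygen2 stores the key without a passphrase) under `umask 022`, so confirm that ssh-keygen2 creates %D/etc/ssh2/hostkey mode 0600 itself rather than inheriting the umask; a world-readable host private key lets any local user impersonate the server to every client that has cached it. If it does not, append `chmod 600 %D/etc/ssh2/hostkey` to that @exec. The documentation entries match the commit message (INSTALL and MANIFEST removed, HOWTO.anonymous.sftp and the two RFC files added), though the RFC.* lines belong before SSH2.QUICKSTART in a sorted plist. The two example scripts installed under %%EXAMPLESDIR%% are offered to administrators as ExternalAuthorizationProgram and AuthKbdInt.Plugin hooks, which sshd2 runs in the authentication path, so they merit a read-through before commit.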