Ssh is a secure rlogin/rsh/rcp replacement with strong authentication

(.rhosts together with RSA based host authentication, and pure RSA
authentication) and improved privacy (all communications are automatically
and transparently encrypted).

13 files changed, 473 insertions, 0 deletions

diff --git a/security/ssh/Makefile b/security/ssh/Makefile
new file mode 100644
index 000000000000..9331a05c50a0
--- /dev/null
+++ b/security/ssh/Makefile
@@ -0,0 +1,90 @@
+# New ports collection makefile for:	ssh
+# Version required:	1.2.10
+# Date created:		30 Jul 1995
+# Whom:			torstenb@FreeBSD.ORG
+#
+# $Id$
+#
+
+DISTNAME=	ssh-1.2.10
+CATEGORIES=	security
+MASTER_SITES=	ftp://ftp.funet.fi/pub/unix/security/ \
+		ftp://ftp.cs.hut.fi/pub/ssh/snapshots/
+
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+DISTFILES=	${DISTNAME}.tar.gz rsaref2.tar.gz
+MASTER_SITES=	\
+	ftp://ftp.cs.hut.fi/pub/ssh/snapshots/ \
+	ftp://ftp.funet.fi/pub/unix/security/ \
+	ftp://nic.funet.fi/pub/crypt/mirrors/ftp.dsi.unimi.it/applied-crypto/ \
+	ftp://rzsun2.informatik.uni-hamburg.de/pub/virus/crypt/ripem/ \
+	ftp://ftp.dsi.unimi.it/pub/security/crypt/math/ \
+	ftp://ftp.univie.ac.at/security/crypt/cryptography/asymmetric/rsa/ \
+	ftp://isdec.vc.cvut.cz/pub/security/unimi/crypt/applied-crypto/
+.endif
+
+NO_PACKAGE=	YES
+IS_INTERACTIVE=	YES
+
+GNU_CONFIGURE=	YES
+
+CONFIGURE_ARGS= --prefix=${PREFIX} --with-etcdir=${PREFIX}/etc
+
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+CONFIGURE_ARGS+= --with-rsaref
+.endif
+
+# Include SOCKS firewall support
+# Warning: untested !
+.if defined(USE_SOCKS) && ${USE_SOCKS} == YES
+CONFIGURE_ARGS+= --with-socks
+.endif
+
+# Include tcp-wrapper support and identd support
+# Warning: untested !
+.if defined(USE_TCPWRAP_AND_IDENTD) && ${USE_TCPWRAP_AND_IDENTD} == YES
+CONFIGURE_ARGS+= --with-libwrap
+.endif
+
+# Include support for the SecureID card
+# Warning: untested !
+.if defined(USE_SECUREID) && ${USE_SECUREID} == YES
+CONFIGURE_ARGS+= --with-secureid
+.endif
+
+# Don't use IDEA. IDEA can be freely used for non-commercial use. However,
+# commercial use may require a licence in a number of countried
+# Warning: untested !
+.if defined(DONT_USE_IDEA) && ${DONT_USE_IDEA} == YES
+CONFIGURE_ARGS+= --without-idea
+.endif
+
+pre-patch:
+	@mv -f ${WRKSRC}/make-ssh-known-hosts.pl \
+	    ${WRKSRC}/make-ssh-known-hosts.pl.in
+
+fetch-depends:
+.if !defined(USA_RESIDENT) || ${USA_RESIDENT} != YES && ${USA_RESIDENT} != NO
+	@echo
+	@echo You must set variable USA_RESIDENT to YES if you are a USA
+	@echo resident.
+	@echo If you are a USA resident you have to get the RSAREF2
+	@echo library \(RSA Inc. holds a patent on RSA and public key
+	@echo cypto in general - using RSA implementations other thann
+	@echo RSAREF will violate the US patent law\)
+	@echo and extract it to ${WRKSRC}.
+	@false
+.endif
+
+post-extract:
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+	@mv ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2
+.endif
+
+post-install:
+	gzip -9nf ${PREFIX}/man/man1/scp.1 ${PREFIX}/man/man1/ssh-add.1 \
+		${PREFIX}/man/man1/ssh-agent.1 ${PREFIX}/man/man1/ssh-keygen.1 \
+		${PREFIX}/man/man1/ssh.1 ${PREFIX}/man/man8/sshd.8 \
+		${PREFIX}/man/man1/make-ssh-known-hosts.1
+
+.include <bsd.port.mk>
diff --git a/security/ssh/distinfo b/security/ssh/distinfo
new file mode 100644
index 000000000000..ee5de3ad76f5
--- /dev/null
+++ b/security/ssh/distinfo
@@ -0,0 +1,2 @@
+MD5 (ssh-1.2.10.tar.gz) = 85b1938f462d13ccebe9d341c63bddbe
+MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d
diff --git a/security/ssh/files/patch-aa b/security/ssh/files/patch-aa
new file mode 100644
index 000000000000..870fdd02bbbb
--- /dev/null
+++ b/security/ssh/files/patch-aa
@@ -0,0 +1,19 @@
+*** make-ssh-known-hosts.pl.in.orig	Fri Oct  6 21:12:34 1995
+--- make-ssh-known-hosts.pl.in	Fri Oct  6 21:14:28 1995
+***************
+*** 74,80 ****
+  $sshdisablepasswordoption="-o 'PasswordAuthentication no'";
+  $defserver = '';
+  $bell='\a';
+! $public_key = '/etc/ssh_host_key.pub';
+  if (!defined($ENV{'HOME'})) {
+      ($junk, $junk, $junk, $junk, $junk, $junk, $junk, $dir, $junk) =
+  	getpwuid($<);
+--- 74,80 ----
+  $sshdisablepasswordoption="-o 'PasswordAuthentication no'";
+  $defserver = '';
+  $bell='\a';
+! $public_key = '@ETCDIR@/ssh_host_key.pub';
+  if (!defined($ENV{'HOME'})) {
+      ($junk, $junk, $junk, $junk, $junk, $junk, $junk, $dir, $junk) =
+  	getpwuid($<);
diff --git a/security/ssh/pkg-comment b/security/ssh/pkg-comment
new file mode 100644
index 000000000000..fc8bc364039a
--- /dev/null
+++ b/security/ssh/pkg-comment
@@ -0,0 +1 @@
+ssh - secure shell client (remote login program)
diff --git a/security/ssh/pkg-descr b/security/ssh/pkg-descr
new file mode 100644
index 000000000000..fb9e196439ff
--- /dev/null
+++ b/security/ssh/pkg-descr
@@ -0,0 +1,96 @@
+Secure Shell is a program to log into another computer over a network,
+to execute commands in a remote machine, and to move files from one
+machine to another.  It provides strong authentication and secure
+communications over insecure channels.  It is inteded as a replacement
+for rlogin, rsh, and rcp.
+
+FEATURES
+
+ o  Complete replacement for rlogin, rsh, and rcp.
+
+ o  Strong authentication.  Closes several security holes (e.g., IP,
+    routing, and DNS spoofing).  New authentication methods: .rhosts
+    together with RSA based host authentication, and pure RSA
+    authentication.
+
+ o  Improved privacy.  All communications are automatically and
+    transparently encrypted.  RSA is used for key exchange, and a
+    conventional cipher (normally IDEA, DES, or triple-DES) for
+    encrypting the session.  Encryption is started before
+    authentication, and no passwords or other information is
+    transmitted in the clear.  Encryption is also used to protect
+    against spoofed packets.
+
+ o  Secure X11 sessions.  The program automatically sets DISPLAY on
+    the server machine, and forwards any X11 connections over the
+    secure channel.  Fake Xauthority information is automatically
+    generated and forwarded to the remote machine; the local client
+    automatically examines incoming X11 connections and replaces the
+    fake authorization data with the real data (never telling the 
+    remote machine the real information).
+
+ o  Arbitrary TCP/IP ports can be redirected through the encrypted channel
+    in both directions (e.g., for e-cash transactions).
+
+ o  No retraining needed for normal users; everything happens
+    automatically, and old .rhosts files will work with strong
+    authentication if administration installs host key files.
+
+ o  Never trusts the network.  Minimal trust on the remote side of
+    the connection.  Minimal trust on domain name servers.  Pure RSA
+    authentication never trusts anything but the private key.
+
+ o  Client RSA-authenticates the server machine in the beginning of
+    every connection to prevent trojan horses (by routing or DNS
+    spoofing) and man-in-the-middle attacks, and the server
+    RSA-authenticates the client machine before accepting .rhosts or
+    /etc/hosts.equiv authentication (to prevent DNS, routing, or
+    IP-spoofing).
+
+ o  Host authentication key distribution can be centrally by the
+    administration, automatically when the first connection is made
+    to a machine (the key obtained on the first connection will be
+    recorded and used for authentication in the future), or manually
+    by each user for his/her own use.  The central and per-user host
+    key repositories are both used and complement each other.  Host
+    keys can be generated centrally or automatically when the software
+    is installed.  Host authentication keys are typically 1024 bits.
+
+ o  Any user can create any number of user authentication RSA keys for
+    his/her own use.  Each user has a file which lists the RSA public
+    keys for which proof of possession of the corresponding private
+    key is accepted as authentication.  User authentication keys are
+    typically 1024 bits.
+
+ o  The server program has its own server RSA key which is
+    automatically regenerated every hour.  This key is never saved in
+    any file.  Exchanged session keys are encrypted using both the
+    server key and the server host key.  The purpose of the separate
+    server key is to make it impossible to decipher a captured session by
+    breaking into the server machine at a later time; one hour from
+    the connection even the server machine cannot decipher the session
+    key.  The key regeneration interval is configurable.  The server
+    key is normally 768 bits.
+
+ o  An authentication agent, running in the user's laptop or local
+    workstation, can be used to hold the user's RSA authentication
+    keys.  Ssh automatically forwards the connection to the
+    authentication agent over any connections, and there is no need to
+    store the RSA authentication keys on any machine in the network
+    (except the user's own local machine).  The authentication
+    protocols never reveal the keys; they can only be used to verify
+    that the user's agent has a certain key.  Eventually the agent
+    could rely on a smart card to perform all authentication
+    computations.
+
+ o  The software can be installed and used (with restricted
+    functionality) even without root privileges.
+
+ o  The client is customizable in system-wide and per-user
+    configuration files.  Most aspects of the client's operation can
+    be configured.  Different options can be specified on a per-host basis.
+
+ o  Automatically executes conventional rsh (after displaying a
+    warning) if the server machine is not running sshd.
+
+
diff --git a/security/ssh/pkg-plist b/security/ssh/pkg-plist
new file mode 100644
index 000000000000..239bc7cce898
--- /dev/null
+++ b/security/ssh/pkg-plist
@@ -0,0 +1,19 @@
+bin/scp
+bin/slogin
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-askpass
+bin/ssh-keygen
+etc/ssh_config
+etc/ssh_host_key
+etc/ssh_host_key.pub
+etc/sshd_config
+man/man1/make-ssh-known-hosts.1.gz
+man/man1/scp.1.gz
+man/man1/ssh-add.1.gz
+man/man1/ssh-agent.1.gz
+man/man1/ssh-keygen.1.gz
+man/man1/ssh.1.gz
+man/man8/sshd.8.gz
+sbin/sshd
diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile
new file mode 100644
index 000000000000..9331a05c50a0
--- /dev/null
+++ b/security/ssh2/Makefile
@@ -0,0 +1,90 @@
+# New ports collection makefile for:	ssh
+# Version required:	1.2.10
+# Date created:		30 Jul 1995
+# Whom:			torstenb@FreeBSD.ORG
+#
+# $Id$
+#
+
+DISTNAME=	ssh-1.2.10
+CATEGORIES=	security
+MASTER_SITES=	ftp://ftp.funet.fi/pub/unix/security/ \
+		ftp://ftp.cs.hut.fi/pub/ssh/snapshots/
+
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+DISTFILES=	${DISTNAME}.tar.gz rsaref2.tar.gz
+MASTER_SITES=	\
+	ftp://ftp.cs.hut.fi/pub/ssh/snapshots/ \
+	ftp://ftp.funet.fi/pub/unix/security/ \
+	ftp://nic.funet.fi/pub/crypt/mirrors/ftp.dsi.unimi.it/applied-crypto/ \
+	ftp://rzsun2.informatik.uni-hamburg.de/pub/virus/crypt/ripem/ \
+	ftp://ftp.dsi.unimi.it/pub/security/crypt/math/ \
+	ftp://ftp.univie.ac.at/security/crypt/cryptography/asymmetric/rsa/ \
+	ftp://isdec.vc.cvut.cz/pub/security/unimi/crypt/applied-crypto/
+.endif
+
+NO_PACKAGE=	YES
+IS_INTERACTIVE=	YES
+
+GNU_CONFIGURE=	YES
+
+CONFIGURE_ARGS= --prefix=${PREFIX} --with-etcdir=${PREFIX}/etc
+
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+CONFIGURE_ARGS+= --with-rsaref
+.endif
+
+# Include SOCKS firewall support
+# Warning: untested !
+.if defined(USE_SOCKS) && ${USE_SOCKS} == YES
+CONFIGURE_ARGS+= --with-socks
+.endif
+
+# Include tcp-wrapper support and identd support
+# Warning: untested !
+.if defined(USE_TCPWRAP_AND_IDENTD) && ${USE_TCPWRAP_AND_IDENTD} == YES
+CONFIGURE_ARGS+= --with-libwrap
+.endif
+
+# Include support for the SecureID card
+# Warning: untested !
+.if defined(USE_SECUREID) && ${USE_SECUREID} == YES
+CONFIGURE_ARGS+= --with-secureid
+.endif
+
+# Don't use IDEA. IDEA can be freely used for non-commercial use. However,
+# commercial use may require a licence in a number of countried
+# Warning: untested !
+.if defined(DONT_USE_IDEA) && ${DONT_USE_IDEA} == YES
+CONFIGURE_ARGS+= --without-idea
+.endif
+
+pre-patch:
+	@mv -f ${WRKSRC}/make-ssh-known-hosts.pl \
+	    ${WRKSRC}/make-ssh-known-hosts.pl.in
+
+fetch-depends:
+.if !defined(USA_RESIDENT) || ${USA_RESIDENT} != YES && ${USA_RESIDENT} != NO
+	@echo
+	@echo You must set variable USA_RESIDENT to YES if you are a USA
+	@echo resident.
+	@echo If you are a USA resident you have to get the RSAREF2
+	@echo library \(RSA Inc. holds a patent on RSA and public key
+	@echo cypto in general - using RSA implementations other thann
+	@echo RSAREF will violate the US patent law\)
+	@echo and extract it to ${WRKSRC}.
+	@false
+.endif
+
+post-extract:
+.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
+	@mv ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2
+.endif
+
+post-install:
+	gzip -9nf ${PREFIX}/man/man1/scp.1 ${PREFIX}/man/man1/ssh-add.1 \
+		${PREFIX}/man/man1/ssh-agent.1 ${PREFIX}/man/man1/ssh-keygen.1 \
+		${PREFIX}/man/man1/ssh.1 ${PREFIX}/man/man8/sshd.8 \
+		${PREFIX}/man/man1/make-ssh-known-hosts.1
+
+.include <bsd.port.mk>
diff --git a/security/ssh2/distinfo b/security/ssh2/distinfo
new file mode 100644
index 000000000000..ee5de3ad76f5
--- /dev/null
+++ b/security/ssh2/distinfo
@@ -0,0 +1,2 @@
+MD5 (ssh-1.2.10.tar.gz) = 85b1938f462d13ccebe9d341c63bddbe
+MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d
diff --git a/security/ssh2/files/patch-aa b/security/ssh2/files/patch-aa
new file mode 100644
index 000000000000..870fdd02bbbb
--- /dev/null
+++ b/security/ssh2/files/patch-aa
@@ -0,0 +1,19 @@
+*** make-ssh-known-hosts.pl.in.orig	Fri Oct  6 21:12:34 1995
+--- make-ssh-known-hosts.pl.in	Fri Oct  6 21:14:28 1995
+***************
+*** 74,80 ****
+  $sshdisablepasswordoption="-o 'PasswordAuthentication no'";
+  $defserver = '';
+  $bell='\a';
+! $public_key = '/etc/ssh_host_key.pub';
+  if (!defined($ENV{'HOME'})) {
+      ($junk, $junk, $junk, $junk, $junk, $junk, $junk, $dir, $junk) =
+  	getpwuid($<);
+--- 74,80 ----
+  $sshdisablepasswordoption="-o 'PasswordAuthentication no'";
+  $defserver = '';
+  $bell='\a';
+! $public_key = '@ETCDIR@/ssh_host_key.pub';
+  if (!defined($ENV{'HOME'})) {
+      ($junk, $junk, $junk, $junk, $junk, $junk, $junk, $dir, $junk) =
+  	getpwuid($<);
diff --git a/security/ssh2/files/patch-ab b/security/ssh2/files/patch-ab
new file mode 100644
index 000000000000..ac0c5136f0bb
--- /dev/null
+++ b/security/ssh2/files/patch-ab
@@ -0,0 +1,19 @@
+*** configure.orig	Fri Oct  6 21:16:53 1995
+--- configure	Fri Oct  6 21:17:16 1995
+***************
+*** 3621,3627 ****
+  EOF
+  cat >> $CONFIG_STATUS <<EOF
+  
+! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1"}
+  EOF
+  cat >> $CONFIG_STATUS <<\EOF
+  for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+--- 3621,3627 ----
+  EOF
+  cat >> $CONFIG_STATUS <<EOF
+  
+! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl"}
+  EOF
+  cat >> $CONFIG_STATUS <<\EOF
+  for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
diff --git a/security/ssh2/pkg-comment b/security/ssh2/pkg-comment
new file mode 100644
index 000000000000..fc8bc364039a
--- /dev/null
+++ b/security/ssh2/pkg-comment
@@ -0,0 +1 @@
+ssh - secure shell client (remote login program)
diff --git a/security/ssh2/pkg-descr b/security/ssh2/pkg-descr
new file mode 100644
index 000000000000..fb9e196439ff
--- /dev/null
+++ b/security/ssh2/pkg-descr
@@ -0,0 +1,96 @@
+Secure Shell is a program to log into another computer over a network,
+to execute commands in a remote machine, and to move files from one
+machine to another.  It provides strong authentication and secure
+communications over insecure channels.  It is inteded as a replacement
+for rlogin, rsh, and rcp.
+
+FEATURES
+
+ o  Complete replacement for rlogin, rsh, and rcp.
+
+ o  Strong authentication.  Closes several security holes (e.g., IP,
+    routing, and DNS spoofing).  New authentication methods: .rhosts
+    together with RSA based host authentication, and pure RSA
+    authentication.
+
+ o  Improved privacy.  All communications are automatically and
+    transparently encrypted.  RSA is used for key exchange, and a
+    conventional cipher (normally IDEA, DES, or triple-DES) for
+    encrypting the session.  Encryption is started before
+    authentication, and no passwords or other information is
+    transmitted in the clear.  Encryption is also used to protect
+    against spoofed packets.
+
+ o  Secure X11 sessions.  The program automatically sets DISPLAY on
+    the server machine, and forwards any X11 connections over the
+    secure channel.  Fake Xauthority information is automatically
+    generated and forwarded to the remote machine; the local client
+    automatically examines incoming X11 connections and replaces the
+    fake authorization data with the real data (never telling the 
+    remote machine the real information).
+
+ o  Arbitrary TCP/IP ports can be redirected through the encrypted channel
+    in both directions (e.g., for e-cash transactions).
+
+ o  No retraining needed for normal users; everything happens
+    automatically, and old .rhosts files will work with strong
+    authentication if administration installs host key files.
+
+ o  Never trusts the network.  Minimal trust on the remote side of
+    the connection.  Minimal trust on domain name servers.  Pure RSA
+    authentication never trusts anything but the private key.
+
+ o  Client RSA-authenticates the server machine in the beginning of
+    every connection to prevent trojan horses (by routing or DNS
+    spoofing) and man-in-the-middle attacks, and the server
+    RSA-authenticates the client machine before accepting .rhosts or
+    /etc/hosts.equiv authentication (to prevent DNS, routing, or
+    IP-spoofing).
+
+ o  Host authentication key distribution can be centrally by the
+    administration, automatically when the first connection is made
+    to a machine (the key obtained on the first connection will be
+    recorded and used for authentication in the future), or manually
+    by each user for his/her own use.  The central and per-user host
+    key repositories are both used and complement each other.  Host
+    keys can be generated centrally or automatically when the software
+    is installed.  Host authentication keys are typically 1024 bits.
+
+ o  Any user can create any number of user authentication RSA keys for
+    his/her own use.  Each user has a file which lists the RSA public
+    keys for which proof of possession of the corresponding private
+    key is accepted as authentication.  User authentication keys are
+    typically 1024 bits.
+
+ o  The server program has its own server RSA key which is
+    automatically regenerated every hour.  This key is never saved in
+    any file.  Exchanged session keys are encrypted using both the
+    server key and the server host key.  The purpose of the separate
+    server key is to make it impossible to decipher a captured session by
+    breaking into the server machine at a later time; one hour from
+    the connection even the server machine cannot decipher the session
+    key.  The key regeneration interval is configurable.  The server
+    key is normally 768 bits.
+
+ o  An authentication agent, running in the user's laptop or local
+    workstation, can be used to hold the user's RSA authentication
+    keys.  Ssh automatically forwards the connection to the
+    authentication agent over any connections, and there is no need to
+    store the RSA authentication keys on any machine in the network
+    (except the user's own local machine).  The authentication
+    protocols never reveal the keys; they can only be used to verify
+    that the user's agent has a certain key.  Eventually the agent
+    could rely on a smart card to perform all authentication
+    computations.
+
+ o  The software can be installed and used (with restricted
+    functionality) even without root privileges.
+
+ o  The client is customizable in system-wide and per-user
+    configuration files.  Most aspects of the client's operation can
+    be configured.  Different options can be specified on a per-host basis.
+
+ o  Automatically executes conventional rsh (after displaying a
+    warning) if the server machine is not running sshd.
+
+
diff --git a/security/ssh2/pkg-plist b/security/ssh2/pkg-plist
new file mode 100644
index 000000000000..239bc7cce898
--- /dev/null
+++ b/security/ssh2/pkg-plist
@@ -0,0 +1,19 @@
+bin/scp
+bin/slogin
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-askpass
+bin/ssh-keygen
+etc/ssh_config
+etc/ssh_host_key
+etc/ssh_host_key.pub
+etc/sshd_config
+man/man1/make-ssh-known-hosts.1.gz
+man/man1/scp.1.gz
+man/man1/ssh-add.1.gz
+man/man1/ssh-agent.1.gz
+man/man1/ssh-keygen.1.gz
+man/man1/ssh.1.gz
+man/man8/sshd.8.gz
+sbin/sshd