-rw-r--r--security/Makefile1
-rw-r--r--security/hpn-ssh/Makefile37
-rw-r--r--security/hpn-ssh/distinfo1
-rw-r--r--security/hpn-ssh/files/patch-auth.c20
-rw-r--r--security/hpn-ssh/files/patch-clientloop.c11
-rw-r--r--security/hpn-ssh/files/patch-misc.c13
-rw-r--r--security/hpn-ssh/files/patch-session.c100
-rw-r--r--security/hpn-ssh/files/patch-sshconnect.c15
-rw-r--r--security/hpn-ssh/pkg-comment1
-rw-r--r--security/hpn-ssh/pkg-descr3
-rw-r--r--security/hpn-ssh/pkg-message10
-rw-r--r--security/hpn-ssh/pkg-plist9
-rw-r--r--security/openssh-portable/Makefile37
-rw-r--r--security/openssh-portable/distinfo1
-rw-r--r--security/openssh-portable/files/patch-auth.c20
-rw-r--r--security/openssh-portable/files/patch-clientloop.c11
-rw-r--r--security/openssh-portable/files/patch-misc.c13
-rw-r--r--security/openssh-portable/files/patch-session.c100
-rw-r--r--security/openssh-portable/files/patch-sshconnect.c15
-rw-r--r--security/openssh-portable/pkg-comment1
-rw-r--r--security/openssh-portable/pkg-descr3
-rw-r--r--security/openssh-portable/pkg-message10
-rw-r--r--security/openssh-portable/pkg-plist9
23 files changed, 441 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index 887bfabf9cb0..00f2a3b92026 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -83,6 +83,7 @@
SUBDIR += opencl
SUBDIR += openssh
SUBDIR += openssh-askpass
+ SUBDIR += openssh-portable
SUBDIR += openssl
SUBDIR += outguess
SUBDIR += p5-Authen-Krb4
diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile
new file mode 100644
index 000000000000..1f155f8ae624
--- /dev/null
+++ b/security/hpn-ssh/Makefile
@@ -0,0 +1,37 @@
+# New ports collection makefile for: openssh
+# Date created: 18 Mar 1999
+# Whom: dwcjr@inethouston.net
+#
+# $FreeBSD$
+#
+
+PORTNAME= openssh
+PORTVERSION= 2.9p1
+CATEGORIES= security ipv6
+MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
+ ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \
+ ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
+PKGNAMESUFFIX= -portable
+
+MAINTAINER= dwcjr@inethouston.net
+
+MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
+MAN8= sftp-server.8 sshd.8
+
+CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto
+USE_OPENSSL= YES
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS?= --prefix=${PREFIX}
+
+.if exists(/usr/include/security/pam_modules.h)
+CONFIGURE_ARGS+= --with-pam
+.endif
+
+.if exists(/usr/include/tcpd.h)
+CONFIGURE_ARGS+= --with-tcp-wrappers
+.endif
+
+post-install:
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.mk>
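Review bot: The two `.if exists(...)` blocks turn on `--with-pam` and `--with-tcp-wrappers` according to whichever headers happen to be on the build host, so the same port can produce an sshd with or without TCP-wrappers access control and nothing records which one was built. A port-level knob (name left to the maintainer) that the builder sets deliberately, with the header test kept only as a sanity check, would make these security-relevant features an explicit choice. The header comment also still reads `makefile for: openssh` although the package is built with `PKGNAMESUFFIX= -portable`; naming the portable port there avoids confusion with security/openssh. The identical Makefile is added under security/openssh-portable/ and the same points apply.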
diff --git a/security/hpn-ssh/distinfo b/security/hpn-ssh/distinfo
new file mode 100644
index 000000000000..a02905b4e8e8
--- /dev/null
+++ b/security/hpn-ssh/distinfo
@@ -0,0 +1 @@
+MD5 (openssh-2.9p1.tar.gz) = 591a5f59962c5604c8be81e37090759f
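Review bot: The single `MD5 (openssh-2.9p1.tar.gz)` line is the only integrity check on a tarball that the Makefile fetches from three plain `ftp://` mirrors, so a collision-prone digest is all that separates a tampered mirror from the build. If the ports framework in use accepts a second digest, record a stronger one next to it, e.g. `SHA256 (openssh-2.9p1.tar.gz) = <sha256-of-verified-tarball>`, computed from a copy that was checked against the upstream release signature. The same file is added as security/openssh-portable/distinfo.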
diff --git a/security/hpn-ssh/files/patch-auth.c b/security/hpn-ssh/files/patch-auth.c
new file mode 100644
index 000000000000..99c9d0c1550e
--- /dev/null
+++ b/security/hpn-ssh/files/patch-auth.c
@@ -0,0 +1,20 @@
+--- auth.c.orig Mon Mar 19 23:15:57 2001
++++ auth.c Fri Jun 1 07:59:43 2001
+@@ -158,6 +158,17 @@
+ }
+ #endif /* WITH_AIXAUTHENTICATE */
+
++#ifdef __FreeBSD__
++ /* Fail if the account's expiration time has passed. */
++ if (pw->pw_expire != 0) {
++ struct timeval tv;
++
++ (void)gettimeofday(&tv, NULL);
++ if (tv.tv_sec >= pw->pw_expire)
++ return 0;
++ }
++#endif /* __FreeBSD__ */
++
+ /* We found no reason not to let this user try to log on... */
+ return 1;
+ }
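Review bot: In the added `__FreeBSD__` block the result of `gettimeofday()` is discarded with `(void)`, so if the call ever fails `tv.tv_sec` is read uninitialized and the expiry decision rests on stack contents. Only the seconds are used, so `if (time(NULL) >= pw->pw_expire) return 0;` is simpler and has no uninitialized read. The refusal is also silent; a log line naming the account before `return 0` would let operators tell an expired account from a failed authentication. The same `gettimeofday` pattern appears in the `pw_change` check in files/patch-session.c, and both patches are duplicated under security/openssh-portable/files/. The enclosing function starts above the hunk.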
diff --git a/security/hpn-ssh/files/patch-clientloop.c b/security/hpn-ssh/files/patch-clientloop.c
new file mode 100644
index 000000000000..67fc4dcb4f6b
--- /dev/null
+++ b/security/hpn-ssh/files/patch-clientloop.c
@@ -0,0 +1,11 @@
+--- clientloop.c.orig Fri Apr 20 09:17:51 2001
++++ clientloop.c Sat May 26 15:18:51 2001
+@@ -1131,7 +1131,7 @@
+
+ if (strcmp(ctype, "forwarded-tcpip") == 0) {
+ c = client_request_forwarded_tcpip(ctype, rchan);
+- } else if (strcmp(ctype, "x11") == 0) {
++ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
+ c = client_request_x11(ctype, rchan);
+ } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
+ c = client_request_agent(ctype, rchan);
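Review bot: The `x11` branch is now gated on `options.forward_x11`, but the `auth-agent@openssh.com` branch directly below still accepts a server-initiated channel whether or not the client asked for agent forwarding, unless `client_request_agent()` checks that itself, which is not visible here. The same guard belongs on that branch: `} else if (strcmp(ctype, "auth-agent@openssh.com") == 0 && options.forward_agent) {`. What happens to a refused request depends on the fall-through branch, which lies outside the hunk, so confirm it answers with an open failure rather than leaving the channel pending. The identical patch is added as security/openssh-portable/files/patch-clientloop.c.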
diff --git a/security/hpn-ssh/files/patch-misc.c b/security/hpn-ssh/files/patch-misc.c
new file mode 100644
index 000000000000..0f8ef065fec0
--- /dev/null
+++ b/security/hpn-ssh/files/patch-misc.c
@@ -0,0 +1,13 @@
+--- misc.c.orig Thu Apr 12 22:09:37 2001
++++ misc.c Sat May 26 15:39:25 2001
+@@ -111,6 +111,10 @@
+ copy->pw_class = xstrdup(pw->pw_class);
+ copy->pw_dir = xstrdup(pw->pw_dir);
+ copy->pw_shell = xstrdup(pw->pw_shell);
++#ifdef __FreeBSD__
++ copy->pw_expire = pw->pw_expire;
++ copy->pw_change = pw->pw_change;
++#endif /* __FreeBSD__ */
+ return copy;
+ }
+
diff --git a/security/hpn-ssh/files/patch-session.c b/security/hpn-ssh/files/patch-session.c
new file mode 100644
index 000000000000..2fbf15d43128
--- /dev/null
+++ b/security/hpn-ssh/files/patch-session.c
@@ -0,0 +1,100 @@
+--- session.c.orig Tue Apr 17 21:34:25 2001
++++ session.c Sat May 26 15:45:15 2001
+@@ -461,6 +467,13 @@
+ log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+ /*
++ * Using login and executing a specific "command" are mutually
++ * exclusive, so turn off use_login if there's a command.
++ */
++ if (command != NULL)
++ options.use_login = 0;
++
++ /*
+ * Create a new session and process group since the 4.4BSD
+ * setlogin() affects the entire process group.
+ */
+@@ -566,6 +579,13 @@
+ /* Child. Reinitialize the log because the pid has changed. */
+ log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
++ /*
++ * Using login and executing a specific "command" are mutually
++ * exclusive, so turn off use_login if there's a command.
++ */
++ if (command != NULL)
++ options.use_login = 0;
++
+ /* Close the master side of the pseudo tty. */
+ close(ptyfd);
+
+@@ -639,6 +659,11 @@
+ time_t last_login_time;
+ struct passwd * pw = s->pw;
+ pid_t pid = getpid();
++#ifdef HAVE_LOGIN_CAP
++ FILE *f;
++ char buf[256];
++ char *fname;
++#endif /* HAVE_LOGIN_CAP */
+
+ /*
+ * Get IP address of client. If the connection is not a socket, let
+@@ -679,6 +704,21 @@
+ printf("Last login: %s from %s\r\n", time_string, hostname);
+ }
+
++#ifdef HAVE_LOGIN_CAP
++ if (!options.use_login) {
++ fname = login_getcapstr(lc, "copyright", NULL, NULL);
++ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
++ while (fgets(buf, sizeof(buf), f) != NULL)
++ fputs(buf, stdout);
++ fclose(f);
++ } else
++ (void)printf("%s\n\t%s %s\n",
++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
++ "The Regents of the University of California. ",
++ "All rights reserved.");
++ }
++#endif /* HAVE_LOGIN_CAP */
++
+ do_motd();
+ }
+
+@@ -1027,7 +1067,7 @@
+ * initgroups, because at least on Solaris 2.3 it leaves file
+ * descriptors open.
+ */
+- for (i = 3; i < 64; i++)
++ for (i = 3; i < getdtablesize(); i++)
+ close(i);
+
+ /* Change current directory to the user\'s home directory. */
+@@ -1051,6 +1091,26 @@
+ * in this order).
+ */
+ if (!options.use_login) {
++#ifdef __FreeBSD__
++ /*
++ * If the password change time is set and has passed, give the
++ * user a password expiry notice and chance to change it.
++ */
++ if (pw->pw_change != 0) {
++ struct timeval tv;
++
++ (void)gettimeofday(&tv, NULL);
++ if (tv.tv_sec >= pw->pw_change) {
++ (void)printf(
++ "Sorry -- your password has expired.\n");
++ syslog(LOG_INFO,
++ "%s Password expired - forcing change",
++ pw->pw_name);
++ if (system("/usr/bin/passwd") != 0)
++ perror("/usr/bin/passwd");
++ }
++ }
++#endif /* __FreeBSD__ */
+ /* ignore _PATH_SSH_USER_RC for subsystems */
+ if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ if (debug_flag)
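Review bot: In the last inner hunk (`@@ -1051,6 +1091,26 @@`) the session continues whether or not `/usr/bin/passwd` succeeds, because the failure branch only calls `perror()`; a user who aborts the prompt still reaches a shell with an expired password even though the log line says "forcing change". Terminate on failure, e.g. `if (system("/usr/bin/passwd") != 0) { perror("/usr/bin/passwd"); exit(1); }`. `system()` also goes through `/bin/sh` with whatever environment is in place at that point, which is set up outside the hunk; a direct fork/exec of the absolute path with an explicit argv would not depend on it. The expiry test reads `tv.tv_sec` after an unchecked `gettimeofday()`, where `time(NULL)` would do. The same patch is added as security/openssh-portable/files/patch-session.c, and every touched function extends beyond the hunks shown.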
diff --git a/security/hpn-ssh/files/patch-sshconnect.c b/security/hpn-ssh/files/patch-sshconnect.c
new file mode 100644
index 000000000000..0d2e317b7147
--- /dev/null
+++ b/security/hpn-ssh/files/patch-sshconnect.c
@@ -0,0 +1,15 @@
+--- sshconnect.c.orig Fri Apr 13 01:34:36 2001
++++ sshconnect.c Fri Jun 1 08:01:05 2001
+@@ -504,10 +504,12 @@
+ local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+ salen = sizeof(struct sockaddr_in);
+ break;
++#ifdef INET6
+ case AF_INET6:
+ local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
+ salen = sizeof(struct sockaddr_in6);
+ break;
++#endif
+ default:
+ local = 0;
+ salen = sizeof(struct sockaddr_storage);
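Review bot: Nothing visible in this commit defines `INET6` (the port Makefile passes no such flag), so with the new `#ifdef INET6` the `AF_INET6` case may be compiled out entirely even though the port is listed under `CATEGORIES= security ipv6`. IPv6 peers would then fall to `default:`, where `local` is 0 and `salen` is `sizeof(struct sockaddr_storage)` rather than the size of a `sockaddr_in6`; how `salen` and `local` are consumed is outside the hunk. If the guard is meant for hosts without IPv6 headers, test a symbol the build actually provides and say so in a comment such as `/* AF_INET6 case needs struct sockaddr_in6; compiled out on hosts without IPv6 support */`. The identical patch is added as security/openssh-portable/files/patch-sshconnect.c.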
diff --git a/security/hpn-ssh/pkg-comment b/security/hpn-ssh/pkg-comment
new file mode 100644
index 000000000000..d96c7bfa9b13
--- /dev/null
+++ b/security/hpn-ssh/pkg-comment
@@ -0,0 +1 @@
+The portable version of OpenBSD's OpenSSH
diff --git a/security/hpn-ssh/pkg-descr b/security/hpn-ssh/pkg-descr
new file mode 100644
index 000000000000..6b11fb954879
--- /dev/null
+++ b/security/hpn-ssh/pkg-descr
@@ -0,0 +1,3 @@
+OpenBSD's OpenSSH portable version
+
+WWW: http://www.openssh.com/portable.html
diff --git a/security/hpn-ssh/pkg-message b/security/hpn-ssh/pkg-message
new file mode 100644
index 000000000000..47f0f600972d
--- /dev/null
+++ b/security/hpn-ssh/pkg-message
@@ -0,0 +1,10 @@
+To enable this port, please add sshd_program=/usr/local/sbin/sshd and make
+sure
+sshd_enable is set to YES in your /etc/rc.conf
+
+You may also want to put NO_OPENSSH= true in your /etc/make.conf
+and make sure your path is setup to /usr/local/bin before /usr/bin so that
+you
+are running the port version of openssh and not the version that comes with
+FreeBSD
+
diff --git a/security/hpn-ssh/pkg-plist b/security/hpn-ssh/pkg-plist
new file mode 100644
index 000000000000..34b8ce62f885
--- /dev/null
+++ b/security/hpn-ssh/pkg-plist
@@ -0,0 +1,9 @@
+bin/ssh
+bin/scp
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+bin/sftp
+sbin/sshd
+libexec/sftp-server
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
new file mode 100644
index 000000000000..1f155f8ae624
--- /dev/null
+++ b/security/openssh-portable/Makefile
@@ -0,0 +1,37 @@
+# New ports collection makefile for: openssh
+# Date created: 18 Mar 1999
+# Whom: dwcjr@inethouston.net
+#
+# $FreeBSD$
+#
+
+PORTNAME= openssh
+PORTVERSION= 2.9p1
+CATEGORIES= security ipv6
+MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
+ ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \
+ ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
+PKGNAMESUFFIX= -portable
+
+MAINTAINER= dwcjr@inethouston.net
+
+MAN1= sftp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 scp.1 ssh.1
+MAN8= sftp-server.8 sshd.8
+
+CRYPTOLIBS= -L${OPENSSLLIB} -lcrypto
+USE_OPENSSL= YES
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS?= --prefix=${PREFIX}
+
+.if exists(/usr/include/security/pam_modules.h)
+CONFIGURE_ARGS+= --with-pam
+.endif
+
+.if exists(/usr/include/tcpd.h)
+CONFIGURE_ARGS+= --with-tcp-wrappers
+.endif
+
+post-install:
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.mk>
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
new file mode 100644
index 000000000000..a02905b4e8e8
--- /dev/null
+++ b/security/openssh-portable/distinfo
@@ -0,0 +1 @@
+MD5 (openssh-2.9p1.tar.gz) = 591a5f59962c5604c8be81e37090759f
diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c
new file mode 100644
index 000000000000..99c9d0c1550e
--- /dev/null
+++ b/security/openssh-portable/files/patch-auth.c
@@ -0,0 +1,20 @@
+--- auth.c.orig Mon Mar 19 23:15:57 2001
++++ auth.c Fri Jun 1 07:59:43 2001
+@@ -158,6 +158,17 @@
+ }
+ #endif /* WITH_AIXAUTHENTICATE */
+
++#ifdef __FreeBSD__
++ /* Fail if the account's expiration time has passed. */
++ if (pw->pw_expire != 0) {
++ struct timeval tv;
++
++ (void)gettimeofday(&tv, NULL);
++ if (tv.tv_sec >= pw->pw_expire)
++ return 0;
++ }
++#endif /* __FreeBSD__ */
++
+ /* We found no reason not to let this user try to log on... */
+ return 1;
+ }
diff --git a/security/openssh-portable/files/patch-clientloop.c b/security/openssh-portable/files/patch-clientloop.c
new file mode 100644
index 000000000000..67fc4dcb4f6b
--- /dev/null
+++ b/security/openssh-portable/files/patch-clientloop.c
@@ -0,0 +1,11 @@
+--- clientloop.c.orig Fri Apr 20 09:17:51 2001
++++ clientloop.c Sat May 26 15:18:51 2001
+@@ -1131,7 +1131,7 @@
+
+ if (strcmp(ctype, "forwarded-tcpip") == 0) {
+ c = client_request_forwarded_tcpip(ctype, rchan);
+- } else if (strcmp(ctype, "x11") == 0) {
++ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
+ c = client_request_x11(ctype, rchan);
+ } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
+ c = client_request_agent(ctype, rchan);
diff --git a/security/openssh-portable/files/patch-misc.c b/security/openssh-portable/files/patch-misc.c
new file mode 100644
index 000000000000..0f8ef065fec0
--- /dev/null
+++ b/security/openssh-portable/files/patch-misc.c
@@ -0,0 +1,13 @@
+--- misc.c.orig Thu Apr 12 22:09:37 2001
++++ misc.c Sat May 26 15:39:25 2001
+@@ -111,6 +111,10 @@
+ copy->pw_class = xstrdup(pw->pw_class);
+ copy->pw_dir = xstrdup(pw->pw_dir);
+ copy->pw_shell = xstrdup(pw->pw_shell);
++#ifdef __FreeBSD__
++ copy->pw_expire = pw->pw_expire;
++ copy->pw_change = pw->pw_change;
++#endif /* __FreeBSD__ */
+ return copy;
+ }
+
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
new file mode 100644
index 000000000000..2fbf15d43128
--- /dev/null
+++ b/security/openssh-portable/files/patch-session.c
@@ -0,0 +1,100 @@
+--- session.c.orig Tue Apr 17 21:34:25 2001
++++ session.c Sat May 26 15:45:15 2001
+@@ -461,6 +467,13 @@
+ log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
+ /*
++ * Using login and executing a specific "command" are mutually
++ * exclusive, so turn off use_login if there's a command.
++ */
++ if (command != NULL)
++ options.use_login = 0;
++
++ /*
+ * Create a new session and process group since the 4.4BSD
+ * setlogin() affects the entire process group.
+ */
+@@ -566,6 +579,13 @@
+ /* Child. Reinitialize the log because the pid has changed. */
+ log_init(__progname, options.log_level, options.log_facility, log_stderr);
+
++ /*
++ * Using login and executing a specific "command" are mutually
++ * exclusive, so turn off use_login if there's a command.
++ */
++ if (command != NULL)
++ options.use_login = 0;
++
+ /* Close the master side of the pseudo tty. */
+ close(ptyfd);
+
+@@ -639,6 +659,11 @@
+ time_t last_login_time;
+ struct passwd * pw = s->pw;
+ pid_t pid = getpid();
++#ifdef HAVE_LOGIN_CAP
++ FILE *f;
++ char buf[256];
++ char *fname;
++#endif /* HAVE_LOGIN_CAP */
+
+ /*
+ * Get IP address of client. If the connection is not a socket, let
+@@ -679,6 +704,21 @@
+ printf("Last login: %s from %s\r\n", time_string, hostname);
+ }
+
++#ifdef HAVE_LOGIN_CAP
++ if (!options.use_login) {
++ fname = login_getcapstr(lc, "copyright", NULL, NULL);
++ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
++ while (fgets(buf, sizeof(buf), f) != NULL)
++ fputs(buf, stdout);
++ fclose(f);
++ } else
++ (void)printf("%s\n\t%s %s\n",
++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
++ "The Regents of the University of California. ",
++ "All rights reserved.");
++ }
++#endif /* HAVE_LOGIN_CAP */
++
+ do_motd();
+ }
+
+@@ -1027,7 +1067,7 @@
+ * initgroups, because at least on Solaris 2.3 it leaves file
+ * descriptors open.
+ */
+- for (i = 3; i < 64; i++)
++ for (i = 3; i < getdtablesize(); i++)
+ close(i);
+
+ /* Change current directory to the user\'s home directory. */
+@@ -1051,6 +1091,26 @@
+ * in this order).
+ */
+ if (!options.use_login) {
++#ifdef __FreeBSD__
++ /*
++ * If the password change time is set and has passed, give the
++ * user a password expiry notice and chance to change it.
++ */
++ if (pw->pw_change != 0) {
++ struct timeval tv;
++
++ (void)gettimeofday(&tv, NULL);
++ if (tv.tv_sec >= pw->pw_change) {
++ (void)printf(
++ "Sorry -- your password has expired.\n");
++ syslog(LOG_INFO,
++ "%s Password expired - forcing change",
++ pw->pw_name);
++ if (system("/usr/bin/passwd") != 0)
++ perror("/usr/bin/passwd");
++ }
++ }
++#endif /* __FreeBSD__ */
+ /* ignore _PATH_SSH_USER_RC for subsystems */
+ if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ if (debug_flag)
diff --git a/security/openssh-portable/files/patch-sshconnect.c b/security/openssh-portable/files/patch-sshconnect.c
new file mode 100644
index 000000000000..0d2e317b7147
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshconnect.c
@@ -0,0 +1,15 @@
+--- sshconnect.c.orig Fri Apr 13 01:34:36 2001
++++ sshconnect.c Fri Jun 1 08:01:05 2001
+@@ -504,10 +504,12 @@
+ local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
+ salen = sizeof(struct sockaddr_in);
+ break;
++#ifdef INET6
+ case AF_INET6:
+ local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
+ salen = sizeof(struct sockaddr_in6);
+ break;
++#endif
+ default:
+ local = 0;
+ salen = sizeof(struct sockaddr_storage);
diff --git a/security/openssh-portable/pkg-comment b/security/openssh-portable/pkg-comment
new file mode 100644
index 000000000000..d96c7bfa9b13
--- /dev/null
+++ b/security/openssh-portable/pkg-comment
@@ -0,0 +1 @@
+The portable version of OpenBSD's OpenSSH
diff --git a/security/openssh-portable/pkg-descr b/security/openssh-portable/pkg-descr
new file mode 100644
index 000000000000..6b11fb954879
--- /dev/null
+++ b/security/openssh-portable/pkg-descr
@@ -0,0 +1,3 @@
+OpenBSD's OpenSSH portable version
+
+WWW: http://www.openssh.com/portable.html
diff --git a/security/openssh-portable/pkg-message b/security/openssh-portable/pkg-message
new file mode 100644
index 000000000000..47f0f600972d
--- /dev/null
+++ b/security/openssh-portable/pkg-message
@@ -0,0 +1,10 @@
+To enable this port, please add sshd_program=/usr/local/sbin/sshd and make
+sure
+sshd_enable is set to YES in your /etc/rc.conf
+
+You may also want to put NO_OPENSSH= true in your /etc/make.conf
+and make sure your path is setup to /usr/local/bin before /usr/bin so that
+you
+are running the port version of openssh and not the version that comes with
+FreeBSD
+
diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist
new file mode 100644
index 000000000000..34b8ce62f885
--- /dev/null
+++ b/security/openssh-portable/pkg-plist
@@ -0,0 +1,9 @@
+bin/ssh
+bin/scp
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+bin/sftp
+sbin/sshd
+libexec/sftp-server