- Rework how the gssapi patch is fetched/mirrored so we can fetch
directly from debian.
PR: 239290
Submitted by: david@dcrosstech.com (based on)
Tested by: vrwmiller@gmail.com
- Fix patch URL for KERB_GSSAPI
- Add FLAVORs for x509 and gssapi since they are distinct types of
OpenSSH rather than feature flags.
Approved by: portmgr (implicit)
- DOCS is required for HPN but it's not exclusively a flavor so needs to be
in the default list.
- Fix a build-time OpenSSL version comparison [1]
PR: 233157 [1]
Reported by: Robert Schulze <rs@bytecamp.net> [1]
Obtained from: upstream c0a35265907533be10ca151ac797f34ae0d68969 [1]
- Bring in upstream patches post 7.7 to fix various issues [2]:
b81b2d120e9c8a83489e241620843687758925ad - Fix tunnel forwarding broken in 7.7p1
341727df910e12e26ef161508ed76d91c40a61eb - don't kill ssh-agent's listening socket entriely if we fail to accept a connection
85fe48fd49f2e81fa30902841b362cfbb7f1933b - don't free the %C expansion, it's used later for LocalCommand
868afa68469de50d8a43e5daf867d7c624a34d20 - Disable SSH2_MSG_DEBUG messages for Twisted Conch clients
f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 - Omit 3des-cbc if OpenSSL built without DES
PR: 227758 [1]
Submitted by: IWAMOTO Kouichi <sue@iwmt.org> [1]
PR: 227551 [2]
Reported by: rozhuk.im@gmail.com [2]
Obtained from: upstream mirror https://github.com/openssh/openssh-portable [2]
the command line added by patch-ssh.c misapplies to 7.7p1 and
moves from main() to to ssh_session2(). This breaks ssh SSHFP
support for non-canonical hostnames. For example, "ssh zinc"
correctly discovers the FQDN (zinc.ee.lbl.gov) and uses it to
look up A and AAAA records but the non-canonical version (zinc)
is used in the SSHFP record lookup which or course fails.
Regenerate the patch.
Reviewed by: bdrewery, ler (mentor)
Approved by: bdrewery, ler (mentor)
Differential Revision: https://reviews.freebsd.org/D15053
- Update x509 patch to 11.3
- Remove SCTP option as it has not had a patch available since 7.2.
Changes: https://www.openssh.com/txt/release-7.7
Notable changes:
* ssh(1)/sshd(8): Drop compatibility support for some very old SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
versions were all released in or before 2001 and predate the final
SSH RFCs. The support in question isn't necessary for RFC-compliant
SSH implementations.
This happens due to ldns-config --libs adding in too many libraries
(overlinking), and -lcrypto again, which causes some strange
conflict/corruption. By specifying the path to --with-ldns, configure only
adds in -ldns rather than every library ldns itself needs.
PR: 223000
Reported by: many
An unconditional dependency on groff was added in ports r441907 [1] as part
of bug 213725 (groff removal from base). OpenSSH release-5.7 notes the
following:
* Use mandoc as preferred manpage formatter if it is present, followed
by nroff and groff respectively.
This change removes groff as an unconditional dependency allowing mandoc
to be used, and reduces many subsequence dependencies accordingly.
It additionally explicitly sets 'mantype', which ensures that man pages
are installed in the same location (LOCALBASE/man) independently from the
generator used. Without this, a packaging (pkg-plist) error is observed
(installing man pages into LOCALBASE/doc not LOCALBASE/man), which was
presumably the genesis of the groff dependency addition in the first place.
[1] http://svnweb.freebsd.org/changeset/ports/441907
Reviewed by: bdrewery (maintainer), allanjude
Approved by: bdrewery (maintainer)
Differential Revision: D11793
- Update x509 patch to 11.0
- HPN/NONECIPHER do not apply currently and are disabled by default,
same as the base sshd. A compatibility patch is applied if
these options are disabled to prevent startup failures; the options
are kept as deprecated.
- SCTP patch does not apply.
Changes: https://www.openssh.com/txt/release-7.6
Notable changes:
- SSH version 1 support dropped.
- Dropped support for hmac-ripemd160 MAC.
- Dropped support for the ciphers arcfour, blowfish and CAST.
- RSA keys less than 1024 bits are refused.
