ssh_encode_{array_alloc,buffer}() calls as appropriate in order to
fix argument size problems on 64-bit platforms and that manifest
themselves on amd64 and ia64. [1]
- Allow the tcsetattr(3) calls in ssh_rl_{restore,set}_tty_modes_for_fd()
to be interrupted by signal. This fixes occasional problems when
connecting to a host for the first time.
- Use the base zlib instead of the one shipping with SSH; although the
latter has an enhancement allowing a minor SSH-specific optimization,
using the base one has the benefit of not needing to track security
vulnerabilities of zlib in this port (SSH 3.2.9.1 ships with zlib
1.1.4 which is not known to be vulnerable though).
- Try to make the description of the WITHOUT_X11 option of the port
Makefile to be more sentence-like.
PR: 98016 [1]
Approved by: netchild
Obtained from: NetBSD [1]
sshd2 unless it detects an entry for ssh in /etc/inetd.conf. As there
are three ways to automatically start sshd2 and /etc/rc.conf is the
simplest one (at least on FreeBSD 4, with rcNG once /etc/rc.d/sshd is
fixed to not be tailored to the base sshd) this version of the port
is the last one to do so. Beginning with next version it will only
install a sample start-up script. To prevent foot shooting when
updating to the next version this port won't remove an existing
start-up script on deinstall. Please see also the pkg-message that
gets displayed on installation.
- Update to 3.2.9.1. This is _not_ a security update. For the non-commercial
version the only change worth mentioning since 3.2.5 is the addition of the
config option "DisableVersionFallback", see sshd2_config(5) for further
details.
- Use sites from the official list of mirrors for MASTER_SITES.
- Adjust COMMENT to justify why this port is security/ssh2, not security/ssh3.
- Revise list of installed documentation. No longer install MANIFEST (list of
source files) and INSTALL, install RFCs referenced in sshd2_config(5) and
HOWTO.anonymous.sftp (patched to better fit FreeBSD).
- Remove WITH_STATIC_SFTP knob. Using the internal sftp-server instead of the
external (static) one is much simpler to set up and maintain (using the
external one requires to install a copy of it in the home directory of the
anonymous sftp user which has to be manually updated when installing a newer
version of the port).
- Remove WITHOUT_TCPWRAP knob, libwrap is part of FreeBSD since 3.2.
- Install example scripts for the ExternalAuthorizationProgram and
AuthKbdInt.Plugin config options in EXAMPLESDIR. See sshd2_config(5) for
further information.
- Replace references to /etc/ssh2/* in config files with PREFIX/etc/ssh2/*.
- Add a pkg-message displaying the different methods to automatically start
sshd2.
- Switch to the start-up script for Solaris which is part of the tarball, it
handles the name of the pidfile better.
- Fix detection of X11 headers, this enables compilation with support for X11
SECURITY extension. See TrustX11Applications in ssh2_config(5) for further
information.
- Add a test target to the Makefile of the port, the tests seem a bit outdated
and buggy but it's enough to e.g. do a bit of speed comparison when building
with different compilers.
- Minor changes and clean-up (sort pkg-plist, don't add /usr/local/lib to
the library search path when compiling, etc.).
Revive some local modifications lost with the update to 3.1.0:
- Use login_cap(3)/login_class(3) facilities to set environment variables,
priority and shell, get motd, copyright, hushlogin and nologin, respect
ignorenologin and requirehome. These changes are roughly based on former
patch-ah and patch-ai and patches of security/openssh.
- Don't print "No mail.", it's not FreeBSD login style.
Submitted by: maintainer
* Fixed a critical security bug with RSA signature
verification. Mitigating factors: DSA is used by default (not
vulnerable). Also, the attack requires that attacker has the
public key and the attacker needs to precompute the signature
data so that it looks like a valid PKCS#1 signature. This is a
non-trivial task to perform without the private
key. Nonetheless, all users should update their servers and
clients as soon as convenient. Workarounds are to not use RSA
keys as host keys (though connecting to existing hosts with RSA
hostkeys poses a serious risk with a vulnerable client), and
disabling publickey authentication. Update your clients and
servers.
Update MASTER_SITES, remove sites that are down or no longer carry ssh2
and add some new.
- Turn Kerberos and group writeability support into knobs so one hasn't to
edit the Makefile.
- Remove dependency on security/tcp_wrapper for tcp-wrapper support on
systems < FreeBSD 4.0, that port is no longer persistent.
- Fix pkg-plist for WITH_STATIC_SFTP case.
- Replace references to /etc/ssh2/* in man pages with references to
PREFIX/etc/ssh2/* in order to better fit for FreeBSD.
- Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc.
- Remove duplicated mechanism for generating the host key if an old one isn't
found in the post-install target in the Makefile of the port, this is
already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile.
- Fix differences between the install action done when installing the
package versus installing the port. I.e. make the package create the host
key with whatever bits ssh-keygen2 defaults to (currently 2048) instead
of 1024 bits, copy over the configuration files for ssh2 and sshd2 from
the examples if not already existent and create the directories for the
global host keys and known hosts files.
- Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2,
i.e. configuration files that don't differ from the corresponding examples
and empty directories. Inform the user to remove what's left over if any.
- Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets
set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of
"/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH
and seems more useful. One might want to patch ssh2 to also use login_cap(3)
so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf.
- Change MAINTAINER.
- Replace "share/doc/ssh2" with %%DATADIR%% in pkg-plist.
Submitted by: Marius Strobl <marius@alchemy.franken.de>
Approved by: maintainer