Improve Kerberos support in ssh2:
- Change the WITH_KERBEROS knob into a WITHOUT_KERBEROS knob so kerberized
ssh2 automatically is built when MIT Kerberos is installed, unless the
WITHOUT_KERBEROS knob is defined.
- Check for a library unique to MIT Kerberos to make sure it's not Heimdal
that KRB5_HOME accidentally points to.
- Add dependency on security/krb5 when built with Kerberos support.
- When compiled with Kerberos support also turn it on by default in client
and server config files and set "PermitRootLogin" to "nopwd" to only allow
those with root tickets declared in ~root/.k5login" to login as root. [1]
Ssh2 now should work out of the box in an environment using MIT Kerberos.
Submitted by: Peter Losher <Peter_Losher@isc.org> [1] (kerberos-patch-*)
Tested by: Peter Losher <Peter_Losher@isc.org>
---snip---
Submitted by: maintainer
Strange commit log formatting to prevent
ambiguous "Submitted by" lines by: committer
sshd2 unless it detects an entry for ssh in /etc/inetd.conf. As there
are three ways to automatically start sshd2 and /etc/rc.conf is the
simplest one (at least on FreeBSD 4, with rcNG once /etc/rc.d/sshd is
fixed to not be tailored to the base sshd) this version of the port
is the last one to do so. Beginning with next version it will only
install a sample start-up script. To prevent foot shooting when
updating to the next version this port won't remove an existing
start-up scripting on deinstall. Please see also the pkg-message that
gets displayed on installation.
- Update to 3.2.9.1. This is _not_ a security update. For the non-commercial
version the only change worth mentioning since 3.2.5 is the addition of the
config option "DisableVersionFallback", see sshd2_config(5) for further
details.
- Use sites from the official list of mirrors for MASTER_SITES.
- Adjust COMMENT to justify why this port is security/ssh2, not security/ssh3.
- Revise list of installed documentation. No longer install MANIFEST (list of
source files) and INSTALL, install RFCs referenced in sshd2_config(5) and
HOWTO.anonymous.sftp (patched to better fit FreeBSD).
- Remove WITH_STATIC_SFTP knob. Using the internal sftp-server instead of the
external (static) one is much simpler to set up and maintain (using the
external one requires to install a copy of it in the home directory of the
anonymous sftp user which has to be manually updated when installing a newer
version of the port).
- Remove WITHOUT_TCPWRAP knob, libwarp is part of FreeBSD since 3.2.
- Install examples scripts for the ExternalAuthorizationProgram and
AuthKbdInt.Plugin config options in EXAMPLESDIR. See sshd2_config(5) for
further information.
- Replace references to /etc/ssh2/* in config files with PREFIX/etc/ssh2/*.
- Add a pkg-message displaying the different methods to automatically start
sshd2.
- Switch to the start-up script for Solaris which is part of the tarball, it
handles the name of the pidfile better.
- Fix detection of X11 headers, this enables compilation with support for X11
SECURITY extension. See TrustX11Applications in ssh2_config(5) for further
information.
- Add a test target to the Makefile of the port, the tests seem a bit outdated
and buggy but it's enough to e.g. do a bit of speed comparison when building
with different compilers.
- Minor changes and clean-up (sort pkg-plist, don't add /usr/local/lib to
the library search path when compiling, etc.).
Revive some local modifications lost with the update to 3.1.0:
- Use login_cap(3)/login_class(3) facilities to set environment variables,
prority and shell, get motd, copyright, hushlogin and nologin, respect
ignorenologin and requirehome. This changes are roughly based on former
patch-ah and patch-ai and patches of security/openssh.
- Don't print "No mail.", it's not FreeBSD login style.
Submitted by: maintainer
* Fixed a critical security bug with RSA signature
verification. Mitigating factors: DSA is used by default (not
vulnerable). Also, the attack requires that attacker has the
public key and the attacker needs to precompute the signature
data so, that it looks like a valid PKCS#1 signature. This is a
non-trivial task to perform without the private
key. Nonetheless, all users should update their servers and
clients as soon as convenient. Workarounds are to not use RSA
keys as host keys (though connecting to existing hosts with RSA
hostkeys poses a serious risk with a vulnerable client), and
disabling publickey authentication. Update your clients and
servers.
Update MASTER_SITES, remove sites that are down or no langer carry ssh2
and add some new.
- Turn Kerberos and group writeability support into knobs so one hasn't to
edit the Makefile.
- Remove dependency on security/tcp_wrapper for tcp-wrapper support on
systems < FreeBSD 4.0, that port is no longer persistent.
- Fix pkg-plist for WITH_STATIC_SFTP case.
- Replace referneces to /etc/ssh2/* in man pages with references to
PREFIX/etc/ssh2/* in order to better fit for FreeBSD.
- Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc.
- Remove duplicated mechanism for generating the host key if an old one isn't
found in the post-install target in the Makefile of the port, this is
already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile.
- Fix differences between the install action done when installing the
package versus installing the port. I.e. make the package create the host
key with what ever bits ssh-keygen2 defaults to (currently 2048) instead
of 1024 bits, copy over the configuration files for ssh2 and sshd2 from
the examples if not already existent and create the directories for the
global host keys and known hosts files.
- Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2,
i.e. configuration files that don't differ from the corresponding examples
and empty directories. Inform the user to remove what's left over if any.
- Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets
set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of
"/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH
and seems more usefull. One might want to patch ssh2 to also use login_cap(3)
so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf.
- Change MAINTAINER.
- Replace "share/doc/ssh2" with %%DATADIR%% in pkg-plist.
Submitted by: Marius Strobl <marius@alchemy.franken.de>
Approved by: maintainer
2.) If libX11.a exists and xauth not, the build of ssh2 fails. This
patch fix this.
3.) ssh2/files/sshd.sh looks for the wrong pid file in /var/run.
This patch fix this and adds 2> /dev/null to the sshd2 startup
PR: 46012
Submitted by: maintainer
stopping the server.
Martti's submission did not include -h, which I added because if I had
added the scripts the way he submitted them, the server wouldn't be
started on startup.
PR: 10196
Submitted by: Martti Kuparinen <martti.kuparinen@ericsson.com>
Reviewed by: kris (partially)
No response: maintainers (PR opened February 22, 1999)
Ssh 2.0.9 has bugs abount updating utmp/wtmp file.
2. Now you can compile ssh2 to support TCP_Wrapper
(security/tcp_wrapper) when you define USE_TCPWRAP=YES
3. Fix typo in MASTER_SITES
(Thanks to Chris Piazza <norn@home.net>)
4. Use /usr/lib/libz.so.* instead of libz in ssh2 source file.
5. Delete some obsolute pathes.
PR: ports/8916
Submitted by: issei@jp.FreeBSD.ORG
OpenBSD and FreeBSD now both use rresvport. This is a nop for
FreeBSD, but for OpenBSD this picks random port numbers.
Submitted by: deraadt@cvs.openbsd.org
1) pw->pw_class was always zero since not copied
2) login_getuserclass() used instead of login_getclass(), so
default class always returned
3) env pointer can be redefined at the moment of setusercontext() call
regenerated them to fix the line numbers. Also, I added two commented out
options in Makefile, one to tell sshd that a group writeable homedir
is OK because all users are in their own group, and the other is to allow
an unencrypted connection (which is dangerous since it can lead to
compromise of keys), but on a secure network it's damn useful for backups
etc.
ignores it's argument (it's meaningless, the kernel keeps the state), but
2.1.x use it. ssh was effectively giving a random port to 2.1.
Originally noticed by: John Polstra <jdp@polstra.com>
reporting bug which happens if the remote end uses tcp_wrappers to control
sshd access (it says something like "read: no such file or directory" or
"read: permission denied" instead of "connection closed"). I already sent it
in to the ssh mailing list.
Submitted by: fenner
ssh for transport. FreeBSD does not have the implementation bugs that some
other systems appear to have, this option only hurts us.
Reviewed by: torstenb
ssh-askpass no longer uses wish, so chop the make rules that attempt to
locate it.
Go further to try and protect the ssh_host_key, since it's critical to
the operation and security of the machine.
security problems.
Also re-do the method we use for disconnecting ourselves from the supplied
gmp and z libraries so that this can be maintained in the future (sigh!).
