Re: security/openssh-portable: how to best test GSSAPI?

2019-07-19 Thread Rick Miller
On Thu, Jul 18, 2019 at 5:34 PM Rick Miller  wrote:

> Hi,
>
> security/openssh-portable was recently updated to 8.0p1 and breaks GSSAPI.
> I'd like to test the Debian GSSAPI patch for 8.0p1[1] submitting the result
> to the openssh-portable maintainer. Poudriere already sets the appropriate
> options for KERB_GSSAPI here so the intent is to leverage Poudriere. For
> example, create a new poudriere ports tree (poudriere ports -c), update
> security/openssh-portable/Makefile in that ports tree (patch below),
> subsequently run `make makesum` to update distinfo, then build the tree
> (poudriere bulk -f).
>
> I get to the point of running `make makesum` and distinfo is not updated
> with the GSSAPI patch's patchfile's info (similar to the current distinfo)
> and no error is printed. `make fetch` will retrieve openssh-portable
> sources if they're not already present, but not the GSSAPI patchfile. Can
> the patch be tested in place like this or am I going about this completely
> wrong?
> >
>

Defining OPTIONS_DEFAULT in the environment for make makesum got around
this behavior.



-- 
Take care
Rick Miller
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


security/openssh-portable: how to best test GSSAPI?

2019-07-18 Thread Rick Miller
Hi,

security/openssh-portable was recently updated to 8.0p1 and breaks GSSAPI.
I'd like to test the Debian GSSAPI patch for 8.0p1[1] submitting the result
to the openssh-portable maintainer. Poudriere already sets the appropriate
options for KERB_GSSAPI here so the intent is to leverage Poudriere. For
example, create a new poudriere ports tree (poudriere ports -c), update
security/openssh-portable/Makefile in that ports tree (patch below),
subsequently run `make makesum` to update distinfo, then build the tree
(poudriere bulk -f).

I get to the point of running `make makesum` and distinfo is not updated
with the GSSAPI patch's patchfile's info (similar to the current distinfo)
and no error is printed. `make fetch` will retrieve openssh-portable
sources if they're not already present, but not the GSSAPI patchfile. Can
the patch be tested in place like this or am I going about this completely
wrong? Does the file need to be

--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -101,7 +101,8 @@ ETCDIR?=${PREFIX}/etc/ssh

 .include 

-PATCH_SITES+=
http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
+PATCH_SITES+=
http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn \
+
https://sources.debian.org/data/main/o/openssh/1:8.0p1-3/debian/patches/:gsskex

 # X509 patch includes TCP Wrapper support already
 .if ${PORT_OPTIONS:MX509}
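Review bot: the new `https://sources.debian.org/data/main/o/openssh/1:8.0p1-3/debian/patches/:gsskex` site pins a single Debian package revision in the path; the other patch groups on the same line are served from mirror.shatow.net precisely so the port does not depend on a third party's URL layout, so once the patch is verified it should be mirrored there (or a copy committed) under a versioned name rather than fetched live from the Debian source browser.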
@@ -120,7 +121,7 @@ EXTRA_PATCHES:=
${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
-PATCHFILES+=
openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex
+PATCHFILES+=   gssapi.patch:-p1:gsskex
 .endif
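Review bot: `+PATCHFILES+=   gssapi.patch:-p1:gsskex` replaces a versioned file name with an unversioned one; the file is cached in DISTDIR and recorded in distinfo as plain `gssapi.patch`, so the next OpenSSH update will fetch a different file under the same name and trip the checksum on anyone's cached copy. Set DIST_SUBDIR or keep a versioned name like the `openssh-7.9p1-gsskex-all-20141021-...` one being removed. Also confirm that `${FILESDIR}/extra-patch-hpn-gss-glue`, applied just above when HPN is on, still applies on top of Debian's 8.0 gssapi.patch, since it was written against the 20141021 gsskex patch.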


[1]
https://sources.debian.org/data/main/o/openssh/1:8.0p1-3/debian/patches/gssapi.patch

-- 
Take care
Rick Miller


Re: security/openssh-portable and KERB_GSSAPI

2018-04-24 Thread Rick Miller
On Tue, Apr 24, 2018 at 11:55 AM Kurt Jaeger  wrote:

> Hello,
>
> > > Thanks in advance for taking a look at this.
>
> Can you please upload it to bugs.freebsd.org and post the PR number
> here ? The re-formatted patch is very difficult to read.


Indeed, it is.

Please disregard. It was determined that HPN was mistakenly enabled and
disabling it resolves the problem.


-- 
Take care
Rick Miller


Re: security/openssh-portable and KERB_GSSAPI

2018-04-24 Thread Kurt Jaeger
Hello,

> > Thanks in advance for taking a look at this.

Can you please upload it to bugs.freebsd.org and post the PR number
here ? The re-formatted patch is very difficult to read.

-- 
p...@opsec.eu +49 171 3101372  2 years to go !


Re: security/openssh-portable and KERB_GSSAPI

2018-04-24 Thread Rick Miller
On Tue, Apr 24, 2018 at 7:46 AM Rick Miller <vrwmil...@gmail.com> wrote:

> Hi,
>
> Thanks in advance for taking a look at this.
>
>  I need help understanding how to test a port patch and submit it to the
> port maintainer. Port in question is security/openssh-portable, for which
> KERB_GSSAPI is broken. Upstream has a patch, but Poudriere is failing in
> the fetch phase after my updates.
>
> security/openssh-portable/Makefile is updated according to the patch below
> in order to test, but Poudriere fails citing the error below.
>
> root@server # svn diff
>
> Index: security/openssh-portable/Makefile
>
> ===========
>
> --- security/openssh-portable/Makefile  (revision 460698)
>
> +++ security/openssh-portable/Makefile   (working copy)
>
> @@ -2,8 +2,8 @@
>
> # $FreeBSD$
>
>  PORTNAME=openssh
>
> -DISTVERSION= 7.6p1
>
> -PORTREVISION= 3
>
> +DISTVERSION= 7.7p1
>
> +PORTREVISION=4
>
> PORTEPOCH=   1
>
> CATEGORIES=   security ipv6
>
> MASTER_SITES=  OPENBSD/OpenSSH/portable
>
> @@ -89,7 +89,9 @@
>
>  .include 
>
> -PATCH_SITES+=
> http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
>
> +#PATCH_SITES+=
> http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex \
>
> +PATCH_SITES+=
> http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn \
>
> +
> http://sources.debian.net/data/main/o/openssh/1:7.7p1-2/debian/patches/:gsskex
>
>  # X509 patch includes TCP Wrapper support already
>
> .if ${PORT_OPTIONS:MX509}
>
> @@ -98,7 +100,6 @@
>
>  # Must add this patch before HPN due to conflicts
>
> .if ${PORT_OPTIONS:MKERB_GSSAPI}
>
> -BROKEN=   No patch for 7.6 yet.
>
> # Patch from:
>
> #
> http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
>
> # which was originally based on 5.7 patch from
>
> @@ -108,12 +109,13 @@
>
> # Needed glue for applying HPN patch without conflict
>
> EXTRA_PATCHES+=${FILESDIR}/extra-patch-hpn-gss-glue
>
> .  endif
>
> -PATCHFILES+=
> openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex
>
> +#PATCHFILES+=
> openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex
>
> +PATCHFILES+= gssapi.patch:-p1:gsskex
>
> .endif
>
>  # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh
> https://github.com/rapier1/openssh-portable
>
> .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
>
> -BROKEN=       Not yet updated for
> 7.6+ and disabled in base
>
> +#BROKEN=       Not yet updated for 7.6+
> and disabled in base
>
> PORTDOCS+=   HPN-README
>
> HPN_VERSION=   14v5
>
> HPN_DISTVERSION=  6.7p1
>
> Index: security/openssh-portable/distinfo
>
> ===
>
> --- security/openssh-portable/distinfo(revision 460698)
>
> +++ security/openssh-portable/distinfo (working copy)
>
> @@ -1,7 +1,3 @@
>
> -TIMESTAMP = 1507833573
>
> -SHA256 (openssh-7.6p1.tar.gz) =
> a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
>
> -SIZE (openssh-7.6p1.tar.gz) = 1489788
>
> -SHA256 (openssh-7.2_p1-sctp.patch.gz) =
> fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
>
> -SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
>
> -SHA256 (openssh-7.6p1+x509-11.0.diff.gz) =
> bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e
>
> -SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219
>
> +TIMESTAMP = 1524506053
>
> +SHA256 (openssh-7.7p1.tar.gz) =
> d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
>
> +SIZE (openssh-7.7p1.tar.gz) = 1536900
>
>
>
> Poudrière fails to build the port citing:
>
>
>
> ===
>
> => gssapi.patch is not in /usr/ports/security/openssh-portable/distinfo.
>
> => Either /usr/ports/security/openssh-portable/distinfo is out of date, or
>
> => gssapi.patch is spelled incorrectly.
>
> *** Error code 1
>
>
>
> Stop.
>
> make: stopped in /usr/ports/security/openssh-portable
>
> Surely this is something I’m not doing right. Just need help
> understanding. Do you have feedback?
>

Apparently, the mail client munged the patches. Disregard the formatting
created by the client; Most notably the extra, undesirable line breaks and
the ‘3D’s.
-- 
Take care
Rick Miller


security/openssh-portable and KERB_GSSAPI

2018-04-24 Thread Rick Miller
Hi,

Thanks in advance for taking a look at this.

 I need help understanding how to test a port patch and submit it to the
port maintainer. Port in question is security/openssh-portable, for which
KERB_GSSAPI is broken. Upstream has a patch, but Poudriere is failing in
the fetch phase after my updates.

security/openssh-portable/Makefile is updated according to the patch below
in order to test, but Poudriere fails citing the error below.

root@server # svn diff

Index: security/openssh-portable/Makefile

===

--- security/openssh-portable/Makefile  (revision 460698)

+++ security/openssh-portable/Makefile   (working copy)

@@ -2,8 +2,8 @@

# $FreeBSD$

 PORTNAME=openssh

-DISTVERSION= 7.6p1

-PORTREVISION= 3

+DISTVERSION= 7.7p1

+PORTREVISION=4

PORTEPOCH=   1

CATEGORIES=   security ipv6

MASTER_SITES=  OPENBSD/OpenSSH/portable
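Review bot: PORTREVISION should be dropped, not bumped, alongside `+DISTVERSION= 7.7p1`: a DISTVERSION change already produces a new package version, and the Porter's Handbook resets PORTREVISION (removes the line) on every upstream update. As written `+PORTREVISION=4` yields openssh-portable-7.7.p1_4,1 with a revision number that carries no meaning.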

@@ -89,7 +89,9 @@

 .include 

-PATCH_SITES+=
http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex

+#PATCH_SITES+=
http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex \

+PATCH_SITES+=
http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn \

+
http://sources.debian.net/data/main/o/openssh/1:7.7p1-2/debian/patches/:gsskex

 # X509 patch includes TCP Wrapper support already

.if ${PORT_OPTIONS:MX509}
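Review bot: the commented-out `+#PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex \` line keeps its trailing backslash, and bmake honours backslash-newline inside a comment, so the active `+PATCH_SITES+=` line that follows is swallowed into the comment and no patch site is defined at all. Delete the old line instead of commenting it out. Separately, the new site is plain `http://sources.debian.net/...`; distinfo's SHA256 protects the download once an entry exists, but use the https URL, and note that the `1:7.7p1-2` path component pins one Debian revision that disappears from the package's current tree when Debian uploads the next one.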

@@ -98,7 +100,6 @@

 # Must add this patch before HPN due to conflicts

.if ${PORT_OPTIONS:MKERB_GSSAPI}

-BROKEN=   No patch for 7.6 yet.

# Patch from:

#
http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch

# which was originally based on 5.7 patch from
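Review bot: removing `-BROKEN=   No patch for 7.6 yet.` is fine, but the `# Patch from:` comment two lines below still points at the `1:7.4p1-5` gssapi.patch while the hunk above now fetches the `1:7.7p1-2` one; update the comment to the URL actually used so the next person updating the port knows which Debian revision it tracks.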

@@ -108,12 +109,13 @@

# Needed glue for applying HPN patch without conflict

EXTRA_PATCHES+=${FILESDIR}/extra-patch-hpn-gss-glue

.  endif

-PATCHFILES+=
openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex

+#PATCHFILES+=
openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex

+PATCHFILES+= gssapi.patch:-p1:gsskex

.endif

 # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh
https://github.com/rapier1/openssh-portable

.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}

-BROKEN=   Not yet updated for 7.6+
and disabled in base

+#BROKEN=   Not yet updated for 7.6+
and disabled in base

PORTDOCS+=   HPN-README

HPN_VERSION=   14v5

HPN_DISTVERSION=  6.7p1
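Review bot: `+#BROKEN=   Not yet updated for 7.6+ and disabled in base` re-enables the HPN and NONECIPHER options without any change to the HPN patch, whose `HPN_DISTVERSION=  6.7p1` is still visible in the context lines; commenting out a BROKEN marker does not make the patch apply. Leave that part out of a GSSAPI change (a later message in this thread reports HPN was enabled by mistake and disabling it resolved the problem). Likewise delete the old `#PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex` line rather than keeping it as a comment, and consider that `gssapi.patch` is an unversioned name that will collide in DISTDIR with the next version's file unless DIST_SUBDIR is set or the file is mirrored under a versioned name.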

Index: security/openssh-portable/distinfo

===

--- security/openssh-portable/distinfo(revision 460698)

+++ security/openssh-portable/distinfo (working copy)

@@ -1,7 +1,3 @@

-TIMESTAMP = 1507833573

-SHA256 (openssh-7.6p1.tar.gz) =
a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723

-SIZE (openssh-7.6p1.tar.gz) = 1489788

-SHA256 (openssh-7.2_p1-sctp.patch.gz) =
fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc

-SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501

-SHA256 (openssh-7.6p1+x509-11.0.diff.gz) =
bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e

-SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219

+TIMESTAMP = 1524506053

+SHA256 (openssh-7.7p1.tar.gz) =
d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f

+SIZE (openssh-7.7p1.tar.gz) = 1536900
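Review bot: the regenerated distinfo carries only the tarball: there is no `SHA256 (gssapi.patch)` / `SIZE (gssapi.patch)` pair, which is exactly the `gssapi.patch is not in .../distinfo` error quoted below, and the entries for `openssh-7.2_p1-sctp.patch.gz` and `openssh-7.6p1+x509-11.0.diff.gz` were dropped as well, so the SCTP and X509 options will fail in the same way. `make makesum` only sees the PATCHFILES that the currently selected options add, so run it with those options switched on (for example `make WITH="KERB_GSSAPI X509 SCTP" makesum`, assuming those are the option names) and commit the complete distinfo.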



Poudrière fails to build the port citing:

===
=> gssapi.patch is not in /usr/ports/security/openssh-portable/distinfo.
=> Either /usr/ports/security/openssh-portable/distinfo is out of date, or
=> gssapi.patch is spelled incorrectly.
*** Error code 1

Stop.
make: stopped in /usr/ports/security/openssh-portable

Surely this is something I'm not doing right. Just need help understanding.
Do you have feedback?


-- 
Take care
Rick Miller
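The `gssapi.patch is not in .../distinfo` failure above and the 2019 question earlier on this page about `make makesum` not recording an option-conditional patch file come down to the same thing: distinfo only lists the files that the currently selected options add to DISTFILES and PATCHFILES, and the fetch phase refuses any file without both a SHA256 and a SIZE entry. The following is an added example, not code from the thread or from the ports framework: a stand-alone re-implementation of that fetch-time check in Python, so a distinfo can be confirmed complete for a given option set before the tree is handed to poudriere. Everything it runs against (file names, contents, hashes) is constructed inside `demo()`; on a real tree you would feed it the port's distinfo, DISTDIR (by default /usr/ports/distfiles) and the names printed by `make -V DISTFILES -V PATCHFILES` with the options of interest enabled.

```python
import hashlib
import os
import re
import tempfile

# One distinfo line: "SHA256 (file) = hex" or "SIZE (file) = bytes".
_ENTRY = re.compile(r'^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$')


def parse_distinfo(text):
    """Return {filename: {'SHA256': hex, 'SIZE': int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('TIMESTAMP'):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError('malformed distinfo line: %r' % line)
        kind, name, value = m.group(1), m.group('name'), m.group('value')
        rec = entries.setdefault(name, {})
        rec[kind] = int(value) if kind == 'SIZE' else value.lower()
    return entries


def distfile_name(spec):
    """Strip the ':group' / ':-pN:group' suffixes of a DISTFILES or PATCHFILES entry."""
    return spec.split(':', 1)[0]


def check_distfiles(distinfo_text, distdir, wanted):
    """Return [(filename, problem)] for each entry in `wanted` that fetch would reject.

    `wanted` holds DISTFILES/PATCHFILES entries as written in the Makefile.
    The checks mirror the fetch/checksum phase: a file needs both a SHA256
    and a SIZE line, and the cached copy in DISTDIR must match both.
    """
    entries = parse_distinfo(distinfo_text)
    problems = []
    for spec in wanted:
        name = distfile_name(spec)
        rec = entries.get(name, {})
        if 'SHA256' not in rec or 'SIZE' not in rec:
            problems.append((name, 'not in distinfo'))
            continue
        path = os.path.join(distdir, name)
        if not os.path.isfile(path):
            problems.append((name, 'not fetched'))
            continue
        with open(path, 'rb') as fh:
            data = fh.read()
        if len(data) != rec['SIZE']:
            problems.append((name, 'size mismatch'))
        elif hashlib.sha256(data).hexdigest() != rec['SHA256']:
            problems.append((name, 'checksum mismatch'))
    return problems


def demo():
    """Reproduce the thread's failure with constructed stand-in files.

    Returns (problems with KERB_GSSAPI off, problems with a stale entry).
    """
    with tempfile.TemporaryDirectory() as distdir:
        tarball = b'constructed stand-in for openssh-8.0p1.tar.gz\n'
        patch = b'--- a/gss-genr.c\n+++ b/gss-genr.c\n(constructed stand-in)\n'
        for name, data in (('openssh-8.0p1.tar.gz', tarball),
                           ('gssapi.patch', patch)):
            with open(os.path.join(distdir, name), 'wb') as fh:
                fh.write(data)
        # What `make makesum` writes when KERB_GSSAPI is off: the PATCHFILES
        # entry guarded by that option never enters distinfo.
        without_gss = (
            'TIMESTAMP = 1563500000\n'
            'SHA256 (openssh-8.0p1.tar.gz) = %s\n'
            'SIZE (openssh-8.0p1.tar.gz) = %d\n'
        ) % (hashlib.sha256(tarball).hexdigest(), len(tarball))
        # distinfo generated with the option on, but from a different file
        # published earlier under the same unversioned name.
        stale_gss = without_gss + (
            'SHA256 (gssapi.patch) = %s\n'
            'SIZE (gssapi.patch) = %d\n'
        ) % ('00' * 32, len(patch))
        wanted = ['openssh-8.0p1.tar.gz', 'gssapi.patch:-p1:gsskex']
        return (check_distfiles(without_gss, distdir, wanted),
                check_distfiles(stale_gss, distdir, wanted))


if __name__ == '__main__':
    for label, problems in zip(('option off', 'stale entry'), demo()):
        print(label, problems or 'ok')
```

The second case in `demo()` is why an unversioned name such as `gssapi.patch` is a liability: a checksum mismatch is caught, but only after the stale copy has been fetched and cached, and the error says nothing about which revision of the patch the port wanted.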


Re: [ports/security/openssh-portable] Fix SCTP patch

2017-01-14 Thread Eduardo Morras via freebsd-ports
On Fri, 13 Jan 2017 13:43:50 -0800
 wrote:

> 
> My point is that it might be a good idea to commit SCTP support
> into base system's openssh. Then we(I) won't need the port at all.
> The protocol first appeared in FreeBSD, yet there is not a single
> program that uses it. This can change.

I use it in 2 apps and was postponing the next versions because SCTP was
dropped by openssh and libressl.

Nice to see more people are using it and port list cares about it.

Thanks!

---   ---
Eduardo Morras 


Re: [ports/security/openssh-portable] Fix SCTP patch

2017-01-13 Thread soralx

> >  Could someone update the SCTP patch for
> > ports/security/openssh-portable? Fixed version attached (very basic
> > changes: account for "oIdentityAgent" config option and "-J" flag
> > that appeared in openssh-7.3).  
> The proper place to send this patch is to the upstream bug tracker where
> the patch originated from:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1604

OK, noted for future. But it seems like their bug tracker requires
registration, too. I suppose I could email the author directly...

> I will review and commit it though.

Thanks.

> >  I use SCTP all the time (makes a _huge_ difference on fast but crappy
> >  connections with packet loss), so having the port fixed would be much
> >  appreciated.
> Letting upstream know how useful it is would be great.

My point is that it might be a good idea to commit SCTP support
into base system's openssh. Then we(I) won't need the port at all.
The protocol first appeared in FreeBSD, yet there is not a single
program that uses it. This can change.

> >  BTW, I wonder why noone bothered to add SCTP to base system's
> > OpenSSH? Right now there is not a single program that uses SCTP in
> > FreeBSD, while the protocol itself is quite nice and useful.

-- 
[SorAlx]  ridin' VN2000 Classic LT


Re: [ports/security/openssh-portable] Fix SCTP patch

2017-01-13 Thread Bryan Drewery
On 1/13/17 1:31 PM, Bryan Drewery wrote:
> On 12/27/16 9:39 PM, sor...@cydem.org wrote:
>>
>> Howdy!
>>
>>  Could someone update the SCTP patch for ports/security/openssh-portable?
>>  Fixed version attached (very basic changes: account for "oIdentityAgent"
>>  config option and "-J" flag that appeared in openssh-7.3).
> 
> The proper place to send this patch is to the upstream bug tracker where
> the patch originated from: https://bugzilla.mindrot.org/show_bug.cgi?id=1604
> 
> I will review and commit it though.
> 

Thanks too.

I am about to update the port to 7.4 and there are other conflicts now
as well (before your 2 fixes):

1 out of 5 hunks failed--saving rejects to readconf.c.rej
2 out of 9 hunks failed--saving rejects to servconf.c.rej
1 out of 2 hunks failed--saving rejects to servconf.h.rej
1 out of 3 hunks failed--saving rejects to ssh.c.rej
1 out of 1 hunks failed--saving rejects to ssh_config.5.rej
1 out of 4 hunks failed--saving rejects to sshd.c.rej
1 out of 1 hunks failed--saving rejects to sshd_config.5.rej


>>
>>  I use SCTP all the time (makes a _huge_ difference on fast but crappy
>>  connections with packet loss), so having the port fixed would be much
>>  appreciated.
>>
> 
> Letting upstream know how useful it is would be great.
> 
>>  BTW, I wonder why no one bothered to add SCTP to base system's OpenSSH?
>>  Right now there is not a single program that uses SCTP in FreeBSD, while
>>  the protocol itself is quite nice and useful.
>>
>> SHA256 (openssh-7.3_p1-sctp.patch.gz) = 
>> 0bfa4769db0982e81ac808e7bfb6904a86a10a251735f8b81f4e6a1430cd9b20
>> SIZE (openssh-7.3_p1-sctp.patch.gz) = 8507
>>
> 
> 


-- 
Regards,
Bryan Drewery





Re: [ports/security/openssh-portable] Fix SCTP patch

2017-01-13 Thread Bryan Drewery
On 12/27/16 9:39 PM, sor...@cydem.org wrote:
> 
> Howdy!
> 
>  Could someone update the SCTP patch for ports/security/openssh-portable?
>  Fixed version attached (very basic changes: account for "oIdentityAgent"
>  config option and "-J" flag that appeared in openssh-7.3).

The proper place to send this patch is to the upstream bug tracker where
the patch originated from: https://bugzilla.mindrot.org/show_bug.cgi?id=1604

I will review and commit it though.

> 
>  I use SCTP all the time (makes a _huge_ difference on fast but crappy
>  connections with packet loss), so having the port fixed would be much
>  appreciated.
> 

Letting upstream know how useful it is would be great.

>  BTW, I wonder why no one bothered to add SCTP to base system's OpenSSH?
>  Right now there is not a single program that uses SCTP in FreeBSD, while
>  the protocol itself is quite nice and useful.
> 
> SHA256 (openssh-7.3_p1-sctp.patch.gz) = 
> 0bfa4769db0982e81ac808e7bfb6904a86a10a251735f8b81f4e6a1430cd9b20
> SIZE (openssh-7.3_p1-sctp.patch.gz) = 8507
> 


-- 
Regards,
Bryan Drewery





Re: [ports/security/openssh-portable] Fix SCTP patch

2016-12-28 Thread soralx

> Hi!
> 
> >  Could someone update the SCTP patch for
> > ports/security/openssh-portable?  
> 
> Now a major motion picture at
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215632

Great! I will be cheering for all the main characters.

-- 
[SorAlx]  ridin' VN2000 Classic LT


Re: [ports/security/openssh-portable] Fix SCTP patch

2016-12-28 Thread Kurt Jaeger
Hi!

>  Could someone update the SCTP patch for ports/security/openssh-portable?

Now a major motion picture at

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215632

-- 
p...@opsec.eu+49 171 3101372 4 years to go !


[ports/security/openssh-portable] Fix SCTP patch

2016-12-27 Thread soralx

Howdy!

 Could someone update the SCTP patch for ports/security/openssh-portable?
 Fixed version attached (very basic changes: account for "oIdentityAgent"
 config option and "-J" flag that appeared in openssh-7.3).

 I use SCTP all the time (makes a _huge_ difference on fast but crappy
 connections with packet loss), so having the port fixed would be much
 appreciated.

 BTW, I wonder why no one bothered to add SCTP to base system's OpenSSH?
 Right now there is not a single program that uses SCTP in FreeBSD, while
 the protocol itself is quite nice and useful.

SHA256 (openssh-7.3_p1-sctp.patch.gz) = 
0bfa4769db0982e81ac808e7bfb6904a86a10a251735f8b81f4e6a1430cd9b20
SIZE (openssh-7.3_p1-sctp.patch.gz) = 8507

-- 
[SorAlx]  ridin' VN2000 Classic LT


Re: [CFT] security/openssh-portable 6.5

2014-02-04 Thread Bryan Drewery
On 2/2/2014 8:57 PM, Bryan Drewery wrote:
> The pending update to 6.5 is on my github:
> https://github.com/bdrewery/openssh/
>
> I will commit in the next few days. Please test and comment back in private.
>
> The KERB_GSSAPI is beyond hope. It lacks an upstream and I have no way
> to test. It needs refactoring as the key handling/API has changed a bit
> for 6.5. It's marked BROKEN for now and I suggest not updating if you
> depend on that.
>

This has been committed.

-- 
Regards,
Bryan Drewery





Re: [CFT] security/openssh-portable 6.5

2014-02-04 Thread Bryan Drewery
On 2/4/2014 7:41 PM, Bryan Drewery wrote:
> On 2/2/2014 8:57 PM, Bryan Drewery wrote:
>> The pending update to 6.5 is on my github:
>> https://github.com/bdrewery/openssh/
>>
>> I will commit in the next few days. Please test and comment back in private.
>>
>> The KERB_GSSAPI is beyond hope. It lacks an upstream and I have no way
>> to test. It needs refactoring as the key handling/API has changed a bit
>> for 6.5. It's marked BROKEN for now and I suggest not updating if you
>> depend on that.
>>
>
> This has been committed.
>

Dumb error in RC script:

 # service openssh restart
 [: missing ]
 eval: -f: not found

Fix committed.

-- 
Regards,
Bryan Drewery





[CFT] security/openssh-portable 6.5

2014-02-02 Thread Bryan Drewery
The pending update to 6.5 is on my github:
https://github.com/bdrewery/openssh/

I will commit in the next few days. Please test and comment back in private.

The KERB_GSSAPI is beyond hope. It lacks an upstream and I have no way
to test. It needs refactoring as the key handling/API has changed a bit
for 6.5. It's marked BROKEN for now and I suggest not updating if you
depend on that.

-- 
Regards,
Bryan Drewery





Re: port security/openssh-portable compile error.

2013-09-03 Thread Bryan Drewery
On 9/2/2013 3:14 AM, Frederico Costa wrote:
> Hi all...
>
> Not sure if this is the correct way of asking for a bit of help, but i
> have been trying to upgrade the ports in one of my servers, and when i
> am trying to upgrade the port security/openssh-portable to the following
> version:
>
> openssh-portable-6.2.p2_3,1
>
> It will fail to compile, with the standard options set for the config
> with the following:
>
> ...
>
> cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
> audit.o audit-bsm.o audit-linux.o platform.o  sshpty.o sshlogin.o
> servconf.o serverloop.o  auth.o auth1.o auth2.o auth-options.o session.o
> auth-chall.o auth2-chall.o groupaccess.o  auth-skey.o auth-bsdauth.o
> auth2-hostbased.o auth2-kbdint.o  auth2-none.o auth2-passwd.o
> auth2-pubkey.o auth2-jpake.o  monitor_mm.o monitor.o monitor_wrap.o
> kexdhs.o kexgexs.o kexecdhs.o  auth-krb5.o  auth2-gss.o gss-serv.o
> gss-serv-krb5.o  loginrec.o auth-pam.o auth-shadow.o auth-sia.o
> md5crypt.o  sftp-server.o sftp-common.o  roaming_common.o roaming_serv.o
> sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
> sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -L/usr/local/lib
> -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat
> -lwrap -lpam -lcrypto -lz  -lutil -lcrypt
> cc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/
> -L/usr/local/lib  -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh
> -lopenbsd-compat -lcrypto -lz  -lutil -lcrypt
> loginrec.o: In function `syslogin_write_entry':
> loginrec.c:(.text+0x2f1): undefined reference to `login'
> loginrec.c:(.text+0x31b): undefined reference to `logout'
> loginrec.c:(.text+0x34e): undefined reference to `logwtmp'
> *** [sshd] Error code 1

I have committed a fix to the ports tree for this.

It was due to a recent Templates/config.site update having some utmp
references.


-- 
Regards,
Bryan Drewery





Re: port security/openssh-portable compile error.

2013-09-03 Thread Frederico Costa

Hi there...

Thanks, just checked your change and applied it to my ports tree, and now
it compiles without a problem.


Thanks once again...

Fred

On 2013-09-03 12:39, Bryan Drewery wrote:
> On 9/2/2013 3:14 AM, Frederico Costa wrote:
>> Hi all...
>>
>> Not sure if this is the correct way of asking for a bit of help, but i
>> have been trying to upgrade the ports in one of my servers, and when i
>> am trying to upgrade the port security/openssh-portable to the following
>> version:
>>
>> openssh-portable-6.2.p2_3,1
>>
>> It will fail to compile, with the standard options set for the config
>> with the following:
>>
>> ...
>>
>> cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
>> audit.o audit-bsm.o audit-linux.o platform.o  sshpty.o sshlogin.o
>> servconf.o serverloop.o  auth.o auth1.o auth2.o auth-options.o session.o
>> auth-chall.o auth2-chall.o groupaccess.o  auth-skey.o auth-bsdauth.o
>> auth2-hostbased.o auth2-kbdint.o  auth2-none.o auth2-passwd.o
>> auth2-pubkey.o auth2-jpake.o  monitor_mm.o monitor.o monitor_wrap.o
>> kexdhs.o kexgexs.o kexecdhs.o  auth-krb5.o  auth2-gss.o gss-serv.o
>> gss-serv-krb5.o  loginrec.o auth-pam.o auth-shadow.o auth-sia.o
>> md5crypt.o  sftp-server.o sftp-common.o  roaming_common.o roaming_serv.o
>> sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
>> sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -L/usr/local/lib
>> -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat
>> -lwrap -lpam -lcrypto -lz  -lutil -lcrypt
>> cc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/
>> -L/usr/local/lib  -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh
>> -lopenbsd-compat -lcrypto -lz  -lutil -lcrypt
>> loginrec.o: In function `syslogin_write_entry':
>> loginrec.c:(.text+0x2f1): undefined reference to `login'
>> loginrec.c:(.text+0x31b): undefined reference to `logout'
>> loginrec.c:(.text+0x34e): undefined reference to `logwtmp'
>> *** [sshd] Error code 1
>
> I have committed a fix to the ports tree for this.
>
> It was due to a recent Templates/config.site update having some utmp
> references.



port security/openssh-portable compile error.

2013-09-02 Thread Frederico Costa

Hi all...

Not sure if this is the correct way of asking for a bit of help, but i 
have been trying to upgrade the ports in one of my servers, and when i 
am trying to upgrade the port security/openssh-portable to the following 
version:


openssh-portable-6.2.p2_3,1

It will fail to compile, with the standard options set for the config 
with the following:


...

cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o  
audit.o audit-bsm.o audit-linux.o platform.o  sshpty.o sshlogin.o 
servconf.o serverloop.o  auth.o auth1.o auth2.o auth-options.o session.o 
auth-chall.o auth2-chall.o groupaccess.o  auth-skey.o auth-bsdauth.o 
auth2-hostbased.o auth2-kbdint.o  auth2-none.o auth2-passwd.o 
auth2-pubkey.o auth2-jpake.o  monitor_mm.o monitor.o monitor_wrap.o 
kexdhs.o kexgexs.o kexecdhs.o  auth-krb5.o  auth2-gss.o gss-serv.o 
gss-serv-krb5.o  loginrec.o auth-pam.o auth-shadow.o auth-sia.o 
md5crypt.o  sftp-server.o sftp-common.o  roaming_common.o roaming_serv.o 
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o  
sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -L/usr/local/lib  
-Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat 
-lwrap -lpam -lcrypto -lz  -lutil -lcrypt
cc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/ 
-L/usr/local/lib  -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh 
-lopenbsd-compat -lcrypto -lz  -lutil -lcrypt

loginrec.o: In function `syslogin_write_entry':
loginrec.c:(.text+0x2f1): undefined reference to `login'
loginrec.c:(.text+0x31b): undefined reference to `logout'
loginrec.c:(.text+0x34e): undefined reference to `logwtmp'
*** [sshd] Error code 1
1 error
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** [do-build] Error code 1

--

In terms of config options for the port i have set:

LIBEDIT
OVERWRITE_BASE
PAM
TCP_WRAPPERS

And i am using FreeBSD 9.1-RELEASE-p6.

I checked by downloading a source code from openssh, with no freebsd 
patches, and the it compiles without any problem.


Is someone able to help me in debugging this compilation error?
Of course if you need more information about this error, please let me 
know and i should be able to get it.


Thanks in advance

Fred



security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA

2012-06-24 Thread J. Hellenthal

As stated in the subject

if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
        echo You already have a Elliptic Curve DSA host key \
                in /usr/local/etc/ssh/ssh_host_ecdsa_key
        echo Skipping protocol version 2 Elliptic Curve DSA Key Generation
else
        /usr/local/bin/ssh-keygen -t dsa \
                -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
fi


Specifically /usr/local/bin/ssh-keygen -t dsa needs to be changed to
-t ecdsa to be correct. Otherwise we are just reimplementing a DSA key
in a different file.

-- 

 - (2^(N-1))


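What makes this bug easy to miss is that nothing downstream complains: sshd loads whatever key the file contains, so a host that thinks it offers ECDSA quietly offers a DSA key under an ECDSA file name. The following is an added example, not code from the thread or from the port's rc script: a small Python check that takes the public half of a host key (the `.pub` line, or any `type base64 [comment]` line), parses the key-type string that opens the RFC 4253 key blob, and compares it with the type the file name claims. The key material in `demo()` is constructed: each blob carries a genuine type string followed by placeholder fields, which is all this check inspects. On a live host, `ssh-keygen -l -f /usr/local/etc/ssh/ssh_host_ecdsa_key.pub` prints the same type information in parentheses after the fingerprint.

```python
import base64
import struct

# File-name stem -> prefixes of the key-type string OpenSSH uses for it.
EXPECTED_TYPES = {
    'ssh_host_dsa_key': ('ssh-dss',),
    'ssh_host_rsa_key': ('ssh-rsa',),
    'ssh_host_ecdsa_key': ('ecdsa-sha2-',),
    'ssh_host_ed25519_key': ('ssh-ed25519',),
}


def ssh_string(data):
    """Encode bytes as an RFC 4253 string: uint32 big-endian length + bytes."""
    return struct.pack('>I', len(data)) + data


def blob_key_type(blob):
    """Return the key-type string that opens a public-key blob."""
    if len(blob) < 4:
        raise ValueError('blob too short')
    (n,) = struct.unpack('>I', blob[:4])
    if n > len(blob) - 4:
        raise ValueError('truncated key-type string')
    return blob[4:4 + n].decode('ascii')


def pubkey_line_type(line):
    """Key type of a '.pub' line ('type base64 [comment]'), cross-checked
    against the type string inside the blob so a hand-edited first field
    cannot hide a mismatch."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError('not a public key line')
    declared = fields[0]
    actual = blob_key_type(base64.b64decode(fields[1]))
    if declared != actual:
        raise ValueError('type field %r disagrees with blob %r' % (declared, actual))
    return actual


def check_host_key(filename, pub_line):
    """Return None when the key matches its file name, else a diagnostic."""
    stem = filename.rsplit('/', 1)[-1]
    if stem.endswith('.pub'):
        stem = stem[:-4]
    expected = EXPECTED_TYPES.get(stem)
    if expected is None:
        return 'unknown host key file name %r' % stem
    actual = pubkey_line_type(pub_line)
    if not actual.startswith(expected):
        return '%s holds a %s key, expected one of %s' % (stem, actual, ', '.join(expected))
    return None


def constructed_pub_line(key_type, *fields):
    """Build a syntactically valid .pub line from a type string and placeholder
    fields (constructed data, not real key material)."""
    blob = ssh_string(key_type.encode('ascii'))
    blob += b''.join(ssh_string(f) for f in fields)
    return '%s %s constructed@example' % (key_type, base64.b64encode(blob).decode('ascii'))


def demo():
    """Reproduce the rc.d bug: a DSA key written under the ECDSA file name."""
    dsa = constructed_pub_line('ssh-dss', b'\x00p', b'\x00q', b'\x00g', b'\x00y')
    ecdsa = constructed_pub_line('ecdsa-sha2-nistp256', b'nistp256', b'\x04QQ')
    path = '/usr/local/etc/ssh/ssh_host_ecdsa_key.pub'
    return check_host_key(path, dsa), check_host_key(path, ecdsa)


if __name__ == '__main__':
    for result in demo():
        print(result or 'key type matches file name')
```

Running the same check over every `ssh_host_*_key.pub` in /usr/local/etc/ssh after an rc script change is a cheap way to catch this class of mistake before clients pin the wrong host key.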


Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA

2012-06-24 Thread Robert Simmons
On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal jhellent...@dataix.net wrote:

> As stated in the subject
>
> if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
>         echo You already have a Elliptic Curve DSA host key \
>                 in /usr/local/etc/ssh/ssh_host_ecdsa_key
>         echo Skipping protocol version 2 Elliptic Curve DSA Key Generation
> else
>         /usr/local/bin/ssh-keygen -t dsa \
>                 -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> fi
>
>
> Specifically /usr/local/bin/ssh-keygen -t dsa needs to be changed to
> -t ecdsa to be correct. Otherwise we are just reimplementing a DSA key
> in a different file.

Good eye.  I'm in the process of updating that port to 6.0p1.  There
are quite a lot of local patches that are part of the port.  At the
moment I'm muddling through what they do and whether they can be
removed or not.  I didn't even notice this problem.

I've attached a pair of patches that correct this problem.  Open a PR
about this, and you can attach these patches to it.  I'm not the
maintainer nor do I have commit privileges, but if you open a PR, I'm
sure someone will make the change.


Attachments: Makefile.diff, openssh.in.diff

Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA

2012-06-24 Thread Sunpoet Po-Chuan Hsieh
On Mon, Jun 25, 2012 at 1:17 AM, J. Hellenthal jhellent...@dataix.net wrote:

> As stated in the subject
>
> if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
>         echo You already have a Elliptic Curve DSA host key \
>                 in /usr/local/etc/ssh/ssh_host_ecdsa_key
>         echo Skipping protocol version 2 Elliptic Curve DSA Key Generation
> else
>         /usr/local/bin/ssh-keygen -t dsa \
>                 -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> fi
>
>
> Specifically /usr/local/bin/ssh-keygen -t dsa needs to be changed to
> -t ecdsa to be correct. Otherwise we are just reimplementing a DSA key
> in a different file.
>
> --
>
>  - (2^(N-1))

Committed. Thanks!
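An added check, not code from the thread or from the port, that would have caught what the rc.d snippet above produced: it derives the algorithm each host key file should hold from the ssh_host_<type>_key naming convention and compares it with the type ssh-keygen -l reports for the file. The function names and the default key directory (the port's /usr/local/etc/ssh) are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or the port: check that each host key
# file holds the algorithm its name promises. The rc.d bug discussed above
# wrote a DSA key into ssh_host_ecdsa_key, which this catches. Function names
# and the default directory (the port's /usr/local/etc/ssh) are assumptions.

# Expected algorithm for a host key file, from the ssh_host_<type>_key naming
# convention, in the upper-case spelling ssh-keygen -l prints. Fails for
# names outside the convention.
expected_type_for_name() {
    case "$(basename "$1")" in
        ssh_host_dsa_key)     echo DSA ;;
        ssh_host_rsa_key)     echo RSA ;;
        ssh_host_ecdsa_key)   echo ECDSA ;;
        ssh_host_ed25519_key) echo ED25519 ;;
        *) return 1 ;;
    esac
}

# Algorithm reported on one `ssh-keygen -l -f <file>` line, which ends in a
# parenthesised type, e.g. "256 SHA256:... root@host (ECDSA)". Fails when no
# such suffix is present (unreadable key or unexpected output).
type_from_fingerprint_line() {
    t=$(printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]*\))[[:space:]]*$/\1/p')
    [ -n "$t" ] || return 1
    printf '%s\n' "$t"
}

# 0 when the key matches its file name, 1 on a mismatch, 2 when either side
# cannot be determined (so a caller never mistakes "unknown" for "ok").
check_host_key_line() {
    want=$(expected_type_for_name "$1") || return 2
    have=$(type_from_fingerprint_line "$2") || return 2
    [ "$want" = "$have" ]
}

# Run the check over every host key in a directory using ssh-keygen(1);
# prints one line per key and returns non-zero if any key is wrong.
audit_host_keys() {
    dir=${1:-/usr/local/etc/ssh}
    rc=0
    for f in "$dir"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        if ! line=$(ssh-keygen -l -f "$f" 2>/dev/null); then
            echo "UNREADABLE $f"; rc=1; continue
        fi
        status=0
        check_host_key_line "$f" "$line" || status=$?
        case $status in
            0) echo "OK       $f ($(type_from_fingerprint_line "$line"))" ;;
            1) echo "MISMATCH $f: named for $(expected_type_for_name "$f") but holds $(type_from_fingerprint_line "$line")"
               rc=1 ;;
            *) echo "SKIPPED  $f (could not determine type)" ;;
        esac
    done
    return $rc
}

# Usage: sh hostkey-check.sh --audit [keydir]
if [ "${1:-}" = "--audit" ]; then
    audit_host_keys "${2:-/usr/local/etc/ssh}"
fi
```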


Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA

2012-06-24 Thread J. Hellenthal


On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
 On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal jhellent...@dataix.net wrote:
 
  As stated in the subject
 
  if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
         echo You already have a Elliptic Curve DSA host key \
                 in /usr/local/etc/ssh/ssh_host_ecdsa_key
         echo Skipping protocol version 2 Elliptic Curve DSA Key Generation
  else
         /usr/local/bin/ssh-keygen -t dsa \
                 -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
  fi
 
 
  Specifically /usr/local/bin/ssh-keygen -t dsa needs to be changed to
  -t ecdsa to be correct. Otherwise we are just reimplementing a DSA key
  in a different file.
 
 Good eye.  I'm in the process of updating that port to 6.0p1.  There
 are quite a lot of local patches that are part of the port.  At the
 moment I'm muddling through what they do and whether they can be
 removed or not.  I didn't even notice this problem.
 
 I've attached a pair of patches that correct this problem.  Open a PR
 about this, and you can attach these patches to it.  I'm not the
 maintainer nor do I have commit privileges, but if you open a PR, I'm
 sure someone will make the change.


Yeah I have been there too. The current port 5.8 I updated to 5.9. Some
of the patches do not work but the diff I have is attached for the
functions I use out of it.

Also attached is my config for that port. But when I made it I did not
have GSSAPI turned on. That does work but just have not adjusted it.



-- 

 - (2^(N-1))
===> The following configuration options are available for openssh-portable-5.9.p1_2,1:
 BSM=on: Enable OpenBSM Auditing
 FILECONTROL=off: Enable file control patch (broken)
 HPN=on: Enable HPN-SSH patch
 KERBEROS=off: Enable kerberos (autodetection)
 KERB_GSSAPI=off: Enable Kerberos/GSSAPI patch (req: GSSAPI)
 LIBEDIT=on: Enable readline support to sftp(1)
 LPK=off: Enable LDAP Public Key (LPK) patch
 OPENSSH_CHROOT=on: Enable CHROOT support
 OVERWRITE_BASE=off: OpenSSH overwrite base
 PAM=on: Enable pam(3) support
 TCP_WRAPPERS=on: Enable tcp_wrappers support
 X509=off: Enable x509 certificate patch
===> Use 'make config' to modify these settings
diff -urN security/openssh-portable-5.8p2/Makefile security/openssh-portable/Makefile
--- security/openssh-portable-5.8p2/Makefile	2012-05-01 05:56:31.0 -0400
+++ security/openssh-portable/Makefile	2012-05-30 20:01:26.493449509 -0400
@@ -6,9 +6,9 @@
 #
 
 PORTNAME=	openssh
-DISTVERSION=	5.8p2
-PORTREVISION=	2
-PORTEPOCH=	1
+DISTVERSION=	5.9p1
+PORTREVISION=   2
+PORTEPOCH=  1
 CATEGORIES=	security ipv6
 MASTER_SITES=	${MASTER_SITE_OPENBSD}
 MASTER_SITE_SUBDIR=	OpenSSH/portable
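Review bot: DISTVERSION moves to 5.9p1 but PORTREVISION stays at 2; ports convention is to reset PORTREVISION to 0 when DISTVERSION changes, since the new version already makes the package newer (the config header above shows the result as openssh-portable-5.9.p1_2,1). The `+PORTREVISION=` and `+PORTEPOCH=` lines also replace the tab after `=` with spaces, a whitespace-only change that should be dropped so the hunk carries only the intended edit.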
@@ -42,7 +42,6 @@
 OPTIONS=	PAM		Enable pam(3) supporton \
 		TCP_WRAPPERS	Enable tcp_wrappers support			on \
 		LIBEDIT		Enable readline support to sftp(1)		on \
-		SUID_SSH	Enable suid SSH (Recommended off)		off \
 		BSM		Enable OpenBSM Auditing			off \
 		KERBEROS	Enable kerberos (autodetection)		off \
 		KERB_GSSAPI	Enable Kerberos/GSSAPI patch (req: GSSAPI)	off \
@@ -87,10 +86,6 @@
 CONFIGURE_ARGS+=	--with-libedit
 .endif
 
-.if !defined(WITH_SUID_SSH)
-CONFIGURE_ARGS+=	--disable-suid-ssh
-.endif
-
 .if defined(WITH_BSM)
 CONFIGURE_ARGS+=	--with-audit=bsm
 .endif
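Review bot: together with the previous hunk this drops the SUID_SSH knob and the `--disable-suid-ssh` that was passed whenever the knob was off, with no explanation in the message. If upstream 5.9p1 no longer accepts that configure flag, say so in the commit message and state what mode ssh(1) now installs with; if it still accepts it, keep `CONFIGURE_ARGS+= --disable-suid-ssh` unconditionally, because whether ssh is installed setuid should not be left to a silent configure default. Anyone with WITH_SUID_SSH in make.conf or a saved options file will now have it ignored without notice, which deserves an UPDATING entry.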
@@ -119,7 +114,7 @@
 
 .if defined(WITH_HPN)
 PATCH_SITES+=		http://www.psc.edu/networking/projects/hpn-ssh/
-PATCHFILES+=		${PORTNAME}-5.8p1-hpn13v11.diff.gz
+PATCHFILES+=		${PORTNAME}-5.9p1-hpn13v12.diff.gz
 PATCH_DIST_STRIP=
 .endif
 
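Review bot: only the HPN patchfile is moved to a 5.9p1 version. The X509 and KERB_GSSAPI options are still offered in OPTIONS above, and the distinfo hunk below shows they pull version-specific patches of their own (openssh-5.8p1+x509-7.0.diff.gz), none of which is updated here, so enabling either option would fetch or apply a patch made for 5.8. Either update those PATCHFILES as well or mark the options BROKEN until matching patches exist.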
@@ -194,11 +189,9 @@
 		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
 	@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
 		-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
-	@${ECHO_CMD} '#define FREEBSD_PORT_VERSION	 FreeBSD-${PKGNAME}'  \
-		${WRKSRC}/version.h
-	@${ECHO_CMD} '#define SSH_VERSION	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION'  \
+	@${ECHO_CMD} '#define SSH_VERSION	TMP_SSH_VERSION SSH_PORTABLE'  \
 		${WRKSRC}/version.h
-	@${ECHO_CMD} '#define SSH_RELEASE	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION'  \
+	@${ECHO_CMD} '#define SSH_RELEASE	TMP_SSH_VERSION SSH_PORTABLE'  \
 		${WRKSRC}/version.h
 .if defined(WITH_HPN)
 	@${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \
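Review bot: removing FREEBSD_PORT_VERSION changes the banner the server advertises: SSH_VERSION and SSH_RELEASE no longer carry the `FreeBSD-${PKGNAME}` suffix that lets an inventory or vulnerability scanner tell a ports build apart from the base-system sshd. If dropping it is deliberate (for example to stop advertising the exact package revision), state that in the commit message; if it is collateral from the 5.9 rebase, keep the three `${ECHO_CMD}` lines. As rendered here the `${ECHO_CMD} ... \` lines also show no `>>` before `${WRKSRC}/version.h`; check the real file, because without the redirect the defines go to stdout instead of being appended.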
diff -urN security/openssh-portable-5.8p2/distinfo security/openssh-portable/distinfo
--- security/openssh-portable-5.8p2/distinfo	2011-10-21 12:18:56.0 -0400
+++ security/openssh-portable/distinfo	2012-05-30 19:07:47.129970365 -0400
@@ -1,8 +1,4 @@
-SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314
-SIZE (openssh-5.8p2.tar.gz) = 1115475
-SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7
-SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993
-SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b
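Review bot: the hunk header `@@ -1,8 +1,4 @@` says eight entries become four, i.e. only a tarball and one patch keep a SHA256/SIZE pair, while the Makefile still offers X509 and KERB_GSSAPI, whose patchfiles would then have no checksum and fail `make checksum`. The `+` lines are cut off in this copy of the attachment, so the new entries cannot be reviewed at all; resend the diff with the added lines intact.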

Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA

2012-06-24 Thread J. Hellenthal


On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
 On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal jhellent...@dataix.net wrote:
 
  As stated in the subject
 
  if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
         echo You already have a Elliptic Curve DSA host key \
                 in /usr/local/etc/ssh/ssh_host_ecdsa_key
         echo Skipping protocol version 2 Elliptic Curve DSA Key Generation
  else
         /usr/local/bin/ssh-keygen -t dsa \
                 -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
  fi
 
 
  Specifically /usr/local/bin/ssh-keygen -t dsa needs to be changed to
  -t ecdsa to be correct. Otherwise we are just reimplementing a DSA key
  in a different file.
 
 Good eye.  I'm in the process of updating that port to 6.0p1.  There
 are quite a lot of local patches that are part of the port.  At the
 moment I'm muddling through what they do and whether they can be
 removed or not.  I didn't even notice this problem.
 
 I've attached a pair of patches that correct this problem.  Open a PR
 about this, and you can attach these patches to it.  I'm not the
 maintainer nor do I have commit privileges, but if you open a PR, I'm
 sure someone will make the change.

Should have also said the changes were already committed.



-- 

 - (2^(N-1))


Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA

2012-06-24 Thread Robert Simmons
On Sun, Jun 24, 2012 at 2:24 PM, J. Hellenthal jhellent...@dataix.net wrote:
 On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
 On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal jhellent...@dataix.net 
 wrote:
 
  As stated in the subject
 
  if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
         echo You already have a Elliptic Curve DSA host key \
                 in /usr/local/etc/ssh/ssh_host_ecdsa_key
         echo Skipping protocol version 2 Elliptic Curve DSA Key Generation
  else
         /usr/local/bin/ssh-keygen -t dsa \
                 -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
  fi
 
 
  Specifically /usr/local/bin/ssh-keygen -t dsa needs to be changed to
  -t ecdsa to be correct. Otherwise we are just reimplementing a DSA key
  in a different file.

 Good eye.  I'm in the process of updating that port to 6.0p1.  There
 are quite a lot of local patches that are part of the port.  At the
 moment I'm muddling through what they do and whether they can be
 removed or not.  I didn't even notice this problem.

 I've attached a pair of patches that correct this problem.  Open a PR
 about this, and you can attach these patches to it.  I'm not the
 maintainer nor do I have commit privileges, but if you open a PR, I'm
 sure someone will make the change.

 Should have also said the changes were already committed.

I also want to see what can be pushed upstream.  I understand that the
OpenBSD/OpenSSH people are touchy about outside patches, but I think
they should at least accept a patch to configure so that FreeBSD's
native openpty() is detected properly.


Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA

2012-06-24 Thread J. Hellenthal


On Sun, Jun 24, 2012 at 02:38:54PM -0400, Robert Simmons wrote:
 On Sun, Jun 24, 2012 at 2:24 PM, J. Hellenthal jhellent...@dataix.net wrote:
  On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
  On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal jhellent...@dataix.net 
  wrote:
  
   As stated in the subject
  
   if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
          echo You already have a Elliptic Curve DSA host key \
                  in /usr/local/etc/ssh/ssh_host_ecdsa_key
          echo Skipping protocol version 2 Elliptic Curve DSA Key 
   Generation
   else
          /usr/local/bin/ssh-keygen -t dsa \
                  -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
   fi
  
  
   Specifically /usr/local/bin/ssh-keygen -t dsa needs to be changed to
   -t ecdsa to be correct. Otherwise we are just reimplementing a DSA key
   in a different file.
 
  Good eye.  I'm in the process of updating that port to 6.0p1.  There
  are quite a lot of local patches that are part of the port.  At the
  moment I'm muddling through what they do and whether they can be
  removed or not.  I didn't even notice this problem.
 
  I've attached a pair of patches that correct this problem.  Open a PR
  about this, and you can attach these patches to it.  I'm not the
  maintainer nor do I have commit privileges, but if you open a PR, I'm
  sure someone will make the change.
 
  Should have also said the changes were already committed.
 
 I also want to see what can be pushed upstream.  I understand that the
 OpenBSD/OpenSSH people are touchy about outside patches, but I think
 they should at least accept a patch to configure so that FreeBSD's
 native openpty() is detected properly.

Agreed. The openssh-portable team would be the ones to contact.

-- 

 - (2^(N-1))


Re: security/openssh-portable HPN 404

2012-05-31 Thread Jason Hellenthal

Yeah, I was told about that earlier today. This version is closer to
5.8 so it's an easy patch to fix multiple vulns. Not really meant as an
end solution.

On Thu, May 31, 2012 at 05:51:19AM +, Michael Scheidell wrote:
 There is a pr already for 6.0 that needs submitter fixes. Search gnats for 
 prs owned by scheidell.
 
 --
 Michael Scheidell, CTO
 |SECNAP Network Security
 
 
 -Original message-
 From: Jason Hellenthal jhellent...@dataix.net
 To: Michael Scheidell scheid...@freebsd.org
 Cc: freebsd-ports@freebsd.org freebsd-ports@freebsd.org
 Sent: Thu, May 31, 2012 03:38:32 GMT+00:00
 Subject: Re: security/openssh-portable HPN 404
 
 
 You guys may want to try these out...
 
  This updates to openssh-portable-5.9p1_2,1
 
  See the attached config file for the options I tested with. If you want
  something else and it does not work feel free to email me directly and
  I will see what I can do.
 
  I don't have time to put this up publicly yet but will soon.
 
 On Wed, May 30, 2012 at 09:44:13PM -0400, Michael Scheidell wrote:
 
 
  On 5/30/12 9:25 PM, Bryan Drewery wrote:
   cd /usr/ports/security/openssh-portable
   fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
   patch < patch-openssh-hpn-mirror.txt
  
  actually, the & in the command line mucks things up.
 
  this should work:
  cd /usr/ports/security/openssh-portable
  fetch -o - 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1' | patch
 
  (-o is output file.. unless you want a strange file hanging around, -
  means stdout, | patch just pipes standard out to in and to patch.
 
  --
  Michael Scheidell, CTO
   *| * SECNAP Network Security Corporation
  d: +1.561.948.2259
  w: http://people.freebsd.org/~scheidell
 
 --
 
  - (2^(N-1))

-- 

 - (2^(N-1))


Re: security/openssh-portable HPN 404

2012-05-30 Thread Bryan Drewery
Hi,

On 5/30/2012 6:38 PM, Michael wrote:
 Hi, I found a problem on FreeBSD 9.0 RELEASE p2
 
 dev# cd /usr/ports/security/openssh-portable
 dev# make deinstall
 ===>  Deinstalling for security/openssh-portable
 ===>   openssh-portable not installed, skipping
 dev# make clean
 ===>  Cleaning for openssh-portable-5.8.p2_2,1
 dev# make
 ===>  License check disabled, port has not defined LICENSE
 ===>  Found saved configuration for openssh-portable-5.8.p2_2,1
 => openssh-5.8p1-hpn13v11.diff.gz doesn't seem to exist in /usr/ports/distfiles/.
 => Attempting to fetch http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.8p1-hpn13v11.diff.gz
 fetch: http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.8p1-hpn13v11.diff.gz: Not Found
 => Attempting to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/openssh-5.8p1-hpn13v11.diff.gz
 fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/openssh-5.8p1-hpn13v11.diff.gz: File unavailable (e.g., file not found, no access)
 => Couldn't fetch it - please try to retrieve this
 => port manually into /usr/ports/distfiles/ and try again.
 *** Error code 1
 
 Stop in /usr/ports/security/openssh-portable.
 *** Error code 1
 
 Stop in /usr/ports/security/openssh-portable.
 
 As we see it no longer can fetch sources.
 Can the port maintainer please fix this?
 

Best to email po...@freebsd.org, not freebsd-ports-bugs@.

There is a patch for this problem in ports/168306:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/168306

cd /usr/ports/security/openssh-portable
fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
patch < patch-openssh-hpn-mirror.txt

Currently there is no maintainer of security/openssh-portable, but there
are some patches to upgrade to 5.9/6.0 in the works.

Regards,
Bryan Drewery





Re: security/openssh-portable HPN 404

2012-05-30 Thread Michael Scheidell



On 5/30/12 9:25 PM, Bryan Drewery wrote:

cd /usr/ports/security/openssh-portable
fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
patch < patch-openssh-hpn-mirror.txt


actually, the & in the command line mucks things up.

this should work:
cd /usr/ports/security/openssh-portable
fetch -o - 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1' | patch


(-o is output file.. unless you want a strange file hanging around, - 
means stdout, | patch just pipes standard out to in and to patch.


--
Michael Scheidell, CTO
*| * SECNAP Network Security Corporation
d: +1.561.948.2259
w: http://people.freebsd.org/~scheidell


Re: security/openssh-portable HPN 404

2012-05-30 Thread Jason Hellenthal

You guys may want to try these out...

 This updates to openssh-portable-5.9p1_2,1

 See the attached config file for the options I tested with. If you want
 something else and it does not work feel free to email me directly and
 I will see what I can do.

 I don't have time to put this up publicly yet but will soon.

On Wed, May 30, 2012 at 09:44:13PM -0400, Michael Scheidell wrote:
 
 
 On 5/30/12 9:25 PM, Bryan Drewery wrote:
  cd /usr/ports/security/openssh-portable
  fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
  patch < patch-openssh-hpn-mirror.txt
 
 actually, the & in the command line mucks things up.
 
 this should work:
 cd /usr/ports/security/openssh-portable
 fetch -o - 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1' | patch
 
 (-o is output file.. unless you want a strange file hanging around, - 
 means stdout, | patch just pipes standard out to in and to patch.
 
 -- 
 Michael Scheidell, CTO
  *| * SECNAP Network Security Corporation
 d: +1.561.948.2259
 w: http://people.freebsd.org/~scheidell

-- 

 - (2^(N-1))
===> The following configuration options are available for openssh-portable-5.9.p1_2,1:
 BSM=on: Enable OpenBSM Auditing
 FILECONTROL=off: Enable file control patch (broken)
 HPN=on: Enable HPN-SSH patch
 KERBEROS=off: Enable kerberos (autodetection)
 KERB_GSSAPI=off: Enable Kerberos/GSSAPI patch (req: GSSAPI)
 LIBEDIT=on: Enable readline support to sftp(1)
 LPK=off: Enable LDAP Public Key (LPK) patch
 OPENSSH_CHROOT=on: Enable CHROOT support
 OVERWRITE_BASE=off: OpenSSH overwrite base
 PAM=on: Enable pam(3) support
 TCP_WRAPPERS=on: Enable tcp_wrappers support
 X509=off: Enable x509 certificate patch
===> Use 'make config' to modify these settings
diff -urN security/openssh-portable-5.8p2/Makefile security/openssh-portable/Makefile
--- security/openssh-portable-5.8p2/Makefile	2012-05-01 05:56:31.0 -0400
+++ security/openssh-portable/Makefile	2012-05-30 20:01:26.493449509 -0400
@@ -6,9 +6,9 @@
 #
 
 PORTNAME=	openssh
-DISTVERSION=	5.8p2
-PORTREVISION=	2
-PORTEPOCH=	1
+DISTVERSION=	5.9p1
+PORTREVISION=   2
+PORTEPOCH=  1
 CATEGORIES=	security ipv6
 MASTER_SITES=	${MASTER_SITE_OPENBSD}
 MASTER_SITE_SUBDIR=	OpenSSH/portable
@@ -42,7 +42,6 @@
 OPTIONS=	PAM		Enable pam(3) supporton \
 		TCP_WRAPPERS	Enable tcp_wrappers support			on \
 		LIBEDIT		Enable readline support to sftp(1)		on \
-		SUID_SSH	Enable suid SSH (Recommended off)		off \
 		BSM		Enable OpenBSM Auditing			off \
 		KERBEROS	Enable kerberos (autodetection)		off \
 		KERB_GSSAPI	Enable Kerberos/GSSAPI patch (req: GSSAPI)	off \
@@ -87,10 +86,6 @@
 CONFIGURE_ARGS+=	--with-libedit
 .endif
 
-.if !defined(WITH_SUID_SSH)
-CONFIGURE_ARGS+=	--disable-suid-ssh
-.endif
-
 .if defined(WITH_BSM)
 CONFIGURE_ARGS+=	--with-audit=bsm
 .endif
@@ -119,7 +114,7 @@
 
 .if defined(WITH_HPN)
 PATCH_SITES+=		http://www.psc.edu/networking/projects/hpn-ssh/
-PATCHFILES+=		${PORTNAME}-5.8p1-hpn13v11.diff.gz
+PATCHFILES+=		${PORTNAME}-5.9p1-hpn13v12.diff.gz
 PATCH_DIST_STRIP=
 .endif
 
@@ -194,11 +189,9 @@
 		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
 	@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
 		-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
-	@${ECHO_CMD} '#define FREEBSD_PORT_VERSION	 FreeBSD-${PKGNAME}'  \
-		${WRKSRC}/version.h
-	@${ECHO_CMD} '#define SSH_VERSION	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION'  \
+	@${ECHO_CMD} '#define SSH_VERSION	TMP_SSH_VERSION SSH_PORTABLE'  \
 		${WRKSRC}/version.h
-	@${ECHO_CMD} '#define SSH_RELEASE	TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION'  \
+	@${ECHO_CMD} '#define SSH_RELEASE	TMP_SSH_VERSION SSH_PORTABLE'  \
 		${WRKSRC}/version.h
 .if defined(WITH_HPN)
 	@${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \
diff -urN security/openssh-portable-5.8p2/distinfo security/openssh-portable/distinfo
--- security/openssh-portable-5.8p2/distinfo	2011-10-21 12:18:56.0 -0400
+++ security/openssh-portable/distinfo	2012-05-30 19:07:47.129970365 -0400
@@ -1,8 +1,4 @@
-SHA256 (openssh-5.8p2.tar.gz) = 5c35ec7c966ce05cc4497ac59c0b54a556e55ae7368165cc8c4129694654f314
-SIZE (openssh-5.8p2.tar.gz) = 1115475
-SHA256 (openssh-5.8p1-hpn13v11.diff.gz) = 62b500d29d8889ce76c8b596eb65731d8ac3469d89d9c6eb29fec2a845159df7
-SIZE (openssh-5.8p1-hpn13v11.diff.gz) = 22993
-SHA256 (openssh-5.8p1+x509-7.0.diff.gz) = 3b578cbf69f25e630e8da52b6586a36c62c0c7ce026f95acda91c023dc47c85b
-SIZE (openssh-5.8p1+x509-7.0.diff.gz) = 184277
-SHA256 (openssh-5.7p1-gsskex-all-20110125.patch) = bfdc72c3d7d5d4f9f8a78b649988dff8fad780cfa72bad4a69eb94c54de9a359
-SIZE (openssh-5.7p1-gsskex-all-20110125.patch) = 91889
+SHA256 (openssh
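Review bot: this copy of the attachment shows what the earlier one cut off: the openssh-5.7p1-gsskex-all-20110125.patch entries are removed along with the x509 ones, and the replacement lines still stop mid-entry at `+SHA256 (openssh`. The config header above has KERB_GSSAPI=off and X509=off, so neither option was built with this diff; until 5.9p1 versions of those patches and their checksums are in distinfo, the two options should be marked BROKEN rather than left selectable with no entry to verify the download against.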

Re: security/openssh-portable HPN 404

2012-05-30 Thread Michael Scheidell
There is a pr already for 6.0 that needs submitter fixes. Search gnats for prs 
owned by scheidell.

--
Michael Scheidell, CTO
|SECNAP Network Security


-Original message-
From: Jason Hellenthal jhellent...@dataix.net
To: Michael Scheidell scheid...@freebsd.org
Cc: freebsd-ports@freebsd.org freebsd-ports@freebsd.org
Sent: Thu, May 31, 2012 03:38:32 GMT+00:00
Subject: Re: security/openssh-portable HPN 404


You guys may want to try these out...

 This updates to openssh-portable-5.9p1_2,1

 See the attached config file for the options I tested with. If you want
 something else and it does not work feel free to email me directly and
 I will see what I can do.

 I don't have time to put this up publicly yet but will soon.

On Wed, May 30, 2012 at 09:44:13PM -0400, Michael Scheidell wrote:


 On 5/30/12 9:25 PM, Bryan Drewery wrote:
  cd /usr/ports/security/openssh-portable
  fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
  patch < patch-openssh-hpn-mirror.txt
 
 actually, the & in the command line mucks things up.

 this should work:
 cd /usr/ports/security/openssh-portable
 fetch -o - 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1' | patch

 (-o is output file.. unless you want a strange file hanging around, -
 means stdout, | patch just pipes standard out to in and to patch.

 --
 Michael Scheidell, CTO
  *| * SECNAP Network Security Corporation
 d: +1.561.948.2259
 w: http://people.freebsd.org/~scheidell

--

 - (2^(N-1))

Re: security/openssh-portable

2012-03-15 Thread Grzegorz Blach

On 03/14/2012 09:01 PM, Cy Schubert wrote:

In message 4f60ef46.2040...@acsalaska.net, Mel Flynn writes:

Hello Cy,

On 3/14/2012 08:57, Cy Schubert wrote:

[snip]


What I propose to do is remove the GSSAPI
patch from security/openssh-portable and for those who need the GSSAPI
server key exchange, create a new port (through a repocopy of course) which



includes the illinois.edu GSI patch with reworked FreeBSD patches resolving



patch conflicts, calling it security/openssh-portable-gsi. Does this make
any sense to anyone?

Or, instead of the above, just include the GSI patch by default in a
one-size-fits-all openssh-portable port? (Meaning that the GSI patch is
applied regardless.) Does this make more sense to people?


Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
don't find that an issue, but others may.


Given that the current LPK patch is unmaintained by our upstream, I think
it should be removed and we either move toward a one-size-fits-all port or
have a second port with the one-size-fits-all GSI patch. Basically the
current hodgepodge of patches in this port is unmaintainable, which is why
this port is usually slow to be updated.

We can address the KRB5 requirement with ifdefs.

I'm leaning toward gutting a one-size-fits-all approach with patches that
are maintainable. Secondly, if there are requirements for an insecure
backlevel port, we could repocopy it. I'm not entirely enamoured with that
idea, caveat emptor of course.



I'm also keeping a local fix you might want to properly integrate into
the LPK patch: it fixes a bug that TLS cannot be turned off if
LPKLdapConf is used.


If I go ahead and have the port repocopied and move forward with this, I'll
see if I can include this patch.

I'll give it another day before making the repocopy request. The current
port should be repocopied to openssh-portable58 and the new port assume the
openssh-portable name.

I've yet to hear from the maintainer of this port for his thoughts on this.




I (maintainer of security/openssh-portable) need one or two days to
review the GSI patch and other patches which are available for openssh-5.9.

But repocopying security/openssh-portable to security/openssh-portable58
and upgrading security/openssh-portable to 5.9 sounds reasonable.



RE: security/openssh-portable

2012-03-15 Thread Dewayne Geraghty
Cy,

If the option of splitting openssh into two ports means that one of those
ports is closer to the base system's openssh, and the base system's openssh
requires the FreeBSD patch-set, for base, then this is a commendable
suggestion.  Otherwise, I would vote for one kit, subject of course to
Grzegorz' nod.

Like Mel, I enjoy the benefit of HPN and keys only.

Kind regards, Dewayne.



Re: security/openssh-portable

2012-03-15 Thread Grzegorz Blach
I (maintainer of security/openssh-portable) need one or two days to
review the GSI patch and other patches which are available for openssh-5.9.

But repocopying security/openssh-portable to security/openssh-portable58
and upgrading security/openssh-portable to 5.9 sounds reasonable to me.

Beginning with FreeBSD 9.0, openssh in the base system has the HPN
patches applied, so I think it isn't a good idea to maintain a port which is
very close to the system's openssh. In this case simply use openssh from the base system.



security/openssh-portable

2012-03-14 Thread Cy Schubert
Hi all,

Our openssh-portable port hasn't been updated to 5.9p1, so I took advantage
of a free evening to see if I could update it. Unfortunately Simon
Wilkinson's GSSAPI patch no longer applies, as it hasn't been updated since
OpenSSH 5.8. It has been superseded by the NCSA illinois.edu GSI patch,
which not only includes Wilkinson's GSSAPI patch but also the HPN patch,
among others. Unfortunately this patch also conflicts with some of our own
FreeBSD patches in the port. What I propose to do is remove the GSSAPI
patch from security/openssh-portable and for those who need the GSSAPI
server key exchange, create a new port (through a repocopy of course) which
includes the illinois.edu GSI patch with reworked FreeBSD patches resolving
patch conflicts, calling it security/openssh-portable-gsi. Does this make
any sense to anyone?

Or, instead of the above, just include the GSI patch by default in a 
one-size-fits-all openssh-portable port? (Meaning that the GSI patch is 
applied regardless.) Does this make more sense to people?


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org




Re: security/openssh-portable

2012-03-14 Thread Mel Flynn
Hello Cy,

On 3/14/2012 08:57, Cy Schubert wrote:

[snip]

 What I propose to do is remove the GSSAPI
 patch from security/openssh-portable and for those who need the GSSAPI 
 server key exchange, create a new port (through a repocopy of course) which 
 includes the illinois.edu GSI patch with reworked FreeBSD patches resolving 
 patch conflicts, calling it security/openssh-portable-gsi. Does this make 
 any sense to anyone?
 
 Or, instead of the above, just include the GSI patch by default in a 
 one-size-fits-all openssh-portable port? (Meaning that the GSI patch is 
 applied regardless.) Does this make more sense to people?

Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
don't find that an issue, but others may.

I'm also keeping a local fix you might want to properly integrate into
the LPK patch: it fixes a bug that TLS cannot be turned off if
LPKLdapConf is used.
-- 
Mel
Index: Makefile
===
RCS file: /home/ncvs/ports/security/openssh-portable/Makefile,v
retrieving revision 1.157
diff -u -r1.157 Makefile
--- Makefile23 Dec 2011 12:52:28 -  1.157
+++ Makefile14 Mar 2012 19:09:36 -
@@ -205,6 +205,9 @@
@${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION 
SSH_PORTABLE SSH_HPN|' \
${WRKSRC}/version.h
 .endif
+.if defined(WITH_LPK)
+   @${PATCH} ${PATCH_DIST_ARGS}  ${FILESDIR}/fix-lpk-tls.patch
+.endif
 
 pre-su-install:
@${MKDIR} ${EMPTYDIR}
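Review bot: applying a file from ${FILESDIR} by hand with `@${PATCH}` inside the version.h post-patch step bypasses the ports framework; the usual form is `EXTRA_PATCHES+= ${FILESDIR}/fix-lpk-tls.patch` inside the same `.if defined(WITH_LPK)` block, which the framework applies after the distribution patches (so ldapauth.c, created by the LPK patch, already exists) and which fails the build loudly if the patch stops applying. As rendered here the `@${PATCH} ${PATCH_DIST_ARGS} ${FILESDIR}/fix-lpk-tls.patch` line shows no `<` redirect, in which case patch(1) would treat the file name as a target rather than as the patch to read, so verify the real Makefile before attaching it to a PR.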
Index: files/fix-lpk-tls.patch
===
RCS file: files/fix-lpk-tls.patch
diff -N files/fix-lpk-tls.patch
--- /dev/null   1 Jan 1970 00:00:00 -
+++ files/fix-lpk-tls.patch 2 Jan 2012 17:26:37 -
@@ -0,0 +1,11 @@
+--- ldapauth.c.prev2012-01-02 07:15:19.0 -0900
 ldapauth.c 2012-01-02 08:21:23.0 -0900
+@@ -565,6 +565,8 @@
+ else if (!strcasecmp (k, ssl)) {
+ if (!strcasecmp (v, start_tls))
+ l-tls = 1;
++  else if (!strcasecmp(v, off))
++  l-tls = 0;
+ }
+ }
+ 
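Review bot: the new branch recognises only the literal `off`; any other value still falls through silently and leaves `tls` at whatever it was, so a typo such as `ssl of` keeps TLS on with no diagnostic. Consider an `else` that logs the unrecognised value, and document in the LPK notes that `ssl off` is now honoured in an LPKLdapConf file, since the fix is invisible to a user otherwise. Also note that this nested diff is rendered with its `->` arrows and string quotes stripped (`l-tls`, `strcasecmp (k, ssl)`), so the file attached to the PR should be compared against this mail before it is committed.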

Re: security/openssh-portable

2012-03-14 Thread Cy Schubert
In message 4f60ef46.2040...@acsalaska.net, Mel Flynn writes:
 Hello Cy,
 
 On 3/14/2012 08:57, Cy Schubert wrote:
 
 [snip]
 
  What I propose to do is remove the GSSAPI
  patch from security/openssh-portable and for those who need the GSSAPI 
  server key exchange, create a new port (through a repocopy of course) which
  
  includes the illinois.edu GSI patch with reworked FreeBSD patches resolving
  
  patch conflicts, calling it security/openssh-portable-gsi. Does this make 
  any sense to anyone?
  
  Or, instead of the above, just include the GSI patch by default in a 
  one-size-fits-all openssh-portable port? (Meaning that the GSI patch is 
  applied regardless.) Does this make more sense to people?
 
 Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
 don't find that an issue, but others may.

Given that the current LPK patch is unmaintained by our upstream, I think 
it should be removed and we either move toward a one-size-fits-all port or 
have a second port with the one-size-fits-all GSI patch. Basically the 
current hodgepodge of patches in this port is unmaintainable, which is why 
this port is usually slow to be updated.

We can address the KRB5 requirement with ifdefs.

I'm leaning toward gutting a one-size-fits-all approach with patches that 
are maintainable. Secondly, if there are requirements for an insecure 
backlevel port, we could repocopy it. I'm not entirely enamoured with that 
idea, caveat emptor of course.

 
 I'm also keeping a local fix you might want to properly integrate into
 the LPK patch: it fixes a bug that TLS cannot be turned off if
 LPKLdapConf is used.

If I go ahead and have the port repocopied and move forward with this, I'll 
see if I can include this patch.

I'll give it another day before making the repocopy request. The current 
port should be repocopied to openssh-portable58 and the new port assume the 
openssh-portable name.

I've yet to hear from the maintainer of this port for his thoughts on this.


-- 
Cheers,
Cy Schubert cy.schub...@komquats.com
FreeBSD UNIX:  c...@freebsd.org   Web:  http://www.FreeBSD.org





Re: CFT: security/openssh-portable 5.8p2

2011-10-11 Thread Gleb Smirnoff
On Sun, Oct 09, 2011 at 06:38:10PM +0200, Grzegorz Blach wrote:
G New snapshot is ready for testing:
G 
https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t2.shar
G In this version WITH_LPK knob is fixed.
G Thanks to Gleb Smirnoff.

btw, one more issue with the port is that configure autodetects
wtmp/utmp/lastlog stuff, using not only header include files, but
also actual logs in /var.

So, compiling openssh-portable on a 9.x or 10.x system that was once
upgraded from 8.x or earlier would lead to incorrect autodetection
of the logging API, even if you have run 'make delete-old', since the
latter doesn't delete anything from /var.

Thus, before compiling the port, one needs to:

# rm /var/log/wtmp /var/run/utmp /var/log/lastlog

-- 
Totus tuus, Glebius.


Re: CFT: security/openssh-portable 5.8p2

2011-10-09 Thread Grzegorz Blach
New snapshot is ready for testing:
https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t2.shar

In this version WITH_LPK knob is fixed.
Thanks to Gleb Smirnoff.


Re: CFT: security/openssh-portable 5.8p2

2011-09-22 Thread Grzegorz Blach
Mainly features introduced by external patches should be tested.
They work for me, but maybe someone will find some regressions.


Re: CFT: security/openssh-portable 5.8p2

2011-09-17 Thread Frederico Costa (Ports)

Hi there...

Thanks for making this available.

I have been monitoring this list, and I would help in testing this.

Is there anything you want me to test in particular?

I am using FreeBSD 8.2 amd64 on both of my systems and both have the
base openssh 5.4p1.

My plan is to upgrade to the ports version with your 5.8. Of course I
will do this in my test system first and I will report any problems.

Thanks once more for this work.

Fred

---
Frederico Costa
fredpo...@mufley.com

On Mon, 12 Sep 2011 00:24:05 +0200, Grzegorz Blach wrote:

After becoming the new maintainer of security/openssh-portable,
I updated it to version 5.8p2.
My patches fix several problems reported to this port:
- ports/144597: Kerberos knob works again
- ports/150493: Port updated to (almost) recent version
- ports/160389: Port builds fine on FreeBSD 9.x
- ports/156926: Suffix isn't changed with knobs

Next problem can't be fixed:
- ports/155456: LPK patch wasn't updated upstream



Current snapshot can be downloaded from:

https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t1.shar

Anyone who has time and desire, please check if everything is working
in this port and report bugs to me.





CFT: security/openssh-portable 5.8p2

2011-09-11 Thread Grzegorz Blach
After becoming the new maintainer of security/openssh-portable,
I updated it to version 5.8p2.
My patches fix several problems reported to this port:
- ports/144597: Kerberos knob works again
- ports/150493: Port updated to (almost) recent version
- ports/160389: Port builds fine on FreeBSD 9.x
- ports/156926: Suffix isn't changed with knobs

Next problem can't be fixed:
- ports/155456: LPK patch wasn't updated upstream



Current snapshot can be downloaded from:
https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t1.shar

Anyone who has time and desire, please check if everything is working
in this port and report bugs to me.


Re: ports/144597: security/openssh-portable fails to compile with KERBEROS enabled

2011-07-16 Thread Chris Rees
On 16 Jul 2011 00:23, Jason Hellenthal jh...@dataix.net wrote:



 On Wed, Jul 13, 2011 at 11:39:01PM -0500, Stephen Montgomery-Smith wrote:
  Hey people,
 
  I was looking over old unresolved PR's.  I came across this one:
 
  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144597
 
  When I sent a message to the submitter of the PR, the email bounced back
  suggesting that the submitter no longer uses that email address.
 
  I don't think it would be too hard to make the port build under the
  circumstances he describes.  But is ANYONE interested?  Would it be
  worth investing effort to make this work?
 
  Note that the port has ports@ as its maintainer, so it doesn't look like
  there is a lot of interest.
 
  Thanks, Stephen
 
  P.S. This one is related:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/57498
 
  Is this a big bag of worms?
 
  I can see that seems to be fixed, for example, in mail/fetchmail.

 Considering that the port version is 5.2p1 and the current version in
 stable/8 is 5.4p1 and greater than that for HEAD I would say it would be
 much more of a benefit to get the port updated to the latest version and
 then work on it from there, otherwise it's a loss of time for an outdated
 version.

 Last time I looked at this port it was a mess with a collection of third
 party patches from all over the place which I think led to a
 discrepancy in the update of the port but that's just my opinion. It
 would be nice to see a simplified version of this port so it isn't such a
 monster to update and have an option for a user supplied patches
 directory that stands outside of the tree (user configured path) and it
 just blindly attempts to apply what is in that directory. I think this
 would help slim it down a little so it can consistently be bumped to a
 new revision without hassle.


 Something like:

 # Defaults to /usr/ports/patches unless path is user specified.
 WITH_PATCH_TREE?=/usr/ports/patches

 /usr/ports/patches/ # Distributed empty. everything else user created.
 |-- net
 |   `-- wireshark
 `-- security
     |-- gnupg
     `-- openssh-portable


 Things like this would certainly make it easier for a consistent user
 supplied patch to be kept local for build machines. I can't count the
 times on 2 hands and 2 feet that I wanted to patch a port with a local
 patch and had to continuously cp(1) a patch back to a ports tree using
 rsync(1)

Not really, because that would encourage people to have local patches that
quickly go stale. You should have to manually record the patches, because
you should be checking they're still current each time.

Otherwise we could end up with numerous bug reports because of this.

Or do everyone a favour and link them to an OPTION with extra patches!

Chris


Re: ports/144597: security/openssh-portable fails to compile with KERBEROS enabled

2011-07-15 Thread Stephen Montgomery-Smith

On 07/15/2011 06:28 PM, Stephen Montgomery-Smith wrote:

On 07/15/2011 06:23 PM, Jason Hellenthal wrote:



On Wed, Jul 13, 2011 at 11:39:01PM -0500, Stephen Montgomery-Smith wrote:

Hey people,

I was looking over old unresolved PR's.  I came across this one:

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144597

When I sent a message to the submitter of the PR, the email bounced back
suggesting that the submitter no longer uses that email address.

I don't think it would be too hard to make the port build under the
circumstances he describes.  But is ANYONE interested?  Would it be
worth investing effort to make this work?

Note that the port has ports@ as its maintainer, so it doesn't look like
there is a lot of interest.

Thanks, Stephen

P.S. This one is related:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/57498

Is this a big bag of worms?

I can see that seems to be fixed, for example, in mail/fetchmail.


Considering that the port version is 5.2p1 and the current version in
stable/8 is 5.4p1 and greater than that for HEAD I would say it would be
much more of a benefit to get the port updated to the latest version and
then work on it from there, otherwise it's a loss of time for an outdated
version.

Last time I looked at this port it was a mess with a collection of third
party patches from all over the place which I think led to a
discrepancy in the update of the port but that's just my opinion. It
would be nice to see a simplified version of this port so it isn't such a
monster to update and have an option for a user supplied patches
directory that stands outside of the tree (user configured path) and it
just blindly attempts to apply what is in that directory. I think this
would help slim it down a little so it can consistently be bumped to a
new revision without hassle.


Something like:

# Defaults to /usr/ports/patches unless path is user specified.
WITH_PATCH_TREE?=/usr/ports/patches

/usr/ports/patches/ # Distributed empty. everything else user created.
|-- net
|   `-- wireshark
`-- security
  |-- gnupg
  `-- openssh-portable


Things like this would certainly make it easier for a consistent user
supplied patch to be kept local for build machines. I can't count the
times on 2 hands and 2 feet that I wanted to patch a port with a local
patch and had to continuously cp(1) a patch back to a ports tree using
rsync(1)


All these are good ideas, but I am not the person to do it.  I don't use
this software.  I'm going to relinquish responsibility for this PR.


I found some possible maintainers of this port at 
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/150493.  If either of 
them reply, then I'll pick it up again.



ports/144597: security/openssh-portable fails to compile with KERBEROS enabled

2011-07-13 Thread Stephen Montgomery-Smith

Hey people,

I was looking over old unresolved PR's.  I came across this one:

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144597

When I sent a message to the submitter of the PR, the email bounced back 
suggesting that the submitter no longer uses that email address.


I don't think it would be too hard to make the port build under the 
circumstances he describes.  But is ANYONE interested?  Would it be 
worth investing effort to make this work?


Note that the port has ports@ as its maintainer, so it doesn't look like 
there is a lot of interest.


Thanks, Stephen

P.S. This one is related:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/57498

Is this a big bag of worms?

I can see that seems to be fixed, for example, in mail/fetchmail.


Re: security/openssh-portable maintainer

2010-10-07 Thread Mark Linimon
Please see ports/150493 for someone who seems to be looking at it.

mcl


security/openssh-portable maintainer

2010-10-06 Thread Chris
Hi, I see this port has no maintainer now and is now out of date.  I
have attempted myself to update the port but have hit a number of
problems.

1 - some of the contrib patches don't exist for the new version of the
app. I assume support would need to be dropped at least temporarily on
an update.
2 - one of the freebsd patches in the files dir fails to patch, the
rest are reported as successful however when checking the files in the
work dir they are not patched.
3 - the hpn patch on the dev website is gzipped, the ports system
seems to assume a patch must be uncompressed when downloading?
4 - the hpn patch initially on the old version is just in the files
dir however I couldn't find a way to use -p1 with it, so I set it to
download as a dist patch but because of problem #3 I used my own
webspace to download an uncompressed patch.

What I am asking is, can someone please take over this port, my skill
set is not high enough to do it at least without some help.
Failing that can someone help me with the freebsd patches in the files
dir to patch ok on openssh 5.6p1.

Chris


patch for security/openssh-portable

2010-01-13 Thread jhell




Request.

Attached is a patch against security/openssh-portable Makefile to remove 
FreeBSD version and openssl version from its version reply string.


This changes it from its default reply to: SSH-2.0-OpenSSH_5.2p1

I would rather leave a prober guessing rather than giving the information 
he needs to analyze a large number of hosts quickly.


- -- 


 Wed Jan 13 08:06:17 2010

 jhell

--- Makefile.orig   2009-12-30 15:14:04.646162156 -0500
+++ Makefile2009-12-30 15:15:36.939692199 -0500
@@ -229,11 +229,9 @@
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
-   @${ECHO_CMD} '#define FREEBSD_PORT_VERSION   FreeBSD-${PKGNAME}' 
 \
+   @${ECHO_CMD} '#define SSH_VERSION   TMP_SSH_VERSION SSH_PORTABLE' 
 \
${WRKSRC}/version.h
-   @${ECHO_CMD} '#define SSH_VERSION   TMP_SSH_VERSION SSH_PORTABLE 
FREEBSD_PORT_VERSION'  \
-   ${WRKSRC}/version.h
-   @${ECHO_CMD} '#define SSH_RELEASE   TMP_SSH_VERSION SSH_PORTABLE 
FREEBSD_PORT_VERSION'  \
+   @${ECHO_CMD} '#define SSH_RELEASE   TMP_SSH_VERSION SSH_PORTABLE' 
 \
${WRKSRC}/version.h
 .if defined(WITH_HPN)
@${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION 
SSH_PORTABLE SSH_HPN|' \
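Review bot: the append redirection is missing from every `@${ECHO_CMD} '...' \` / `${WRKSRC}/version.h` pair in this hunk, on the removed `-` lines as well as the added `+` ones, so as pasted each echo would go to stdout instead of into version.h; since the `.if defined(WITH_HPN)` context line survived intact this looks like `>>` being eaten in transit, and the patch should be attached as a file and re-checked before anyone applies it. Separately, dropping `FREEBSD_PORT_VERSION` from both `SSH_VERSION` and `SSH_RELEASE` unconditionally changes the banner for every user of the port; gating the two `+` lines behind a port option, with the current `FreeBSD-${PKGNAME}` suffix as the default, would let administrators who use that string for inventory keep it while still giving the requester the bare `SSH-2.0-OpenSSH_5.2p1` reply. The `WITH_HPN` REINPLACE that follows still matches `TMP_SSH_VERSION SSH_PORTABLE`, so it works with either form.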
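To check what a host's sshd actually advertises before and after a change like the one above, here is an added example, not code from the port or from jhell's patch, that parses the RFC 4253 identification string and flags platform markers; the marker list and the sample banners are constructed assumptions.

```python
"""Parse and audit the sshd identification string (RFC 4253, section 4.2).

Added example for this thread; it is not code from the port or from the
patch above.  The marker list and the sample banners are constructed for
illustration.
"""
import re
import socket
from typing import Dict, List, Optional

# SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)

# Substrings that identify an OS, distribution, package revision or add-on
# patch set in a banner.  Hypothetical list: extend it for your own fleet.
PLATFORM_MARKERS = ("FreeBSD", "Debian", "Ubuntu", "hpn", "OpenSSL")

# Constructed sample banners: what a port that appends FreeBSD-${PKGNAME}
# as the comments field emits, and the minimal form the patch aims for.
SAMPLE_VERBOSE = "SSH-2.0-OpenSSH_5.2p1 FreeBSD-openssh-portable-5.2p1,1\r\n"
SAMPLE_MINIMAL = "SSH-2.0-OpenSSH_5.2p1\r\n"


def parse_ssh_banner(line: str) -> Optional[Dict[str, str]]:
    """Split a banner into its three fields; None if it is not an SSH banner."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def platform_hints(line: str) -> List[str]:
    """Markers found in softwareversion or comments, in marker order."""
    fields = parse_ssh_banner(line)
    if fields is None:
        return []
    haystack = fields["software"] + " " + fields["comments"]
    return [marker for marker in PLATFORM_MARKERS if marker in haystack]


def is_minimal_banner(line: str) -> bool:
    """True when only the protocol and software version are advertised."""
    fields = parse_ssh_banner(line)
    return fields is not None and fields["comments"] == "" and not platform_hints(line)


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the identification line from a host you administer.

    RFC 4253 allows the server to send other lines first; those must not
    start with "SSH-" and are skipped here.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            for raw in stream:
                line = raw.decode("ascii", errors="replace")
                if line.startswith("SSH-"):
                    return line.rstrip("\r\n")
    raise ValueError("no SSH identification line received from %s:%d" % (host, port))


if __name__ == "__main__":
    for banner in (SAMPLE_VERBOSE, SAMPLE_MINIMAL):
        hints = platform_hints(banner)
        print(repr(banner.rstrip("\r\n")), "->", hints or "no platform hints")
```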

Re: patch for security/openssh-portable

2010-01-13 Thread Denis Barov
Probably you want VersionAddendum option in sshd_config?

Wed, Jan 13, 2010 at 08:14 -0500 jhell:
 
 
 
 Request.
 
 Attached is a patch against security/openssh-portable Makefile to remove 
 FreeBSD version and openssl version from its version reply string.
 
 This changes it from its default reply to: SSH-2.0-OpenSSH_5.2p1
 
 I would rather leave a prober guessing rather than giving the information 
 he needs to analyze a large number of hosts quickly.
 
 - -- 
 
   Wed Jan 13 08:06:17 2010
 
   jhell
 

 --- Makefile.orig 2009-12-30 15:14:04.646162156 -0500
 +++ Makefile  2009-12-30 15:15:36.939692199 -0500
 @@ -229,11 +229,9 @@
   -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
   @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
   -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
 - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION   FreeBSD-${PKGNAME}' 
  \
 + @${ECHO_CMD} '#define SSH_VERSION   TMP_SSH_VERSION SSH_PORTABLE' 
  \
   ${WRKSRC}/version.h
 - @${ECHO_CMD} '#define SSH_VERSION   TMP_SSH_VERSION SSH_PORTABLE 
 FREEBSD_PORT_VERSION'  \
 - ${WRKSRC}/version.h
 - @${ECHO_CMD} '#define SSH_RELEASE   TMP_SSH_VERSION SSH_PORTABLE 
 FREEBSD_PORT_VERSION'  \
 + @${ECHO_CMD} '#define SSH_RELEASE   TMP_SSH_VERSION SSH_PORTABLE' 
  \
   ${WRKSRC}/version.h
  .if defined(WITH_HPN)
   @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION 
 SSH_PORTABLE SSH_HPN|' \


-- 
Cheers
Denis Barov


Re: patch for security/openssh-portable

2010-01-13 Thread jhell


On Wed, 13 Jan 2010 08:29, dindin@ wrote:

Probably you want VersionAddendum option in sshd_config?



No.

To my understanding and my last tests VersionAddendum is only an 
Addendum, or did not work, which spurred me to patch up the Makefile in the 
first place.


Thanks for the thought though but I did not miss that option.


Wed, Jan 13, 2010 at 08:14 -0500 jhell:




Request.

Attached is a patch against security/openssh-portable Makefile to remove
FreeBSD version and openssl version from its version reply string.

This changes it from its default reply to: SSH-2.0-OpenSSH_5.2p1

I would rather leave a prober guessing rather than giving the information
he needs to analyze a large number of hosts quickly.

- --

  Wed Jan 13 08:06:17 2010

  jhell




--- Makefile.orig   2009-12-30 15:14:04.646162156 -0500
+++ Makefile2009-12-30 15:15:36.939692199 -0500
@@ -229,11 +229,9 @@
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
-   @${ECHO_CMD} '#define FREEBSD_PORT_VERSION   FreeBSD-${PKGNAME}' 
 \
+   @${ECHO_CMD} '#define SSH_VERSION   TMP_SSH_VERSION SSH_PORTABLE' 
 \
${WRKSRC}/version.h
-   @${ECHO_CMD} '#define SSH_VERSION   TMP_SSH_VERSION SSH_PORTABLE 
FREEBSD_PORT_VERSION'  \
-   ${WRKSRC}/version.h
-   @${ECHO_CMD} '#define SSH_RELEASE   TMP_SSH_VERSION SSH_PORTABLE 
FREEBSD_PORT_VERSION'  \
+   @${ECHO_CMD} '#define SSH_RELEASE   TMP_SSH_VERSION SSH_PORTABLE' 
 \
${WRKSRC}/version.h
 .if defined(WITH_HPN)
@${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION 
SSH_PORTABLE SSH_HPN|' \









--

 Wed Jan 13 08:38:24 2010

 It may not be able to take your machine down, but it can fill up your
 Internet Pipe.

 jhell



Re: patch for security/openssh-portable

2010-01-13 Thread jhell


On Wed, 13 Jan 2010 08:40, jhell@ wrote:


On Wed, 13 Jan 2010 08:29, dindin@ wrote:

Probably you want VersionAddendum option in sshd_config?



No.

To my understanding and my last tests VersionAddendum is only an Addendum, 
or did not work, which spurred me to patch up the Makefile in the first place.


Thanks for the thought though but I did not miss that option.



This is the output after adding VersionAddendum in the current ports openssh

centel# service openssh restart
/usr/local/etc/ssh/sshd_config: line 13: Bad configuration option: 
VersionAdendum

/usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options

? So like I was saying It does not work that way.

--

 Wed Jan 13 08:43:08 2010

 jhell



Re: patch for security/openssh-portable

2010-01-13 Thread Denny Lin

 Probably you want VersionAddendum option in sshd_config?
 
 
 No.
 
 To my understanding and my last tests VersionAddendum is only an 
 Addendum, or did not work, which spurred me to patch up the Makefile in the 
 first place.

I put VersionAddendum into sshd_config (with nothing trailing behind it),
and it works as expected:
telnet foo 22
Trying 192.168.0.1...
Connected to foo
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2p1

I'm using OpenSSH from base, but it should be the same with ports.

-- 
Denny Lin


Re: patch for security/openssh-portable

2010-01-13 Thread Denny Lin
 centel# service openssh restart
 /usr/local/etc/ssh/sshd_config: line 13: Bad configuration option: 
 VersionAdendum
 /usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options
 
 ? So like I was saying It does not work that way.

Looks like you have a typo. It should be VersionAddendum, not
VersionAdendum (missing a d).

-- 
Denny Lin


Re: patch for security/openssh-portable

2010-01-13 Thread Sergey V. Dyatko
On Wed, 13 Jan 2010 08:45:36 -0500
jhell jh...@dataix.net wrote:

J centel# service openssh restart
J /usr/local/etc/ssh/sshd_config: line 13: Bad configuration option: 
J VersionAdendum
^ VersionAddendum
J /usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration
J options
J 
J ? So like I was saying It does not work that way.
J 
J --
J 
J   Wed Jan 13 08:43:08 2010
J 
J   jhell

--
wbr, tiger


Re: patch for security/openssh-portable

2010-01-13 Thread Andrea Venturoli

On 01/13/10 14:45, jhell wrote:


centel# service openssh restart
/usr/local/etc/ssh/sshd_config: line 13: Bad configuration option:
VersionAdendum
/usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options

? So like I was saying It does not work that way.


You spelt it incorrectly. Throw another d in.

 bye
av.


Re: patch for security/openssh-portable

2010-01-13 Thread jhell


On Wed, 13 Jan 2010 08:45, jhell@ wrote:


On Wed, 13 Jan 2010 08:40, jhell@ wrote:


On Wed, 13 Jan 2010 08:29, dindin@ wrote:

Probably you want VersionAddendum option in sshd_config?



No.

To my understanding and my last tests VersionAddendum is only an 
Addendum, or did not work, which spurred me to patch up the Makefile in the 
first place.


Thanks for the thought though but I did not miss that option.



This is the output after adding VersionAddendum in the current ports openssh

centel# service openssh restart
/usr/local/etc/ssh/sshd_config: line 13: Bad configuration option: 
VersionAdendum

/usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options

? So like I was saying It does not work that way.



My apologies. I did use VersionAddendum with the correct spelling but I 
pasted my first try at this with the incorrect spelling.


With the correct spelling it still gives the above output.

--

 Wed Jan 13 08:49:14 2010

 It may not be able to take your machine down, but it can fill up your
 Internet Pipe.

 jhell



Re: patch for security/openssh-portable

2010-01-13 Thread Miroslav Lachman

Denny Lin wrote:



Probably you want VersionAddendum option in sshd_config?



No.

To my understanding and my last tests VersionAddendum is only an
Addendum, or did not work, which spurred me to patch up the Makefile in the
first place.


I put VersionAddendum into sshd_config (with nothing trailing behind it),
and it works as expected:
telnet foo 22
Trying 192.168.0.1...
Connected to foo
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2p1

I'm using OpenSSH from base, but it should be the same with ports.


I am not sure, but I think VersionAddendum is an option available only in 
base SSH, not in portable from ports.


Miroslav Lachman



Re: patch for security/openssh-portable

2010-01-13 Thread jhell


On Wed, 13 Jan 2010 09:03, 000.fbsd@ wrote:

Denny Lin wrote:



Probably you want VersionAddendum option in sshd_config?



No.

To my understanding and my last tests VersionAddendum is only an
Addendum, or did not work, which spurred me to patch up the Makefile in the
first place.


I put VersionAddendum into sshd_config (with nothing trailing behind it),
and it works as expected:
telnet foo 22
Trying 192.168.0.1...
Connected to foo
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2p1

I'm using OpenSSH from base, but it should be the same with ports.


I am not sure, but I think VersionAddendum is an option available only in base 
SSH, not in portable from ports.




That's correct as far as I have seen so far. Personally I think that since 
openssh-portable is in ports why worry about a VersionAddendum at all and 
just patch it with the patch I submitted. Seems like a more secure option 
but that's only me.



--

 jhell



Re: support for DESTDIR: security/openssh-portable

2006-08-11 Thread Gábor Kövesdán

Brooks Davis wrote:

On Thu, Aug 10, 2006 at 03:25:38PM +0200, Gábor Kövesdán wrote:
  

Brooks Davis wrote:


On Wed, Aug 09, 2006 at 05:59:18PM -0600, John E Hein wrote:
 
  

John E Hein wrote at 17:43 -0600 on Aug  9, 2006:


Well, the part that makes it annoying to duplicate in all ports is not
the two separate words (CHROOT DESTDIR), but that you have to test
defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
to use ${CHROOT} ${DESTDIR} or not.

So having that test to assign CHROOTDESTDIR or leave it empty in
bsd.port.mk allows the port writer to just always invoke it without
having to worry about testing for DESTDIR.
  

You could pass this var to pkg-install scripts, too (put it in the
standard *SUB* lists).

That way you don't have to do the dance that was added to
security/clamav/files/pkg-install.in:

if [ -n %%DESTDIR%% ]; then
   PW=/usr/sbin/chroot %%DESTDIR%% pw
   CHOWN=/usr/sbin/chroot %%DESTDIR%% chown
   MKDIR=/usr/sbin/chroot %%DESTDIR%% mkdir -p
else
   PW=pw
   CHOWN=chown
   MKDIR=mkdir -p
fi

but rather just:

PW=%%CHROOTDESTDIR%% pw
CHOWN=%%CHROOTDESTDIR%% chown
MKDIR=%%CHROOTDESTDIR%% mkdir -p
   


This seems bogus.  I can't think of any good reason why packages should
differ based on the valid of DESTDIR.  Instead the pkg-install script
should be run inside the chroot.

-- Brooks
 
  
We wanted to go that way with garga when working on security/clamav, but 
we realized that we can't just do chroot /foo pkg-install, since the 
script is not located in the chroot itself. Do you have another idea 
how to chroot those scripts?



My inclination would be something like:

PKG_INSTALL_TEMP=`mktemp ${DESTDIR}/tmp/pkg_install` && \
(${CAT} ${PKG_INSTALL} > ${PKG_INSTALL_TEMP}; \
 ${SH} ${PKG_INSTALL_TEMP}; \
 ${RM} ${PKG_INSTALL_TEMP})

I think we should ideally introduce a feature to allow ports to
automatically run pkg-install and stuff the code in bsd.port.mk so ports
don't have to know about DESTDIR in this case.  Actually, ports where
pkg-install and the pre/post-install targets duplicate code (often
slightly differently) drive me nuts so I'd prefer a NO_AUTOPKGINSTALL,
but that would take some real work so a positive flag is probably better
initially.

-- Brooks
  
This is a good idea, but there's a big mess in this area as you already 
said, so I think it would be a long term goal. I find John's solution 
pretty good for now. Another item for automation would be to 
install PORTDOCS into DOCSDIR in the post-install phase and introduce 
NO_PORTDOCSINSTALL or something like that to turn this off. But both of 
them need a lot of modification in affected ports as well.


--
Cheers,

Gabor



Re: support for DESTDIR: security/openssh-portable

2006-08-10 Thread Brooks Davis
On Wed, Aug 09, 2006 at 05:59:18PM -0600, John E Hein wrote:
 John E Hein wrote at 17:43 -0600 on Aug  9, 2006:
   Well, the part that makes it annoying to duplicate in all ports is not
   the two separate words (CHROOT DESTDIR), but that you have to test
   defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
   to use ${CHROOT} ${DESTDIR} or not.
   
   So having that test to assign CHROOTDESTDIR or leave it empty in
   bsd.port.mk allows the port writer to just always invoke it without
   having to worry about testing for DESTDIR.
 
 You could pass this var to pkg-install scripts, too (put it in the
 standard *SUB* lists).
 
 That way you don't have to do the dance that was added to
 security/clamav/files/pkg-install.in:
 
 if [ -n "%%DESTDIR%%" ]; then
 PW="/usr/sbin/chroot %%DESTDIR%% pw"
 CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
 MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
 else
 PW="pw"
 CHOWN="chown"
 MKDIR="mkdir -p"
 fi
 
 but rather just:
 
 PW="%%CHROOTDESTDIR%% pw"
 CHOWN="%%CHROOTDESTDIR%% chown"
 MKDIR="%%CHROOTDESTDIR%% mkdir -p"

This seems bogus.  I can't think of any good reason why packages should
differ based on the value of DESTDIR.  Instead the pkg-install script
should be run inside the chroot.

-- Brooks




Re: support for DESTDIR: security/openssh-portable

2006-08-10 Thread Gábor Kövesdán

Brooks Davis wrote:

On Wed, Aug 09, 2006 at 05:59:18PM -0600, John E Hein wrote:
  

John E Hein wrote at 17:43 -0600 on Aug  9, 2006:
  Well, the part that makes it annoying to duplicate in all ports is not
  the two separate words (CHROOT DESTDIR), but that you have to test
  defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
  to use ${CHROOT} ${DESTDIR} or not.
  
  So having that test to assign CHROOTDESTDIR or leave it empty in

  bsd.port.mk allows the port writer to just always invoke it without
  having to worry about testing for DESTDIR.

You could pass this var to pkg-install scripts, too (put it in the
standard *SUB* lists).

That way you don't have to do the dance that was added to
security/clamav/files/pkg-install.in:

if [ -n "%%DESTDIR%%" ]; then
PW="/usr/sbin/chroot %%DESTDIR%% pw"
CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
else
PW="pw"
CHOWN="chown"
MKDIR="mkdir -p"
fi

but rather just:

PW="%%CHROOTDESTDIR%% pw"
CHOWN="%%CHROOTDESTDIR%% chown"
MKDIR="%%CHROOTDESTDIR%% mkdir -p"



This seems bogus.  I can't think of any good reason why packages should
differ based on the value of DESTDIR.  Instead the pkg-install script
should be run inside the chroot.

-- Brooks
  
We wanted to go that way with garga when working on security/clamav, but 
we realized that we can't just do chroot /foo pkg-install, since the 
script is not located in the chroot itself. Do you have another idea of 
how to chroot those scripts?


--
Cheers,

Gabor



Re: support for DESTDIR: security/openssh-portable

2006-08-09 Thread John E Hein
Gábor Kövesdán wrote at 01:29 +0200 on Aug 10, 2006:
  John E Hein wrote:
   John E Hein wrote at 16:31 -0600 on Aug  9, 2006:
 Now that ports/Mk does the right thing for DESTDIR (thanks to Gábor),
 here's a patch that supports DESTDIR properly for
 security/openssh-portable:
 
   [snip]
 @@ -171,29 +171,33 @@ post-extract:
  post-patch:
 @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
  
 +.if defined(DESTDIR)  !empty(DESTDIR)
 +CHROOTDESTDIR=${CHROOT} ${DESTDIR}
 +.endif
 +
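Review bot: the conditional `+.if defined(DESTDIR)  !empty(DESTDIR)` only ever assigns CHROOTDESTDIR, so when DESTDIR is unset or empty the variable stays undefined and every `${CHROOTDESTDIR} pw ...` later in the target expands to a bare `pw ...` against the build host's own account database. That is the intended fallback, but nothing in the Makefile says so; add an explicit `.else` with an empty `CHROOTDESTDIR=` and a one-line comment stating that account changes are redirected into the target tree only when DESTDIR is set. The block also assumes `${CHROOT}` is provided by the ports framework; if it is not, a `CHROOT?=/usr/sbin/chroot` belongs next to it.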
   [snip]
  .endif
 -   if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi
 -   if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \
 +   if ! ${CHROOTDESTDIR} pw groupshow sshd; then ${CHROOTDESTDIR} 
   pw groupadd sshd -g 22; fi
 +   if ! ${CHROOTDESTDIR} pw usershow sshd; then ${CHROOTDESTDIR} 
   pw useradd sshd -g sshd -u 22 \
 -h - -d ${EMPTYDIR} -s /nonexistent -c sshd privilege 
   separation; fi
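Review bot: the guards `if ! ${CHROOTDESTDIR} pw groupshow sshd` and `if ! ${CHROOTDESTDIR} pw usershow sshd` treat any non-zero exit as "account missing", so a target tree in which pw cannot run at all (no /usr/sbin/pw, missing shared libraries, or no writable etc/ under ${DESTDIR}) falls through to `pw groupadd`/`pw useradd`, which then fail for the same reason with an error that points at the wrong command. Check once up front that `${CHROOTDESTDIR} pw usershow root` succeeds and abort with a clear message otherwise. Two smaller points: `-d ${EMPTYDIR}` is written verbatim into the target's passwd entry, so it must stay the in-target path (/var/empty), never ${DESTDIR}${EMPTYDIR}; and the fixed `-u 22`/`-g 22` may collide with an existing UID/GID 22 in the target, which is worth a comment now that the target is no longer the build host.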
  
   Gabor, you may want to define CHROOTDESTDIR (or name it whatever you
   want) as a convenience var in bsd.port.mk
  
   I suspect lots of ports will want to use it.
 
  Might be good, but personally I think ${CHROOT} ${DESTDIR} is more 
  trivial (easier to read and understand) and only 4 characters longer. 
  One might wonder at first look what CHROOTDESTDIR is.

Well, the part that makes it annoying to duplicate in all ports is not
the two separate words (CHROOT DESTDIR), but that you have to test
defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
to use ${CHROOT} ${DESTDIR} or not.

So having that test to assign CHROOTDESTDIR or leave it empty in
bsd.port.mk allows the port writer to just always invoke it without
having to worry about testing for DESTDIR.
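The two mechanisms argued over in this thread, John's CHROOTDESTDIR convenience variable (substituted into a pkg-install.in via SUB_LIST) and Brooks's suggestion of copying the pkg-install script into ${DESTDIR}/tmp so it can be run from inside the chroot, as shell functions that can be exercised without root. This is an added example, not code from the thread, from bsd.port.mk or from the openssh-portable or clamav ports; the function names, the default CHROOT path and the pkg-install.in contents in the usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree).  Function names
# and the default CHROOT path are assumptions.
set -eu

CHROOT=${CHROOT:-/usr/sbin/chroot}

# CHROOTDESTDIR as proposed for bsd.port.mk: empty unless DESTDIR is set
# and non-empty, otherwise "chroot ${DESTDIR}".
chrootdestdir() {
    destdir=${1:-}
    if [ -n "$destdir" ]; then
        printf '%s %s\n' "$CHROOT" "$destdir"
    fi
}

# John's approach: substitute %%CHROOTDESTDIR%% (and %%DESTDIR%%) into a
# pkg-install.in the way SUB_LIST would.  Rendered script goes to stdout.
# (sed uses "|" as delimiter, so paths containing "|" or "&" need escaping.)
render_pkg_install() {
    destdir=$1; template=$2
    prefix=$(chrootdestdir "$destdir")
    sed -e "s|%%CHROOTDESTDIR%%|$prefix|g" \
        -e "s|%%DESTDIR%%|$destdir|g" "$template"
}

# Brooks's approach: the script lives outside the target tree, so copy it
# into ${DESTDIR}/tmp and print the path by which a shell running inside
# the chroot will see it (the host path with the DESTDIR prefix removed).
stage_pkg_install() {
    destdir=$1; script=$2
    mkdir -p "$destdir/tmp"
    tmp=$(mktemp "$destdir/tmp/pkg-install.XXXXXX")
    cat "$script" > "$tmp"
    chmod 0700 "$tmp"
    printf '%s\n' "${tmp#"$destdir"}"
}

# Dry-run helper: the command line that would run a staged script for a
# given package name and stage, inside the chroot when DESTDIR is set and
# directly on the build host otherwise.
pkg_install_cmd() {
    destdir=$1; inside_path=$2; pkgname=$3; stage=$4
    prefix=$(chrootdestdir "$destdir")
    printf '%s\n' "${prefix:+$prefix }/bin/sh $inside_path $pkgname $stage"
}

# Stage, run and clean up.  Needs root when DESTDIR is non-empty, because
# chroot(8) does; returns the script's exit status.
run_pkg_install() {
    destdir=$1; script=$2; pkgname=$3; stage=$4
    inside=$(stage_pkg_install "$destdir" "$script")
    rc=0
    if [ -n "$destdir" ]; then
        "$CHROOT" "$destdir" /bin/sh "$inside" "$pkgname" "$stage" || rc=$?
    else
        /bin/sh "$inside" "$pkgname" "$stage" || rc=$?
    fi
    rm -f "$destdir$inside"
    return $rc
}
```

Usage: `run_pkg_install /mnt/target ./pkg-install examplepkg-1.0 POST-INSTALL` runs the script with `chroot /mnt/target`, so `pw` edits /mnt/target/etc/master.passwd and the build host's accounts are never touched; with an empty first argument the same script runs on the host. `render_pkg_install` shows why Brooks objected to the SUB_LIST route: the rendered script differs per DESTDIR, whereas the staged copy is byte-identical in both cases.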


Re: support for DESTDIR: security/openssh-portable

2006-08-09 Thread John E Hein
John E Hein wrote at 17:43 -0600 on Aug  9, 2006:
  Well, the part that makes it annoying to duplicate in all ports is not
  the two separate words (CHROOT DESTDIR), but that you have to test
  defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
  to use ${CHROOT} ${DESTDIR} or not.
  
  So having that test to assign CHROOTDESTDIR or leave it empty in
  bsd.port.mk allows the port writer to just always invoke it without
  having to worry about testing for DESTDIR.

You could pass this var to pkg-install scripts, too (put it in the
standard *SUB* lists).

That way you don't have to do the dance that was added to
security/clamav/files/pkg-install.in:

if [ -n "%%DESTDIR%%" ]; then
PW="/usr/sbin/chroot %%DESTDIR%% pw"
CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
else
PW="pw"
CHOWN="chown"
MKDIR="mkdir -p"
fi

but rather just:

PW="%%CHROOTDESTDIR%% pw"
CHOWN="%%CHROOTDESTDIR%% chown"
MKDIR="%%CHROOTDESTDIR%% mkdir -p"


Re: support for DESTDIR: security/openssh-portable

2006-08-09 Thread John E Hein
Gábor Kövesdán wrote at 01:47 +0200 on Aug 10, 2006:
  Ah, you mean defining CHROOTDESTDIR only when DESTDIR is set and leaving 
  it empty when not? It sounds reasonable then. I'll work this out after 
  some hours of sleeping. :)

Yep... that's it.
