diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index 33a05ab1f4..3b24e7e3b8 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest @@ -1,4 +1,4 @@ -DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09 -DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1 -DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029 -DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc +DIST openssh-7.6_p1-sctp.patch.xz 6996 SHA256 ca61f0b015d2f7131620a2a4901800b70026755a52a7b882d437cd9813c2652d SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151 WHIRLPOOL 27125d4a7d45f0bc67f424598542cf97e123824bce7911732891531b6a0aa37b7598f636e1643a6114626c2ccc622a50928ffcdb4357c7dc3d9c3d8c161d9626 +DIST openssh-7.6p1+x509-11.0.diff.gz 440219 SHA256 bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a WHIRLPOOL 1b324f72a6cb0c895b3994d59f3505ff2a4a0529829cea07344a33a68ee4d43c22ba534a55454792618cd9f766cd40fa5af73cc054ee3a08bccdb6e8d0073b29 +DIST openssh-7.6p1.tar.gz 1489788 SHA256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 WHIRLPOOL 537b94555c7b36b2f7ef2ecd89e6671028f7cff9be758e631690ecd068510d59d6518077bf951e779e3c8a39706adb1682c6d5305edd6fc611ec19ce7953c751 +DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 SHA256 fd877cf084d4eb682c503b6e5f363b0564da2b50561367558a50ab239adf4017 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974 WHIRLPOOL 8410dc9dad24d8b3065ba85e7a7a66322b4d37eac0ef68e72143afa3aba2706e91c324798236b9d3e320e6903d27a7e426621bde92ded89ce26a16535e8c3d3c diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch deleted file mode 100644 index 393ea998ca..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch.orig 2015-08-24 11:17:05.379280954 -0700 -+++ openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch 2015-08-24 11:19:30.788424050 -0700 -@@ -80,7 +80,7 @@ - + else - + fatal("Pre-authentication none cipher requests are not allowed."); - + } -- debug("kex: %s %s %s %s", -+ debug("kex: %s cipher: %s MAC: %s compression: %s", - ctos ? "client->server" : "server->client", - newkeys->enc.name, - diff --git a/myproposal.h b/myproposal.h diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch deleted file mode 100644 index 29e94e4363..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,106 +0,0 @@ -http://bugs.gentoo.org/165444 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008 - ---- openssh-7.2p1/readconf.c -+++ openssh-7.2p1/readconf.c -@@ -148,6 +148,7 @@ - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -194,9 +195,11 @@ - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - #else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - { "fallbacktorsh", oDeprecated }, - { "usersh", oDeprecated }, -@@ -930,6 +933,10 @@ - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1649,6 +1656,7 @@ - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1779,6 +1787,8 @@ - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) ---- openssh-7.2p1/readconf.h -+++ openssh-7.2p1/readconf.h -@@ -46,6 +46,7 @@ - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ ---- openssh-7.2p1/ssh_config.5 -+++ openssh-7.2p1/ssh_config.5 -@@ -830,6 +830,16 @@ - Forward (delegate) credentials to the server. - The default is - .Dq no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 ---- openssh-7.2p1/sshconnect2.c -+++ openssh-7.2p1/sshconnect2.c -@@ -656,6 +656,12 @@ - static u_int mech = 0; - OM_uint32 min; - int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) -+ gss_host = get_canonical_hostname(1); -+ else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -668,7 +674,7 @@ - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { - ok = 1; /* Mechanism works */ - } else { - mech++; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch deleted file mode 100644 index 2884ee92ce..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch +++ /dev/null @@ -1,74 +0,0 @@ ---- openssh-7.2_p1-sctp.patch -+++ openssh-7.2_p1-sctp.patch -@@ -195,14 +195,6 @@ - .Op Fl c Ar cipher - .Op Fl F Ar ssh_config - .Op Fl i Ar identity_file --@@ -181,6 +181,7 @@ For full details of the options listed below, and their possible values, see -- .It ServerAliveCountMax -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It UpdateHostKeys -- .It UsePrivilegedPort -- .It User - @@ -222,6 +223,8 @@ and - to print debugging messages about their progress. - This is helpful in -@@ -477,19 +469,11 @@ - .Sh SYNOPSIS - .Nm ssh - .Bk -words ---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy --+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz -+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy -++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz - .Op Fl b Ar bind_address - .Op Fl c Ar cipher_spec - .Op Fl D Oo Ar bind_address : Oc Ns Ar port --@@ -536,6 +536,7 @@ For full details of the options listed below, and their possible values, see -- .It StreamLocalBindUnlink -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It Tunnel -- .It TunnelDevice -- .It UpdateHostKeys - @@ -770,6 +771,8 @@ controls. - .Pp - .It Fl y -@@ -501,7 +485,7 @@ - index f9ff91f..d0d92ce 100644 - --- a/ssh.c - +++ b/ssh.c --@@ -195,12 +195,17 @@ extern int muxserver_sock; -+@@ -195,11 +195,16 @@ extern int muxserver_sock; - extern u_int muxclient_command; - - /* Prints a help message to the user. This function never returns. */ -@@ -515,18 +499,17 @@ - usage(void) - { - fprintf(stderr, ---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" --+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" -+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" - " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" - " [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n" -- " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" - @@ -605,7 +610,7 @@ main(int ac, char **av) -- argv0 = av[0]; -+ # define ENGCONFIG "" -+ #endif - -- again: --- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" --+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT -- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" -++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT -+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { - switch (opt) { - case '1': - @@ -845,6 +850,11 @@ main(int ac, char **av) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch deleted file mode 100644 index 806b36d0ca..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,351 +0,0 @@ -http://bugs.gentoo.org/165444 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008 - ---- a/readconf.c -+++ b/readconf.c -@@ -148,6 +148,7 @@ - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -194,9 +195,11 @@ - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - #else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - { "fallbacktorsh", oDeprecated }, - { "usersh", oDeprecated }, -@@ -930,6 +933,10 @@ - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1649,6 +1656,7 @@ - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1779,6 +1787,8 @@ - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) ---- a/readconf.h -+++ b/readconf.h -@@ -46,6 +46,7 @@ - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -830,6 +830,16 @@ - Forward (delegate) credentials to the server. - The default is - .Dq no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -656,6 +656,13 @@ - static u_int mech = 0; - OM_uint32 min; - int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(active_state, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -668,7 +674,7 @@ - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { - ok = 1; /* Mechanism works */ - } else { - mech++; - -need to move these two funcs back to canohost so they're available to clients -and the server. auth.c is only used in the server. - ---- a/auth.c -+++ b/auth.c -@@ -784,117 +784,3 @@ fakepw(void) - - return (&fake); - } -- --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) < 0) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return strdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return strdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return strdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return strdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return strdup(ntop); -- } -- return strdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} ---- a/canohost.c -+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) < 0) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return strdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return strdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return strdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return strdup(ntop); -+ } -+ return strdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch deleted file mode 100644 index 784cd2aa7e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch +++ /dev/null @@ -1,29 +0,0 @@ -https://bugs.gentoo.org/595342 - -Backport of -https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737 - ---- openssh-7.3p1/kex.c -+++ openssh-7.3p1/kex.c -@@ -419,6 +419,8 @@ - ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); - if ((r = sshpkt_get_end(ssh)) != 0) - return r; -+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) -+ return r; - kex->done = 1; - sshbuf_reset(kex->peer); - /* sshbuf_reset(kex->my); */ ---- openssh-7.3p1/packet.c -+++ openssh-7.3p1/packet.c -@@ -1919,9 +1919,7 @@ - return r; - return SSH_ERR_PROTOCOL_ERROR; - } -- if (*typep == SSH2_MSG_NEWKEYS) -- r = ssh_set_newkeys(ssh, MODE_IN); -- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) -+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) - r = ssh_packet_enable_delayed_compress(ssh); - else - r = 0; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch deleted file mode 100644 index 8603601ca7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch +++ /dev/null @@ -1,32 +0,0 @@ -https://bugs.gentoo.org/597360 - -From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 -From: "markus@openbsd.org" -Date: Mon, 10 Oct 2016 19:28:48 +0000 -Subject: [PATCH] upstream commit - -Unregister the KEXINIT handler after message has been -received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause -allocation of up to 128MB -- until the connection is closed. Reported by -shilei-c at 360.cn - -Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 ---- - kex.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kex.c b/kex.c -index 3f97f8c00919..6a94bc535bd7 100644 ---- a/kex.c -+++ b/kex.c -@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) - if (kex == NULL) - return SSH_ERR_INVALID_ARGUMENT; - -+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); - ptr = sshpkt_ptr(ssh, &dlen); - if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) - return r; --- -2.11.0.rc2 - diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch deleted file mode 100644 index 7fb0d8069b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch +++ /dev/null @@ -1,34 +0,0 @@ -https://bugs.gentoo.org/592122 - -From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001 -From: "dtucker@openbsd.org" -Date: Wed, 3 Aug 2016 04:23:55 +0000 -Subject: [PATCH] upstream commit - -Fix bug introduced in rev 1.467 which causes -"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1 -and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol -2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de, -ok deraadt@ - -Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc ---- - sshd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/sshd.c b/sshd.c -index 799c7711f49c..9fc829a91bc8 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); - } else - #endif -- if ((r = sshbuf_put_u32(m, 1)) != 0) -+ if ((r = sshbuf_put_u32(m, 0)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); - - #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) --- -2.11.0.rc2 - diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch deleted file mode 100644 index 0602307128..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch +++ /dev/null @@ -1,39 +0,0 @@ ---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch -+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch -@@ -1155,7 +1155,7 @@ - @@ -44,7 +44,7 @@ - LD=@LD@ - CFLAGS=@CFLAGS@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ ---- a/0004-support-dynamically-sized-receive-buffers.patch -+++ b/0004-support-dynamically-sized-receive-buffers.patch -@@ -2144,9 +2144,9 @@ - @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1) - /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", -+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); -++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); - } else { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", - - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); -@@ -2163,9 +2163,9 @@ - @@ -432,7 +432,7 @@ - } - -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", --- major, minor, SSH_VERSION, --+ major, minor, SSH_RELEASE, -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", -+- major, minor, SSH_VERSION, comment, -++ major, minor, SSH_RELEASE, comment, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); - diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch deleted file mode 100644 index 9cc7b61a6a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch +++ /dev/null @@ -1,245 +0,0 @@ -diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c -index fdc9b2f..300cd90 100644 ---- a/cipher-ctr-mt.c -+++ b/cipher-ctr-mt.c -@@ -127,7 +127,7 @@ struct kq { - u_char keys[KQLEN][AES_BLOCK_SIZE]; - u_char ctr[AES_BLOCK_SIZE]; - u_char pad0[CACHELINE_LEN]; -- volatile int qstate; -+ int qstate; - pthread_mutex_t lock; - pthread_cond_t cond; - u_char pad1[CACHELINE_LEN]; -@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx - STATS_STRUCT(stats); - u_char aes_counter[AES_BLOCK_SIZE]; - pthread_t tid[CIPHER_THREADS]; -+ pthread_rwlock_t tid_lock; -+#ifdef __APPLE__ -+ pthread_rwlock_t stop_lock; -+ int exit_flag; -+#endif /* __APPLE__ */ - int state; - int qidx; - int ridx; -@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x) - pthread_mutex_unlock((pthread_mutex_t *)x); - } - -+#ifdef __APPLE__ -+/* Check if we should exit, we are doing both cancel and exit condition -+ * since on OSX threads seem to occasionally fail to notice when they have -+ * been cancelled. We want to have a backup to make sure that we won't hang -+ * when the main process join()-s the cancelled thread. -+ */ -+static void -+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c) -+{ -+ int exit_flag; -+ -+ pthread_rwlock_rdlock(&c->stop_lock); -+ exit_flag = c->exit_flag; -+ pthread_rwlock_unlock(&c->stop_lock); -+ -+ if (exit_flag) -+ pthread_exit(NULL); -+} -+#else -+# define thread_loop_check_exit(s) -+#endif /* __APPLE__ */ -+ -+/* -+ * Helper function to terminate the helper threads -+ */ -+static void -+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c) -+{ -+ int i; -+ -+#ifdef __APPLE__ -+ /* notify threads that they should exit */ -+ pthread_rwlock_wrlock(&c->stop_lock); -+ c->exit_flag = TRUE; -+ pthread_rwlock_unlock(&c->stop_lock); -+#endif /* __APPLE__ */ -+ -+ /* Cancel pregen threads */ -+ for (i = 0; i < CIPHER_THREADS; i++) { -+ pthread_cancel(c->tid[i]); -+ } -+ for (i = 0; i < NUMKQ; i++) { -+ pthread_mutex_lock(&c->q[i].lock); -+ pthread_cond_broadcast(&c->q[i].cond); -+ pthread_mutex_unlock(&c->q[i].lock); -+ } -+ for (i = 0; i < CIPHER_THREADS; i++) { -+ pthread_join(c->tid[i], NULL); -+ } -+} -+ - /* - * The life of a pregen thread: - * Find empty keystream queues and fill them using their counter. -@@ -201,6 +257,7 @@ thread_loop(void *x) - struct kq *q; - int i; - int qidx; -+ pthread_t first_tid; - - /* Threads stats on cancellation */ - STATS_INIT(stats); -@@ -211,11 +268,15 @@ thread_loop(void *x) - /* Thread local copy of AES key */ - memcpy(&key, &c->aes_ctx, sizeof(key)); - -+ pthread_rwlock_rdlock(&c->tid_lock); -+ first_tid = c->tid[0]; -+ pthread_rwlock_unlock(&c->tid_lock); -+ - /* - * Handle the special case of startup, one thread must fill - * the first KQ then mark it as draining. Lock held throughout. - */ -- if (pthread_equal(pthread_self(), c->tid[0])) { -+ if (pthread_equal(pthread_self(), first_tid)) { - q = &c->q[0]; - pthread_mutex_lock(&q->lock); - if (q->qstate == KQINIT) { -@@ -245,12 +306,16 @@ thread_loop(void *x) - /* Check if I was cancelled, also checked in cond_wait */ - pthread_testcancel(); - -+ /* Check if we should exit as well */ -+ thread_loop_check_exit(c); -+ - /* Lock queue and block if its draining */ - q = &c->q[qidx]; - pthread_mutex_lock(&q->lock); - pthread_cleanup_push(thread_loop_cleanup, &q->lock); - while (q->qstate == KQDRAINING || q->qstate == KQINIT) { - STATS_WAIT(stats); -+ thread_loop_check_exit(c); - pthread_cond_wait(&q->cond, &q->lock); - } - pthread_cleanup_pop(0); -@@ -268,6 +333,7 @@ thread_loop(void *x) - * can see that it's being filled. - */ - q->qstate = KQFILLING; -+ pthread_cond_broadcast(&q->cond); - pthread_mutex_unlock(&q->lock); - for (i = 0; i < KQLEN; i++) { - AES_encrypt(q->ctr, q->keys[i], &key); -@@ -279,7 +345,7 @@ thread_loop(void *x) - ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); - q->qstate = KQFULL; - STATS_FILL(stats); -- pthread_cond_signal(&q->cond); -+ pthread_cond_broadcast(&q->cond); - pthread_mutex_unlock(&q->lock); - } - -@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, - pthread_cond_wait(&q->cond, &q->lock); - } - q->qstate = KQDRAINING; -+ pthread_cond_broadcast(&q->cond); - pthread_mutex_unlock(&q->lock); - - /* Mark consumed queue empty and signal producers */ -@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, - - if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { - c = xmalloc(sizeof(*c)); -+ pthread_rwlock_init(&c->tid_lock, NULL); -+#ifdef __APPLE__ -+ pthread_rwlock_init(&c->stop_lock, NULL); -+ c->exit_flag = FALSE; -+#endif /* __APPLE__ */ - - c->state = HAVE_NONE; - for (i = 0; i < NUMKQ; i++) { -@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, - } - - if (c->state == (HAVE_KEY | HAVE_IV)) { -- /* Cancel pregen threads */ -- for (i = 0; i < CIPHER_THREADS; i++) -- pthread_cancel(c->tid[i]); -- for (i = 0; i < CIPHER_THREADS; i++) -- pthread_join(c->tid[i], NULL); -+ /* tell the pregen threads to exit */ -+ stop_and_join_pregen_threads(c); -+ -+#ifdef __APPLE__ -+ /* reset the exit flag */ -+ c->exit_flag = FALSE; -+#endif /* __APPLE__ */ -+ - /* Start over getting key & iv */ - c->state = HAVE_NONE; - } -@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, - /* Start threads */ - for (i = 0; i < CIPHER_THREADS; i++) { - debug("spawned a thread"); -+ pthread_rwlock_wrlock(&c->tid_lock); - pthread_create(&c->tid[i], NULL, thread_loop, c); -+ pthread_rwlock_unlock(&c->tid_lock); - } - pthread_mutex_lock(&c->q[0].lock); -- while (c->q[0].qstate != KQDRAINING) -+ while (c->q[0].qstate == KQINIT) - pthread_cond_wait(&c->q[0].cond, &c->q[0].lock); - pthread_mutex_unlock(&c->q[0].lock); - } -@@ -461,15 +538,10 @@ void - ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx) - { - struct ssh_aes_ctr_ctx *c; -- int i; -+ - c = EVP_CIPHER_CTX_get_app_data(ctx); -- /* destroy threads */ -- for (i = 0; i < CIPHER_THREADS; i++) { -- pthread_cancel(c->tid[i]); -- } -- for (i = 0; i < CIPHER_THREADS; i++) { -- pthread_join(c->tid[i], NULL); -- } -+ -+ stop_and_join_pregen_threads(c); - } - - void -@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx) - /* reconstruct threads */ - for (i = 0; i < CIPHER_THREADS; i++) { - debug("spawned a thread"); -+ pthread_rwlock_wrlock(&c->tid_lock); - pthread_create(&c->tid[i], NULL, thread_loop, c); -+ pthread_rwlock_unlock(&c->tid_lock); - } - } - -@@ -489,18 +563,13 @@ static int - ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) - { - struct ssh_aes_ctr_ctx *c; -- int i; - - if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { - #ifdef CIPHER_THREAD_STATS - debug("main thread: %u drains, %u waits", c->stats.drains, - c->stats.waits); - #endif -- /* Cancel pregen threads */ -- for (i = 0; i < CIPHER_THREADS; i++) -- pthread_cancel(c->tid[i]); -- for (i = 0; i < CIPHER_THREADS; i++) -- pthread_join(c->tid[i], NULL); -+ stop_and_join_pregen_threads(c); - - memset(c, 0, sizeof(*c)); - free(c); diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch deleted file mode 100644 index f077c0517f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch +++ /dev/null @@ -1,41 +0,0 @@ ---- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700 -+++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700 -@@ -1155,7 +1155,7 @@ - @@ -44,7 +44,7 @@ - LD=@LD@ - CFLAGS=@CFLAGS@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -2144,12 +2144,12 @@ - /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL && !privileged) - return sock; --@@ -527,10 +555,10 @@ -+@@ -555,10 +583,10 @@ - /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", -+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); -++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); - } else { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", - - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); -@@ -2163,9 +2163,9 @@ - @@ -432,7 +432,7 @@ - } - -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", --- major, minor, SSH_VERSION, --+ major, minor, SSH_RELEASE, -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", -+- major, minor, SSH_VERSION, comment, -++ major, minor, SSH_RELEASE, comment, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); - diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch deleted file mode 100644 index d458e9efd7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch +++ /dev/null @@ -1,33 +0,0 @@ ---- a/openssh-7.3_p1-hpn-14.10.patch 12:11:41.120750207 -0700 -+++ b/openssh-7.3_p1-hpn-14.10.patch 14:00:44.311487904 -0700 -@@ -141,7 +141,7 @@ - @@ -44,7 +44,7 @@ CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -2098,7 +2098,7 @@ - @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1) - /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n", - - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); - + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); - } else { -@@ -2196,9 +2196,9 @@ - @@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out) - } - -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", --- major, minor, SSH_VERSION, --+ major, minor, SSH_RELEASE, -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", -+- major, minor, SSH_VERSION, comment, -++ major, minor, SSH_RELEASE, comment, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); - diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch deleted file mode 100644 index 2def6993e6..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch +++ /dev/null @@ -1,67 +0,0 @@ ---- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700 -+++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700 -@@ -226,14 +226,6 @@ - .Op Fl c Ar cipher - .Op Fl F Ar ssh_config - .Op Fl i Ar identity_file --@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see -- .It ServerAliveCountMax -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It UpdateHostKeys -- .It UsePrivilegedPort -- .It User - @@ -224,6 +225,8 @@ and - to print debugging messages about their progress. - This is helpful in -@@ -493,19 +485,11 @@ - .Sh SYNOPSIS - .Nm ssh - .Bk -words ---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy --+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz -+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy -++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz - .Op Fl b Ar bind_address - .Op Fl c Ar cipher_spec - .Op Fl D Oo Ar bind_address : Oc Ns Ar port --@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see -- .It StreamLocalBindUnlink -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It Tunnel -- .It TunnelDevice -- .It UpdateHostKeys - @@ -795,6 +796,8 @@ controls. - .Pp - .It Fl y -@@ -533,18 +517,18 @@ - usage(void) - { - fprintf(stderr, ---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" --+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" -+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" - " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" -- " [-F configfile] [-I pkcs11] [-i identity_file]\n" -- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" -+ " [-F configfile]\n" -+ #ifdef USE_OPENSSL_ENGINE - @@ -608,7 +613,7 @@ main(int ac, char **av) -- argv0 = av[0]; -+ # define ENGCONFIG "" -+ #endif - -- again: --- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" --+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT -- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" -++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT -+ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { - switch (opt) { - case '1': - @@ -857,6 +862,11 @@ main(int ac, char **av) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch deleted file mode 100644 index 528dc6f22a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch +++ /dev/null @@ -1,109 +0,0 @@ -diff --git a/kex.c b/kex.c -index 143227a..c9b84c2 100644 ---- a/kex.c -+++ b/kex.c -@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh) - static int - kex_send_ext_info(struct ssh *ssh) - { -+#ifdef EXPERIMENTAL_RSA_SHA2_256 - int r; - --#ifdef EXPERIMENTAL_RSA_SHA2_256 - /* IMPORTANT NOTE: - * Do not offer rsa-sha2-* until is resolved misconfiguration issue - * with allowed public key algorithms! -diff --git a/key-eng.c b/key-eng.c -index 9bc50fd..bc0d03d 100644 ---- a/key-eng.c -+++ b/key-eng.c -@@ -786,7 +786,6 @@ ssh_engines_shutdown() { - while (buffer_len(&eng_list) > 0) { - u_int k = 0; - char *s; -- ENGINE *e; - - s = buffer_get_cstring_ret(&eng_list, &k); - ssh_engine_reset(s); -diff --git a/monitor.c b/monitor.c -index 345d3df..0de30ad 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m) - (r = sshbuf_get_string(m, &p, &datlen)) != 0 || - (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); -- if (keyid > INT_MAX) -+ if (keyid32 > INT_MAX) - fatal("%s: invalid key ID", __func__); - - keyid = keyid32; /*save cast*/ -diff --git a/readconf.c b/readconf.c -index beb38a0..1cbda7e 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -1459,7 +1459,9 @@ parse_int: - - case oHostKeyAlgorithms: - charptr = &options->hostkeyalgorithms; -+# if 0 - parse_keytypes: -+# endif - arg = strdelim(&s); - if (!arg || *arg == '\0') - fatal("%.200s line %d: Missing argument.", -diff --git a/servconf.c b/servconf.c -index a540138..e77a344 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -1574,7 +1573,9 @@ parse_string: - - case sHostKeyAlgorithms: - charptr = &options->hostkeyalgorithms; -+# if 0 - parse_keytypes: -+#endif - arg = strdelim(&cp); - if (!arg || *arg == '\0') - fatal("%s line %d: Missing argument.", -diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c -index 50f04b7..3f9a7bf 100644 ---- a/ssh-pkcs11.c -+++ b/ssh-pkcs11.c -@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa) - } - - #ifdef OPENSSL_HAS_ECC -+#ifdef HAVE_EC_KEY_METHOD_NEW - /* openssl callback for freeing an EC key */ - static void - pkcs11_ec_finish(EC_KEY *ec) - { - struct pkcs11_key *k11; - --#ifdef HAVE_EC_KEY_METHOD_NEW - k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); - EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); --#else -- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); -- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); --#endif - pkcs11_key_free(k11); - } -+#endif /*def HAVE_EC_KEY_METHOD_NEW*/ - #endif /*def OPENSSL_HAS_ECC*/ - - -diff --git a/sshconnect.c b/sshconnect.c -index fd2a70e..0960be1 100644 ---- a/sshconnect.c -+++ b/sshconnect.c -@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1) - { - /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n", -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); - } else { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch deleted file mode 100644 index 3e02b6f8cc..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch +++ /dev/null @@ -1,29 +0,0 @@ -https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html - -From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger -Date: Mon, 19 Dec 2016 15:59:00 -0500 -Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test - -The test command uses = for string compares, not ==. Using some POSIX -shells will reject this statement with an error about an unknown operator. ---- - regress/allow-deny-users.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh -index 32a269afa97c..86805e19322b 100644 ---- a/regress/allow-deny-users.sh -+++ b/regress/allow-deny-users.sh -@@ -4,7 +4,7 @@ - tid="AllowUsers/DenyUsers" - - me="$LOGNAME" --if [ "x$me" == "x" ]; then -+if [ "x$me" = "x" ]; then - me=`whoami` - fi - other="nobody" --- -2.11.0.rc2 - diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch index ec2a6d8949..6b1e6dd35a 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch @@ -16,13 +16,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008 { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, + { "gssapitrustdns", oGssTrustDns }, - #else + # else { "gssapiauthentication", oUnsupported }, { "gssapidelegatecredentials", oUnsupported }, + { "gssapitrustdns", oUnsupported }, #endif - { "fallbacktorsh", oDeprecated }, - { "usersh", oDeprecated }, + #ifdef ENABLE_PKCS11 + { "smartcarddevice", oPKCS11Provider }, @@ -930,6 +933,10 @@ intptr = &options->gss_deleg_creds; goto parse_flag; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch new file mode 100644 index 0000000000..d55656aae9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch @@ -0,0 +1,50 @@ +--- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:02:11.850912525 -0700 ++++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:35:06.223424844 -0700 +@@ -907,9 +907,9 @@ + @@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1) + { + /* Send our own protocol version identification. */ +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION); + if (atomicio(vwrite, connection_out, client_version_string, + strlen(client_version_string)) != strlen(client_version_string)) + fatal("write: %.100s", strerror(errno)); +@@ -918,11 +918,11 @@ + --- a/sshd.c + +++ b/sshd.c + @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) +- char remote_version[256]; /* Must be at least as big as buf. */ ++ } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment, +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum); + +@@ -982,13 +982,14 @@ + index e093f623..83f0932d 100644 + --- a/version.h + +++ b/version.h +-@@ -3,4 +3,5 @@ ++@@ -3,3 +3,6 @@ + #define SSH_VERSION "OpenSSH_7.6" + +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" +++#define SSH_PORTABLE "p1" + +#define SSH_HPN "-hpn14v12" +++#define SSH_X509 "-PKIXSSH-11.0" +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +++#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN + -- + 2.14.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-warnings.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-warnings.patch new file mode 100644 index 0000000000..5843dd162c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-warnings.patch @@ -0,0 +1,12 @@ +diff --git a/openbsd-compat/freezero.c b/openbsd-compat/freezero.c +index 3af8f4a7..7f6bc7fa 100644 +--- a/openbsd-compat/freezero.c ++++ b/openbsd-compat/freezero.c +@@ -14,6 +14,7 @@ + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + ++#include + #include "includes.h" + + #ifndef HAVE_FREEZERO diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch new file mode 100644 index 0000000000..b84ee64e4f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch @@ -0,0 +1,11 @@ +--- a/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:28.334140140 -0800 ++++ b/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:55.338223563 -0800 +@@ -54732,7 +54732,7 @@ + +int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations); + + + +typedef char SSHXSTOREPATH; +-+#if OPENSSL_VERSION_NUMBER < 0x10100000L +++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + +DECLARE_STACK_OF(SSHXSTOREPATH) + +# define sk_SSHXSTOREPATH_new_null() SKM_sk_new_null(SSHXSTOREPATH) + +# define sk_SSHXSTOREPATH_num(st) SKM_sk_num(SSHXSTOREPATH, (st)) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd new file mode 100644 index 0000000000..28952b4a28 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.rc6.4 b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.rc6.4 new file mode 100644 index 0000000000..5e30142036 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.rc6.4 @@ -0,0 +1,84 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=/usr/sbin/sshd} + +depend() { + use logger dns + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ssh-keygen -A || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket index d19f34be86..94b9533180 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket @@ -5,7 +5,6 @@ Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes -TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.6_p1-r1.ebuild similarity index 76% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.6_p1-r1.ebuild index 3d15e17c8d..8bf5847656 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.6_p1-r1.ebuild @@ -1,56 +1,58 @@ # Copyright 1999-2017 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -EAPI="5" +EAPI=6 -inherit eutils user flag-o-matic multilib autotools pam systemd versionator +inherit user flag-o-matic multilib autotools pam systemd versionator # Make it more portable between straight releases # and _p? releases. PARCH=${P/_} -#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz" -SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz" -LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz" -X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" +#HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz" +SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz" +X509_VER="11.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="http://www.openssh.org/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}} ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )} ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} " LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" +IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509" REQUIRED_USE="ldns? ( ssl ) pie? ( !static ) - ssh1? ( ssl ) static? ( !kerberos !pam ) - X509? ( !hpn !ldap !sctp ssl ) + X509? ( !ldap !sctp ssl ) test? ( ssl )" LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) ldns? ( - net-libs/ldns[ecdsa,ssl,static-libs(+)] + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) ) - libedit? ( dev-libs/libedit[static-libs(+)] ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) ssl? ( !libressl? ( - >=dev-libs/openssl-0.9.8f:0[-bindist(-)] - dev-libs/openssl:0[static-libs(+)] + >=dev-libs/openssl-1.0.1:0=[bindist=] + dev-libs/openssl:0=[static-libs(+)] ) - libressl? ( dev-libs/libressl[static-libs(+)] ) + libressl? ( dev-libs/libressl:0=[static-libs(+)] ) ) - >=sys-libs/zlib-1.2.3[static-libs(+)]" + >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) pam? ( virtual/pam ) @@ -66,7 +68,7 @@ RDEPEND="${RDEPEND} userland_GNU? ( virtual/shadow ) X? ( x11-apps/xauth )" -S=${WORKDIR}/${PARCH} +S="${WORKDIR}/${PARCH}" pkg_pretend() { # this sucks, but i'd rather have people unable to `emerge -u openssh` @@ -107,30 +109,35 @@ src_prepare() { # this file. cp version.h version.h.pristine + eapply "${FILESDIR}/${P}-warnings.patch" + # don't break .ssh/authorized_keys2 for fun sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die if use X509 ; then - epatch "${WORKDIR}"/${X509_PATCH%.*} - # We no longer allow X509 to be used with anything else. - #save_version X509 + if use hpn ; then + pushd "${WORKDIR}" >/dev/null + eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch + eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch + popd >/dev/null + fi + save_version X509 + eapply "${WORKDIR}"/${X509_PATCH%.*} fi if use ldap ; then - epatch "${WORKDIR}"/${LDAP_PATCH%.*} + eapply "${WORKDIR}"/${LDAP_PATCH%.*} save_version LPK fi - epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*} - epatch "${FILESDIR}"/${P}-test-bashism.patch - use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*} + use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch if use hpn ; then - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ - EPATCH_MULTI_MSG="Applying HPN patchset ..." \ - epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + elog "Applying HPN patchset ..." + eapply "${WORKDIR}"/${HPN_PATCH%.*.*} save_version HPN fi @@ -153,14 +160,14 @@ src_prepare() { ) sed -i "${sed_args[@]}" configure{.ac,} || die - epatch_user #473004 + eapply_user #473004 # Now we can build a sane merged version.h ( sed '/^#define SSH_RELEASE/d' version.h.* | sort -u macros=() - for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}" ) > version.h eautoreconf @@ -181,6 +188,7 @@ src_configure() { --datadir="${EPREFIX}"/usr/share/openssh --with-privsep-path="${EPREFIX}"/var/empty --with-privsep-user=sshd + $(use_with audit audit linux) $(use_with kerberos kerberos5 "${EPREFIX}"/usr) # We apply the ldap patch conditionally, so can't pass --without-ldap # unconditionally else we get unknown flag warnings. @@ -192,7 +200,6 @@ src_configure() { $(use X509 || use_with sctp) $(use_with selinux) $(use_with skey) - $(use_with ssh1) $(use_with ssl openssl) $(use_with ssl md5-passwords) $(use_with ssl ssl-engine) @@ -208,7 +215,8 @@ src_install() { emake install-nokeys DESTDIR="${D}" fperms 600 /etc/ssh/sshd_config dobin contrib/ssh-copy-id - keepdir /var/empty + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd newpamd "${FILESDIR}"/sshd.pam_include.2 sshd if use pam ; then @@ -294,9 +302,6 @@ pkg_postinst() { elog "algorithm (ECDSA). You are encouraged to manually update your stored" elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." fi - if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then - elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." - fi if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." elog "Make sure to update any configs that you might have. Note that xinetd might" @@ -313,9 +318,19 @@ pkg_postinst() { elog "to 'prohibit-password'. That means password auth for root users no longer works" elog "out of the box. If you need this, please update your sshd_config explicitly." fi + if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then elog "Be aware that by disabling openssl support in openssh, the server and clients" elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" elog "and update all clients/servers that utilize them." fi + + # remove this if aes-ctr-mt gets fixed + if use hpn; then + elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch" + elog "set since it does not (yet) work with >=openssh-7.6p1." + fi }