Re: security/openssh-portable: how to best test GSSAPI?
On Thu, Jul 18, 2019 at 5:34 PM Rick Miller wrote:
> Hi,
>
> security/openssh-portable was recently updated to 8.0p1 and breaks GSSAPI.
> I'd like to test the Debian GSSAPI patch for 8.0p1[1] submitting the result
> to the openssh-portable maintainer. Poudriere already sets the appropriate
> options for KERB_GSSAPI here so the intent is to leverage Poudriere. For
> example, create a new poudriere ports tree (poudriere ports -c), update
> security/openssh-portable/Makefile in that ports tree (patch below),
> subsequently run `make makesum` to update distinfo, then build the tree
> (poudriere bulk -f).
>
> I get to the point of running `make makesum` and distinfo is not updated
> with the GSSAPI patch's patchfile's info (similar to the current distinfo)
> and no error is printed. `make fetch` will retrieve openssh-portable
> sources if they're not already present, but not the GSSAPI patchfile. Can
> the patch be tested in place like this or am I going about this completely
> wrong?

Defining OPTIONS_DEFAULT in the environment for make makesum got around this behavior.

--
Take care
Rick Miller
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
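The gap this thread describes, a PATCHFILES entry with no SHA256/SIZE record in distinfo, can be detected before a build. The following shell script is an added example, not part of the original message or the ports framework; the function names are hypothetical, and the sample distinfo lines are the 7.7p1 records quoted elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the ports tree): find PATCHFILES entries that have
# no distinfo record, and verify a fetched file against its record.

# distinfo_field DISTINFO KEY FILE -> recorded value of "KEY (FILE) = value"
distinfo_field() {
    awk -v key="$2" -v file="$3" '
        $1 == key && $2 == ("(" file ")") && $3 == "=" { print $4; exit }
    ' "$1"
}

# distinfo_missing DISTINFO ENTRY... -> prints every entry that lacks a SHA256
# or SIZE record; returns 1 if any entry is missing.
distinfo_missing() {
    di=$1; shift
    rc=0
    for f in "$@"; do
        f=${f%%:*}    # drop PATCHFILES modifiers such as ":-p1:gsskex"
        if [ -z "$(distinfo_field "$di" SHA256 "$f")" ] ||
           [ -z "$(distinfo_field "$di" SIZE "$f")" ]; then
            echo "$f"
            rc=1
        fi
    done
    return "$rc"
}

# sha256_of FILE -> hex digest (FreeBSD sha256(1), else coreutils sha256sum)
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum < "$1" | awk '{ print $1 }'
    fi
}

# distinfo_verify DISTINFO PATH -> 0 match, 1 mismatch, 2 no record, 3 no file
distinfo_verify() {
    name=${2##*/}
    want_sum=$(distinfo_field "$1" SHA256 "$name")
    want_size=$(distinfo_field "$1" SIZE "$name")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then return 2; fi
    [ -f "$2" ] || return 3
    have_size=$(wc -c < "$2" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || return 1
    [ "$(sha256_of "$2")" = "$want_sum" ] || return 1
    return 0
}

# Demo: the distinfo from the 7.7p1 diff on this page has no gssapi.patch
# record, so the entry is reported before any fetch or build is attempted.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/distinfo" <<'EOF'
TIMESTAMP = 1524506053
SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
SIZE (openssh-7.7p1.tar.gz) = 1536900
EOF
    echo "entries without a distinfo record:"
    distinfo_missing "$tmp/distinfo" \
        openssh-7.7p1.tar.gz gssapi.patch:-p1:gsskex || true
    rm -rf "$tmp"
}
demo
```

distinfo_verify is the check to run on a fetched patch before trusting it: a record that is absent (status 2) is treated differently from a record that does not match (status 1).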
security/openssh-portable: how to best test GSSAPI?
Hi, security/openssh-portable was recently updated to 8.0p1 and breaks GSSAPI. I'd like to test the Debian GSSAPI patch for 8.0p1[1] submitting the result to the openssh-portable maintainer. Poudriere already sets the appropriate options for KERB_GSSAPI here so the intent is to leverage Poudriere. For example, create a new poudriere ports tree (poudriere ports -c), update security/openssh-portable/Makefile in that ports tree (patch below), subsequently run `make makesum` to update distinfo, then build the tree (poudriere bulk -f). I get to the point of running `make makesum` and distinfo is not updated with the GSSAPI patch's patchfile's info (similar to the current distinfo) and no error is printed. `make fetch` will retrieve openssh-portable sources if they're not already present, but not the GSSAPI patchfile. Can the patch be tested in place like this or am I going about this completely wrong? Does the file need to be --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -101,7 +101,8 @@ ETCDIR?=${PREFIX}/etc/ssh .include -PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex +PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn \ + https://sources.debian.org/data/main/o/openssh/1:8.0p1-3/debian/patches/:gsskex # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} 
@@ -120,7 +121,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+=${FILESDIR}/extra-patch-hpn-gss-glue . endif -PATCHFILES+= openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex +PATCHFILES+= gssapi.patch:-p1:gsskex .endif [1] https://sources.debian.org/data/main/o/openssh/1:8.0p1-3/debian/patches/gssapi.patch -- Take care Rick Miller ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
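Review bot: In the second hunk, `PATCHFILES+= gssapi.patch:-p1:gsskex` replaces a file name that carried the OpenSSH version and patch date with a bare gssapi.patch, so the file stored in the distfiles directory no longer says which release of the Debian patch it is, and a copy fetched for a different version would sit under the same name and then fail its checksum. Suggest keeping a versioned file name (or a DIST_SUBDIR) for it. The patch as posted also touches only the Makefile; the distinfo change with the SHA256 and SIZE lines for the new file should be part of the same submission.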
Re: security/openssh-portable and KERB_GSSAPI
On Tue, Apr 24, 2018 at 11:55 AM Kurt Jaeger wrote:
> Hello,
>
> > > Thanks in advance for taking a look at this.
>
> Can you please upload it to bugs.freebsd.org and post the PR number
> here ? The re-formatted patch is very difficult to read.

Indeed, it is. Please disregard. It was determined that HPN was mistakenly enabled and disabling it resolves the problem.

--
Take care
Rick Miller
Re: security/openssh-portable and KERB_GSSAPI
Hello,

> > Thanks in advance for taking a look at this.

Can you please upload it to bugs.freebsd.org and post the PR number here ? The re-formatted patch is very difficult to read.

--
p...@opsec.eu +49 171 3101372 2 years to go !
Re: security/openssh-portable and KERB_GSSAPI
On Tue, Apr 24, 2018 at 7:46 AM Rick Miller wrote: > Hi, > > Thanks in advance for taking a look at this. > > I need help understanding how to test a port patch and submit it to the > port maintainer. Port in question is security/openssh-portable, for which > KERB_GSSAPI is broken. Upstream has a patch, but Poudriere is failing in > the fetch phase after my updates. > > security/openssh-portable/Makefile is updated according to the patch below > in order to test, but Poudriere fails citing the error below. > > root@server # svn diff > > Index: security/openssh-portable/Makefile > > ======= > > --- security/openssh-portable/Makefile (revision 460698) > > +++ security/openssh-portable/Makefile (working copy) > > @@ -2,8 +2,8 @@ > > # $FreeBSD$ > > PORTNAME=openssh > > -DISTVERSION= 7.6p1 > > -PORTREVISION= 3 > > +DISTVERSION= 7.7p1 > > +PORTREVISION=4 > > PORTEPOCH= 1 > > CATEGORIES= security ipv6 > > MASTER_SITES= OPENBSD/OpenSSH/portable > > @@ -89,7 +89,9 @@ > > .include > > -PATCH_SITES+= > http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex > > +#PATCH_SITES+= > http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex \ > > +PATCH_SITES+= > http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn \ > > + > http://sources.debian.net/data/main/o/openssh/1:7.7p1-2/debian/patches/:gsskex > > # X509 patch includes TCP Wrapper support already > > .if ${PORT_OPTIONS:MX509} > > @@ -98,7 +100,6 @@ > > # Must add this patch before HPN due to conflicts > > .if ${PORT_OPTIONS:MKERB_GSSAPI} > > -BROKEN= No patch for 7.6 yet. > > # Patch from: > > # > http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch > > # which was originally based on 5.7 patch from 
> > @@ -108,12 +109,13 @@ > > # Needed glue for applying HPN patch without conflict > > EXTRA_PATCHES+=${FILESDIR}/extra-patch-hpn-gss-glue > > . endif > > -PATCHFILES+= > openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex > > +#PATCHFILES+= > openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex > > +PATCHFILES+= gssapi.patch:-p1:gsskex > > .endif > > # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh > https://github.com/rapier1/openssh-portable > > .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} > > -BROKEN= Not yet updated for > 7.6+ and disabled in base > > +#BROKEN= Not yet updated for 7.6+ > and disabled in base > > PORTDOCS+= HPN-README > > HPN_VERSION= 14v5 > > HPN_DISTVERSION= 6.7p1 > > Index: security/openssh-portable/distinfo > > === > > --- security/openssh-portable/distinfo(revision 460698) > > +++ security/openssh-portable/distinfo (working copy) 
> > @@ -1,7 +1,3 @@ > > -TIMESTAMP = 1507833573 > > -SHA256 (openssh-7.6p1.tar.gz) = > a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 > > -SIZE (openssh-7.6p1.tar.gz) = 1489788 > > -SHA256 (openssh-7.2_p1-sctp.patch.gz) = > fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc > > -SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501 > > -SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = > bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e > > -SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219 > > +TIMESTAMP = 1524506053 > > +SHA256 (openssh-7.7p1.tar.gz) = > d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f > > +SIZE (openssh-7.7p1.tar.gz) = 1536900 > > > > Poudrière fails to build the port citing: > > > > === > > => gssapi.patch is not in /usr/ports/security/openssh-portable/distinfo. > > => Either /usr/ports/security/openssh-portable/distinfo is out of date, or > > => gssapi.patch is spelled incorrectly. > > *** Error code 1 > > > > Stop. > > make: stopped in /usr/ports/security/openssh-portable > > Surely this is something I’m not doing right. Just need help > understanding. Do you have feedback? > Apparently, the mail client munged the patches. Disregard the formatting created by the client; Most notably the extra, undesirable line breaks and the ‘3D’s. -- Take care Rick Miller ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
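Review bot: In the PATCH_SITES hunk (@@ -89,7 +89,9 @@), the commented-out line `#PATCH_SITES+= ...,gsskex \` still ends in a backslash, and a make comment runs to the end of an unescaped newline, so the continuation pulls the new `PATCH_SITES+=` line and the sources.debian.net line into the comment and no patch site is defined at all after this change. Delete the old line rather than commenting it out. The same goes for the `#PATCHFILES+=` and `#BROKEN=` lines further down, which are better removed than left behind in a patch meant for the maintainer.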
security/openssh-portable and KERB_GSSAPI
Hi, Thanks in advance for taking a look at this. I need help understanding how to test a port patch and submit it to the port maintainer. Port in question is security/openssh-portable, for which KERB_GSSAPI is broken. Upstream has a patch, but Poudriere is failing in the fetch phase after my updates. security/openssh-portable/Makefile is updated according to the patch below in order to test, but Poudriere fails citing the error below. root@server # svn diff Index: security/openssh-portable/Makefile === --- security/openssh-portable/Makefile (revision 460698) +++ security/openssh-portable/Makefile (working copy) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME=openssh -DISTVERSION= 7.6p1 -PORTREVISION= 3 +DISTVERSION= 7.7p1 +PORTREVISION=4 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -89,7 +89,9 @@ .include -PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex +#PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex \ +PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn \ + http://sources.debian.net/data/main/o/openssh/1:7.7p1-2/debian/patches/:gsskex # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} @@ -98,7 +100,6 @@ # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} -BROKEN= No patch for 7.6 yet. # Patch from: # http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch # which was originally based on 5.7 patch from 
@@ -108,12 +109,13 @@ # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+=${FILESDIR}/extra-patch-hpn-gss-glue . endif -PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex +#PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:gsskex +PATCHFILES+= gssapi.patch:-p1:gsskex .endif # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} -BROKEN= Not yet updated for 7.6+ and disabled in base +#BROKEN= Not yet updated for 7.6+ and disabled in base PORTDOCS+= HPN-README HPN_VERSION= 14v5 HPN_DISTVERSION= 6.7p1 Index: security/openssh-portable/distinfo === --- security/openssh-portable/distinfo(revision 460698) +++ security/openssh-portable/distinfo (working copy) 
@@ -1,7 +1,3 @@ -TIMESTAMP = 1507833573 -SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 -SIZE (openssh-7.6p1.tar.gz) = 1489788 -SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc -SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501 -SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e -SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219 +TIMESTAMP = 1524506053 +SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f +SIZE (openssh-7.7p1.tar.gz) = 1536900 Poudrière fails to build the port citing: === => gssapi.patch is not in /usr/ports/security/openssh-portable/distinfo. => Either /usr/ports/security/openssh-portable/distinfo is out of date, or => gssapi.patch is spelled incorrectly. *** Error code 1 Stop. make: stopped in /usr/ports/security/openssh-portable Surely this is something I’m not doing right. Just need help understanding. Do you have feedback? -- Take care Rick Miller ___ freebsd-ports@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
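Review bot: The distinfo hunk (@@ -1,7 +1,3 @@) adds records only for openssh-7.7p1.tar.gz, while the Makefile now lists gssapi.patch in PATCHFILES under `.if ${PORT_OPTIONS:MKERB_GSSAPI}`, and that is the file the fetch error quoted below the diff says is not in distinfo. Regenerate distinfo with KERB_GSSAPI enabled so the SHA256 and SIZE lines for gssapi.patch are written, and check whether the sctp and x509 records that this hunk removes need 7.7p1 replacements. In the first Makefile hunk, PORTREVISION is raised to 4 together with the DISTVERSION bump; it is normally reset when the version changes.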
Re: [ports/security/openssh-portable] Fix SCTP patch
On Fri, 13 Jan 2017 13:43:50 -0800 wrote:
>
> My point is that it might be a good idea to commit SCTP support
> into base system's openssh. Then we(I) won't need the port at all.
> The protocol first appeared in FreeBSD, yet there is not a single
> program that uses it. This can change.

I use it in 2 apps and was postponing the next versions because sctp were dropped by openssh and libressl. Nice to see more people are using it and port list cares about it. Thanks!

--- ---
Eduardo Morras
Re: [ports/security/openssh-portable] Fix SCTP patch
> > Could someone update the SCTP patch for
> > ports/security/openssh-portable? Fixed version attached (very basic
> > changes: account for "oIdentityAgent" config option and "-J" flag
> > that appeared in openssh-7.3).
> The proper place to send this patch is to the upstream bug tracker where
> the patch originated from:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1604

OK, noted for future. But it seems like their bug tracker requires registration, too. I suppose I could email the author directly...

> I will review and commit it though.

Thanks.

> > I use SCTP all the time (makes a _huge_ difference on fast but crappy
> > connections with packet loss), so having the port fixed would be much
> > appreciated.
> Letting upstream know how useful it is would be great.

My point is that it might be a good idea to commit SCTP support into base system's openssh. Then we(I) won't need the port at all. The protocol first appeared in FreeBSD, yet there is not a single program that uses it. This can change.

> > BTW, I wonder why no one bothered to add SCTP to base system's
> > OpenSSH? Right now there is not a single program that uses SCTP in
> > FreeBSD, while the protocol itself is quite nice and useful.

--
[SorAlx] ridin' VN2000 Classic LT
Re: [ports/security/openssh-portable] Fix SCTP patch
On 1/13/17 1:31 PM, Bryan Drewery wrote:
> On 12/27/16 9:39 PM, sor...@cydem.org wrote:
>>
>> Howdy!
>>
>> Could someone update the SCTP patch for ports/security/openssh-portable?
>> Fixed version attached (very basic changes: account for "oIdentityAgent"
>> config option and "-J" flag that appeared in openssh-7.3).
>
> The proper place to send this patch is to the upstream bug tracker where
> the patch originated from: https://bugzilla.mindrot.org/show_bug.cgi?id=1604
>
> I will review and commit it though.
>

Thanks too. I am about to update the port to 7.4 and there are other conflicts now as well (before your 2 fixes):

1 out of 5 hunks failed--saving rejects to readconf.c.rej
2 out of 9 hunks failed--saving rejects to servconf.c.rej
1 out of 2 hunks failed--saving rejects to servconf.h.rej
1 out of 3 hunks failed--saving rejects to ssh.c.rej
1 out of 1 hunks failed--saving rejects to ssh_config.5.rej
1 out of 4 hunks failed--saving rejects to sshd.c.rej
1 out of 1 hunks failed--saving rejects to sshd_config.5.rej

>>
>> I use SCTP all the time (makes a _huge_ difference on fast but crappy
>> connections with packet loss), so having the port fixed would be much
>> appreciated.
>>
>
> Letting upstream know how useful it is would be great.
>
>> BTW, I wonder why no one bothered to add SCTP to base system's OpenSSH?
>> Right now there is not a single program that uses SCTP in FreeBSD, while
>> the protocol itself is quite nice and useful.
>>
>> SHA256 (openssh-7.3_p1-sctp.patch.gz) =
>> 0bfa4769db0982e81ac808e7bfb6904a86a10a251735f8b81f4e6a1430cd9b20
>> SIZE (openssh-7.3_p1-sctp.patch.gz) = 8507
>>
>
>

--
Regards,
Bryan Drewery
Re: [ports/security/openssh-portable] Fix SCTP patch
On 12/27/16 9:39 PM, sor...@cydem.org wrote:
>
> Howdy!
>
> Could someone update the SCTP patch for ports/security/openssh-portable?
> Fixed version attached (very basic changes: account for "oIdentityAgent"
> config option and "-J" flag that appeared in openssh-7.3).

The proper place to send this patch is to the upstream bug tracker where the patch originated from: https://bugzilla.mindrot.org/show_bug.cgi?id=1604

I will review and commit it though.

>
> I use SCTP all the time (makes a _huge_ difference on fast but crappy
> connections with packet loss), so having the port fixed would be much
> appreciated.
>

Letting upstream know how useful it is would be great.

> BTW, I wonder why no one bothered to add SCTP to base system's OpenSSH?
> Right now there is not a single program that uses SCTP in FreeBSD, while
> the protocol itself is quite nice and useful.
>
> SHA256 (openssh-7.3_p1-sctp.patch.gz) =
> 0bfa4769db0982e81ac808e7bfb6904a86a10a251735f8b81f4e6a1430cd9b20
> SIZE (openssh-7.3_p1-sctp.patch.gz) = 8507
>

--
Regards,
Bryan Drewery
Re: [ports/security/openssh-portable] Fix SCTP patch
> Hi!
>
> > Could someone update the SCTP patch for
> > ports/security/openssh-portable?
>
> Now a major motion picture at
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215632

Great! I will be cheering for all the main characters.

--
[SorAlx] ridin' VN2000 Classic LT
Re: [ports/security/openssh-portable] Fix SCTP patch
Hi!

> Could someone update the SCTP patch for ports/security/openssh-portable?

Now a major motion picture at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215632

--
p...@opsec.eu +49 171 3101372 4 years to go !
[ports/security/openssh-portable] Fix SCTP patch
Howdy!

Could someone update the SCTP patch for ports/security/openssh-portable? Fixed version attached (very basic changes: account for "oIdentityAgent" config option and "-J" flag that appeared in openssh-7.3).

I use SCTP all the time (makes a _huge_ difference on fast but crappy connections with packet loss), so having the port fixed would be much appreciated.

BTW, I wonder why no one bothered to add SCTP to base system's OpenSSH? Right now there is not a single program that uses SCTP in FreeBSD, while the protocol itself is quite nice and useful.

SHA256 (openssh-7.3_p1-sctp.patch.gz) = 0bfa4769db0982e81ac808e7bfb6904a86a10a251735f8b81f4e6a1430cd9b20
SIZE (openssh-7.3_p1-sctp.patch.gz) = 8507

--
[SorAlx] ridin' VN2000 Classic LT
Re: [CFT] security/openssh-portable 6.5
On 2/4/2014 7:41 PM, Bryan Drewery wrote:
> On 2/2/2014 8:57 PM, Bryan Drewery wrote:
>> The pending update to 6.5 is on my github:
>> https://github.com/bdrewery/openssh/
>>
>> I will commit in the next few days. Please test and comment back in private.
>>
>> The KERB_GSSAPI is beyond hope. It lacks an upstream and I have no way
>> to test. It needs refactoring as the key handling/API has changed a bit
>> for 6.5. It's marked BROKEN for now and I suggest not updating if you
>> depend on that.
>>
>
> This has been committed.
>

Dumb error in RC script:

> # service openssh restart
> [: missing ]
> eval: -f: not found

Fix committed.

--
Regards,
Bryan Drewery
Re: [CFT] security/openssh-portable 6.5
On 2/2/2014 8:57 PM, Bryan Drewery wrote:
> The pending update to 6.5 is on my github:
> https://github.com/bdrewery/openssh/
>
> I will commit in the next few days. Please test and comment back in private.
>
> The KERB_GSSAPI is beyond hope. It lacks an upstream and I have no way
> to test. It needs refactoring as the key handling/API has changed a bit
> for 6.5. It's marked BROKEN for now and I suggest not updating if you
> depend on that.
>

This has been committed.

--
Regards,
Bryan Drewery
[CFT] security/openssh-portable 6.5
The pending update to 6.5 is on my github:
https://github.com/bdrewery/openssh/

I will commit in the next few days. Please test and comment back in private.

The KERB_GSSAPI is beyond hope. It lacks an upstream and I have no way to test. It needs refactoring as the key handling/API has changed a bit for 6.5. It's marked BROKEN for now and I suggest not updating if you depend on that.

--
Regards,
Bryan Drewery
Re: port security/openssh-portable compile error.
Hi there...

Thanks, Just checked your change and applied to my ports tree, and now it compiles without a problem.

Thanks once again...

Fred

On 2013-09-03 12:39, Bryan Drewery wrote:

On 9/2/2013 3:14 AM, Frederico Costa wrote:

Hi all...

Not sure if this is the correct way of asking for a bit of help, but I have been trying to upgrade the ports in one of my servers, and when I am trying to upgrade the port security/openssh-portable to the following version:

openssh-portable-6.2.p2_3,1

It will fail to compile, with the standard options set for the config with the following:

...

cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -L/usr/local/lib -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat -lwrap -lpam -lcrypto -lz -lutil -lcrypt
cc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/ -L/usr/local/lib -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat -lcrypto -lz -lutil -lcrypt
loginrec.o: In function `syslogin_write_entry':
loginrec.c:(.text+0x2f1): undefined reference to `login'
loginrec.c:(.text+0x31b): undefined reference to `logout'
loginrec.c:(.text+0x34e): undefined reference to `logwtmp'
*** [sshd] Error code 1

I have committed a fix to the ports tree for this. It was due to a recent Templates/config.site update having some utmp references.
Re: port security/openssh-portable compile error.
On 9/2/2013 3:14 AM, Frederico Costa wrote:
> Hi all...
>
> Not sure if this is the correct way of asking for a bit of help, but I
> have been trying to upgrade the ports in one of my servers, and when I
> am trying to upgrade the port security/openssh-portable to the following
> version:
>
> openssh-portable-6.2.p2_3,1
>
> It will fail to compile, with the standard options set for the config
> with the following:
>
> ...
>
> cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
> audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o
> servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o
> auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o
> auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
> auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o
> kexdhs.o kexgexs.o kexecdhs.o auth-krb5.o auth2-gss.o gss-serv.o
> gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o
> md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o
> sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o
> sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -L/usr/local/lib
> -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat
> -lwrap -lpam -lcrypto -lz -lutil -lcrypt
> cc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/
> -L/usr/local/lib -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh
> -lopenbsd-compat -lcrypto -lz -lutil -lcrypt
> loginrec.o: In function `syslogin_write_entry':
> loginrec.c:(.text+0x2f1): undefined reference to `login'
> loginrec.c:(.text+0x31b): undefined reference to `logout'
> loginrec.c:(.text+0x34e): undefined reference to `logwtmp'
> *** [sshd] Error code 1

I have committed a fix to the ports tree for this. It was due to a recent Templates/config.site update having some utmp references.

--
Regards,
Bryan Drewery
port security/openssh-portable compile error.
Hi all...

Not sure if this is the correct way of asking for a bit of help, but I have been trying to upgrade the ports in one of my servers, and when I am trying to upgrade the port security/openssh-portable to the following version:

openssh-portable-6.2.p2_3,1

It will fail to compile, with the standard options set for the config with the following:

...

cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -L/usr/local/lib -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat -lwrap -lpam -lcrypto -lz -lutil -lcrypt
cc -o scp scp.o progressmeter.o bufaux.o -L. -Lopenbsd-compat/ -L/usr/local/lib -Wl,-rpath=/usr/local/lib -fstack-protector-all -lssh -lopenbsd-compat -lcrypto -lz -lutil -lcrypt
loginrec.o: In function `syslogin_write_entry':
loginrec.c:(.text+0x2f1): undefined reference to `login'
loginrec.c:(.text+0x31b): undefined reference to `logout'
loginrec.c:(.text+0x34e): undefined reference to `logwtmp'
*** [sshd] Error code 1
1 error
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer.
*** [do-build] Error code 1

--

In terms of config options for the port I have set:

LIBEDIT
OVERWRITE_BASE
PAM
TCP_WRAPPERS

And I am using FreeBSD 9.1-RELEASE-p6.

I checked by downloading a source code from openssh, with no freebsd patches, and then it compiles without any problem.

Is someone able to help me in debugging this compilation error? Of course if you need more information about this error, please let me know and I should be able to get it.

Thanks in advance

Fred
Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
On Sun, Jun 24, 2012 at 02:38:54PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 2:24 PM, J. Hellenthal wrote:
> > On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
> >> On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal
> >> wrote:
> >> >
> >> > As stated in the subject
> >> >
> >> > if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
> >> >     echo "You already have a Elliptic Curve DSA host key" \
> >> >         "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
> >> >     echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
> >> > else
> >> >     /usr/local/bin/ssh-keygen -t dsa \
> >> >         -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> >> > fi
> >> >
> >> >
> >> > Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
> >> > "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
> >> > in a different file.
> >>
> >> Good eye. I'm in the process of updating that port to 6.0p1. There
> >> are quite a lot of local patches that are part of the port. At the
> >> moment I'm muddling through what they do and whether they can be
> >> removed or not. I didn't even notice this problem.
> >>
> >> I've attached a pair of patches that correct this problem. Open a PR
> >> about this, and you can attach these patches to it. I'm not the
> >> maintainer nor do I have commit privileges, but if you open a PR, I'm
> >> sure someone will make the change.
> >
> > Should have also said the changes were already committed.
>
> I also want to see what can be pushed upstream. I understand that the
> OpenBSD/OpenSSH people are touchy about outside patches, but I think
> they should at least accept a patch to configure so that FreeBSD's
> native openpty() is detected properly.

Agreed. openssh-portable team would be the ones to contact.

--
- (2^(N-1))
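A host that ran the rc.d script quoted above holds a DSA key under the ECDSA file name. The following shell check is an added example, not part of the thread or the port: it compares the algorithm field of each host public key with the type its file name implies. The function names are hypothetical, and the default directory is the one used in the quoted script.

```shell
#!/bin/sh
# Added example: report host public keys whose algorithm does not match the
# key type named in the file name (e.g. a DSA key in ssh_host_ecdsa_key.pub).

# expected_algo FILE -> shell pattern that the first field of FILE must match
expected_algo() {
    case ${1##*/} in
        ssh_host_rsa_key.pub)     echo 'ssh-rsa' ;;
        ssh_host_dsa_key.pub)     echo 'ssh-dss' ;;
        ssh_host_ecdsa_key.pub)   echo 'ecdsa-sha2-*' ;;
        ssh_host_ed25519_key.pub) echo 'ssh-ed25519' ;;
        *) return 1 ;;            # unknown key type: not judged here
    esac
}

# check_hostkeys DIR -> prints one line per mismatching key, returns 1 if any
check_hostkeys() {
    dir=$1
    bad=0
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        want=$(expected_algo "$pub") || continue
        algo=
        # A public key file is "<algorithm> <base64 blob> [comment]".
        read -r algo _rest < "$pub" || true
        case $algo in
            $want) ;;             # unquoted on purpose: $want is a pattern
            *)
                echo "${pub##*/}: file name implies $want, key is ${algo:-unreadable}"
                bad=1
                ;;
        esac
    done
    return "$bad"
}

# Default directory taken from the script quoted in the thread.
check_hostkeys "${1:-/usr/local/etc/ssh}"
```

A mismatch means the key has to be regenerated with the intended type and the new public key redistributed to clients, since fixing the rc.d script alone leaves the existing file in place.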
Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
On Sun, Jun 24, 2012 at 2:24 PM, J. Hellenthal wrote:
> On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
>> On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal
>> wrote:
>> >
>> > As stated in the subject
>> >
>> > if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
>> >     echo "You already have a Elliptic Curve DSA host key" \
>> >         "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
>> >     echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
>> > else
>> >     /usr/local/bin/ssh-keygen -t dsa \
>> >         -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
>> > fi
>> >
>> >
>> > Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
>> > "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
>> > in a different file.
>>
>> Good eye. I'm in the process of updating that port to 6.0p1. There
>> are quite a lot of local patches that are part of the port. At the
>> moment I'm muddling through what they do and whether they can be
>> removed or not. I didn't even notice this problem.
>>
>> I've attached a pair of patches that correct this problem. Open a PR
>> about this, and you can attach these patches to it. I'm not the
>> maintainer nor do I have commit privileges, but if you open a PR, I'm
>> sure someone will make the change.
>
> Should have also said the changes were already committed.

I also want to see what can be pushed upstream. I understand that the OpenBSD/OpenSSH people are touchy about outside patches, but I think they should at least accept a patch to configure so that FreeBSD's native openpty() is detected properly.
Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal wrote:
> >
> > As stated in the subject
> >
> > if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
> >     echo "You already have a Elliptic Curve DSA host key" \
> >         "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
> >     echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
> > else
> >     /usr/local/bin/ssh-keygen -t dsa \
> >         -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> > fi
> >
> >
> > Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
> > "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
> > in a different file.
>
> Good eye. I'm in the process of updating that port to 6.0p1. There
> are quite a lot of local patches that are part of the port. At the
> moment I'm muddling through what they do and whether they can be
> removed or not. I didn't even notice this problem.
>
> I've attached a pair of patches that correct this problem. Open a PR
> about this, and you can attach these patches to it. I'm not the
> maintainer nor do I have commit privileges, but if you open a PR, I'm
> sure someone will make the change.

Should have also said the changes were already committed.

--
- (2^(N-1))
Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
On Sun, Jun 24, 2012 at 01:46:20PM -0400, Robert Simmons wrote:
> On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal wrote:
> >
> > As stated in the subject
> >
> > if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
> >     echo "You already have a Elliptic Curve DSA host key" \
> >         "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
> >     echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
> > else
> >     /usr/local/bin/ssh-keygen -t dsa \
> >         -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> > fi
> >
> >
> > Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
> > "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
> > in a different file.
>
> Good eye. I'm in the process of updating that port to 6.0p1. There
> are quite a lot of local patches that are part of the port. At the
> moment I'm muddling through what they do and whether they can be
> removed or not. I didn't even notice this problem.
>
> I've attached a pair of patches that correct this problem. Open a PR
> about this, and you can attach these patches to it. I'm not the
> maintainer nor do I have commit privileges, but if you open a PR, I'm
> sure someone will make the change.

Yeah I have been there too. The current port 5.8 I updated to 5.9. Some of the patches do not work but the diff I have is attached for the functions I use out of it. Also attached is my config for that port. But when I made it I did not have GSSAPI turned on. That does work but just have not adjusted it.
-- - (2^(N-1)) ===> The following configuration options are available for openssh-portable-5.9.p1_2,1: BSM=on: "Enable OpenBSM Auditing" FILECONTROL=off: "Enable file control patch (broken)" HPN=on: "Enable HPN-SSH patch" KERBEROS=off: "Enable kerberos (autodetection)" KERB_GSSAPI=off: "Enable Kerberos/GSSAPI patch (req: GSSAPI)" LIBEDIT=on: "Enable readline support to sftp(1)" LPK=off: "Enable LDAP Public Key (LPK) patch" OPENSSH_CHROOT=on: "Enable CHROOT support" OVERWRITE_BASE=off: "OpenSSH overwrite base" PAM=on: "Enable pam(3) support" TCP_WRAPPERS=on: "Enable tcp_wrappers support" X509=off: "Enable x509 certificate patch" ===> Use 'make config' to modify these settings diff -urN security/openssh-portable-5.8p2/Makefile security/openssh-portable/Makefile --- security/openssh-portable-5.8p2/Makefile 2012-05-01 05:56:31.0 -0400 +++ security/openssh-portable/Makefile 2012-05-30 20:01:26.493449509 -0400 @@ -6,9 +6,9 @@ # PORTNAME= openssh -DISTVERSION= 5.8p2 -PORTREVISION= 2 -PORTEPOCH= 1 +DISTVERSION= 5.9p1 +PORTREVISION= 2 +PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} MASTER_SITE_SUBDIR= OpenSSH/portable @@ -42,7 +42,6 @@ OPTIONS= PAM "Enable pam(3) support"on \ TCP_WRAPPERS "Enable tcp_wrappers support" on \ LIBEDIT "Enable readline support to sftp(1)" on \ - SUID_SSH "Enable suid SSH (Recommended off)" off \ BSM "Enable OpenBSM Auditing" off \ KERBEROS "Enable kerberos (autodetection)" off \ KERB_GSSAPI "Enable Kerberos/GSSAPI patch (req: GSSAPI)" off \ @@ -87,10 +86,6 @@ CONFIGURE_ARGS+= --with-libedit .endif -.if !defined(WITH_SUID_SSH) -CONFIGURE_ARGS+= --disable-suid-ssh -.endif - .if defined(WITH_BSM) CONFIGURE_ARGS+= --with-audit=bsm .endif @@ -119,7 +114,7 @@ .if defined(WITH_HPN) PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/ -PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz +PATCHFILES+= ${PORTNAME}-5.9p1-hpn13v12.diff.gz PATCH_DIST_STRIP= .endif 
@@ -194,11 +189,9 @@ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h .if defined(WITH_HPN) @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \ diff -urN securit
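Review bot: In the first Makefile hunk (@@ -6,9 +6,9 @@), DISTVERSION moves from 5.8p2 to 5.9p1 but PORTREVISION is kept at 2 with only its whitespace changed; ports convention is to reset PORTREVISION when the distribution version is bumped, so that line should be dropped rather than re-indented. The @@ -194,11 +189,9 @@ hunk also stops appending FREEBSD_PORT_VERSION to SSH_VERSION and SSH_RELEASE, which changes the version string the built binaries report; the accompanying message does not mention it, so it deserves its own line in the change description or a separate patch.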
Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
On Mon, Jun 25, 2012 at 1:17 AM, J. Hellenthal wrote:
>
> As stated in the subject
>
> if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
>     echo "You already have a Elliptic Curve DSA host key" \
>         "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
>     echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
> else
>     /usr/local/bin/ssh-keygen -t dsa \
>         -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> fi
>
>
> Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
> "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
> in a different file.
>
> --
>
> - (2^(N-1))

Committed. Thanks!
Re: security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
On Sun, Jun 24, 2012 at 1:17 PM, J. Hellenthal wrote:
>
> As stated in the subject
>
> if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
>     echo "You already have a Elliptic Curve DSA host key" \
>         "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
>     echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
> else
>     /usr/local/bin/ssh-keygen -t dsa \
>         -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
> fi
>
>
> Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to
> "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key
> in a different file.

Good eye. I'm in the process of updating that port to 6.0p1. There are quite a lot of local patches that are part of the port. At the moment I'm muddling through what they do and whether they can be removed or not. I didn't even notice this problem.

I've attached a pair of patches that correct this problem. Open a PR about this, and you can attach these patches to it. I'm not the maintainer nor do I have commit privileges, but if you open a PR, I'm sure someone will make the change.

Makefile.diff Description: Binary data
openssh.in.diff Description: Binary data
security/openssh-portable line # 82 of rc.d/openssh generates DSA not ECDSA
As stated in the subject

if [ -f /usr/local/etc/ssh/ssh_host_ecdsa_key ]; then
    echo "You already have a Elliptic Curve DSA host key" \
        "in /usr/local/etc/ssh/ssh_host_ecdsa_key"
    echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
else
    /usr/local/bin/ssh-keygen -t dsa \
        -f /usr/local/etc/ssh/ssh_host_ecdsa_key -N ''
fi

Specifically "/usr/local/bin/ssh-keygen -t dsa" needs to be changed to "-t ecdsa" to be correct. Otherwise we are just reimplementing a DSA key in a different file.

--

 - (2^(N-1))
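The check below is an added example, not part of the original post or the port: it catches the bug described above after the fact by comparing the key type stored in each host public key with the type its file name implies. It goes slightly beyond the ECDSA case by also covering DSA, RSA and Ed25519 file names; the function names and the sample directory are assumptions made for the illustration, and the key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the port): verify that each SSH host public key
# holds the algorithm its file name claims. Sample keys are constructed.

# Map a host key file name to the key-type prefix expected in its first field.
expected_prefix() {
    case "$1" in
        ssh_host_ecdsa_key.pub)   echo "ecdsa-sha2-" ;;
        ssh_host_dsa_key.pub)     echo "ssh-dss" ;;
        ssh_host_rsa_key.pub)     echo "ssh-rsa" ;;
        ssh_host_ed25519_key.pub) echo "ssh-ed25519" ;;
        *) return 1 ;;
    esac
}

# Return 0 if the key type matches the name, 1 on mismatch, 2 if unusable.
check_hostkey_type() {
    pub=$1
    [ -r "$pub" ] || return 2
    want=$(expected_prefix "$(basename "$pub")") || return 2
    have=
    # The first whitespace-separated field of a public key line is its type.
    read -r have _rest < "$pub" || :    # tolerate a missing trailing newline
    [ -n "$have" ] || return 2
    case "$have" in
        "$want"*) return 0 ;;
    esac
    echo "MISMATCH: $pub is named for $want* but holds $have" >&2
    return 1
}

# Print the number of mismatched host keys found in a directory.
audit_hostkeys() {
    dir=$1
    bad=0
    for f in "$dir"/ssh_host_*_key.pub; do
        [ -e "$f" ] || continue
        rc=0
        check_hostkey_type "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then bad=$((bad + 1)); fi
    done
    echo "$bad"
}

# Build a constructed key directory reproducing the bug: the file named for
# ECDSA was generated with "-t dsa", so its type field says ssh-dss.
make_sample_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/hostkeys.XXXXXX") || return 1
    printf 'ssh-dss AAAA_constructed_blob root@example\n' > "$d/ssh_host_ecdsa_key.pub"
    printf 'ssh-dss AAAA_constructed_blob root@example\n' > "$d/ssh_host_dsa_key.pub"
    printf 'ssh-rsa AAAA_constructed_blob root@example\n' > "$d/ssh_host_rsa_key.pub"
    echo "$d"
}

# Demonstration on the constructed directory.
demo_dir=$(make_sample_dir) && {
    echo "mismatched host keys: $(audit_hostkeys "$demo_dir")"
    rm -rf "$demo_dir"
}
```

On a system with the port installed, `audit_hostkeys /usr/local/etc/ssh` reports how many key files need to be regenerated with the correct `-t` value.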
Re: security/openssh-portable HPN 404
Yeah I was told about that earlier on today. This version is closer to 5.8 so it's an easy patch to fix multiple vulns. Not really meant as an end solution.

On Thu, May 31, 2012 at 05:51:19AM +, Michael Scheidell wrote:
> There is a pr already for 6.0 that needs submitter fixes. Search gnats for
> prs owned by scheidell.
>
> --
> Michael Scheidell, CTO
> >|SECNAP Network Security
>
>
> -Original message-
> From: Jason Hellenthal
> To: Michael Scheidell
> Cc: "freebsd-ports@freebsd.org"
> Sent: Thu, May 31, 2012 03:38:32 GMT+00:00
> Subject: Re: security/openssh-portable HPN 404
>
>
> You guys may want to try these out...
>
> This updates to openssh-portable-5.9p1_2,1
>
> See the attached config file for the options I tested with. If you want
> something else and it does not work feel free to email me directly and
> I will see what I can do.
>
> I don't have time to put this up publicly yet but will soon.
>
> On Wed, May 30, 2012 at 09:44:13PM -0400, Michael Scheidell wrote:
> >
> >
> > On 5/30/12 9:25 PM, Bryan Drewery wrote:
> > > cd /usr/ports/security/openssh-portable
> > > fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
> > > patch < patch-openssh-hpn-mirror.txt
> > >
> > actually, the & in the command line mucks things up.
> >
> > this should work:
> > cd /usr/ports/security/openssh-portable
> > fetch -o -
> > 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1'
> > | patch
> >
> > (-o is output file.. unless you want a strange file hanging around, -
> > means stdout, | patch just pipes standard out to in and to patch.
> >
> > --
> > Michael Scheidell, CTO
> > >*| * SECNAP Network Security Corporation
> > d: +1.561.948.2259
> > w: http://people.freebsd.org/~scheidell
>
> --
>
> - (2^(N-1))

--

 - (2^(N-1))
Re: security/openssh-portable HPN 404
There is a pr already for 6.0 that needs submitter fixes. Search gnats for prs owned by scheidell.

--
Michael Scheidell, CTO
>|SECNAP Network Security

-Original message-
From: Jason Hellenthal
To: Michael Scheidell
Cc: "freebsd-ports@freebsd.org"
Sent: Thu, May 31, 2012 03:38:32 GMT+00:00
Subject: Re: security/openssh-portable HPN 404

You guys may want to try these out...

This updates to openssh-portable-5.9p1_2,1

See the attached config file for the options I tested with. If you want something else and it does not work feel free to email me directly and I will see what I can do.

I don't have time to put this up publicly yet but will soon.

On Wed, May 30, 2012 at 09:44:13PM -0400, Michael Scheidell wrote:
>
>
> On 5/30/12 9:25 PM, Bryan Drewery wrote:
> > cd /usr/ports/security/openssh-portable
> > fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
> > patch < patch-openssh-hpn-mirror.txt
> >
> actually, the & in the command line mucks things up.
>
> this should work:
> cd /usr/ports/security/openssh-portable
> fetch -o -
> 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1'
> | patch
>
> (-o is output file.. unless you want a strange file hanging around, -
> means stdout, | patch just pipes standard out to in and to patch.
>
> --
> Michael Scheidell, CTO
> >*| * SECNAP Network Security Corporation
> d: +1.561.948.2259
> w: http://people.freebsd.org/~scheidell

--

 - (2^(N-1))
Re: security/openssh-portable HPN 404
You guys may want to try these out... This updates to openssh-portable-5.9p1_2,1 See the attached config file for the options I tested with. If you want something else and it does not work feel free to email me directly and I will see what I can do. I don't have time to put this up publicly yet but will soon. On Wed, May 30, 2012 at 09:44:13PM -0400, Michael Scheidell wrote: > > > On 5/30/12 9:25 PM, Bryan Drewery wrote: > > cd /usr/ports/security/openssh-portable > > fetchhttp://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1 > > patch< patch-openssh-hpn-mirror.txt > > > actually, the & in the command line mucks things up. > > this should work: > cd /usr/ports/security/openssh-portable > fetch -o - > 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1' > | patch > > (-o is output file.. unless you want a strange file hanging around, - > means stdout, | patch just pipes standard out to in and to patch. > > -- > Michael Scheidell, CTO > >*| * SECNAP Network Security Corporation > d: +1.561.948.2259 > w: http://people.freebsd.org/~scheidell > ___ > freebsd-ports@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ports > To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org" -- - (2^(N-1)) ===> The following configuration options are available for openssh-portable-5.9.p1_2,1: BSM=on: "Enable OpenBSM Auditing" FILECONTROL=off: "Enable file control patch (broken)" HPN=on: "Enable HPN-SSH patch" KERBEROS=off: "Enable kerberos (autodetection)" KERB_GSSAPI=off: "Enable Kerberos/GSSAPI patch (req: GSSAPI)" LIBEDIT=on: "Enable readline support to sftp(1)" LPK=off: "Enable LDAP Public Key (LPK) patch" OPENSSH_CHROOT=on: "Enable CHROOT support" OVERWRITE_BASE=off: "OpenSSH overwrite base" PAM=on: "Enable pam(3) support" TCP_WRAPPERS=on: "Enable tcp_wrappers support" X509=off: "Enable x509 certificate patch" ===> Use 'make config' to modify these settings diff -urN 
security/openssh-portable-5.8p2/Makefile security/openssh-portable/Makefile --- security/openssh-portable-5.8p2/Makefile 2012-05-01 05:56:31.0 -0400 +++ security/openssh-portable/Makefile 2012-05-30 20:01:26.493449509 -0400 @@ -6,9 +6,9 @@ # PORTNAME= openssh -DISTVERSION= 5.8p2 -PORTREVISION= 2 -PORTEPOCH= 1 +DISTVERSION= 5.9p1 +PORTREVISION= 2 +PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} MASTER_SITE_SUBDIR= OpenSSH/portable @@ -42,7 +42,6 @@ OPTIONS= PAM "Enable pam(3) support"on \ TCP_WRAPPERS "Enable tcp_wrappers support" on \ LIBEDIT "Enable readline support to sftp(1)" on \ - SUID_SSH "Enable suid SSH (Recommended off)" off \ BSM "Enable OpenBSM Auditing" off \ KERBEROS "Enable kerberos (autodetection)" off \ KERB_GSSAPI "Enable Kerberos/GSSAPI patch (req: GSSAPI)" off \ @@ -87,10 +86,6 @@ CONFIGURE_ARGS+= --with-libedit .endif -.if !defined(WITH_SUID_SSH) -CONFIGURE_ARGS+= --disable-suid-ssh -.endif - .if defined(WITH_BSM) CONFIGURE_ARGS+= --with-audit=bsm .endif @@ -119,7 +114,7 @@ .if defined(WITH_HPN) PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/ -PATCHFILES+= ${PORTNAME}-5.8p1-hpn13v11.diff.gz +PATCHFILES+= ${PORTNAME}-5.9p1-hpn13v12.diff.gz PATCH_DIST_STRIP= .endif 
@@ -194,11 +189,9 @@ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h .if defined(WITH_HPN) @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \ diff -urN security/openssh-portable-5.8p2/distinfo security/openssh-portable/distinfo --- security/openssh-portable-5.8p2/distinfo 2011-10-21 12:18:56.0 -0400 +++ security/openssh-portable/distinfo 2012-05-30 19:07:47.129970365 -0400 @@ -1,8 +1,4 @@ -SHA256 (openssh-5.8p2.t
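Review bot: The HPN hunk (@@ -119,7 +114,7 @@) switches PATCHFILES to ${PORTNAME}-5.9p1-hpn13v12.diff.gz but leaves PATCH_SITES at http://www.psc.edu/networking/projects/hpn-ssh/, the same location the build log in this thread shows answering Not Found for the 5.8p1 file; confirm the new file is actually served there or add a second site so the fetch does not fail the same way. The removal of the SUID_SSH option and of the --disable-suid-ssh block (@@ -42,7 +42,6 @@ and @@ -87,10 +86,6 @@) is not explained either; the message should say whether the 5.9p1 configure script still accepts that flag.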
Re: security/openssh-portable HPN 404
On 5/30/12 9:25 PM, Bryan Drewery wrote:
> cd /usr/ports/security/openssh-portable
> fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
> patch < patch-openssh-hpn-mirror.txt

actually, the & in the command line mucks things up.

this should work:

cd /usr/ports/security/openssh-portable
fetch -o - 'http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1' | patch

(-o is output file.. unless you want a strange file hanging around, - means stdout, | patch just pipes standard out to in and to patch.

--
Michael Scheidell, CTO
>*| * SECNAP Network Security Corporation
d: +1.561.948.2259
w: http://people.freebsd.org/~scheidell
Re: security/openssh-portable HPN 404
Hi,

On 5/30/2012 6:38 PM, Michael wrote:
> Hi, I found problem on FreeBSD 9.0 RELEASE p2
>
> dev# cd /usr/ports/security/openssh-portable
> dev# make deinstall
> ===> Deinstalling for security/openssh-portable
> ===> openssh-portable not installed, skipping
> dev# make clean
> ===> Cleaning for openssh-portable-5.8.p2_2,1
> dev# make
> ===> License check disabled, port has not defined LICENSE
> ===> Found saved configuration for openssh-portable-5.8.p2_2,1
> => openssh-5.8p1-hpn13v11.diff.gz doesn't seem to exist in
> /usr/ports/distfiles/.
> => Attempting to fetch
> http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.8p1-hpn13v11.diff.g
> z
> fetch:
> http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.8p1-hpn13v11.diff.g
> z: Not Found
> => Attempting to fetch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/openssh-5.8p1-hpn13v11.dif
> f.gz
> fetch:
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/openssh-5.8p1-hpn13v11.dif
> f.gz: File unavailable (e.g., file not found, no access)
> => Couldn't fetch it - please try to retrieve this
> => port manually into /usr/ports/distfiles/ and try again.
> *** Error code 1
>
> Stop in /usr/ports/security/openssh-portable.
> *** Error code 1
>
> Stop in /usr/ports/security/openssh-portable.
>
> As we see it no longer can fetch sources.
> Can the port maintainer please fix this?
>

Best to email po...@freebsd.org, not freebsd-ports-bugs@.

There is a patch for this problem in ports/168306:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/168306

cd /usr/ports/security/openssh-portable
fetch http://www.freebsd.org/cgi/query-pr.cgi?pr=ports%2F168306&getpatch=1
patch < patch-openssh-hpn-mirror.txt

Currently there is no maintainer of security/openssh-portable, but there are some patches to upgrade to 5.9/6.0 in the works.

Regards,
Bryan Drewery
Re: security/openssh-portable
I (maintainer of security/openssh-portable) need one or two days to review the GSI patch and other patches which are available for openssh-5.9. But a repocopy of security/openssh-portable to security/openssh-portable58 and an upgrade of security/openssh-portable to 5.9 sound reasonable to me.

Beginning with FreeBSD 9.0, openssh in the base system has the HPN patches applied, so I think it isn't a good idea to maintain a port which is very close to the system's openssh. In this case simply use openssh from the base system.
RE: security/openssh-portable
Cy,

If the option of splitting openssh into two ports means that one of those ports is closer to the base system's openssh, and the base system's openssh requires the FreeBSD patch-set, for base, then this is a commendable suggestion. Otherwise, I would vote for one kit, subject of course to Grzegorz' nod.

Like Mel, I enjoy the benefit of HPN and keys only.

Kind regards, Dewayne.
Re: security/openssh-portable
On 03/14/2012 09:01 PM, Cy Schubert wrote:
> In message <4f60ef46.2040...@acsalaska.net>, Mel Flynn writes:
> > Hello Cy,
> >
> > On 3/14/2012 08:57, Cy Schubert wrote:
> >
> > [snip]
> >
> > > What I propose to do is remove the GSSAPI patch from security/openssh-portable and for those who need the GSSAPI server key exchange, create a new port (through a repocopy of course) which includes the illinois.edu GSI patch with reworked FreeBSD patches resolving patch conflicts, calling it security/openssh-portable-gsi. Does this make any sense to anyone?
> > >
> > > Or, instead of the above, just include the GSI patch by default in a one-size-fits-all openssh-portable port? (Meaning that the GSI patch is applied regardless.) Does this make more sense to people?
> >
> > Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I don't find that an issue, but others may.
>
> Given that the current LPK patch is unmaintained by our upstream, I think it should be removed and we either move toward a one size fits all port or have a second port with the one-size-fits-all GSI patch. Basically the current hodgepodge of patches in this port are unmaintainable, which is why this port is usually slow to be updated.
>
> We can address the KRB5 requirement with an ifdefs. I'm leaning toward gutting a one-size-fits-all approach with patches that are maintainable. Secondly, if there are requirements for an insecure backlevel port, we could repocopy it. I'm not entirely enamoured with that idea, caveat emptor of course.
>
> > I'm also keeping a local fix you might want to properly integrate into the LPK patch: it fixes a bug that TLS cannot be turned off if LPKLdapConf is used.
>
> If I go ahead and have the port repocopied and move forward with this, I'll see if I can include this patch.
>
> I'll give it another day before making the repocopy request. The current port should be repocopied to openssh-portable58 and the new port assume the openssh-portable name. I've yet to hear from the maintainer of this port for his thoughts on this.

I (maintainer of security/openssh-portable) need one or two days to review GSI patch and other patches which are available for openssh-5.9. But repocopy security/openssh-portable to security/openssh-portable58 and upgrade security/openssh-portable to 5.9 sound reasonable.
Re: security/openssh-portable
In message <4f60ef46.2040...@acsalaska.net>, Mel Flynn writes:
> Hello Cy,
>
> On 3/14/2012 08:57, Cy Schubert wrote:
>
> [snip]
>
> > What I propose to do is remove the GSSAPI
> > patch from security/openssh-portable and for those who need the GSSAPI
> > server key exchange, create a new port (through a repocopy of course) which
> > includes the illinois.edu GSI patch with reworked FreeBSD patches resolving
> > patch conflicts, calling it security/openssh-portable-gsi. Does this make
> > any sense to anyone?
> >
> > Or, instead of the above, just include the GSI patch by default in a
> > one-size-fits-all openssh-portable port? (Meaning that the GSI patch is
> > applied regardless.) Does this make more sense to people?
>
> Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
> don't find that an issue, but others may.

Given that the current LPK patch is unmaintained by our upstream, I think it should be removed and we either move toward a one size fits all port or have a second port with the one-size-fits-all GSI patch. Basically the current hodgepodge of patches in this port are unmaintainable, which is why this port is usually slow to be updated.

We can address the KRB5 requirement with an ifdefs. I'm leaning toward gutting a one-size-fits-all approach with patches that are maintainable. Secondly, if there are requirements for an insecure backlevel port, we could repocopy it. I'm not entirely enamoured with that idea, caveat emptor of course.

>
> I'm also keeping a local fix you might want to properly integrate into
> the LPK patch: it fixes a bug that TLS cannot be turned off if
> LPKLdapConf is used.

If I go ahead and have the port repocopied and move forward with this, I'll see if I can include this patch.

I'll give it another day before making the repocopy request. The current port should be repocopied to openssh-portable58 and the new port assume the openssh-portable name. I've yet to hear from the maintainer of this port for his thoughts on this.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org
Re: security/openssh-portable
Hello Cy, On 3/14/2012 08:57, Cy Schubert wrote: [snip] > What I propose to do is remove the GSSAPI > patch from security/openssh-portable and for those who need the GSSAPI > server key exchange, create a new port (through a repocopy of course) which > includes the illinois.edu GSI patch with reworked FreeBSD patches resolving > patch conflicts, calling it security/openssh-portable-gsi. Does this make > any sense to anyone? > > Or, instead of the above, just include the GSI patch by default in a > one-size-fits-all openssh-portable port? (Meaning that the GSI patch is > applied regardless.) Does this make more sense to people? Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I don't find that an issue, but others may. I'm also keeping a local fix you might want to properly integrate into the LPK patch: it fixes a bug that TLS cannot be turned off if LPKLdapConf is used. -- Mel Index: Makefile ======= RCS file: /home/ncvs/ports/security/openssh-portable/Makefile,v retrieving revision 1.157 diff -u -r1.157 Makefile --- Makefile23 Dec 2011 12:52:28 - 1.157 +++ Makefile14 Mar 2012 19:09:36 - @@ -205,6 +205,9 @@ @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \ ${WRKSRC}/version.h .endif +.if defined(WITH_LPK) + @${PATCH} ${PATCH_DIST_ARGS} < ${FILESDIR}/fix-lpk-tls.patch +.endif pre-su-install: @${MKDIR} ${EMPTYDIR} Index: files/fix-lpk-tls.patch === RCS file: files/fix-lpk-tls.patch diff -N files/fix-lpk-tls.patch --- /dev/null 1 Jan 1970 00:00:00 - +++ files/fix-lpk-tls.patch 2 Jan 2012 17:26:37 - 
@@ -0,0 +1,11 @@ +--- ldapauth.c.prev2012-01-02 07:15:19.0 -0900 ldapauth.c 2012-01-02 08:21:23.0 -0900 +@@ -565,6 +565,8 @@ + else if (!strcasecmp (k, "ssl")) { + if (!strcasecmp (v, "start_tls")) + l->tls = 1; ++ else if (!strcasecmp(v, "off")) ++ l->tls = 0; + } + } + ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
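Review bot: In the ldapauth.c hunk the new branch recognises only the literal value "off"; any other value for the ssl key still falls through silently and leaves l->tls untouched, so a typo in the configuration is indistinguishable from the default. Since this branch turns TLS off for the LDAP connection, consider logging when it is taken and warning on unrecognised values. Style: `strcasecmp(v, "off")` drops the space before the parenthesis that the neighbouring `strcasecmp (v, "start_tls")` lines use. In the Makefile hunk the fix is applied with a hand-written ${PATCH} call under WITH_LPK; a one-line comment saying why it is not a regular files/patch-* entry (presumably because ldapauth.c only exists once the LPK patch has been applied) would help the next maintainer.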
security/openssh-portable
Hi all,

Our openssh-portable port hasn't been updated to 5.9p1, so I took advantage of a free evening to see if I could update it. Unfortunately Simon Wilkinson's GSSAPI patch no longer applies, as it hasn't been updated since OpenSSH 5.8. It has been superseded by the NCSA illinois.edu GSI patch, which not only includes Wilkinson's GSSAPI patch but also the HPN patch, among others. Unfortunately this patch also conflicts with some of our own FreeBSD patches in the port.

What I propose to do is remove the GSSAPI patch from security/openssh-portable and for those who need the GSSAPI server key exchange, create a new port (through a repocopy of course) which includes the illinois.edu GSI patch with reworked FreeBSD patches resolving patch conflicts, calling it security/openssh-portable-gsi. Does this make any sense to anyone?

Or, instead of the above, just include the GSI patch by default in a one-size-fits-all openssh-portable port? (Meaning that the GSI patch is applied regardless.) Does this make more sense to people?

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org
Re: CFT: security/openssh-portable 5.8p2
On Sun, Oct 09, 2011 at 06:38:10PM +0200, Grzegorz Blach wrote:
G> New snapshot is ready to testing:
G> https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t2.shar
G> In this version WITH_LPK knob is fixed.
G> Thanks to Gleb Smirnoff.

btw, one more issue with the port is that configure autodetects wtmp/utmp/lastlog stuff, using not only header include files, but also actual logs in /var. So, compiling openssh-portable on a 9.x or 10.x system, that was once upgraded from 8.x or earlier, would lead to incorrect autodetection of logging API. Even if you have run 'make delete-old', since the latter doesn't delete anything from /var.

Thus, before compiling port, one needs to:

# rm /var/log/wtmp /var/run/utmp /var/log/lastlog

--
Totus tuus, Glebius.
Re: CFT: security/openssh-portable 5.8p2
New snapshot is ready to testing:
https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t2.shar

In this version WITH_LPK knob is fixed.
Thanks to Gleb Smirnoff.
Re: CFT: security/openssh-portable 5.8p2
Mainly features introduced by external patches should be tested. They work for me, but maybe someone will find some regressions.
Re: CFT: security/openssh-portable 5.8p2
Hi there...

Thanks for making this available. I have been monitoring this list, and I would help in testing this. Is there anything you want me to test in particular? I am using in both of my systems FreeBSD 8.2 amd64 and both have the base openssh 5.4p1. My plan is to upgrade to the ports version with your 5.8. Of course I will do this in my test system first and I will report any problems.

Thanks once more for this work.

Fred
---
Frederico Costa
fredpo...@mufley.com

On Mon, 12 Sep 2011 00:24:05 +0200, Grzegorz Blach wrote:
> After becoming a new maintainer of security/openssh-portable, I updated it to 5.8p2 version.
> My patches fix several problems reported to this port:
> - ports/144597: Kerberos knob works again
> - ports/150493: Port updated to (almost) recent version
> - ports/160389: Port builds fine on FreeBSD 9.x
> - ports/156926: Suffix isn't changed with knobs
>
> Next problem can't be fixed:
> - ports/155456: LPK patch wasn't updated upstream
>
> Current snapshot can be downloaded from:
> https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t1.shar
>
> Anyone who has time and desire, please check if everything is working in this port and report bugs to me.
CFT: security/openssh-portable 5.8p2
After becoming a new maintainer of security/openssh-portable, I updated it to 5.8p2 version.
My patches fix several problems reported to this port:
- ports/144597: Kerberos knob works again
- ports/150493: Port updated to (almost) recent version
- ports/160389: Port builds fine on FreeBSD 9.x
- ports/156926: Suffix isn't changed with knobs

Next problem can't be fixed:
- ports/155456: LPK patch wasn't updated upstream

Current snapshot can be downloaded from:
https://github.com/downloads/Roorback/mgk_ports/openssh-portable-5.8p2-t1.shar

Anyone who has time and desire, please check if everything is working in this port and report bugs to me.
Re: ports/144597: security/openssh-portable fails to compile with KERBEROS enabled
On 16 Jul 2011 00:23, "Jason Hellenthal" wrote:
>
> On Wed, Jul 13, 2011 at 11:39:01PM -0500, Stephen Montgomery-Smith wrote:
> > Hey people,
> >
> > I was looking over old unresolved PR's. I came across this one:
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144597
> >
> > When I sent a message to the submitter of the PR, the email bounced back suggesting that the submitter no longer uses that email address.
> >
> > I don't think it would be too hard to make the port build under the circumstances he describes. But is ANYONE interested? Would it be worth investing effort to make this work?
> >
> > Note that the port has ports@ as its maintainer, so it doesn't look like there is a lot of interest.
> >
> > Thanks, Stephen
> >
> > P.S. This one is related:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/57498
> >
> > Is this a big bag of worms?
> >
> > I can see that seems to be fixed, for example, in mail/fetchmail.
>
> Considering that the port version is 5.2p1 and the current version in stable/8 is 5.4p1 and greater than that for HEAD I would say it would be much more of a benefit to get the port updated to the latest version and then work on it from there, otherwise its a loss of time for an outdated version.
>
> Last time I looked at this port it was a mess with a collection of third party patches from all over the place which I think lead to a discrepancy in the update of the port but that's just my opinion. It would be nice to see a simplified version of this port so it isn't such a monster to update and have an option for a user supplied patches directory that stands outside of the tree (user configured path) and it just blindly attempts to apply what is in that directory. I think this would help slim it down a little so it can consistently be bumped to a new revision without hassle.
>
> Something like:
>
> # Defaults to /usr/ports/patches unless path is user specified.
> WITH_PATCH_TREE?=/usr/ports/patches
>
> /usr/ports/patches/ # Distributed empty. everything else user created.
> |-- net
> |   `-- wireshark
> `-- security
>     |-- gnupg
>     `-- openssh-portable
>
> Things like this would certainly make it easier for a consistent user supplied patch to be kept local for build machines. I can't count the times on 2 hands and 2 feet that I wanted to patch a port with a local patch and had to continuously cp(1) a patch back to a ports tree using rsync(1)

Not really, because that would encourage people to have local patches that quickly go stale. You should have to manually record the patches, because you should be checking they're still current each time. Otherwise we could end up with numerous bug reports because of this. Or do everyone a favour and link them to an OPTION with extra patches!

Chris
Re: ports/144597: security/openssh-portable fails to compile with KERBEROS enabled
On 07/15/2011 06:28 PM, Stephen Montgomery-Smith wrote:
> On 07/15/2011 06:23 PM, Jason Hellenthal wrote:
> > On Wed, Jul 13, 2011 at 11:39:01PM -0500, Stephen Montgomery-Smith wrote:
> > > Hey people,
> > >
> > > I was looking over old unresolved PR's. I came across this one:
> > >
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144597
> > >
> > > When I sent a message to the submitter of the PR, the email bounced back suggesting that the submitter no longer uses that email address.
> > >
> > > I don't think it would be too hard to make the port build under the circumstances he describes. But is ANYONE interested? Would it be worth investing effort to make this work?
> > >
> > > Note that the port has ports@ as its maintainer, so it doesn't look like there is a lot of interest.
> > >
> > > Thanks, Stephen
> > >
> > > P.S. This one is related:
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/57498
> > >
> > > Is this a big bag of worms?
> > >
> > > I can see that seems to be fixed, for example, in mail/fetchmail.
> >
> > Considering that the port version is 5.2p1 and the current version in stable/8 is 5.4p1 and greater than that for HEAD I would say it would be much more of a benefit to get the port updated to the latest version and then work on it from there, otherwise its a loss of time for an outdated version.
> >
> > Last time I looked at this port it was a mess with a collection of third party patches from all over the place which I think lead to a discrepancy in the update of the port but that's just my opinion. It would be nice to see a simplified version of this port so it isn't such a monster to update and have an option for a user supplied patches directory that stands outside of the tree (user configured path) and it just blindly attempts to apply what is in that directory. I think this would help slim it down a little so it can consistently be bumped to a new revision without hassle.
> >
> > Something like:
> >
> > # Defaults to /usr/ports/patches unless path is user specified.
> > WITH_PATCH_TREE?=/usr/ports/patches
> >
> > /usr/ports/patches/ # Distributed empty. everything else user created.
> > |-- net
> > |   `-- wireshark
> > `-- security
> >     |-- gnupg
> >     `-- openssh-portable
> >
> > Things like this would certainly make it easier for a consistent user supplied patch to be kept local for build machines. I can't count the times on 2 hands and 2 feet that I wanted to patch a port with a local patch and had to continuously cp(1) a patch back to a ports tree using rsync(1)
>
> All these are good ideas, but I am not the person to do it. I don't use this software. I'm going to relinquish responsibility for this PR.

I found some possible maintainers of this port at http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/150493. If either of them reply, then I'll pick it up again.
Re: ports/144597: security/openssh-portable fails to compile with KERBEROS enabled
On 07/15/2011 06:23 PM, Jason Hellenthal wrote:
> On Wed, Jul 13, 2011 at 11:39:01PM -0500, Stephen Montgomery-Smith wrote:
> > Hey people,
> >
> > I was looking over old unresolved PR's. I came across this one:
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144597
> >
> > When I sent a message to the submitter of the PR, the email bounced back suggesting that the submitter no longer uses that email address.
> >
> > I don't think it would be too hard to make the port build under the circumstances he describes. But is ANYONE interested? Would it be worth investing effort to make this work?
> >
> > Note that the port has ports@ as its maintainer, so it doesn't look like there is a lot of interest.
> >
> > Thanks, Stephen
> >
> > P.S. This one is related:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/57498
> >
> > Is this a big bag of worms?
> >
> > I can see that seems to be fixed, for example, in mail/fetchmail.
>
> Considering that the port version is 5.2p1 and the current version in stable/8 is 5.4p1 and greater than that for HEAD I would say it would be much more of a benefit to get the port updated to the latest version and then work on it from there, otherwise its a loss of time for an outdated version.
>
> Last time I looked at this port it was a mess with a collection of third party patches from all over the place which I think lead to a discrepancy in the update of the port but that's just my opinion. It would be nice to see a simplified version of this port so it isn't such a monster to update and have an option for a user supplied patches directory that stands outside of the tree (user configured path) and it just blindly attempts to apply what is in that directory. I think this would help slim it down a little so it can consistently be bumped to a new revision without hassle.
>
> Something like:
>
> # Defaults to /usr/ports/patches unless path is user specified.
> WITH_PATCH_TREE?=/usr/ports/patches
>
> /usr/ports/patches/ # Distributed empty. everything else user created.
> |-- net
> |   `-- wireshark
> `-- security
>     |-- gnupg
>     `-- openssh-portable
>
> Things like this would certainly make it easier for a consistent user supplied patch to be kept local for build machines. I can't count the times on 2 hands and 2 feet that I wanted to patch a port with a local patch and had to continuously cp(1) a patch back to a ports tree using rsync(1)

All these are good ideas, but I am not the person to do it. I don't use this software. I'm going to relinquish responsibility for this PR.
ports/144597: security/openssh-portable fails to compile with KERBEROS enabled
Hey people,

I was looking over old unresolved PR's. I came across this one:

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/144597

When I sent a message to the submitter of the PR, the email bounced back suggesting that the submitter no longer uses that email address.

I don't think it would be too hard to make the port build under the circumstances he describes. But is ANYONE interested? Would it be worth investing effort to make this work?

Note that the port has ports@ as its maintainer, so it doesn't look like there is a lot of interest.

Thanks, Stephen

P.S. This one is related:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/57498

Is this a big bag of worms?

I can see that seems to be fixed, for example, in mail/fetchmail.
Re: security/openssh-portable maintainer
Please see ports/150493 for someone who seems to be looking at it.

mcl
security/openssh-portable maintainer
Hi,

I see this port has no maintainer now and is now out of date.

I have attempted myself to update the port but have hit a number of problems.

1 - some of the contrib patches don't exist for the new version of the app. I assume support would need to be dropped at least temporarily on an update.
2 - one of the freebsd patches in the files dir fails to patch, the rest are reported as successful however when checking the files in the work dir they are not patched.
3 - the hpn patch on the dev website is gzipped, the ports system seems to assume a patch must be uncompressed when downloading?
4 - the hpn patch initially on the old version is just in the files dir however I couldn't find a way to use -p1 with it, so I set it to download as a dist patch but because of problem #3 I used my own webspace to download an uncompressed patch.

What I am asking is, can someone please take over this port, my skill set is not high enough to do it at least without some help. Failing that can someone help me with the freebsd patches in the files dir to patch ok on openssh 5.6p1.

Chris
port security/openssh-portable fails to build
Hi,

I see on http://portsmon.freebsd.org/portoverview.py?category=security&portname=openssh-portable that openssh-portable doesn't build anywhere, not just on my ia64 and sparc.

cc -O2 -pipe -fno-strict-aliasing -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c bsd-openpty.c
bsd-openpty.c: In function 'openpty':
bsd-openpty.c:128: error: 'I_PUSH' undeclared (first use in this function)
bsd-openpty.c:128: error: (Each undeclared identifier is reported only once
bsd-openpty.c:128: error: for each function it appears in.)
*** Error code 1

Stop in /usr/ports/security/openssh-portable/work/openssh-5.2p1/openbsd-compat.
*** Error code 1

I'm surprised there is nothing appearing on this in the lists, or have I missed it all?

anton

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
Re: patch for security/openssh-portable
On Wed, 13 Jan 2010 09:03, 000.fbsd@ wrote:
> Denny Lin wrote:
> > > > Probably you want VersionAddendum option in sshd_config?
> > >
> > > No.
> > >
> > > To my understanding and my last tests VersionAddendum and is only a Addendum or did not work which spurred me to patch up the Makefile in the first place.
> >
> > I put VersionAddendum into sshd_config (with nothing trailing behind it), and it works as expected:
> >
> > telnet foo 22
> > Trying 192.168.0.1...
> > Connected to foo
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_5.2p1
> >
> > I'm using OpenSSH from base, but it should be the same with ports.
>
> I am not sure, but I think VersionAddendum is option available only in base SSH, not in portable from ports.

That's correct as far as I have seen so far.

Personally I think that since openssh-portable is in ports why worry about a VersionAddendum at all and just patch it with the patch I submitted. Seems like a more secure option but that's only me.

--
jhell
Re: patch for security/openssh-portable
Denny Lin wrote:
> > > Probably you want VersionAddendum option in sshd_config?
> >
> > No.
> >
> > To my understanding and my last tests VersionAddendum and is only a Addendum or did not work which spurred me to patch up the Makefile in the first place.
>
> I put VersionAddendum into sshd_config (with nothing trailing behind it), and it works as expected:
>
> telnet foo 22
> Trying 192.168.0.1...
> Connected to foo
> Escape character is '^]'.
> SSH-2.0-OpenSSH_5.2p1
>
> I'm using OpenSSH from base, but it should be the same with ports.

I am not sure, but I think VersionAddendum is option available only in base SSH, not in portable from ports.

Miroslav Lachman
Re: patch for security/openssh-portable
On Wed, 13 Jan 2010 08:45, jhell@ wrote:
> On Wed, 13 Jan 2010 08:40, jhell@ wrote:
> > On Wed, 13 Jan 2010 08:29, dindin@ wrote:
> > > Probably you want VersionAddendum option in sshd_config?
> >
> > No.
> >
> > To my understanding and my last tests VersionAddendum and is only a Addendum or did not work which spurred me to patch up the Makefile in the first place.
> >
> > Thanks for the thought though but I did not miss that option.
>
> This is the output of the add VersionAddendum in the current ports openssh
>
> centel# service openssh restart
> /usr/local/etc/ssh/sshd_config: line 13: Bad configuration option: VersionAdendum
> /usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options
>
> ? So like I was saying "It does not work that way".

My apologies. I did use "VersionAddendum" with the correct spelling but I pasted my first try at this with the incorrect spelling. With the correct spelling it still gives the above output.

--

Wed Jan 13 08:49:14 2010

It may not be able to take your machine down, but it can fill up your Internet Pipe.

jhell
Re: patch for security/openssh-portable
On 01/13/10 14:45, jhell wrote:
> centel# service openssh restart
> /usr/local/etc/ssh/sshd_config: line 13: Bad configuration option: VersionAdendum
> /usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options
>
> ? So like I was saying "It does not work that way".

You spelt it incorrectly. Throw another "d" in.

bye
av.
Re: patch for security/openssh-portable
On Wed, 13 Jan 2010 08:45:36 -0500 jhell wrote:

J> centel# service openssh restart
J> /usr/local/etc/ssh/sshd_config: line 13: Bad configuration option:
J> VersionAdendum
            ^ "VersionAddendum"
J> /usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration
J> options
J>
J> ? So like I was saying "It does not work that way".
J>
J> --
J>
J> Wed Jan 13 08:43:08 2010
J>
J> jhell

--
wbr, tiger
Re: patch for security/openssh-portable
> centel# service openssh restart
> /usr/local/etc/ssh/sshd_config: line 13: Bad configuration option:
> VersionAdendum
> /usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options
>
> ? So like I was saying "It does not work that way".

Looks like you have a typo. It should be "VersionAddendum", not "VersionAdendum" (missing a d).

--
Denny Lin
Re: patch for security/openssh-portable
> >Probably you want VersionAddendum option in sshd_config?
> >
>
> No.
>
> To my understanding and my last tests VersionAddendum and is only a
> Addendum or did not work which spurred me to patch up the Makefile in the
> first place.

I put VersionAddendum into sshd_config (with nothing trailing behind it), and it works as expected:

telnet foo 22
Trying 192.168.0.1...
Connected to foo
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2p1

I'm using OpenSSH from base, but it should be the same with ports.

--
Denny Lin
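The manual check in the message above (connect, read the first line the server sends) can be made repeatable for a freshly built port. This is an added example, not code from the thread or from the port; the sample banners are constructed, the package name in the second one is a placeholder for whatever `FreeBSD-${PKGNAME}` expands to, and the platform list is an assumption of the example.

```python
"""Check SSH identification strings for build details beyond the release."""
import re
from typing import List, NamedTuple, Optional

MAX_IDENT_LEN = 255  # RFC 4253 section 4.2 limit, CR LF included

# SSH-protoversion-softwareversion[ SP comments]
# Lenient about '-' inside softwareversion so that locally patched builds
# with a suffix are still parsed and reported rather than rejected.
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Illustrative list only (an assumption of this example, not exhaustive).
PLATFORM_HINTS = ("FreeBSD", "NetBSD", "OpenBSD", "Debian", "Ubuntu")


class Ident(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def extract_ident(raw: bytes) -> Ident:
    """Parse the identification string out of the first bytes a server sent."""
    for line in raw.split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue  # a server may send other lines before its version string
        if len(line) + 1 > MAX_IDENT_LEN:  # +1 for the LF consumed by split()
            raise ValueError("identification string exceeds 255 bytes")
        text = line.rstrip(b"\r").decode("ascii")  # non-ASCII raises ValueError
        match = IDENT_RE.match(text)
        if match is None:
            raise ValueError("malformed identification string: %r" % text)
        return Ident(match["proto"], match["software"], match["comments"])
    raise ValueError("no SSH identification string found")


def audit(raw: bytes, expected_software: str) -> List[str]:
    """Return one finding per detail disclosed beyond expected_software."""
    ident = extract_ident(raw)
    findings = []
    if ident.software != expected_software:
        findings.append(
            "softwareversion is %r, expected %r" % (ident.software, expected_software)
        )
    if ident.comments:
        findings.append("comments field present: %r" % ident.comments)
    exposed = "%s %s" % (ident.software, ident.comments or "")
    for hint in PLATFORM_HINTS:
        if hint.lower() in exposed.lower():
            findings.append("platform name in banner: %s" % hint)
    return findings


# Constructed samples. The second mimics the ' FreeBSD-${PKGNAME}' suffix the
# unpatched Makefile appends; the package name is a made-up placeholder.
PATCHED = b"SSH-2.0-OpenSSH_5.2p1\r\n"
UNPATCHED = b"SSH-2.0-OpenSSH_5.2p1 FreeBSD-openssh-portable-X.Y\r\n"

if __name__ == "__main__":
    for name, raw in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        findings = audit(raw, expected_software="OpenSSH_5.2p1")
        print(name, "->", findings or "nothing beyond the release string")
```

Feed it the bytes captured from your own server's port 22 after rebuilding; an empty list means the reply carries only the release string.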
Re: patch for security/openssh-portable
On Wed, 13 Jan 2010 08:40, jhell@ wrote:
> On Wed, 13 Jan 2010 08:29, dindin@ wrote:
> > Probably you want VersionAddendum option in sshd_config?
>
> No.
>
> To my understanding and my last tests VersionAddendum and is only a Addendum or did not work which spurred me to patch up the Makefile in the first place.
>
> Thanks for the thought though but I did not miss that option.

This is the output of the add VersionAddendum in the current ports openssh

centel# service openssh restart
/usr/local/etc/ssh/sshd_config: line 13: Bad configuration option: VersionAdendum
/usr/local/etc/ssh/sshd_config: terminating, 1 bad configuration options

? So like I was saying "It does not work that way".

--

Wed Jan 13 08:43:08 2010

jhell
Re: patch for security/openssh-portable
On Wed, 13 Jan 2010 08:29, dindin@ wrote: Probably you want VersionAddendum option in sshd_config? No. To my understanding and my last tests VersionAddendum and is only a Addendum or did not work which spurred me to patch up the Makefile in the first place. Thanks for the thought though but I did not miss that option. Wed, Jan 13, 2010 at 08:14 -0500 jhell: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Request. Attached is a patch against security/openssh-portable Makefile to remove FreeBSD version and openssl version from its version reply string. This changes it from its default reply to: SSH-2.0-OpenSSH_5.2p1 I would rather leave a prober guessing rather than giving the information he needs to analyze a large number of hosts quickly. - -- Wed Jan 13 08:06:17 2010 jhell -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (FreeBSD) iQEcBAEBAgAGBQJLTceJAAoJEJBXh4mJ2FR+nrMH/jzYBXWyUXueQFrGYJnovskV uSDme/bxd+iwVlsAyGPNK8Ub8oQC9725ohh0a8N6rcotENODPJyXRh0c9Gz5Kr3D 81opHf+qE6Z0Awhb3FcNYf/jCve4TOj5MZpzdy1peZ6pwJXA8BM7YbrP1+OFlQRN yu3HuNg/LQyx0Rk0kVzVISLInpdmndC/OBtCjLwBuGb0Np/WYshuNOr739jOodcL Odqa94apkhZpm8yI5+P6tQdf/RMOpn/PgB0MidLt3hH2Ayxpm903Wrs9p4d6xzc8 i2tZR8crdHCwjO5TRHITWmc273XZychU24P8HIC06GP56pG8jClFR1XSqBCpZMY= =fKHX -END PGP SIGNATURE- --- Makefile.orig 2009-12-30 15:14:04.646162156 -0500 +++ Makefile2009-12-30 15:15:36.939692199 -0500 
@@ -229,11 +229,9 @@ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ + @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h .if defined(WITH_HPN) @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \ -- Wed Jan 13 08:38:24 2010 It may not be able to take your machine down, but it can fill up your Internet Pipe. jhell ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
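Review bot: the replaced ${ECHO_CMD} lines drop FREEBSD_PORT_VERSION from SSH_VERSION and SSH_RELEASE unconditionally, so every user of the port gets the shorter version reply with no way to keep the old one. Consider putting the old and new defines behind a knob, the way the .if defined(WITH_HPN) block directly below gates SSH_HPN, so the change is opt-in and the default reply stays as it was.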
Re: patch for security/openssh-portable
Probably you want VersionAddendum option in sshd_config? Wed, Jan 13, 2010 at 08:14 -0500 jhell: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > > Request. > > Attached is a patch against security/openssh-portable Makefile to remove > FreeBSD version and openssl version from its version reply string. > > This changes it from its default reply to: SSH-2.0-OpenSSH_5.2p1 > > I would rather leave a prober guessing rather than giving the information > he needs to analyze a large number of hosts quickly. > > - -- > > Wed Jan 13 08:06:17 2010 > > jhell > > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.14 (FreeBSD) > > iQEcBAEBAgAGBQJLTceJAAoJEJBXh4mJ2FR+nrMH/jzYBXWyUXueQFrGYJnovskV > uSDme/bxd+iwVlsAyGPNK8Ub8oQC9725ohh0a8N6rcotENODPJyXRh0c9Gz5Kr3D > 81opHf+qE6Z0Awhb3FcNYf/jCve4TOj5MZpzdy1peZ6pwJXA8BM7YbrP1+OFlQRN > yu3HuNg/LQyx0Rk0kVzVISLInpdmndC/OBtCjLwBuGb0Np/WYshuNOr739jOodcL > Odqa94apkhZpm8yI5+P6tQdf/RMOpn/PgB0MidLt3hH2Ayxpm903Wrs9p4d6xzc8 > i2tZR8crdHCwjO5TRHITWmc273XZychU24P8HIC06GP56pG8jClFR1XSqBCpZMY= > =fKHX > -END PGP SIGNATURE- > --- Makefile.orig 2009-12-30 15:14:04.646162156 -0500 > +++ Makefile 2009-12-30 15:15:36.939692199 -0500 
> @@ -229,11 +229,9 @@ > -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 > @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ > -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h > - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' > >> \ > + @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE' > >> \ > ${WRKSRC}/version.h > - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE > FREEBSD_PORT_VERSION' >> \ > - ${WRKSRC}/version.h > - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE > FREEBSD_PORT_VERSION' >> \ > + @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE' > >> \ > ${WRKSRC}/version.h > .if defined(WITH_HPN) > @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION > SSH_PORTABLE SSH_HPN|' \ -- Cheers Denis Barov ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
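Review bot: after this hunk SSH_VERSION and SSH_RELEASE still expand to TMP_SSH_VERSION SSH_PORTABLE, and the WITH_HPN context line still rewrites that pair to add SSH_HPN, so the OpenSSH release (and the HPN marker when enabled) remains in the version reply. The submission should say that only the port package name is hidden, and a short comment above the ${ECHO_CMD} lines explaining why FREEBSD_PORT_VERSION is no longer defined would help the next maintainer.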
patch for security/openssh-portable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Request. Attached is a patch against security/openssh-portable Makefile to remove FreeBSD version and openssl version from its version reply string. This changes it from its default reply to: SSH-2.0-OpenSSH_5.2p1 I would rather leave a prober guessing rather than giving the information he needs to analyze a large number of hosts quickly. - -- Wed Jan 13 08:06:17 2010 jhell -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (FreeBSD) iQEcBAEBAgAGBQJLTceJAAoJEJBXh4mJ2FR+nrMH/jzYBXWyUXueQFrGYJnovskV uSDme/bxd+iwVlsAyGPNK8Ub8oQC9725ohh0a8N6rcotENODPJyXRh0c9Gz5Kr3D 81opHf+qE6Z0Awhb3FcNYf/jCve4TOj5MZpzdy1peZ6pwJXA8BM7YbrP1+OFlQRN yu3HuNg/LQyx0Rk0kVzVISLInpdmndC/OBtCjLwBuGb0Np/WYshuNOr739jOodcL Odqa94apkhZpm8yI5+P6tQdf/RMOpn/PgB0MidLt3hH2Ayxpm903Wrs9p4d6xzc8 i2tZR8crdHCwjO5TRHITWmc273XZychU24P8HIC06GP56pG8jClFR1XSqBCpZMY= =fKHX -END PGP SIGNATURE Makefile.orig 2009-12-30 15:14:04.646162156 -0500 +++ Makefile2009-12-30 15:15:36.939692199 -0500 @@ -229,11 +229,9 @@ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ + @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE' >> \ ${WRKSRC}/version.h .if defined(WITH_HPN) @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \ ___ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
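Review bot: the description says the patch removes the FreeBSD version and the openssl version from the version reply, but the only thing the changed ${ECHO_CMD} lines remove is FREEBSD_PORT_VERSION; nothing in this hunk touches an OpenSSL string. Either correct the description or include the hunk that handles the OpenSSL part, so reviewers can see where that string is dropped.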
Re: support for DESTDIR: security/openssh-portable
Brooks Davis wrote:
> On Thu, Aug 10, 2006 at 03:25:38PM +0200, Gábor Kövesdán wrote:
>> Brooks Davis wrote:
>>> On Wed, Aug 09, 2006 at 05:59:18PM -0600, John E Hein wrote:
>>>> John E Hein wrote at 17:43 -0600 on Aug 9, 2006:
>>>>> Well, the part that makes it annoying to duplicate in all ports is not the two separate words (CHROOT DESTDIR), but that you have to test defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether to use ${CHROOT} ${DESTDIR} or not.
>>>>>
>>>>> So having that test to assign CHROOTDESTDIR or leave it empty in bsd.port.mk allows the port writer to just always invoke it without having to worry about testing for DESTDIR.
>>>>
>>>> You could pass this var to pkg-install scripts, too (put it in the standard *SUB* lists).
>>>>
>>>> That way you don't have to do the dance that was added to security/clamav/files/pkg-install.in:
>>>>
>>>> if [ -n "%%DESTDIR%%" ]; then
>>>>     PW="/usr/sbin/chroot %%DESTDIR%% pw"
>>>>     CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
>>>>     MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
>>>> else
>>>>     PW="pw"
>>>>     CHOWN="chown"
>>>>     MKDIR="mkdir -p"
>>>> fi
>>>>
>>>> but rather just:
>>>>
>>>> PW="%%CHROOTDESTDIR%% pw"
>>>> CHOWN="%%CHROOTDESTDIR%% chown"
>>>> MKDIR="%%CHROOTDESTDIR%% mkdir -p"
>>>
>>> This seems bogus. I can't think of any good reason why packages should differ based on the valid of DESTDIR. Instead the pkg-install script should be run inside the chroot.
>>>
>>> -- Brooks
>>
>> We wanted to go that way with garga when working on security/clamav, but we realized that we can't just do chroot /foo pkg-install, since the script is not located in the chroot itself. Do you have an another idea, how to chroot those scripts?
>
> My inclination would be something like:
>
> PKG_INSTALL_TEMP=`mktemp ${DESTDIR}/tmp/pkg_install` && \
> (${CAT} ${PKG_INSTALL} > ${PKG_INSTALL_TEMP}; \
> ${SH} ${PKG_INSTALL_TEMP}; \
> ${RM} ${PKG_INSTALL_TEMP})
>
> I think we should ideally introduce a feature to allow ports to automatically run pkg-install and stuff the code in bsd.port.mk so ports don't have to know about DESTDIR in this case.
>
> Actually, ports where pkg-install and the pre/post-install targets duplicate code (often slightly differently) drive me nuts so I'd prefer a NO_AUTOPKGINSTALL, but that would take some real work so a positive flag is probably better initially.
>
> -- Brooks

This is a good idea, but there's a big mess in this area as you already said, so I think it would be a long term goal. I find John's solution pretty good for now. An another item for automatization would be to install PORTDOCS into DOCSDIR in post-install phase. and introduce NO_PORTDOCSINSTALL or something like that to turn this off. But both of them needs a lot of modification in affected ports as well.

--
Cheers,
Gabor
Re: support for DESTDIR: security/openssh-portable
Brooks Davis wrote at 09:05 -0500 on Aug 10, 2006:
 > My inclination would be something like:
 >
 > PKG_INSTALL_TEMP=`mktemp ${DESTDIR}/tmp/pkg_install` && \
 > (${CAT} ${PKG_INSTALL} > ${PKG_INSTALL_TEMP}; \
 > ${SH} ${PKG_INSTALL_TEMP}; \
 > ${RM} ${PKG_INSTALL_TEMP})

I would just put PKG_INSTALL_TEMP in WRKDIR and not worry about mktemp & rm. I do something similar in my local tree for a pkg-install that is slightly different when run from the 'install' target than the one installed in PKG_DBDIR.

 > I think we should ideally introduce a feature to allow ports to
 > automatically run pkg-install and stuff the code in bsd.port.mk so
 > ports don't have to know about DESTDIR in this case.

Yes. That'd be nice.

 > Actually, ports where pkg-install and the pre/post-install targets
 > duplicate code (often slightly differently) drive me nuts so I'd
 > prefer a NO_AUTOPKGINSTALL, but that would take some real work so a
 > positive flag is probably better initially.

Agreed. That duplication is definitely a candidate for cleanup.
Re: support for DESTDIR: security/openssh-portable
John E Hein wrote at 11:55 -0600 on Aug 10, 2006:
 > Brooks Davis wrote at 09:05 -0500 on Aug 10, 2006:
 > > I think we should ideally introduce a feature to allow ports to
 > > automatically run pkg-install and stuff the code in bsd.port.mk so
 > > ports don't have to know about DESTDIR in this case.
 >
 > Yes. That'd be nice.

Clarifying 'nice'...

As you know, many custom install targets do:

${INSTALL_PROGRAM} foo ${PREFIX}/bin

Those should change to

${INSTALL_PROGRAM} foo ${DESTDIR}${PREFIX}/bin

or the shorthand:

${INSTALL_PROGRAM} foo ${TARGETDIR}/bin

So those ports need to know about DESTDIR anyway.

But I can't think of any reason offhand not to have the pkg-install scripts run in the DESTDIR chroot so they wouldn't have to know about DESTDIR.

And standardizing (in bsd.port.mk) how pkg-install is run from custom *install targets would make the task of getting ports properly DESTDIR compliant much easier.
Re: support for DESTDIR: security/openssh-portable
On Thu, Aug 10, 2006 at 03:25:38PM +0200, Gábor Kövesdán wrote:
> Brooks Davis wrote:
> >On Wed, Aug 09, 2006 at 05:59:18PM -0600, John E Hein wrote:
> >
> >>John E Hein wrote at 17:43 -0600 on Aug 9, 2006:
> >> > Well, the part that makes it annoying to duplicate in all ports is not
> >> > the two separate words (CHROOT DESTDIR), but that you have to test
> >> > defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
> >> > to use ${CHROOT} ${DESTDIR} or not.
> >> >
> >> > So having that test to assign CHROOTDESTDIR or leave it empty in
> >> > bsd.port.mk allows the port writer to just always invoke it without
> >> > having to worry about testing for DESTDIR.
> >>
> >>You could pass this var to pkg-install scripts, too (put it in the
> >>standard *SUB* lists).
> >>
> >>That way you don't have to do the dance that was added to
> >>security/clamav/files/pkg-install.in:
> >>
> >>if [ -n "%%DESTDIR%%" ]; then
> >>PW="/usr/sbin/chroot %%DESTDIR%% pw"
> >>CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
> >>MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
> >>else
> >>PW="pw"
> >>CHOWN="chown"
> >>MKDIR="mkdir -p"
> >>fi
> >>
> >>but rather just:
> >>
> >>PW="%%CHROOTDESTDIR%% pw"
> >>CHOWN="%%CHROOTDESTDIR%% chown"
> >>MKDIR="%%CHROOTDESTDIR%% mkdir -p"
> >>
> >
> >This seems bogus. I can't think of any good reason why packages should
> >differ based on the value of DESTDIR. Instead the pkg-install script
> >should be run inside the chroot.
> >
> >-- Brooks
> >
> We wanted to go that way with garga when working on security/clamav, but
> we realized that we can't just do chroot /foo pkg-install, since the
> script is not located in the chroot itself. Do you have another idea,
> how to chroot those scripts?

My inclination would be something like:

  PKG_INSTALL_TEMP=`mktemp ${DESTDIR}/tmp/pkg_install` && \
    (${CAT} ${PKG_INSTALL} > ${PKG_INSTALL_TEMP}; \
    ${SH} ${PKG_INSTALL_TEMP}; \
    ${RM} ${PKG_INSTALL_TEMP})

I think we should ideally introduce a feature to allow ports to automatically run pkg-install and stuff the code in bsd.port.mk so ports don't have to know about DESTDIR in this case. Actually, ports where pkg-install and the pre/post-install targets duplicate code (often slightly differently) drive me nuts so I'd prefer a NO_AUTOPKGINSTALL, but that would take some real work so a positive flag is probably better initially.

-- Brooks
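The staging idea sketched in the message above, written out as a stand-alone shell function. This is an added example, not code from the thread or from bsd.port.mk: it additionally runs the staged copy through chroot and gives mktemp an XXXXXX template. `run_pkg_install` and `CHROOT_CMD` are hypothetical names, and the `PKGNAME PHASE` argument order is an assumption.

```shell
#!/bin/sh
# Added example: stage a pkg-install script inside DESTDIR and run it there,
# so the script itself never has to know about DESTDIR.
# CHROOT_CMD and run_pkg_install are hypothetical names used only here.
CHROOT_CMD=${CHROOT_CMD:-/usr/sbin/chroot}

run_pkg_install() {
    # usage: run_pkg_install DESTDIR SCRIPT PKGNAME PHASE
    # A trailing slash is dropped, so DESTDIR="/" counts as "no DESTDIR".
    destdir=${1%/}; script=$2; pkgname=$3; phase=$4

    if [ -z "$destdir" ]; then
        # No DESTDIR: plain install on the running system.
        /bin/sh "$script" "$pkgname" "$phase"
        return
    fi

    # The XXXXXX template makes mktemp pick an unpredictable name and
    # create the file exclusively, so a name planted in DESTDIR/tmp in
    # advance cannot be reused.
    staged=$(mktemp "$destdir/tmp/pkg_install.XXXXXX") || return 1

    # Copy the content, not the file, so the staged copy keeps the 0600
    # mode mktemp gave it.
    if ! cat "$script" > "$staged"; then
        rm -f "$staged"
        return 1
    fi

    # Inside the chroot the DESTDIR prefix is gone: /dest/tmp/x is /tmp/x.
    inner=${staged#"$destdir"}

    "$CHROOT_CMD" "$destdir" /bin/sh "$inner" "$pkgname" "$phase"
    rc=$?

    # Remove the staged copy whether or not the script succeeded.
    rm -f "$staged"
    return "$rc"
}
```

The function returns the script's own exit status, so a failing pkg-install still fails the install target that called it.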
Re: support for DESTDIR: security/openssh-portable
Brooks Davis wrote:
>On Wed, Aug 09, 2006 at 05:59:18PM -0600, John E Hein wrote:
>
>>John E Hein wrote at 17:43 -0600 on Aug 9, 2006:
>> > Well, the part that makes it annoying to duplicate in all ports is not
>> > the two separate words (CHROOT DESTDIR), but that you have to test
>> > defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
>> > to use ${CHROOT} ${DESTDIR} or not.
>> >
>> > So having that test to assign CHROOTDESTDIR or leave it empty in
>> > bsd.port.mk allows the port writer to just always invoke it without
>> > having to worry about testing for DESTDIR.
>>
>>You could pass this var to pkg-install scripts, too (put it in the
>>standard *SUB* lists).
>>
>>That way you don't have to do the dance that was added to
>>security/clamav/files/pkg-install.in:
>>
>>if [ -n "%%DESTDIR%%" ]; then
>>PW="/usr/sbin/chroot %%DESTDIR%% pw"
>>CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
>>MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
>>else
>>PW="pw"
>>CHOWN="chown"
>>MKDIR="mkdir -p"
>>fi
>>
>>but rather just:
>>
>>PW="%%CHROOTDESTDIR%% pw"
>>CHOWN="%%CHROOTDESTDIR%% chown"
>>MKDIR="%%CHROOTDESTDIR%% mkdir -p"
>>
>
>This seems bogus. I can't think of any good reason why packages should
>differ based on the value of DESTDIR. Instead the pkg-install script
>should be run inside the chroot.
>
>-- Brooks
>
We wanted to go that way with garga when working on security/clamav, but we realized that we can't just do chroot /foo pkg-install, since the script is not located in the chroot itself. Do you have another idea, how to chroot those scripts?

-- Cheers, Gabor
Re: support for DESTDIR: security/openssh-portable
On Wed, Aug 09, 2006 at 05:59:18PM -0600, John E Hein wrote:
> John E Hein wrote at 17:43 -0600 on Aug 9, 2006:
> > Well, the part that makes it annoying to duplicate in all ports is not
> > the two separate words (CHROOT DESTDIR), but that you have to test
> > defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
> > to use ${CHROOT} ${DESTDIR} or not.
> >
> > So having that test to assign CHROOTDESTDIR or leave it empty in
> > bsd.port.mk allows the port writer to just always invoke it without
> > having to worry about testing for DESTDIR.
>
> You could pass this var to pkg-install scripts, too (put it in the
> standard *SUB* lists).
>
> That way you don't have to do the dance that was added to
> security/clamav/files/pkg-install.in:
>
> if [ -n "%%DESTDIR%%" ]; then
>   PW="/usr/sbin/chroot %%DESTDIR%% pw"
>   CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
>   MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
> else
>   PW="pw"
>   CHOWN="chown"
>   MKDIR="mkdir -p"
> fi
>
> but rather just:
>
> PW="%%CHROOTDESTDIR%% pw"
> CHOWN="%%CHROOTDESTDIR%% chown"
> MKDIR="%%CHROOTDESTDIR%% mkdir -p"

This seems bogus. I can't think of any good reason why packages should differ based on the value of DESTDIR. Instead the pkg-install script should be run inside the chroot.

-- Brooks
Re: support for DESTDIR: security/openssh-portable
Gábor Kövesdán wrote at 01:47 +0200 on Aug 10, 2006:
> Ah, you mean defining CHROOTDESTDIR only when DESTDIR is set and leave
> it empty when not? It sounds reasonable then. I'll work this out after
> some hours of sleeping. :)

Yep... that's it.
Re: support for DESTDIR: security/openssh-portable
John E Hein wrote at 17:43 -0600 on Aug 9, 2006:
> Well, the part that makes it annoying to duplicate in all ports is not
> the two separate words (CHROOT DESTDIR), but that you have to test
> defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether
> to use ${CHROOT} ${DESTDIR} or not.
>
> So having that test to assign CHROOTDESTDIR or leave it empty in
> bsd.port.mk allows the port writer to just always invoke it without
> having to worry about testing for DESTDIR.

You could pass this var to pkg-install scripts, too (put it in the standard *SUB* lists).

That way you don't have to do the dance that was added to security/clamav/files/pkg-install.in:

  if [ -n "%%DESTDIR%%" ]; then
    PW="/usr/sbin/chroot %%DESTDIR%% pw"
    CHOWN="/usr/sbin/chroot %%DESTDIR%% chown"
    MKDIR="/usr/sbin/chroot %%DESTDIR%% mkdir -p"
  else
    PW="pw"
    CHOWN="chown"
    MKDIR="mkdir -p"
  fi

but rather just:

  PW="%%CHROOTDESTDIR%% pw"
  CHOWN="%%CHROOTDESTDIR%% chown"
  MKDIR="%%CHROOTDESTDIR%% mkdir -p"
Re: support for DESTDIR: security/openssh-portable
John E Hein wrote: Gábor Kövesdán wrote at 01:29 +0200 on Aug 10, 2006: > John E Hein wrote: > > John E Hein wrote at 16:31 -0600 on Aug 9, 2006: > > > Now that ports/Mk does the right thing for DESTDIR (thanks to Gábor), > > > here's a patch that supports DESTDIR properly for > > > security/openssh-portable: > > > > > [snip] 
> > > @@ -171,29 +171,33 @@ post-extract: > > > post-patch: > > >@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure > > > > > > +.if defined(DESTDIR) && !empty(DESTDIR) > > > +CHROOTDESTDIR=${CHROOT} ${DESTDIR} > > > +.endif > > > + > > [snip] > > > .endif > > > - if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi > > > - if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ > > > + if ! ${CHROOTDESTDIR} pw groupshow sshd; then ${CHROOTDESTDIR} pw groupadd sshd -g 22; fi > > > + if ! ${CHROOTDESTDIR} pw usershow sshd; then ${CHROOTDESTDIR} pw useradd sshd -g sshd -u 22 \ > > >-h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi > > > > Gabor, you may want to define CHROOTDESTDIR (or name it whatever you > > want) as a convenience var in bsd.port.mk > > > > I suspect lots of ports will want to use it. > > > Might be good, but personally I think ${CHROOT} ${DESTDIR} is more > trivial (easier to read and understand) and only longer with 4 > characters. One might wonder at first look what CHROOTDESTDIR is. Well, the part that makes it annoying to duplicate in all ports is not the two separate words (CHROOT DESTDIR), but that you have to test defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether to use ${CHROOT} ${DESTDIR} or not. So having that test to assign CHROOTDESTDIR or leave it empty in bsd.port.mk allows the port writer to just always invoke it without having to worry about testing for DESTDIR. Ah, you mean defining CHROOTDESTDIR only when DESTDIR is set and leave it empty when not? It sounds reasonable then. I'll work this out after some hours of sleeping. :) -- Cheers, Gabor
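Review bot: in the added `.if defined(DESTDIR) && !empty(DESTDIR)` block, CHROOTDESTDIR is assigned only when DESTDIR is set, so with DESTDIR unset the `${CHROOTDESTDIR} pw groupadd` and `${CHROOTDESTDIR} pw useradd` lines expand whatever value make inherited from the environment, and that value then runs as a command prefix in the step that creates the sshd user and group. Add an `.else` branch that assigns `CHROOTDESTDIR=` so the empty case is explicit rather than implied. ${DESTDIR} is also unquoted in the assignment, so a path containing whitespace would split into extra chroot arguments.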
Re: support for DESTDIR: security/openssh-portable
Gábor Kövesdán wrote at 01:29 +0200 on Aug 10, 2006: > John E Hein wrote: > > John E Hein wrote at 16:31 -0600 on Aug 9, 2006: > > > Now that ports/Mk does the right thing for DESTDIR (thanks to Gábor), > > > here's a patch that supports DESTDIR properly for > > > security/openssh-portable: > > > > > [snip] > > > @@ -171,29 +171,33 @@ post-extract: > > > post-patch: > > > @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure > > > > > > +.if defined(DESTDIR) && !empty(DESTDIR) > > > +CHROOTDESTDIR=${CHROOT} ${DESTDIR} > > > +.endif > > > + > > [snip] > > > .endif > > > - if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi > > > - if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ > > > + if ! ${CHROOTDESTDIR} pw groupshow sshd; then ${CHROOTDESTDIR} > > pw groupadd sshd -g 22; fi > > > + if ! ${CHROOTDESTDIR} pw usershow sshd; then ${CHROOTDESTDIR} > > pw useradd sshd -g sshd -u 22 \ > > > -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege > > separation"; fi > > > > Gabor, you may want to define CHROOTDESTDIR (or name it whatever you > > want) as a convenience var in bsd.port.mk > > > > I suspect lots of ports will want to use it. > > > Might be good, but personally I think ${CHROOT} ${DESTDIR} is more > trivial (easier to read and understand) and only longer with 4 > characters. One might wonder at first look what CHROOTDESTDIR is. Well, the part that makes it annoying to duplicate in all ports is not the two separate words (CHROOT DESTDIR), but that you have to test defined(DESTDIR) && !empty(DESTDIR) before you can figure out whether to use ${CHROOT} ${DESTDIR} or not. So having that test to assign CHROOTDESTDIR or leave it empty in bsd.port.mk allows the port writer to just always invoke it without having to worry about testing for DESTDIR.
Re: support for DESTDIR: security/openssh-portable
John E Hein wrote: John E Hein wrote at 16:31 -0600 on Aug 9, 2006: > Now that ports/Mk does the right thing for DESTDIR (thanks to Gábor), > here's a patch that supports DESTDIR properly for > security/openssh-portable: > [snip] > @@ -171,29 +171,33 @@ post-extract: > post-patch: > @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure > > +.if defined(DESTDIR) && !empty(DESTDIR) > +CHROOTDESTDIR=${CHROOT} ${DESTDIR} > +.endif > + [snip] > .endif > - if ! pw groupshow sshd; then pw groupadd sshd -g 22; fi > - if ! pw usershow sshd; then pw useradd sshd -g sshd -u 22 \ > + if ! ${CHROOTDESTDIR} pw groupshow sshd; then ${CHROOTDESTDIR} pw groupadd sshd -g 22; fi > + if ! ${CHROOTDESTDIR} pw usershow sshd; then ${CHROOTDESTDIR} pw useradd sshd -g sshd -u 22 \ > -h - -d ${EMPTYDIR} -s /nonexistent -c "sshd privilege separation"; fi Gabor, you may want to define CHROOTDESTDIR (or name it whatever you want) as a convenience var in bsd.port.mk I suspect lots of ports will want to use it. Might be good, but personally I think ${CHROOT} ${DESTDIR} is more trivial (easier to read and understand) and only longer with 4 characters. One might wonder at first look what CHROOTDESTDIR is. CC'd to ports@ to see what others think. -- Cheers, Gabor