summaryrefslogtreecommitdiffstats
path: root/patches/source/openssh
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/openssh')
-rw-r--r--patches/source/openssh/doinst.sh49
-rw-r--r--patches/source/openssh/openssh-7.4p1-libwrap.diff137
-rw-r--r--patches/source/openssh/openssh.CVE-2017-15906.patch19
-rwxr-xr-xpatches/source/openssh/openssh.SlackBuild169
-rw-r--r--patches/source/openssh/rc.sshd59
-rw-r--r--patches/source/openssh/slack-desc19
6 files changed, 452 insertions, 0 deletions
diff --git a/patches/source/openssh/doinst.sh b/patches/source/openssh/doinst.sh
new file mode 100644
index 00000000..73ce6283
--- /dev/null
+++ b/patches/source/openssh/doinst.sh
@@ -0,0 +1,49 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+ if [ -e ${OLD} ]; then
+ cp -a ${OLD} ${NEW}.incoming
+ cat ${NEW} > ${NEW}.incoming
+ touch -r ${NEW} ${NEW}.incoming
+ mv ${NEW}.incoming ${NEW}
+ fi
+ config ${NEW}
+}
+
+config etc/ssh/ssh_config.new
+config etc/ssh/sshd_config.new
+preserve_perms etc/rc.d/rc.sshd.new
+if [ -e etc/rc.d/rc.sshd.new ]; then
+ mv etc/rc.d/rc.sshd.new etc/rc.d/rc.sshd
+fi
+
+# If the sshd user/group/shadow don't exist, add them:
+
+if ! grep -q "^sshd:" etc/passwd ; then
+ echo "sshd:x:33:33:sshd:/:" >> etc/passwd
+fi
+
+if ! grep -q "^sshd:" etc/group ; then
+ echo "sshd::33:sshd" >> etc/group
+fi
+
+if ! grep -q "^sshd:" etc/shadow ; then
+ echo "sshd:*:9797:0:::::" >> etc/shadow
+fi
+
+# Add a btmp file to store login failure if one doesn't exist:
+if [ ! -r var/log/btmp ]; then
+ ( cd var/log ; umask 077 ; touch btmp )
+fi
+
diff --git a/patches/source/openssh/openssh-7.4p1-libwrap.diff b/patches/source/openssh/openssh-7.4p1-libwrap.diff
new file mode 100644
index 00000000..d1025e43
--- /dev/null
+++ b/patches/source/openssh/openssh-7.4p1-libwrap.diff
@@ -0,0 +1,137 @@
+--- ./configure.ac.orig 2016-12-18 22:59:41.000000000 -0600
++++ ./configure.ac 2016-12-23 12:58:04.200707728 -0600
+@@ -1467,6 +1467,62 @@
+ ]
+ )
+
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
++ saved_LIBS="$LIBS"
++ saved_LDFLAGS="$LDFLAGS"
++ saved_CPPFLAGS="$CPPFLAGS"
++ if test -n "${withval}" && \
++ test "x${withval}" != "xyes"; then
++ if test -d "${withval}/lib"; then
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++ fi
++ else
++ if test -n "${need_dash_r}"; then
++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++ else
++ LDFLAGS="-L${withval} ${LDFLAGS}"
++ fi
++ fi
++ if test -d "${withval}/include"; then
++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++ else
++ CPPFLAGS="-I${withval} ${CPPFLAGS}"
++ fi
++ fi
++ LIBS="-lwrap -lnsl $LIBS"
++ AC_MSG_CHECKING([for libwrap])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++ ]], [[
++ hosts_access(0);
++ ]])], [
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([LIBWRAP], [1],
++ [Define if you want
++ TCP Wrappers support])
++ SSHDLIBS="$SSHDLIBS -lwrap -lnsl"
++ TCPW_MSG="yes"
++ ], [
++ AC_MSG_ERROR([*** libwrap missing])
++
++ ])
++ LIBS="$saved_LIBS"
++ fi
++ ]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5081,6 +5137,7 @@
+ echo " SELinux support: $SELINUX_MSG"
+ echo " Smartcard support: $SCARD_MSG"
+ echo " S/KEY support: $SKEY_MSG"
++echo " TCP Wrappers support: $TCPW_MSG"
+ echo " MD5 password support: $MD5_MSG"
+ echo " libedit support: $LIBEDIT_MSG"
+ echo " Solaris process contract support: $SPC_MSG"
+--- ./sshd.c.orig 2016-12-18 22:59:41.000000000 -0600
++++ ./sshd.c 2016-12-23 12:58:40.847710372 -0600
+@@ -123,6 +123,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -1971,6 +1978,24 @@
+ #ifdef SSH_AUDIT_EVENTS
+ audit_connection_from(remote_ip, remote_port);
+ #endif
++#ifdef LIBWRAP
++ allow_severity = options.log_facility|LOG_INFO;
++ deny_severity = options.log_facility|LOG_WARNING;
++ /* Check whether logins are denied from this host. */
++ if (packet_connection_is_on_socket()) {
++ struct request_info req;
++
++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++ fromhost(&req);
++
++ if (!hosts_access(&req)) {
++ debug("Connection refused by tcp wrapper");
++ refuse(&req);
++ /* NOTREACHED */
++ fatal("libwrap refuse returns");
++ }
++ }
++#endif /* LIBWRAP */
+
+ /* Log the connection. */
+ laddr = get_local_ipaddr(sock_in);
+--- ./sshd.8.orig 2016-12-18 22:59:41.000000000 -0600
++++ ./sshd.8 2016-12-23 12:58:04.208707729 -0600
+@@ -825,6 +825,12 @@
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -929,6 +935,7 @@
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/patches/source/openssh/openssh.CVE-2017-15906.patch b/patches/source/openssh/openssh.CVE-2017-15906.patch
new file mode 100644
index 00000000..fdb963f7
--- /dev/null
+++ b/patches/source/openssh/openssh.CVE-2017-15906.patch
@@ -0,0 +1,19 @@
+--- ./sftp-server.c.orig 2016-12-18 22:59:41.000000000 -0600
++++ ./sftp-server.c 2018-03-07 19:18:19.275984210 -0600
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+ * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
+ *
+@@ -691,8 +691,8 @@
+ logit("open \"%s\" flags %s mode 0%o",
+ name, string_from_portable(pflags), mode);
+ if (readonly &&
+- ((flags & O_ACCMODE) == O_WRONLY ||
+- (flags & O_ACCMODE) == O_RDWR)) {
++ ((flags & O_ACCMODE) != O_RDONLY ||
++ (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ verbose("Refusing open request in read-only mode");
+ status = SSH2_FX_PERMISSION_DENIED;
+ } else {
diff --git a/patches/source/openssh/openssh.SlackBuild b/patches/source/openssh/openssh.SlackBuild
new file mode 100755
index 00000000..d786d572
--- /dev/null
+++ b/patches/source/openssh/openssh.SlackBuild
@@ -0,0 +1,169 @@
+#!/bin/sh
+
+# Copyright 2000 BSDi, Inc. Concord, CA, USA
+# Copyright 2001, 2002, 2003, 2004 Slackware Linux, Inc. Concord, CA, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# Set initial variables:
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-openssh
+
+VERSION=${VERSION:-$(echo openssh-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-2_slack14.1}
+
+NUMJOBS=${NUMJOBS:--j6}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+elif [ "$ARCH" = "arm" ]; then
+ SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+elif [ "$ARCH" = "armel" ]; then
+ SLKCFLAGS="-O2 -march=armv4t"
+else
+ SLKCFLAGS="-O2"
+fi
+
+# Clean target location:
+rm -rf $PKG
+mkdir -p $PKG
+
+# Prepare the framework and extract the package:
+cd $TMP
+rm -rf $PKG openssh-$VERSION
+tar xvf $CWD/openssh-$VERSION.tar.gz || tar xvf $CWD/openssh-$VERSION.tar.?z* || exit 1
+cd openssh-$VERSION
+chown -R root:root .
+
+zcat $CWD/openssh.CVE-2017-15906.patch.gz | patch -p1 --verbose || exit 1
+
+# Restore support for tcpwrappers:
+zcat $CWD/openssh-7.4p1-libwrap.diff.gz | patch -p1 --verbose || exit 1
+autoreconf -vif
+
+# Compile package:
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --mandir=/usr/man \
+ --sysconfdir=/etc/ssh \
+ --without-pam \
+ --with-md5-passwords \
+ --with-tcp-wrappers \
+ --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --build=$ARCH-slackware-linux
+
+make $NUMJOBS || make || exit 1
+
+# Install the package:
+make install DESTDIR=$PKG
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.?
+ )
+ done
+ )
+fi
+
+# Install directory used with PrivilegeSeparation option:
+mkdir -p $PKG/var/empty
+chmod 755 $PKG/var/empty
+
+# Install docs:
+mkdir -p $PKG/usr/doc/openssh-$VERSION
+cp -a \
+ CREDITS ChangeLog INSTALL LICENCE OVERVIEW \
+ README README.privsep README.smartcard RFC.nroff TODO WARNING.RNG \
+ $PKG/usr/doc/openssh-$VERSION
+chmod 644 $PKG/usr/doc/openssh-$VERSION/*
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+# Install also 'ssh-copy-id' and its manpage from contrib:
+( cd contrib
+ cp -a ssh-copy-id $PKG/usr/bin/ssh-copy-id
+ chmod 755 $PKG/usr/bin/ssh-copy-id
+ cat ssh-copy-id.1 | gzip -9c > $PKG/usr/man/man1/ssh-copy-id.1.gz
+)
+
+( cd $PKG
+
+ # Ditch the new host keys, since these have to be uniquely prepared on each machine:
+ rm -f etc/ssh/ssh_host_dsa_key
+ rm -f etc/ssh/ssh_host_dsa_key.pub
+ rm -f etc/ssh/ssh_host_rsa_key
+ rm -f etc/ssh/ssh_host_rsa_key.pub
+ rm -f etc/ssh/ssh_host_key
+ rm -f etc/ssh/ssh_host_key.pub
+
+ # Set up the config script installation:
+ mv etc/ssh/ssh_config etc/ssh/ssh_config.new
+ mv etc/ssh/sshd_config etc/ssh/sshd_config.new
+
+ # Add the init script:
+ mkdir -p etc/rc.d
+ cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
+ chmod 755 etc/rc.d/rc.sshd.new
+
+ # Copy runtime installation files:
+ mkdir -p install
+ zcat $CWD/doinst.sh.gz > install/doinst.sh
+ cat $CWD/slack-desc > install/slack-desc
+)
+
+# Create the package itself:
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/openssh-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/openssh/rc.sshd b/patches/source/openssh/rc.sshd
new file mode 100644
index 00000000..2da2ab30
--- /dev/null
+++ b/patches/source/openssh/rc.sshd
@@ -0,0 +1,59 @@
+#!/bin/sh
+# Start/stop/restart the secure shell server:
+
+sshd_start() {
+ # Create host keys if needed.
+ if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
+ /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+ /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+ /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+ fi
+ if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+ /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
+ fi
+ # Catch any new host key types not yet created above:
+ /usr/bin/ssh-keygen -A
+ # Start the sshd daemon:
+ /usr/sbin/sshd
+}
+
+sshd_stop() {
+ killall sshd
+}
+
+sshd_restart() {
+ if [ -r /var/run/sshd.pid ]; then
+ echo "WARNING: killing listener process only. To kill every sshd process, you must"
+ echo " use 'rc.sshd stop'. 'rc.sshd restart' kills only the parent sshd to"
+ echo " allow an admin logged in through sshd to use 'rc.sshd restart' without"
+ echo " being cut off. If sshd has been upgraded, new connections will now"
+ echo " use the new version, which should be a safe enough approach."
+ kill `cat /var/run/sshd.pid`
+ else
+ echo "WARNING: There does not appear to be a parent instance of sshd running."
+ echo " If you really want to kill all running instances of sshd (including"
+ echo " any sessions currently in use), run '/etc/rc.d/rc.sshd stop' instead."
+ exit 1
+ fi
+ sleep 1
+ sshd_start
+}
+
+case "$1" in
+'start')
+ sshd_start
+ ;;
+'stop')
+ sshd_stop
+ ;;
+'restart')
+ sshd_restart
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
+
diff --git a/patches/source/openssh/slack-desc b/patches/source/openssh/slack-desc
new file mode 100644
index 00000000..04277a72
--- /dev/null
+++ b/patches/source/openssh/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine. It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network. sshd (SSH Daemon) is
+openssh: the daemon program for ssh. OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song. It has a homepage at http://www.openssh.com/
+openssh: