Merge pull request #3429 from citrus-it/pkgopensshr48

openssh - update from 9.4p1 to 9.6p1 (r151048)

build/openssh/build.sh

@@ -18,7 +18,7 @@
 . ../../lib/build.sh
 
 PROG=openssh
-VER=9.4p1
+VER=9.6p1
 PKG=network/openssh
 SUMMARY="OpenSSH Client and utilities"
 DESC="OpenSSH Secure Shell protocol Client and associated Utilities"

build/openssh/patches/0002-PAM-Support.patch

@@ -26,7 +26,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 
  	/* Standard Options */
  	if (options->num_host_key_files == 0) {
-@@ -1399,8 +1404,17 @@ process_server_config_line_depth(ServerO
+@@ -1366,8 +1371,17 @@ process_server_config_line_depth(ServerO
  	switch (opcode) {
  	/* Portable-specific options */
  	case sUsePAM:

build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch

@@ -6,7 +6,7 @@ Subject: [PATCH 06/34] GSS store creds for Solaris
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1151,6 +1151,9 @@ mips-sony-bsd|mips-sony-newsos4)
+@@ -1161,6 +1161,9 @@ mips-sony-bsd|mips-sony-newsos4)
  		],
  	)
  	TEST_SHELL=$SHELL	# let configure find us a capable shell

build/openssh/patches/0008-Add-DisableBanner-option.patch

@@ -21,7 +21,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	{ "tunnel", oTunnel },
  	{ "tunneldevice", oTunnelDevice },
  	{ "localcommand", oLocalCommand },
-@@ -1005,6 +1011,17 @@ parse_multistate_value(const char *arg,
+@@ -1011,6 +1017,17 @@ parse_multistate_value(const char *arg,
  	return -1;
  }
 
@@ -39,9 +39,9 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  /*
   * Processes a single option line as used in the configuration files. This
   * only sets those values that have not already been set.
-@@ -2280,6 +2297,13 @@ parse_pubkey_algos:
- 		intptr = &options->required_rsa_size;
- 		goto parse_int;
+@@ -2353,6 +2370,13 @@ parse_pubkey_algos:
+ 		}
+ 		break;
 
 +#ifdef DISABLE_BANNER
 +	case oDisableBanner:
@@ -53,7 +53,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	case oDeprecated:
  		debug("%s line %d: Deprecated option \"%s\"",
  		    filename, linenum, keyword);
-@@ -2516,6 +2540,9 @@ initialize_options(Options * options)
+@@ -2589,6 +2613,9 @@ initialize_options(Options * options)
  	options->stdin_null = -1;
  	options->fork_after_authentication = -1;
  	options->proxy_use_fdpass = -1;
@@ -63,7 +63,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
  	options->num_permitted_cnames = 0;
-@@ -2718,6 +2745,10 @@ fill_default_options(Options * options)
+@@ -2794,6 +2821,10 @@ fill_default_options(Options * options)
  		options->canonicalize_fallback_local = 1;
  	if (options->canonicalize_hostname == -1)
  		options->canonicalize_hostname = SSH_CANONICALISE_NO;
@@ -77,8 +77,8 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
 --- a~/readconf.h	1970-01-01 00:00:00
 +++ a/readconf.h	1970-01-01 00:00:00
-@@ -182,6 +182,9 @@ typedef struct {
- 	int	enable_escape_commandline;	/* ~C commandline */
+@@ -186,6 +186,9 @@ typedef struct {
+ 	u_int	num_channel_timeouts;
 
  	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +#ifdef DISABLE_BANNER
@@ -87,9 +87,9 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
  }       Options;
 
  #define SSH_PUBKEY_AUTH_NO	0x00
-@@ -222,6 +225,12 @@ typedef struct {
- #define SSH_STRICT_HOSTKEY_YES	2
- #define SSH_STRICT_HOSTKEY_ASK	3
+@@ -231,6 +234,12 @@ typedef struct {
+ #define SSH_KEYSTROKE_CHAFF_MIN_MS		1024
+ #define SSH_KEYSTROKE_CHAFF_RNG_MS		2048
 
 +#ifdef DISABLE_BANNER
 +#define SSH_DISABLEBANNER_NO		0
@@ -99,11 +99,11 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
 +
  const char *kex_default_pk_alg(void);
  char	*ssh_connection_hash(const char *thishost, const char *host,
-     const char *portstr, const char *user);
+     const char *portstr, const char *user, const char *jump_host);
 diff -wpruN --no-dereference '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5
 --- a~/ssh_config.5	1970-01-01 00:00:00
 +++ a/ssh_config.5	1970-01-01 00:00:00
-@@ -633,6 +633,14 @@ If set to a time in seconds, or a time i
+@@ -700,6 +700,14 @@ If set to a time in seconds, or a time i
  then the backgrounded master connection will automatically terminate
  after it has remained idle (with no client connections) for the
  specified time.
@@ -132,7 +132,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
  /*
   * SSH2 key exchange
   */
-@@ -585,8 +589,28 @@ input_userauth_banner(int type, u_int32_
+@@ -586,8 +590,28 @@ input_userauth_banner(int type, u_int32_
  	if ((r = sshpkt_get_cstring(ssh, &msg, &len)) != 0 ||
  	    (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0)
  		goto out;

build/openssh/patches/0010-PAM-enhancements-for-Solaris.patch

@@ -161,7 +161,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth.h a/auth.h
 diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
 --- a~/auth2.c	1970-01-01 00:00:00
 +++ a/auth2.c	1970-01-01 00:00:00
-@@ -294,9 +294,17 @@ input_userauth_request(int type, u_int32
+@@ -305,9 +305,17 @@ input_userauth_request(int type, u_int32
  #endif
  		}
  #ifdef USE_PAM
@@ -180,7 +180,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  		ssh_packet_set_log_preamble(ssh, "%suser %s",
  		    authctxt->valid ? "authenticating " : "invalid ", user);
  		setproctitle("%s%s", authctxt->valid ? user : "unknown",
-@@ -331,6 +339,18 @@ input_userauth_request(int type, u_int32
+@@ -344,6 +352,18 @@ input_userauth_request(int type, u_int32
  	/* try to authenticate user */
  	m = authmethod_lookup(authctxt, method);
  	if (m != NULL && authctxt->failures < options.max_authtries) {
@@ -199,7 +199,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  		debug2("input_userauth_request: try method %s", method);
  		authenticated =	m->userauth(ssh, method);
  	}
-@@ -356,6 +376,10 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -369,6 +389,10 @@ userauth_finish(struct ssh *ssh, int aut
  	char *methods;
  	int r, partial = 0;
 
@@ -210,7 +210,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  	if (authenticated) {
  		if (!authctxt->valid) {
  			fatal("INTERNAL ERROR: authenticated invalid user %s",
-@@ -379,6 +403,25 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -392,6 +416,25 @@ userauth_finish(struct ssh *ssh, int aut
  	}
 
  	if (authenticated && options.num_auth_methods != 0) {
@@ -236,7 +236,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
  		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
  			authenticated = 0;
  			partial = 1;
-@@ -396,7 +439,19 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -409,7 +452,19 @@ userauth_finish(struct ssh *ssh, int aut
  		return;
 
  #ifdef USE_PAM
@@ -335,7 +335,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  				struct sshbuf *m;
 
  				if ((m = sshbuf_new()) == NULL)
-@@ -797,6 +839,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in
+@@ -802,6 +844,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 
@@ -347,7 +347,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  #ifdef USE_PAM
  	if (options.use_pam)
  		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
-@@ -820,6 +867,27 @@ int mm_answer_auth2_read_banner(struct s
+@@ -825,6 +872,27 @@ int mm_answer_auth2_read_banner(struct s
  	return (0);
  }
 
@@ -472,7 +472,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-@@ -2575,6 +2600,37 @@ process_server_config_line_depth(ServerO
+@@ -2558,6 +2583,37 @@ process_server_config_line_depth(ServerO
  		}
  		goto parse_time;
 
@@ -513,7 +513,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
 --- a~/servconf.h	1970-01-01 00:00:00
 +++ a/servconf.h	1970-01-01 00:00:00
-@@ -73,6 +73,10 @@ struct listenaddr {
+@@ -71,6 +71,10 @@ struct listenaddr {
  	struct addrinfo *addrs;
  };
 
@@ -524,7 +524,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
  typedef struct {
  	u_int	num_ports;
  	u_int	ports_from_cmdline;
-@@ -225,6 +229,12 @@ typedef struct {
+@@ -223,6 +227,12 @@ typedef struct {
  	u_int	num_auth_methods;
  	char   **auth_methods;
 

build/openssh/patches/0013-Solaris-Auditing-support.patch

@@ -699,7 +699,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/audit.h a/audit.h
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1751,7 +1751,7 @@ AC_ARG_WITH([libedit],
+@@ -1761,7 +1761,7 @@ AC_ARG_WITH([libedit],
 
  AUDIT_MODULE=none
  AC_ARG_WITH([audit],
@@ -708,7 +708,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  	[
  	  AC_MSG_CHECKING([for supported audit module])
  	  case "$withval" in
-@@ -1788,6 +1788,13 @@ AC_ARG_WITH([audit],
+@@ -1798,6 +1798,13 @@ AC_ARG_WITH([audit],
  		SSHDLIBS="$SSHDLIBS -laudit"
  		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
  		;;

build/openssh/patches/0015-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch

@@ -78,7 +78,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2-hostbased.c a/auth2-hos
 diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
 --- a~/auth2.c	1970-01-01 00:00:00
 +++ a/auth2.c	1970-01-01 00:00:00
-@@ -402,6 +402,14 @@ userauth_finish(struct ssh *ssh, int aut
+@@ -415,6 +415,14 @@ userauth_finish(struct ssh *ssh, int aut
  #endif
  	}
 
@@ -96,7 +96,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
 --- a~/monitor.c	1970-01-01 00:00:00
 +++ a/monitor.c	1970-01-01 00:00:00
-@@ -386,6 +386,12 @@ monitor_child_preauth(struct ssh *ssh, s
+@@ -391,6 +391,12 @@ monitor_child_preauth(struct ssh *ssh, s
  		}
  	}
 
@@ -109,7 +109,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  	if (!authctxt->valid)
  		fatal_f("authenticated invalid user");
  	if (strcmp(auth_method, "unknown") == 0)
-@@ -589,14 +595,16 @@ monitor_reset_key_state(void)
+@@ -594,14 +600,16 @@ monitor_reset_key_state(void)
  {
  	/* reset state */
  	free(key_blob);
@@ -127,7 +127,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  	hostbased_chost = NULL;
  }
 
-@@ -1069,6 +1077,11 @@ mm_answer_pam_account(struct ssh *ssh, i
+@@ -1074,6 +1082,11 @@ mm_answer_pam_account(struct ssh *ssh, i
  	if (!options.use_pam)
  		fatal("%s: PAM not enabled", __func__);
 

build/openssh/patches/0018-Per-session-xauthfile.patch

@@ -196,7 +196,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/session.c a/session.c
  static char *
  sig2name(int sig)
  {
-@@ -2446,6 +2569,9 @@ session_close(struct ssh *ssh, Session *
+@@ -2453,6 +2576,9 @@ session_close(struct ssh *ssh, Session *
  	free(s->auth_display);
  	free(s->auth_data);
  	free(s->auth_proto);
@@ -206,7 +206,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/session.c a/session.c
  	free(s->subsys);
  	if (s->env != NULL) {
  		for (i = 0; i < s->num_env; i++) {
-@@ -2701,6 +2827,10 @@ do_cleanup(struct ssh *ssh, Authctxt *au
+@@ -2708,6 +2834,10 @@ do_cleanup(struct ssh *ssh, Authctxt *au
  		auth_info_file = NULL;
  	}
 

build/openssh/patches/0019-PubKeyPlugin-support.patch

@@ -215,7 +215,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
  	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
  	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
-@@ -2631,6 +2634,18 @@ process_server_config_line_depth(ServerO
+@@ -2614,6 +2617,18 @@ process_server_config_line_depth(ServerO
  		}
  		break;
 
@@ -237,7 +237,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
 --- a~/servconf.h	1970-01-01 00:00:00
 +++ a/servconf.h	1970-01-01 00:00:00
-@@ -237,6 +237,7 @@ typedef struct {
+@@ -235,6 +235,7 @@ typedef struct {
 
  	int	fingerprint_hash;
  	int	expose_userauth_info;

build/openssh/patches/0026-Don-t-use-krb5-config-to-check-for-GSSAPI-on-illumos.patch

@@ -6,7 +6,7 @@ Subject: [PATCH 26/34] Don't use krb5-config to check for GSSAPI on illumos
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -4705,6 +4705,11 @@ AC_ARG_WITH([kerberos5],
+@@ -4739,6 +4739,11 @@ AC_ARG_WITH([kerberos5],
  			AC_PATH_TOOL([KRB5CONF], [krb5-config],
  				     [$KRB5ROOT/bin/krb5-config],
  				     [$KRB5ROOT/bin:$PATH])
@@ -18,7 +18,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  			if test -x $KRB5CONF ; then
  				K5CFLAGS="`$KRB5CONF --cflags`"
  				K5LIBS="`$KRB5CONF --libs`"
-@@ -4746,7 +4751,7 @@ AC_ARG_WITH([kerberos5],
+@@ -4780,7 +4785,7 @@ AC_ARG_WITH([kerberos5],
  						 AC_CHECK_LIB([des], [des_cbc_encrypt],
  						   [K5LIBS="$K5LIBS -ldes"])
  					       ], [ AC_MSG_RESULT([no])

build/openssh/patches/0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch

@@ -53,7 +53,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	if (options->client_alive_interval == -1)
  		options->client_alive_interval = 0;
  	if (options->client_alive_count_max == -1)
-@@ -2204,8 +2231,12 @@ process_server_config_line_depth(ServerO
+@@ -2186,8 +2213,12 @@ process_server_config_line_depth(ServerO
  			if (*arg == '\0' || strchr(arg, '=') != NULL)
  				fatal("%s line %d: Invalid environment name.",
  				    filename, linenum);
@@ -66,7 +66,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  			opt_array_append(filename, linenum, keyword,
  			    &options->accept_env, &options->num_accept_env,
  			    arg);
-@@ -2900,7 +2931,7 @@ copy_set_server_options(ServerOptions *d
+@@ -2924,7 +2955,7 @@ copy_set_server_options(ServerOptions *d
  } while(0)
  #define M_CP_STRARRAYOPT(s, num_s) do {\
  	u_int i; \

build/openssh/patches/0031-Restore-tcpwrappers-libwrap-support.patch

@@ -1,7 +1,7 @@
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1646,6 +1646,62 @@ else
+@@ -1656,6 +1656,62 @@ else
  	AC_MSG_RESULT([no])
  fi
 
@@ -64,7 +64,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5617,6 +5673,7 @@ echo "                       PAM support
+@@ -5660,6 +5716,7 @@ echo "                       PAM support
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"

build/openssh/patches/series

@@ -20,4 +20,3 @@ sshd_config.patch
 0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch
 0031-Restore-tcpwrappers-libwrap-support.patch
 test.patch
-zlib-check.patch