Merge pull request #3428 from citrus-it/pkgopensshr46

openssh - update from 9.3p2 to 9.6p1 (r151046)
omniosorg · Dec 20, 2023 · e74f3f0 · e74f3f0
2 parents 8848ffa + 0acf5fa
commit e74f3f0
Show file tree

Hide file tree

Showing 25 changed files with 144 additions and 262 deletions.
diff --git a/build/openssh/build.sh b/build/openssh/build.sh
@@ -18,7 +18,7 @@
 . ../../lib/build.sh
 
 PROG=openssh
-VER=9.3p2
+VER=9.6p1
 PKG=network/openssh
 SUMMARY="OpenSSH Client and utilities"
 DESC="OpenSSH Secure Shell protocol Client and associated Utilities"

diff --git a/build/openssh/patches/0001-Skip-config-check.patch b/build/openssh/patches/0001-Skip-config-check.patch
@@ -10,7 +10,7 @@ Subject: [PATCH 01/34] Skip config check
 # they are not suitable in a build system.  This is for Solaris only, so we
 # will not contribute back this change to the upstream community.
 #
-diff -wpruN --no-dereference '--exclude=*.orig' a~/Makefile.in a/Makefile.in
+diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in
 --- a~/Makefile.in	1970-01-01 00:00:00
 +++ a/Makefile.in	1970-01-01 00:00:00
 @@ -382,7 +382,16 @@ install-nokeys: $(CONFIGFILES) $(MANPAGE

diff --git a/build/openssh/patches/0002-PAM-Support.patch b/build/openssh/patches/0002-PAM-Support.patch
@@ -10,10 +10,10 @@ Subject: [PATCH 02/34] PAM Support
 #
 
 *** orig/servconf.c	Mon Dec  5 17:23:03 2011
-diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
+diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c
 --- a~/servconf.c	1970-01-01 00:00:00
 +++ a/servconf.c	1970-01-01 00:00:00
-@@ -280,7 +280,12 @@ fill_default_server_options(ServerOption
+@@ -279,7 +279,12 @@ fill_default_server_options(ServerOption
 
  	/* Portable-specific options */
  	if (options->use_pam == -1)
@@ -26,7 +26,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 
  	/* Standard Options */
  	if (options->num_host_key_files == 0) {
-@@ -1398,8 +1403,17 @@ process_server_config_line_depth(ServerO
+@@ -1366,8 +1371,17 @@ process_server_config_line_depth(ServerO
  	switch (opcode) {
  	/* Portable-specific options */
  	case sUsePAM:

diff --git a/build/openssh/patches/0003-lastlogin.patch b/build/openssh/patches/0003-lastlogin.patch
@@ -3,7 +3,7 @@ From: oracle <[email protected]>
 Date: Mon, 3 Aug 2015 14:34:41 -0700
 Subject: [PATCH 03/34] lastlogin
 
-diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
+diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
 --- a~/sshd_config.5	1970-01-01 00:00:00
 +++ a/sshd_config.5	1970-01-01 00:00:00
 @@ -1568,8 +1568,8 @@ Specifies whether
@@ -17,7 +17,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
  .It Cm PrintMotd
  Specifies whether
  .Xr sshd 8
-@@ -2074,7 +2074,8 @@ This file should be writable by root onl
+@@ -2078,7 +2078,8 @@ This file should be writable by root onl
  .El
  .Sh SEE ALSO
  .Xr sftp-server 8 ,

diff --git a/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch b/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch
@@ -3,10 +3,10 @@ From: oracle <[email protected]>
 Date: Mon, 3 Aug 2015 14:35:34 -0700
 Subject: [PATCH 06/34] GSS store creds for Solaris
 
-diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
+diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1151,6 +1151,9 @@ mips-sony-bsd|mips-sony-newsos4)
+@@ -1161,6 +1161,9 @@ mips-sony-bsd|mips-sony-newsos4)
  		],
  	)
  	TEST_SHELL=$SHELL	# let configure find us a capable shell
@@ -16,7 +16,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  	;;
  *-*-sunos4*)
  	CPPFLAGS="$CPPFLAGS -DSUNOS4"
-diff -wpruN --no-dereference '--exclude=*.orig' a~/gss-serv-krb5.c a/gss-serv-krb5.c
+diff -wpruN '--exclude=*.orig' a~/gss-serv-krb5.c a/gss-serv-krb5.c
 --- a~/gss-serv-krb5.c	1970-01-01 00:00:00
 +++ a/gss-serv-krb5.c	1970-01-01 00:00:00
 @@ -109,7 +109,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -48,7 +48,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/gss-serv-krb5.c a/gss-serv-kr
  };
 
  #endif /* KRB5 */
-diff -wpruN --no-dereference '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c
+diff -wpruN '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c
 --- a~/gss-serv.c	1970-01-01 00:00:00
 +++ a/gss-serv.c	1970-01-01 00:00:00
 @@ -319,22 +319,66 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
@@ -118,10 +118,10 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c
  }
 
  /* This allows GSSAPI methods to do things to the child's environment based
-diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
+diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c
 --- a~/servconf.c	1970-01-01 00:00:00
 +++ a/servconf.c	1970-01-01 00:00:00
-@@ -605,7 +605,11 @@ static struct {
+@@ -604,7 +604,11 @@ static struct {
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -133,7 +133,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
-diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd.c a/sshd.c
+diff -wpruN '--exclude=*.orig' a~/sshd.c a/sshd.c
 --- a~/sshd.c	1970-01-01 00:00:00
 +++ a/sshd.c	1970-01-01 00:00:00
 @@ -2291,9 +2291,23 @@ main(int ac, char **av)

diff --git a/build/openssh/patches/0007-DTrace-support-for-SFTP.patch b/build/openssh/patches/0007-DTrace-support-for-SFTP.patch
@@ -3,7 +3,7 @@ From: oracle <[email protected]>
 Date: Mon, 3 Aug 2015 14:35:43 -0700
 Subject: [PATCH 07/34] DTrace support for SFTP
 
-diff -wpruN --no-dereference '--exclude=*.orig' a~/Makefile.in a/Makefile.in
+diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in
 --- a~/Makefile.in	1970-01-01 00:00:00
 +++ a/Makefile.in	1970-01-01 00:00:00
 @@ -103,6 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -65,7 +65,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/Makefile.in a/Makefile.in
 
  install-sysconf:
  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)
-diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
+diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
 --- a~/sftp-server.c	1970-01-01 00:00:00
 +++ a/sftp-server.c	1970-01-01 00:00:00
 @@ -56,6 +56,9 @@
@@ -159,7 +159,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c
  			if (ret == -1) {
  				status = errno_to_portable(errno);
  				error_f("write \"%.100s\": %s",
-diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp64.d a/sftp64.d
+diff -wpruN '--exclude=*.orig' a~/sftp64.d a/sftp64.d
 --- a~/sftp64.d	1970-01-01 00:00:00
 +++ a/sftp64.d	1970-01-01 00:00:00
 @@ -0,0 +1,56 @@
@@ -219,7 +219,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp64.d a/sftp64.d
 +	sfi_pathname = copyinstr((uintptr_t)*(uint64_t *)copyin(
 +	    (uintptr_t)&s->sftp_pathname, sizeof (uint64_t)));
 +};
-diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp_provider.d a/sftp_provider.d
+diff -wpruN '--exclude=*.orig' a~/sftp_provider.d a/sftp_provider.d
 --- a~/sftp_provider.d	1970-01-01 00:00:00
 +++ a/sftp_provider.d	1970-01-01 00:00:00
 @@ -0,0 +1,61 @@
@@ -284,7 +284,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp_provider.d a/sftp_provid
 +#pragma D attributes Private/Private/Unknown provider sftp function
 +#pragma D attributes Private/Private/ISA provider sftp name
 +#pragma D attributes Evolving/Evolving/ISA provider sftp args
-diff -wpruN --no-dereference '--exclude=*.orig' a~/sftp_provider_impl.h a/sftp_provider_impl.h
+diff -wpruN '--exclude=*.orig' a~/sftp_provider_impl.h a/sftp_provider_impl.h
 --- a~/sftp_provider_impl.h	1970-01-01 00:00:00
 +++ a/sftp_provider_impl.h	1970-01-01 00:00:00
 @@ -0,0 +1,73 @@

diff --git a/build/openssh/patches/0008-Add-DisableBanner-option.patch b/build/openssh/patches/0008-Add-DisableBanner-option.patch
@@ -1,7 +1,7 @@
-diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
+diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c
 --- a~/readconf.c	1970-01-01 00:00:00
 +++ a/readconf.c	1970-01-01 00:00:00
-@@ -163,6 +163,9 @@ typedef enum {
+@@ -167,6 +167,9 @@ typedef enum {
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
@@ -11,7 +11,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	oTunnel, oTunnelDevice,
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
  	oVisualHostKey,
-@@ -289,6 +292,9 @@ static struct {
+@@ -294,6 +297,9 @@ static struct {
  	{ "controlpersist", oControlPersist },
  	{ "hashknownhosts", oHashKnownHosts },
  	{ "include", oInclude },
@@ -21,7 +21,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	{ "tunnel", oTunnel },
  	{ "tunneldevice", oTunnelDevice },
  	{ "localcommand", oLocalCommand },
-@@ -922,6 +928,17 @@ parse_multistate_value(const char *arg,
+@@ -1011,6 +1017,17 @@ parse_multistate_value(const char *arg,
  	return -1;
  }
 
@@ -39,9 +39,9 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  /*
   * Processes a single option line as used in the configuration files. This
   * only sets those values that have not already been set.
-@@ -2188,6 +2205,13 @@ parse_pubkey_algos:
- 		intptr = &options->required_rsa_size;
- 		goto parse_int;
+@@ -2353,6 +2370,13 @@ parse_pubkey_algos:
+ 		}
+ 		break;
 
 +#ifdef DISABLE_BANNER
 +	case oDisableBanner:
@@ -53,7 +53,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	case oDeprecated:
  		debug("%s line %d: Deprecated option \"%s\"",
  		    filename, linenum, keyword);
-@@ -2424,6 +2448,9 @@ initialize_options(Options * options)
+@@ -2589,6 +2613,9 @@ initialize_options(Options * options)
  	options->stdin_null = -1;
  	options->fork_after_authentication = -1;
  	options->proxy_use_fdpass = -1;
@@ -63,7 +63,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
  	options->num_permitted_cnames = 0;
-@@ -2625,6 +2652,10 @@ fill_default_options(Options * options)
+@@ -2794,6 +2821,10 @@ fill_default_options(Options * options)
  		options->canonicalize_fallback_local = 1;
  	if (options->canonicalize_hostname == -1)
  		options->canonicalize_hostname = SSH_CANONICALISE_NO;
@@ -74,11 +74,11 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	if (options->fingerprint_hash == -1)
  		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
  #ifdef ENABLE_SK_INTERNAL
-diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
+diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h
 --- a~/readconf.h	1970-01-01 00:00:00
 +++ a/readconf.h	1970-01-01 00:00:00
-@@ -181,6 +181,9 @@ typedef struct {
- 	int	enable_escape_commandline;	/* ~C commandline */
+@@ -186,6 +186,9 @@ typedef struct {
+ 	u_int	num_channel_timeouts;
 
  	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +#ifdef DISABLE_BANNER
@@ -87,9 +87,9 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
  }       Options;
 
  #define SSH_PUBKEY_AUTH_NO	0x00
-@@ -221,6 +224,12 @@ typedef struct {
- #define SSH_STRICT_HOSTKEY_YES	2
- #define SSH_STRICT_HOSTKEY_ASK	3
+@@ -231,6 +234,12 @@ typedef struct {
+ #define SSH_KEYSTROKE_CHAFF_MIN_MS		1024
+ #define SSH_KEYSTROKE_CHAFF_RNG_MS		2048
 
 +#ifdef DISABLE_BANNER
 +#define SSH_DISABLEBANNER_NO		0
@@ -99,11 +99,11 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.h a/readconf.h
 +
  const char *kex_default_pk_alg(void);
  char	*ssh_connection_hash(const char *thishost, const char *host,
-     const char *portstr, const char *user);
-diff -wpruN --no-dereference '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5
+     const char *portstr, const char *user, const char *jump_host);
+diff -wpruN '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5
 --- a~/ssh_config.5	1970-01-01 00:00:00
 +++ a/ssh_config.5	1970-01-01 00:00:00
-@@ -611,6 +611,14 @@ If set to a time in seconds, or a time i
+@@ -700,6 +700,14 @@ If set to a time in seconds, or a time i
  then the backgrounded master connection will automatically terminate
  after it has remained idle (with no client connections) for the
  specified time.
@@ -118,7 +118,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5
  .It Cm DynamicForward
  Specifies that a TCP port on the local machine be forwarded
  over the secure channel, and the application
-diff -wpruN --no-dereference '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
+diff -wpruN '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
 --- a~/sshconnect2.c	1970-01-01 00:00:00
 +++ a/sshconnect2.c	1970-01-01 00:00:00
 @@ -84,6 +84,10 @@ extern char *client_version_string;
@@ -132,7 +132,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
  /*
   * SSH2 key exchange
   */
-@@ -585,8 +589,28 @@ input_userauth_banner(int type, u_int32_
+@@ -586,8 +590,28 @@ input_userauth_banner(int type, u_int32_
  	if ((r = sshpkt_get_cstring(ssh, &msg, &len)) != 0 ||
  	    (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0)
  		goto out;

diff --git a/build/openssh/patches/0009-PAM-conversation-fix.patch b/build/openssh/patches/0009-PAM-conversation-fix.patch
@@ -3,10 +3,10 @@ From: oracle <[email protected]>
 Date: Mon, 3 Aug 2015 14:36:13 -0700
 Subject: [PATCH 09/34] PAM conversation fix
 
-diff -wpruN --no-dereference '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c
+diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c
 --- a~/auth-pam.c	1970-01-01 00:00:00
 +++ a/auth-pam.c	1970-01-01 00:00:00
-@@ -1279,11 +1279,13 @@ free_pam_environment(char **env)
+@@ -1281,11 +1281,13 @@ free_pam_environment(char **env)
  	free(env);
  }
 
@@ -20,7 +20,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c
  static int
  sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
      struct pam_response **resp, void *data)
-@@ -1305,12 +1307,24 @@ sshpam_passwd_conv(int n, sshpam_const s
+@@ -1307,12 +1309,24 @@ sshpam_passwd_conv(int n, sshpam_const s
  	for (i = 0; i < n; ++i) {
  		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
  		case PAM_PROMPT_ECHO_OFF:
@@ -45,7 +45,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c
  		case PAM_ERROR_MSG:
  		case PAM_TEXT_INFO:
  			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-@@ -1347,6 +1361,9 @@ static struct pam_conv passwd_conv = { s
+@@ -1349,6 +1363,9 @@ static struct pam_conv passwd_conv = { s
  int
  sshpam_auth_passwd(Authctxt *authctxt, const char *password)
  {
@@ -55,7 +55,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c
  	int flags = (options.permit_empty_passwd == 0 ?
  	    PAM_DISALLOW_NULL_AUTHTOK : 0);
  	char *fake = NULL;
-@@ -1367,6 +1384,15 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+@@ -1369,6 +1386,15 @@ sshpam_auth_passwd(Authctxt *authctxt, c
  	    options.permit_root_login != PERMIT_YES))
  		sshpam_password = fake = fake_password(password);
 
@@ -71,7 +71,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c
  	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
  	    (const void *)&passwd_conv);
  	if (sshpam_err != PAM_SUCCESS)
-@@ -1378,6 +1404,16 @@ sshpam_auth_passwd(Authctxt *authctxt, c
+@@ -1380,6 +1406,16 @@ sshpam_auth_passwd(Authctxt *authctxt, c
  	free(fake);
  	if (sshpam_err == PAM_MAXTRIES)
  		sshpam_set_maxtries_reached(1);