openssh - update from 9.8p1 to 9.9p1

omniosorg · Sep 30, 2024 · 311d2cf · 311d2cf
1 parent b70bef2
commit 311d2cf
Show file tree

Hide file tree

Showing 16 changed files with 79 additions and 68 deletions.
diff --git a/build/openssh/build.sh b/build/openssh/build.sh
@@ -18,7 +18,7 @@
 . ../../lib/build.sh
 
 PROG=openssh
-VER=9.8p1
+VER=9.9p1
 PKG=network/openssh
 SUMMARY="OpenSSH Client and utilities"
 DESC="OpenSSH Secure Shell protocol Client and associated Utilities"

diff --git a/build/openssh/patches/0002-PAM-Support.patch b/build/openssh/patches/0002-PAM-Support.patch
@@ -13,7 +13,7 @@ Subject: [PATCH 02/34] PAM Support
 diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 --- a~/servconf.c	1970-01-01 00:00:00
 +++ a/servconf.c	1970-01-01 00:00:00
-@@ -295,7 +295,12 @@ fill_default_server_options(ServerOption
+@@ -297,7 +297,12 @@ fill_default_server_options(ServerOption
 
  	/* Portable-specific options */
  	if (options->use_pam == -1)
@@ -26,7 +26,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	if (options->pam_service_name == NULL)
  		options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
 
-@@ -1325,8 +1330,17 @@ process_server_config_line_depth(ServerO
+@@ -1345,8 +1350,17 @@ process_server_config_line_depth(ServerO
  	switch (opcode) {
  	/* Portable-specific options */
  	case sUsePAM:

diff --git a/build/openssh/patches/0003-lastlogin.patch b/build/openssh/patches/0003-lastlogin.patch
@@ -6,7 +6,7 @@ Subject: [PATCH 03/34] lastlogin
 diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
 --- a~/sshd_config.5	1970-01-01 00:00:00
 +++ a/sshd_config.5	1970-01-01 00:00:00
-@@ -1670,8 +1670,8 @@ Specifies whether
+@@ -1683,8 +1683,8 @@ Specifies whether
  .Xr sshd 8
  should print the date and time of the last user login when a user logs
  in interactively.
@@ -17,7 +17,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
  .It Cm PrintMotd
  Specifies whether
  .Xr sshd 8
-@@ -2195,7 +2195,8 @@ This file should be writable by root onl
+@@ -2220,7 +2220,8 @@ This file should be writable by root onl
  .El
  .Sh SEE ALSO
  .Xr sftp-server 8 ,

diff --git a/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch b/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch
@@ -129,7 +129,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 --- a~/servconf.c	1970-01-01 00:00:00
 +++ a/servconf.c	1970-01-01 00:00:00
-@@ -647,7 +647,11 @@ static struct {
+@@ -653,7 +653,11 @@ static struct {
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -144,7 +144,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd-session.c a/sshd-session.c
 --- a~/sshd-session.c	1970-01-01 00:00:00
 +++ a/sshd-session.c	1970-01-01 00:00:00
-@@ -1339,9 +1339,23 @@ main(int ac, char **av)
+@@ -1353,9 +1353,23 @@ main(int ac, char **av)
 
  #ifdef GSSAPI
  	if (options.gss_authentication) {

diff --git a/build/openssh/patches/0008-Add-DisableBanner-option.patch b/build/openssh/patches/0008-Add-DisableBanner-option.patch
@@ -21,7 +21,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	{ "tunnel", oTunnel },
  	{ "tunneldevice", oTunnelDevice },
  	{ "localcommand", oLocalCommand },
-@@ -1025,6 +1031,17 @@ parse_multistate_value(const char *arg,
+@@ -1054,6 +1060,17 @@ parse_multistate_value(const char *arg,
  	return -1;
  }
 
@@ -39,7 +39,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  /*
   * Processes a single option line as used in the configuration files. This
   * only sets those values that have not already been set.
-@@ -2388,6 +2405,13 @@ parse_pubkey_algos:
+@@ -2422,6 +2439,13 @@ parse_pubkey_algos:
  		}
  		break;
 
@@ -53,7 +53,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	case oDeprecated:
  		debug("%s line %d: Deprecated option \"%s\"",
  		    filename, linenum, keyword);
-@@ -2626,6 +2650,9 @@ initialize_options(Options * options)
+@@ -2660,6 +2684,9 @@ initialize_options(Options * options)
  	options->stdin_null = -1;
  	options->fork_after_authentication = -1;
  	options->proxy_use_fdpass = -1;
@@ -63,7 +63,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/readconf.c a/readconf.c
  	options->ignored_unknown = NULL;
  	options->num_canonical_domains = 0;
  	options->num_permitted_cnames = 0;
-@@ -2833,6 +2860,10 @@ fill_default_options(Options * options)
+@@ -2867,6 +2894,10 @@ fill_default_options(Options * options)
  		options->canonicalize_fallback_local = 1;
  	if (options->canonicalize_hostname == -1)
  		options->canonicalize_hostname = SSH_CANONICALISE_NO;
@@ -132,7 +132,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c
  /*
   * SSH2 key exchange
   */
-@@ -575,8 +579,28 @@ input_userauth_banner(int type, u_int32_
+@@ -576,8 +580,28 @@ input_userauth_banner(int type, u_int32_
  	if ((r = sshpkt_get_cstring(ssh, &msg, &len)) != 0 ||
  	    (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0)
  		goto out;

diff --git a/build/openssh/patches/0010-PAM-enhancements-for-Solaris.patch b/build/openssh/patches/0010-PAM-enhancements-for-Solaris.patch
@@ -268,7 +268,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2.c a/auth2.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
 --- a~/monitor.c	1970-01-01 00:00:00
 +++ a/monitor.c	1970-01-01 00:00:00
-@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
+@@ -118,6 +118,9 @@ int mm_answer_sign(struct ssh *, int, st
  int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
  int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
  int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -278,7 +278,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
  int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
  int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -189,10 +192,17 @@ struct mon_table mon_dispatch_proto20[]
+@@ -190,10 +193,17 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -296,7 +296,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
      {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
      {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_pam_init_ctx},
      {MONITOR_REQ_PAM_QUERY, 0, mm_answer_pam_query},
-@@ -303,6 +313,23 @@ monitor_child_preauth(struct ssh *ssh, s
+@@ -304,6 +314,23 @@ monitor_child_preauth(struct ssh *ssh, s
 
  		/* Special handling for multiple required authentications */
  		if (options.num_auth_methods != 0) {
@@ -320,7 +320,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  			if (authenticated &&
  			    !auth2_update_methods_lists(authctxt,
  			    auth_method, auth_submethod)) {
-@@ -320,8 +347,21 @@ monitor_child_preauth(struct ssh *ssh, s
+@@ -321,8 +348,21 @@ monitor_child_preauth(struct ssh *ssh, s
  			    !auth_root_allowed(ssh, auth_method))
  				authenticated = 0;
  #ifdef USE_PAM
@@ -342,7 +342,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  				struct sshbuf *m;
 
  				if ((m = sshbuf_new()) == NULL)
-@@ -816,6 +856,10 @@ mm_answer_pwnamallow(struct ssh *ssh, in
+@@ -826,6 +866,10 @@ mm_answer_pwnamallow(struct ssh *ssh, in
  	/* Allow service/style information on the auth context */
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
@@ -353,7 +353,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
 
  #ifdef USE_PAM
  	if (options.use_pam)
-@@ -840,6 +884,27 @@ int mm_answer_auth2_read_banner(struct s
+@@ -850,6 +894,27 @@ int mm_answer_auth2_read_banner(struct s
  	return (0);
  }
 
@@ -443,7 +443,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 
  	/* Standard Options */
  	options->num_ports = 0;
-@@ -301,8 +312,13 @@ fill_default_server_options(ServerOption
+@@ -303,8 +314,13 @@ fill_default_server_options(ServerOption
  #else
  		options->use_pam = 0;
  #endif
@@ -457,7 +457,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 
  	/* Standard Options */
  	if (options->num_host_key_files == 0) {
-@@ -543,6 +559,9 @@ typedef enum {
+@@ -549,6 +565,9 @@ typedef enum {
  	sBadOption,		/* == unknown option */
  	/* Portable-specific options */
  	sUsePAM, sPAMServiceName,
@@ -467,7 +467,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	/* Standard Options */
  	sPort, sHostKeyFile, sLoginGraceTime,
  	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-@@ -595,10 +614,20 @@ static struct {
+@@ -601,10 +620,20 @@ static struct {
  	/* Portable-specific options */
  #ifdef USE_PAM
  	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
@@ -488,7 +488,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  #endif
  	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
  	/* Standard Options */
-@@ -1345,6 +1374,21 @@ process_server_config_line_depth(ServerO
+@@ -1365,6 +1394,21 @@ process_server_config_line_depth(ServerO
  		intptr = &options->use_pam;
  		goto parse_flag;
  #endif
@@ -510,7 +510,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
  	case sPAMServiceName:
  		charptr = &options->pam_service_name;
  		arg = argv_next(&ac, &av);
-@@ -1352,8 +1396,20 @@ process_server_config_line_depth(ServerO
+@@ -1372,8 +1416,20 @@ process_server_config_line_depth(ServerO
  			fatal("%s line %d: missing argument.",
  			    filename, linenum);
  		}
@@ -534,7 +534,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c
 diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
 --- a~/servconf.h	1970-01-01 00:00:00
 +++ a/servconf.h	1970-01-01 00:00:00
-@@ -211,6 +211,10 @@ typedef struct {
+@@ -212,6 +212,10 @@ typedef struct {
 
  	int	use_pam;		/* Enable auth via PAM */
  	char   *pam_service_name;
@@ -548,7 +548,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.h a/servconf.h
 diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd.8 a/sshd.8
 --- a~/sshd.8	1970-01-01 00:00:00
 +++ a/sshd.8	1970-01-01 00:00:00
-@@ -1014,6 +1014,31 @@ concurrently for different ports, this c
+@@ -1018,6 +1018,31 @@ concurrently for different ports, this c
  started last).
  The content of this file is not sensitive; it can be world-readable.
  .El
@@ -583,15 +583,15 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd.8 a/sshd.8
 diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
 --- a~/sshd_config.5	1970-01-01 00:00:00
 +++ a/sshd_config.5	1970-01-01 00:00:00
-@@ -1308,6 +1308,7 @@ Available keywords are
+@@ -1315,6 +1315,7 @@ Available keywords are
  .Cm MaxAuthTries ,
  .Cm MaxSessions ,
  .Cm PAMServiceName ,
 +.Cm PAMServicePrefix ,
  .Cm PasswordAuthentication ,
  .Cm PermitEmptyPasswords ,
  .Cm PermitListen ,
-@@ -1375,12 +1376,34 @@ key exchange methods.
+@@ -1383,12 +1384,34 @@ key exchange methods.
  The default is
  .Pa /etc/moduli .
  .It Cm PAMServiceName
@@ -632,7 +632,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5
  .It Cm PasswordAuthentication
  Specifies whether password authentication is allowed.
  The default is
-@@ -2011,8 +2034,7 @@ If
+@@ -2036,8 +2059,7 @@ If
  is enabled, you will not be able to run
  .Xr sshd 8
  as a non-root user.

diff --git a/build/openssh/patches/0013-Solaris-Auditing-support.patch b/build/openssh/patches/0013-Solaris-Auditing-support.patch
@@ -699,7 +699,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/audit.h a/audit.h
 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
 --- a~/configure.ac	1970-01-01 00:00:00
 +++ a/configure.ac	1970-01-01 00:00:00
-@@ -1770,7 +1770,7 @@ AC_ARG_WITH([libedit],
+@@ -1777,7 +1777,7 @@ AC_ARG_WITH([libedit],
 
  AUDIT_MODULE=none
  AC_ARG_WITH([audit],
@@ -708,7 +708,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac
  	[
  	  AC_MSG_CHECKING([for supported audit module])
  	  case "$withval" in
-@@ -1807,6 +1807,13 @@ AC_ARG_WITH([audit],
+@@ -1814,6 +1814,13 @@ AC_ARG_WITH([audit],
  		SSHDLIBS="$SSHDLIBS -laudit"
  		AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
  		;;
@@ -740,7 +740,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/defines.h a/defines.h
 diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd-session.c a/sshd-session.c
 --- a~/sshd-session.c	1970-01-01 00:00:00
 +++ a/sshd-session.c	1970-01-01 00:00:00
-@@ -1252,7 +1252,7 @@ main(int ac, char **av)
+@@ -1254,7 +1254,7 @@ main(int ac, char **av)
  	remote_ip = ssh_remote_ipaddr(ssh);
 
  #ifdef SSH_AUDIT_EVENTS
@@ -749,7 +749,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd-session.c a/sshd-session
  #endif
 
  	rdomain = ssh_packet_rdomain_in(ssh);
-@@ -1334,8 +1334,10 @@ main(int ac, char **av)
+@@ -1348,8 +1348,10 @@ main(int ac, char **av)
  		set_process_rdomain(ssh, options.routing_domain);
 
  #ifdef SSH_AUDIT_EVENTS

diff --git a/build/openssh/patches/0015-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch b/build/openssh/patches/0015-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch
@@ -78,7 +78,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/auth2-hostbased.c a/auth2-hos
 diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
 --- a~/monitor.c	1970-01-01 00:00:00
 +++ a/monitor.c	1970-01-01 00:00:00
-@@ -392,6 +392,12 @@ monitor_child_preauth(struct ssh *ssh, s
+@@ -393,6 +393,12 @@ monitor_child_preauth(struct ssh *ssh, s
  		}
  	}
 
@@ -91,7 +91,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  	if (!authctxt->valid)
  		fatal_f("authenticated invalid user");
  	if (strcmp(auth_method, "unknown") == 0)
-@@ -596,14 +602,16 @@ monitor_reset_key_state(void)
+@@ -597,14 +603,16 @@ monitor_reset_key_state(void)
  {
  	/* reset state */
  	free(key_blob);
@@ -109,7 +109,7 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/monitor.c a/monitor.c
  	hostbased_chost = NULL;
  }
 
-@@ -1086,6 +1094,11 @@ mm_answer_pam_account(struct ssh *ssh, i
+@@ -1096,6 +1104,11 @@ mm_answer_pam_account(struct ssh *ssh, i
  	if (!options.use_pam)
  		fatal("%s: PAM not enabled", __func__);