summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorwiz <wiz>2005-04-28 14:10:04 +0000
committerwiz <wiz>2005-04-28 14:10:04 +0000
commit84074bb4bab6a6a59df1d93511d7b930b0abfc6d (patch)
tree13acc47c6f261e36791c990446bec2ba1df6b4b4 /security
parent48b80454cddb39303b74bae8239395cb12d4526d (diff)
downloadpkgsrc-84074bb4bab6a6a59df1d93511d7b930b0abfc6d.tar.gz
Update to 2.0.1:
News for the 2.0.1 release Fixed denial of service bug in lshd. Fixed a bug in lsh-make-seed, which could make the program go into an infinite loop on read errors. lsh now asks for passwords also in quite (-q) mode, as described in the manual. Control character filtering used to sometimes consider newline as a dangerous control character. Now newlines should be displayed normally. Removed support for the non-standard alias "diffie-hellman-group2-sha1". The standardized name is for this key exchange method is "diffie-hellman-group14-sha1". News for the 2.0 release Several programs have new default behaviour: * lshd enables X11 forwarding by default (lsh still does not). * lsh-keygen generates RSA rather than DSA keys by default. * lsh-writekey encrypts the private key by default, using aes256-cbc. Unless the --server flag is used. Improved the lcp script. It is now installed by default. Implemented the client side of "keyboard-interactive" user authentication. Support keyexchange with diffie-hellman-group14-sha1/diffie-hellman-group2-sha1 (the standardized name is at the moment not decided). Fixes to the utf8 encoder, and in particular interactions between utf8 and control character filtering. News for the 1.5.5 release Added SOCKS-style proxying to lsh and lshg. See the new -D command line option. Supports both SOCKS-4 and SOCKS-5. The lsh client no longer sets its stdio file descriptors into non-blocking mode, which should avoid a bunch of problems. As a consequence, the --cvs-workaround command line option has been deleted. In the user lookup code, lshd now ignores the shadow database if getspnam returns NULL. In the server pty setup code, use the group "system" as a fallback if the group "tty" doesn't exist. This is the case on AIX. (There are however more problems on AIX, which makes it uncertain that lshd will work out of the box). Deleted the --ssh1-fallback option for lshd. I hope ssh1 is dead by now; if it isn't, you have to run ssh1d and lshd on different ports. Deleted code for bug-compatibility with ancient versions of Datafellow's SSH2. There are zero bug-compatibility hacks in this version. News for the 1.5.4 release Added logging of tcpip-forward requests. Includes nettle-1.9, which have had some portability fixes and optimizations. In particular, arcfour on x86 should be much faster. Implemented flow control on the raw ssh connection. Enforce limits on the amount of buffered data waiting to be written to the socket. Moved all destructive string operations to a separate file lsh_string.c, which has exclusive rights of accessing string internals. Should make the code more robust, as buffer size and index calculations elsewhere in the code should hit an assert in lsh_string.c before doing damage. Some general simplification and cleanup of the code. News for the 1.5.3 release Fixed heap buffer overrun with potential remote root compromise. Initial bug report by Bennett Todd. Fixed a similar bug in the check for channel number allocation failure in the handling of channel_open, and in the experimental client SRP code. lshd now has an experimental mode similar to telnet, where it accepts the 'none' authentication method and automatically disables services such as X and TCP forwarding. This can be useful in environment where it's required that /bin/login or some other program handle authentication and session setup (e.g. handle security contexts and so on). News for the 1.5.2 release Encrypted private keys works again. New client escape sequence RET ~ ?, which lists all available escape sequences. Also fixed the werror functions so that they use \r\n to terminate lines when writing to a tty in raw mode. Implemented handling of multiple --interface options to lshd. As a side effect, The -p option must now be given before --interface to have any effect. Connecting to machines with multiple IP-adresses is smarter, it connects to a few addresses at a time, in parallel. Fixed a file descriptor leak in the server tcpip forwarding code. Lots of portability fixes. News for the 1.5.1 release Incompatible change to key format, to comply with the current spki structure draft. You can use the script lsh-upgrade to copy and convert the information in the old .lsh/known-hosts to the new file .lsh/host-acls. The new code uses libspki. Fixed IPv6 bug reported by Simon Kowallik. lshd now does the equivalence of ulimit -n unlimited, this is inherited by processes started upon client requests. If you don't want this, you should use /etc/{profile,login,whatever} to set limits for your users. Do note that PAM-based solutions will NOT work as PAM is used from a separate process that terminates as soon as the authentication is finished (this of course goes for environment variables too). lsh and and lshg now parses options from LSHFLAGS and LSHGFLAGS, these are parsed before and can be overridden by the command line. News for the 1.5 release Implemented the server side of X11 forwarding. Try lshd --x11-forward. There's one known bug: The server may start sending data on the session channel (typically your first shell prompt) before it has sent the reply to the client's "shell" or "exec" request. lsh will complain about, and ignore that data. As part of the X11 hacking, the socket code have been reorganized. Deleted one of the ipv6 configure tests. Now lsh will happily build ipv6 support even if ipv6 is not available at run-time on the build machine. Fixed bug preventing -c none from working. Another bug fix, call setsid even in the non-pty case. Various bug fixes.
Diffstat (limited to 'security')
-rw-r--r--security/lsh/Makefile16
-rw-r--r--security/lsh/PLIST42
-rw-r--r--security/lsh/distinfo8
3 files changed, 50 insertions, 16 deletions
diff --git a/security/lsh/Makefile b/security/lsh/Makefile
index 710b5699440..e6b85dd6b35 100644
--- a/security/lsh/Makefile
+++ b/security/lsh/Makefile
@@ -1,18 +1,26 @@
-# $NetBSD: Makefile,v 1.6 2005/04/11 21:47:13 tv Exp $
+# $NetBSD: Makefile,v 1.7 2005/04/28 14:10:04 wiz Exp $
#
-DISTNAME= lsh-1.4.3
-PKGREVISION= 1
+DISTNAME= lsh-2.0.1
CATEGORIES= security
MASTER_SITES= ftp://ftp.lysator.liu.se/pub/security/lsh/
MAINTAINER= tech-pkg@NetBSD.org
HOMEPAGE= http://www.lysator.liu.se/~nisse/lsh/
-COMMENT= ssh2 client/server
+COMMENT= SSH2 client/server
GNU_CONFIGURE= yes
USE_GNU_TOOLS+= make
+# man/man8/sftp-server.8
+CONFLICTS+= openssh-[0-9]* openssh+gssapi-[0-9]*
+
+# src/nettle/examples/nettle-openssl.c needs des_key*
+USE_OLD_DES_API= yes
+
+INFO_FILES= lsh.info nettle.info
+
.include "../../devel/gmp/buildlink3.mk"
.include "../../devel/liboop/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
diff --git a/security/lsh/PLIST b/security/lsh/PLIST
index 177da6375a5..c32f4d543e5 100644
--- a/security/lsh/PLIST
+++ b/security/lsh/PLIST
@@ -1,49 +1,75 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2004/01/12 15:55:11 drochner Exp $
+@comment $NetBSD: PLIST,v 1.2 2005/04/28 14:10:04 wiz Exp $
+bin/lcp
bin/lsftp
bin/lsh
bin/lsh-authorize
bin/lsh-decode-key
+bin/lsh-decrypt-key
bin/lsh-export-key
bin/lsh-keygen
bin/lsh-make-seed
+bin/lsh-upgrade
+bin/lsh-upgrade-key
bin/lsh-writekey
bin/lshg
+bin/nettle-lfib-stream
bin/sexp-conv
bin/srp-gen
bin/ssh-conv
include/nettle/aes.h
include/nettle/arcfour.h
+include/nettle/arctwo.h
+include/nettle/base16.h
include/nettle/base64.h
+include/nettle/bignum.h
include/nettle/blowfish.h
+include/nettle/buffer.h
include/nettle/cast128.h
include/nettle/cbc.h
include/nettle/des-compat.h
include/nettle/des.h
+include/nettle/dsa.h
include/nettle/hmac.h
include/nettle/knuth-lfib.h
+include/nettle/macros.h
+include/nettle/md2.h
+include/nettle/md4.h
include/nettle/md5-compat.h
include/nettle/md5.h
+include/nettle/memxor.h
include/nettle/nettle-meta.h
+include/nettle/nettle-types.h
+include/nettle/pgp.h
+include/nettle/pkcs1.h
+include/nettle/realloc.h
+include/nettle/rsa-compat.h
include/nettle/rsa.h
include/nettle/serpent.h
+include/nettle/sexp.h
include/nettle/sha.h
include/nettle/twofish.h
include/nettle/yarrow.h
-info/lsh.info
-info/nettle.info
-info/nettle.info-1
-info/nettle.info-2
lib/libnettle.a
+man/man1/lsftp.1
+man/man1/lsh-authorize.1
+man/man1/lsh-decode-key.1
+man/man1/lsh-decrypt-key.1
+man/man1/lsh-export-key.1
+man/man1/lsh-keygen.1
+man/man1/lsh-make-seed.1
+man/man1/lsh-upgrade-key.1
+man/man1/lsh-upgrade.1
+man/man1/lsh-writekey.1
man/man1/lsh.1
-man/man1/lsh_keygen.1
-man/man1/lsh_writekey.1
+man/man1/lshg.1
+man/man1/ssh-conv.1
man/man5/DSA.5
man/man5/SHA.5
man/man5/SPKI.5
man/man5/secsh.5
man/man8/lshd.8
+man/man8/sftp-server.8
sbin/lsh-execuv
-sbin/lsh_proxy
sbin/lshd
sbin/sftp-server
@dirrm include/nettle
diff --git a/security/lsh/distinfo b/security/lsh/distinfo
index 24b0b30b7d7..3349a1e72e4 100644
--- a/security/lsh/distinfo
+++ b/security/lsh/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.2 2005/02/24 13:10:08 agc Exp $
+$NetBSD: distinfo,v 1.3 2005/04/28 14:10:04 wiz Exp $
-SHA1 (lsh-1.4.3.tar.gz) = 25cb15a0851b3209cc5b3552344fedf80221ad6f
-RMD160 (lsh-1.4.3.tar.gz) = c5bc410396f6426e2e609ded97296424d8a3bd46
-Size (lsh-1.4.3.tar.gz) = 1414008 bytes
+SHA1 (lsh-2.0.1.tar.gz) = 58f4829f29b12c1b96463c2b0efcba6d6e553081
+RMD160 (lsh-2.0.1.tar.gz) = 61541e8e8b6fb8f026059eaf0a2dc6f396aaa4cf
+Size (lsh-2.0.1.tar.gz) = 1866063 bytes
SHA1 (patch-aa) = 08cb6cf3f28ae2281d109e20dc9585111009ea50
SHA1 (patch-ab) = 179647434ecf7a4b42e301f1ac1c794f217d69d0