summaryrefslogtreecommitdiff
path: root/security/openssh
AgeCommit message (Collapse)AuthorFilesLines
2004-10-24tell configure where to find xauth(1) so that X forwarding over sshgrant1-2/+9
works when using pkgsrc X11. bump PKGREVISION.
2004-10-03Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10tv1-1/+2
in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include.
2004-08-31Update to 3.9p1:wiz14-89/+89
* Added new "IdentitiesOnly" option to ssh(1), which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent(1) * Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things * Add strict permission and ownership checks to programs reading ~/.ssh/config NB ssh(1) will now exit instead of trying to process a config with poor ownership or permissions * Implemented the ability to pass selected environment variables between the client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in ssh_config(5) for details * Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum number of authentication attempts permitted per connection * Added support for cancellation of active remote port forwarding sessions. This may be performed using the ~C escape character, see "Escape Characters" in ssh(1) for details * Many sftp(1) interface improvements, including greatly enhanced "ls" support and the ability to cancel active transfers using SIGINT (^C) * Implement session multiplexing: a single ssh(1) connection can now carry multiple login/command/file transfer sessions. Refer to the "ControlMaster" and "ControlPath" options in ssh_config(5) for more information * The sftp-server has improved support for non-POSIX filesystems (e.g. FAT) * Portable OpenSSH: Re-introduce support for PAM password authentication, in addition to the keyboard-interactive driver. PAM password authentication is less flexible, and doesn't support pre-authentication password expiry but runs in-process so Kerberos tokens, etc are retained * Improved and more extensive regression tests * Many bugfixes and small improvements
2004-08-04Make openssh build on Interix. Currently only the client (ssh) wasminskim17-19/+372
tested. The server (sshd) still needs more patches especially because of non-zero Administrator uid/gid issues.
2004-07-25add CONFLICT with ssh2-nox11.grant1-2/+3
2004-05-21Only use the NetBSD-specific MESSAGE.urandom for NetBSD.reed1-1/+3
It says to use "pseudo-device rnd" kernel configuration. TODO: if the above instructions are fine for other operating systems with /dev/urandom then add.
2004-05-21The makefile had a comment saying PAM authentication causes memoryreed1-13/+12
faults, and haven't tracked down why yet. No allow PAM authentication if Linux (and USE_PAM is defined). This will close my 20846 PR from March 2003. Also, install the contrib/sshd.pam.generic file as the example sshd.pam instead of the FreeBSD version, but this okay since it was commented out in the first place. TODO: test the PAM support on other platforms and allow if USE_PAM is defined.
2004-05-10Not needed after 3.8.1p1 update.wiz3-41/+0
2004-05-10Update to 3.8.1p1:wiz5-56/+24
Minor bugfixes.
2004-05-02Enable md5 passwords support in Linux. This closes PR pkg/25322 byxtraeme1-1/+4
Piotr Meyer.
2004-04-28The buildlink3.mk file for the Kerberos 5 implementation used willjlam1-2/+1
automatically pass the correct -I flags to the compiler.
2004-04-28This version of OpenSSH actually no longer supports building withjlam1-7/+1
Kerberos 4 support, so remove those Makefile checks.
2004-04-28Fix up OpenSSH sources to allow building with S/Key support on NetBSD asjlam5-10/+55
well. Bump the PKGREVISION. XXX The right fix is to create a autoconf check for the number of args XXX that skeychallenge takes and do the right thing accordingly.
2004-04-28Building with Kerberos 4 support doesn't work when using mit-krb5. Onlyjlam1-11/+10
allow building with Kerberos 4 support when using Heimdal and if the kerberosIV headers exist.
2004-04-27Add the .endif I missed off last night.markd1-1/+2
2004-04-27Don't support the updating the in-tree openssh via pkgsrc. pkgsrc reallyjlam2-61/+1
has no business trying to update parts of the base system.
2004-04-27Add handling of utmpx/wtmpx on NetBSD-current.markd6-11/+154
Bump PKGREVISION.
2004-04-27Something in our framework interferes with configure disabling utmp/wtmpmarkd1-1/+5
handling on Solaris >= 8 so do it explicitly.
2004-04-27Use krb5.buildlink3.mk to find krb5 locations.markd1-5/+7
2004-04-27Teach about recent NetBSD versions.markd1-4/+5
Finish buildlink3 changes. Obscure LOCALBASE path so that base system compilers dont match the prefix otherwise compiler.mk then wants to build the pkgsrc gcc package. (ick)
2004-04-25Convert to bl3; update comments in Makefile.intree.wiz2-11/+11
2004-04-23mk/bsd.pkg.install.mk now automatically registersreed2-5/+2
the RCD_SCRIPTS rc.d script(s) to the PLIST. This GENERATE_PLIST idea is part of Greg A. Woods' PR #22954. This helps when the RC_SCRIPTS are installed to a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later, the default RCD_SCRIPTS_EXAMPLEDIR will be changed to be more clear that they are the examples.) These patches also remove the etc/rc.d/ scripts from PLISTs (of packages that use RCD_SCRIPTS). (This also removes now unused references from openssh* makefiles. Note that qmail package has not been changed yet.) I have been doing automatic PLIST registration for RC_SCRIPTS for over a year. Not all of these packages have been tested, but many have been tested and used. Somethings maybe to do: - a few packages still manually install the rc.d scripts to hard-coded etc/rc.d. These need to be fixed. - maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
2004-03-26PKGREVISION bump after openssl-security-fix-update to 0.9.6m.wiz1-1/+2
Buildlink files: RECOMMENDED version changed to current version.
2004-03-12Update to 3.8p1:wiz5-27/+27
This version features many improvements and bugfixes.
2004-02-21Force manual pages installation, because some systems like IRIX willxtraeme1-1/+2
install them like preformatted manual pages (cat). Reported by Georg Schwarz in PR pkg/24428.
2004-02-07Don't set LD=${CC} globally, but only pass it to CONFIGURE_ENV, which isjlam1-2/+2
the only relevant place that wants it.
2003-11-12PKGREVISION++ after openssl update.jschauma1-2/+2
2003-10-18Add RCS IDscjep1-0/+1
2003-10-12set LD=CC again for all platforms with an appropriate comment - Igrant1-9/+11
don't know why this didn't originally work as it should, but I've just tested it with gcc3 and Forte 8 on Solaris and I couldn't make it fail. fixes coredump problem on Solaris observed by some, and also PR pkg/23120 from Alex Gerasimoff. bump PKGREVISION to differentiate between broken and unbroken package.
2003-10-12add a missing .elif OPSYS == NetBSD, which was resulting in passinggrant1-1/+2
"--with-skey=... --without-skey" on Solaris :)
2003-10-08Improve message (because on some systems it is okay to install to thereed1-2/+2
PAM directory too).
2003-09-23On non-SunOS, bring backjschauma1-1/+4
LD=${CC}
2003-09-23This version of OpenSSH doesn't need special flags for Irix anymore.jschauma1-4/+1
2003-09-23Update to 3.7.1p2:jschauma4-26/+13
Most important chcanges: security relevant bug fixes in new PAM authentication code Changes since OpenSSH 3.7.1p1: ============================== * This release disables PAM by default. To enable it, set "UsePAM yes" in sshd_config. Due to complexity, inconsistencies in the specification and differences between vendors' PAM implementations we recommend that PAM be left disabled in sshd_config unless there is a need for its use. Sites using only public key or simple password authentication usually have little need to enable PAM support. * This release now requires zlib 1.1.4 to build correctly. Previous versions have security problems. * Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes are not supported for older OpenSSL versions. * Fix compilation problems on systems with a missing or lacking inet_ntoa() function. * Workaround problems related to unimplemented or broken setresuid/setreuid functions on several platforms. * Fix compilation on older OpenBSD systems. * Fix handling of password-less authentication (PermitEmptyPasswords=yes) that has not worked since the 3.7p1 release.
2003-09-22as this pkg now calls the linker directly, we need to explicitlygrant1-3/+5
specify -lc on Solaris. remove a bogus hack setting LD=${CC} which was also breaking the build on Solaris.
2003-09-18Ok, so we can make this work on Irix by addingjschauma3-12/+15
-DSETEUID_BREAKS_SETUID -DBROKEN_SETREUID -DBROKEN_SETREGID to the CFLAGS. Wuppi.
2003-09-17Mark OpenSSH-3.7x as *not available for IRIX*!jschauma1-1/+11
# OpenSSH 3.7x currently does *not* work on IRIX! # To compile, we would need to remove the extraneous inclusion of the # ``inet_ntoa.h'' header in openbsd-compat/inet_ntoa.c, but even though # sshd will not work: It seems the connection is closed by the daemon # when it tries to spawn off a child to handle the incoming connection # # If you need the latest security patches for your openssh, I'm afraid you'll # have to apply them by hand to the 3.6.1p2 version. (Now wouldn't it be nice if we had a NOT_FOR_PLATFORM_REASON that is displayed automatically?)
2003-09-16move ftp.openssh.com to the top, as it's the only site which has thegrant1-3/+3
new distfile so far.
2003-09-16Update openssh to 3.7.1p1.grant2-6/+6
Changes since 3.7p1: more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU
2003-09-16Update openssh to 3.7p1.grant3-16/+15
Large number of changes since 3.6.1p2, the most pertinent being: * do not expand buffer before attempting to reallocate it (buffer.c) note that NetBSD-current already includes this fix. other changes include: * portability fixes * regression test fixes * add GSSAPI support and remove kerberos support from ssh1, retaining kerberos passwd auth for ssh1 and 2 * man page fixes * general bug fixes see the ChangeLog for full details.
2003-09-11Garbage-collect USE_OPENSSL_VERSION now that openssl/buildlink2.mk supportsjlam1-4/+1
just setting BUILDLINK_DEPENDS.openssl. USE_OPENSSL_VERSION wasn't actually needed here anyway since the minimum version allowed by openssl/buildlink2.mk exceeded the version requested here.
2003-08-30Add definitions for DEINSTALL_EXTRA_TMPL and INSTALL_EXTRA_TMPL ifjlam1-1/+3
USE_PKGINSTALL is "YES". bsd.pkg.install.mk will no longer automatically pick up a INSTALL/DEINSTALL script in the package directory and assume that you want it for the corresponding *_EXTRA_TMPL variable.
2003-08-30Prepare for pkgviews by making sure that passing VIEW-INSTALL orjlam1-16/+16
VIEW-DEINSTALL to the INSTALL/DEINSTALL scripts don't cause errors.
2003-07-30drop unneeded parensgrant1-2/+2
2003-07-24Bump ${PKGREVISION} for re-enabled kerberos support.jwise1-1/+2
2003-07-24Fix kerberos support in this package (kerberos support in the Makefilejwise1-6/+10
was commented out because it didn't work with recent openssh, is now fiexed and commented back in). This support is conditional on ${KERBEROS} being set, and currently enables support for both kerberos 4 and 5. This should be refined. This has been tested and confirmed on -current and 1.6. Testing on other platforms (if any? solaris?) in which we support kerberos in pkgsrc should be done.
2003-07-24Mark conflicts with openssh+gssapi.jwise1-1/+2
2003-07-17s/netbsd.org/NetBSD.org/grant1-2/+2
2003-06-10Upgrade to 3.6.1p2:jschauma3-15/+15
- (djm) Add back radix.o (used by AFS support), after it went missing from Makefile many moons ago - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer - (djm) Fix blibpath specification for AIX/gcc - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org (This last fix makes this compile on IRIX again.)
2003-06-02Use tech-pkg@ in favor of packages@ as MAINTAINER for orphaned packages.jschauma1-2/+2
Should anybody feel like they could be the maintainer for any of thewe packages, please adjust.