diff options
| -rw-r--r-- | security/openssh/Makefile | 4 | ||||
| -rw-r--r-- | security/openssh/files/patch-an | 149 | ||||
| -rw-r--r-- | security/openssh/files/patch-ao | 13 | ||||
| -rw-r--r-- | security/openssh/files/patch-ap | 138 | ||||
| -rw-r--r-- | security/openssh/files/patch-ar | 46 |
5 files changed, 328 insertions, 22 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile index 9459fcb..a30fbd5 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -118,9 +118,9 @@ do-extract: @${CP} ${FILESDIR}/pam_ssh.c ${WRKSRC}/pam_ssh/ post-patch: - @${PERL} -pi.orig -e 's:__PREFIX__:${PREFIX}:g' ${WRKSRC}/ssh.h \ + @${PERL} -pi -e 's:__PREFIX__:${PREFIX}:g' ${WRKSRC}/ssh.h \ ${WRKSRC}/sshd_config ${WRKSRC}/pam_ssh/pam_ssh.c - @${PERL} -pi.openssl -e \ + @${PERL} -pi -e \ 's:^(\s*#\s*include\s+<)ssl(/\w+\.h>\s*)$$:$$1openssl$$2:g' \ ${WRKSRC}/*.[ch] diff --git a/security/openssh/files/patch-an b/security/openssh/files/patch-an index 9110383..c102d36 100644 --- a/security/openssh/files/patch-an +++ b/security/openssh/files/patch-an @@ -1,6 +1,14 @@ --- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.c Sun Nov 28 16:50:26 1999 -+++ sshd.c Sun Nov 28 17:22:27 1999 -@@ -32,6 +32,16 @@ ++++ sshd.c Mon Dec 6 00:54:51 1999 +@@ -24,6 +24,7 @@ + #include "servconf.h" + #include "uidswap.h" + #include "compat.h" ++#include <time.h> + + #ifdef LIBWRAP + #include <tcpd.h> +@@ -32,6 +33,16 @@ int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ @@ -17,7 +25,108 @@ #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -1048,6 +1058,14 @@ +@@ -118,6 +129,32 @@ + the private key. */ + RSA *public_key; + ++/* These are used to implement connections_per_period. */ ++struct magic_connection { ++ struct timeval connections_begin; ++ unsigned int connections_this_period; ++} *magic_connections; ++/* Magic number, too! TODO: this doesn't have to be static. */ ++const size_t MAGIC_CONNECTIONS_SIZE = 1; ++ ++static __inline int ++magic_hash(struct sockaddr_in *sin) { ++ ++ return 0; ++} ++ ++static __inline struct timeval ++timevaldiff(struct timeval *tv1, struct timeval *tv2) { ++ struct timeval diff; ++ int carry; ++ ++ carry = tv1->tv_usec > tv2->tv_usec; ++ diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1); ++ diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0); ++ ++ return diff; ++} ++ + /* Prototypes for various functions defined later in this file. */ + void do_connection(); + void do_authentication(char *user); +@@ -278,6 +315,7 @@ + extern char *optarg; + extern int optind; + int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1; ++ int connections_per_period_exceeded = 0; + int remote_major, remote_minor; + int silentrsa = 0; + struct sockaddr_in sin; +@@ -542,6 +580,12 @@ + /* Arrange SIGCHLD to be caught. */ + signal(SIGCHLD, main_sigchld_handler); + ++ /* Initialize the magic_connections table. It's magical! */ ++ magic_connections = calloc(MAGIC_CONNECTIONS_SIZE, ++ sizeof(struct magic_connection)); ++ if (magic_connections == NULL) ++ fatal("calloc: %s", strerror(errno)); ++ + /* + * Stay listening for connections until the system crashes or + * the daemon is killed with a signal. +@@ -560,9 +604,31 @@ + error("accept: %.100s", strerror(errno)); + continue; + } ++ if (options.connections_per_period != 0) { ++ struct timeval diff, connections_end; ++ struct magic_connection *mc; ++ ++ (void)gettimeofday(&connections_end, NULL); ++ mc = &magic_connections[magic_hash(&sin)]; ++ diff = timevaldiff(&mc->connections_begin, &connections_end); ++ if (diff.tv_sec >= options.connections_period) { ++ /* ++ * Slide the window forward only after completely ++ * leaving it. ++ */ ++ mc->connections_begin = connections_end; ++ mc->connections_this_period = 1; ++ } else { ++ if (++mc->connections_this_period > ++ options.connections_per_period) ++ connections_per_period_exceeded = 1; ++ } ++ } ++ + /* +- * Got connection. Fork a child to handle it, unless +- * we are in debugging mode. ++ * Got connection. Fork a child to handle it unless ++ * we are in debugging mode or the maximum number of ++ * connections per period has been exceeded. + */ + if (debug_flag) { + /* +@@ -576,6 +642,12 @@ + sock_out = newsock; + pid = getpid(); + break; ++ } else if (connections_per_period_exceeded) { ++ log("Connection rate limit of %u/%us has been exceeded; " ++ "dropping connection from %s.", ++ options.connections_per_period, options.connections_period, ++ inet_ntoa(sin.sin_addr)); ++ connections_per_period_exceeded = 0; + } else { + /* + * Normal production daemon. Fork, and have +@@ -1048,6 +1120,14 @@ return 0; } } @@ -32,7 +141,7 @@ /* We found no reason not to let this user try to log on... */ return 1; } -@@ -1083,6 +1101,9 @@ +@@ -1083,6 +1163,9 @@ pwcopy.pw_gid = pw->pw_gid; pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); @@ -42,7 +151,7 @@ pw = &pwcopy; /* -@@ -1871,6 +1892,10 @@ +@@ -1871,6 +1954,10 @@ struct sockaddr_in from; int fromlen; struct pty_cleanup_context cleanup_context; @@ -53,7 +162,7 @@ /* Get remote host name. */ hostname = get_canonical_hostname(); -@@ -1935,6 +1960,12 @@ +@@ -1935,6 +2022,12 @@ /* Check if .hushlogin exists. */ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; @@ -66,7 +175,7 @@ /* * If the user has logged in before, display the time of last -@@ -1958,6 +1989,20 @@ +@@ -1958,6 +2051,20 @@ else printf("Last login: %s from %s\r\n", time_string, buf); } @@ -87,7 +196,7 @@ /* * Print /etc/motd unless a command was specified or printing * it was disabled in server options or login(1) will be -@@ -1966,14 +2011,22 @@ +@@ -1966,14 +2073,22 @@ */ if (command == NULL && options.print_motd && !quiet_login && !options.use_login) { @@ -111,7 +220,17 @@ /* Do common processing for the child, such as execing the command. */ do_child(command, pw, term, display, auth_proto, auth_data, ttyname); /* NOTREACHED */ -@@ -2117,15 +2170,34 @@ +@@ -2109,7 +2224,8 @@ + const char *display, const char *auth_proto, + const char *auth_data, const char *ttyname) + { +- const char *shell, *cp = NULL; ++ char *shell; ++ const char *cp = NULL; + char buf[256]; + FILE *f; + unsigned int envsize, i; +@@ -2117,15 +2233,34 @@ extern char **environ; struct stat st; char *argv[10]; @@ -151,7 +270,7 @@ } /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) -@@ -2135,6 +2207,13 @@ +@@ -2135,6 +2270,13 @@ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. */ if (!options.use_login) { @@ -165,7 +284,7 @@ if (getuid() == 0 || geteuid() == 0) { if (setgid(pw->pw_gid) < 0) { perror("setgid"); -@@ -2157,7 +2236,14 @@ +@@ -2157,7 +2299,14 @@ * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. */ @@ -180,7 +299,7 @@ #ifdef AFS /* Try to get AFS tokens for the local cell. */ -@@ -2181,7 +2267,12 @@ +@@ -2181,7 +2330,12 @@ child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); child_set_env(&env, &envsize, "HOME", pw->pw_dir); @@ -193,7 +312,7 @@ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); -@@ -2271,6 +2362,9 @@ +@@ -2271,6 +2425,9 @@ */ endpwent(); endhostent(); @@ -203,7 +322,7 @@ /* * Close any extra open file descriptors so that we don\'t have them -@@ -2278,7 +2372,7 @@ +@@ -2278,7 +2435,7 @@ * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ @@ -212,7 +331,7 @@ close(i); /* Change current directory to the user\'s home directory. */ -@@ -2297,6 +2391,26 @@ +@@ -2297,6 +2454,26 @@ * in this order). */ if (!options.use_login) { diff --git a/security/openssh/files/patch-ao b/security/openssh/files/patch-ao index 3e8278e..7ca746e 100644 --- a/security/openssh/files/patch-ao +++ b/security/openssh/files/patch-ao @@ -1,6 +1,6 @@ --- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd_config Thu Nov 11 17:58:39 1999 -+++ ./sshd_config Tue Nov 23 19:31:58 1999 -@@ -3,11 +3,11 @@ ++++ sshd_config Sun Dec 5 13:37:20 1999 +@@ -2,12 +2,13 @@ Port 22 ListenAddress 0.0.0.0 @@ -8,10 +8,13 @@ +HostKey __PREFIX__/etc/ssh_host_key ServerKeyBits 768 -LoginGraceTime 600 -+LoginGraceTime 30 ++LoginGraceTime 60 KeyRegenerationInterval 3600 -PermitRootLogin yes -+PermitRootLogin no - # +-# ++PermitRootLogin no ++# Rate-limit sshd connections to 5 connections per 10 seconds ++ConnectionsPerPeriod 5/10 # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes + # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication diff --git a/security/openssh/files/patch-ap b/security/openssh/files/patch-ap new file mode 100644 index 0000000..101b456 --- /dev/null +++ b/security/openssh/files/patch-ap @@ -0,0 +1,138 @@ +--- servconf.c.orig Sun Dec 5 01:48:12 1999 ++++ servconf.c Sun Dec 5 01:57:57 1999 +@@ -63,6 +63,8 @@ + options->num_deny_users = 0; + options->num_allow_groups = 0; + options->num_deny_groups = 0; ++ options->connections_per_period = 0; ++ options->connections_period = 0; + } + + void +@@ -161,7 +163,7 @@ + sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, + sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, + sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, +- sIgnoreUserKnownHosts ++ sIgnoreUserKnownHosts, sConnectionsPerPeriod + } ServerOpCodes; + + /* Textual representation of the tokens. */ +@@ -209,6 +211,7 @@ + { "denyusers", sDenyUsers }, + { "allowgroups", sAllowGroups }, + { "denygroups", sDenyGroups }, ++ { "connectionsperperiod", sConnectionsPerPeriod }, + { NULL, 0 } + }; + +@@ -270,7 +273,11 @@ + filename, linenum); + exit(1); + } +- value = atoi(cp); ++ if (sscanf(cp, " %d ", &value) != 1) { ++ fprintf(stderr, "%s line %d: invalid integer value.\n", ++ filename, linenum); ++ exit(1); ++ } + if (*intptr == -1) + *intptr = value; + break; +@@ -466,63 +473,65 @@ + + case sAllowUsers: + while ((cp = strtok(NULL, WHITESPACE))) { +- if (options->num_allow_users >= MAX_ALLOW_USERS) { +- fprintf(stderr, "%s line %d: too many allow users.\n", +- filename, linenum); +- exit(1); +- } ++ if (options->num_allow_users >= MAX_ALLOW_USERS) ++ fatal("%.200s line %d: too many allow users.\n", filename, ++ linenum); + options->allow_users[options->num_allow_users++] = xstrdup(cp); + } + break; + + case sDenyUsers: + while ((cp = strtok(NULL, WHITESPACE))) { +- if (options->num_deny_users >= MAX_DENY_USERS) { +- fprintf(stderr, "%s line %d: too many deny users.\n", +- filename, linenum); +- exit(1); +- } ++ if (options->num_deny_users >= MAX_DENY_USERS) ++ fatal("%.200s line %d: too many deny users.\n", filename, ++ linenum); + options->deny_users[options->num_deny_users++] = xstrdup(cp); + } + break; + + case sAllowGroups: + while ((cp = strtok(NULL, WHITESPACE))) { +- if (options->num_allow_groups >= MAX_ALLOW_GROUPS) { +- fprintf(stderr, "%s line %d: too many allow groups.\n", +- filename, linenum); +- exit(1); +- } ++ if (options->num_allow_groups >= MAX_ALLOW_GROUPS) ++ fatal("%.200s line %d: too many allow groups.\n", filename, ++ linenum); + options->allow_groups[options->num_allow_groups++] = xstrdup(cp); + } + break; + + case sDenyGroups: + while ((cp = strtok(NULL, WHITESPACE))) { +- if (options->num_deny_groups >= MAX_DENY_GROUPS) { +- fprintf(stderr, "%s line %d: too many deny groups.\n", +- filename, linenum); +- exit(1); +- } ++ if (options->num_deny_groups >= MAX_DENY_GROUPS) ++ fatal("%.200s line %d: too many deny groups.\n", filename, ++ linenum); + options->deny_groups[options->num_deny_groups++] = xstrdup(cp); + } + break; + ++ case sConnectionsPerPeriod: ++ cp = strtok(NULL, WHITESPACE); ++ if (cp == NULL) ++ fatal("%.200s line %d: missing (>= 0) number argument.\n", ++ filename, linenum); ++ if (sscanf(cp, " %u/%u ", &options->connections_per_period, ++ &options->connections_period) != 2) ++ fatal("%.200s line %d: invalid numerical argument(s).\n", ++ filename, linenum); ++ if (options->connections_per_period != 0 && ++ options->connections_period == 0) ++ fatal("%.200s line %d: invalid connections period.\n", ++ filename, linenum); ++ break; ++ + default: +- fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", ++ fatal("%.200s line %d: Missing handler for opcode %s (%d)\n", + filename, linenum, cp, opcode); +- exit(1); +- } +- if (strtok(NULL, WHITESPACE) != NULL) { +- fprintf(stderr, "%s line %d: garbage at end of line.\n", +- filename, linenum); +- exit(1); + } ++ if (strtok(NULL, WHITESPACE) != NULL) ++ fatal("%.200s line %d: garbage at end of line.\n", filename, ++ linenum); + } + fclose(f); +- if (bad_options > 0) { +- fprintf(stderr, "%s: terminating, %d bad configuration options\n", ++ if (bad_options > 0) ++ fatal("%.200s: terminating, %d bad configuration options\n", + filename, bad_options); +- exit(1); +- } + } diff --git a/security/openssh/files/patch-ar b/security/openssh/files/patch-ar new file mode 100644 index 0000000..2795e96 --- /dev/null +++ b/security/openssh/files/patch-ar @@ -0,0 +1,46 @@ +--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.8 Tue Nov 23 18:58:38 1999 ++++ sshd.8 Sun Dec 5 22:59:58 1999 +@@ -220,6 +220,31 @@ + should check for new mail for interactive logins. + The default is + .Dq no . ++.It Cm ConnectionsPerPeriod ++This keyword allows for rate-limiting of connections, and ++is followed by two numbers in the format ++.Dq n/s , ++where ++.Ar n ++is the number of connections from a certain address group ++accepted per period of ++.Ar s ++seconds. Any connection after the number ++.Ar n ++connection in the period of ++.Ar s ++seconds will be dropped, and an informational message will be logged. ++A connection will belong to a certain group, of which there are 13 ++by default, according to its IP address. ++The default for this keyword is ++.Dq 0/0 , ++and rate-limiting can be explicitly turned off by using an ++.Ar n ++parameter of ++.Ql 0 ++and any ++.Ar s ++parameter. + .It Cm DenyGroups + This keyword can be followed by a number of group names, separated + by spaces. Users whose primary group matches one of the patterns +@@ -453,8 +478,9 @@ + If the login is on a tty, records login time. + .It + Checks +-.Pa /etc/nologin ; +-if it exists, prints contents and quits ++.Pa /etc/nologin and ++.Pa /var/run/nologin ; ++if one exists, it prints the contents and quits + (unless root). + .It + Changes to run with normal user privileges. |
