* Fixed a critical security bug with RSA signature
verification. Mitigating factors: DSA is used by default (not
vulnerable). Also, the attack requires that attacker has the
public key and the attacker needs to precompute the signature
data so, that it looks like a valid PKCS#1 signature. This is a
non-trivial task to perform without the private
key. Nonetheless, all users should update their servers and
clients as soon as convenient. Workarounds are to not use RSA
keys as host keys (though connecting to existing hosts with RSA
hostkeys poses a serious risk with a vulnerable client), and
disabling publickey authentication. Update your clients and
servers.
Update MASTER_SITES, remove sites that are down or no langer carry ssh2
and add some new.
- Turn Kerberos and group writeability support into knobs so one hasn't to
edit the Makefile.
- Remove dependency on security/tcp_wrapper for tcp-wrapper support on
systems < FreeBSD 4.0, that port is no longer persistent.
- Fix pkg-plist for WITH_STATIC_SFTP case.
- Replace referneces to /etc/ssh2/* in man pages with references to
PREFIX/etc/ssh2/* in order to better fit for FreeBSD.
- Replace "$(ETCDIR)" in ssh_dummy_shell.out with PREFIX/etc.
- Remove duplicated mechanism for generating the host key if an old one isn't
found in the post-install target in the Makefile of the port, this is
already done by the generate-host-key target in WRKSRC/apps/ssh/Makefile.
- Fix differences between the install action done when installing the
package versus installing the port. I.e. make the package create the host
key with what ever bits ssh-keygen2 defaults to (currently 2048) instead
of 1024 bits, copy over the configuration files for ssh2 and sshd2 from
the examples if not already existent and create the directories for the
global host keys and known hosts files.
- Add some foo to pkg-plist to remove as much as possible from PREFIX/etc/ssh2,
i.e. configuration files that don't differ from the corresponding examples
and empty directories. Inform the user to remove what's left over if any.
- Use _PATH_STDPATH instead of _PATH_DEFPATH so that the default PATH gets
set to "/usr/bin:/bin:/usr/sbin:/sbin:PREFIX/bin" instead of
"/usr/bin:/bin:PREFIX/bin". Using _PATH_STDPATH is consistent with OpenSSH
and seems more usefull. One might want to patch ssh2 to also use login_cap(3)
so that e.g. PATH gets picked up from whatever is defined in /etc/login.conf.
- Change MAINTAINER.
- Replace "share/doc/ssh2" with %%DATADIR%% in pkg-plist.
Submitted by: Marius Strobl <marius@alchemy.franken.de>
Approved by: maintainer
2.) If libX11.a exists and xauth not, the build of ssh2 fails. This
patch fix this.
3.) ssh2/files/sshd.sh looks for the wrong pid file in /var/run.
This patch fix this and adds 2> /dev/null to the sshd2 startup
PR: 46012
Submitted by: maintainer
Note: The PR includes diffs to cope with WITHOUT_X11 env,
but this was already committed by knu-san.
So I just added CONFIGURE_ARGS line, please verify it.
PR: ports/35385
Submitted by: maintainer
stopping the server.
Martti's submission did not include -h, which I added because if I had
added the scripts the way he submitted them, the server wouldn't be
started on startup.
PR: 10196
Submitted by: Martti Kuparinen <martti.kuparinen@ericsson.com>
Reviewed by: kris (partially)
No response: maintainers (PR opened February 22, 1999)
[Has anyone figured-out what makes the number 393 so interesting to PW, now?]
I wonder what was going through Jordan's head during his infamous
$Id$-smashing commit.
Before I forget....
Thanks to naddy@mips.rhein-neckar.de (Christian Weisgerber) for prompting
this commit. See msg-id: 7geokh$tje$1@mips.rhein-neckar.de
Ssh 2.0.9 has bugs abount updating utmp/wtmp file.
2. Now you can compile ssh2 to support TCP_Wrapper
(security/tcp_wrapper) when you define USE_TCPWRAP=YES
3. Fix typo in MASTER_SITES
(Thanks to Chris Piazza <norn@home.net>)
4. Use /usr/lib/libz.so.* instead of libz in ssh2 source file.
5. Delete some obsolute pathes.
PR: ports/8916
Submitted by: issei@jp.FreeBSD.ORG
