diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index 3753542e345..0d59ae8545c 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.8 2015/09/04 21:05:55 sthen Exp $
+# $OpenBSD: Makefile,v 1.9 2015/10/09 14:47:40 sthen Exp $
 COMMENT= server implementing the AnyConnect SSL VPN protocol
-DISTNAME= ocserv-0.10.8
+DISTNAME= ocserv-0.10.9
 EXTRACT_SUFX= .tar.xz
 CATEGORIES= net
@@ -14,7 +14,7 @@ MAINTAINER= Stuart Henderson
 # GPLv2+
 PERMIT_PACKAGE_CDROM= Yes
-WANTLIB += c gnutls lz4 ncurses pam protobuf-c pthread readline talloc
+WANTLIB += c gnutls lz4 ncurses oath pam protobuf-c pthread readline talloc
 MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
@@ -23,6 +23,7 @@ LIB_DEPENDS= archivers/lz4 \
 devel/protobuf-c \
 devel/libtalloc \
 security/gnutls \
+ security/oath-toolkit \
 security/openpam
 CONFIGURE_STYLE= autoconf
diff --git a/net/ocserv/distinfo b/net/ocserv/distinfo
index 46b209d76dc..bffc750d5ad 100644
--- a/net/ocserv/distinfo
+++ b/net/ocserv/distinfo
@@ -1,2 +1,2 @@
-SHA256 (ocserv-0.10.8.tar.xz) = r5ifJ1hdNWciH/xAuruzg7zQymh55Su83uasOpBghFQ=
-SIZE (ocserv-0.10.8.tar.xz) = 714404
+SHA256 (ocserv-0.10.9.tar.xz) = ltDqIugRpw5GVh/+KcTmscwBTuJNNTwDZ8py7c7fUzw=
+SIZE (ocserv-0.10.9.tar.xz) = 718004
diff --git a/net/ocserv/patches/patch-doc_sample_config b/net/ocserv/patches/patch-doc_sample_config
index 52c6f6ce165..06f6650cca7 100644
--- a/net/ocserv/patches/patch-doc_sample_config
+++ b/net/ocserv/patches/patch-doc_sample_config
@@ -1,10 +1,10 @@
-$OpenBSD: patch-doc_sample_config,v 1.6 2015/09/04 21:05:55 sthen Exp $
+$OpenBSD: patch-doc_sample_config,v 1.7 2015/10/09 14:47:40 sthen Exp $
 no freeradius-client in ports yet (also disabled in autoconf)
 no seccomp, gssapi
---- doc/sample.config.orig Mon Aug 31 20:19:45 2015
-+++ doc/sample.config Fri Sep 4 22:01:20 2015
+--- doc/sample.config.orig Sun Sep 27 07:32:39 2015
++++ doc/sample.config Fri Oct 9 15:45:23 2015
@@ -1,7 +1,7 @@ # User authentication method. Could be set multiple times and in # that case all should succeed. To enable multiple methods use @@ -14,10 +14,11 @@ no seccomp, gssapi # # Note that authentication methods cannot be changed with reload. -@@ -19,42 +19,17 @@ - # One entry must be listed per line, and 'ocpasswd' should be used - # to generate password entries. - # +@@ -20,47 +20,26 @@ + # to generate password entries. The 'otp' suboption allows to specify + # an oath password file to be used for one time passwords; the format of + # the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile +-# -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: -# The radius option requires specifying freeradius-client configuration -# file. If the groupconfig option is set, then config-per-user will be overriden, @@ -35,6 +36,7 @@ no seccomp, gssapi #auth = "pam" #auth = "pam[gid-min=1000]" + #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" auth = "plain[passwd=./sample.passwd]" #auth = "certificate" -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" 
@@ -46,18 +48,22 @@ no seccomp, gssapi -#enable-auth = "gssapi" -#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" --# Accounting methods available: + # Accounting methods available: -# radius: can be combined with any authentication method, it provides -# radius accounting to available users (see also stats-report-time). -# --# Only one accounting method can be specified. --#acct = "pam" + # pam: can be combined with any authentication method, it provides + # a validation of the connecting user's name using PAM. It is + # superfluous to use this method when authentication is already + # PAM. + # + # Only one accounting method can be specified. -#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" -- ++#acct = "pam" + # Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. - #listen-host = [IP|HOSTNAME] -@@ -76,8 +51,8 @@ udp-port = 443 +@@ -83,8 +62,8 @@ udp-port = 443 # The user the worker processes will be run as. It should be # unique (no other services run as this user). @@ -68,7 +74,7 @@ no seccomp, gssapi # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. -@@ -86,7 +61,7 @@ run-as-group = daemon +@@ -93,7 +72,7 @@ run-as-group = daemon # socket file used for server IPC (worker-main), will be appended with .PID # It must be accessible within the chroot environment (if any), so it is best # specified relatively to the chroot directory. @@ -77,7 +83,7 @@ no seccomp, gssapi # The default server directory. Does not require any devices present. #chroot-dir = /path/to/chroot -@@ -101,8 +76,8 @@ socket-file = /var/run/ocserv-socket +@@ -108,8 +87,8 @@ socket-file = /var/run/ocserv-socket # # There may be multiple server-cert and server-key directives, # but each key should correspond to the preceding certificate. 
@@ -88,7 +94,7 @@ no seccomp, gssapi # Diffie-Hellman parameters. Only needed if you require support # for the DHE ciphersuites (by default this server supports ECDHE). -@@ -128,18 +103,12 @@ server-key = ../tests/server-key.pem +@@ -135,18 +114,12 @@ server-key = ../tests/server-key.pem # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. @@ -108,7 +114,7 @@ no seccomp, gssapi # A banner to be displayed on clients #banner = "Welcome" -@@ -168,8 +137,7 @@ max-same-clients = 2 +@@ -175,8 +148,7 @@ max-same-clients = 2 # Stats report time. The number of seconds after which each # worker process will report its usage statistics (number of @@ -118,7 +124,7 @@ no seccomp, gssapi #stats-report-time = 360 # Keepalive in seconds -@@ -267,9 +235,8 @@ min-reauth-time = 300 +@@ -276,9 +248,8 @@ min-reauth-time = 300 # Banning clients in ocserv works with a point system. IP addresses # that get a score over that configured number are banned for # min-reauth-time seconds. By default a wrong password attempt is 10 points, @@ -130,7 +136,7 @@ no seccomp, gssapi # # Score banning cannot be reliably used when receiving proxied connections # locally from an HTTP server (i.e., when listen-clear-file is used). -@@ -283,7 +250,6 @@ ban-reset-time = 300 +@@ -292,7 +263,6 @@ ban-reset-time = 300 # In case you'd like to change the default points. #ban-points-wrong-password = 10 #ban-points-connection = 1 @@ -138,7 +144,7 @@ no seccomp, gssapi # Cookie timeout (in seconds) # Once a client is authenticated he's provided a cookie with -@@ -345,7 +311,7 @@ rekey-method = ssl +@@ -354,7 +324,7 @@ rekey-method = ssl use-occtl = true # PID file. It can be overriden in the command line. 
@@ -147,7 +153,7 @@ no seccomp, gssapi # Set the protocol-defined priority (SO_PRIORITY) for packets to # be sent. That is a number from 0 to 6 with 0 being the lowest -@@ -373,7 +339,7 @@ predictable-ips = true +@@ -382,7 +352,7 @@ predictable-ips = true default-domain = example.com # The pool of addresses that leases will be given from. If the leases @@ -156,7 +162,7 @@ no seccomp, gssapi # these network values should contain a network with at least a single # address that will remain under the full control of ocserv (that is # to be able to assign the local part of the tun device address). -@@ -486,20 +452,6 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -498,20 +468,6 @@ no-route = 192.168.5.0/255.255.255.0 # and '%{G}', if present will be replaced by the username and group name. #proxy-url = http://example.com/ #proxy-url = http://example.com/%{U}/