# HG changeset patch
# User Pascal Bellard
# Date 1587449643 0
# Node ID d66b1a0c782a301f492a9e2a656a02b86fbc5978
# Parent 759c9acb4a954b751f13cabb053cbe8882404862
Up openssh (8.2p1)

diff -r 759c9acb4a95 -r d66b1a0c782a openssh-pam/receipt
--- a/openssh-pam/receipt Mon Apr 20 17:10:16 2020 +0100
+++ b/openssh-pam/receipt Tue Apr 21 06:14:03 2020 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="openssh-pam"
-VERSION="7.9p1"
+VERSION="8.2p1"
 CATEGORY="security"
 SHORT_DESC="Openbsd Secure Shell using PAM."
 MAINTAINER="pascal.bellard@slitaz.org"
@@ -28,7 +28,6 @@
 # Rules to configure and make the package.
 compile_rules()
 {
- patch -p1 < $WOK/$SOURCE/stuff/knock.u
 unset LD # for cross compiling with --disable-strip
 ./configure \
 --prefix=/usr \
@@ -73,7 +72,7 @@

 # From https://wiki.gentoo.org/wiki/SSH_jump_host
 Host *+*
- ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')
+ ProxyCommand ssh \$(echo %h | sed 's/+[^+]*$//;s/\\([^+%%]*\\)%%\\([^+]*\\)\$/\\2 -l \\1/;s/:/ -p /') exec nc -w1 \$(echo %h | sed 's/^.*+//;/:/!s/\$/ %p/;s/:/ /')
 EOT
 }

diff -r 759c9acb4a95 -r d66b1a0c782a openssh/receipt
--- a/openssh/receipt Mon Apr 20 17:10:16 2020 +0100
+++ b/openssh/receipt Tue Apr 21 06:14:03 2020 +0000
@@ -28,7 +28,6 @@
 # Rules to configure and make the package.
 compile_rules()
 {
- patch -p1 < $stuff/knock.u
 unset LD # for cross compiling with --disable-strip
 ./configure \
 --prefix=/usr \
@@ -71,7 +70,7 @@

 # From https://wiki.gentoo.org/wiki/SSH_jump_host
 Host *+*
- ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')
+ ProxyCommand ssh \$(echo %h | sed 's/+[^+]*$//;s/\\([^+%%]*\\)%%\\([^+]*\\)\$/\\2 -l \\1/;s/:/ -p /') exec nc -w1 \$(echo %h | sed 's/^.*+//;/:/!s/\$/ %p/;s/:/ /')
 EOT
 }

diff -r 759c9acb4a95 -r d66b1a0c782a openssh/stuff/knock.u
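Review bot: Removing `patch -p1 < $WOK/$SOURCE/stuff/knock.u` from compile_rules drops the TCP Stealth feature without a word in the commit message or the receipt, and the deleted knock.u below shows that feature registered a `TCPStealthSecret` keyword in both the ssh and sshd config parsers, so an installed ssh_config or sshd_config that still carries that keyword is likely to be rejected as a bad configuration option after the upgrade rather than quietly losing the feature. A one-line comment in place of the patch call, such as `# knock.u (TCPStealthSecret) dropped with 8.2p1; remove the option from existing configs`, would make that visible to whoever next touches the receipt or fields the upgrade report. The same removal is made in openssh/receipt (`patch -p1 < $stuff/knock.u`). compile_rules continues past the end of this hunk.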
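Review bot: The escaping in the new ProxyCommand line is uneven: the first sed expression keeps a bare `$` in `s/+[^+]*$//`, while the second escapes the same anchor as `\$/`. Under an unquoted heredoc (inferred from the `\$(` and `\\(` escapes; the heredoc's opening line is outside the hunk) a `$` followed by `/` already passes through unchanged, so both forms yield the same ssh_config text, but a reader has to work out which `$` the shell would expand; writing it as `s/+[^+]*\$//` keeps every shell-special character in the line visibly escaped. The same line receives the same change in openssh/receipt. The function enclosing this heredoc starts outside the hunk.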
--- a/openssh/stuff/knock.u Mon Apr 20 17:10:16 2020 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,515 +0,0 @@ -From https://gnunet.org/knock : -https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff ---- a/readconf.c -+++ b/readconf.c -@@ -173,6 +173,9 @@ - oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, - oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, - oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, -+#ifdef TCP_STEALTH -+ oTCPStealthSecret, -+#endif - oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported - } OpCodes; - -@@ -309,6 +312,9 @@ - { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, - { "ignoreunknown", oIgnoreUnknown }, - { "proxyjump", oProxyJump }, -+#ifdef TCP_STEALTH -+ oTCPStealthSecret, -+#endif - - { NULL, oBadOption } - }; -@@ -1722,6 +1728,23 @@ - *charptr = xstrdup(arg); - break; - -+#ifdef TCP_STEALTH -+ case oTCPStealthSecret: -+ charptr = &options->tcp_stealth_secret; -+ -+ arg = strdelim(&s); -+ if (!arg || *arg == '\0') -+ fatal("%.200s line %d: Missing argument.", -+ filename, linenum); -+ -+ if (*activep && *charptr == NULL) { -+ *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1); -+ memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1); -+ strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE); -+ } -+ -+ break; -+#endif - case oDeprecated: - debug("%s line %d: Deprecated option \"%s\"", - filename, linenum, keyword); -@@ -1926,6 +1949,9 @@ - options->update_hostkeys = -1; - options->hostbased_key_types = NULL; - options->pubkey_key_types = NULL; -+#ifdef TCP_STEALTH -+ options->tcp_stealth_secret = NULL; -+#endif - } - - /* ---- a/readconf.h -+++ b/readconf.h -@@ -166,6 +166,10 @@ - char *jump_extra; - - char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ -+ -+#ifdef TCP_STEALTH -+ char *tcp_stealth_secret; -+#endif - } Options; - - #define SSH_CANONICALISE_NO 0 ---- a/servconf.c -+++ b/servconf.c -@@ -180,6 +180,9 @@ - options->fingerprint_hash = -1; - options->disable_forwarding = -1; - options->expose_userauth_info = -1; -+#ifdef TCP_STEALTH -+ 
options->tcp_stealth_secret = NULL; -+#endif - } - - /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -497,6 +500,9 @@ - sStreamLocalBindMask, sStreamLocalBindUnlink, - sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, - sExposeAuthInfo, sRDomain, -+#ifdef TCP_STEALTH -+ sTCPStealthSecret, -+#endif - sDeprecated, sIgnore, sUnsupported - } ServerOpCodes; - -@@ -645,6 +651,9 @@ - { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, - { "rdomain", sRDomain, SSHCFG_ALL }, - { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, -+#ifdef TCP_STEALTH -+ { "tcpstealthsecret", sTCPStealthSecret }, -+#endif - { NULL, sBadOption, 0 } - }; - -@@ -2149,6 +2158,23 @@ - *charptr = xstrdup(arg); - break; - -+#ifdef TCP_STEALTH -+ case sTCPStealthSecret: -+ charptr = &options->tcp_stealth_secret; -+ -+ arg = strdelim(&cp); -+ if (!arg || *arg == '\0') -+ fatal("%s line %d: Missing argument.", -+ filename, linenum); -+ -+ if (*activep && *charptr == NULL) { -+ *charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1); -+ memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1); -+ strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE); -+ } -+ -+ break; -+#endif - case sDeprecated: - case sIgnore: - case sUnsupported: ---- a/servconf.h -+++ b/servconf.h -@@ -210,6 +210,9 @@ - int fingerprint_hash; - int expose_userauth_info; - u_int64_t timing_secret; -+#ifdef TCP_STEALTH -+ char *tcp_stealth_secret; -+#endif - } ServerOptions; - - /* Information about the incoming connection as used by Match */ -@@ -232,6 +235,11 @@ - * NB. an option must appear in servconf.c:copy_set_server_options() or - * COPY_MATCH_STRING_OPTS here but never both. 
- */ -+#ifdef TCP_STEALTH -+#define M_CP_STEALTHSCRT(X) M_CP_STROPT(X); -+#else -+#define M_CP_STEALTHSCRT(X) -+#endif - #define COPY_MATCH_STRING_OPTS() do { \ - M_CP_STROPT(banner); \ - M_CP_STROPT(trusted_user_ca_keys); \ -@@ -255,6 +263,7 @@ - M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \ - M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \ - M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \ -+ M_CP_STEALTHSCRT(tcp_stealth_secret); \ - } while (0) - - struct connection_info *get_connection_info(int, int); ---- a/ssh.0 -+++ b/ssh.0 -@@ -9,8 +9,8 @@ - [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] - [-J destination] [-L address] [-l login_name] [-m mac_spec] - [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] -- [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination -- [command] -+ [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] -+ [-z tcp_stealth_secret] destination [command] - - DESCRIPTION - ssh (SSH client) is a program for logging into a remote machine and for -@@ -436,6 +436,20 @@ - - -y Send log information using the syslog(3) system module. By - default this information is sent to stderr. -+ -+ -z tcp_stealth_secret -+ Specifies the shared secret which is needed to connect to a stealth -+ SSH TCP server. Any string specified will be truncated to or padded -+ with zeroes to 64 bytes. This option needs kernel support and is -+ therefore only available if the required setsockopt() call is -+ available. -+ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ -+ for details. -+ -+ IMPORTANT: This option should only be used for the purpose of -+ testing as other users could easily read out the secret from the -+ command line arguments. The TCPStealthSecret configuration option -+ is the preferred way of specifying the TCP Stealth secret. - - ssh may additionally obtain configuration data from a per-user - configuration file and a system-wide configuration file. 
The file format ---- a/ssh.1 -+++ b/ssh.1 -@@ -64,6 +64,7 @@ - .Op Fl S Ar ctl_path - .Op Fl W Ar host : Ns Ar port - .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun -+.Op Fl z Ar tcp_stealth_secret - .Ar destination - .Op Ar command - .Sh DESCRIPTION -@@ -536,6 +537,7 @@ - .It StreamLocalBindUnlink - .It StrictHostKeyChecking - .It TCPKeepAlive -+.It TCPStealthSecret - .It Tunnel - .It TunnelDevice - .It UpdateHostKeys -@@ -795,6 +797,21 @@ - .Xr syslog 3 - system module. - By default this information is sent to stderr. -+.It Fl z Ar tcp_stealth_secret -+Specifies the shared secret which is needed to connect to a stealth SSH TCP -+server. Any string specified will be truncated to or padded with zeroes to 64 -+bytes. This option needs kernel support and is therefore only available if the -+required -+.Xr setsockopt 2 -+call is available. -+.Pp -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. -+.Pp -+.Cm IMPORTANT: -+This option should only be used for the purpose of testing as other users could -+easily read out the secret from the command line arguments. The -+.Cm TCPStealthSecret -+configuration option is the preferred way of specifying the TCP Stealth secret. - .El - .Pp - .Nm ---- a/ssh.c -+++ b/ssh.c -@@ -190,6 +190,14 @@ - extern int muxserver_sock; - extern u_int muxclient_command; - -+#ifdef TCP_STEALTH -+#define OPT_STEALTH "[-z tcp_stealth_secret] " -+#define GETOPT_STEALTH "z:" -+#else -+#define OPT_STEALTH "" -+#define GETOPT_STEALTH "" -+#endif -+ - /* Prints a help message to the user. This function never returns. 
*/ - - static void -@@ -202,7 +210,7 @@ - " [-i identity_file] [-J [user@]host[:port]] [-L address]\n" - " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" - " [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n" --" [-w local_tun[:remote_tun]] destination [command]\n" -+" [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n" - ); - exit(255); - } -@@ -657,7 +665,7 @@ - - again: - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" -- "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+ "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) { - switch (opt) { - case '1': - fatal("SSH protocol v.1 is no longer supported"); -@@ -979,6 +987,14 @@ - case 'F': - config = optarg; - break; -+#ifdef TCP_STEALTH -+ case 'z': -+ options.tcp_stealth_secret = -+ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); -+ strncpy(options.tcp_stealth_secret, optarg, -+ TCP_STEALTH_SECRET_SIZE); -+ break; -+#endif - default: - usage(); - } ---- a/ssh_config.0 -+++ b/ssh_config.0 -@@ -945,6 +945,15 @@ - To disable TCP keepalive messages, the value should be set to no. - See also ServerAliveInterval for protocol-level keepalives. - -+ TCPStealthSecret -+ Specifies the shared secret which is needed to connect to a stealth -+ SSH TCP Server. Any string specified will be truncated to or padded -+ with zeroes to 64 bytes. This option needs kernel support and is -+ therefore only available if the required setsockopt() call is -+ available. -+ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ -+ for details. -+ - Tunnel Request tun(4) device forwarding between the client and the - server. The argument must be yes, point-to-point (layer 3), - ethernet (layer 2), or no (the default). Specifying yes requests ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -1548,6 +1548,15 @@ - See also - .Cm ServerAliveInterval - for protocol-level keepalives. 
-+.It Cm TCPStealthSecret -+Specifies the shared secret which is needed to connect to a stealth SSH TCP -+Server. Any string specified will be truncated to or padded with zeroes to 64 -+bytes. This option needs kernel support and is therefore only available if the -+required -+.Xr setsockopt 2 -+call is available. -+.Pp -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. - .It Cm Tunnel - Request - .Xr tun 4 ---- a/sshconnect.c -+++ b/sshconnect.c -@@ -349,6 +349,18 @@ - } - fcntl(sock, F_SETFD, FD_CLOEXEC); - -+#ifdef TCP_STEALTH -+ if (options.tcp_stealth_secret) { -+ if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH, -+ options.tcp_stealth_secret, -+ TCP_STEALTH_SECRET_SIZE) == -1) { -+ error("setsockopt TCP_STEALTH: %s", strerror(errno)); -+ close(sock); -+ return -1; -+ } -+ } -+#endif -+ - /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL && options.bind_interface == NULL) - return sock; ---- a/sshd.0 -+++ b/sshd.0 -@@ -7,6 +7,7 @@ - sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] - [-E log_file] [-f config_file] [-g login_grace_time] - [-h host_key_file] [-o option] [-p port] [-u len] -+ [-z tcp_stealth_secret] - - DESCRIPTION - sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these -@@ -122,6 +123,20 @@ - from="pattern-list" option in a key file. Configuration options - that require DNS include using a USER@HOST pattern in AllowUsers - or DenyUsers. -+ -z tcp_stealth_secret -+ Turns this SSH server into a Stealth SSH TCP Server. This option -+ specifies the shared secret which is needed by the clients in order -+ to be able to connect to the port the SSH server is listening on. -+ Any string specified will be truncated or padded with zeroes to 64 -+ bytes. This option needs kernel support and is therefore only -+ available if the required setsockopt() call is available. -+ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ -+ for details. 
-+ -+ IMPORTANT: This option should only be used for the purpose of -+ testing as other users could easily read out the secret from the -+ command line arguments. The TCPStealthSecret configuration option -+ is the preferred way of specifying the TCP Stealth secret. - - AUTHENTICATION - The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a ---- a/sshd.8 -+++ b/sshd.8 -@@ -53,6 +53,7 @@ - .Op Fl o Ar option - .Op Fl p Ar port - .Op Fl u Ar len -+.Op Fl z Ar tcp_stealth_secret - .Ek - .Sh DESCRIPTION - .Nm -@@ -244,6 +245,24 @@ - .Cm AllowUsers - or - .Cm DenyUsers . -+.It Fl z Ar tcp_stealth_secret -+Turns this SSH server into a stealth SSH TCP server. This option specifies the -+shared secret which is needed by the clients in order to be able to connect to -+the port the SSH server is listening on. Any string specified will be truncated -+or padded with zeroes to 64 bytes. This option needs kernel support and is -+therefore only available if the required -+.Xr setsockopt 2 -+call is available. -+.Pp -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. -+ -+.Cm IMPORTANT: -+This option should only be used for the purpose of -+testing as other users could easily read out the secret from the -+command line arguments. The -+.Cm TCPStealthSecret -+configuration option -+is the preferred way of specifying the TCP Stealth secret. - .El - .Sh AUTHENTICATION - The OpenSSH SSH daemon supports SSH protocol 2 only. ---- a/sshd.c -+++ b/sshd.c -@@ -911,6 +911,14 @@ - return (r < p) ? 
1 : 0; - } - -+#ifdef TCP_STEALTH -+#define OPT_STEALTH " [-z tcp_stealth_secret]" -+#define GETOPT_STEALTH "z:" -+#else -+#define OPT_STEALTH "" -+#define GETOPT_STEALTH "" -+#endif -+ - static void - usage(void) - { -@@ -926,6 +934,7 @@ - "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n" - " [-E log_file] [-f config_file] [-g login_grace_time]\n" - " [-h host_key_file] [-o option] [-p port] [-u len]\n" -+" " OPT_STEALTH "\n" - ); - exit(1); - } -@@ -1075,6 +1084,16 @@ - continue; - } - -+#ifdef TCP_STEALTH -+ if (options.tcp_stealth_secret != NULL) { -+ if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH, -+ options.tcp_stealth_secret, -+ TCP_STEALTH_SECRET_SIZE) == -1) -+ error("setsockopt TCP_STEALTH: %s", -+ strerror(errno)); -+ } -+#endif -+ - /* Only communicate in IPv6 over AF_INET6 sockets. */ - if (ai->ai_family == AF_INET6) - sock_set_v6only(listen_sock); -@@ -1515,7 +1534,7 @@ - - /* Parse command-line arguments. */ - while ((opt = getopt(ac, av, -- "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { -+ GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) { - switch (opt) { - case '4': - options.address_family = AF_INET; -@@ -1616,6 +1635,14 @@ - exit(1); - free(line); - break; -+#ifdef TCP_STEALTH -+ case 'z': -+ options.tcp_stealth_secret = -+ xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t)); -+ strncpy(options.tcp_stealth_secret, optarg, -+ TCP_STEALTH_SECRET_SIZE); -+ break; -+#endif - case '?': - default: - usage(); ---- a/sshd_config.0 -+++ b/sshd_config.0 -@@ -937,6 +937,19 @@ - - To disable TCP keepalive messages, the value should be set to no. - -+ TCPStealthSecret -+ Turns this SSH server into a stealth SSH TCP server. This -+ configuration option specifies the shared secret needed by the -+ clients in order to be able to connect to the port the SSH server -+ is listening on. This means that port scanners will receive a -+ TCP RST and thus will not recognize this TCP port being open. 
-+ -+ Any string specified will be truncated or padded with zeroes to 64 -+ bytes. This option needs kernel support and is therefore only -+ available if the required setsockopt() call is available. -+ See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ -+ for details. -+ - TrustedUserCAKeys - Specifies a file containing public keys of certificate - authorities that are trusted to sign user certificates for ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -1567,6 +1567,18 @@ - .Pp - To disable TCP keepalive messages, the value should be set to - .Cm no . -+.It Cm TCPStealthSecret -+Turns this SSH server into a stealth SSH TCP server. This configuration option -+specifies the shared secret needed by the clients in order to be able to connect -+to the port the SSH server is listening on. This means that port scanners will -+receive a TCP RST and thus will not recognize this TCP port being open. Any -+string specified will be truncated or padded with zeroes to 64 bytes. This -+option needs kernel support and is therefore only available if the required -+.Xr setsockopt 2 -+call is available. -+.Pp -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details. -+ - .It Cm TrustedUserCAKeys - Specifies a file containing public keys of certificate authorities that are - trusted to sign user certificates for authentication, or diff -r 759c9acb4a95 -r d66b1a0c782a sftp-server/receipt --- a/sftp-server/receipt Mon Apr 20 17:10:16 2020 +0100 +++ b/sftp-server/receipt Tue Apr 21 06:14:03 2020 +0000 @@ -8,9 +8,9 @@ MAINTAINER="pascal.bellard@slitaz.org" LICENSE="BSD" WEB_SITE="http://www.openssh.org/" +WANTED="openssh" DEPENDS="libcrypto zlib" -WANTED="openssh" HOST_ARCH="i486 arm"