wok rev 20877

openssh: add ssh-copy-id (again)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat Feb 23 23:59:15 2019 +0100 (23 months ago)
parents 07197587ca55
children 8244d340f239
files openssh-pam/receipt openssh/receipt openssh/stuff/knock.u
line diff
     1.1 --- a/openssh-pam/receipt	Sat Feb 23 23:00:18 2019 +0100
     1.2 +++ b/openssh-pam/receipt	Sat Feb 23 23:59:15 2019 +0100
     1.3 @@ -22,7 +22,7 @@
     1.4  # Rules to configure and make the package.
     1.5  compile_rules()
     1.6  {
     1.7 -	patch -p1 < ../$SOURCE/stuff/knock.u
     1.8 +	patch -p1 < $wanted_stuff/knock.u
     1.9  	unset LD # for cross compiling with --disable-strip
    1.10  	./configure \
    1.11  		--prefix=/usr \
    1.12 @@ -40,7 +40,7 @@
    1.13  	install -m 644 $src/[A-Z][A-Z]* $DESTDIR/usr/share/doc
    1.14  	cd contrib &&
    1.15  	cc -Wall $(pkg-config --cflags gtk+-2.0) gnome-ssh-askpass2.c \
    1.16 -		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) &&
    1.17 +		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) -lX11 &&
    1.18  	cp gnome-ssh-askpass $DESTDIR/usr/bin/ssh-askpass
    1.19  }
    1.20  
     2.1 --- a/openssh/receipt	Sat Feb 23 23:00:18 2019 +0100
     2.2 +++ b/openssh/receipt	Sat Feb 23 23:59:15 2019 +0100
     2.3 @@ -40,7 +40,7 @@
     2.4  	install -m 644 $src/[A-Z][A-Z]* $DESTDIR/usr/share/doc
     2.5  	cd contrib &&
     2.6  	cc -Wall $(pkg-config --cflags gtk+-2.0) gnome-ssh-askpass2.c \
     2.7 -		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) &&
     2.8 +		-o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) -lX11 &&
     2.9  	cp gnome-ssh-askpass $DESTDIR/usr/bin/ssh-askpass
    2.10  }
    2.11  
     3.1 --- a/openssh/stuff/knock.u	Sat Feb 23 23:00:18 2019 +0100
     3.2 +++ b/openssh/stuff/knock.u	Sat Feb 23 23:59:15 2019 +0100
     3.3 @@ -2,29 +2,29 @@
     3.4  https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
     3.5  --- a/readconf.c
     3.6  +++ b/readconf.c
     3.7 -@@ -172,6 +172,9 @@
     3.8 +@@ -173,6 +173,9 @@
     3.9   	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
    3.10   	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
    3.11 - 	oPubkeyAcceptedKeyTypes, oProxyJump,
    3.12 + 	oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
    3.13  +#ifdef TCP_STEALTH
    3.14  +	oTCPStealthSecret,
    3.15  +#endif
    3.16   	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
    3.17   } OpCodes;
    3.18   
    3.19 -@@ -305,6 +308,9 @@
    3.20 +@@ -309,6 +312,9 @@
    3.21   	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
    3.22   	{ "ignoreunknown", oIgnoreUnknown },
    3.23   	{ "proxyjump", oProxyJump },
    3.24  +#ifdef TCP_STEALTH
    3.25 -+	{ "tcpstealthsecret", oTCPStealthSecret },
    3.26 ++	oTCPStealthSecret,
    3.27  +#endif
    3.28   
    3.29   	{ NULL, oBadOption }
    3.30   };
    3.31 -@@ -1669,6 +1675,23 @@
    3.32 - 		charptr = &options->identity_agent;
    3.33 - 		goto parse_string;
    3.34 +@@ -1722,6 +1728,23 @@
    3.35 + 			*charptr = xstrdup(arg);
    3.36 + 		break;
    3.37   
    3.38  +#ifdef TCP_STEALTH
    3.39  +	case oTCPStealthSecret:
    3.40 @@ -46,7 +46,7 @@
    3.41   	case oDeprecated:
    3.42   		debug("%s line %d: Deprecated option \"%s\"",
    3.43   		    filename, linenum, keyword);
    3.44 -@@ -1869,6 +1892,9 @@
    3.45 +@@ -1926,6 +1949,9 @@
    3.46   	options->update_hostkeys = -1;
    3.47   	options->hostbased_key_types = NULL;
    3.48   	options->pubkey_key_types = NULL;
    3.49 @@ -58,7 +58,7 @@
    3.50   /*
    3.51  --- a/readconf.h
    3.52  +++ b/readconf.h
    3.53 -@@ -164,6 +164,10 @@
    3.54 +@@ -166,6 +166,10 @@
    3.55   	char   *jump_extra;
    3.56   
    3.57   	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
    3.58 @@ -71,7 +71,7 @@
    3.59   #define SSH_CANONICALISE_NO	0
    3.60  --- a/servconf.c
    3.61  +++ b/servconf.c
    3.62 -@@ -165,6 +165,9 @@
    3.63 +@@ -180,6 +180,9 @@
    3.64   	options->fingerprint_hash = -1;
    3.65   	options->disable_forwarding = -1;
    3.66   	options->expose_userauth_info = -1;
    3.67 @@ -81,29 +81,29 @@
    3.68   }
    3.69   
    3.70   /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
    3.71 -@@ -422,6 +425,9 @@
    3.72 +@@ -497,6 +500,9 @@
    3.73   	sStreamLocalBindMask, sStreamLocalBindUnlink,
    3.74   	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
    3.75 - 	sExposeAuthInfo,
    3.76 + 	sExposeAuthInfo, sRDomain,
    3.77  +#ifdef TCP_STEALTH
    3.78  +	sTCPStealthSecret,
    3.79  +#endif
    3.80   	sDeprecated, sIgnore, sUnsupported
    3.81   } ServerOpCodes;
    3.82   
    3.83 -@@ -566,6 +572,9 @@
    3.84 - 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
    3.85 - 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
    3.86 +@@ -645,6 +651,9 @@
    3.87   	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
    3.88 + 	{ "rdomain", sRDomain, SSHCFG_ALL },
    3.89 + 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
    3.90  +#ifdef TCP_STEALTH
    3.91  +	{ "tcpstealthsecret", sTCPStealthSecret },
    3.92  +#endif
    3.93   	{ NULL, sBadOption, 0 }
    3.94   };
    3.95   
    3.96 -@@ -1883,6 +1892,23 @@
    3.97 - 		intptr = &options->expose_userauth_info;
    3.98 - 		goto parse_flag;
    3.99 +@@ -2149,6 +2158,23 @@
   3.100 + 			*charptr = xstrdup(arg);
   3.101 + 		break;
   3.102   
   3.103  +#ifdef TCP_STEALTH
   3.104  +	case sTCPStealthSecret:
   3.105 @@ -127,18 +127,17 @@
   3.106   	case sUnsupported:
   3.107  --- a/servconf.h
   3.108  +++ b/servconf.h
   3.109 -@@ -198,6 +198,10 @@
   3.110 - 
   3.111 +@@ -210,6 +210,9 @@
   3.112   	int	fingerprint_hash;
   3.113   	int	expose_userauth_info;
   3.114 -+
   3.115 + 	u_int64_t timing_secret;
   3.116  +#ifdef TCP_STEALTH
   3.117  +	char	*tcp_stealth_secret;
   3.118  +#endif
   3.119   }       ServerOptions;
   3.120   
   3.121   /* Information about the incoming connection as used by Match */
   3.122 -@@ -219,6 +223,11 @@
   3.123 +@@ -232,6 +235,11 @@
   3.124    * NB. an option must appear in servconf.c:copy_set_server_options() or
   3.125    * COPY_MATCH_STRING_OPTS here but never both.
   3.126    */
   3.127 @@ -150,205 +149,32 @@
   3.128   #define COPY_MATCH_STRING_OPTS() do { \
   3.129   		M_CP_STROPT(banner); \
   3.130   		M_CP_STROPT(trusted_user_ca_keys); \
   3.131 -@@ -238,6 +247,7 @@
   3.132 - 		M_CP_STRARRAYOPT(accept_env, num_accept_env); \
   3.133 +@@ -255,6 +263,7 @@
   3.134   		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
   3.135 - 		M_CP_STRARRAYOPT_ALLOC(permitted_opens, num_permitted_opens); \
   3.136 + 		M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
   3.137 + 		M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
   3.138  +		M_CP_STEALTHSCRT(tcp_stealth_secret); \
   3.139   	} while (0)
   3.140   
   3.141   struct connection_info *get_connection_info(int, int);
   3.142 ---- a/ssh.c
   3.143 -+++ b/ssh.c
   3.144 -@@ -191,6 +191,14 @@
   3.145 - extern int muxserver_sock;
   3.146 - extern u_int muxclient_command;
   3.147 - 
   3.148 -+#ifdef TCP_STEALTH
   3.149 -+#define OPT_STEALTH	"[-z tcp_stealth_secret] "
   3.150 -+#define GETOPT_STEALTH	"z:"
   3.151 -+#else
   3.152 -+#define OPT_STEALTH	""
   3.153 -+#define GETOPT_STEALTH	""
   3.154 -+#endif
   3.155 -+
   3.156 - /* Prints a help message to the user.  This function never returns. */
   3.157 - 
   3.158 - static void
   3.159 -@@ -203,7 +211,7 @@
   3.160 - "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
   3.161 - "           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]\n"
   3.162 - "           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
   3.163 --"           [user@]hostname [command]\n"
   3.164 -+"           " OPT_STEALTH "[user@]hostname [command]\n"
   3.165 - 	);
   3.166 - 	exit(255);
   3.167 - }
   3.168 -@@ -612,7 +620,7 @@
   3.169 - 
   3.170 -  again:
   3.171 - 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
   3.172 --	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
   3.173 -+	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
   3.174 - 		switch (opt) {
   3.175 - 		case '1':
   3.176 - 			fatal("SSH protocol v.1 is no longer supported");
   3.177 -@@ -921,6 +929,14 @@
   3.178 - 		case 'F':
   3.179 - 			config = optarg;
   3.180 - 			break;
   3.181 -+#ifdef TCP_STEALTH
   3.182 -+		case 'z':
   3.183 -+			options.tcp_stealth_secret =
   3.184 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.185 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.186 -+				TCP_STEALTH_SECRET_SIZE);
   3.187 -+			break;
   3.188 -+#endif
   3.189 - 		default:
   3.190 - 			usage();
   3.191 - 		}
   3.192 ---- a/sshd.c
   3.193 -+++ b/sshd.c
   3.194 -@@ -896,6 +896,14 @@
   3.195 - 	return (r < p) ? 1 : 0;
   3.196 - }
   3.197 - 
   3.198 -+#ifdef TCP_STEALTH
   3.199 -+#define OPT_STEALTH	" [-z tcp_stealth_secret]"
   3.200 -+#define GETOPT_STEALTH	"z:"
   3.201 -+#else
   3.202 -+#define OPT_STEALTH	""
   3.203 -+#define GETOPT_STEALTH	""
   3.204 -+#endif
   3.205 -+
   3.206 - static void
   3.207 - usage(void)
   3.208 - {
   3.209 -@@ -911,6 +919,7 @@
   3.210 - "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
   3.211 - "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
   3.212 - "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
   3.213 -+"            " OPT_STEALTH "\n"
   3.214 - 	);
   3.215 - 	exit(1);
   3.216 - }
   3.217 -@@ -1057,6 +1066,15 @@
   3.218 - 		if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
   3.219 - 		    &on, sizeof(on)) == -1)
   3.220 - 			error("setsockopt SO_REUSEADDR: %s", strerror(errno));
   3.221 -+#ifdef TCP_STEALTH
   3.222 -+		if (options.tcp_stealth_secret != NULL) {
   3.223 -+			if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
   3.224 -+			    options.tcp_stealth_secret,
   3.225 -+			    TCP_STEALTH_SECRET_SIZE) == -1)
   3.226 -+				error("setsockopt TCP_STEALTH: %s",
   3.227 -+				      strerror(errno));
   3.228 -+		}
   3.229 -+#endif
   3.230 - 
   3.231 - 		/* Only communicate in IPv6 over AF_INET6 sockets. */
   3.232 - 		if (ai->ai_family == AF_INET6)
   3.233 -@@ -1404,7 +1422,7 @@
   3.234 - 
   3.235 - 	/* Parse command-line arguments. */
   3.236 - 	while ((opt = getopt(ac, av,
   3.237 --	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.238 -+	    GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.239 - 		switch (opt) {
   3.240 - 		case '4':
   3.241 - 			options.address_family = AF_INET;
   3.242 -@@ -1512,6 +1530,14 @@
   3.243 - 				exit(1);
   3.244 - 			free(line);
   3.245 - 			break;
   3.246 -+#ifdef TCP_STEALTH
   3.247 -+		case 'z':
   3.248 -+			options.tcp_stealth_secret =
   3.249 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.250 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.251 -+				TCP_STEALTH_SECRET_SIZE);
   3.252 -+			break;
   3.253 -+#endif
   3.254 - 		case '?':
   3.255 - 		default:
   3.256 - 			usage();
   3.257 ---- a/ssh_config.5
   3.258 -+++ b/ssh_config.5
   3.259 -@@ -1509,6 +1509,15 @@
   3.260 - .Pp
   3.261 - To disable TCP keepalive messages, the value should be set to
   3.262 - .Cm no .
   3.263 -+.It Cm TCPStealthSecret
   3.264 -+Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.265 -+Server. Any string specified will be truncated to or padded with zeroes to 64
   3.266 -+bytes. This option needs kernel support and is therefore only available if the
   3.267 -+required
   3.268 -+.Xr setsockopt 2
   3.269 -+call is available.
   3.270 -+.Pp
   3.271 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.272 - .It Cm Tunnel
   3.273 - Request
   3.274 - .Xr tun 4
   3.275 ---- a/sshd_config.5
   3.276 -+++ b/sshd_config.5
   3.277 -@@ -1444,6 +1444,18 @@
   3.278 - .Pp
   3.279 - To disable TCP keepalive messages, the value should be set to
   3.280 - .Cm no .
   3.281 -+.It Cm TCPStealthSecret
   3.282 -+Turns this SSH server into a stealth SSH TCP server. This configuration option
   3.283 -+specifies the shared secret needed by the clients in order to be able to connect
   3.284 -+to the port the SSH server is listening on. This means that port scanners will
   3.285 -+receive a TCP RST and thus will not recognize this TCP port being open.  Any
   3.286 -+string specified will be truncated or padded with zeroes to 64 bytes. This
   3.287 -+option needs kernel support and is therefore only available if the required
   3.288 -+.Xr setsockopt 2
   3.289 -+call is available.
   3.290 -+.Pp
   3.291 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.292 -+
   3.293 - .It Cm TrustedUserCAKeys
   3.294 - Specifies a file containing public keys of certificate authorities that are
   3.295 - trusted to sign user certificates for authentication, or
   3.296 ---- a/sshd.0
   3.297 -+++ b/sshd.0
   3.298 -@@ -7,6 +7,7 @@
   3.299 -      sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
   3.300 -           [-E log_file] [-f config_file] [-g login_grace_time]
   3.301 -           [-h host_key_file] [-o option] [-p port] [-u len]
   3.302 -+          [-z tcp_stealth_secret]
   3.303 +--- a/ssh.0
   3.304 ++++ b/ssh.0
   3.305 +@@ -9,8 +9,8 @@
   3.306 +          [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
   3.307 +          [-J destination] [-L address] [-l login_name] [-m mac_spec]
   3.308 +          [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
   3.309 +-         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
   3.310 +-         [command]
   3.311 ++         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] 
   3.312 ++         [-z tcp_stealth_secret] destination [command]
   3.313   
   3.314   DESCRIPTION
   3.315 -      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
   3.316 -@@ -121,6 +122,20 @@
   3.317 -              from="pattern-list" option in a key file.  Configuration options
   3.318 -              that require DNS include using a USER@HOST pattern in AllowUsers
   3.319 -              or DenyUsers.
   3.320 -+     -z tcp_stealth_secret
   3.321 -+             Turns this SSH server into a Stealth SSH TCP Server. This option
   3.322 -+             specifies the shared secret which is needed by the clients in order
   3.323 -+             to be able to connect to the port the SSH server is listening on.
   3.324 -+             Any string specified will be truncated or padded with zeroes to 64
   3.325 -+             bytes. This option needs kernel support and is therefore only
   3.326 -+             available if the required setsockopt() call is available.
   3.327 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.328 -+             for details.
   3.329 -+
   3.330 -+             IMPORTANT: This option should only be used for the purpose of
   3.331 -+             testing as other users could easily read out the secret from the
   3.332 -+             command line arguments. The TCPStealthSecret configuration option
   3.333 -+             is the preferred way of specifying the TCP Stealth secret.
   3.334 +      ssh (SSH client) is a program for logging into a remote machine and for
   3.335 +@@ -436,6 +436,20 @@
   3.336   
   3.337 - AUTHENTICATION
   3.338 -      The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
   3.339 ---- openssh-6.7p1/ssh.0	2014-10-05 23:39:37.000000000 -0400
   3.340 -+++ openssh-6.7p1-knock/ssh.0	2014-11-05 20:35:44.216514377 -0500
   3.341 -@@ -425,6 +425,20 @@ DESCRIPTION
   3.342        -y      Send log information using the syslog(3) system module.  By
   3.343                default this information is sent to stderr.
   3.344 - 
   3.345 ++
   3.346  +     -z tcp_stealth_secret
   3.347  +             Specifies the shared secret which is needed to connect to a stealth
   3.348  +             SSH TCP server. Any string specified will be truncated to or padded
   3.349 @@ -362,21 +188,20 @@
   3.350  +             testing as other users could easily read out the secret from the
   3.351  +             command line arguments. The TCPStealthSecret configuration option
   3.352  +             is the preferred way of specifying the TCP Stealth secret.
   3.353 -+
   3.354 + 
   3.355        ssh may additionally obtain configuration data from a per-user
   3.356        configuration file and a system-wide configuration file.  The file format
   3.357 -      and configuration options are described in ssh_config(5).
   3.358 ---- openssh-6.7p1/ssh.1	2014-07-29 22:32:28.000000000 -0400
   3.359 -+++ openssh-6.7p1-knock/ssh.1	2014-11-07 13:56:02.022226289 -0500
   3.360 +--- a/ssh.1
   3.361 ++++ b/ssh.1
   3.362  @@ -64,6 +64,7 @@
   3.363   .Op Fl S Ar ctl_path
   3.364   .Op Fl W Ar host : Ns Ar port
   3.365   .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
   3.366  +.Op Fl z Ar tcp_stealth_secret
   3.367 - .Oo Ar user Ns @ Oc Ns Ar hostname
   3.368 + .Ar destination
   3.369   .Op Ar command
   3.370 - .Ek
   3.371 -@@ -528,6 +529,7 @@ For full details of the options listed b
   3.372 + .Sh DESCRIPTION
   3.373 +@@ -536,6 +537,7 @@
   3.374   .It StreamLocalBindUnlink
   3.375   .It StrictHostKeyChecking
   3.376   .It TCPKeepAlive
   3.377 @@ -384,7 +209,7 @@
   3.378   .It Tunnel
   3.379   .It TunnelDevice
   3.380   .It UpdateHostKeys
   3.381 -@@ -777,6 +779,21 @@ Send log information using the
   3.382 +@@ -795,6 +797,21 @@
   3.383   .Xr syslog 3
   3.384   system module.
   3.385   By default this information is sent to stderr.
   3.386 @@ -406,11 +231,61 @@
   3.387   .El
   3.388   .Pp
   3.389   .Nm
   3.390 ---- openssh-6.7p1/ssh_config.0	2014-10-05 23:39:38.000000000 -0400
   3.391 -+++ openssh-6.7p1-knock/ssh_config.0	2014-11-05 20:48:17.064514377 -0500
   3.392 -@@ -919,6 +919,15 @@ DESCRIPTION
   3.393 +--- a/ssh.c
   3.394 ++++ b/ssh.c
   3.395 +@@ -190,6 +190,14 @@
   3.396 + extern int muxserver_sock;
   3.397 + extern u_int muxclient_command;
   3.398   
   3.399 ++#ifdef TCP_STEALTH
   3.400 ++#define OPT_STEALTH	"[-z tcp_stealth_secret] "
   3.401 ++#define GETOPT_STEALTH	"z:"
   3.402 ++#else
   3.403 ++#define OPT_STEALTH	""
   3.404 ++#define GETOPT_STEALTH	""
   3.405 ++#endif
   3.406 ++
   3.407 + /* Prints a help message to the user.  This function never returns. */
   3.408 + 
   3.409 + static void
   3.410 +@@ -202,7 +210,7 @@
   3.411 + "           [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
   3.412 + "           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
   3.413 + "           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
   3.414 +-"           [-w local_tun[:remote_tun]] destination [command]\n"
   3.415 ++"           [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n"
   3.416 + 	);
   3.417 + 	exit(255);
   3.418 + }
   3.419 +@@ -657,7 +665,7 @@
   3.420 + 
   3.421 +  again:
   3.422 + 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
   3.423 +-	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
   3.424 ++	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
   3.425 + 		switch (opt) {
   3.426 + 		case '1':
   3.427 + 			fatal("SSH protocol v.1 is no longer supported");
   3.428 +@@ -979,6 +987,14 @@
   3.429 + 		case 'F':
   3.430 + 			config = optarg;
   3.431 + 			break;
   3.432 ++#ifdef TCP_STEALTH
   3.433 ++		case 'z':
   3.434 ++			options.tcp_stealth_secret =
   3.435 ++				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.436 ++			strncpy(options.tcp_stealth_secret, optarg,
   3.437 ++				TCP_STEALTH_SECRET_SIZE);
   3.438 ++			break;
   3.439 ++#endif
   3.440 + 		default:
   3.441 + 			usage();
   3.442 + 		}
   3.443 +--- a/ssh_config.0
   3.444 ++++ b/ssh_config.0
   3.445 +@@ -945,6 +945,15 @@
   3.446                To disable TCP keepalive messages, the value should be set to no.
   3.447 +              See also ServerAliveInterval for protocol-level keepalives.
   3.448   
   3.449  +     TCPStealthSecret
   3.450  +             Specifies the shared secret which is needed to connect to a stealth
   3.451 @@ -424,9 +299,27 @@
   3.452        Tunnel  Request tun(4) device forwarding between the client and the
   3.453                server.  The argument must be yes, point-to-point (layer 3),
   3.454                ethernet (layer 2), or no (the default).  Specifying yes requests
   3.455 ---- openssh-6.7p1/sshconnect.c	2014-07-18 00:11:26.000000000 -0400
   3.456 -+++ openssh-6.7p1-knock/sshconnect.c	2014-11-07 14:07:11.342196835 -0500
   3.457 -@@ -286,6 +286,18 @@ ssh_create_socket(int privileged, struct
   3.458 +--- a/ssh_config.5
   3.459 ++++ b/ssh_config.5
   3.460 +@@ -1548,6 +1548,15 @@
   3.461 + See also
   3.462 + .Cm ServerAliveInterval
   3.463 + for protocol-level keepalives.
   3.464 ++.It Cm TCPStealthSecret
   3.465 ++Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.466 ++Server. Any string specified will be truncated to or padded with zeroes to 64
   3.467 ++bytes. This option needs kernel support and is therefore only available if the
   3.468 ++required
   3.469 ++.Xr setsockopt 2
   3.470 ++call is available.
   3.471 ++.Pp
   3.472 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.473 + .It Cm Tunnel
   3.474 + Request
   3.475 + .Xr tun 4
   3.476 +--- a/sshconnect.c
   3.477 ++++ b/sshconnect.c
   3.478 +@@ -349,6 +349,18 @@
   3.479   	}
   3.480   	fcntl(sock, F_SETFD, FD_CLOEXEC);
   3.481   
   3.482 @@ -443,10 +336,41 @@
   3.483  +#endif
   3.484  +
   3.485   	/* Bind the socket to an alternative local IP address */
   3.486 - 	if (options.bind_address == NULL && !privileged)
   3.487 + 	if (options.bind_address == NULL && options.bind_interface == NULL)
   3.488   		return sock;
   3.489 ---- openssh-6.7p1/sshd.8	2014-07-03 19:00:04.000000000 -0400
   3.490 -+++ openssh-6.7p1-knock/sshd.8	2014-11-07 14:00:14.506215178 -0500
   3.491 +--- a/sshd.0
   3.492 ++++ b/sshd.0
   3.493 +@@ -7,6 +7,7 @@
   3.494 +      sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
   3.495 +           [-E log_file] [-f config_file] [-g login_grace_time]
   3.496 +           [-h host_key_file] [-o option] [-p port] [-u len]
   3.497 ++          [-z tcp_stealth_secret]
   3.498 + 
   3.499 + DESCRIPTION
   3.500 +      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
   3.501 +@@ -122,6 +123,20 @@
   3.502 +              from="pattern-list" option in a key file.  Configuration options
   3.503 +              that require DNS include using a USER@HOST pattern in AllowUsers
   3.504 +              or DenyUsers.
   3.505 ++     -z tcp_stealth_secret
   3.506 ++             Turns this SSH server into a Stealth SSH TCP Server. This option
   3.507 ++             specifies the shared secret which is needed by the clients in order
   3.508 ++             to be able to connect to the port the SSH server is listening on.
   3.509 ++             Any string specified will be truncated or padded with zeroes to 64
   3.510 ++             bytes. This option needs kernel support and is therefore only
   3.511 ++             available if the required setsockopt() call is available.
   3.512 ++             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.513 ++             for details.
   3.514 ++
   3.515 ++             IMPORTANT: This option should only be used for the purpose of
   3.516 ++             testing as other users could easily read out the secret from the
   3.517 ++             command line arguments. The TCPStealthSecret configuration option
   3.518 ++             is the preferred way of specifying the TCP Stealth secret.
   3.519 + 
   3.520 + AUTHENTICATION
   3.521 +      The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
   3.522 +--- a/sshd.8
   3.523 ++++ b/sshd.8
   3.524  @@ -53,6 +53,7 @@
   3.525   .Op Fl o Ar option
   3.526   .Op Fl p Ar port
   3.527 @@ -455,7 +379,7 @@
   3.528   .Ek
   3.529   .Sh DESCRIPTION
   3.530   .Nm
   3.531 -@@ -243,6 +244,24 @@ USER@HOST pattern in
   3.532 +@@ -244,6 +245,24 @@
   3.533   .Cm AllowUsers
   3.534   or
   3.535   .Cm DenyUsers .
   3.536 @@ -480,9 +404,75 @@
   3.537   .El
   3.538   .Sh AUTHENTICATION
   3.539   The OpenSSH SSH daemon supports SSH protocol 2 only.
   3.540 ---- openssh-6.7p1/sshd_config.0	2014-10-05 23:39:38.000000000 -0400
   3.541 -+++ openssh-6.7p1-knock/sshd_config.0	2014-11-07 14:01:07.530212845 -0500
   3.542 -@@ -872,6 +872,19 @@ DESCRIPTION
   3.543 +--- a/sshd.c
   3.544 ++++ b/sshd.c
   3.545 +@@ -911,6 +911,14 @@
   3.546 + 	return (r < p) ? 1 : 0;
   3.547 + }
   3.548 + 
   3.549 ++#ifdef TCP_STEALTH
   3.550 ++#define OPT_STEALTH	" [-z tcp_stealth_secret]"
   3.551 ++#define GETOPT_STEALTH	"z:"
   3.552 ++#else
   3.553 ++#define OPT_STEALTH	""
   3.554 ++#define GETOPT_STEALTH	""
   3.555 ++#endif
   3.556 ++
   3.557 + static void
   3.558 + usage(void)
   3.559 + {
   3.560 +@@ -926,6 +934,7 @@
   3.561 + "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
   3.562 + "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
   3.563 + "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
   3.564 ++"            " OPT_STEALTH "\n"
   3.565 + 	);
   3.566 + 	exit(1);
   3.567 + }
   3.568 +@@ -1075,6 +1084,16 @@
   3.569 + 			continue;
   3.570 + 		}
   3.571 + 
   3.572 ++#ifdef TCP_STEALTH
   3.573 ++		if (options.tcp_stealth_secret != NULL) {
   3.574 ++			if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
   3.575 ++			    options.tcp_stealth_secret,
   3.576 ++			    TCP_STEALTH_SECRET_SIZE) == -1)
   3.577 ++				error("setsockopt TCP_STEALTH: %s",
   3.578 ++				      strerror(errno));
   3.579 ++		}
   3.580 ++#endif
   3.581 ++
   3.582 + 		/* Only communicate in IPv6 over AF_INET6 sockets. */
   3.583 + 		if (ai->ai_family == AF_INET6)
   3.584 + 			sock_set_v6only(listen_sock);
   3.585 +@@ -1515,7 +1534,7 @@
   3.586 + 
   3.587 + 	/* Parse command-line arguments. */
   3.588 + 	while ((opt = getopt(ac, av,
   3.589 +-	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.590 ++	    GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.591 + 		switch (opt) {
   3.592 + 		case '4':
   3.593 + 			options.address_family = AF_INET;
   3.594 +@@ -1616,6 +1635,14 @@
   3.595 + 				exit(1);
   3.596 + 			free(line);
   3.597 + 			break;
   3.598 ++#ifdef TCP_STEALTH
   3.599 ++		case 'z':
   3.600 ++			options.tcp_stealth_secret =
   3.601 ++				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.602 ++			strncpy(options.tcp_stealth_secret, optarg,
   3.603 ++				TCP_STEALTH_SECRET_SIZE);
   3.604 ++			break;
   3.605 ++#endif
   3.606 + 		case '?':
   3.607 + 		default:
   3.608 + 			usage();
   3.609 +--- a/sshd_config.0
   3.610 ++++ b/sshd_config.0
   3.611 +@@ -937,6 +937,19 @@
   3.612   
   3.613                To disable TCP keepalive messages, the value should be set to no.
   3.614   
   3.615 @@ -502,3 +492,24 @@
   3.616        TrustedUserCAKeys
   3.617                Specifies a file containing public keys of certificate
   3.618                authorities that are trusted to sign user certificates for
   3.619 +--- a/sshd_config.5
   3.620 ++++ b/sshd_config.5
   3.621 +@@ -1567,6 +1567,18 @@
   3.622 + .Pp
   3.623 + To disable TCP keepalive messages, the value should be set to
   3.624 + .Cm no .
   3.625 ++.It Cm TCPStealthSecret
   3.626 ++Turns this SSH server into a stealth SSH TCP server. This configuration option
   3.627 ++specifies the shared secret needed by the clients in order to be able to connect
   3.628 ++to the port the SSH server is listening on. This means that port scanners will
   3.629 ++receive a TCP RST and thus will not recognize this TCP port being open.  Any
   3.630 ++string specified will be truncated or padded with zeroes to 64 bytes. This
   3.631 ++option needs kernel support and is therefore only available if the required
   3.632 ++.Xr setsockopt 2
   3.633 ++call is available.
   3.634 ++.Pp
   3.635 ++See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.636 ++
   3.637 + .It Cm TrustedUserCAKeys
   3.638 + Specifies a file containing public keys of certificate authorities that are
   3.639 + trusted to sign user certificates for authentication, or