wok rev 23654

Up openssh (8.2p1)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Tue Apr 21 06:14:03 2020 +0000 (2020-04-21)
parents 759c9acb4a95
children 1d84e90f8d94
files openssh-pam/receipt openssh/receipt openssh/stuff/knock.u sftp-server/receipt
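--- a/openssh-pam/receipt
+++ b/openssh-pam/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="openssh-pam"
-VERSION="7.9p1"
+VERSION="8.2p1"
 CATEGORY="security"
 SHORT_DESC="Openbsd Secure Shell using PAM."
 MAINTAINER="pascal.bellard@slitaz.org"
@@ -28,7 +28,6 @@
 # Rules to configure and make the package.
 compile_rules()
 {
-	patch -p1 < $WOK/$SOURCE/stuff/knock.u
 	unset LD # for cross compiling with --disable-strip
 	./configure \
 		--prefix=/usr \
@@ -73,7 +72,7 @@
 
 # From https://wiki.gentoo.org/wiki/SSH_jump_host  
 Host *+*
-  ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')
+  ProxyCommand ssh \$(echo %h | sed 's/+[^+]*$//;s/\\([^+%%]*\\)%%\\([^+]*\\)\$/\\2 -l \\1/;s/:/ -p /') exec nc -w1 \$(echo %h | sed 's/^.*+//;/:/!s/\$/ %p/;s/:/ /')
 
 EOT
 }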
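Review bot: The escaping on the new ProxyCommand line is inconsistent: the first sed expression keeps a bare `$//` while the later ones use `\$/`, and the `\\(`/`\\1` doubling only does the right thing because the heredoc delimiter (the `cat <<EOT` line, outside this hunk) is evidently unquoted. Both `$` forms survive identically at receipt time, since `$/` is not a parameter expansion, but a reader cannot see that without tracing the heredoc rules, and the next edit to this line is likely to get one backslash wrong. If nothing else in that heredoc needs expansion when the receipt runs, a quoted delimiter (`<<'EOT'`) would let the line be written exactly as it must appear in the installed ssh_config and make all of the added backslashes unnecessary; otherwise escape the remaining `$` as `s/+[^+]*\$//` so every occurrence is treated the same way. The identical line is added in the openssh/receipt section of this commit and would take the same change.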
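--- a/openssh/receipt
+++ b/openssh/receipt
@@ -28,7 +28,6 @@
 # Rules to configure and make the package.
 compile_rules()
 {
-	patch -p1 < $stuff/knock.u
 	unset LD # for cross compiling with --disable-strip
 	./configure \
 		--prefix=/usr \
@@ -71,7 +70,7 @@
 
 # From https://wiki.gentoo.org/wiki/SSH_jump_host  
 Host *+*
-  ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')
+  ProxyCommand ssh \$(echo %h | sed 's/+[^+]*$//;s/\\([^+%%]*\\)%%\\([^+]*\\)\$/\\2 -l \\1/;s/:/ -p /') exec nc -w1 \$(echo %h | sed 's/^.*+//;/:/!s/\$/ %p/;s/:/ /')
 
 EOT
 }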
     3.1 --- a/openssh/stuff/knock.u	Mon Apr 20 17:10:16 2020 +0100
     3.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.3 @@ -1,515 +0,0 @@
     3.4 -From https://gnunet.org/knock :
     3.5 -https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
     3.6 ---- a/readconf.c
     3.7 -+++ b/readconf.c
     3.8 -@@ -173,6 +173,9 @@
     3.9 - 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
    3.10 - 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
    3.11 - 	oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
    3.12 -+#ifdef TCP_STEALTH
    3.13 -+	oTCPStealthSecret,
    3.14 -+#endif
    3.15 - 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
    3.16 - } OpCodes;
    3.17 - 
    3.18 -@@ -309,6 +312,9 @@
    3.19 - 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
    3.20 - 	{ "ignoreunknown", oIgnoreUnknown },
    3.21 - 	{ "proxyjump", oProxyJump },
    3.22 -+#ifdef TCP_STEALTH
    3.23 -+	oTCPStealthSecret,
    3.24 -+#endif
    3.25 - 
    3.26 - 	{ NULL, oBadOption }
    3.27 - };
    3.28 -@@ -1722,6 +1728,23 @@
    3.29 - 			*charptr = xstrdup(arg);
    3.30 - 		break;
    3.31 - 
    3.32 -+#ifdef TCP_STEALTH
    3.33 -+	case oTCPStealthSecret:
    3.34 -+		charptr = &options->tcp_stealth_secret;
    3.35 -+
    3.36 -+		arg = strdelim(&s);
    3.37 -+		if (!arg || *arg == '\0')
    3.38 -+			fatal("%.200s line %d: Missing argument.",
    3.39 -+				filename, linenum);
    3.40 -+
    3.41 -+		if (*activep && *charptr == NULL) {
    3.42 -+			*charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
    3.43 -+			memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
    3.44 -+			strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
    3.45 -+		}
    3.46 -+
    3.47 -+		break;
    3.48 -+#endif
    3.49 - 	case oDeprecated:
    3.50 - 		debug("%s line %d: Deprecated option \"%s\"",
    3.51 - 		    filename, linenum, keyword);
    3.52 -@@ -1926,6 +1949,9 @@
    3.53 - 	options->update_hostkeys = -1;
    3.54 - 	options->hostbased_key_types = NULL;
    3.55 - 	options->pubkey_key_types = NULL;
    3.56 -+#ifdef TCP_STEALTH
    3.57 -+	options->tcp_stealth_secret = NULL;
    3.58 -+#endif
    3.59 - }
    3.60 - 
    3.61 - /*
    3.62 ---- a/readconf.h
    3.63 -+++ b/readconf.h
    3.64 -@@ -166,6 +166,10 @@
    3.65 - 	char   *jump_extra;
    3.66 - 
    3.67 - 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
    3.68 -+
    3.69 -+#ifdef TCP_STEALTH
    3.70 -+	char	*tcp_stealth_secret;
    3.71 -+#endif
    3.72 - }       Options;
    3.73 - 
    3.74 - #define SSH_CANONICALISE_NO	0
    3.75 ---- a/servconf.c
    3.76 -+++ b/servconf.c
    3.77 -@@ -180,6 +180,9 @@
    3.78 - 	options->fingerprint_hash = -1;
    3.79 - 	options->disable_forwarding = -1;
    3.80 - 	options->expose_userauth_info = -1;
    3.81 -+#ifdef TCP_STEALTH
    3.82 -+	options->tcp_stealth_secret = NULL;
    3.83 -+#endif
    3.84 - }
    3.85 - 
    3.86 - /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
    3.87 -@@ -497,6 +500,9 @@
    3.88 - 	sStreamLocalBindMask, sStreamLocalBindUnlink,
    3.89 - 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
    3.90 - 	sExposeAuthInfo, sRDomain,
    3.91 -+#ifdef TCP_STEALTH
    3.92 -+	sTCPStealthSecret,
    3.93 -+#endif
    3.94 - 	sDeprecated, sIgnore, sUnsupported
    3.95 - } ServerOpCodes;
    3.96 - 
    3.97 -@@ -645,6 +651,9 @@
    3.98 - 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
    3.99 - 	{ "rdomain", sRDomain, SSHCFG_ALL },
   3.100 - 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
   3.101 -+#ifdef TCP_STEALTH
   3.102 -+	{ "tcpstealthsecret", sTCPStealthSecret },
   3.103 -+#endif
   3.104 - 	{ NULL, sBadOption, 0 }
   3.105 - };
   3.106 - 
   3.107 -@@ -2149,6 +2158,23 @@
   3.108 - 			*charptr = xstrdup(arg);
   3.109 - 		break;
   3.110 - 
   3.111 -+#ifdef TCP_STEALTH
   3.112 -+	case sTCPStealthSecret:
   3.113 -+		charptr = &options->tcp_stealth_secret;
   3.114 -+
   3.115 -+		arg = strdelim(&cp);
   3.116 -+		if (!arg || *arg == '\0')
   3.117 -+			fatal("%s line %d: Missing argument.",
   3.118 -+				filename, linenum);
   3.119 -+
   3.120 -+		if (*activep && *charptr == NULL) {
   3.121 -+			*charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
   3.122 -+			memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
   3.123 -+			strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
   3.124 -+		}
   3.125 -+
   3.126 -+		break;
   3.127 -+#endif
   3.128 - 	case sDeprecated:
   3.129 - 	case sIgnore:
   3.130 - 	case sUnsupported:
   3.131 ---- a/servconf.h
   3.132 -+++ b/servconf.h
   3.133 -@@ -210,6 +210,9 @@
   3.134 - 	int	fingerprint_hash;
   3.135 - 	int	expose_userauth_info;
   3.136 - 	u_int64_t timing_secret;
   3.137 -+#ifdef TCP_STEALTH
   3.138 -+	char	*tcp_stealth_secret;
   3.139 -+#endif
   3.140 - }       ServerOptions;
   3.141 - 
   3.142 - /* Information about the incoming connection as used by Match */
   3.143 -@@ -232,6 +235,11 @@
   3.144 -  * NB. an option must appear in servconf.c:copy_set_server_options() or
   3.145 -  * COPY_MATCH_STRING_OPTS here but never both.
   3.146 -  */
   3.147 -+#ifdef TCP_STEALTH
   3.148 -+#define M_CP_STEALTHSCRT(X)	M_CP_STROPT(X);
   3.149 -+#else
   3.150 -+#define M_CP_STEALTHSCRT(X)
   3.151 -+#endif
   3.152 - #define COPY_MATCH_STRING_OPTS() do { \
   3.153 - 		M_CP_STROPT(banner); \
   3.154 - 		M_CP_STROPT(trusted_user_ca_keys); \
   3.155 -@@ -255,6 +263,7 @@
   3.156 - 		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
   3.157 - 		M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
   3.158 - 		M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
   3.159 -+		M_CP_STEALTHSCRT(tcp_stealth_secret); \
   3.160 - 	} while (0)
   3.161 - 
   3.162 - struct connection_info *get_connection_info(int, int);
   3.163 ---- a/ssh.0
   3.164 -+++ b/ssh.0
   3.165 -@@ -9,8 +9,8 @@
   3.166 -          [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
   3.167 -          [-J destination] [-L address] [-l login_name] [-m mac_spec]
   3.168 -          [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
   3.169 --         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
   3.170 --         [command]
   3.171 -+         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] 
   3.172 -+         [-z tcp_stealth_secret] destination [command]
   3.173 - 
   3.174 - DESCRIPTION
   3.175 -      ssh (SSH client) is a program for logging into a remote machine and for
   3.176 -@@ -436,6 +436,20 @@
   3.177 - 
   3.178 -      -y      Send log information using the syslog(3) system module.  By
   3.179 -              default this information is sent to stderr.
   3.180 -+
   3.181 -+     -z tcp_stealth_secret
   3.182 -+             Specifies the shared secret which is needed to connect to a stealth
   3.183 -+             SSH TCP server. Any string specified will be truncated to or padded
   3.184 -+             with zeroes to 64 bytes. This option needs kernel support and is
   3.185 -+             therefore only available if the required setsockopt() call is
   3.186 -+             available.
   3.187 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.188 -+             for details.
   3.189 -+
   3.190 -+             IMPORTANT: This option should only be used for the purpose of
   3.191 -+             testing as other users could easily read out the secret from the
   3.192 -+             command line arguments. The TCPStealthSecret configuration option
   3.193 -+             is the preferred way of specifying the TCP Stealth secret.
   3.194 - 
   3.195 -      ssh may additionally obtain configuration data from a per-user
   3.196 -      configuration file and a system-wide configuration file.  The file format
   3.197 ---- a/ssh.1
   3.198 -+++ b/ssh.1
   3.199 -@@ -64,6 +64,7 @@
   3.200 - .Op Fl S Ar ctl_path
   3.201 - .Op Fl W Ar host : Ns Ar port
   3.202 - .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
   3.203 -+.Op Fl z Ar tcp_stealth_secret
   3.204 - .Ar destination
   3.205 - .Op Ar command
   3.206 - .Sh DESCRIPTION
   3.207 -@@ -536,6 +537,7 @@
   3.208 - .It StreamLocalBindUnlink
   3.209 - .It StrictHostKeyChecking
   3.210 - .It TCPKeepAlive
   3.211 -+.It TCPStealthSecret
   3.212 - .It Tunnel
   3.213 - .It TunnelDevice
   3.214 - .It UpdateHostKeys
   3.215 -@@ -795,6 +797,21 @@
   3.216 - .Xr syslog 3
   3.217 - system module.
   3.218 - By default this information is sent to stderr.
   3.219 -+.It Fl z Ar tcp_stealth_secret
   3.220 -+Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.221 -+server. Any string specified will be truncated to or padded with zeroes to 64
   3.222 -+bytes. This option needs kernel support and is therefore only available if the
   3.223 -+required
   3.224 -+.Xr setsockopt 2
   3.225 -+call is available.
   3.226 -+.Pp
   3.227 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.228 -+.Pp
   3.229 -+.Cm IMPORTANT:
   3.230 -+This option should only be used for the purpose of testing as other users could
   3.231 -+easily read out the secret from the command line arguments. The
   3.232 -+.Cm TCPStealthSecret
   3.233 -+configuration option is the preferred way of specifying the TCP Stealth secret.
   3.234 - .El
   3.235 - .Pp
   3.236 - .Nm
   3.237 ---- a/ssh.c
   3.238 -+++ b/ssh.c
   3.239 -@@ -190,6 +190,14 @@
   3.240 - extern int muxserver_sock;
   3.241 - extern u_int muxclient_command;
   3.242 - 
   3.243 -+#ifdef TCP_STEALTH
   3.244 -+#define OPT_STEALTH	"[-z tcp_stealth_secret] "
   3.245 -+#define GETOPT_STEALTH	"z:"
   3.246 -+#else
   3.247 -+#define OPT_STEALTH	""
   3.248 -+#define GETOPT_STEALTH	""
   3.249 -+#endif
   3.250 -+
   3.251 - /* Prints a help message to the user.  This function never returns. */
   3.252 - 
   3.253 - static void
   3.254 -@@ -202,7 +210,7 @@
   3.255 - "           [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
   3.256 - "           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
   3.257 - "           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
   3.258 --"           [-w local_tun[:remote_tun]] destination [command]\n"
   3.259 -+"           [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n"
   3.260 - 	);
   3.261 - 	exit(255);
   3.262 - }
   3.263 -@@ -657,7 +665,7 @@
   3.264 - 
   3.265 -  again:
   3.266 - 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
   3.267 --	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
   3.268 -+	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
   3.269 - 		switch (opt) {
   3.270 - 		case '1':
   3.271 - 			fatal("SSH protocol v.1 is no longer supported");
   3.272 -@@ -979,6 +987,14 @@
   3.273 - 		case 'F':
   3.274 - 			config = optarg;
   3.275 - 			break;
   3.276 -+#ifdef TCP_STEALTH
   3.277 -+		case 'z':
   3.278 -+			options.tcp_stealth_secret =
   3.279 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.280 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.281 -+				TCP_STEALTH_SECRET_SIZE);
   3.282 -+			break;
   3.283 -+#endif
   3.284 - 		default:
   3.285 - 			usage();
   3.286 - 		}
   3.287 ---- a/ssh_config.0
   3.288 -+++ b/ssh_config.0
   3.289 -@@ -945,6 +945,15 @@
   3.290 -              To disable TCP keepalive messages, the value should be set to no.
   3.291 -              See also ServerAliveInterval for protocol-level keepalives.
   3.292 - 
   3.293 -+     TCPStealthSecret
   3.294 -+             Specifies the shared secret which is needed to connect to a stealth
   3.295 -+             SSH TCP Server. Any string specified will be truncated to or padded
   3.296 -+             with zeroes to 64 bytes. This option needs kernel support and is
   3.297 -+             therefore only available if the required setsockopt() call is
   3.298 -+             available.
   3.299 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.300 -+             for details.
   3.301 -+
   3.302 -      Tunnel  Request tun(4) device forwarding between the client and the
   3.303 -              server.  The argument must be yes, point-to-point (layer 3),
   3.304 -              ethernet (layer 2), or no (the default).  Specifying yes requests
   3.305 ---- a/ssh_config.5
   3.306 -+++ b/ssh_config.5
   3.307 -@@ -1548,6 +1548,15 @@
   3.308 - See also
   3.309 - .Cm ServerAliveInterval
   3.310 - for protocol-level keepalives.
   3.311 -+.It Cm TCPStealthSecret
   3.312 -+Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.313 -+Server. Any string specified will be truncated to or padded with zeroes to 64
   3.314 -+bytes. This option needs kernel support and is therefore only available if the
   3.315 -+required
   3.316 -+.Xr setsockopt 2
   3.317 -+call is available.
   3.318 -+.Pp
   3.319 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.320 - .It Cm Tunnel
   3.321 - Request
   3.322 - .Xr tun 4
   3.323 ---- a/sshconnect.c
   3.324 -+++ b/sshconnect.c
   3.325 -@@ -349,6 +349,18 @@
   3.326 - 	}
   3.327 - 	fcntl(sock, F_SETFD, FD_CLOEXEC);
   3.328 - 
   3.329 -+#ifdef TCP_STEALTH
   3.330 -+	if (options.tcp_stealth_secret) {
   3.331 -+		if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
   3.332 -+			       options.tcp_stealth_secret,
   3.333 -+			       TCP_STEALTH_SECRET_SIZE) == -1) {
   3.334 -+			error("setsockopt TCP_STEALTH: %s", strerror(errno));
   3.335 -+			close(sock);
   3.336 -+			return -1;
   3.337 -+		}
   3.338 -+	}
   3.339 -+#endif
   3.340 -+
   3.341 - 	/* Bind the socket to an alternative local IP address */
   3.342 - 	if (options.bind_address == NULL && options.bind_interface == NULL)
   3.343 - 		return sock;
   3.344 ---- a/sshd.0
   3.345 -+++ b/sshd.0
   3.346 -@@ -7,6 +7,7 @@
   3.347 -      sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
   3.348 -           [-E log_file] [-f config_file] [-g login_grace_time]
   3.349 -           [-h host_key_file] [-o option] [-p port] [-u len]
   3.350 -+          [-z tcp_stealth_secret]
   3.351 - 
   3.352 - DESCRIPTION
   3.353 -      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
   3.354 -@@ -122,6 +123,20 @@
   3.355 -              from="pattern-list" option in a key file.  Configuration options
   3.356 -              that require DNS include using a USER@HOST pattern in AllowUsers
   3.357 -              or DenyUsers.
   3.358 -+     -z tcp_stealth_secret
   3.359 -+             Turns this SSH server into a Stealth SSH TCP Server. This option
   3.360 -+             specifies the shared secret which is needed by the clients in order
   3.361 -+             to be able to connect to the port the SSH server is listening on.
   3.362 -+             Any string specified will be truncated or padded with zeroes to 64
   3.363 -+             bytes. This option needs kernel support and is therefore only
   3.364 -+             available if the required setsockopt() call is available.
   3.365 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.366 -+             for details.
   3.367 -+
   3.368 -+             IMPORTANT: This option should only be used for the purpose of
   3.369 -+             testing as other users could easily read out the secret from the
   3.370 -+             command line arguments. The TCPStealthSecret configuration option
   3.371 -+             is the preferred way of specifying the TCP Stealth secret.
   3.372 - 
   3.373 - AUTHENTICATION
   3.374 -      The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
   3.375 ---- a/sshd.8
   3.376 -+++ b/sshd.8
   3.377 -@@ -53,6 +53,7 @@
   3.378 - .Op Fl o Ar option
   3.379 - .Op Fl p Ar port
   3.380 - .Op Fl u Ar len
   3.381 -+.Op Fl z Ar tcp_stealth_secret
   3.382 - .Ek
   3.383 - .Sh DESCRIPTION
   3.384 - .Nm
   3.385 -@@ -244,6 +245,24 @@
   3.386 - .Cm AllowUsers
   3.387 - or
   3.388 - .Cm DenyUsers .
   3.389 -+.It Fl z Ar tcp_stealth_secret
   3.390 -+Turns this SSH server into a stealth SSH TCP server. This option specifies the
   3.391 -+shared secret which is needed by the clients in order to be able to connect to
   3.392 -+the port the SSH server is listening on.  Any string specified will be truncated
   3.393 -+or padded with zeroes to 64 bytes. This option needs kernel support and is
   3.394 -+therefore only available if the required
   3.395 -+.Xr setsockopt 2
   3.396 -+call is available.
   3.397 -+.Pp
   3.398 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.399 -+
   3.400 -+.Cm IMPORTANT:
   3.401 -+This option should only be used for the purpose of
   3.402 -+testing as other users could easily read out the secret from the
   3.403 -+command line arguments. The
   3.404 -+.Cm TCPStealthSecret
   3.405 -+configuration option
   3.406 -+is the preferred way of specifying the TCP Stealth secret.
   3.407 - .El
   3.408 - .Sh AUTHENTICATION
   3.409 - The OpenSSH SSH daemon supports SSH protocol 2 only.
   3.410 ---- a/sshd.c
   3.411 -+++ b/sshd.c
   3.412 -@@ -911,6 +911,14 @@
   3.413 - 	return (r < p) ? 1 : 0;
   3.414 - }
   3.415 - 
   3.416 -+#ifdef TCP_STEALTH
   3.417 -+#define OPT_STEALTH	" [-z tcp_stealth_secret]"
   3.418 -+#define GETOPT_STEALTH	"z:"
   3.419 -+#else
   3.420 -+#define OPT_STEALTH	""
   3.421 -+#define GETOPT_STEALTH	""
   3.422 -+#endif
   3.423 -+
   3.424 - static void
   3.425 - usage(void)
   3.426 - {
   3.427 -@@ -926,6 +934,7 @@
   3.428 - "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
   3.429 - "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
   3.430 - "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
   3.431 -+"            " OPT_STEALTH "\n"
   3.432 - 	);
   3.433 - 	exit(1);
   3.434 - }
   3.435 -@@ -1075,6 +1084,16 @@
   3.436 - 			continue;
   3.437 - 		}
   3.438 - 
   3.439 -+#ifdef TCP_STEALTH
   3.440 -+		if (options.tcp_stealth_secret != NULL) {
   3.441 -+			if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
   3.442 -+			    options.tcp_stealth_secret,
   3.443 -+			    TCP_STEALTH_SECRET_SIZE) == -1)
   3.444 -+				error("setsockopt TCP_STEALTH: %s",
   3.445 -+				      strerror(errno));
   3.446 -+		}
   3.447 -+#endif
   3.448 -+
   3.449 - 		/* Only communicate in IPv6 over AF_INET6 sockets. */
   3.450 - 		if (ai->ai_family == AF_INET6)
   3.451 - 			sock_set_v6only(listen_sock);
   3.452 -@@ -1515,7 +1534,7 @@
   3.453 - 
   3.454 - 	/* Parse command-line arguments. */
   3.455 - 	while ((opt = getopt(ac, av,
   3.456 --	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.457 -+	    GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.458 - 		switch (opt) {
   3.459 - 		case '4':
   3.460 - 			options.address_family = AF_INET;
   3.461 -@@ -1616,6 +1635,14 @@
   3.462 - 				exit(1);
   3.463 - 			free(line);
   3.464 - 			break;
   3.465 -+#ifdef TCP_STEALTH
   3.466 -+		case 'z':
   3.467 -+			options.tcp_stealth_secret =
   3.468 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.469 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.470 -+				TCP_STEALTH_SECRET_SIZE);
   3.471 -+			break;
   3.472 -+#endif
   3.473 - 		case '?':
   3.474 - 		default:
   3.475 - 			usage();
   3.476 ---- a/sshd_config.0
   3.477 -+++ b/sshd_config.0
   3.478 -@@ -937,6 +937,19 @@
   3.479 - 
   3.480 -              To disable TCP keepalive messages, the value should be set to no.
   3.481 - 
   3.482 -+     TCPStealthSecret
   3.483 -+             Turns this SSH server into a stealth SSH TCP server. This
   3.484 -+             configuration option specifies the shared secret needed by the
   3.485 -+             clients in order to be able to connect to the port the SSH server
   3.486 -+             is listening on. This means that port scanners will receive a
   3.487 -+             TCP RST and thus will not recognize this TCP port being open.
   3.488 -+
   3.489 -+             Any string specified will be truncated or padded with zeroes to 64
   3.490 -+             bytes. This option needs kernel support and is therefore only
   3.491 -+             available if the required setsockopt() call is available.
   3.492 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.493 -+             for details.
   3.494 -+
   3.495 -      TrustedUserCAKeys
   3.496 -              Specifies a file containing public keys of certificate
   3.497 -              authorities that are trusted to sign user certificates for
   3.498 ---- a/sshd_config.5
   3.499 -+++ b/sshd_config.5
   3.500 -@@ -1567,6 +1567,18 @@
   3.501 - .Pp
   3.502 - To disable TCP keepalive messages, the value should be set to
   3.503 - .Cm no .
   3.504 -+.It Cm TCPStealthSecret
   3.505 -+Turns this SSH server into a stealth SSH TCP server. This configuration option
   3.506 -+specifies the shared secret needed by the clients in order to be able to connect
   3.507 -+to the port the SSH server is listening on. This means that port scanners will
   3.508 -+receive a TCP RST and thus will not recognize this TCP port being open.  Any
   3.509 -+string specified will be truncated or padded with zeroes to 64 bytes. This
   3.510 -+option needs kernel support and is therefore only available if the required
   3.511 -+.Xr setsockopt 2
   3.512 -+call is available.
   3.513 -+.Pp
   3.514 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.515 -+
   3.516 - .It Cm TrustedUserCAKeys
   3.517 - Specifies a file containing public keys of certificate authorities that are
   3.518 - trusted to sign user certificates for authentication, or
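--- a/sftp-server/receipt
+++ b/sftp-server/receipt
@@ -8,9 +8,9 @@
 MAINTAINER="pascal.bellard@slitaz.org"
 LICENSE="BSD"
 WEB_SITE="http://www.openssh.org/"
+WANTED="openssh"
 
 DEPENDS="libcrypto zlib"
-WANTED="openssh"
 
 HOST_ARCH="i486 arm"
 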