wok rev 23654

Up openssh (8.2p1)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Tue Apr 21 06:14:03 2020 +0000 (17 months ago)
parents 759c9acb4a95
children 1d84e90f8d94
files openssh-pam/receipt openssh/receipt openssh/stuff/knock.u sftp-server/receipt
line diff
     1.1 --- a/openssh-pam/receipt	Mon Apr 20 17:10:16 2020 +0100
     1.2 +++ b/openssh-pam/receipt	Tue Apr 21 06:14:03 2020 +0000
     1.3 @@ -1,7 +1,7 @@
     1.4  # SliTaz package receipt.
     1.5  
     1.6  PACKAGE="openssh-pam"
     1.7 -VERSION="7.9p1"
     1.8 +VERSION="8.2p1"
     1.9  CATEGORY="security"
    1.10  SHORT_DESC="Openbsd Secure Shell using PAM."
    1.11  MAINTAINER="pascal.bellard@slitaz.org"
    1.12 @@ -28,7 +28,6 @@
    1.13  # Rules to configure and make the package.
    1.14  compile_rules()
    1.15  {
    1.16 -	patch -p1 < $WOK/$SOURCE/stuff/knock.u
    1.17  	unset LD # for cross compiling with --disable-strip
    1.18  	./configure \
    1.19  		--prefix=/usr \
    1.20 @@ -73,7 +72,7 @@
    1.21  
    1.22  # From https://wiki.gentoo.org/wiki/SSH_jump_host  
    1.23  Host *+*
    1.24 -  ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')
    1.25 +  ProxyCommand ssh \$(echo %h | sed 's/+[^+]*$//;s/\\([^+%%]*\\)%%\\([^+]*\\)\$/\\2 -l \\1/;s/:/ -p /') exec nc -w1 \$(echo %h | sed 's/^.*+//;/:/!s/\$/ %p/;s/:/ /')
    1.26  
    1.27  EOT
    1.28  }
     2.1 --- a/openssh/receipt	Mon Apr 20 17:10:16 2020 +0100
     2.2 +++ b/openssh/receipt	Tue Apr 21 06:14:03 2020 +0000
     2.3 @@ -28,7 +28,6 @@
     2.4  # Rules to configure and make the package.
     2.5  compile_rules()
     2.6  {
     2.7 -	patch -p1 < $stuff/knock.u
     2.8  	unset LD # for cross compiling with --disable-strip
     2.9  	./configure \
    2.10  		--prefix=/usr \
    2.11 @@ -71,7 +70,7 @@
    2.12  
    2.13  # From https://wiki.gentoo.org/wiki/SSH_jump_host  
    2.14  Host *+*
    2.15 -  ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') exec nc -w1 $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')
    2.16 +  ProxyCommand ssh \$(echo %h | sed 's/+[^+]*$//;s/\\([^+%%]*\\)%%\\([^+]*\\)\$/\\2 -l \\1/;s/:/ -p /') exec nc -w1 \$(echo %h | sed 's/^.*+//;/:/!s/\$/ %p/;s/:/ /')
    2.17  
    2.18  EOT
    2.19  }
     3.1 --- a/openssh/stuff/knock.u	Mon Apr 20 17:10:16 2020 +0100
     3.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.3 @@ -1,515 +0,0 @@
     3.4 -From https://gnunet.org/knock :
     3.5 -https://gnunet.org/sites/default/files/openssh-linux-knock-patch.diff
     3.6 ---- a/readconf.c
     3.7 -+++ b/readconf.c
     3.8 -@@ -173,6 +173,9 @@
     3.9 - 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
    3.10 - 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
    3.11 - 	oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
    3.12 -+#ifdef TCP_STEALTH
    3.13 -+	oTCPStealthSecret,
    3.14 -+#endif
    3.15 - 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
    3.16 - } OpCodes;
    3.17 - 
    3.18 -@@ -309,6 +312,9 @@
    3.19 - 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
    3.20 - 	{ "ignoreunknown", oIgnoreUnknown },
    3.21 - 	{ "proxyjump", oProxyJump },
    3.22 -+#ifdef TCP_STEALTH
    3.23 -+	oTCPStealthSecret,
    3.24 -+#endif
    3.25 - 
    3.26 - 	{ NULL, oBadOption }
    3.27 - };
    3.28 -@@ -1722,6 +1728,23 @@
    3.29 - 			*charptr = xstrdup(arg);
    3.30 - 		break;
    3.31 - 
    3.32 -+#ifdef TCP_STEALTH
    3.33 -+	case oTCPStealthSecret:
    3.34 -+		charptr = &options->tcp_stealth_secret;
    3.35 -+
    3.36 -+		arg = strdelim(&s);
    3.37 -+		if (!arg || *arg == '\0')
    3.38 -+			fatal("%.200s line %d: Missing argument.",
    3.39 -+				filename, linenum);
    3.40 -+
    3.41 -+		if (*activep && *charptr == NULL) {
    3.42 -+			*charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
    3.43 -+			memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
    3.44 -+			strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
    3.45 -+		}
    3.46 -+
    3.47 -+		break;
    3.48 -+#endif
    3.49 - 	case oDeprecated:
    3.50 - 		debug("%s line %d: Deprecated option \"%s\"",
    3.51 - 		    filename, linenum, keyword);
    3.52 -@@ -1926,6 +1949,9 @@
    3.53 - 	options->update_hostkeys = -1;
    3.54 - 	options->hostbased_key_types = NULL;
    3.55 - 	options->pubkey_key_types = NULL;
    3.56 -+#ifdef TCP_STEALTH
    3.57 -+	options->tcp_stealth_secret = NULL;
    3.58 -+#endif
    3.59 - }
    3.60 - 
    3.61 - /*
    3.62 ---- a/readconf.h
    3.63 -+++ b/readconf.h
    3.64 -@@ -166,6 +166,10 @@
    3.65 - 	char   *jump_extra;
    3.66 - 
    3.67 - 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
    3.68 -+
    3.69 -+#ifdef TCP_STEALTH
    3.70 -+	char	*tcp_stealth_secret;
    3.71 -+#endif
    3.72 - }       Options;
    3.73 - 
    3.74 - #define SSH_CANONICALISE_NO	0
    3.75 ---- a/servconf.c
    3.76 -+++ b/servconf.c
    3.77 -@@ -180,6 +180,9 @@
    3.78 - 	options->fingerprint_hash = -1;
    3.79 - 	options->disable_forwarding = -1;
    3.80 - 	options->expose_userauth_info = -1;
    3.81 -+#ifdef TCP_STEALTH
    3.82 -+	options->tcp_stealth_secret = NULL;
    3.83 -+#endif
    3.84 - }
    3.85 - 
    3.86 - /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
    3.87 -@@ -497,6 +500,9 @@
    3.88 - 	sStreamLocalBindMask, sStreamLocalBindUnlink,
    3.89 - 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
    3.90 - 	sExposeAuthInfo, sRDomain,
    3.91 -+#ifdef TCP_STEALTH
    3.92 -+	sTCPStealthSecret,
    3.93 -+#endif
    3.94 - 	sDeprecated, sIgnore, sUnsupported
    3.95 - } ServerOpCodes;
    3.96 - 
    3.97 -@@ -645,6 +651,9 @@
    3.98 - 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
    3.99 - 	{ "rdomain", sRDomain, SSHCFG_ALL },
   3.100 - 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
   3.101 -+#ifdef TCP_STEALTH
   3.102 -+	{ "tcpstealthsecret", sTCPStealthSecret },
   3.103 -+#endif
   3.104 - 	{ NULL, sBadOption, 0 }
   3.105 - };
   3.106 - 
   3.107 -@@ -2149,6 +2158,23 @@
   3.108 - 			*charptr = xstrdup(arg);
   3.109 - 		break;
   3.110 - 
   3.111 -+#ifdef TCP_STEALTH
   3.112 -+	case sTCPStealthSecret:
   3.113 -+		charptr = &options->tcp_stealth_secret;
   3.114 -+
   3.115 -+		arg = strdelim(&cp);
   3.116 -+		if (!arg || *arg == '\0')
   3.117 -+			fatal("%s line %d: Missing argument.",
   3.118 -+				filename, linenum);
   3.119 -+
   3.120 -+		if (*activep && *charptr == NULL) {
   3.121 -+			*charptr = xmalloc(TCP_STEALTH_SECRET_SIZE + 1);
   3.122 -+			memset(*charptr, 0x00, TCP_STEALTH_SECRET_SIZE + 1);
   3.123 -+			strncpy(*charptr, arg, TCP_STEALTH_SECRET_SIZE);
   3.124 -+		}
   3.125 -+
   3.126 -+		break;
   3.127 -+#endif
   3.128 - 	case sDeprecated:
   3.129 - 	case sIgnore:
   3.130 - 	case sUnsupported:
   3.131 ---- a/servconf.h
   3.132 -+++ b/servconf.h
   3.133 -@@ -210,6 +210,9 @@
   3.134 - 	int	fingerprint_hash;
   3.135 - 	int	expose_userauth_info;
   3.136 - 	u_int64_t timing_secret;
   3.137 -+#ifdef TCP_STEALTH
   3.138 -+	char	*tcp_stealth_secret;
   3.139 -+#endif
   3.140 - }       ServerOptions;
   3.141 - 
   3.142 - /* Information about the incoming connection as used by Match */
   3.143 -@@ -232,6 +235,11 @@
   3.144 -  * NB. an option must appear in servconf.c:copy_set_server_options() or
   3.145 -  * COPY_MATCH_STRING_OPTS here but never both.
   3.146 -  */
   3.147 -+#ifdef TCP_STEALTH
   3.148 -+#define M_CP_STEALTHSCRT(X)	M_CP_STROPT(X);
   3.149 -+#else
   3.150 -+#define M_CP_STEALTHSCRT(X)
   3.151 -+#endif
   3.152 - #define COPY_MATCH_STRING_OPTS() do { \
   3.153 - 		M_CP_STROPT(banner); \
   3.154 - 		M_CP_STROPT(trusted_user_ca_keys); \
   3.155 -@@ -255,6 +263,7 @@
   3.156 - 		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
   3.157 - 		M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
   3.158 - 		M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
   3.159 -+		M_CP_STEALTHSCRT(tcp_stealth_secret); \
   3.160 - 	} while (0)
   3.161 - 
   3.162 - struct connection_info *get_connection_info(int, int);
   3.163 ---- a/ssh.0
   3.164 -+++ b/ssh.0
   3.165 -@@ -9,8 +9,8 @@
   3.166 -          [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
   3.167 -          [-J destination] [-L address] [-l login_name] [-m mac_spec]
   3.168 -          [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
   3.169 --         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
   3.170 --         [command]
   3.171 -+         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] 
   3.172 -+         [-z tcp_stealth_secret] destination [command]
   3.173 - 
   3.174 - DESCRIPTION
   3.175 -      ssh (SSH client) is a program for logging into a remote machine and for
   3.176 -@@ -436,6 +436,20 @@
   3.177 - 
   3.178 -      -y      Send log information using the syslog(3) system module.  By
   3.179 -              default this information is sent to stderr.
   3.180 -+
   3.181 -+     -z tcp_stealth_secret
   3.182 -+             Specifies the shared secret which is needed to connect to a stealth
   3.183 -+             SSH TCP server. Any string specified will be truncated to or padded
   3.184 -+             with zeroes to 64 bytes. This option needs kernel support and is
   3.185 -+             therefore only available if the required setsockopt() call is
   3.186 -+             available.
   3.187 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.188 -+             for details.
   3.189 -+
   3.190 -+             IMPORTANT: This option should only be used for the purpose of
   3.191 -+             testing as other users could easily read out the secret from the
   3.192 -+             command line arguments. The TCPStealthSecret configuration option
   3.193 -+             is the preferred way of specifying the TCP Stealth secret.
   3.194 - 
   3.195 -      ssh may additionally obtain configuration data from a per-user
   3.196 -      configuration file and a system-wide configuration file.  The file format
   3.197 ---- a/ssh.1
   3.198 -+++ b/ssh.1
   3.199 -@@ -64,6 +64,7 @@
   3.200 - .Op Fl S Ar ctl_path
   3.201 - .Op Fl W Ar host : Ns Ar port
   3.202 - .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
   3.203 -+.Op Fl z Ar tcp_stealth_secret
   3.204 - .Ar destination
   3.205 - .Op Ar command
   3.206 - .Sh DESCRIPTION
   3.207 -@@ -536,6 +537,7 @@
   3.208 - .It StreamLocalBindUnlink
   3.209 - .It StrictHostKeyChecking
   3.210 - .It TCPKeepAlive
   3.211 -+.It TCPStealthSecret
   3.212 - .It Tunnel
   3.213 - .It TunnelDevice
   3.214 - .It UpdateHostKeys
   3.215 -@@ -795,6 +797,21 @@
   3.216 - .Xr syslog 3
   3.217 - system module.
   3.218 - By default this information is sent to stderr.
   3.219 -+.It Fl z Ar tcp_stealth_secret
   3.220 -+Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.221 -+server. Any string specified will be truncated to or padded with zeroes to 64
   3.222 -+bytes. This option needs kernel support and is therefore only available if the
   3.223 -+required
   3.224 -+.Xr setsockopt 2
   3.225 -+call is available.
   3.226 -+.Pp
   3.227 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.228 -+.Pp
   3.229 -+.Cm IMPORTANT:
   3.230 -+This option should only be used for the purpose of testing as other users could
   3.231 -+easily read out the secret from the command line arguments. The
   3.232 -+.Cm TCPStealthSecret
   3.233 -+configuration option is the preferred way of specifying the TCP Stealth secret.
   3.234 - .El
   3.235 - .Pp
   3.236 - .Nm
   3.237 ---- a/ssh.c
   3.238 -+++ b/ssh.c
   3.239 -@@ -190,6 +190,14 @@
   3.240 - extern int muxserver_sock;
   3.241 - extern u_int muxclient_command;
   3.242 - 
   3.243 -+#ifdef TCP_STEALTH
   3.244 -+#define OPT_STEALTH	"[-z tcp_stealth_secret] "
   3.245 -+#define GETOPT_STEALTH	"z:"
   3.246 -+#else
   3.247 -+#define OPT_STEALTH	""
   3.248 -+#define GETOPT_STEALTH	""
   3.249 -+#endif
   3.250 -+
   3.251 - /* Prints a help message to the user.  This function never returns. */
   3.252 - 
   3.253 - static void
   3.254 -@@ -202,7 +210,7 @@
   3.255 - "           [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
   3.256 - "           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
   3.257 - "           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
   3.258 --"           [-w local_tun[:remote_tun]] destination [command]\n"
   3.259 -+"           [-w local_tun[:remote_tun]] " OPT_STEALTH "destination [command]\n"
   3.260 - 	);
   3.261 - 	exit(255);
   3.262 - }
   3.263 -@@ -657,7 +665,7 @@
   3.264 - 
   3.265 -  again:
   3.266 - 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
   3.267 --	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
   3.268 -+	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy" GETOPT_STEALTH)) != -1) {
   3.269 - 		switch (opt) {
   3.270 - 		case '1':
   3.271 - 			fatal("SSH protocol v.1 is no longer supported");
   3.272 -@@ -979,6 +987,14 @@
   3.273 - 		case 'F':
   3.274 - 			config = optarg;
   3.275 - 			break;
   3.276 -+#ifdef TCP_STEALTH
   3.277 -+		case 'z':
   3.278 -+			options.tcp_stealth_secret =
   3.279 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.280 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.281 -+				TCP_STEALTH_SECRET_SIZE);
   3.282 -+			break;
   3.283 -+#endif
   3.284 - 		default:
   3.285 - 			usage();
   3.286 - 		}
   3.287 ---- a/ssh_config.0
   3.288 -+++ b/ssh_config.0
   3.289 -@@ -945,6 +945,15 @@
   3.290 -              To disable TCP keepalive messages, the value should be set to no.
   3.291 -              See also ServerAliveInterval for protocol-level keepalives.
   3.292 - 
   3.293 -+     TCPStealthSecret
   3.294 -+             Specifies the shared secret which is needed to connect to a stealth
   3.295 -+             SSH TCP Server. Any string specified will be truncated to or padded
   3.296 -+             with zeroes to 64 bytes. This option needs kernel support and is
   3.297 -+             therefore only available if the required setsockopt() call is
   3.298 -+             available.
   3.299 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.300 -+             for details.
   3.301 -+
   3.302 -      Tunnel  Request tun(4) device forwarding between the client and the
   3.303 -              server.  The argument must be yes, point-to-point (layer 3),
   3.304 -              ethernet (layer 2), or no (the default).  Specifying yes requests
   3.305 ---- a/ssh_config.5
   3.306 -+++ b/ssh_config.5
   3.307 -@@ -1548,6 +1548,15 @@
   3.308 - See also
   3.309 - .Cm ServerAliveInterval
   3.310 - for protocol-level keepalives.
   3.311 -+.It Cm TCPStealthSecret
   3.312 -+Specifies the shared secret which is needed to connect to a stealth SSH TCP
   3.313 -+Server. Any string specified will be truncated to or padded with zeroes to 64
   3.314 -+bytes. This option needs kernel support and is therefore only available if the
   3.315 -+required
   3.316 -+.Xr setsockopt 2
   3.317 -+call is available.
   3.318 -+.Pp
   3.319 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.320 - .It Cm Tunnel
   3.321 - Request
   3.322 - .Xr tun 4
   3.323 ---- a/sshconnect.c
   3.324 -+++ b/sshconnect.c
   3.325 -@@ -349,6 +349,18 @@
   3.326 - 	}
   3.327 - 	fcntl(sock, F_SETFD, FD_CLOEXEC);
   3.328 - 
   3.329 -+#ifdef TCP_STEALTH
   3.330 -+	if (options.tcp_stealth_secret) {
   3.331 -+		if (setsockopt(sock, IPPROTO_TCP, TCP_STEALTH,
   3.332 -+			       options.tcp_stealth_secret,
   3.333 -+			       TCP_STEALTH_SECRET_SIZE) == -1) {
   3.334 -+			error("setsockopt TCP_STEALTH: %s", strerror(errno));
   3.335 -+			close(sock);
   3.336 -+			return -1;
   3.337 -+		}
   3.338 -+	}
   3.339 -+#endif
   3.340 -+
   3.341 - 	/* Bind the socket to an alternative local IP address */
   3.342 - 	if (options.bind_address == NULL && options.bind_interface == NULL)
   3.343 - 		return sock;
   3.344 ---- a/sshd.0
   3.345 -+++ b/sshd.0
   3.346 -@@ -7,6 +7,7 @@
   3.347 -      sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
   3.348 -           [-E log_file] [-f config_file] [-g login_grace_time]
   3.349 -           [-h host_key_file] [-o option] [-p port] [-u len]
   3.350 -+          [-z tcp_stealth_secret]
   3.351 - 
   3.352 - DESCRIPTION
   3.353 -      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
   3.354 -@@ -122,6 +123,20 @@
   3.355 -              from="pattern-list" option in a key file.  Configuration options
   3.356 -              that require DNS include using a USER@HOST pattern in AllowUsers
   3.357 -              or DenyUsers.
   3.358 -+     -z tcp_stealth_secret
   3.359 -+             Turns this SSH server into a Stealth SSH TCP Server. This option
   3.360 -+             specifies the shared secret which is needed by the clients in order
   3.361 -+             to be able to connect to the port the SSH server is listening on.
   3.362 -+             Any string specified will be truncated or padded with zeroes to 64
   3.363 -+             bytes. This option needs kernel support and is therefore only
   3.364 -+             available if the required setsockopt() call is available.
   3.365 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.366 -+             for details.
   3.367 -+
   3.368 -+             IMPORTANT: This option should only be used for the purpose of
   3.369 -+             testing as other users could easily read out the secret from the
   3.370 -+             command line arguments. The TCPStealthSecret configuration option
   3.371 -+             is the preferred way of specifying the TCP Stealth secret.
   3.372 - 
   3.373 - AUTHENTICATION
   3.374 -      The OpenSSH SSH daemon supports SSH protocol 2 only.  Each host has a
   3.375 ---- a/sshd.8
   3.376 -+++ b/sshd.8
   3.377 -@@ -53,6 +53,7 @@
   3.378 - .Op Fl o Ar option
   3.379 - .Op Fl p Ar port
   3.380 - .Op Fl u Ar len
   3.381 -+.Op Fl z Ar tcp_stealth_secret
   3.382 - .Ek
   3.383 - .Sh DESCRIPTION
   3.384 - .Nm
   3.385 -@@ -244,6 +245,24 @@
   3.386 - .Cm AllowUsers
   3.387 - or
   3.388 - .Cm DenyUsers .
   3.389 -+.It Fl z Ar tcp_stealth_secret
   3.390 -+Turns this SSH server into a stealth SSH TCP server. This option specifies the
   3.391 -+shared secret which is needed by the clients in order to be able to connect to
   3.392 -+the port the SSH server is listening on.  Any string specified will be truncated
   3.393 -+or padded with zeroes to 64 bytes. This option needs kernel support and is
   3.394 -+therefore only available if the required
   3.395 -+.Xr setsockopt 2
   3.396 -+call is available.
   3.397 -+.Pp
   3.398 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.399 -+
   3.400 -+.Cm IMPORTANT:
   3.401 -+This option should only be used for the purpose of
   3.402 -+testing as other users could easily read out the secret from the
   3.403 -+command line arguments. The
   3.404 -+.Cm TCPStealthSecret
   3.405 -+configuration option
   3.406 -+is the preferred way of specifying the TCP Stealth secret.
   3.407 - .El
   3.408 - .Sh AUTHENTICATION
   3.409 - The OpenSSH SSH daemon supports SSH protocol 2 only.
   3.410 ---- a/sshd.c
   3.411 -+++ b/sshd.c
   3.412 -@@ -911,6 +911,14 @@
   3.413 - 	return (r < p) ? 1 : 0;
   3.414 - }
   3.415 - 
   3.416 -+#ifdef TCP_STEALTH
   3.417 -+#define OPT_STEALTH	" [-z tcp_stealth_secret]"
   3.418 -+#define GETOPT_STEALTH	"z:"
   3.419 -+#else
   3.420 -+#define OPT_STEALTH	""
   3.421 -+#define GETOPT_STEALTH	""
   3.422 -+#endif
   3.423 -+
   3.424 - static void
   3.425 - usage(void)
   3.426 - {
   3.427 -@@ -926,6 +934,7 @@
   3.428 - "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
   3.429 - "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
   3.430 - "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
   3.431 -+"            " OPT_STEALTH "\n"
   3.432 - 	);
   3.433 - 	exit(1);
   3.434 - }
   3.435 -@@ -1075,6 +1084,16 @@
   3.436 - 			continue;
   3.437 - 		}
   3.438 - 
   3.439 -+#ifdef TCP_STEALTH
   3.440 -+		if (options.tcp_stealth_secret != NULL) {
   3.441 -+			if (setsockopt(listen_sock, IPPROTO_TCP, TCP_STEALTH,
   3.442 -+			    options.tcp_stealth_secret,
   3.443 -+			    TCP_STEALTH_SECRET_SIZE) == -1)
   3.444 -+				error("setsockopt TCP_STEALTH: %s",
   3.445 -+				      strerror(errno));
   3.446 -+		}
   3.447 -+#endif
   3.448 -+
   3.449 - 		/* Only communicate in IPv6 over AF_INET6 sockets. */
   3.450 - 		if (ai->ai_family == AF_INET6)
   3.451 - 			sock_set_v6only(listen_sock);
   3.452 -@@ -1515,7 +1534,7 @@
   3.453 - 
   3.454 - 	/* Parse command-line arguments. */
   3.455 - 	while ((opt = getopt(ac, av,
   3.456 --	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.457 -+	    GETOPT_STEALTH "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
   3.458 - 		switch (opt) {
   3.459 - 		case '4':
   3.460 - 			options.address_family = AF_INET;
   3.461 -@@ -1616,6 +1635,14 @@
   3.462 - 				exit(1);
   3.463 - 			free(line);
   3.464 - 			break;
   3.465 -+#ifdef TCP_STEALTH
   3.466 -+		case 'z':
   3.467 -+			options.tcp_stealth_secret =
   3.468 -+				xcalloc(TCP_STEALTH_SECRET_SIZE + 1, sizeof(u_int8_t));
   3.469 -+			strncpy(options.tcp_stealth_secret, optarg,
   3.470 -+				TCP_STEALTH_SECRET_SIZE);
   3.471 -+			break;
   3.472 -+#endif
   3.473 - 		case '?':
   3.474 - 		default:
   3.475 - 			usage();
   3.476 ---- a/sshd_config.0
   3.477 -+++ b/sshd_config.0
   3.478 -@@ -937,6 +937,19 @@
   3.479 - 
   3.480 -              To disable TCP keepalive messages, the value should be set to no.
   3.481 - 
   3.482 -+     TCPStealthSecret
   3.483 -+             Turns this SSH server into a stealth SSH TCP server. This
   3.484 -+             configuration option specifies the shared secret needed by the
   3.485 -+             clients in order to be able to connect to the port the SSH server
   3.486 -+             is listening on. This means that port scanners will receive a
   3.487 -+             TCP RST and thus will not recognize this TCP port being open.
   3.488 -+
   3.489 -+             Any string specified will be truncated or padded with zeroes to 64
   3.490 -+             bytes. This option needs kernel support and is therefore only
   3.491 -+             available if the required setsockopt() call is available.
   3.492 -+             See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
   3.493 -+             for details.
   3.494 -+
   3.495 -      TrustedUserCAKeys
   3.496 -              Specifies a file containing public keys of certificate
   3.497 -              authorities that are trusted to sign user certificates for
   3.498 ---- a/sshd_config.5
   3.499 -+++ b/sshd_config.5
   3.500 -@@ -1567,6 +1567,18 @@
   3.501 - .Pp
   3.502 - To disable TCP keepalive messages, the value should be set to
   3.503 - .Cm no .
   3.504 -+.It Cm TCPStealthSecret
   3.505 -+Turns this SSH server into a stealth SSH TCP server. This configuration option
   3.506 -+specifies the shared secret needed by the clients in order to be able to connect
   3.507 -+to the port the SSH server is listening on. This means that port scanners will
   3.508 -+receive a TCP RST and thus will not recognize this TCP port being open.  Any
   3.509 -+string specified will be truncated or padded with zeroes to 64 bytes. This
   3.510 -+option needs kernel support and is therefore only available if the required
   3.511 -+.Xr setsockopt 2
   3.512 -+call is available.
   3.513 -+.Pp
   3.514 -+See http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/ for details.
   3.515 -+
   3.516 - .It Cm TrustedUserCAKeys
   3.517 - Specifies a file containing public keys of certificate authorities that are
   3.518 - trusted to sign user certificates for authentication, or
     4.1 --- a/sftp-server/receipt	Mon Apr 20 17:10:16 2020 +0100
     4.2 +++ b/sftp-server/receipt	Tue Apr 21 06:14:03 2020 +0000
     4.3 @@ -8,9 +8,9 @@
     4.4  MAINTAINER="pascal.bellard@slitaz.org"
     4.5  LICENSE="BSD"
     4.6  WEB_SITE="http://www.openssh.org/"
     4.7 +WANTED="openssh"
     4.8  
     4.9  DEPENDS="libcrypto zlib"
    4.10 -WANTED="openssh"
    4.11  
    4.12  HOST_ARCH="i486 arm"
    4.13