UPDATE security/dropbear


UPDATE security/dropbear

Björn Ketelaars
An update is available for dropbear which fixes multiple issues.
Changelog can be found at https://matt.ucc.asn.au/dropbear/CHANGES

While here add dropbear.rc, which starts dropbear with -R (host keys are
generated on the first connection) and listening only on 127.0.0.1:8022.

Comments/OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/security/dropbear/Makefile,v
retrieving revision 1.4
diff -u -p -r1.4 Makefile
--- Makefile 4 Dec 2017 17:56:27 -0000 1.4
+++ Makefile 6 Mar 2018 07:02:38 -0000
@@ -2,7 +2,7 @@
 
 COMMENT= small SSH server and client
 
-DISTNAME= dropbear-2017.75
+DISTNAME= dropbear-2018.76
 EXTRACT_SUFX= .tar.bz2
 
 CATEGORIES= security net
@@ -21,7 +21,10 @@ USE_GMAKE= Yes
 CONFIGURE_STYLE= gnu
 #NO_TEST= Yes
 
+post-extract:
+ cp ${WRKDIST}/default_options.h ${WRKDIST}/localoptions.h
+
 post-configure:
- ${SUBST_CMD} ${WRKSRC}/options.h
+ ${SUBST_CMD} ${WRKSRC}/localoptions.h
 
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/dropbear/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo 23 May 2017 13:44:13 -0000 1.3
+++ distinfo 6 Mar 2018 07:02:38 -0000
@@ -1,2 +1,2 @@
-SHA256 (dropbear-2017.75.tar.bz2) = bLwdyxyXCdIm3/Zp5WBBcqGM9dv5ogFHTVYYrkRlCYw=
-SIZE (dropbear-2017.75.tar.bz2) = 1623392
+SHA256 (dropbear-2018.76.tar.bz2) = 8vuRZ+yoz5NFal/B1Pr3CZAqOrcN1E41LzrLw//a6mU=
+SIZE (dropbear-2018.76.tar.bz2) = 2688697
Index: patches/patch-localoptions_h
===================================================================
RCS file: patches/patch-localoptions_h
diff -N patches/patch-localoptions_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-localoptions_h 6 Mar 2018 07:02:38 -0000
@@ -0,0 +1,53 @@
+$OpenBSD$
+
+Index: localoptions.h
+--- localoptions.h.orig
++++ localoptions.h
+@@ -19,9 +19,9 @@ IMPORTANT: Some options will require "make clean" afte
+ #define DROPBEAR_DEFADDRESS ""
+
+ /* Default hostkey paths - these can be specified on the command line */
+-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
+-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
+-#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
++#define DSS_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_dss_host_key"
++#define RSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_rsa_host_key"
++#define ECDSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_ecdsa_host_key"
+
+ /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
+  * on chosen ports and keeps accepting connections. This is the default.
+@@ -44,7 +44,7 @@ IMPORTANT: Some options will require "make clean" afte
+  * several kB in binary size however will make the symmetrical ciphers and hashes
+  * slower, perhaps by 50%. Recommended for small systems that aren't doing
+  * much traffic. */
+-#define DROPBEAR_SMALL_CODE 1
++#define DROPBEAR_SMALL_CODE 0
+
+ /* Enable X11 Forwarding - server only */
+ #define DROPBEAR_X11FWD 1
+@@ -243,7 +243,7 @@ Homedir is prepended unless path begins with / */
+
+ /* The command to invoke for xauth when using X11 forwarding.
+  * "-q" for quiet */
+-#define XAUTH_COMMAND "/usr/bin/xauth -q"
++#define XAUTH_COMMAND "${X11BASE}/bin/xauth -q"
+
+
+ /* if you want to enable running an sftp server (such as the one included with
+@@ -254,7 +254,7 @@ Homedir is prepended unless path begins with / */
+
+ /* This is used by the scp binary when used as a client binary. If you're
+  * not using the Dropbear client, you'll need to change it */
+-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
++#define DROPBEAR_PATH_SSH_PROGRAM "${TRUEPREFIX}//bin/dbclient"
+
+ /* Whether to log commands executed by a client. This only logs the
+  * (single) command sent to the server, not what a user did in a
+@@ -290,6 +290,6 @@ be overridden at runtime with -I. 0 disables idle time
+ #define DEFAULT_IDLE_TIMEOUT 0
+
+ /* The default path. This will often get replaced by the shell */
+-#define DEFAULT_PATH "/usr/bin:/bin"
++#define DEFAULT_PATH "/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin"
+
+ #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
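Review bot: `DROPBEAR_PATH_SSH_PROGRAM` is substituted to `${TRUEPREFIX}//bin/dbclient` with a doubled slash, whereas the removed patch-options_h used `${TRUEPREFIX}/bin/dbclient`. The path still resolves, but it bakes an inconsistent scp helper path into the binary and differs from every other substituted path in this patch; the line should read `#define DROPBEAR_PATH_SSH_PROGRAM "${TRUEPREFIX}/bin/dbclient"`.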
Index: patches/patch-options_h
===================================================================
RCS file: patches/patch-options_h
diff -N patches/patch-options_h
--- patches/patch-options_h 6 Apr 2016 22:03:15 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,56 +0,0 @@
-$OpenBSD: patch-options_h,v 1.1.1.1 2016/04/06 22:03:15 sthen Exp $
---- options.h.orig Fri Mar 18 14:44:43 2016
-+++ options.h Wed Apr  6 21:47:42 2016
-@@ -21,13 +21,13 @@
-
- /* Default hostkey paths - these can be specified on the command line */
- #ifndef DSS_PRIV_FILENAME
--#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
-+#define DSS_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_dss_host_key"
- #endif
- #ifndef RSA_PRIV_FILENAME
--#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
-+#define RSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_rsa_host_key"
- #endif
- #ifndef ECDSA_PRIV_FILENAME
--#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
-+#define ECDSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_ecdsa_host_key"
- #endif
-
- /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
-@@ -52,7 +52,7 @@
- several kB in binary size however will make the symmetrical ciphers and hashes
- slower, perhaps by 50%. Recommended for small systems that aren't doing
- much traffic. */
--#define DROPBEAR_SMALL_CODE
-+// #define DROPBEAR_SMALL_CODE
-
- /* Enable X11 Forwarding - server only */
- #define ENABLE_X11FWD
-@@ -293,7 +293,7 @@ Homedir is prepended unless path begins with / */
- /* The command to invoke for xauth when using X11 forwarding.
-  * "-q" for quiet */
- #ifndef XAUTH_COMMAND
--#define XAUTH_COMMAND "/usr/bin/xauth -q"
-+#define XAUTH_COMMAND "${X11BASE}/bin/xauth -q"
- #endif
-
- /* if you want to enable running an sftp server (such as the one included with
-@@ -305,7 +305,7 @@ Homedir is prepended unless path begins with / */
-
- /* This is used by the scp binary when used as a client binary. If you're
-  * not using the Dropbear client, you'll need to change it */
--#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
-+#define DROPBEAR_PATH_SSH_PROGRAM "${TRUEPREFIX}/bin/dbclient"
-
- /* Whether to log commands executed by a client. This only logs the
-  * (single) command sent to the server, not what a user did in a
-@@ -347,7 +347,7 @@ be overridden at runtime with -I. 0 disables idle time
- #define DEFAULT_IDLE_TIMEOUT 0
-
- /* The default path. This will often get replaced by the shell */
--#define DEFAULT_PATH "/usr/bin:/bin"
-+#define DEFAULT_PATH "/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin"
-
- /* Some other defines (that mostly should be left alone) are defined
-  * in sysoptions.h */
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/dropbear/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 6 Apr 2016 22:03:15 -0000 1.1.1.1
+++ pkg/PLIST 6 Mar 2018 07:02:38 -0000
@@ -11,3 +11,4 @@
 @man man/man8/dropbear.8
 @bin sbin/dropbear
 @sample ${SYSCONFDIR}/dropbear/
+@rcscript ${RCDIR}/dropbear
Index: pkg/dropbear.rc
===================================================================
RCS file: pkg/dropbear.rc
diff -N pkg/dropbear.rc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pkg/dropbear.rc 6 Mar 2018 07:02:38 -0000
@@ -0,0 +1,12 @@
+#!/bin/ksh
+#
+# $OpenBSD$
+
+daemon="${TRUEPREFIX}/sbin/dropbear"
+daemon_flags="-p 127.0.0.1:8022 -R"
+
+. /etc/rc.d/rc.subr
+
+rc_reload=NO
+
+rc_cmd $1


Re: UPDATE security/dropbear

Björn Ketelaars
On Tue 06/03/2018 08:11, Björn Ketelaars wrote:
> An update is available for dropbear which fixes multiple issues.
> Changelog can be found at https://matt.ucc.asn.au/dropbear/CHANGES
>
> While here add dropbear.rc, which generates a key upon first connection
> (-R), and attaches to 127.0.0.1:8022.

New diff, which addresses comments from sthen@.

OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/security/dropbear/Makefile,v
retrieving revision 1.4
diff -u -p -r1.4 Makefile
--- Makefile 4 Dec 2017 17:56:27 -0000 1.4
+++ Makefile 12 Mar 2018 20:36:25 -0000
@@ -2,7 +2,7 @@
 
 COMMENT= small SSH server and client
 
-DISTNAME= dropbear-2017.75
+DISTNAME= dropbear-2018.76
 EXTRACT_SUFX= .tar.bz2
 
 CATEGORIES= security net
@@ -22,6 +22,6 @@ CONFIGURE_STYLE= gnu
 #NO_TEST= Yes
 
 post-configure:
- ${SUBST_CMD} ${WRKSRC}/options.h
+ ${SUBST_CMD} ${WRKSRC}/default_options.h
 
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/dropbear/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo 23 May 2017 13:44:13 -0000 1.3
+++ distinfo 12 Mar 2018 20:36:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (dropbear-2017.75.tar.bz2) = bLwdyxyXCdIm3/Zp5WBBcqGM9dv5ogFHTVYYrkRlCYw=
-SIZE (dropbear-2017.75.tar.bz2) = 1623392
+SHA256 (dropbear-2018.76.tar.bz2) = 8vuRZ+yoz5NFal/B1Pr3CZAqOrcN1E41LzrLw//a6mU=
+SIZE (dropbear-2018.76.tar.bz2) = 2688697
Index: patches/patch-default_options_h
===================================================================
RCS file: patches/patch-default_options_h
diff -N patches/patch-default_options_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-default_options_h 12 Mar 2018 20:36:25 -0000
@@ -0,0 +1,58 @@
+$OpenBSD$
+
+Index: default_options.h
+--- default_options.h.orig
++++ default_options.h
+@@ -19,9 +19,9 @@ IMPORTANT: Some options will require "make clean" afte
+ #define DROPBEAR_DEFADDRESS ""
+
+ /* Default hostkey paths - these can be specified on the command line */
+-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
+-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
+-#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
++#define DSS_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_dss_host_key"
++#define RSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_rsa_host_key"
++#define ECDSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_ecdsa_host_key"
+
+ /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
+  * on chosen ports and keeps accepting connections. This is the default.
+@@ -44,7 +44,7 @@ IMPORTANT: Some options will require "make clean" afte
+  * several kB in binary size however will make the symmetrical ciphers and hashes
+  * slower, perhaps by 50%. Recommended for small systems that aren't doing
+  * much traffic. */
+-#define DROPBEAR_SMALL_CODE 1
++#define DROPBEAR_SMALL_CODE 0
+
+ /* Enable X11 Forwarding - server only */
+ #define DROPBEAR_X11FWD 1
+@@ -239,11 +239,11 @@ Homedir is prepended unless path begins with / */
+
+ /* The default file to store the daemon's process ID, for shutdown
+    scripts etc. This can be overridden with the -P flag */
+-#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
++#define DROPBEAR_PIDFILE "${LOCALSTATEDIR}/run/dropbear.pid"
+
+ /* The command to invoke for xauth when using X11 forwarding.
+  * "-q" for quiet */
+-#define XAUTH_COMMAND "/usr/bin/xauth -q"
++#define XAUTH_COMMAND "${X11BASE}/bin/xauth -q"
+
+
+ /* if you want to enable running an sftp server (such as the one included with
+@@ -254,7 +254,7 @@ Homedir is prepended unless path begins with / */
+
+ /* This is used by the scp binary when used as a client binary. If you're
+  * not using the Dropbear client, you'll need to change it */
+-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
++#define DROPBEAR_PATH_SSH_PROGRAM "${TRUEPREFIX}/bin/dbclient"
+
+ /* Whether to log commands executed by a client. This only logs the
+  * (single) command sent to the server, not what a user did in a
+@@ -290,6 +290,6 @@ be overridden at runtime with -I. 0 disables idle time
+ #define DEFAULT_IDLE_TIMEOUT 0
+
+ /* The default path. This will often get replaced by the shell */
+-#define DEFAULT_PATH "/usr/bin:/bin"
++#define DEFAULT_PATH "/usr/bin:/bin:/usr/sbin:/sbin:${X11BASE}/bin:${TRUEPREFIX}/bin:${TRUEPREFIX}/sbin"
+
+ #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
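Review bot: The patch rewrites `DSS_PRIV_FILENAME` but leaves DSS hostkey support itself at upstream's default; if that default is still on (the `DROPBEAR_DSS` knob is outside this hunk), the server will offer ssh-dss, a 1024-bit SHA-1 hostkey type that OpenSSH clients have refused by default since 7.0. Since this patch is already where the port overrides upstream defaults, consider adding `#define DROPBEAR_DSS 0` alongside the hostkey paths, or record in the patch header why it is kept. Note also that every `${SYSCONFDIR}`, `${LOCALSTATEDIR}`, `${X11BASE}` and `${TRUEPREFIX}` here is only meaningful because the Makefile runs `${SUBST_CMD}` on this file in post-configure; a one-line comment at the top of the patch saying so would help the next updater who sees literal `${...}` in a C header.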
Index: patches/patch-options_h
===================================================================
RCS file: patches/patch-options_h
diff -N patches/patch-options_h
--- patches/patch-options_h 6 Apr 2016 22:03:15 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,56 +0,0 @@
-$OpenBSD: patch-options_h,v 1.1.1.1 2016/04/06 22:03:15 sthen Exp $
---- options.h.orig Fri Mar 18 14:44:43 2016
-+++ options.h Wed Apr  6 21:47:42 2016
-@@ -21,13 +21,13 @@
-
- /* Default hostkey paths - these can be specified on the command line */
- #ifndef DSS_PRIV_FILENAME
--#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
-+#define DSS_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_dss_host_key"
- #endif
- #ifndef RSA_PRIV_FILENAME
--#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
-+#define RSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_rsa_host_key"
- #endif
- #ifndef ECDSA_PRIV_FILENAME
--#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
-+#define ECDSA_PRIV_FILENAME "${SYSCONFDIR}/dropbear/dropbear_ecdsa_host_key"
- #endif
-
- /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
-@@ -52,7 +52,7 @@
- several kB in binary size however will make the symmetrical ciphers and hashes
- slower, perhaps by 50%. Recommended for small systems that aren't doing
- much traffic. */
--#define DROPBEAR_SMALL_CODE
-+// #define DROPBEAR_SMALL_CODE
-
- /* Enable X11 Forwarding - server only */
- #define ENABLE_X11FWD
-@@ -293,7 +293,7 @@ Homedir is prepended unless path begins with / */
- /* The command to invoke for xauth when using X11 forwarding.
-  * "-q" for quiet */
- #ifndef XAUTH_COMMAND
--#define XAUTH_COMMAND "/usr/bin/xauth -q"
-+#define XAUTH_COMMAND "${X11BASE}/bin/xauth -q"
- #endif
-
- /* if you want to enable running an sftp server (such as the one included with
-@@ -305,7 +305,7 @@ Homedir is prepended unless path begins with / */
-
- /* This is used by the scp binary when used as a client binary. If you're
-  * not using the Dropbear client, you'll need to change it */
--#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
-+#define DROPBEAR_PATH_SSH_PROGRAM "${TRUEPREFIX}/bin/dbclient"
-
- /* Whether to log commands executed by a client. This only logs the
-  * (single) command sent to the server, not what a user did in a
-@@ -347,7 +347,7 @@ be overridden at runtime with -I. 0 disables idle time
- #define DEFAULT_IDLE_TIMEOUT 0
-
- /* The default path. This will often get replaced by the shell */
--#define DEFAULT_PATH "/usr/bin:/bin"
-+#define DEFAULT_PATH "/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin"
-
- /* Some other defines (that mostly should be left alone) are defined
-  * in sysoptions.h */
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/dropbear/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 6 Apr 2016 22:03:15 -0000 1.1.1.1
+++ pkg/PLIST 12 Mar 2018 20:36:25 -0000
@@ -11,3 +11,4 @@
 @man man/man8/dropbear.8
 @bin sbin/dropbear
 @sample ${SYSCONFDIR}/dropbear/
+@rcscript ${RCDIR}/dropbear
Index: pkg/dropbear.rc
===================================================================
RCS file: pkg/dropbear.rc
diff -N pkg/dropbear.rc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pkg/dropbear.rc 12 Mar 2018 20:36:25 -0000
@@ -0,0 +1,12 @@
+#!/bin/ksh
+#
+# $OpenBSD$
+
+daemon="${TRUEPREFIX}/sbin/dropbear"
+daemon_flags="-p 127.0.0.1:8022 -R"
+
+. /etc/rc.d/rc.subr
+
+rc_reload=NO
+
+rc_cmd $1
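Review bot: Nothing in the script records that host keys exist only because `-R` is in the default `daemon_flags`; an admin who overrides `daemon_flags` in rc.conf.local (for instance to listen on a non-loopback address instead of `127.0.0.1:8022`) and drops `-R` presumably ends up with a daemon that has no key under `${SYSCONFDIR}/dropbear/` — confirm how dropbear behaves in that case. Lazy generation also means the hostkey, and therefore its fingerprint, does not exist until the first client has connected, so it cannot be distributed out of band beforehand. A short comment such as `# -R: generate host keys on first use; run dropbearkey first if you remove it` above `daemon_flags`, or the same sentence in a pkg/README, would spare users that surprise. Binding to loopback by default is the right call: it keeps the service off the network until explicitly configured and avoids clashing with the base sshd on port 22.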