Opened 3 years ago
Closed 3 years ago
#64748 closed update (fixed)
update OpenSSH to 8.9p1
Reported by: | artkiver (グレェ) | Owned by: | artkiver (グレェ) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | Cc: | thetrial (alabay), cooljeanius (Eric Gallager) | |
Port: | openssh |
Description
OpenSSH 8.9p1 was released on February 23, 2022.
Release notes here:
https://www.openssh.com/txt/release-8.9
In addition to adding some new functionality, this release mitigates a "near miss" almost vulnerability.
Salient excerpt from the release notes:
"fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions." …
"Thanks to Malcolm Stagg for finding and reporting this bug."
Attachments (2)
Change History (23)
Changed 3 years ago by artkiver (グレェ)
Attachment: | Portfile-openssh8.9p1.diff added |
---|
comment:1 follow-up: 2 Changed 3 years ago by artkiver (グレェ)
When I attempt to create a PR on GitHub via the GitHub CLI tool I receive the following error, presumably because of the open PR related to updating libressl-devel:
" gh pr create a pull request for branch "artkiver:master" into branch "master" already exists: https://github.com/macports/macports-ports/pull/14158"
Perhaps there is a way to have multiple PRs open on GitHub? I still do not profess to be a git nor GitHub wizard.
Regardless, the Portfile diff is attached to this ticket and port lint --nitpick and other preliminary test installs seem to work OK on my system for the time being.
Thanks!
comment:2 Changed 3 years ago by jmroot (Joshua Root)
Replying to artkiver:
When I attempt to create a PR on GitHub via the GitHub CLI tool I receive the following error, presumably because of the open PR related to updating libressl-devel:
" gh pr create a pull request for branch "artkiver:master" into branch "master" already exists: https://github.com/macports/macports-ports/pull/14158"
Perhaps there is a way to have multiple PRs open on GitHub? I still do not profess to be a git nor GitHub wizard.
You should create a new branch for every PR. See WorkingWithGit.
comment:3 Changed 3 years ago by artkiver (グレェ)
Ah, thanks for the tip!
With that recommendation in mind, the PR on GitHub is: https://github.com/macports/macports-ports/pull/14167
comment:4 Changed 3 years ago by thetrial (alabay)
Hm, though it says this builds under El Capitan 10.11 … something goes wrong here:
:info:patch Command failed: cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_openssh/openssh/work/openssh-8.9p1" && /usr/bin/patch -p0 -p1 < '/opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/openssh/files/openssh-8.8p1-gsskex.patch' :info:patch Exit code: 1 :error:patch Failed to patch openssh: command execution failed
8.9p1 and 8.8p1 patch?!
comment:5 Changed 3 years ago by thetrial (alabay)
Cc: | thetrial added |
---|
comment:6 Changed 3 years ago by artkiver (グレェ)
Ah, thanks for pointing that out! We probably don't need to be attempting to apply a patch for 8.8p1 to 8.9p1.
Anyway, that makes sense why it errors out (though perhaps less sense why it functioned on Monterey where I tested it personally). I think I still have a system with El Capitan I can dig up and see about omitting the patch parameters to the Portfile to test, though others are welcome to give it a go as well, it may take me some time to get to that system to try it personally.
comment:7 Changed 3 years ago by artkiver (グレェ)
Hmm, after digging up my OS X El Capitan system and running sudo port -v selfupdate && port -v upgrade outdated I get:
ssh -V OpenSSH_8.9p1, OpenSSL 3.0.1 14 Dec 2021
uname -a Darwin adominnoenbipi13.local 15.6.0 Darwin Kernel Version 15.6.0: Thu Jun 23 18:25:34 PDT 2016; root:xnu-3248.60.10~1/RELEASE_X86_64 x86_64
That's on OS X El Capitan 10.11.6 (15G31). macOS 10.11.6 15G31 x86_64
Looking over the Portfile, some of the other patches appear to be for HPN (related to FreeBSD's HPN diffs presumably? I think OpenSSH may have made performance improvements which obviate those).
From your error message it appears as if it is related to: " variant gsskex requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
patchfiles-append openssh-8.8p1-gsskex.patch
"
So, for the gsskex variant?
Can you try installing OpenSSH8.9p1 with -gsskex and see if it functions OK?
I realize, that isn't a fix so much as it will help confirm which part is breaking for you.
Thanks!
Changed 3 years ago by artkiver (グレェ)
Attachment: | Portfile.openssh8.9.p1.gsskexfix.diff added |
---|
Portfile diff for OpenSSH 8.9p1 to omit the 8.8p1 patch for the +gsskex variant tested on OS X El Capitan.
comment:8 Changed 3 years ago by artkiver (グレェ)
OK, I attached a diff for the 8.9p1 Portfile which omits the 8.8p1 patch for the gsskex variant to address the issue raised by thetrial (alabay). It seems to function OK on my El Capitan system.
I'll do some additional testing to make sure it also functions on macOS Monterey before submitting another PR. In the meantime, please feel free to use the attached diff and see how it functions on your system.
e.g.
cd /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/openssh sudo patch Portfile Portfile.openssh8.9.p1.gsskexfix.diff sudo port -dv install openssh +gsskex
At least in my tests I get an install without errors and here is the output of ssh -V:
ssh -V OpenSSH_8.9p1, LibreSSL 3.5.0
(Note: your TLS library may default to OpenSSL. I also decided to try testing the libressl-devel port in conjunction with this, which is why the above lists LibreSSL 3.5.0).
comment:9 Changed 3 years ago by artkiver (グレェ)
OK, I have now successfully tested the new diff on macOS Monterey 12.2.1.
ssh -V OpenSSH_8.9p1, LibreSSL 3.5.0
uname -a Darwin enbie132020enuan.local 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan 5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T8101 arm64
I'm going to continue to take the steps to submit a new PR which removes the 8.8p1 patch on the Portfile. Hopefully other tests on other OS versions goes OK (it appears as if MacPorts goes back to at least Leopard, though I would have to hit up my storage unit to dig up a G4 PPC PowerBook to test that far back at the moment which would take me even longer, so I will trust the build automation tools and user feedback).
Thanks again for bringing this issue to my attention! Sorry I didn't catch it initially!
comment:10 Changed 3 years ago by artkiver (グレェ)
OK, new PR submitted as: https://github.com/macports/macports-ports/pull/14191
One note:
When running port test it seems to hang, output as follows:
root@enbie132020enuan openssh # port test ---> Computing dependencies for openssh ---> Fetching distfiles for openssh ---> Verifying checksums for openssh ---> Extracting openssh ---> Applying patches to openssh ---> Configuring openssh Warning: Configuration logfiles contain indications of -Wimplicit-function-declaration; check that features were not accidentally disabled: strchr: found in openssh-8.9p1/config.log ---> Building openssh ---> Testing openssh [ • • • • • • • • • • • • ]
When using control-t to check on the status, here is the output:
load: 1.64 cmd: netcat 52766 waiting 0.00u 0.00s
However, doing some basic testing, it appears as if ssh is functioning OK as a client. I did not do exhaustive testing though, so it is possible I may have missed something else?
I realize, maybe removing some other lines in the Portfile mentioning the gsskex patch from 8.8p1 would also be acceptable, but at least in my tests, this seems to function with OS X El Capitan.
Hopefully this will suffice for now?
Thanks!
comment:11 follow-up: 14 Changed 3 years ago by artkiver (グレェ)
Closed that PR and created a new PR: https://github.com/macports/macports-ports/pull/14192 which also performed:
git rm openssh-8.8p1-gsskex.patch
Under the files subdirectory since that patch should not be needed for 8.9p1.
Hopefully this one is sufficient?
Please let me know of any other issues encountered!
Thanks!
comment:12 Changed 3 years ago by artkiver (グレェ)
Argh, I omitted a git commit after I had issued the git rm command before I made the git push with that last PR.
The *new* PR is: https://github.com/macports/macports-ports/pull/14193
Hopefully that will actually be correct?
Regardless, I should probably stop staring at the screen before I introduce more errors unintentionally.
Nth time is the charm? smdh, it never seems to fail! https://xkcd.com/1597/ (mutters something about how "with features like cheap local branching" still do not come close to real filesystem block level snapshots.)
comment:13 Changed 3 years ago by artkiver (グレェ)
Ah, I should probably make mention somewhere to thank Herby Gillot for bringing to my attention that the patch file under files could be removed as well!
comment:14 follow-up: 16 Changed 3 years ago by thetrial (alabay)
Replying to artkiver:
git rm openssh-8.8p1-gsskex.patchUnder the files subdirectory since that patch should not be needed for 8.9p1.
Is it shure this patch isn’t needed anymore? Of course one can delete the corresponding line in the portfile – but what is the consequence of that patch not being implemented? Why not simply renaming the patch file? Is the content of the patch file irrelevant now?
comment:15 Changed 3 years ago by cooljeanius (Eric Gallager)
Cc: | cooljeanius added |
---|
comment:16 Changed 3 years ago by artkiver (グレェ)
Hi thetrial/ (alabay) I am uncertain if git rm in the PR removes the patch for previous versions? If so, then that seems unwise, but it is my guess that if following instructions such as https://trac.macports.org/wiki/howto/InstallingOlderPort that since it specifies checking out a specific commit, that presumably the 8.8p1 and patch would be made available for users who may still wish to utilize that GSSAPI/gsskex patch with 8.8p1 instead of using 8.9p1?
Alas, I am probably not the right person to attempt to refactor the GSSAPI/gsskex patch at this moment. While I have certainly used OpenSSH with things such as DuoSec tokens, OATH-TOTP (using Google Authenticator tokens), yubico tokens (e.g. the yubico-pam MacPort) and even RSA SecurID tokens (via lib-pam-radius-auth some years ago) and I think Bob Beck's work with utilizing kerberos and OpenBSD for ethernet authentication to provide something not entirely dissimilar to 802.1X port level authentication using libre/free open source software (I think he may have even later iterated that to use authpf?) as cited here: https://cvs.afresh1.com/~andrew/o/events.html#lisa99 I personally, do not have any GSSAPI infrastructure against which I can test even the previous version of the patch.
Moreover, based upon the, IMHO, rather strong cautionary language of why the upstream OpenSSH project, did not merge the https://github.com/openssh-gsskex patches, as well as the fact that they themselves do not appear to have updated their codebase in several months, as well as my general tendency to reduce dependencies and attack surfaces and thus my own personal choice in using the OpenSSH port is to -kerberos5 -gsskex -xauth variants for example, I am probably not really of the general mindset even think that refactoring the previous patch for the current version of OpenSSH is a wise idea without a lot more convincing, and given that my interest in updating the port was predominantly to keep it in alignment with the openssh.com current release, and I am merely a volunteer without commit access, I would encourage you to seek out other guidance since I doubt I will be able to be of much additional assistance given my present circumstances.
If you want to see this patch updated, I would suggest maybe reaching out to individuals who did work on previous iterations might be a better approach, such as found in https://trac.macports.org/ticket/27250 or https://trac.macports.org/ticket/60959 ?
I apologize in advance if that is not a particularly helpful answer, but it is the best I can offer at this moment.
Replying to thetrial:
Replying to artkiver:
git rm openssh-8.8p1-gsskex.patchUnder the files subdirectory since that patch should not be needed for 8.9p1.
Is it shure this patch isn’t needed anymore? Of course one can delete the corresponding line in the portfile – but what is the consequence of that patch not being implemented? Why not simply renaming the patch file? Is the content of the patch file irrelevant now?
comment:17 follow-up: 18 Changed 3 years ago by thetrial (alabay)
Long story short: What is now the situation? A separate ticket? Waiting? Lost and over? I did not understand that quite right and I’m not so deep in it to sort out what to do.
comment:18 Changed 3 years ago by artkiver (グレェ)
Replying to thetrial:
Long story short: What is now the situation? A separate ticket? Waiting? Lost and over? I did not understand that quite right and I’m not so deep in it to sort out what to do.
The situation is presently unchanged.
I am not going to refactor the GSSAPI patch.
It has been rejected by the upstream OpenSSH project for over two decades.
The original GSSAPI patch author, Simon Wilkinson, has also abandoned the patch and http://www.sxw.org.uk/computing/patches/ currently redirects to something entirely unrelated (a stage lighting and design webpage related to his primary field of interest apparently).
While I can and should probably follow Herby's recommended changes in the PR, I think I may also attempt to do some cleanup and remove the deprecated HPN patches from the files subdirectory, since they are also no longer in use by any current variants.
I am not sure who the last port maintainer of OpenSSH was, but clearly the port has been left in a not so great state, my intention is to bring it closer to -current and in alignment with OpenBSD and OpenSSH's upstream branches, not maintain rejected, plausibly insecure patchsets for a limited subset of portable users.
As suggested before, if you want that patchset to be brought up to date with 8.9p1, you are better off seeking out the individuals who originally attempted to maintain that patchset and variant, I will not be of much help.
comment:19 follow-up: 20 Changed 3 years ago by thetrial (alabay)
comment:20 Changed 3 years ago by artkiver (グレェ)
Replying to thetrial:
I just remembered that we had that before: #63598. So I filed this: #64835. Kind of openssh caroussel. I just wonder if I am the only one using this variant.
I couldn't say whether you're the only one using that variant, though presumably others have used it if it was created in the first place?
There was a little bit of discourse on the macports-dev list from my post here, albeit it doesn't appear as if others mentioned much in the way of using that particular variant either: https://lists.macports.org/pipermail/macports-dev/2022-March/044179.html
Since you've filed that ticket. I am going to suggest that it is OK to close this one (which I do not seem to be able to do), as well as the associated PR (which I can do, and should probably should be iterated a bit more with the HPN patches also removed for example by whomever cares to do such things as mentioned in 64835).
comment:21 Changed 3 years ago by artkiver (グレェ)
Owner: | set to artkiver |
---|---|
Resolution: | → fixed |
Status: | new → closed |
diff updating the Portfile from 8.8p1 to 8.9p1