Upgrade openssh

Dockerfile

@@ -3,7 +3,7 @@ MAINTAINER Erik Osterman "erik@cloudposse.com"
 
 USER root
 
-ARG OPENSSH_VERSION=V_7_4_P1
+ARG OPENSSH_VERSION=V_7_8_P1
 
 RUN apk --update add linux-pam libssl1.0 shadow ca-certificates openssl && \
     update-ca-certificates && \

patches/openssh/bsd-compatible-realpath.diff

@@ -0,0 +1,197 @@
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index f5c833bf..e2ccf20e 100644
+--- a/openbsd-compat/openbsd-compat.h
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index f5c833bf..e2ccf20e 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -80,17 +80,7 @@ void *reallocarray(void *, size_t, size_t);
+ void *recallocarray(void *, size_t, size_t, size_t);
+ #endif
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
+-/*
+- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
+- * compat version.
+- */
+-# ifdef BROKEN_REALPATH
+-#  define realpath(x, y) _ssh_compat_realpath(x, y)
+-# endif
+-
+-char *realpath(const char *path, char *resolved);
+-#endif
++char *ssh_realpath(const char *path, char *resolved);
+
+ #ifndef HAVE_RRESVPORT_AF
+ int rresvport_af(int *alport, sa_family_t af);
+diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
+index a2f090e5..979e3a8e 100644
+--- a/openbsd-compat/realpath.c
++++ b/openbsd-compat/realpath.c
+@@ -31,7 +31,7 @@
+
+ #include "includes.h"
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
++#if 1
+
+ #include <sys/types.h>
+ #include <sys/param.h>
+@@ -58,7 +58,7 @@
+  * in which case the path which caused trouble is left in (resolved).
+  */
+ char *
+-realpath(const char *path, char *resolved)
++ssh_realpath(const char *path, char *resolved)
+ {
+        struct stat sb;
+        char *p, *q, *s;
+diff --git a/sftp-server.c b/sftp-server.c
+index ab1b063f..2e06b384 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1158,7 +1158,7 @@ process_realpath(u_int32_t id)
+        }
+        debug3("request %u: realpath", id);
+        verbose("realpath \"%s\"", path);
+-       if (realpath(path, resolvedname) == NULL) {
++       if (ssh_realpath(path, resolvedname) == NULL) {
+
+Aliaksandr_Babai@EPBYGROW0276 MINGW64 ~/workspace/openssh-portable (master)
+$ git diff
+diff --git a/configure.ac b/configure.ac
+index 83e53075..80e71183 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2029,7 +2029,7 @@ AC_CHECK_FUNCS([setresgid], [
+        )
+ ])
+
+-AC_CHECK_FUNCS([realpath], [
++AC_CHECK_FUNCS([ssh_realpath], [
+        dnl the sftp v3 spec says SSH_FXP_REALPATH will "canonicalize any given
+        dnl path name", however some implementations of realpath (and some
+        dnl versions of the POSIX spec) do not work on non-existent files,
+@@ -2042,7 +2042,7 @@ AC_CHECK_FUNCS([realpath], [
+ #include <errno.h>
+                ]], [[
+                char buf[PATH_MAX];
+-               if (realpath("/opensshnonexistentfilename1234", buf) == NULL)
++               if (ssh_realpath("/opensshnonexistentfilename1234", buf) == NULL)
+                        if (errno == ENOENT)
+                                exit(1);
+                exit(0);
+diff --git a/misc.c b/misc.c
+index ae4d29b8..edd4226a 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1770,7 +1770,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+        int comparehome = 0;
+        struct stat st;
+
+-       if (realpath(name, buf) == NULL) {
++       if (ssh_realpath(name, buf) == NULL) {
+                snprintf(err, errlen, "realpath %s failed: %s", name,
+                    strerror(errno));
+                return -1;
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index f5c833bf..e2ccf20e 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -80,17 +80,7 @@ void *reallocarray(void *, size_t, size_t);
+ void *recallocarray(void *, size_t, size_t, size_t);
+ #endif
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
+-/*
+- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
+- * compat version.
+- */
+-# ifdef BROKEN_REALPATH
+-#  define realpath(x, y) _ssh_compat_realpath(x, y)
+-# endif
+-
+-char *realpath(const char *path, char *resolved);
+-#endif
++char *ssh_realpath(const char *path, char *resolved);
+
+ #ifndef HAVE_RRESVPORT_AF
+ int rresvport_af(int *alport, sa_family_t af);
+diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
+index a2f090e5..453540a5 100644
+--- a/openbsd-compat/realpath.c
++++ b/openbsd-compat/realpath.c
+@@ -31,7 +31,7 @@
+
+ #include "includes.h"
+
+-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
++#if 1
+
+ #include <sys/types.h>
+ #include <sys/param.h>
+@@ -51,14 +51,14 @@
+ /* A slightly modified copy of this file exists in libexec/ld.so */
+
+ /*
+- * char *realpath(const char *path, char resolved[PATH_MAX]);
++ * char *ssh_realpath(const char *path, char resolved[PATH_MAX]);
+  *
+  * Find the real name of path, by removing all ".", ".." and symlink
+  * components.  Returns (resolved) on success, or (NULL) on failure,
+  * in which case the path which caused trouble is left in (resolved).
+  */
+ char *
+-realpath(const char *path, char *resolved)
++ssh_realpath(const char *path, char *resolved)
+ {
+        struct stat sb;
+        char *p, *q, *s;
+diff --git a/regress/check-perm.c b/regress/check-perm.c
+index dac307d2..eb6a006e 100644
+--- a/regress/check-perm.c
++++ b/regress/check-perm.c
+@@ -99,7 +99,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+        int comparehome = 0;
+        struct stat st;
+
+-       if (realpath(name, buf) == NULL) {
++       if (ssh_realpath(name, buf) == NULL) {
+                snprintf(err, errlen, "realpath %s failed: %s", name,
+                    strerror(errno));
+                return -1;
+diff --git a/sftp-server.c b/sftp-server.c
+index ab1b063f..2e06b384 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1158,7 +1158,7 @@ process_realpath(u_int32_t id)
+        }
+        debug3("request %u: realpath", id);
+        verbose("realpath \"%s\"", path);
+-       if (realpath(path, resolvedname) == NULL) {
++       if (ssh_realpath(path, resolvedname) == NULL) {
+                send_status(id, errno_to_portable(errno));
+        } else {
+                Stat s;
+diff --git a/ssh-agent.c b/ssh-agent.c
+index d8a8260f..6050ff1a 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -585,7 +585,7 @@ process_add_smartcard_key(SocketEntry *e)
+                        goto send;
+                }
+        }
+-       if (realpath(provider, canonical_provider) == NULL) {
++       if (ssh_realpath(provider, canonical_provider) == NULL) {
+                verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+                    provider, strerror(errno));
+                goto send;
+@@ -638,7 +638,7 @@ process_remove_smartcard_key(SocketEntry *e)
+        }
+        free(pin);
+
+-       if (realpath(provider, canonical_provider) == NULL) {
++       if (ssh_realpath(provider, canonical_provider) == NULL) {
+                verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+                    provider, strerror(errno));
+                goto send;

patches/openssh/disable-forwarding-by-default.diff

@@ -0,0 +1,16 @@
+--- openssh-7.7p1/sshd_config.old	2018-04-02 00:38:28.000000000 -0500
++++ openssh-7.7p1/sshd_config	2018-07-29 03:08:16.340000000 -0500
+@@ -82,9 +82,10 @@
+ #UsePAM no
+
+ #AllowAgentForwarding yes
+-#AllowTcpForwarding yes
+-#GatewayPorts no
+-#X11Forwarding no
++# Feel free to re-enable these if your use case requires them.
++AllowTcpForwarding no
++GatewayPorts no
++X11Forwarding no
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes

patches/openssh/obfuscate-version.diff

@@ -1,12 +1,12 @@
 diff --git a/version.h b/version.h
-index 269ebcd..5768131 100644
+index f1bbf00f..502661dc 100644
 --- a/version.h
 +++ b/version.h
 @@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.78 2016/12/19 04:55:51 djm Exp $ */
- 
--#define SSH_VERSION	"OpenSSH_7.4"
-+#define SSH_VERSION	"SERVER"
- 
- #define SSH_PORTABLE	"p1"
- #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+ /* $OpenBSD: version.h,v 1.82 2018/07/03 11:42:12 djm Exp $ */
+
+-#define SSH_VERSION    "OpenSSH_7.8"
++#define SSH_VERSION    "SERVER"
+
+ #define SSH_PORTABLE   "p1"
+ #define SSH_RELEASE    SSH_VERSION SSH_PORTABLE