---- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200
-+++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200
-@@ -41,7 +41,9 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.c openssh-8.4p1/servconf.c
+--- openssh-8.4p1.org/servconf.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.c 2021-03-01 11:30:33.634174889 +0100
+@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
/* Portable-specific options */
options->use_pam = -1;
/* Standard Options */
options->num_ports = 0;
options->ports_from_cmdline = 0;
-@@ -112,6 +114,9 @@
+@@ -301,6 +303,9 @@ fill_default_server_options(ServerOption
if (options->use_pam == -1)
options->use_pam = 0;
+ options->use_chroot = 0;
+
/* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
- options->protocol = SSH_PROTO_1|SSH_PROTO_2;
-@@ -245,6 +250,7 @@
+ if (options->num_host_key_files == 0) {
+ /* fill default hostkeys for protocols */
+@@ -502,6 +507,7 @@ typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
sUsePAM,
+ sUseChroot,
/* Standard Options */
- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -278,6 +284,11 @@
+@@ -556,6 +562,11 @@ static struct {
#else
- { "usepam", sUnsupported },
+ { "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
+#ifdef CHROOT
-+ { "usechroot", sUseChroot },
++ { "usechroot", sUseChroot, SSHCFG_GLOBAL },
+#else
-+ { "usechroot", sUnsupported },
++ { "usechroot", sUnsupported, SSHCFG_GLOBAL },
+#endif /* CHROOT */
- { "pamauthenticationviakbdint", sDeprecated },
+ { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
- { "port", sPort },
-@@ -437,6 +448,10 @@
+ { "port", sPort, SSHCFG_GLOBAL },
+@@ -1319,6 +1330,10 @@ process_server_config_line_depth(ServerO
intptr = &options->use_pam;
goto parse_flag;
/* Standard Options */
case sBadOption:
return -1;
---- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
-+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
-@@ -109,6 +109,7 @@
- int max_startups_rate;
- int max_startups;
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.h openssh-8.4p1/servconf.h
+--- openssh-8.4p1.org/servconf.h 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.h 2021-03-01 11:30:33.637508395 +0100
+@@ -178,6 +178,7 @@ typedef struct {
+ int max_authtries;
+ int max_sessions;
char *banner; /* SSH-2 banner message */
+ int use_chroot; /* Enable chrooted enviroment support */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
---- openssh-3.7.1p2/session.c 2003-09-23 10:59:08.000000000 +0200
-+++ openssh-3.7.1p2.pius/session.c 2003-10-07 20:49:08.000000000 +0200
-@@ -1231,6 +1231,10 @@
- void
+diff -urNp -x '*.orig' openssh-8.4p1.org/session.c openssh-8.4p1/session.c
+--- openssh-8.4p1.org/session.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/session.c 2021-03-01 11:30:33.637508395 +0100
+@@ -1367,6 +1367,10 @@ void
do_setusercontext(struct passwd *pw)
{
+ char uidstr[32], *chroot_path, *tmp;
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
- #ifndef HAVE_CYGWIN
- if (getuid() == 0 || geteuid() == 0)
- #endif /* HAVE_CYGWIN */
-@@ -1268,6 +1272,28 @@
- exit(1);
- }
- endgrent();
-+
+
+ platform_setusercontext(pw);
+
+@@ -1409,6 +1413,29 @@ do_setusercontext(struct passwd *pw)
+ free(options.chroot_directory);
+ options.chroot_directory = NULL;
+ in_chroot = 1;
+#ifdef CHROOT
-+ if (options.use_chroot) {
++ } else if (!in_chroot && options.use_chroot) {
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
-+ while((new_root = strchr(new_root, '.')) != NULL) {
++ while ((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
-+ if(strncmp(new_root, "/./", 3) == 0) {
++ if (strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
-+ if(chroot(user_dir) != 0)
-+ fatal("Couldn't chroot to user directory % s", user_dir);
-+ pw->pw_dir = new_root;
-+ break;
-+ }
-+ new_root += 2;
++ if (chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory %s", user_dir);
++ /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
++ free(pw->pw_dir);
++ pw->pw_dir = xstrdup(new_root);
++ in_chroot = 1;
++ break;
++ }
++ new_root += 2;
+ }
-+ }
++ free(user_dir);
+#endif /* CHROOT */
-+
- # ifdef USE_PAM
- /*
- * PAM credentials may take the form of supplementary groups.
---- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
-+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
-@@ -71,6 +71,10 @@
- # bypass the setting of 'PasswordAuthentication'
- #UsePAM yes
+ }
+
+ #ifdef HAVE_LOGIN_CAP
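Review bot: The new branch calls `chroot(user_dir)` at the `if (chroot(user_dir) != 0)` line but never changes directory afterwards, so the process keeps its pre-chroot working directory and is not confined by the new root until some later chdir() succeeds; the stock ChrootDirectory path whose tail (`in_chroot = 1;`) is the context above goes through safely_chroot(), which chdir()s to "/" right after chroot() and refuses a root that is not root-owned or is group/world-writable, and the later chdir to pw->pw_dir in do_child (outside this hunk) only warns on failure as far as I recall. Either route the home-directory case through safely_chroot() as well, or at minimum add `if (chdir("/") == -1) fatal("chdir(\"/\") after chroot to %s: %s", user_dir, strerror(errno));` directly after the chroot() check. Separately, `new_root = user_dir + 1;` skips the first byte unconditionally, so if an empty pw_dir can reach this point strchr() would scan past the terminator; a `*user_dir != '\0'` guard before the loop is cheap. The single-line NOTE comment above `free(pw->pw_dir)` exceeds the file's line width and reads better wrapped over two lines. do_setusercontext() starts before this hunk and continues past it.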
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
+--- openssh-8.4p1.org/sshd_config 2021-03-01 11:30:33.370827964 +0100
++++ openssh-8.4p1/sshd_config 2021-03-01 11:30:33.637508395 +0100
+@@ -85,6 +85,10 @@ GSSAPIAuthentication yes
+ # and ChallengeResponseAuthentication to 'no'.
+ UsePAM yes
+# Set this to 'yes' to enable support for chrooted user environment.
-+# You must create such environment before you can use this feature.
++# You must create such environment before you can use this feature.
+#UseChroot yes
+
- #AllowTcpForwarding yes
- #GatewayPorts no
- #X11Forwarding no
---- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200
-+++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200
-@@ -349,6 +349,16 @@
- CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
- fault is AUTH.
+ #AllowAgentForwarding yes
+ # Security advisory:
+ # http://securitytracker.com/alerts/2004/Sep/1011143.html
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.0 openssh-8.4p1/sshd_config.0
+--- openssh-8.4p1.org/sshd_config.0 2020-09-27 09:42:11.000000000 +0200
++++ openssh-8.4p1/sshd_config.0 2021-03-01 11:30:33.637508395 +0100
+@@ -1011,6 +1011,16 @@ DESCRIPTION
+ TrustedUserCAKeys. For more details on certificates, see the
+ CERTIFICATES section in ssh-keygen(1).
+ UseChroot
+ Specifies whether to use chroot-jail environment with ssh/sftp,
+ For this to work properly you have to create special chroot-jail
+ environment in a /path/to/chroot directory.
+
- UseDNS Specifies whether sshd should lookup the remote host name and
- check that the resolved host name for the remote IP address maps
- back to the very same IP address. The default is ``yes''.
---- openssh-3.7.1p2/sshd_config.5 2003-09-02 14:57:05.000000000 +0200
-+++ openssh-3.7.1p2.pius/sshd_config.5 2003-10-07 20:49:08.000000000 +0200
-@@ -580,6 +580,16 @@
+ UseDNS Specifies whether sshd(8) should look up the remote host name,
+ and to check that the resolved host name for the remote IP
+ address maps back to the very same IP address.
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.5 openssh-8.4p1/sshd_config.5
+--- openssh-8.4p1.org/sshd_config.5 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/sshd_config.5 2021-03-01 11:30:33.637508395 +0100
+@@ -1640,6 +1640,16 @@ Gives the facility code that is used whe
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
- .It Cm UseDNS
- Specifies whether
- .Nm sshd
+ .It Cm TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages to the
+ other side.