[alpine-aports] [PATCH] main/openssh: upgrade to 7.6_p1

Message ID
<20171223164949.16984-1-sir@cmpwn.com>
Sender timestamp
1514047789
DKIM signature
missing
Patch: +4 -908
---
 main/openssh/APKBUILD                    |  23 +-
 main/openssh/CVE-2017-15906.patch        |  31 --
 main/openssh/openssh-7.5p1-sandbox.patch |  23 -
 main/openssh/openssh7.4-dynwindows.patch | 835 -------------------------------
 4 files changed, 4 insertions(+), 908 deletions(-)
 delete mode 100644 main/openssh/CVE-2017-15906.patch
 delete mode 100644 main/openssh/openssh-7.5p1-sandbox.patch
 delete mode 100644 main/openssh/openssh7.4-dynwindows.patch

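diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index bffda04bba..7b66dfd009 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,9 +2,9 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openssh
-pkgver=7.5_p1
+pkgver=7.6_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=8
+pkgrel=0
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -31,24 +31,12 @@ done
 
 source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
 	openssh7.4-peaktput.patch
-	openssh7.4-dynwindows.patch
 	fix-utmp.patch
 	bsd-compatible-realpath.patch
 	sshd.initd
 	sshd.confd
 	sftp-interactive.patch
-	openssh-7.5p1-sandbox.patch
-	CVE-2017-15906.patch
 	"
-# secfixes:
-#   7.5_p1-r0:
-#     - CVE-2017-15906
-#   7.5_p1-r8:
-#     - CVE-2016-10009
-#     - CVE-2016-10010
-#     - CVE-2016-10011
-#     - CVE-2016-10012
-
 # HPN patches are from: http://hpnssh.sourceforge.net/
 
 builddir="$srcdir"/$pkgname-$_myver
@@ -197,13 +185,10 @@ _pkg_flavour() {
 	done
 }
 
-sha512sums="58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81  openssh-7.5p1.tar.gz
+sha512sums="de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72  openssh-7.6p1.tar.gz
 398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6  openssh7.4-peaktput.patch
-b9d736eae9b43de91fa3eb277ba8abc6290a8436b0fb00ae3b0f1b2eabba9983e4d2a1e3c68f5514247d0a3f120037f0795fd88fbf302aabd2d1b54a325a04ee  openssh7.4-dynwindows.patch
 f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1  fix-utmp.patch
 f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73  bsd-compatible-realpath.patch
 394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f  sshd.initd
 ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4  sshd.confd
-c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
-15c5478bcae56c019a2fbd82ec04808537fd4ba1f1ba4a0a88c0343c16c698c45dbfac59eebc3fcfd3c15b302ebec43e60ffa02442a6c77673b14818ad3f7b60  openssh-7.5p1-sandbox.patch
-e064acdb9b9990ac3e997b0110051150a0e0e86a128228d400707815957cb6414ae167c8992da049ee81f315ef19d0ba4d6f55aef197b1fa16fc7ebb8596d320  CVE-2017-15906.patch"
+c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch"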
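Review bot: The `# secfixes:` comment block is deleted outright in the second hunk, so the APKBUILD no longer records which package revisions fixed CVE-2017-15906 and CVE-2016-10009 through CVE-2016-10012. That block is the package's security-fix history and presumably feeds whatever tooling reads it, so it should survive the version bump even though `CVE-2017-15906.patch` itself is dropped; keep the existing entries and only add to them. Dropping the local patch is safe only if the 7.6p1 tarball already contains the `process_open` read-only check that the patch added, which is worth confirming against the upstream source before merging. The `source=` URL in the same hunk is still plain `http://`, so the new `sha512sums` line for `openssh-7.6p1.tar.gz` is the only integrity check on the tarball and should be compared with the upstream-signed release.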
diff --git a/main/openssh/CVE-2017-15906.patch b/main/openssh/CVE-2017-15906.patch
deleted file mode 100644
index a80047d49d..0000000000
--- a/main/openssh/CVE-2017-15906.patch
@@ -1,31 +0,0 @@
From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 4 Apr 2017 00:24:56 +0000
Subject: [PATCH] disallow creation (of empty files) in read-only mode;
 reported by Michal Zalewski, feedback & ok deraadt@

---
 usr.bin/ssh/sftp-server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sftp-server.c b/sftp-server.c
index 2510d234a3a..42249ebd60d 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
  *
@@ -683,8 +683,8 @@ process_open(u_int32_t id)
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
-	    ((flags & O_ACCMODE) == O_WRONLY ||
-	    (flags & O_ACCMODE) == O_RDWR)) {
+	    ((flags & O_ACCMODE) != O_RDONLY ||
+	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
 		verbose("Refusing open request in read-only mode");
 		status = SSH2_FX_PERMISSION_DENIED;
 	} else {
diff --git a/main/openssh/openssh-7.5p1-sandbox.patch b/main/openssh/openssh-7.5p1-sandbox.patch
deleted file mode 100644
index 7d09632c8f..0000000000
--- a/main/openssh/openssh-7.5p1-sandbox.patch
@@ -1,23 +0,0 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 3a1aedce72c2..a8d472a63ccb 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -50,6 +50,9 @@
 #include <elf.h>
 
 #include <asm/unistd.h>
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
 
 #include <errno.h>
 #include <signal.h>
@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
 	 * x86-64 syscall under some circumstances, e.g.
 	 * https://bugs.debian.org/849923
 	 */
-	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+	SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
 #endif
 
 	/* Default deny */
diff --git a/main/openssh/openssh7.4-dynwindows.patch b/main/openssh/openssh7.4-dynwindows.patch
deleted file mode 100644
index 45c42159ea..0000000000
--- a/main/openssh/openssh7.4-dynwindows.patch
@@ -1,835 +0,0 @@
--- a/buffer.h
+++ b/buffer.h
@@ -16,6 +16,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* move the following to a more appropriate place and name */
+#define BUFFER_MAX_LEN_HPN          0x4000000  /* 64MB */
+
 /* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
 
 #ifndef BUFFER_H
--- a/channels.c
+++ b/channels.c
@@ -191,8 +191,14 @@
 static int connect_next(struct channel_connect *);
 static void channel_connect_ctx_free(struct channel_connect *);
 
+
+static int hpn_disabled = 0;
+static int hpn_buffer_size = 2 * 1024 * 1024;
+
 /* -- channel core */
 
+
+
 Channel *
 channel_by_id(int id)
 {
@@ -356,6 +362,7 @@
 	c->local_window_max = window;
 	c->local_consumed = 0;
 	c->local_maxpacket = maxpack;
+	c->dynamic_window = 0;
 	c->remote_id = -1;
 	c->remote_name = xstrdup(remote_name);
 	c->remote_window = 0;
@@ -904,11 +911,35 @@
 		FD_SET(c->sock, writeset);
 }
 
+int channel_tcpwinsz () {
+        u_int32_t tcpwinsz = 0;
+        socklen_t optsz = sizeof(tcpwinsz);
+	int ret = -1;
+
+	/* if we aren't on a socket return 128KB*/
+	if(!packet_connection_is_on_socket())
+	    return(128*1024);
+	ret = getsockopt(packet_get_connection_in(),
+			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+	/* return no more than 64MB */
+	if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN)
+	    tcpwinsz = BUFFER_MAX_LEN_HPN;
+	debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
+	       packet_get_connection_in());
+	return(tcpwinsz);
+}
+
 static void
 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 
+	/* check buffer limits */
+	if ((!c->tcpwinsz) || (c->dynamic_window > 0))
+		c->tcpwinsz = channel_tcpwinsz();
+
+	limit = MIN(limit, 2 * c->tcpwinsz);
+
 	if (c->istate == CHAN_INPUT_OPEN &&
 	    limit > 0 &&
 	    buffer_len(&c->input) < limit &&
@@ -1926,14 +1957,21 @@
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
+		u_int addition = 0;
+		/* adjust max window size if we are in a dynamic environment */
+		if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
+			/* grow the window somewhat aggressively to maintain pressure */
+			addition = 1.5*(c->tcpwinsz - c->local_window_max);
+			c->local_window_max += addition;
+		}
 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
 		packet_put_int(c->remote_id);
-		packet_put_int(c->local_consumed);
+		packet_put_int(c->local_consumed + addition);
 		packet_send();
 		debug2("channel %d: window %d sent adjust %d",
 		    c->self, c->local_window,
 		    c->local_consumed);
-		c->local_window += c->local_consumed;
+		c->local_window += c->local_consumed + addition;
 		c->local_consumed = 0;
 	}
 	return 1;
@@ -3179,6 +3217,15 @@
 	return addr;
 }
 
+
+void
+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
+{
+	hpn_disabled = external_hpn_disabled;
+	hpn_buffer_size = external_hpn_buffer_size;
+	debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
+}
+
 static int
 channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
@@ -3307,9 +3354,15 @@
 		}
 
 		/* Allocate a channel number for the socket. */
+		/* explicitly test for hpn disabled option. if true use smaller window size */
+		if (hpn_disabled)
 		c = channel_new("port listener", type, sock, sock, -1,
 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 		    0, "port listener", 1);
+ 		else
+ 			c = channel_new("port listener", type, sock, sock, -1,
+ 			  hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+ 			  0, "port listener", 1);
 		c->path = xstrdup(host);
 		c->host_port = fwd->connect_port;
 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -4313,10 +4366,17 @@
 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 	for (n = 0; n < num_socks; n++) {
 		sock = socks[n];
+		/* Is this really necassary? */
+		if (hpn_disabled)
 		nc = channel_new("x11 listener",
 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
 		    0, "X11 inet listener", 1);
+		else
+			nc = channel_new("x11 listener",
+			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
+			    0, "X11 inet listener", 1);
 		nc->single_connection = single_connection;
 		(*chanids)[n] = nc->self;
 	}
--- a/channels.h
+++ b/channels.h
@@ -135,8 +135,10 @@
 	u_int	local_window_max;
 	u_int	local_consumed;
 	u_int	local_maxpacket;
+	int	dynamic_window;
 	int     extended_usage;
 	int	single_connection;
+	u_int	tcpwinsz;
 
 	char   *ctype;		/* type */
 
@@ -173,8 +175,10 @@
 /* default window/packet sizes for tcp/x11-fwd-channel */
 #define CHAN_SES_PACKET_DEFAULT	(32*1024)
 #define CHAN_SES_WINDOW_DEFAULT	(64*CHAN_SES_PACKET_DEFAULT)
+
 #define CHAN_TCP_PACKET_DEFAULT	(32*1024)
 #define CHAN_TCP_WINDOW_DEFAULT	(64*CHAN_TCP_PACKET_DEFAULT)
+
 #define CHAN_X11_PACKET_DEFAULT	(16*1024)
 #define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
 
@@ -318,5 +322,8 @@
 void	 chan_rcvd_ieof(Channel *);
 void	 chan_write_failed(Channel *);
 void	 chan_obuf_empty(Channel *);
+
+/* hpn handler */
+void     channel_set_hpn(int, int);
 
 #endif
--- a/clientloop.c
+++ b/clientloop.c
@@ -1990,9 +1990,15 @@
 	sock = x11_connect_display();
 	if (sock < 0)
 		return NULL;
+	/* again is this really necessary for X11? */
+	if (options.hpn_disabled)
 	c = channel_new("x11",
 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+	else
+		c = channel_new("x11",
+		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+		    options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 	c->force_drain = 1;
 	return c;
 }
@@ -2015,10 +2021,16 @@
 			    __func__, ssh_err(r));
 		return NULL;
 	}
+	if (options.hpn_disabled)
 	c = channel_new("authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
-	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
 	    "authentication agent connection", 1);
+	else
+	c = channel_new("authentication agent connection",
+	    SSH_CHANNEL_OPEN, sock, sock, -1,
+	    options.hpn_buffer_size, options.hpn_buffer_size, 0,
+ 	    "authentication agent connection", 1);
 	c->force_drain = 1;
 	return c;
 }
@@ -2045,9 +2057,17 @@
 		return -1;
 	}
 
+	if(options.hpn_disabled)
 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+				CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+				0, "tun", 1);
+	else
+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+				options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+				0, "tun", 1);
 	c->datagram = 1;
+
+
 
 #if defined(SSH_TUN_FILTER)
 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
--- a/compat.c
+++ b/compat.c
@@ -40,7 +40,7 @@
 
 int compat13 = 0;
 int compat20 = 0;
-int datafellows = 0;
+unsigned int datafellows = 0;
 
 void
 enable_compat20(void)
@@ -63,7 +63,7 @@ compat_datafellows(const char *version)
 	int i;
 	static struct {
 		char	*pat;
-		int	bugs;
+		unsigned int	bugs;
 	} check[] = {
 		{ "OpenSSH-2.0*,"
 		  "OpenSSH-2.1*,"
@@ -210,6 +210,12 @@ compat_datafellows(const char *version)
 			debug("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, check[i].bugs);
 			datafellows = check[i].bugs;	/* XXX for now */
+			/* Check to see if the remote side is OpenSSH and not HPN */
+			if (strstr(version,"OpenSSH") != NULL &&
+			    strstr(version,"hpn") == NULL) {
+				datafellows |= SSH_BUG_LARGEWINDOW;
+				debug("Remote is NON-HPN aware");
+			}
 			return check[i].bugs;
 		}
 	}
diff --git a/compat.h b/compat.h
index 2be290a..453c85e 100644
--- a/compat.h
+++ b/compat.h
@@ -62,6 +62,7 @@
 #define SSH_BUG_CURVE25519PAD	0x10000000
 #define SSH_BUG_HOSTKEYS	0x20000000
 #define SSH_BUG_DHGEX_LARGE	0x40000000
+#define SSH_BUG_LARGEWINDOW     0x80000000
 
 void     enable_compat13(void);
 void     enable_compat20(void);
@@ -73,5 +74,5 @@ char	*compat_kex_proposal(char *);
 
 extern int compat13;
 extern int compat20;
-extern int datafellows;
+extern unsigned int datafellows;
 #endif
--- a/readconf.c
+++ b/readconf.c
@@ -154,6 +154,7 @@
 	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
 	oPubkeyAuthentication,
+	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
@@ -297,6 +298,11 @@
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
 
+	{ "tcprcvbufpoll", oTcpRcvBufPoll },
+	{ "tcprcvbuf", oTcpRcvBuf },
+	{ "hpndisabled", oHPNDisabled },
+	{ "hpnbuffersize", oHPNBufferSize },
+
 	{ NULL, oBadOption }
 };
 
@@ -973,6 +979,18 @@
 		intptr = &options->check_host_ip;
 		goto parse_flag;
 
+	case oHPNDisabled:
+		intptr = &options->hpn_disabled;
+		goto parse_flag;
+
+	case oHPNBufferSize:
+		intptr = &options->hpn_buffer_size;
+		goto parse_int;
+
+	case oTcpRcvBufPoll:
+		intptr = &options->tcp_rcv_buf_poll;
+		goto parse_flag;
+
 	case oVerifyHostKeyDNS:
 		intptr = &options->verify_host_key_dns;
 		multistate_ptr = multistate_yesnoask;
@@ -1165,6 +1183,10 @@
 		intptr = &options->connection_attempts;
 		goto parse_int;
 
+	case oTcpRcvBuf:
+		intptr = &options->tcp_rcv_buf;
+		goto parse_int;
+
 	case oCipher:
 		intptr = &options->cipher;
 		arg = strdelim(&s);
@@ -1845,6 +1867,10 @@
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->request_tty = -1;
+	options->hpn_disabled = -1;
+	options->hpn_buffer_size = -1;
+	options->tcp_rcv_buf_poll = -1;
+	options->tcp_rcv_buf = -1;
 	options->proxy_use_fdpass = -1;
 	options->ignored_unknown = NULL;
 	options->num_canonical_domains = 0;
@@ -2008,6 +2034,28 @@
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
+	if (options->hpn_disabled == -1)
+	        options->hpn_disabled = 0;
+	if (options->hpn_buffer_size > -1)
+	{
+	  /* if a user tries to set the size to 0 set it to 1KB */
+		if (options->hpn_buffer_size == 0)
+		options->hpn_buffer_size = 1;
+		/*limit the buffer to 64MB*/
+		if (options->hpn_buffer_size > 64*1024)
+		{
+			options->hpn_buffer_size = 64*1024*1024;
+			debug("User requested buffer larger than 64MB. Request reverted to 64MB");
+		}
+		else options->hpn_buffer_size *= 1024;
+		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
+	}
+	if (options->tcp_rcv_buf == 0)
+		options->tcp_rcv_buf = 1;
+	if (options->tcp_rcv_buf > -1)
+		options->tcp_rcv_buf *=1024;
+	if (options->tcp_rcv_buf_poll == -1)
+		options->tcp_rcv_buf_poll = 1;
 	if (options->control_master == -1)
 		options->control_master = 0;
 	if (options->control_persist == -1) {
--- a/readconf.h
+++ b/readconf.h
@@ -57,6 +57,10 @@ typedef struct {
 	int     compression_level;	/* Compression level 1 (fast) to 9
 					 * (best). */
 	int     tcp_keep_alive;	/* Set SO_KEEPALIVE. */
+	int     tcp_rcv_buf; /* user switch to set tcp recv buffer */
+	int     tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
+	int     hpn_disabled;    /* Switch to disable HPN buffer management */
+	int     hpn_buffer_size; /* User definable size for HPN buffer window */
 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
 	LogLevel log_level;	/* Level for logging. */
--- a/scp.c
+++ b/scp.c
@@ -763,7 +763,7 @@
 	off_t i, statbytes;
 	size_t amt, nr;
 	int fd = -1, haderr, indx;
-	char *last, *name, buf[2048], encname[PATH_MAX];
+	char *last, *name, buf[16384], encname[PATH_MAX];
 	int len;
 
 	for (indx = 0; indx < argc; ++indx) {
@@ -931,7 +931,7 @@
 	off_t size, statbytes;
 	unsigned long long ull;
 	int setimes, targisdir, wrerrno = 0;
-	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
 	struct timeval tv[2];
 
 #define	atime	tv[0]
--- a/servconf.c
+++ b/servconf.c
@@ -159,6 +159,9 @@
 	options->authorized_principals_file = NULL;
 	options->authorized_principals_command = NULL;
 	options->authorized_principals_command_user = NULL;
+	options->tcp_rcv_buf_poll = -1;
+	options->hpn_disabled = -1;
+	options->hpn_buffer_size = -1;
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
@@ -190,6 +193,7 @@
 void
 fill_default_server_options(ServerOptions *options)
 {
+	int sock, socksize, socksizelen = sizeof(int);
 	int i;
 
 	/* Portable-specific options */
@@ -319,6 +323,41 @@
 	}
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
+       if (options->hpn_disabled == -1)
+               options->hpn_disabled = 0;
+
+       if (options->hpn_buffer_size == -1) {
+		/* option not explicitly set. Now we have to figure out */
+		/* what value to use */
+		if (options->hpn_disabled == 1) {
+			options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+		} else {
+			/* get the current RCV size and set it to that */
+			/*create a socket but don't connect it */
+			/* we use that the get the rcv socket size */
+			sock = socket(AF_INET, SOCK_STREAM, 0);
+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+			close(sock);
+			options->hpn_buffer_size = socksize;
+			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
+		}
+	} else {
+		/* we have to do this incase the user sets both values in a contradictory */
+		/* manner. hpn_disabled overrrides hpn_buffer_size*/
+		if (options->hpn_disabled <= 0) {
+			if (options->hpn_buffer_size == 0)
+				options->hpn_buffer_size = 1;
+			/* limit the maximum buffer to 64MB */
+			if (options->hpn_buffer_size > 64*1024) {
+				options->hpn_buffer_size = 64*1024*1024;
+			} else {
+				options->hpn_buffer_size *= 1024;
+			}
+		} else
+			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+	}
+
 	if (options->ip_qos_interactive == -1)
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
@@ -413,6 +452,7 @@
 	sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
+	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
@@ -548,6 +588,9 @@
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
+	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
+	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@@ -587,6 +630,7 @@
 
 	for (i = 0; keywords[i].name; i++)
 		if (strcasecmp(cp, keywords[i].name) == 0) {
+			debug ("Config token is %s", keywords[i].name);
 			*flags = keywords[i].flags;
 			return keywords[i].opcode;
 		}
@@ -1148,6 +1192,19 @@
 		if (*activep && *intptr == -1)
 			*intptr = value;
 		break;
+
+
+	case sTcpRcvBufPoll:
+		intptr = &options->tcp_rcv_buf_poll;
+		goto parse_flag;
+
+	case sHPNDisabled:
+		intptr = &options->hpn_disabled;
+		goto parse_flag;
+
+	case sHPNBufferSize:
+		intptr = &options->hpn_buffer_size;
+		goto parse_int;
 
 	case sIgnoreUserKnownHosts:
 		intptr = &options->ignore_user_known_hosts;
--- a/servconf.h
+++ b/servconf.h
@@ -166,6 +166,9 @@
 	char   *adm_forced_command;
 
 	int	use_pam;		/* Enable auth via PAM */
+        int     tcp_rcv_buf_poll;       /* poll tcp rcv window in autotuning kernels*/
+	int	hpn_disabled;		/* disable hpn functionality. false by default */
+	int	hpn_buffer_size;	/* set the hpn buffer size - default 3MB */
 
 	int	permit_tun;
 
--- a/serverloop.c
+++ b/serverloop.c
@@ -526,8 +526,12 @@
 	sock = tun_open(tun, mode);
 	if (sock < 0)
 		goto done;
+	if (options.hpn_disabled)
 	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+	else
+		c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
 #if defined(SSH_TUN_FILTER)
 	if (mode == SSH_TUNMODE_POINTOPOINT)
@@ -563,6 +567,8 @@
 	c = channel_new("session", SSH_CHANNEL_LARVAL,
 	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
 	    0, "server-session", 1);
+	if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
+		c->dynamic_window = 1;
 	if (session_open(the_authctxt, c->self) != 1) {
 		debug("session open failed, free channel %d", c->self);
 		channel_free(c);
--- a/session.c
+++ b/session.c
@@ -220,6 +220,7 @@
 		goto authsock_err;
 
 	/* Allocate a channel for the authentication agent socket. */
+	/* this shouldn't matter if its hpn or not - cjr */
 	nc = channel_new("auth socket",
 	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
@@ -2121,10 +2122,16 @@
 	 */
 	if (s->chanid == -1)
 		fatal("no channel for session %d", s->self);
+	if (options.hpn_disabled)
 	channel_set_fds(s->chanid,
 	    fdout, fdin, fderr,
 	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 	    1, is_tty, CHAN_SES_WINDOW_DEFAULT);
+	else
+		channel_set_fds(s->chanid,
+		    fdout, fdin, fderr,
+		    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+		    1, is_tty, options.hpn_buffer_size);
 }
 
 /*
--- a/sftp.1
+++ b/sftp.1
@@ -266,7 +266,8 @@
 Specify how many requests may be outstanding at any one time.
 Increasing this may slightly improve file transfer speed
 but will increase memory usage.
-The default is 64 outstanding requests.
+The default is 256 outstanding requests providing for 8MB
+of outstanding data with a 32KB buffer.
 .It Fl r
 Recursively copy entire directories when uploading and downloading.
 Note that
--- a/sftp.c
+++ b/sftp.c
@@ -72,7 +72,7 @@
 #include "sftp-client.h"
 
 #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
-#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
 
 /* File to read commands from */
 FILE* infile;
--- a/ssh.c
+++ b/ssh.c
@@ -1910,6 +1910,9 @@
 {
 	Channel *c;
 	int window, packetmax, in, out, err;
+	int sock;
+	int socksize;
+	int socksizelen = sizeof(int);
 
 	if (stdin_null_flag) {
 		in = open(_PATH_DEVNULL, O_RDONLY);
@@ -1930,9 +1933,74 @@
 	if (!isatty(err))
 		set_nonblock(err);
 
-	window = CHAN_SES_WINDOW_DEFAULT;
+	/* we need to check to see if what they want to do about buffer */
+	/* sizes here. In a hpn to nonhpn connection we want to limit */
+	/* the window size to something reasonable in case the far side */
+	/* has the large window bug. In hpn to hpn connection we want to */
+	/* use the max window size but allow the user to override it */
+	/* lastly if they disabled hpn then use the ssh std window size */
+
+	/* so why don't we just do a getsockopt() here and set the */
+	/* ssh window to that? In the case of a autotuning receive */
+	/* window the window would get stuck at the initial buffer */
+	/* size generally less than 96k. Therefore we need to set the */
+	/* maximum ssh window size to the maximum hpn buffer size */
+	/* unless the user has specifically set the tcprcvbufpoll */
+	/* to no. In which case we *can* just set the window to the */
+	/* minimum of the hpn buffer size and tcp receive buffer size */
+
+	if (tty_flag)
+		options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+	else
+		options.hpn_buffer_size = 2*1024*1024;
+
+	if (datafellows & SSH_BUG_LARGEWINDOW)
+	{
+		debug("HPN to Non-HPN Connection");
+	}
+	else
+	{
+		if (options.tcp_rcv_buf_poll <= 0)
+		{
+			sock = socket(AF_INET, SOCK_STREAM, 0);
+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+			close(sock);
+			debug("socksize %d", socksize);
+			options.hpn_buffer_size = socksize;
+			debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
+		}
+		else
+		{
+			if (options.tcp_rcv_buf > 0)
+			{
+				/*create a socket but don't connect it */
+				/* we use that the get the rcv socket size */
+				sock = socket(AF_INET, SOCK_STREAM, 0);
+				/* if they are using the tcp_rcv_buf option */
+				/* attempt to set the buffer size to that */
+				if (options.tcp_rcv_buf)
+					setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (void *)&options.tcp_rcv_buf,
+						   sizeof(options.tcp_rcv_buf));
+				getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+					   &socksize, &socksizelen);
+				close(sock);
+				debug("socksize %d", socksize);
+				options.hpn_buffer_size = socksize;
+				debug ("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
+			}
+ 		}
+	}
+
+	debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
+
+	window = options.hpn_buffer_size;
+
+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
+
 	packetmax = CHAN_SES_PACKET_DEFAULT;
 	if (tty_flag) {
+		window = 4*CHAN_SES_PACKET_DEFAULT;
 		window >>= 1;
 		packetmax >>= 1;
 	}
@@ -1941,6 +2009,10 @@
 	    window, packetmax, CHAN_EXTENDED_WRITE,
 	    "client-session", /*nonblock*/0);
 
+	if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
+		c->dynamic_window = 1;
+		debug ("Enabled Dynamic Window Scaling");
+	}
 	debug3("ssh_session2_open: channel_new: %d", c->self);
 
 	channel_send_open(c->self);
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -267,6 +267,31 @@
 }
 
 /*
+ * Set TCP receive buffer if requested.
+ * Note: tuning needs to happen after the socket is
+ * created but before the connection happens
+ * so winscale is negotiated properly -cjr
+ */
+static void
+ssh_set_socket_recvbuf(int sock)
+{
+	void *buf = (void *)&options.tcp_rcv_buf;
+	int sz = sizeof(options.tcp_rcv_buf);
+	int socksize;
+	int socksizelen = sizeof(int);
+
+	debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
+	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
+	  getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
+	  debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
+	}
+	else
+		error("Couldn't set socket receive buffer to %d: %.100s",
+		    options.tcp_rcv_buf, strerror(errno));
+}
+
+
+/*
  * Creates a (possibly privileged) socket for use as the ssh connection.
  */
 static int
@@ -282,6 +307,9 @@
 	}
 	fcntl(sock, F_SETFD, FD_CLOEXEC);
 
+	if (options.tcp_rcv_buf > 0)
+		ssh_set_socket_recvbuf(sock);
+
 	/* Bind the socket to an alternative local IP address */
 	if (options.bind_address == NULL && !privileged)
 		return sock;
@@ -526,10 +554,10 @@
 	/* Send our own protocol version identification. */
 	if (compat20) {
 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
 	} else {
 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
-		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+		    PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
 	}
 	if (atomicio(vwrite, connection_out, client_version_string,
 	    strlen(client_version_string)) != strlen(client_version_string))
--- a/sshd.c
+++ b/sshd.c
@@ -1020,6 +1020,8 @@
 	int ret, listen_sock, on = 1;
 	struct addrinfo *ai;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	int socksize;
+	int socksizelen = sizeof(int);
 
 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -1060,6 +1062,11 @@
 
 		debug("Bind to port %s on %s.", strport, ntop);
 
+		getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+		debug("Server TCP RWIN socket size: %d", socksize);
+		debug("HPN Buffer Size: %d", options.hpn_buffer_size);
+
 		/* Bind the socket to the desired port. */
 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
 			error("Bind to port %s on %s failed: %.200s.",
@@ -1977,6 +1984,9 @@
 	verbose("Connection from %s port %d on %s port %d",
 	    remote_ip, remote_port, laddr,  ssh_local_port(ssh));
 	free(laddr);
+
+	/* set the HPN options for the child */
+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
 
 	/*
 	 * We don't want to listen forever unless the other side
--- a/sshd_config
+++ b/sshd_config
@@ -99,7 +99,7 @@
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
@@ -109,7 +109,18 @@
 #Banner none
 
 # override default of no subsystems
-Subsystem	sftp	/usr/libexec/sftp-server
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+ 
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
--- a/version.h
+++ b/version.h
@@ -3,4 +3,5 @@
 #define SSH_VERSION	"OpenSSH_7.4"
 
 #define SSH_PORTABLE	"p1"
-#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+#define SSH_HPN		"-hpn14v4"
+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
-- 
2.15.0



---
Message ID
<20171225145733.GB2967@cirno.my.domain>
In-Reply-To
<20171225145410.4885e60f@ncopa-desktop.copa.dup.pw> (view parent)
Sender timestamp
1514213854
DKIM signature
missing
On 2017-12-25 , Natanael Copa wrote:
> I don't think that we want remove the dynwindows patch, which
> significantly improves scp performance.

After further investigation, I understand the purpose of these patches
better, and I disagree with their inclusion. For one, it would block
releasing openssh 7.6_p1, as the patches have not been ported forward.
However, I question their inclusion at all - why are we pulling along a
huge patchset in a core (and security sensitive) package that upstream
has been refusing for years?

--
Drew DeVault


---
Natanael Copa <ncopa@alpinelinux.org>
Message ID
<20171225145410.4885e60f@ncopa-desktop.copa.dup.pw>
In-Reply-To
<20171223164949.16984-1-sir@cmpwn.com> (view parent)
Sender timestamp
1514210050
DKIM signature
missing
On Sat, 23 Dec 2017 08:49:49 -0800
Drew DeVault <sir@cmpwn.com> wrote:

> ---
>  main/openssh/APKBUILD                    |  23 +-
>  main/openssh/CVE-2017-15906.patch        |  31 --
>  main/openssh/openssh-7.5p1-sandbox.patch |  23 -
>  main/openssh/openssh7.4-dynwindows.patch | 835 -------------------------------
>  4 files changed, 4 insertions(+), 908 deletions(-)
>  delete mode 100644 main/openssh/CVE-2017-15906.patch
>  delete mode 100644 main/openssh/openssh-7.5p1-sandbox.patch
>  delete mode 100644 main/openssh/openssh7.4-dynwindows.patch
> 
> diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
> index bffda04bba..7b66dfd009 100644
> --- a/main/openssh/APKBUILD
> +++ b/main/openssh/APKBUILD
> @@ -2,9 +2,9 @@
>  # Contributor: Valery Kartel <valery.kartel@gmail.com>
>  # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
>  pkgname=openssh
> -pkgver=7.5_p1
> +pkgver=7.6_p1
>  _myver=${pkgver%_*}${pkgver#*_}
> -pkgrel=8
> +pkgrel=0
>  pkgdesc="Port of OpenBSD's free SSH release"
>  url="http://www.openssh.org/portable.html"
>  arch="all"
> @@ -31,24 +31,12 @@ done
>  
>  source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
>  	openssh7.4-peaktput.patch
> -	openssh7.4-dynwindows.patch

I don't think that we want to remove the dynwindows patch, which
significantly improves scp performance.

-nc


---
Message ID
<20171227021831.GB3081@cirno.my.domain>
In-Reply-To
<20171225145733.GB2967@cirno.my.domain> (view parent)
Sender timestamp
1514341112
DKIM signature
missing
On 2017-12-25 , Drew DeVault wrote:
> On 2017-12-25 , Natanael Copa wrote:
> > I don't think that we want remove the dynwindows patch, which
> > significantly improves scp performance.
> 
> After further investigation, I understand the purpose of these patches
> better, and I disagree with their inclusion. For one, it would block
> releasing openssh 7.6_p1, as the patches have not been ported forward.
> However, I question their inclusion at all - why are we pulling along a
> huge patchset in a core (and security sensitive) package that upstream
> has been refusing for years?

I came across this article today supporting my point, albeit for FreeBSD:

https://vez.mrsk.me/freebsd-defaults.txt

It doesn't seem that it's even necessary for good performance on scp
these days. Holding back OpenSSH so we have time to backport
highly questionable patches is a really bad idea. Please consider
merging my patch to remove it from the package and upgrade OpenSSH -
though initially a mistake, this is now intentional.


---
Message ID
<20171228151128.GA1541@homura>
In-Reply-To
<20171228135652.4043e83d@ncopa-desktop.copa.dup.pw> (view parent)
Sender timestamp
1514473888
DKIM signature
missing
On 2017-12-28  1:56 PM, Natanael Copa wrote:
> I think you are right. Lets drop HPN in edge and see what happens.

Cheers, thanks!


---
Natanael Copa <ncopa@alpinelinux.org>
Message ID
<20171228135652.4043e83d@ncopa-desktop.copa.dup.pw>
In-Reply-To
<20171227021831.GB3081@cirno.my.domain> (view parent)
Sender timestamp
1514465812
DKIM signature
missing
On Tue, 26 Dec 2017 20:18:32 -0600
Drew DeVault <sir@cmpwn.com> wrote:

> On 2017-12-25 , Drew DeVault wrote:
> > On 2017-12-25 , Natanael Copa wrote:  
> > > I don't think that we want remove the dynwindows patch, which
> > > significantly improves scp performance.  
> > 
> > After further investigation, I understand the purpose of these patches
> > better, and I disagree with their inclusion. For one, it would block
> > releasing openssh 7.6_p1, as the patches have not been ported forward.
> > However, I question their inclusion at all - why are we pulling along a
> > huge patchset in a core (and security sensitive) package that upstream
> > has been refusing for years?  
> 
> I came across this article today supporting my point, albeit for FreeBSD:
> 
> https://vez.mrsk.me/freebsd-defaults.txt
> 
> It doesn't seem that it's even necessary for good performance on scp
> these days. Holding back OpenSSH so we have time to backport
> highly questionable patches is a really bad idea. Please consider
> merging my patch to remove it from the package and upgrade OpenSSH -
> though initially a mistake, this is now intentional.
> 

I think you are right. Let's drop HPN in edge and see what happens.

-nc

