diff options
Diffstat (limited to 'net-misc/openssh')
29 files changed, 2735 insertions, 0 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest new file mode 100644 index 000000000000..7daff628968e --- /dev/null +++ b/net-misc/openssh/Manifest @@ -0,0 +1,15 @@ +DIST openssh-6.7_p1-sctp.patch.xz 7408 SHA256 b33e82309195f2a3f21a9fb14e6da2080b096dcf0d6f1c36c93cdeac683fdd59 SHA512 35da5e58f857e8b24e63b4058e946b71fdf0fecc637cb7af0ba8913869e5aadf8317805838936c84dc24421f03c5c91e1670761bed152fdf325c5a509f1b5d04 WHIRLPOOL cc7bace4aa60d720914e3a6a4ff650b7543d9e4963deab12c19cb5d798547b4fe547690946ff8955e121339e9a3d0ebe06f3ff758cca4bb81a09ac43fc877f58 +DIST openssh-6.7p1+x509-8.2.diff.gz 241798 SHA256 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f SHA512 d33ece7ddf382235b032875cf961845b308dc5e4cd1888cb68fee11c95066bb90938f9043cb9410f372efb578b61dfd5d50341da95a92fab5a4c209ac54e1f5e WHIRLPOOL b1fe2b88f0e77312099171f5c83dc670abc4c40d215fdff1e43161e44f806de9e0537cfa3a0001e1c7bbc0d0aed555079455f88b8ff313b00d8e9a19dabcb7d8 +DIST openssh-6.7p1-hpnssh14v5.tar.xz 25652 SHA256 7284db65548b6b04142930da86972f96b1f5aa8ad3fc125134412f904f369d7e SHA512 21929805f40c79684ee3ecdb2b495d3204dca90b932aa633c4e0f6a093a417259cdeee10b3e49f3dff426febc6792f45ee23cc0688f05bf047630f3016e0926a WHIRLPOOL 5515cd4c745b061a3e92ac03e8121fb3ffc4b2ff116140625ca7ab2c0211c673b6345e5b08134df8b1743e03f9964017e789e1f0b9da99a0fd5970e14665e681 +DIST openssh-6.7p1.tar.gz 1351367 SHA256 b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 SHA512 2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d WHIRLPOOL ac8ce86d0f6c78c4cb3624b480f189f951d508db38b22d7a5550b7302d5277c1c7d18eaa713d52139abc0f77edacfdb03ced2603125e3ddf9bc09c69e6b70518 +DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476 +DIST openssh-6.8_p1-x509-8.3.1-glue.patch.xz 141096 SHA256 1e8c911b1403e47a37c24d0ebbfa36d46204c06b38d93ed9ae6d2a0953d3bba6 SHA512 942f09f20d898b4865707b5b48012545d7f8171353427ddb773cffaf1b8c664f48375cb85292592ccba63da695e99def42d17c52a61bb93b89827f53cf3ad918 WHIRLPOOL 66ace7a191a562485ee144516912dee52c84fcfbe8b710b3429211cd9d849dc24d4419c5fa6fd3968f9ab250cf474a692db326c2ac3ef930081b8a5777875a73 +DIST openssh-6.8p1+x509-8.3.1.diff.gz 351502 SHA256 64d0b7cd428352a2d77d9decb02ec744eca4433bcb35288745859eb19ccf4fcf SHA512 6525b7ddae13752f145bda42fe6d65ec40a8c9d44766b749cf49ff904d6b1941e088e560c2a532a3dc0003ac1e29d56a28ea3ed1533ee5abcd696cd80ae88d8e WHIRLPOOL 32f45411d250b7c46f2408bfca6b12223e901fa15c27db449c06cd5b1ab7a0e853fffed5971ca635c5080d1796196a8661b8d1503bdcdb28d61e0d082f28590b +DIST openssh-6.8p1-r5-hpnssh14v5.tar.xz 27240 SHA256 4fe25701ea8717e88bf2355a76fb5370819f927af99efba3e4f06fe3264fbf58 SHA512 29a2086c6bf868bb1c8d2601e1ac83a82de48ed9f9cf6a3762b3f899112d939507b563d0117b4bec87008dd0434e0735e4a4f8c779a64d719d3873224918d16c WHIRLPOOL a4f3e841530d08363c94dfb55911e79f130668e459dc2e1ebb477c14dcf7d3bd71ad63c55e0ff2ba80684e67a8f40867b0a9fd01aabe3fe1533ef604f84a76b3 +DIST openssh-6.8p1.tar.gz 1475953 SHA256 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e SHA512 7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede WHIRLPOOL 3ac9cc4fe0b11ca66c0220618d0ef0c5925e5605d4d3d55c9579b708c478cf8613b7575fe213aba57054d97d3290baac4eba26b7a630d22477ec947f22327a5a +DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2 +DIST openssh-6.9p1-hpnssh14v5.tar.xz 25164 SHA256 67c0b043525c838522d17ba8ed3ffa81aa212ae0f43c3d989a3e649fd0a2ca48 SHA512 bef32f6dd97e949e0973d30248401b86233ca66ace750c5050158a748fe279db46c8ee59b6f3de2193f52bab3a1c19372296b86136d7d65a312769008d0acf3a WHIRLPOOL 65241de2409bfe452b0bcf6282f0571a2bbf6d02d4d5cb97db78bd42e8be439c47da8a54d33272a85d50d648e2e4af56b574bc8add56c65e2ff9ccd59b90f65c +DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7 +DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f +DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73 +DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..c81ae5cb706d --- /dev/null +++ b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch @@ -0,0 +1,127 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +Index: readconf.c +=================================================================== +RCS file: /cvs/openssh/readconf.c,v +retrieving revision 1.135 +diff -u -r1.135 readconf.c +--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 ++++ readconf.c 19 Aug 2006 11:59:52 -0000 +@@ -126,6 +126,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, +@@ -163,9 +164,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -444,6 +447,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1010,6 +1017,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1100,6 +1108,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +Index: readconf.h +=================================================================== +RCS file: /cvs/openssh/readconf.h,v +retrieving revision 1.63 +diff -u -r1.63 readconf.h +--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63 ++++ readconf.h 19 Aug 2006 11:59:52 -0000 +@@ -45,6 +45,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +Index: ssh_config.5 +=================================================================== +RCS file: /cvs/openssh/ssh_config.5,v +retrieving revision 1.97 +diff -u -r1.97 ssh_config.5 +--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97 ++++ ssh_config.5 19 Aug 2006 11:59:53 -0000 +@@ -483,7 +483,16 @@ + Forward (delegate) credentials to the server. + The default is + .Dq no . +-Note that this option applies to protocol version 2 only. ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +Index: sshconnect2.c +=================================================================== +RCS file: /cvs/openssh/sshconnect2.c,v +retrieving revision 1.151 +diff -u -r1.151 sshconnect2.c +--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 ++++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 +@@ -499,6 +499,12 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) ++ gss_host = get_canonical_hostname(1); ++ else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -511,7 +517,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch new file mode 100644 index 000000000000..c3647d5aa232 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch @@ -0,0 +1,51 @@ +--- openssh-6.3p1/Makefile.in ++++ openssh-6.3p1/Makefile.in +@@ -45,7 +45,7 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + K5LIBS=@K5LIBS@ + GSSLIBS=@GSSLIBS@ +@@ -53,6 +53,7 @@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- openssh-6.3p1/sshconnect.c ++++ openssh-6.3p1/sshconnect.c +@@ -465,7 +465,7 @@ + { + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n", ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", +--- openssh-6.3p1/sshd.c ++++ openssh-6.3p1/sshd.c +@@ -472,8 +472,8 @@ + comment = ""; + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", +- major, minor, SSH_VERSION, comment, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", ++ major, minor, SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + +--- openssh-6.3p1/version.h ++++ openssh-6.3p1/version.h +@@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_6.3" + + #define SSH_PORTABLE "p1" ++#define SSH_X509 " PKIX" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch new file mode 100644 index 000000000000..2a34ee96d55e --- /dev/null +++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch @@ -0,0 +1,17 @@ +Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch. + +--- openssh-6.6p1+x509-8.0.diff ++++ openssh-6.6p1+x509-8.0.diff +@@ -16337,10 +16337,10 @@ + .It Cm ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or though authentication styles supported in +-@@ -499,6 +576,16 @@ ++@@ -514,6 +591,16 @@ ++ This facility is provided to assist with operation on multi homed machines. + The default is + .Dq yes . +- Note that this option applies to protocol version 2 only. + +.It Cm HostbasedAlgorithms + +Specifies the protocol version 2 algorithms used in + +.Dq hostbased diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch new file mode 100644 index 000000000000..beb22926aed0 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch @@ -0,0 +1,26 @@ +make the hpn patch apply when the x509 patch has also been applied + +--- openssh-6.6.1p1-hpnssh14v5.diff ++++ openssh-6.6.1p1-hpnssh14v5.diff +@@ -1742,18 +1742,14 @@ + if (options->ip_qos_interactive == -1) + options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +-@@ -345,9 +392,10 @@ ++@@ -345,6 +392,7 @@ + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled, + sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, +-- sAuthenticationMethods, sHostKeyAgent, +-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent, +- sDeprecated, sUnsupported +- } ServerOpCodes; +- ++ sAuthenticationMethods, sHostKeyAgent, + @@ -468,6 +516,10 @@ + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch new file mode 100644 index 000000000000..fa33af39b6f8 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch @@ -0,0 +1,17 @@ +the last nibble of the openssl version represents the status. that is, +whether it is a beta or release. when it comes to version checks in +openssh, this component does not matter, so ignore it. + +https://bugzilla.mindrot.org/show_bug.cgi?id=2212 + +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ +- mask = 0xfff0000fL; /* major,minor,status */ ++ mask = 0xfff00000L; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch new file mode 100644 index 000000000000..bd0b7ce12b66 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch @@ -0,0 +1,42 @@ +--- openssh-6.7_p1-sctp.patch.orig 2014-11-24 10:34:31.817538707 -0800 ++++ openssh-6.7_p1-sctp.patch 2014-11-24 10:38:52.744990154 -0800 +@@ -195,14 +195,6 @@ + .Op Fl c Ar cipher + .Op Fl F Ar ssh_config + .Op Fl i Ar identity_file +-@@ -178,6 +178,7 @@ For full details of the options listed b +- .It ServerAliveCountMax +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It UsePrivilegedPort +- .It User +- .It UserKnownHostsFile + @@ -218,6 +219,8 @@ and + to print debugging messages about their progress. + This is helpful in +@@ -482,14 +474,6 @@ + .Op Fl b Ar bind_address + .Op Fl c Ar cipher_spec + .Op Fl D Oo Ar bind_address : Oc Ns Ar port +-@@ -473,6 +473,7 @@ For full details of the options listed b +- .It StreamLocalBindUnlink +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It Tunnel +- .It TunnelDevice +- .It UsePrivilegedPort + @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte + controls. + .It Fl y +@@ -527,7 +511,7 @@ +- again: ++ + - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" + + while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT +- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { + switch (opt) { + case '1': + @@ -732,6 +738,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch new file mode 100644 index 000000000000..96818e42ec52 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch @@ -0,0 +1,162 @@ +https://bugs.gentoo.org/378361 +https://bugzilla.mindrot.org/show_bug.cgi?id=928 + +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -41,9 +41,12 @@ + #include "channels.h" + #include "session.h" + #include "misc.h" ++#include "servconf.h" + + #include "ssh-gss.h" + ++extern ServerOptions options; ++ + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; +@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + char lname[NI_MAXHOST]; + gss_OID_set oidset; + +- gss_create_empty_oid_set(&status, &oidset); +- gss_add_oid_set_member(&status, ctx->oid, &oidset); +- +- if (gethostname(lname, sizeof(lname))) { +- gss_release_oid_set(&status, &oidset); +- return (-1); +- } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ ++ if (gethostname(lname, MAXHOSTNAMELEN)) { ++ gss_release_oid_set(&status, &oidset); ++ return (-1); ++ } ++ ++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { ++ gss_release_oid_set(&status, &oidset); ++ return (ctx->major); ++ } ++ ++ if ((ctx->major = gss_acquire_cred(&ctx->minor, ++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, ++ NULL, NULL))) ++ ssh_gssapi_error(ctx); + +- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); ++ } else { ++ ctx->name = GSS_C_NO_NAME; ++ ctx->creds = GSS_C_NO_CREDENTIAL; + } +- +- if ((ctx->major = gss_acquire_cred(&ctx->minor, +- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) +- ssh_gssapi_error(ctx); +- +- gss_release_oid_set(&status, &oidset); +- return (ctx->major); ++ return GSS_S_COMPLETE; + } + + /* Privileged */ +--- a/servconf.c ++++ b/servconf.c +@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; ++ options->gss_strict_acceptor = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; ++ if (options->gss_strict_acceptor == -1) ++ options->gss_strict_acceptor = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -277,7 +280,8 @@ typedef enum { + sBanner, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, +- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sZeroKnowledgePasswordAuthentication, sHostCertificate, +@@ -327,9 +331,11 @@ static struct { + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + #endif + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, +@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions + + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; ++ goto parse_flag; ++ ++ case sGssStrictAcceptor: ++ intptr = &options->gss_strict_acceptor; + goto parse_flag; + + case sPasswordAuthentication: +--- a/servconf.h ++++ b/servconf.h +@@ -92,6 +92,7 @@ typedef struct { + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ ++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +--- a/sshd_config ++++ b/sshd_config +@@ -69,6 +69,7 @@ + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -386,6 +386,21 @@ on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful public key client host authentication is allowed diff --git a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch new file mode 100644 index 000000000000..71b9c517311f --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch @@ -0,0 +1,46 @@ +--- openssh-6.7p1.orig/sshd_config.5 2014-11-24 10:24:29.356244415 -0800 ++++ openssh-6.7p1/sshd_config.5 2014-11-24 10:23:49.415029039 -0800 +@@ -610,21 +610,6 @@ + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. +-.It Cm GSSAPIStrictAcceptorCheck +-Determines whether to be strict about the identity of the GSSAPI acceptor +-a client authenticates against. +-If set to +-.Dq yes +-then the client must authenticate against the +-.Pa host +-service on the current hostname. +-If set to +-.Dq no +-then the client may authenticate against any service key stored in the +-machine's default store. +-This facility is provided to assist with operation on multi homed machines. +-The default is +-.Dq yes . + .It Cm HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful public key client host authentication is allowed +@@ -651,6 +636,21 @@ + attempting to resolve the name from the TCP connection itself. + The default is + .Dq no . ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostCertificate + Specifies a file containing a public host certificate. + The certificate's public key must match a private host key already specified diff --git a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch b/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch new file mode 100644 index 000000000000..170031daad36 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch @@ -0,0 +1,11 @@ +diff -ur openssh-6.7p1.orig/ssh-rsa.c openssh-6.7p1/ssh-rsa.c +--- openssh-6.7p1.orig/ssh-rsa.c 2015-02-24 14:52:54.512197868 -0800 ++++ openssh-6.7p1/ssh-rsa.c 2015-02-27 11:48:54.173951646 -0800 +@@ -34,6 +34,7 @@ + #include "sshkey.h" + #include "digest.h" + #include "evp-compat.h" ++#include "xmalloc.h" + + /*NOTE: Do not define USE_LEGACY_RSA_... if build + is with FIPS capable OpenSSL */ diff --git a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch new file mode 100644 index 000000000000..7b12e9a67cf0 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch @@ -0,0 +1,90 @@ +--- openssh-6.8_p1-sctp.patch.orig 2015-03-18 17:52:40.563506822 -0700 ++++ openssh-6.8_p1-sctp.patch 2015-03-18 18:14:30.919753194 -0700 +@@ -184,34 +184,6 @@ + int port; /* Port to connect. */ + int address_family; + int connection_attempts; /* Max attempts (seconds) before +---- a/scp.1 +-+++ b/scp.1 +-@@ -19,7 +19,7 @@ +- .Sh SYNOPSIS +- .Nm scp +- .Bk -words +--.Op Fl 12346BCpqrv +-+.Op Fl 12346BCpqrvz +- .Op Fl c Ar cipher +- .Op Fl F Ar ssh_config +- .Op Fl i Ar identity_file +-@@ -178,6 +178,7 @@ For full details of the options listed b +- .It ServerAliveCountMax +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It UpdateHostKeys +- .It UsePrivilegedPort +- .It User +-@@ -218,6 +219,8 @@ and +- to print debugging messages about their progress. +- This is helpful in +- debugging connection, authentication, and configuration problems. +-+.It Fl z +-+Use the SCTP protocol for connection instead of TCP which is the default. +- .El +- .Sh EXIT STATUS +- .Ex -std scp + --- a/scp.c + +++ b/scp.c + @@ -395,7 +395,11 @@ main(int argc, char **argv) +@@ -471,34 +443,6 @@ + int protocol; /* Supported protocol versions. */ + struct ForwardOptions fwd_opts; /* forwarding options */ + SyslogFacility log_facility; /* Facility for system logging. */ +---- a/ssh.1 +-+++ b/ssh.1 +-@@ -43,7 +43,7 @@ +- .Sh SYNOPSIS +- .Nm ssh +- .Bk -words +--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy +-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz +- .Op Fl b Ar bind_address +- .Op Fl c Ar cipher_spec +- .Op Fl D Oo Ar bind_address : Oc Ns Ar port +-@@ -473,6 +473,7 @@ For full details of the options listed b +- .It StreamLocalBindUnlink +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It Tunnel +- .It TunnelDevice +- .It UsePrivilegedPort +-@@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte +- controls. +- .It Fl y +- Send log information using the +-+.It Fl z +-+Use the SCTP protocol for connection instead of TCP which is the default. +- .Xr syslog 3 +- system module. +- By default this information is sent to stderr. + --- a/ssh.c + +++ b/ssh.c + @@ -194,12 +194,17 @@ extern int muxserver_sock; +@@ -520,13 +464,11 @@ + " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" + " [-F configfile] [-I pkcs11] [-i identity_file]\n" + " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" +-@@ -506,7 +512,7 @@ main(int ac, char **av) +- argv0 = av[0]; ++@@ -506,4 +512,4 @@ main(int ac, char **av) + +- again: +-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" +-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT +- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" +++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT ++ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { + switch (opt) { + case '1': + @@ -732,6 +738,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch b/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch new file mode 100644 index 000000000000..e14a728f43a3 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch @@ -0,0 +1,40 @@ +https://bugs.gentoo.org/544078 +https://bugzilla.mindrot.org/show_bug.cgi?id=2369 + +From 117c961c8d1f0537973df5a6a937389b4b7b61b4 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 23 Mar 2015 06:06:38 +0000 +Subject: [PATCH] upstream commit + +for ssh-keygen -A, don't try (and fail) to generate ssh + v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled + without OpenSSL based on patch by Mike Frysinger; bz#2369 +--- + ssh-keygen.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/ssh-keygen.c b/ssh-keygen.c +index a3c2362..96dd8b4 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -948,12 +948,16 @@ do_gen_all_hostkeys(struct passwd *pw) + char *key_type_display; + char *path; + } key_types[] = { ++#ifdef WITH_OPENSSL ++#ifdef WITH_SSH1 + { "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, ++#endif /* WITH_SSH1 */ + { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, + { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, + #ifdef OPENSSL_HAS_ECC + { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, +-#endif ++#endif /* OPENSSL_HAS_ECC */ ++#endif /* WITH_OPENSSL */ + { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, + { NULL, NULL, NULL } + }; +-- +2.3.3 + diff --git a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch new file mode 100644 index 000000000000..48fce1e2c294 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch @@ -0,0 +1,162 @@ +https://bugs.gentoo.org/378361 +https://bugzilla.mindrot.org/show_bug.cgi?id=928 + +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -41,9 +41,12 @@ + #include "channels.h" + #include "session.h" + #include "misc.h" ++#include "servconf.h" + + #include "ssh-gss.h" + ++extern ServerOptions options; ++ + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; +@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + char lname[NI_MAXHOST]; + gss_OID_set oidset; + +- gss_create_empty_oid_set(&status, &oidset); +- gss_add_oid_set_member(&status, ctx->oid, &oidset); +- +- if (gethostname(lname, sizeof(lname))) { +- gss_release_oid_set(&status, &oidset); +- return (-1); +- } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ ++ if (gethostname(lname, MAXHOSTNAMELEN)) { ++ gss_release_oid_set(&status, &oidset); ++ return (-1); ++ } ++ ++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { ++ gss_release_oid_set(&status, &oidset); ++ return (ctx->major); ++ } ++ ++ if ((ctx->major = gss_acquire_cred(&ctx->minor, ++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, ++ NULL, NULL))) ++ ssh_gssapi_error(ctx); + +- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); ++ } else { ++ ctx->name = GSS_C_NO_NAME; ++ ctx->creds = GSS_C_NO_CREDENTIAL; + } +- +- if ((ctx->major = gss_acquire_cred(&ctx->minor, +- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) +- ssh_gssapi_error(ctx); +- +- gss_release_oid_set(&status, &oidset); +- return (ctx->major); ++ return GSS_S_COMPLETE; + } + + /* Privileged */ +--- a/servconf.c ++++ b/servconf.c +@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; ++ options->gss_strict_acceptor = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; ++ if (options->gss_strict_acceptor == -1) ++ options->gss_strict_acceptor = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -277,7 +280,8 @@ typedef enum { + sBanner, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, +- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, +@@ -327,9 +331,11 @@ static struct { + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + #endif + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, +@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions + + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; ++ goto parse_flag; ++ ++ case sGssStrictAcceptor: ++ intptr = &options->gss_strict_acceptor; + goto parse_flag; + + case sPasswordAuthentication: +--- a/servconf.h ++++ b/servconf.h +@@ -92,6 +92,7 @@ typedef struct { + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ ++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +--- a/sshd_config ++++ b/sshd_config +@@ -69,6 +69,7 @@ + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -386,6 +386,21 @@ on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostbasedAcceptedKeyTypes + Specifies the key types that will be accepted for hostbased authentication + as a comma-separated pattern list. diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch new file mode 100644 index 000000000000..9fad386ccb6c --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch @@ -0,0 +1,31 @@ +From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Wed, 18 Mar 2015 12:37:24 -0400 +Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is + set + +--- + configure.ac | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index b4d6598..7806d20 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2276,10 +2276,10 @@ openssl_engine=no + AC_ARG_WITH([ssl-engine], + [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], + [ +- if test "x$openssl" = "xno" ; then +- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) +- fi + if test "x$withval" != "xno" ; then ++ if test "x$openssl" = "xno" ; then ++ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) ++ fi + openssl_engine=yes + fi + ] +-- +2.3.2 + diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch new file mode 100644 index 000000000000..e72b1e6bafaa --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch @@ -0,0 +1,15 @@ +--- a/0005-support-dynamically-sized-receive-buffers.patch ++++ b/0005-support-dynamically-sized-receive-buffers.patch +@@ -411,10 +411,10 @@ index af2f007..41b782b 100644 + --- a/compat.h + +++ b/compat.h + @@ -60,6 +60,7 @@ +- #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 + #define SSH_BUG_CURVE25519PAD 0x10000000 +-+#define SSH_BUG_LARGEWINDOW 0x20000000 ++ #define SSH_BUG_HOSTKEYS 0x20000000 +++#define SSH_BUG_LARGEWINDOW 0x40000000 + + void enable_compat13(void); + void enable_compat20(void); diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch new file mode 100644 index 000000000000..f99e92f29e33 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch @@ -0,0 +1,69 @@ +https://bugs.gentoo.org/547944 + +From d8f391caef62378463a0e6b36f940170dadfe605 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Fri, 10 Apr 2015 05:16:50 +0000 +Subject: [PATCH] upstream commit + +Don't send hostkey advertisments + (hostkeys-00@openssh.com) to current versions of Tera Term as they can't + handle them. Newer versions should be OK. Patch from Bryan Drewery and + IWAMOTO Kouichi, ok djm@ +--- + compat.c | 13 ++++++++++++- + compat.h | 3 ++- + sshd.c | 6 +++++- + 3 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/compat.c b/compat.c +index 2498168..0934de9 100644 +--- a/compat.c ++++ b/compat.c +@@ -167,6 +167,17 @@ compat_datafellows(const char *version) + SSH_BUG_SCANNER }, + { "Probe-*", + SSH_BUG_PROBE }, ++ { "TeraTerm SSH*," ++ "TTSSH/1.5.*," ++ "TTSSH/2.1*," ++ "TTSSH/2.2*," ++ "TTSSH/2.3*," ++ "TTSSH/2.4*," ++ "TTSSH/2.5*," ++ "TTSSH/2.6*," ++ "TTSSH/2.70*," ++ "TTSSH/2.71*," ++ "TTSSH/2.72*", SSH_BUG_HOSTKEYS }, + { NULL, 0 } + }; + +diff --git a/compat.h b/compat.h +index af2f007..83507f0 100644 +--- a/compat.h ++++ b/compat.h +@@ -60,6 +60,7 @@ + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 + #define SSH_BUG_CURVE25519PAD 0x10000000 ++#define SSH_BUG_HOSTKEYS 0x20000000 + + void enable_compat13(void); + void enable_compat20(void); +diff --git a/sshd.c b/sshd.c +index 6aa17fa..60b0cd4 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh) + int i, nkeys, r; + char *fp; + ++ /* Some clients cannot cope with the hostkeys message, skip those. */ ++ if (datafellows & SSH_BUG_HOSTKEYS) ++ return; ++ + if ((buf = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new", __func__); + for (i = nkeys = 0; i < options.num_host_key_files; i++) { +-- +2.3.6 + diff --git a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch b/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch new file mode 100644 index 000000000000..9ce2967af425 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch @@ -0,0 +1,24 @@ +diff -ur openssh-6.9p1.orig/sshconnect2.c openssh-6.9p1/sshconnect2.c +--- openssh-6.9p1.orig/sshconnect2.c 2015-07-01 14:56:26.766316866 -0700 ++++ openssh-6.9p1/sshconnect2.c 2015-07-01 14:59:22.828692366 -0700 +@@ -1404,7 +1404,7 @@ + static int + get_allowed_keytype(Key *k) { + char *pattern; +- char *alg; ++ const char *alg; + + if (k->type == KEY_RSA1 || k->type == KEY_UNSPEC) + return KEY_UNSPEC; +diff -ur openssh-6.9p1.orig/x509_nm_cmp.c openssh-6.9p1/x509_nm_cmp.c +--- openssh-6.9p1.orig/x509_nm_cmp.c 2015-07-01 14:56:26.129311890 -0700 ++++ openssh-6.9p1/x509_nm_cmp.c 2015-07-01 14:59:14.086624068 -0700 +@@ -133,7 +133,7 @@ + tag = M_ASN1_STRING_type(in); + if (tag != V_ASN1_UTF8STRING) { + /*OpenSSL method surprisingly require non-const(!?) ASN1_STRING!*/ +- return(ASN1_STRING_to_UTF8(out, in)); ++ return(ASN1_STRING_to_UTF8(out, (ASN1_STRING *) in)); + } + + l = M_ASN1_STRING_length(in); diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd new file mode 100644 index 000000000000..28952b4a285a --- /dev/null +++ b/net-misc/openssh/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2 new file mode 100644 index 000000000000..b801aaafa0f9 --- /dev/null +++ b/net-misc/openssh/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4 new file mode 100755 index 000000000000..34e19706de07 --- /dev/null +++ b/net-misc/openssh/files/sshd.rc6.4 @@ -0,0 +1,85 @@ +#!/sbin/runscript +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=/usr/sbin/sshd} + +depend() { + use logger dns + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ssh-keygen -A || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service new file mode 100644 index 000000000000..b5e96b3a251f --- /dev/null +++ b/net-misc/openssh/files/sshd.service @@ -0,0 +1,11 @@ +[Unit] +Description=OpenSSH server daemon +After=syslog.target network.target auditd.service + +[Service] +ExecStartPre=/usr/bin/ssh-keygen -A +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket new file mode 100644 index 000000000000..94b9533180da --- /dev/null +++ b/net-misc/openssh/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service new file mode 100644 index 000000000000..2645ad047cc6 --- /dev/null +++ b/net-misc/openssh/files/sshd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=syslog.target auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=syslog diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml new file mode 100644 index 000000000000..ec8bad168c76 --- /dev/null +++ b/net-misc/openssh/metadata.xml @@ -0,0 +1,37 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> + <herd>base-system</herd> + <maintainer restrict="net-misc/openssh[ldap]"> + <email>robbat2@gentoo.org</email> + <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description> + </maintainer> + <longdescription> +OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that +increasing numbers of people on the Internet are coming to rely on. Many users of telnet, +rlogin, ftp, and other such programs might not realize that their password is transmitted +across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) +to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. +Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety +of authentication methods. + +The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which +replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of +the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, +ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. +</longdescription> + <use> + <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag> + <flag name="hpn">Enable high performance ssh</flag> + <flag name="ldap">Add support for storing SSH public keys in LDAP</flag> + <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag> + <flag name="sctp">Support for Stream Control Transmission Protocol</flag> + <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag> + <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag> + <flag name="X509">Adds support for X.509 certificate authentication</flag> + </use> + <upstream> + <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id> + <remote-id type="sourceforge">hpnssh</remote-id> + </upstream> +</pkgmetadata> diff --git a/net-misc/openssh/openssh-6.7_p1-r4.ebuild b/net-misc/openssh/openssh-6.7_p1-r4.ebuild new file mode 100644 index 000000000000..eebb41098df4 --- /dev/null +++ b/net-misc/openssh/openssh-6.7_p1-r4.ebuild @@ -0,0 +1,324 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI="4" +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PN}-6.7p1-hpnssh14v5.tar.xz" +LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz" +X509_VER="8.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + mirror://gentoo/${P}-sctp.patch.xz + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH} + http://dev.gentoo.org/~vapier/dist/${HPN_PATCH} + mirror://sourceforge/hpnssh/${HPN_PATCH} + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +IUSE="bindist ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey static X X509" +REQUIRED_USE="pie? ( !static )" + +LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + >=dev-libs/openssl-0.9.6d:0[bindist=] + dev-libs/openssl[static-libs(+)] + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( + ${LIB_DEPEND//\[static-libs(+)]} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( + ${LIB_DEPEND} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) + bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) + ) + ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + epatch "${FILESDIR}"/${PN}-6.7_p1-sshd-gssapi-multihomed.patch #378361 + if use X509 ; then + pushd .. >/dev/null + epatch "${FILESDIR}"/${P}-x509-glue.patch + epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch + epatch "${FILESDIR}"/${PN}-6.7_p1-xmalloc-include.patch + save_version X509 + fi + if ! use X509 ; then + if [[ -n ${LDAP_PATCH} ]] && use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + else + use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP" + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${WORKDIR}"/${PN}-6.7_p1-sctp.patch + if [[ -n ${HPN_PATCH} ]] && use hpn; then + epatch "${WORKDIR}"/${HPN_PATCH%.*}/* + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +static_use_with() { + local flag=$1 + if use static && use ${flag} ; then + ewarn "Disabling '${flag}' support because of USE='static'" + # rebuild args so that we invert the first one (USE flag) + # but otherwise leave everything else working so we can + # just leverage use_with + shift + [[ -z $1 ]] && flag="${flag} ${flag}" + set -- !${flag} "$@" + fi + use_with "$@" +} + +src_configure() { + local myconf=() + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys #skey configure code triggers this + + use static && append-ldflags -static + + # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) + if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then + myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) + append-ldflags -lutil + fi + + econf \ + --with-ldflags="${LDFLAGS}" \ + --disable-strip \ + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run \ + --sysconfdir="${EPREFIX}"/etc/ssh \ + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \ + --datadir="${EPREFIX}"/usr/share/openssh \ + --with-privsep-path="${EPREFIX}"/var/empty \ + --with-privsep-user=sshd \ + --with-md5-passwords \ + --with-ssl-engine \ + $(static_use_with pam) \ + $(static_use_with kerberos kerberos5 "${EPREFIX}"/usr) \ + ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \ + $(use_with ldns) \ + $(use_with libedit) \ + $(use_with pie) \ + $(use_with sctp) \ + $(use_with selinux) \ + $(use_with skey) \ + "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + # not all openssl installs support ecc, or are functional #352645 + if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then + elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support" + sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die + fi + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed" + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + keepdir /var/empty/dev + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "reload sshd: '/etc/init.d/sshd reload'." + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + einfo "For the HPN server logging patch, you must ensure that" + einfo "your syslog application also listens at /var/empty/dev/log." + fi + elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" + elog " dropped it. Make sure to update any configs that you might have." +} diff --git a/net-misc/openssh/openssh-6.7_p1.ebuild b/net-misc/openssh/openssh-6.7_p1.ebuild new file mode 100644 index 000000000000..b6b44a3f1768 --- /dev/null +++ b/net-misc/openssh/openssh-6.7_p1.ebuild @@ -0,0 +1,323 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI="4" +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PN}-6.7p1-hpnssh14v5.tar.xz" +LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz" +#X509_VER="8.1" X509_PATCH="${PARCH/6.7/6.6}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + mirror://gentoo/${P}-sctp.patch.xz + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH} + http://dev.gentoo.org/~vapier/dist/${HPN_PATCH} + mirror://sourceforge/hpnssh/${HPN_PATCH} + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam +pie sctp selinux skey static X X509" +REQUIRED_USE="pie? ( !static )" + +LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + >=dev-libs/openssl-0.9.6d:0[bindist=] + dev-libs/openssl[static-libs(+)] + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( + ${LIB_DEPEND//\[static-libs(+)]} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( + ${LIB_DEPEND} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) + bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) + ) + ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + epatch "${FILESDIR}"/${PN}-6.7_p1-sshd-gssapi-multihomed.patch #378361 + if use X509 ; then + pushd .. >/dev/null + epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-glue.patch + use hpn && epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-hpn14v5-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch + save_version X509 + fi + if ! use X509 ; then + if [[ -n ${LDAP_PATCH} ]] && use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + else + use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP" + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${WORKDIR}"/${PN}-6.7_p1-sctp.patch + if [[ -n ${HPN_PATCH} ]] && use hpn; then + epatch "${WORKDIR}"/${HPN_PATCH%.*}/* + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +static_use_with() { + local flag=$1 + if use static && use ${flag} ; then + ewarn "Disabling '${flag}' support because of USE='static'" + # rebuild args so that we invert the first one (USE flag) + # but otherwise leave everything else working so we can + # just leverage use_with + shift + [[ -z $1 ]] && flag="${flag} ${flag}" + set -- !${flag} "$@" + fi + use_with "$@" +} + +src_configure() { + local myconf=() + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys #skey configure code triggers this + + use static && append-ldflags -static + + # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) + if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then + myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) + append-ldflags -lutil + fi + + econf \ + --with-ldflags="${LDFLAGS}" \ + --disable-strip \ + --with-pid-dir="${EPREFIX}"/var/run \ + --sysconfdir="${EPREFIX}"/etc/ssh \ + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \ + --datadir="${EPREFIX}"/usr/share/openssh \ + --with-privsep-path="${EPREFIX}"/var/empty \ + --with-privsep-user=sshd \ + --with-md5-passwords \ + --with-ssl-engine \ + $(static_use_with pam) \ + $(static_use_with kerberos kerberos5 "${EPREFIX}"/usr) \ + ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \ + $(use_with ldns) \ + $(use_with libedit) \ + $(use_with pie) \ + $(use_with sctp) \ + $(use_with selinux) \ + $(use_with skey) \ + "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + # not all openssl installs support ecc, or are functional #352645 + if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then + elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support" + sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die + fi + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed" + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + keepdir /var/empty/dev + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "reload sshd: '/etc/init.d/sshd reload'." + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + einfo "For the HPN server logging patch, you must ensure that" + einfo "your syslog application also listens at /var/empty/dev/log." + fi + elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" + elog " dropped it. Make sure to update any configs that you might have." +} diff --git a/net-misc/openssh/openssh-6.8_p1-r5.ebuild b/net-misc/openssh/openssh-6.8_p1-r5.ebuild new file mode 100644 index 000000000000..532c18893e62 --- /dev/null +++ b/net-misc/openssh/openssh-6.8_p1-r5.ebuild @@ -0,0 +1,332 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI="4" +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PN}-6.8p1-r5-hpnssh14v5.tar.xz" +LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz" +X509_VER="8.3.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + mirror://gentoo/${P}-sctp.patch.xz + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH} + http://dev.gentoo.org/~vapier/dist/${HPN_PATCH} + mirror://sourceforge/hpnssh/${HPN_PATCH} + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( + http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} + mirror://gentoo/${P}-x509-${X509_VER}-glue.patch.xz + )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +# Probably want to drop ssh1/ssl defaulting to on in a future version. +IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey +ssh1 +ssl static X X509" +REQUIRED_USE="pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap ssl )" + +LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + ssl? ( + >=dev-libs/openssl-0.9.6d:0[bindist=] + dev-libs/openssl[static-libs(+)] + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( + ${LIB_DEPEND//\[static-libs(+)]} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( + ${LIB_DEPEND} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) + bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) + ) + ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + die "USE=tcpd no longer works" + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + epatch "${FILESDIR}"/${PN}-6.8_p1-sshd-gssapi-multihomed.patch #378361 + if use X509 ; then + pushd .. >/dev/null + epatch "${WORKDIR}"/${P}-x509-${X509_VER}-glue.patch + epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch + save_version X509 + fi + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${FILESDIR}"/${PN}-6.8_p1-ssh-keygen-no-ssh1.patch #544078 + epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm.patch #547944 + # The X509 patchset fixes this independently. + use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch + epatch "${WORKDIR}"/${P}-sctp.patch + if use hpn ; then + # The teraterm patch pulled in an upstream update. + pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null + epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm-hpn-glue.patch + popd >/dev/null + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys # skey configure code triggers this + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + # The X509 patch deletes this option entirely. + $(use X509 || use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) + if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then + myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) + append-ldflags -lutil + fi + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + keepdir /var/empty/dev + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "reload sshd: '/etc/init.d/sshd reload'." + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + einfo "For the HPN server logging patch, you must ensure that" + einfo "your syslog application also listens at /var/empty/dev/log." + fi + elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" + elog " dropped it. Make sure to update any configs that you might have." +} diff --git a/net-misc/openssh/openssh-6.9_p1-r1.ebuild b/net-misc/openssh/openssh-6.9_p1-r1.ebuild new file mode 100644 index 000000000000..99d258da53ee --- /dev/null +++ b/net-misc/openssh/openssh-6.9_p1-r1.ebuild @@ -0,0 +1,323 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI="4" +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PN}-6.9p1-hpnssh14v5.tar.xz" +LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz" +X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH} + http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} + mirror://sourceforge/hpnssh/${HPN_PATCH} + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509" +REQUIRED_USE="pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap ssl )" + +LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + ssl? ( + >=dev-libs/openssl-0.9.6d:0[bindist=] + dev-libs/openssl[static-libs(+)] + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( + ${LIB_DEPEND//\[static-libs(+)]} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( + ${LIB_DEPEND} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) + bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) + ) + ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + die "USE=tcpd no longer works" + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + pushd .. >/dev/null + #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch + epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch + epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch + save_version X509 + fi + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + # The X509 patchset fixes this independently. + use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch + epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch + if use hpn ; then + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys # skey configure code triggers this + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + # The X509 patch deletes this option entirely. + $(use X509 || use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) + if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then + myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) + append-ldflags -lutil + fi + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + keepdir /var/empty/dev + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "reload sshd: '/etc/init.d/sshd reload'." + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + einfo "For the HPN server logging patch, you must ensure that" + einfo "your syslog application also listens at /var/empty/dev/log." + fi + elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" + elog " dropped it. Make sure to update any configs that you might have." +} diff --git a/net-misc/openssh/openssh-6.9_p1-r2.ebuild b/net-misc/openssh/openssh-6.9_p1-r2.ebuild new file mode 100644 index 000000000000..fe41c28bf472 --- /dev/null +++ b/net-misc/openssh/openssh-6.9_p1-r2.ebuild @@ -0,0 +1,312 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI="4" +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PN}-6.9p1-r1-hpnssh14v5.tar.xz" +LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz" +X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH} + http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} + mirror://sourceforge/hpnssh/${HPN_PATCH} + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap ssl )" + +LIB_DEPEND=" + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + >=dev-libs/openssl-0.9.6d:0[bindist=] + dev-libs/openssl[static-libs(+)] + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + die "USE=tcpd no longer works" + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + pushd .. >/dev/null + #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch + epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch + epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch + save_version X509 + fi + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + # The X509 patchset fixes this independently. + use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch + epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch + if use hpn ; then + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys # skey configure code triggers this + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + # The X509 patch deletes this option entirely. + $(use X509 || use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) + if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then + myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) + append-ldflags -lutil + fi + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "reload sshd: '/etc/init.d/sshd reload'." + elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" + elog " dropped it. Make sure to update any configs that you might have." +} |