net-misc/openssh: new package
This commit is contained in:
parent
1d9e843a81
commit
24e166f5cf
21
net-misc/openssh/Manifest
Normal file
21
net-misc/openssh/Manifest
Normal file
|
@ -0,0 +1,21 @@
|
|||
DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13
|
||||
DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b
|
||||
DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b
|
||||
DIST openssh-8.9p1.tar.gz.asc 833 BLAKE2B fd44a5545bd0795ee335e480011dbe3c12011dc05b8722fb257bf4c7e8067ab4b515293cf73d23d57b6cf6980eb4e49251b026af9498a237365c5b0440226898 SHA512 fd0bbd285ff2f8791f5a512f087f32bce026b716d5ac213cd4ef28f08722601fb943514bee71b2ac4b9f9363e2f120ce6c60fed952d1d8e53dbcf2a6fe2e706b
|
||||
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
|
||||
DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
|
||||
DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
|
||||
DIST openssh-9.0p1+x509-13.4.1.diff.gz 1146757 BLAKE2B 070d6bc23179a581e4fe79412274f11399009ba69ad643cc354ec9cd6392ffb0a651fd2d7f310c52c60a9c626140b9c823e2f19c600f15ac9cdf992707274bcb SHA512 4aaa86c1a785741b28c5e2738cf6de6fa7965ac8692165a8b18fe7677aeb0996979f23b45306781e6be75d34fb39294659be5ae016ab4a82ef2a73bedcc6e8e7
|
||||
DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3
|
||||
DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
|
||||
DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
|
||||
DIST openssh-9.1_p1-X509-glue-13.5.patch.xz 1092 BLAKE2B 19da945547472048d01a6ec26f28cba11afe1a0590a115582d1e21a852b6b66589b091ab4440d57952200522318aeffb7d9404e53f9532ae80e47685c24c4097 SHA512 96de9f59bacfd99aa9ef03362d55d88b3eea0acc57a11fb72e5c612bfb0f5e48455b0a0d0add9a8a5524b9d4701f47db1ff7859f1d3c2a12947b27292961cbd5
|
||||
DIST openssh-9.1_p1-X509-glue-14.0.1.patch.xz 1096 BLAKE2B cf5568982c9b2b69ee9f99f3e80459aed7b89f1350362e550ae8db3e5eee4a6d2e07879f962262a05c9745d39f34a3ae83792595c61f0ac287226ee9e0ec2a1b SHA512 18c65c97cc8c436fa8e28c0ad9f0a3874f1fb745d75e0bfb76c180bc148ae14a5f6cc5c2b2fa7261d76a8e1234f28fe869bd7f64ed282bf39c88cc3f20932be5
|
||||
DIST openssh-9.1_p1-hpn-15.2-X509-14.0.1-glue.patch.xz 5536 BLAKE2B 4629e62287f2bc36fe1eb830e4c47c5482e36650c1e725978e150e4f2a233d58b5bd1286024bdbef4d05586bb3e5d13c51fbd191dfe7429fdb06a278c564a777 SHA512 03467605b57ab3fb7ef2a9be175cf3708fa92234f3f0abfa74ea371c9ee90f2c01a3311022e282823c7bb67249d65aabf89f1574b917dc798c51847e57b0e33f
|
||||
DIST openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz 5504 BLAKE2B 776b467ddde16e268536c5632b028a32db22b26d7bc11e2a9fa6c8e29528be3eb781066d6b30fb2f561a73a24c34a29963fcd7c872aa92dc19d715d8ffbf2cbe SHA512 aa753da5f75d90165f5922ead1dd495a15a4c581360d5862ec6f802caea54055da8e308c1919efa8e78b31a7ea082f8693dda0ab84ccee414c562ec062c50fb1
|
||||
DIST openssh-9.1_p1-hpn-15.2-glue.patch.xz 3840 BLAKE2B 06fb14d8c6f52f1c6fae7971fc4da810c814d7b52063f8cc7e83356baa7ed70c84476c1d1cc896eba6d0d51813dc994e3c82278e66c04998431c8123a09fe7df SHA512 99c88c08fb384336a9680629bc04a89121780d64ee8b03ac164c4e446cc30b865004292e98516b6f857bd75e1b4393291427c046ffcabc1578629e6075636cbf
|
||||
DIST openssh-9.1p1+x509-13.5.diff.gz 1213948 BLAKE2B 5663a1c865c80f590642bb855f7d7a17e71e0db099deb4cea5750cfe734bd506b70a1b266fccc2a58174ae2b1b96a7f1ced56382d5d7e741b07e46422b03f7e6 SHA512 70a1f12e98b8fa8170c208803ee482aea2fcf6b9e41ecada5fabaa0288ed5a32574f42a7b50718bb484978f3c65f50e55966c9f555a9de100dc8d695b9aec531
|
||||
DIST openssh-9.1p1+x509-14.0.1.diff.gz 1236304 BLAKE2B 389e652a7cca4d7322d784e516a9454b0c6cb540a64aa47c0b14ac80bd9ad5aa7aa72a00dbc9024aa7c1186b19f2c62f179b8a6463085dd1bdde15fd44e451e5 SHA512 da754497f3f7d173b273f710dab2e7dbc5bf5257c95e661687ff4dd6b5e1c696ac031785850d9a9eb5669f728cbe4fe26d256a7cbd6f137ecadaf38f153770d1
|
||||
DIST openssh-9.1p1-sctp-1.2.patch.xz 6772 BLAKE2B 8393c1ca5f0df7e4d490cef5c38d50d45da83a9c3f650e9af15d95825f9e682a6aaf6a0e85fc1704d41d6567aec8f0b34e43b20652e0141008ccdbe91426dfac SHA512 6750394d0fb7b7f93a0e4f94204e53277cc341c5b2427130559e443557dbb95f2e85a71cfe8d40cfa17dd015b0f3880f79a1f868374e60e94e8385c9b45acec5
|
||||
DIST openssh-9.1p1.tar.gz 1838747 BLAKE2B 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 SHA512 a1f02c407f6b621b1d0817d1a0c9a6839b67e416c84f3b76c63003b119035b24c19a1564b22691d1152e1d2d55f4dc7eb1af2d2318751e431a99c4efa77edc70
|
||||
DIST openssh-9.1p1.tar.gz.asc 833 BLAKE2B 83efe3c705f6a02c25a9fc9bac2a4efd77470598d9e0fcb86dff2d265c58cffec1afecad3621769b2bd78ac25884f0ee20ae9b311e895db93e3bb552dffd6e74 SHA512 47dc7295f9694250bcbb86d7ca0830a47da4f3df7795bb05ebaf1590284ccce5317022c536bea1b09bd2fa4d8013295cc0de287ebe3f9dc605582077e9f11ddd
|
|
@ -0,0 +1,17 @@
|
|||
the last nibble of the openssl version represents the status. that is,
|
||||
whether it is a beta or release. when it comes to version checks in
|
||||
openssh, this component does not matter, so ignore it.
|
||||
|
||||
https://bugzilla.mindrot.org/show_bug.cgi?id=2212
|
||||
|
||||
--- a/openbsd-compat/openssl-compat.c
|
||||
+++ b/openbsd-compat/openssl-compat.c
|
||||
@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
|
||||
* For versions >= 1.0.0, major,minor,status must match and library
|
||||
* fix version must be equal to or newer than the header.
|
||||
*/
|
||||
- mask = 0xfff0000fL; /* major,minor,status */
|
||||
+ mask = 0xfff00000L; /* major,minor,status */
|
||||
hfix = (headerver & 0x000ff000) >> 12;
|
||||
lfix = (libver & 0x000ff000) >> 12;
|
||||
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
|
|
@ -0,0 +1,20 @@
|
|||
Disable conch interop tests which are failing when called
|
||||
via portage for yet unknown reason and because using conch
|
||||
seems to be flaky (test is failing when using Python2 but
|
||||
passing when using Python3).
|
||||
|
||||
Bug: https://bugs.gentoo.org/605446
|
||||
|
||||
--- a/regress/conch-ciphers.sh
|
||||
+++ b/regress/conch-ciphers.sh
|
||||
@@ -3,6 +3,10 @@
|
||||
|
||||
tid="conch ciphers"
|
||||
|
||||
+# https://bugs.gentoo.org/605446
|
||||
+echo "conch interop tests skipped due to Gentoo bug #605446"
|
||||
+exit 0
|
||||
+
|
||||
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
|
||||
echo "conch interop tests not enabled"
|
||||
exit 0
|
48
net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
Normal file
48
net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
Normal file
|
@ -0,0 +1,48 @@
|
|||
diff --git a/auth-options.c b/auth-options.c
|
||||
index b05d6d6f..d1f42f04 100644
|
||||
--- a/auth-options.c
|
||||
+++ b/auth-options.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include <stdarg.h>
|
||||
#include <ctype.h>
|
||||
#include <limits.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
diff --git a/hmac.c b/hmac.c
|
||||
index 1c879640..a29f32c5 100644
|
||||
--- a/hmac.c
|
||||
+++ b/hmac.c
|
||||
@@ -19,6 +19,7 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
diff --git a/krl.c b/krl.c
|
||||
index 8e2d5d5d..c32e147a 100644
|
||||
--- a/krl.c
|
||||
+++ b/krl.c
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "sshbuf.h"
|
||||
#include "ssherr.h"
|
||||
diff --git a/mac.c b/mac.c
|
||||
index 51dc11d7..3d11eba6 100644
|
||||
--- a/mac.c
|
||||
+++ b/mac.c
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "digest.h"
|
||||
#include "hmac.h"
|
|
@ -0,0 +1,31 @@
|
|||
From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
|
||||
From: Lonnie Abelbeck <lonnie@abelbeck.com>
|
||||
Date: Tue, 1 Oct 2019 09:05:09 -0500
|
||||
Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
|
||||
|
||||
New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
|
||||
in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
|
||||
---
|
||||
sandbox-seccomp-filter.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 840c5232b..39dc289e3 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_stat64
|
||||
SC_DENY(__NR_stat64, EACCES),
|
||||
#endif
|
||||
+#ifdef __NR_shmget
|
||||
+ SC_DENY(__NR_shmget, EACCES),
|
||||
+#endif
|
||||
+#ifdef __NR_shmat
|
||||
+ SC_DENY(__NR_shmat, EACCES),
|
||||
+#endif
|
||||
+#ifdef __NR_shmdt
|
||||
+ SC_DENY(__NR_shmdt, EACCES),
|
||||
+#endif
|
||||
|
||||
/* Syscalls to permit */
|
||||
#ifdef __NR_brk
|
57
net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
Normal file
57
net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
Normal file
|
@ -0,0 +1,57 @@
|
|||
Make sure that host keys are already accepted before
|
||||
running tests.
|
||||
|
||||
https://bugs.gentoo.org/493866
|
||||
|
||||
--- a/regress/putty-ciphers.sh
|
||||
+++ b/regress/putty-ciphers.sh
|
||||
@@ -10,11 +10,17 @@ fi
|
||||
|
||||
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
|
||||
verbose "$tid: cipher $c"
|
||||
+ rm -f ${COPY}
|
||||
cp ${OBJ}/.putty/sessions/localhost_proxy \
|
||||
${OBJ}/.putty/sessions/cipher_$c
|
||||
echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
|
||||
|
||||
- rm -f ${COPY}
|
||||
+ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
|
||||
+ -i ${OBJ}/putty.rsa2 "exit"
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ fail "failed to pre-cache host key"
|
||||
+ fi
|
||||
+
|
||||
env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
|
||||
cat ${DATA} > ${COPY}
|
||||
if [ $? -ne 0 ]; then
|
||||
--- a/regress/putty-kex.sh
|
||||
+++ b/regress/putty-kex.sh
|
||||
@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
|
||||
${OBJ}/.putty/sessions/kex_$k
|
||||
echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
|
||||
|
||||
+ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
|
||||
+ -i ${OBJ}/putty.rsa2 "exit"
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ fail "failed to pre-cache host key"
|
||||
+ fi
|
||||
+
|
||||
env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "KEX $k failed"
|
||||
--- a/regress/putty-transfer.sh
|
||||
+++ b/regress/putty-transfer.sh
|
||||
@@ -14,6 +14,13 @@ for c in 0 1 ; do
|
||||
cp ${OBJ}/.putty/sessions/localhost_proxy \
|
||||
${OBJ}/.putty/sessions/compression_$c
|
||||
echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
|
||||
+
|
||||
+ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
|
||||
+ -i ${OBJ}/putty.rsa2 "exit"
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ fail "failed to pre-cache host key"
|
||||
+ fi
|
||||
+
|
||||
env HOME=$PWD ${PLINK} -load compression_$c -batch \
|
||||
-i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
|
||||
if [ $? -ne 0 ]; then
|
|
@ -0,0 +1,18 @@
|
|||
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
|
||||
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
|
||||
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
|
||||
@@ -1414,14 +1414,3 @@
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
-diff --git a/version.h b/version.h
|
||||
-index 6b4fa372..332fb486 100644
|
||||
---- a/version.h
|
||||
-+++ b/version.h
|
||||
-@@ -3,4 +3,5 @@
|
||||
- #define SSH_VERSION "OpenSSH_8.5"
|
||||
-
|
||||
- #define SSH_PORTABLE "p1"
|
||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
-+#define SSH_HPN "-hpn15v2"
|
||||
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
|
13
net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
Normal file
13
net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
Normal file
|
@ -0,0 +1,13 @@
|
|||
diff --git a/kex.c b/kex.c
|
||||
index 34808b5c..88d7ccac 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
|
||||
if (version_addendum != NULL && *version_addendum == '\0')
|
||||
version_addendum = NULL;
|
||||
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
|
||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
|
||||
version_addendum == NULL ? "" : " ",
|
||||
version_addendum == NULL ? "" : version_addendum)) != 0) {
|
||||
oerrno = errno;
|
357
net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
Normal file
357
net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
Normal file
|
@ -0,0 +1,357 @@
|
|||
diff --git a/auth.c b/auth.c
|
||||
index 00b168b4..8ee93581 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -729,118 +729,6 @@ fakepw(void)
|
||||
return (&fake);
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Returns the remote DNS hostname as a string. The returned string must not
|
||||
- * be freed. NB. this will usually trigger a DNS query the first time it is
|
||||
- * called.
|
||||
- * This function does additional checks on the hostname to mitigate some
|
||||
- * attacks on based on conflation of hostnames and IP addresses.
|
||||
- */
|
||||
-
|
||||
-static char *
|
||||
-remote_hostname(struct ssh *ssh)
|
||||
-{
|
||||
- struct sockaddr_storage from;
|
||||
- socklen_t fromlen;
|
||||
- struct addrinfo hints, *ai, *aitop;
|
||||
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
|
||||
- const char *ntop = ssh_remote_ipaddr(ssh);
|
||||
-
|
||||
- /* Get IP address of client. */
|
||||
- fromlen = sizeof(from);
|
||||
- memset(&from, 0, sizeof(from));
|
||||
- if (getpeername(ssh_packet_get_connection_in(ssh),
|
||||
- (struct sockaddr *)&from, &fromlen) == -1) {
|
||||
- debug("getpeername failed: %.100s", strerror(errno));
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
-
|
||||
- ipv64_normalise_mapped(&from, &fromlen);
|
||||
- if (from.ss_family == AF_INET6)
|
||||
- fromlen = sizeof(struct sockaddr_in6);
|
||||
-
|
||||
- debug3("Trying to reverse map address %.100s.", ntop);
|
||||
- /* Map the IP address to a host name. */
|
||||
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
||||
- NULL, 0, NI_NAMEREQD) != 0) {
|
||||
- /* Host name not found. Use ip address. */
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * if reverse lookup result looks like a numeric hostname,
|
||||
- * someone is trying to trick us by PTR record like following:
|
||||
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
|
||||
- */
|
||||
- memset(&hints, 0, sizeof(hints));
|
||||
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
||||
- hints.ai_flags = AI_NUMERICHOST;
|
||||
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
|
||||
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
||||
- name, ntop);
|
||||
- freeaddrinfo(ai);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
-
|
||||
- /* Names are stored in lowercase. */
|
||||
- lowercase(name);
|
||||
-
|
||||
- /*
|
||||
- * Map it back to an IP address and check that the given
|
||||
- * address actually is an address of this host. This is
|
||||
- * necessary because anyone with access to a name server can
|
||||
- * define arbitrary names for an IP address. Mapping from
|
||||
- * name to IP address can be trusted better (but can still be
|
||||
- * fooled if the intruder has access to the name server of
|
||||
- * the domain).
|
||||
- */
|
||||
- memset(&hints, 0, sizeof(hints));
|
||||
- hints.ai_family = from.ss_family;
|
||||
- hints.ai_socktype = SOCK_STREAM;
|
||||
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
||||
- logit("reverse mapping checking getaddrinfo for %.700s "
|
||||
- "[%s] failed.", name, ntop);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
- /* Look for the address from the list of addresses. */
|
||||
- for (ai = aitop; ai; ai = ai->ai_next) {
|
||||
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
|
||||
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
|
||||
- (strcmp(ntop, ntop2) == 0))
|
||||
- break;
|
||||
- }
|
||||
- freeaddrinfo(aitop);
|
||||
- /* If we reached the end of the list, the address was not there. */
|
||||
- if (ai == NULL) {
|
||||
- /* Address not found for the host name. */
|
||||
- logit("Address %.100s maps to %.600s, but this does not "
|
||||
- "map back to the address.", ntop, name);
|
||||
- return xstrdup(ntop);
|
||||
- }
|
||||
- return xstrdup(name);
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * Return the canonical name of the host in the other side of the current
|
||||
- * connection. The host name is cached, so it is efficient to call this
|
||||
- * several times.
|
||||
- */
|
||||
-
|
||||
-const char *
|
||||
-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
|
||||
-{
|
||||
- static char *dnsname;
|
||||
-
|
||||
- if (!use_dns)
|
||||
- return ssh_remote_ipaddr(ssh);
|
||||
- else if (dnsname != NULL)
|
||||
- return dnsname;
|
||||
- else {
|
||||
- dnsname = remote_hostname(ssh);
|
||||
- return dnsname;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
/* These functions link key/cert options to the auth framework */
|
||||
|
||||
/* Log sshauthopt options locally and (optionally) for remote transmission */
|
||||
diff --git a/canohost.c b/canohost.c
|
||||
index a810da0e..18e9d8d4 100644
|
||||
--- a/canohost.c
|
||||
+++ b/canohost.c
|
||||
@@ -202,3 +202,117 @@ get_local_port(int sock)
|
||||
{
|
||||
return get_sock_port(sock, 1);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Returns the remote DNS hostname as a string. The returned string must not
|
||||
+ * be freed. NB. this will usually trigger a DNS query the first time it is
|
||||
+ * called.
|
||||
+ * This function does additional checks on the hostname to mitigate some
|
||||
+ * attacks on legacy rhosts-style authentication.
|
||||
+ * XXX is RhostsRSAAuthentication vulnerable to these?
|
||||
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
|
||||
+ */
|
||||
+
|
||||
+static char *
|
||||
+remote_hostname(struct ssh *ssh)
|
||||
+{
|
||||
+ struct sockaddr_storage from;
|
||||
+ socklen_t fromlen;
|
||||
+ struct addrinfo hints, *ai, *aitop;
|
||||
+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
|
||||
+ const char *ntop = ssh_remote_ipaddr(ssh);
|
||||
+
|
||||
+ /* Get IP address of client. */
|
||||
+ fromlen = sizeof(from);
|
||||
+ memset(&from, 0, sizeof(from));
|
||||
+ if (getpeername(ssh_packet_get_connection_in(ssh),
|
||||
+ (struct sockaddr *)&from, &fromlen) == -1) {
|
||||
+ debug("getpeername failed: %.100s", strerror(errno));
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+
|
||||
+ ipv64_normalise_mapped(&from, &fromlen);
|
||||
+ if (from.ss_family == AF_INET6)
|
||||
+ fromlen = sizeof(struct sockaddr_in6);
|
||||
+
|
||||
+ debug3("Trying to reverse map address %.100s.", ntop);
|
||||
+ /* Map the IP address to a host name. */
|
||||
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
||||
+ NULL, 0, NI_NAMEREQD) != 0) {
|
||||
+ /* Host name not found. Use ip address. */
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * if reverse lookup result looks like a numeric hostname,
|
||||
+ * someone is trying to trick us by PTR record like following:
|
||||
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
|
||||
+ */
|
||||
+ memset(&hints, 0, sizeof(hints));
|
||||
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
||||
+ hints.ai_flags = AI_NUMERICHOST;
|
||||
+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
|
||||
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
||||
+ name, ntop);
|
||||
+ freeaddrinfo(ai);
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+
|
||||
+ /* Names are stored in lowercase. */
|
||||
+ lowercase(name);
|
||||
+
|
||||
+ /*
|
||||
+ * Map it back to an IP address and check that the given
|
||||
+ * address actually is an address of this host. This is
|
||||
+ * necessary because anyone with access to a name server can
|
||||
+ * define arbitrary names for an IP address. Mapping from
|
||||
+ * name to IP address can be trusted better (but can still be
|
||||
+ * fooled if the intruder has access to the name server of
|
||||
+ * the domain).
|
||||
+ */
|
||||
+ memset(&hints, 0, sizeof(hints));
|
||||
+ hints.ai_family = from.ss_family;
|
||||
+ hints.ai_socktype = SOCK_STREAM;
|
||||
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
||||
+ logit("reverse mapping checking getaddrinfo for %.700s "
|
||||
+ "[%s] failed.", name, ntop);
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+ /* Look for the address from the list of addresses. */
|
||||
+ for (ai = aitop; ai; ai = ai->ai_next) {
|
||||
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
|
||||
+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
|
||||
+ (strcmp(ntop, ntop2) == 0))
|
||||
+ break;
|
||||
+ }
|
||||
+ freeaddrinfo(aitop);
|
||||
+ /* If we reached the end of the list, the address was not there. */
|
||||
+ if (ai == NULL) {
|
||||
+ /* Address not found for the host name. */
|
||||
+ logit("Address %.100s maps to %.600s, but this does not "
|
||||
+ "map back to the address.", ntop, name);
|
||||
+ return xstrdup(ntop);
|
||||
+ }
|
||||
+ return xstrdup(name);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Return the canonical name of the host in the other side of the current
|
||||
+ * connection. The host name is cached, so it is efficient to call this
|
||||
+ * several times.
|
||||
+ */
|
||||
+
|
||||
+const char *
|
||||
+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
|
||||
+{
|
||||
+ static char *dnsname;
|
||||
+
|
||||
+ if (!use_dns)
|
||||
+ return ssh_remote_ipaddr(ssh);
|
||||
+ else if (dnsname != NULL)
|
||||
+ return dnsname;
|
||||
+ else {
|
||||
+ dnsname = remote_hostname(ssh);
|
||||
+ return dnsname;
|
||||
+ }
|
||||
+}
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 03369a08..b45898ce 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -161,6 +161,7 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
+ oGssTrustDns,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -207,9 +208,11 @@ static struct {
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
||||
+ { "gssapitrustdns", oGssTrustDns },
|
||||
# else
|
||||
{ "gssapiauthentication", oUnsupported },
|
||||
{ "gssapidelegatecredentials", oUnsupported },
|
||||
+ { "gssapitrustdns", oUnsupported },
|
||||
#endif
|
||||
#ifdef ENABLE_PKCS11
|
||||
{ "pkcs11provider", oPKCS11Provider },
|
||||
@@ -1117,6 +1120,10 @@ parse_time:
|
||||
intptr = &options->gss_deleg_creds;
|
||||
goto parse_flag;
|
||||
|
||||
+ case oGssTrustDns:
|
||||
+ intptr = &options->gss_trust_dns;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
|
||||
options->pubkey_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
options->gss_deleg_creds = -1;
|
||||
+ options->gss_trust_dns = -1;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_deleg_creds == -1)
|
||||
options->gss_deleg_creds = 0;
|
||||
+ if (options->gss_trust_dns == -1)
|
||||
+ options->gss_trust_dns = 0;
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index f7d53b06..c3a91898 100644
|
||||
--- a/readconf.h
|
||||
+++ b/readconf.h
|
||||
@@ -40,6 +40,7 @@ typedef struct {
|
||||
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
||||
int gss_authentication; /* Try GSS authentication */
|
||||
int gss_deleg_creds; /* Delegate GSS credentials */
|
||||
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index cd0eea86..27101943 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -832,6 +832,16 @@ The default is
|
||||
Forward (delegate) credentials to the server.
|
||||
The default is
|
||||
.Cm no .
|
||||
+Note that this option applies to protocol version 2 connections using GSSAPI.
|
||||
+.It Cm GSSAPITrustDns
|
||||
+Set to
|
||||
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
||||
+the name of the host being connected to. If
|
||||
+.Dq no, the hostname entered on the
|
||||
+command line will be passed untouched to the GSSAPI library.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index fea50fab..aeff639b 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
|
||||
OM_uint32 min;
|
||||
int r, ok = 0;
|
||||
gss_OID mech = NULL;
|
||||
+ const char *gss_host;
|
||||
+
|
||||
+ if (options.gss_trust_dns) {
|
||||
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
|
||||
+ gss_host = auth_get_canonical_hostname(ssh, 1);
|
||||
+ } else
|
||||
+ gss_host = authctxt->host;
|
||||
|
||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
||||
* once. */
|
||||
@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
|
||||
elements[authctxt->mech_tried];
|
||||
/* My DER encoding requires length<128 */
|
||||
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
|
||||
- mech, authctxt->host)) {
|
||||
+ mech, gss_host)) {
|
||||
ok = 1; /* Mechanism works */
|
||||
} else {
|
||||
authctxt->mech_tried++;
|
126
net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
Normal file
126
net-misc/openssh/files/openssh-8.9_p1-X509-glue-13.3.1.patch
Normal file
|
@ -0,0 +1,126 @@
|
|||
diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.1.diff b/openssh-8.9p1+x509-13.3.1.diff
|
||||
--- a/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:49:32.673126122 -0800
|
||||
+++ b/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:52:52.581776560 -0800
|
||||
@@ -1002,15 +1002,16 @@
|
||||
char b[512];
|
||||
- size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
|
||||
- u_char *hash = xmalloc(len);
|
||||
+- double delay;
|
||||
+ int digest_alg;
|
||||
+ size_t len;
|
||||
+ u_char *hash;
|
||||
- double delay;
|
||||
-
|
||||
++ double delay = 0;
|
||||
++
|
||||
+ digest_alg = ssh_digest_maxbytes();
|
||||
+ len = ssh_digest_bytes(digest_alg);
|
||||
+ hash = xmalloc(len);
|
||||
-+
|
||||
+
|
||||
(void)snprintf(b, sizeof b, "%llu%s",
|
||||
(unsigned long long)options.timing_secret, user);
|
||||
- if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
|
||||
@@ -44746,8 +44747,8 @@
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
|
||||
+- if (gethostname(lname, HOST_NAME_MAX)) {
|
||||
++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
@@ -52143,7 +52144,7 @@
|
||||
diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3.1/m4/openssh.m4
|
||||
--- openssh-8.9p1/m4/openssh.m4 2022-02-23 13:31:11.000000000 +0200
|
||||
+++ openssh-8.9p1+x509-13.3.1/m4/openssh.m4 1970-01-01 02:00:00.000000000 +0200
|
||||
-@@ -1,200 +0,0 @@
|
||||
+@@ -1,203 +0,0 @@
|
||||
-dnl OpenSSH-specific autoconf macros
|
||||
-dnl
|
||||
-
|
||||
@@ -52160,6 +52161,8 @@
|
||||
- AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
|
||||
-#include <stdlib.h>
|
||||
-#include <stdio.h>
|
||||
+-/* Trivial function to help test for -fzero-call-used-regs */
|
||||
+-void f(int n) {}
|
||||
-int main(int argc, char **argv) {
|
||||
- (void)argv;
|
||||
- /* Some math to catch -ftrapv problems in the toolchain */
|
||||
@@ -52167,6 +52170,7 @@
|
||||
- float l = i * 2.1;
|
||||
- double m = l / 0.5;
|
||||
- long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
|
||||
+- f(0);
|
||||
- printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
|
||||
- /*
|
||||
- * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
|
||||
@@ -52884,12 +52888,11 @@
|
||||
|
||||
install-files:
|
||||
$(MKDIR_P) $(DESTDIR)$(bindir)
|
||||
-@@ -396,6 +372,8 @@
|
||||
+@@ -396,6 +372,7 @@
|
||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
|
||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
|
||||
$(MKDIR_P) $(DESTDIR)$(libexecdir)
|
||||
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
|
||||
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
|
||||
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
||||
@@ -73836,7 +73839,7 @@
|
||||
+if test "$sshd_type" = "pkix" ; then
|
||||
+ unset_arg=''
|
||||
+else
|
||||
-+ unset_arg=none
|
||||
++ unset_arg=
|
||||
+fi
|
||||
+
|
||||
cat > $OBJ/sshd_config.i << _EOF
|
||||
@@ -79691,25 +79694,6 @@
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
||||
#endif
|
||||
-@@ -267,15 +273,15 @@
|
||||
- #ifdef __NR_clock_nanosleep_time64
|
||||
- SC_ALLOW(__NR_clock_nanosleep_time64),
|
||||
- #endif
|
||||
--#ifdef __NR_clock_gettime64
|
||||
-- SC_ALLOW(__NR_clock_gettime64),
|
||||
--#endif
|
||||
- #ifdef __NR__newselect
|
||||
- SC_ALLOW(__NR__newselect),
|
||||
- #endif
|
||||
- #ifdef __NR_ppoll
|
||||
- SC_ALLOW(__NR_ppoll),
|
||||
- #endif
|
||||
-+#ifdef __NR_ppoll_time64
|
||||
-+ SC_ALLOW(__NR_ppoll_time64),
|
||||
-+#endif
|
||||
- #ifdef __NR_poll
|
||||
- SC_ALLOW(__NR_poll),
|
||||
- #endif
|
||||
@@ -288,6 +294,9 @@
|
||||
#ifdef __NR_read
|
||||
SC_ALLOW(__NR_read),
|
||||
@@ -137848,16 +137832,6 @@
|
||||
+int asnmprintf(char **, size_t, int *, const char *, ...)
|
||||
__attribute__((format(printf, 4, 5)));
|
||||
void msetlocale(void);
|
||||
-diff -ruN openssh-8.9p1/version.h openssh-8.9p1+x509-13.3.1/version.h
|
||||
---- openssh-8.9p1/version.h 2022-02-23 13:31:11.000000000 +0200
|
||||
-+++ openssh-8.9p1+x509-13.3.1/version.h 2022-03-05 10:07:00.000000000 +0200
|
||||
-@@ -2,5 +2,4 @@
|
||||
-
|
||||
- #define SSH_VERSION "OpenSSH_8.9"
|
||||
-
|
||||
--#define SSH_PORTABLE "p1"
|
||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
|
||||
diff -ruN openssh-8.9p1/version.m4 openssh-8.9p1+x509-13.3.1/version.m4
|
||||
--- openssh-8.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200
|
||||
+++ openssh-8.9p1+x509-13.3.1/version.m4 2022-03-05 10:07:00.000000000 +0200
|
|
@ -0,0 +1,14 @@
|
|||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 2e065ba3..4ce80cb2 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_ppoll
|
||||
SC_ALLOW(__NR_ppoll),
|
||||
#endif
|
||||
+#ifdef __NR_ppoll_time64
|
||||
+ SC_ALLOW(__NR_ppoll_time64),
|
||||
+#endif
|
||||
#ifdef __NR_poll
|
||||
SC_ALLOW(__NR_poll),
|
||||
#endif
|
|
@ -0,0 +1,32 @@
|
|||
From f107467179428a0e3ea9e4aa9738ac12ff02822d Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Thu, 24 Feb 2022 16:04:18 +0000
|
||||
Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
|
||||
|
||||
GCC doesn't tell us whether this option is supported unless it runs into
|
||||
the situation where it would need to emit corresponding code.
|
||||
---
|
||||
m4/openssh.m4 | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/m4/openssh.m4 b/m4/openssh.m4
|
||||
index 4f9c3792dc1..8c33c701b8b 100644
|
||||
--- a/m4/openssh.m4
|
||||
+++ b/m4/openssh.m4
|
||||
@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
|
||||
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
+/* Trivial function to help test for -fzero-call-used-regs */
|
||||
+void f(int n) {}
|
||||
int main(int argc, char **argv) {
|
||||
(void)argv;
|
||||
/* Some math to catch -ftrapv problems in the toolchain */
|
||||
@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
|
||||
float l = i * 2.1;
|
||||
double m = l / 0.5;
|
||||
long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
|
||||
+ f(0);
|
||||
printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
|
||||
/*
|
||||
* Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
|
|
@ -0,0 +1,13 @@
|
|||
diff --git a/gss-serv.c b/gss-serv.c
|
||||
index b5d4bb2d..00e3d118 100644
|
||||
--- a/gss-serv.c
|
||||
+++ b/gss-serv.c
|
||||
@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
+ if (gethostname(lname, HOST_NAME_MAX)) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
431
net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
Normal file
431
net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-X509-glue.patch
Normal file
|
@ -0,0 +1,431 @@
|
|||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
|
||||
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:48:19.078457000 -0800
|
||||
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:49:22.195632128 -0800
|
||||
@@ -3,9 +3,9 @@
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
|
||||
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
|
||||
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
- PICFLAG=@PICFLAG@
|
||||
+ LD=@LD@
|
||||
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
|
||||
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
|
||||
-LIBS=@LIBS@
|
||||
+LIBS=@LIBS@ -lpthread
|
||||
K5LIBS=@K5LIBS@
|
||||
@@ -803,8 +803,8 @@
|
||||
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
|
||||
{
|
||||
struct session_state *state;
|
||||
-- const struct sshcipher *none = cipher_by_name("none");
|
||||
-+ struct sshcipher *none = cipher_by_name("none");
|
||||
+- const struct sshcipher *none = cipher_none();
|
||||
++ struct sshcipher *none = cipher_none();
|
||||
int r;
|
||||
|
||||
if (none == NULL) {
|
||||
@@ -894,24 +894,24 @@
|
||||
intptr = &options->compression;
|
||||
multistate_ptr = multistate_compression;
|
||||
@@ -2272,6 +2278,7 @@ initialize_options(Options * options)
|
||||
- options->revoked_host_keys = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
options->update_hostkeys = -1;
|
||||
+ options->known_hosts_command = NULL;
|
||||
+ options->disable_multithreaded = -1;
|
||||
- options->hostbased_accepted_algos = NULL;
|
||||
- options->pubkey_accepted_algos = NULL;
|
||||
- options->known_hosts_command = NULL;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
|
||||
+ options->update_hostkeys = 0;
|
||||
if (options->sk_provider == NULL)
|
||||
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
|
||||
- #endif
|
||||
+ if (options->update_hostkeys == -1)
|
||||
+ options->update_hostkeys = 0;
|
||||
+ if (options->disable_multithreaded == -1)
|
||||
+ options->disable_multithreaded = 0;
|
||||
|
||||
- /* Expand KEX name lists */
|
||||
- all_cipher = cipher_alg_list(',', 0);
|
||||
+ /* expand KEX and etc. name lists */
|
||||
+ { char *all;
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index 2fba866e..7f8f0227 100644
|
||||
--- a/readconf.h
|
||||
@@ -950,9 +950,9 @@
|
||||
/* Portable-specific options */
|
||||
sUsePAM,
|
||||
+ sDisableMTAES,
|
||||
- /* Standard Options */
|
||||
- sPort, sHostKeyFile, sLoginGraceTime,
|
||||
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
+ /* X.509 Standard Options */
|
||||
+ sHostbasedAlgorithms,
|
||||
+ sPubkeyAlgorithms,
|
||||
@@ -662,6 +666,7 @@ static struct {
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
|
||||
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:48:19.078457000 -0800
|
||||
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:54:51.800546480 -0800
|
||||
@@ -157,6 +157,36 @@
|
||||
+ Allan Jude provided the code for the NoneMac and buffer normalization.
|
||||
+ This work was financed, in part, by Cisco System, Inc., the National
|
||||
+ Library of Medicine, and the National Science Foundation.
|
||||
+diff --git a/auth2.c b/auth2.c
|
||||
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
|
||||
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
|
||||
+@@ -229,16 +229,17 @@
|
||||
+ double delay;
|
||||
+
|
||||
+ digest_alg = ssh_digest_maxbytes();
|
||||
+- len = ssh_digest_bytes(digest_alg);
|
||||
+- hash = xmalloc(len);
|
||||
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
|
||||
++ hash = xmalloc(len);
|
||||
+
|
||||
+- (void)snprintf(b, sizeof b, "%llu%s",
|
||||
+- (unsigned long long)options.timing_secret, user);
|
||||
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
|
||||
+- fatal_f("ssh_digest_memory");
|
||||
+- /* 0-4.2 ms of delay */
|
||||
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
|
||||
+- freezero(hash, len);
|
||||
++ (void)snprintf(b, sizeof b, "%llu%s",
|
||||
++ (unsigned long long)options.timing_secret, user);
|
||||
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
|
||||
++ fatal_f("ssh_digest_memory");
|
||||
++ /* 0-4.2 ms of delay */
|
||||
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
|
||||
++ freezero(hash, len);
|
||||
++ }
|
||||
+ debug3_f("user specific delay %0.3lfms", delay/1000);
|
||||
+ return MIN_FAIL_DELAY_SECONDS + delay;
|
||||
+ }
|
||||
diff --git a/channels.c b/channels.c
|
||||
index b60d56c4..0e363c15 100644
|
||||
--- a/channels.c
|
||||
@@ -209,14 +239,14 @@
|
||||
static void
|
||||
channel_pre_open(struct ssh *ssh, Channel *c,
|
||||
fd_set *readset, fd_set *writeset)
|
||||
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
||||
+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
||||
|
||||
if (c->type == SSH_CHANNEL_OPEN &&
|
||||
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
|
||||
- ((c->local_window_max - c->local_window >
|
||||
- c->local_maxpacket*3) ||
|
||||
-+ ((ssh_packet_is_interactive(ssh) &&
|
||||
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
|
||||
++ ((ssh_packet_is_interactive(ssh) &&
|
||||
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
|
||||
c->local_window < c->local_window_max/2) &&
|
||||
c->local_consumed > 0) {
|
||||
+ u_int addition = 0;
|
||||
@@ -235,9 +265,8 @@
|
||||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
|
||||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
|
||||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
|
||||
- (r = sshpkt_send(ssh)) != 0) {
|
||||
- fatal_fr(r, "channel %i", c->self);
|
||||
- }
|
||||
+ (r = sshpkt_send(ssh)) != 0)
|
||||
+ fatal_fr(r, "channel %d", c->self);
|
||||
- debug2("channel %d: window %d sent adjust %d", c->self,
|
||||
- c->local_window, c->local_consumed);
|
||||
- c->local_window += c->local_consumed;
|
||||
@@ -337,70 +366,92 @@
|
||||
index 70f492f8..5503af1d 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
|
||||
+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
|
||||
sock = x11_connect_display(ssh);
|
||||
if (sock < 0)
|
||||
return NULL;
|
||||
- c = channel_new(ssh, "x11",
|
||||
- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
|
||||
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
|
||||
-+ c = channel_new(ssh, "x11",
|
||||
-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
|
||||
-+ /* again is this really necessary for X11? */
|
||||
-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
|
||||
-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
|
||||
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
|
||||
+- CHANNEL_NONBLOCK_SET);
|
||||
++ c = channel_new(ssh, "x11",
|
||||
++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
|
||||
++ /* again is this really necessary for X11? */
|
||||
++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
|
||||
++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
|
||||
c->force_drain = 1;
|
||||
return c;
|
||||
}
|
||||
-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
|
||||
+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
|
||||
return NULL;
|
||||
}
|
||||
c = channel_new(ssh, "authentication agent connection",
|
||||
- SSH_CHANNEL_OPEN, sock, sock, -1,
|
||||
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
|
||||
-- "authentication agent connection", 1);
|
||||
-+ SSH_CHANNEL_OPEN, sock, sock, -1,
|
||||
-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
|
||||
-+ CHAN_TCP_PACKET_DEFAULT, 0,
|
||||
-+ "authentication agent connection", 1);
|
||||
+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
|
||||
++ SSH_CHANNEL_OPEN, sock, sock, -1,
|
||||
++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
|
||||
++ CHAN_TCP_PACKET_DEFAULT, 0,
|
||||
++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
|
||||
c->force_drain = 1;
|
||||
return c;
|
||||
}
|
||||
-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
|
||||
+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
|
||||
}
|
||||
debug("Tunnel forwarding using interface %s", ifname);
|
||||
|
||||
- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
|
||||
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
|
||||
-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
|
||||
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
|
||||
+- CHANNEL_NONBLOCK_SET);
|
||||
++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
|
||||
+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
|
||||
-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
|
||||
++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
|
||||
c->datagram = 1;
|
||||
|
||||
-+
|
||||
-+
|
||||
#if defined(SSH_TUN_FILTER)
|
||||
- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
|
||||
- channel_register_filter(ssh, c->self, sys_tun_infilter,
|
||||
diff --git a/compat.c b/compat.c
|
||||
index 69befa96..90b5f338 100644
|
||||
--- a/compat.c
|
||||
+++ b/compat.c
|
||||
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
|
||||
- debug_f("match: %s pat %s compat 0x%08x",
|
||||
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
|
||||
+ static u_int
|
||||
+ compat_datafellows(const char *version)
|
||||
+ {
|
||||
+- int i;
|
||||
++ int i, bugs = 0;
|
||||
+ static struct {
|
||||
+ char *pat;
|
||||
+ int bugs;
|
||||
+@@ -147,11 +147,26 @@
|
||||
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
|
||||
+ debug("match: %s pat %s compat 0x%08x",
|
||||
version, check[i].pat, check[i].bugs);
|
||||
- ssh->compat = check[i].bugs;
|
||||
+ /* Check to see if the remote side is OpenSSH and not HPN */
|
||||
-+ /* TODO: need to use new method to test for this */
|
||||
+ if (strstr(version, "OpenSSH") != NULL) {
|
||||
+ if (strstr(version, "hpn") == NULL) {
|
||||
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
|
||||
++ bugs |= SSH_BUG_LARGEWINDOW;
|
||||
+ debug("Remote is NON-HPN aware");
|
||||
+ }
|
||||
+ }
|
||||
- return;
|
||||
+- return check[i].bugs;
|
||||
++ bugs |= check[i].bugs;
|
||||
}
|
||||
}
|
||||
+- debug("no match: %s", version);
|
||||
+- return 0;
|
||||
++ /* Check to see if the remote side is OpenSSH and not HPN */
|
||||
++ if (strstr(version, "OpenSSH") != NULL) {
|
||||
++ if (strstr(version, "hpn") == NULL) {
|
||||
++ bugs |= SSH_BUG_LARGEWINDOW;
|
||||
++ debug("Remote is NON-HPN aware");
|
||||
++ }
|
||||
++ }
|
||||
++ if (bugs == 0)
|
||||
++ debug("no match: %s", version);
|
||||
++ return bugs;
|
||||
+ }
|
||||
+
|
||||
+ char *
|
||||
diff --git a/compat.h b/compat.h
|
||||
index c197fafc..ea2e17a7 100644
|
||||
--- a/compat.h
|
||||
@@ -459,7 +510,7 @@
|
||||
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||
int nenc, nmac, ncomp;
|
||||
u_int mode, ctos, need, dh_need, authlen;
|
||||
- int r, first_kex_follows;
|
||||
+ int r, first_kex_follows = 0;
|
||||
+ int auth_flag = 0;
|
||||
+
|
||||
+ auth_flag = packet_authentication_state(ssh);
|
||||
@@ -553,10 +604,10 @@
|
||||
#define MAX_PACKETS (1U<<31)
|
||||
static int
|
||||
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
||||
-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
+ {
|
||||
struct session_state *state = ssh->state;
|
||||
int len, r, ms_remain;
|
||||
- struct pollfd pfd;
|
||||
- char buf[8192];
|
||||
+ char buf[SSH_IOBUFSZ];
|
||||
struct timeval start;
|
||||
@@ -1072,7 +1123,7 @@
|
||||
+ else
|
||||
+ options.hpn_buffer_size = 2 * 1024 * 1024;
|
||||
+
|
||||
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
|
||||
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
|
||||
+ debug("HPN to Non-HPN Connection");
|
||||
+ } else {
|
||||
+ int sock, socksize;
|
||||
@@ -1136,14 +1187,14 @@
|
||||
}
|
||||
@@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
|
||||
window, packetmax, CHAN_EXTENDED_WRITE,
|
||||
- "client-session", /*nonblock*/0);
|
||||
+ "client-session", CHANNEL_NONBLOCK_STDIO);
|
||||
|
||||
+ if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
|
||||
+ c->dynamic_window = 1;
|
||||
+ debug("Enabled Dynamic Window Scaling");
|
||||
+ }
|
||||
+
|
||||
- debug3_f("channel_new: %d", c->self);
|
||||
+ debug2_f("channel %d", c->self);
|
||||
|
||||
channel_send_open(ssh, c->self);
|
||||
@@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
|
||||
@@ -1314,7 +1365,29 @@
|
||||
/* Bind the socket to the desired port. */
|
||||
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||
error("Bind to port %s on %s failed: %.200s.",
|
||||
-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
|
||||
+@@ -1625,13 +1632,14 @@
|
||||
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
|
||||
+ sshbuf_len(server_cfg)) != 0)
|
||||
+ fatal_f("ssh_digest_update");
|
||||
+- len = ssh_digest_bytes(digest_alg);
|
||||
+- hash = xmalloc(len);
|
||||
+- if (ssh_digest_final(ctx, hash, len) != 0)
|
||||
+- fatal_f("ssh_digest_final");
|
||||
+- options.timing_secret = PEEK_U64(hash);
|
||||
+- freezero(hash, len);
|
||||
+- ssh_digest_free(ctx);
|
||||
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
|
||||
++ hash = xmalloc(len);
|
||||
++ if (ssh_digest_final(ctx, hash, len) != 0)
|
||||
++ fatal_f("ssh_digest_final");
|
||||
++ options.timing_secret = PEEK_U64(hash);
|
||||
++ freezero(hash, len);
|
||||
++ ssh_digest_free(ctx);
|
||||
++ }
|
||||
+ ctx = NULL;
|
||||
+ return;
|
||||
+ }
|
||||
+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
|
||||
fatal("AuthorizedPrincipalsCommand set without "
|
||||
"AuthorizedPrincipalsCommandUser");
|
||||
|
||||
@@ -1334,7 +1407,7 @@
|
||||
/*
|
||||
* Check whether there is any path through configured auth methods.
|
||||
* Unfortunately it is not possible to verify this generally before
|
||||
-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
|
||||
+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
|
||||
rdomain == NULL ? "" : "\"");
|
||||
free(laddr);
|
||||
|
||||
@@ -1344,7 +1417,7 @@
|
||||
/*
|
||||
* We don't want to listen forever unless the other side
|
||||
* successfully authenticates itself. So we set up an alarm which is
|
||||
-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
struct kex *kex;
|
||||
int r;
|
||||
|
||||
@@ -1384,14 +1457,3 @@
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
-diff --git a/version.h b/version.h
|
||||
-index 6b4fa372..332fb486 100644
|
||||
---- a/version.h
|
||||
-+++ b/version.h
|
||||
-@@ -3,4 +3,5 @@
|
||||
- #define SSH_VERSION "OpenSSH_8.5"
|
||||
-
|
||||
- #define SSH_PORTABLE "p1"
|
||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
-+#define SSH_HPN "-hpn15v2"
|
||||
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
|
||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
|
||||
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:48:19.078457000 -0800
|
||||
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:49:22.196632131 -0800
|
||||
@@ -12,9 +12,9 @@
|
||||
static long stalled; /* how long we have been stalled */
|
||||
static int bytes_per_second; /* current speed in bytes per second */
|
||||
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
|
||||
+ off_t bytes_left;
|
||||
int cur_speed;
|
||||
- int hours, minutes, seconds;
|
||||
- int file_len;
|
||||
+ int len;
|
||||
+ off_t delta_pos;
|
||||
|
||||
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
|
||||
@@ -30,15 +30,17 @@
|
||||
if (bytes_left > 0)
|
||||
elapsed = now - last_update;
|
||||
else {
|
||||
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
|
||||
-
|
||||
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
|
||||
+ buf[1] = '\0';
|
||||
+
|
||||
/* filename */
|
||||
- buf[0] = '\0';
|
||||
-- file_len = win_size - 36;
|
||||
-+ file_len = win_size - 45;
|
||||
- if (file_len > 0) {
|
||||
- buf[0] = '\r';
|
||||
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
|
||||
+- if (win_size > 36) {
|
||||
++ if (win_size > 45) {
|
||||
+- int file_len = win_size - 36;
|
||||
++ int file_len = win_size - 45;
|
||||
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
|
||||
+ file_len, file);
|
||||
+ }
|
||||
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
|
||||
(off_t)bytes_per_second);
|
||||
strlcat(buf, "/s ", win_size);
|
||||
@@ -63,15 +65,3 @@
|
||||
}
|
||||
|
||||
/*ARGSUSED*/
|
||||
-diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
-index cfb5f115..986ff59b 100644
|
||||
---- a/ssh-keygen.c
|
||||
-+++ b/ssh-keygen.c
|
||||
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
|
||||
-
|
||||
- if (skprovider == NULL)
|
||||
- fatal("Cannot download keys without provider");
|
||||
--
|
||||
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
|
||||
- if (!quiet) {
|
||||
- printf("You may need to touch your authenticator "
|
238
net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
Normal file
238
net-misc/openssh/files/openssh-8.9_p1-hpn-15.2-glue.patch
Normal file
|
@ -0,0 +1,238 @@
|
|||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
|
||||
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
|
||||
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
|
||||
@@ -1026,9 +1026,9 @@
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
- debug("Authentication succeeded (%s).", authctxt.method->name);
|
||||
- }
|
||||
-
|
||||
+ if (ssh_packet_connection_is_on_socket(ssh)) {
|
||||
+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
|
||||
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 6277e6d6..bf3d6e4a 100644
|
||||
--- a/sshd.c
|
||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
|
||||
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
|
||||
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
|
||||
@@ -536,18 +536,10 @@
|
||||
if (state->rekey_limit)
|
||||
*max_blocks = MINIMUM(*max_blocks,
|
||||
state->rekey_limit / enc->block_size);
|
||||
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
||||
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-+/* this supports the forced rekeying required for the NONE cipher */
|
||||
-+int rekey_requested = 0;
|
||||
-+void
|
||||
-+packet_request_rekeying(void)
|
||||
-+{
|
||||
-+ rekey_requested = 1;
|
||||
-+}
|
||||
-+
|
||||
+/* used to determine if pre or post auth when rekeying for aes-ctr
|
||||
+ * and none cipher switch */
|
||||
+int
|
||||
@@ -561,27 +553,14 @@
|
||||
#define MAX_PACKETS (1U<<31)
|
||||
static int
|
||||
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
||||
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
||||
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
|
||||
- return 0;
|
||||
-
|
||||
-+ /* used to force rekeying when called for by the none
|
||||
-+ * cipher switch methods -cjr */
|
||||
-+ if (rekey_requested == 1) {
|
||||
-+ rekey_requested = 0;
|
||||
-+ return 1;
|
||||
-+ }
|
||||
-+
|
||||
- /* Time-based rekeying */
|
||||
- if (state->rekey_interval != 0 &&
|
||||
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
|
||||
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
struct session_state *state = ssh->state;
|
||||
int len, r, ms_remain;
|
||||
- fd_set *setp;
|
||||
+ struct pollfd pfd;
|
||||
- char buf[8192];
|
||||
+ char buf[SSH_IOBUFSZ];
|
||||
- struct timeval timeout, start, *timeoutp = NULL;
|
||||
+ struct timeval start;
|
||||
+ struct timespec timespec, *timespecp = NULL;
|
||||
|
||||
DBG(debug("packet_read()"));
|
||||
diff --git a/packet.h b/packet.h
|
||||
@@ -598,12 +577,11 @@
|
||||
};
|
||||
|
||||
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
|
||||
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
|
||||
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
|
||||
int ssh_packet_set_maxsize(struct ssh *, u_int);
|
||||
u_int ssh_packet_get_maxsize(struct ssh *);
|
||||
|
||||
+/* for forced packet rekeying post auth */
|
||||
-+void packet_request_rekeying(void);
|
||||
+int packet_authentication_state(const struct ssh *);
|
||||
+
|
||||
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
|
||||
@@ -627,9 +605,9 @@
|
||||
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
||||
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
|
||||
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
|
||||
+ oDisableMTAES,
|
||||
oVisualHostKey,
|
||||
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
||||
@@ -297,6 +300,9 @@ static struct {
|
||||
{ "kexalgorithms", oKexAlgorithms },
|
||||
{ "ipqos", oIPQoS },
|
||||
@@ -637,9 +615,9 @@
|
||||
+ { "noneenabled", oNoneEnabled },
|
||||
+ { "nonemacenabled", oNoneMacEnabled },
|
||||
+ { "noneswitch", oNoneSwitch },
|
||||
- { "proxyusefdpass", oProxyUseFdpass },
|
||||
- { "canonicaldomains", oCanonicalDomains },
|
||||
- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
|
||||
+ { "sessiontype", oSessionType },
|
||||
+ { "stdinnull", oStdinNull },
|
||||
+ { "forkafterauthentication", oForkAfterAuthentication },
|
||||
@@ -317,6 +323,11 @@ static struct {
|
||||
{ "securitykeyprovider", oSecurityKeyProvider },
|
||||
{ "knownhostscommand", oKnownHostsCommand },
|
||||
@@ -717,9 +695,9 @@
|
||||
+ options->hpn_buffer_size = -1;
|
||||
+ options->tcp_rcv_buf_poll = -1;
|
||||
+ options->tcp_rcv_buf = -1;
|
||||
- options->proxy_use_fdpass = -1;
|
||||
- options->ignored_unknown = NULL;
|
||||
- options->num_canonical_domains = 0;
|
||||
+ options->session_type = -1;
|
||||
+ options->stdin_null = -1;
|
||||
+ options->fork_after_authentication = -1;
|
||||
@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
|
||||
options->server_alive_interval = 0;
|
||||
if (options->server_alive_count_max == -1)
|
||||
@@ -778,9 +756,9 @@
|
||||
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
|
||||
SyslogFacility log_facility; /* Facility for system logging. */
|
||||
@@ -120,7 +124,11 @@ typedef struct {
|
||||
-
|
||||
int enable_ssh_keysign;
|
||||
int64_t rekey_limit;
|
||||
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
|
||||
+ int none_switch; /* Use none cipher */
|
||||
+ int none_enabled; /* Allow none cipher to be used */
|
||||
+ int nonemac_enabled; /* Allow none MAC to be used */
|
||||
@@ -842,9 +820,9 @@
|
||||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
|
||||
- }
|
||||
- if (options->permit_tun == -1)
|
||||
options->permit_tun = SSH_TUNMODE_NO;
|
||||
+ if (options->disable_multithreaded == -1)
|
||||
+ options->disable_multithreaded = 0;
|
||||
+ if (options->none_enabled == -1)
|
||||
+ options->none_enabled = 0;
|
||||
+ if (options->nonemac_enabled == -1)
|
||||
@@ -975,15 +953,6 @@
|
||||
index 306658cb..d4309903 100644
|
||||
--- a/serverloop.c
|
||||
+++ b/serverloop.c
|
||||
-@@ -322,7 +322,7 @@ static int
|
||||
- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
|
||||
- {
|
||||
- int r, len;
|
||||
-- char buf[16384];
|
||||
-+ char buf[SSH_IOBUFSZ];
|
||||
-
|
||||
- /* Read and buffer any input data from the client. */
|
||||
- if (FD_ISSET(connection_in, readset)) {
|
||||
@@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
|
||||
debug("Tunnel forwarding using interface %s", ifname);
|
||||
|
||||
@@ -1047,30 +1016,17 @@
|
||||
Note that
|
||||
diff --git a/sftp.c b/sftp.c
|
||||
index fb3c08d1..89bebbb2 100644
|
||||
---- a/sftp.c
|
||||
-+++ b/sftp.c
|
||||
-@@ -71,7 +71,7 @@ typedef void EditLine;
|
||||
- #include "sftp-client.h"
|
||||
-
|
||||
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
|
||||
--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
|
||||
-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
|
||||
-
|
||||
- /* File to read commands from */
|
||||
- FILE* infile;
|
||||
-diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
-index cfb5f115..36a6e519 100644
|
||||
---- a/ssh-keygen.c
|
||||
-+++ b/ssh-keygen.c
|
||||
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
|
||||
- freezero(pin, strlen(pin));
|
||||
- error_r(r, "Unable to load resident keys");
|
||||
- return -1;
|
||||
-- }
|
||||
-+ }
|
||||
- if (nkeys == 0)
|
||||
- logit("No keys to download");
|
||||
- if (pin != NULL)
|
||||
+--- a/sftp-client.c
|
||||
++++ b/sftp-client.c
|
||||
+@@ -65,7 +65,7 @@ typedef void EditLine;
|
||||
+ #define DEFAULT_COPY_BUFLEN 32768
|
||||
+
|
||||
+ /* Default number of concurrent outstanding requests */
|
||||
+-#define DEFAULT_NUM_REQUESTS 64
|
||||
++#define DEFAULT_NUM_REQUESTS 256
|
||||
+
|
||||
+ /* Minimum amount of data to read at a time */
|
||||
+ #define MIN_READ_SIZE 512
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 53330da5..27b9770e 100644
|
||||
--- a/ssh.c
|
||||
@@ -1330,9 +1286,9 @@
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
- debug("Authentication succeeded (%s).", authctxt.method->name);
|
||||
- }
|
||||
|
||||
+ #ifdef WITH_OPENSSL
|
||||
+ if (options.disable_multithreaded == 0) {
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 6277e6d6..d66fa41a 100644
|
||||
--- a/sshd.c
|
||||
@@ -1359,8 +1315,8 @@
|
||||
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||
error("Bind to port %s on %s failed: %.200s.",
|
||||
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
|
||||
- /* Fill in default values for those options not explicitly set. */
|
||||
- fill_default_server_options(&options);
|
||||
+ fatal("AuthorizedPrincipalsCommand set without "
|
||||
+ "AuthorizedPrincipalsCommandUser");
|
||||
|
||||
+ if (options.none_enabled == 1) {
|
||||
+ char *old_ciphers = options.ciphers;
|
||||
@@ -1375,9 +1331,9 @@
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
- /* challenge-response is implemented via keyboard interactive */
|
||||
- if (options.challenge_response_authentication)
|
||||
- options.kbd_interactive_authentication = 1;
|
||||
+ /*
|
||||
+ * Check whether there is any path through configured auth methods.
|
||||
+ * Unfortunately it is not possible to verify this generally before
|
||||
@@ -2166,6 +2186,9 @@ main(int ac, char **av)
|
||||
rdomain == NULL ? "" : "\"");
|
||||
free(laddr);
|
54
net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
Normal file
54
net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
Normal file
|
@ -0,0 +1,54 @@
|
|||
diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.4.1.diff b/openssh-9.0p1+x509-13.4.1.diff
|
||||
--- a/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:43:33.957093896 -0700
|
||||
+++ b/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:44:17.232396805 -0700
|
||||
@@ -48941,8 +48941,8 @@
|
||||
gss_create_empty_oid_set(&status, &oidset);
|
||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
|
||||
+- if (gethostname(lname, HOST_NAME_MAX)) {
|
||||
++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (-1);
|
||||
}
|
||||
@@ -57102,12 +57102,11 @@
|
||||
|
||||
install-files:
|
||||
$(MKDIR_P) $(DESTDIR)$(bindir)
|
||||
-@@ -395,6 +372,8 @@
|
||||
+@@ -395,6 +372,7 @@
|
||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
|
||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
|
||||
$(MKDIR_P) $(DESTDIR)$(libexecdir)
|
||||
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
|
||||
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
|
||||
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
||||
@@ -78638,7 +78637,7 @@
|
||||
+if test "$sshd_type" = "pkix" ; then
|
||||
+ unset_arg=''
|
||||
+else
|
||||
-+ unset_arg=none
|
||||
++ unset_arg=''
|
||||
+fi
|
||||
+
|
||||
cat > $OBJ/sshd_config.i << _EOF
|
||||
@@ -143777,16 +143776,6 @@
|
||||
+int asnmprintf(char **, size_t, int *, const char *, ...)
|
||||
__attribute__((format(printf, 4, 5)));
|
||||
void msetlocale(void);
|
||||
-diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.4.1/version.h
|
||||
---- openssh-9.0p1/version.h 2022-04-06 03:47:48.000000000 +0300
|
||||
-+++ openssh-9.0p1+x509-13.4.1/version.h 2022-06-23 09:07:00.000000000 +0300
|
||||
-@@ -2,5 +2,4 @@
|
||||
-
|
||||
- #define SSH_VERSION "OpenSSH_9.0"
|
||||
-
|
||||
--#define SSH_PORTABLE "p1"
|
||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
|
||||
diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.4.1/version.m4
|
||||
--- openssh-9.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200
|
||||
+++ openssh-9.0p1+x509-13.4.1/version.m4 2022-06-23 09:07:00.000000000 +0300
|
|
@ -0,0 +1,12 @@
|
|||
diff -ur a/auth2.c b/auth2.c
|
||||
--- a/auth2.c 2022-05-19 15:59:32.875160028 -0700
|
||||
+++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700
|
||||
@@ -226,7 +226,7 @@
|
||||
int digest_alg;
|
||||
size_t len;
|
||||
u_char *hash;
|
||||
- double delay;
|
||||
+ double delay = 0;
|
||||
|
||||
digest_alg = ssh_digest_maxbytes();
|
||||
if (len = ssh_digest_bytes(digest_alg) > 0) {
|
|
@ -0,0 +1,32 @@
|
|||
https://github.com/openssh/openssh-portable/pull/339
|
||||
|
||||
From a15d08a25f1ccc3ee803dfe790cc1f608651464c Mon Sep 17 00:00:00 2001
|
||||
From: Sam James <sam@gentoo.org>
|
||||
Date: Thu, 8 Sep 2022 02:49:29 +0100
|
||||
Subject: [PATCH] openbsd-compat/bsd-asprintf: add <stdio.h> include for
|
||||
vsnprintf
|
||||
|
||||
Fixes the following build failure with Clang 15 on musl:
|
||||
```
|
||||
bsd-asprintf.c:51:8: error: call to undeclared library function 'vsnprintf' with type 'int (char *, unsigned long, const char *, struct __va_list_tag *)'; ISO C99 and laterclang -O2 -pipe -fdiagnostics-color=always -frecord-gcc-switches -pipe -Wunknown-warning-option -Qunused-arguments -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -mretpoline -ftrapv -fzero-call-used-regs=all -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/misc/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/misc/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/misc/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/misc/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/lib/misc/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c cipher-aes.c -o cipher-aes.o
|
||||
do not support
|
||||
implicit function declarations [-Wimplicit-function-declaration]
|
||||
ret = vsnprintf(string, INIT_SZ, fmt, ap2);
|
||||
^
|
||||
bsd-asprintf.c:51:8: note: include the header <stdio.h> or explicitly provide a declaration for 'vsnprintf'
|
||||
1 error generated.
|
||||
```
|
||||
|
||||
See also: https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-June/037811.html
|
||||
See also: 73eb6cef41daba0359c1888e4756108d41b4e819
|
||||
--- a/openbsd-compat/bsd-asprintf.c
|
||||
+++ b/openbsd-compat/bsd-asprintf.c
|
||||
@@ -32,6 +32,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
+#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#define INIT_SZ 128
|
||||
|
13
net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
Normal file
13
net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
Normal file
|
@ -0,0 +1,13 @@
|
|||
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
|
||||
index dd8cdc4b7..c446f0aa2 100644
|
||||
--- a/openbsd-compat/regress/Makefile.in
|
||||
+++ b/openbsd-compat/regress/Makefile.in
|
||||
@@ -10,7 +10,7 @@ CFLAGS=@CFLAGS@
|
||||
CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. -I$(srcdir)/../.. @CPPFLAGS@ @DEFS@
|
||||
EXEEXT=@EXEEXT@
|
||||
LIBCOMPAT=../libopenbsd-compat.a
|
||||
-LIBS=@LIBS@
|
||||
+LIBS=@LIBS@ -lssl -lcrypto
|
||||
LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
|
||||
|
||||
TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
|
33
net-misc/openssh/files/sshd-r1.confd
Normal file
33
net-misc/openssh/files/sshd-r1.confd
Normal file
|
@ -0,0 +1,33 @@
|
|||
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
|
||||
|
||||
# Where is your sshd_config file stored?
|
||||
|
||||
SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
|
||||
|
||||
|
||||
# Any random options you want to pass to sshd.
|
||||
# See the sshd(8) manpage for more info.
|
||||
|
||||
SSHD_OPTS=""
|
||||
|
||||
|
||||
# Wait one second (length chosen arbitrarily) to see if sshd actually
|
||||
# creates a PID file, or if it crashes for some reason like not being
|
||||
# able to bind to the address in ListenAddress.
|
||||
|
||||
#SSHD_SSD_OPTS="--wait 1000"
|
||||
|
||||
|
||||
# Pid file to use (needs to be absolute path).
|
||||
|
||||
#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
|
||||
|
||||
|
||||
# Path to the sshd binary (needs to be absolute path).
|
||||
|
||||
#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
|
||||
|
||||
|
||||
# Path to the ssh-keygen binary (needs to be absolute path).
|
||||
|
||||
#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
|
87
net-misc/openssh/files/sshd-r1.initd
Normal file
87
net-misc/openssh/files/sshd-r1.initd
Normal file
|
@ -0,0 +1,87 @@
|
|||
#!/sbin/openrc-run
|
||||
# Copyright 1999-2019 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
extra_commands="checkconfig"
|
||||
extra_started_commands="reload"
|
||||
|
||||
: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
|
||||
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
|
||||
: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
|
||||
: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
|
||||
: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
|
||||
|
||||
command="${SSHD_BINARY}"
|
||||
pidfile="${SSHD_PIDFILE}"
|
||||
command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
|
||||
|
||||
# Wait one second (length chosen arbitrarily) to see if sshd actually
|
||||
# creates a PID file, or if it crashes for some reason like not being
|
||||
# able to bind to the address in ListenAddress (bug 617596).
|
||||
: ${SSHD_SSD_OPTS:=--wait 1000}
|
||||
start_stop_daemon_args="${SSHD_SSD_OPTS}"
|
||||
|
||||
depend() {
|
||||
# Entropy can be used by ssh-keygen, among other things, but
|
||||
# is not strictly required (bug 470020).
|
||||
use logger dns entropy
|
||||
if [ "${rc_need+set}" = "set" ] ; then
|
||||
: # Do nothing, the user has explicitly set rc_need
|
||||
else
|
||||
local x warn_addr
|
||||
for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
|
||||
case "${x}" in
|
||||
0.0.0.0|0.0.0.0:*) ;;
|
||||
::|\[::\]*) ;;
|
||||
*) warn_addr="${warn_addr} ${x}" ;;
|
||||
esac
|
||||
done
|
||||
if [ -n "${warn_addr}" ] ; then
|
||||
need net
|
||||
ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
|
||||
ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
|
||||
ewarn "where FOO is the interface(s) providing the following address(es):"
|
||||
ewarn "${warn_addr}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
checkconfig() {
|
||||
checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
|
||||
|
||||
if [ ! -e "${SSHD_CONFIG}" ] ; then
|
||||
eerror "You need an ${SSHD_CONFIG} file to run sshd"
|
||||
eerror "There is a sample file in /usr/share/doc/openssh"
|
||||
return 1
|
||||
fi
|
||||
|
||||
${SSHD_KEYGEN_BINARY} -A || return 2
|
||||
|
||||
"${command}" -t ${command_args} || return 3
|
||||
}
|
||||
|
||||
start_pre() {
|
||||
# Make sure that the user's config isn't busted before we try
|
||||
# to start the daemon (this will produce better error messages
|
||||
# than if we just try to start it blindly).
|
||||
#
|
||||
# We always need to call checkconfig because this function will
|
||||
# also generate any missing host key and you can start a
|
||||
# non-running service with "restart" argument.
|
||||
checkconfig || return $?
|
||||
}
|
||||
|
||||
stop_pre() {
|
||||
# If this is a restart, check to make sure the user's config
|
||||
# isn't busted before we stop the running daemon.
|
||||
if [ "${RC_CMD}" = "restart" ] ; then
|
||||
checkconfig || return $?
|
||||
fi
|
||||
}
|
||||
|
||||
reload() {
|
||||
checkconfig || return $?
|
||||
ebegin "Reloading ${SVCNAME}"
|
||||
start-stop-daemon --signal HUP --pidfile "${pidfile}"
|
||||
eend $?
|
||||
}
|
4
net-misc/openssh/files/sshd.pam_include.2
Normal file
4
net-misc/openssh/files/sshd.pam_include.2
Normal file
|
@ -0,0 +1,4 @@
|
|||
auth include system-remote-login
|
||||
account include system-remote-login
|
||||
password include system-remote-login
|
||||
session include system-remote-login
|
12
net-misc/openssh/files/sshd.service
Normal file
12
net-misc/openssh/files/sshd.service
Normal file
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=OpenSSH server daemon
|
||||
After=syslog.target network.target auditd.service
|
||||
|
||||
[Service]
|
||||
ExecStartPre=/usr/bin/ssh-keygen -A
|
||||
ExecStart=/usr/sbin/sshd -D -e
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
10
net-misc/openssh/files/sshd.socket
Normal file
10
net-misc/openssh/files/sshd.socket
Normal file
|
@ -0,0 +1,10 @@
|
|||
[Unit]
|
||||
Description=OpenSSH Server Socket
|
||||
Conflicts=sshd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=22
|
||||
Accept=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
8
net-misc/openssh/files/sshd_at.service
Normal file
8
net-misc/openssh/files/sshd_at.service
Normal file
|
@ -0,0 +1,8 @@
|
|||
[Unit]
|
||||
Description=OpenSSH per-connection server daemon
|
||||
After=syslog.target auditd.service
|
||||
|
||||
[Service]
|
||||
ExecStart=-/usr/sbin/sshd -i -e
|
||||
StandardInput=socket
|
||||
StandardError=journal
|
37
net-misc/openssh/metadata.xml
Normal file
37
net-misc/openssh/metadata.xml
Normal file
|
@ -0,0 +1,37 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="project">
|
||||
<email>base-system@gentoo.org</email>
|
||||
<name>Gentoo Base System</name>
|
||||
</maintainer>
|
||||
<longdescription>
|
||||
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
|
||||
increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
|
||||
rlogin, ftp, and other such programs might not realize that their password is transmitted
|
||||
across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
|
||||
to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
|
||||
Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
|
||||
of authentication methods.
|
||||
|
||||
The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
|
||||
replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
|
||||
the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
|
||||
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
|
||||
</longdescription>
|
||||
<use>
|
||||
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
|
||||
<flag name="hpn">Enable high performance ssh</flag>
|
||||
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
|
||||
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
|
||||
<flag name="security-key">Include builtin U2F/FIDO support</flag>
|
||||
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
|
||||
<flag name="X509">Adds support for X.509 certificate authentication</flag>
|
||||
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
|
||||
</use>
|
||||
<upstream>
|
||||
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
|
||||
<remote-id type="github">openssh/openssh-portable</remote-id>
|
||||
<remote-id type="sourceforge">hpnssh</remote-id>
|
||||
</upstream>
|
||||
</pkgmetadata>
|
492
net-misc/openssh/openssh-8.9_p1-r2.ebuild
Normal file
492
net-misc/openssh/openssh-8.9_p1-r2.ebuild
Normal file
|
@ -0,0 +1,492 @@
|
|||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
||||
|
||||
# Make it more portable between straight releases
|
||||
# and _p? releases.
|
||||
PARCH=${P/_}
|
||||
|
||||
# PV to USE for HPN patches
|
||||
#HPN_PV="${PV^^}"
|
||||
HPN_PV="8.5_P1"
|
||||
|
||||
HPN_VER="15.2"
|
||||
HPN_PATCHES=(
|
||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
||||
)
|
||||
|
||||
SCTP_VER="1.2"
|
||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
||||
X509_VER="13.3.1"
|
||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
||||
|
||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
||||
HOMEPAGE="https://www.openssh.com/"
|
||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
||||
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
|
||||
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
|
||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
||||
"
|
||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
||||
S="${WORKDIR}/${PARCH}"
|
||||
|
||||
LICENSE="BSD GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
||||
# Probably want to drop ssl defaulting to on in a future version.
|
||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
|
||||
|
||||
RESTRICT="!test? ( test )"
|
||||
|
||||
REQUIRED_USE="
|
||||
hpn? ( ssl )
|
||||
ldns? ( ssl )
|
||||
pie? ( !static )
|
||||
static? ( !kerberos !pam )
|
||||
X509? ( !sctp ssl !xmss )
|
||||
xmss? ( ssl )
|
||||
test? ( ssl )
|
||||
"
|
||||
|
||||
# tests currently fail with XMSS
|
||||
REQUIRED_USE+="test? ( !xmss )"
|
||||
|
||||
LIB_DEPEND="
|
||||
audit? ( sys-process/audit[static-libs(+)] )
|
||||
ldns? (
|
||||
net-libs/ldns[static-libs(+)]
|
||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
||||
)
|
||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
||||
virtual/libcrypt:=[static-libs(+)]
|
||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
||||
"
|
||||
RDEPEND="
|
||||
acct-group/sshd
|
||||
acct-user/sshd
|
||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
||||
pam? ( sys-libs/pam )
|
||||
kerberos? ( virtual/krb5 )
|
||||
"
|
||||
DEPEND="${RDEPEND}
|
||||
virtual/os-headers
|
||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
||||
static? ( ${LIB_DEPEND} )
|
||||
"
|
||||
RDEPEND="${RDEPEND}
|
||||
pam? ( >=sys-auth/pambase-20081028 )
|
||||
!prefix? ( sys-apps/shadow )
|
||||
X? ( x11-apps/xauth )
|
||||
"
|
||||
BDEPEND="
|
||||
virtual/pkgconfig
|
||||
sys-devel/autoconf
|
||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
||||
"
|
||||
|
||||
pkg_pretend() {
|
||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
||||
# than not be able to log in to their server any more
|
||||
local missing=()
|
||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
||||
check_feature hpn HPN_VER
|
||||
check_feature sctp SCTP_PATCH
|
||||
check_feature X509 X509_PATCH
|
||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
||||
eerror "Sorry, but this version does not yet support features"
|
||||
eerror "that you requested: ${missing[*]}"
|
||||
eerror "Please mask ${PF} for now and check back later:"
|
||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
||||
die "Missing requested third party patch."
|
||||
fi
|
||||
|
||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
default
|
||||
|
||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
sed -i \
|
||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
||||
pathnames.h || die
|
||||
|
||||
# don't break .ssh/authorized_keys2 for fun
|
||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
||||
|
||||
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
|
||||
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
|
||||
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-fzero-call-used-regs.patch #834037
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
|
||||
|
||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
||||
|
||||
local PATCHSET_VERSION_MACROS=()
|
||||
|
||||
if use X509 ; then
|
||||
pushd "${WORKDIR}" &>/dev/null || die
|
||||
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
||||
|
||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
||||
# error
|
||||
einfo "Patching package version for X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
||||
|
||||
einfo "Patching version.h to expose X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
||||
fi
|
||||
|
||||
if use sctp ; then
|
||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
||||
|
||||
einfo "Patching version.h to expose SCTP patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
||||
|
||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
||||
sed -i \
|
||||
-e "/\t\tcfgparse \\\/d" \
|
||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
||||
fi
|
||||
|
||||
if use hpn ; then
|
||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
||||
mkdir "${hpn_patchdir}" || die
|
||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
|
||||
use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
|
||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${hpn_patchdir}"
|
||||
|
||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
||||
|
||||
einfo "Patching Makefile.in for HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
||||
|
||||
einfo "Patching version.h to expose HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
||||
|
||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
||||
|
||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
||||
|
||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
||||
# and therefore disabled per default.
|
||||
DisableMTAES yes
|
||||
EOF
|
||||
sed -i \
|
||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
||||
|
||||
sed -i \
|
||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
||||
fi
|
||||
fi
|
||||
|
||||
if use X509 || use sctp || use hpn ; then
|
||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
||||
|
||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
||||
|
||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
||||
sed -i \
|
||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
||||
fi
|
||||
|
||||
sed -i \
|
||||
-e "/#UseLogin no/d" \
|
||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
||||
|
||||
eapply_user #473004
|
||||
|
||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
||||
sed -e '/\t\tpercent \\/ d' \
|
||||
-i regress/Makefile || die
|
||||
|
||||
tc-export PKG_CONFIG
|
||||
local sed_args=(
|
||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
||||
# Disable PATH reset, trust what portage gives us #254615
|
||||
-e 's:^PATH=/:#PATH=/:'
|
||||
# Disable fortify flags ... our gcc does this for us
|
||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
||||
)
|
||||
|
||||
# The -ftrapv flag ICEs on hppa #505182
|
||||
use hppa && sed_args+=(
|
||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
||||
)
|
||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
||||
-e 's/-D_XOPEN_SOURCE//'
|
||||
)
|
||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
||||
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
addwrite /dev/ptmx
|
||||
|
||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
||||
use static && append-ldflags -static
|
||||
use xmss && append-cflags -DWITH_XMSS
|
||||
|
||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
||||
# doesn't check for this, so force the replacement to be put in
|
||||
# place
|
||||
append-cppflags -DBROKEN_GLOB
|
||||
fi
|
||||
|
||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
||||
|
||||
local myconf=(
|
||||
--with-ldflags="${LDFLAGS}"
|
||||
--disable-strip
|
||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
||||
--datadir="${EPREFIX}"/usr/share/openssh
|
||||
--with-privsep-path="${EPREFIX}"/var/empty
|
||||
--with-privsep-user=sshd
|
||||
$(use_with audit audit linux)
|
||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
||||
# unconditionally else we get unknown flag warnings.
|
||||
$(use sctp && use_with sctp)
|
||||
$(use_with ldns)
|
||||
$(use_with libedit)
|
||||
$(use_with pam)
|
||||
$(use_with pie)
|
||||
$(use_with selinux)
|
||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
||||
$(use_with ssl openssl)
|
||||
$(use_with ssl ssl-engine)
|
||||
$(use_with !elibc_Cygwin hardening) #659210
|
||||
)
|
||||
|
||||
if use elibc_musl; then
|
||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
||||
# https://bugs.gentoo.org/753230
|
||||
myconf+=( --disable-utmp --disable-wtmp )
|
||||
fi
|
||||
|
||||
econf "${myconf[@]}"
|
||||
}
|
||||
|
||||
src_test() {
|
||||
local tests=( compat-tests )
|
||||
local shell=$(egetshell "${UID}")
|
||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
||||
ewarn "user, so we will run a subset only."
|
||||
tests+=( interop-tests )
|
||||
else
|
||||
tests+=( tests )
|
||||
fi
|
||||
|
||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
||||
mkdir -p "${HOME}"/.ssh || die
|
||||
emake -j1 "${tests[@]}" </dev/null
|
||||
}
|
||||
|
||||
# Gentoo tweaks to default config files.
|
||||
tweak_ssh_configs() {
|
||||
local locale_vars=(
|
||||
# These are language variables that POSIX defines.
|
||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
||||
|
||||
# These are the GNU extensions.
|
||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
||||
)
|
||||
|
||||
# First the server config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
||||
|
||||
# Allow client to pass locale environment variables. #367017
|
||||
AcceptEnv ${locale_vars[*]}
|
||||
|
||||
# Allow client to pass COLORTERM to match TERM. #658540
|
||||
AcceptEnv COLORTERM
|
||||
EOF
|
||||
|
||||
# Then the client config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
||||
|
||||
# Send locale environment variables. #367017
|
||||
SendEnv ${locale_vars[*]}
|
||||
|
||||
# Send COLORTERM to match TERM. #658540
|
||||
SendEnv COLORTERM
|
||||
EOF
|
||||
|
||||
if use pam ; then
|
||||
sed -i \
|
||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
|
||||
if use livecd ; then
|
||||
sed -i \
|
||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_install() {
|
||||
emake install-nokeys DESTDIR="${D}"
|
||||
fperms 600 /etc/ssh/sshd_config
|
||||
dobin contrib/ssh-copy-id
|
||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
||||
|
||||
if use pam; then
|
||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
||||
fi
|
||||
|
||||
tweak_ssh_configs
|
||||
|
||||
doman contrib/ssh-copy-id.1
|
||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
||||
use hpn && dodoc HPN-README
|
||||
use X509 || dodoc ChangeLog
|
||||
|
||||
diropts -m 0700
|
||||
dodir /etc/skel/.ssh
|
||||
|
||||
# https://bugs.gentoo.org/733802
|
||||
if ! use scp; then
|
||||
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|
||||
|| die "failed to remove scp"
|
||||
fi
|
||||
|
||||
rmdir "${ED}"/var/empty || die
|
||||
|
||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
||||
}
|
||||
|
||||
pkg_preinst() {
|
||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
||||
show_ssl_warning=1
|
||||
fi
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
local old_ver
|
||||
for old_ver in ${REPLACING_VERSIONS}; do
|
||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
||||
elog "be an alternative for you as it supports USE=tcpd."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
||||
elog "You should however generate new keys using rsa or ed25519."
|
||||
|
||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
||||
elog "if you need to authenticate against LDAP."
|
||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
||||
ewarn "connection is generally safe."
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ -n ${show_ssl_warning} ]]; then
|
||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
||||
elog "and update all clients/servers that utilize them."
|
||||
fi
|
||||
|
||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
elog ""
|
||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
||||
elog "and therefore disabled at runtime per default."
|
||||
elog "Make sure your sshd_config is up to date and contains"
|
||||
elog ""
|
||||
elog " DisableMTAES yes"
|
||||
elog ""
|
||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
||||
elog ""
|
||||
fi
|
||||
}
|
485
net-misc/openssh/openssh-9.0_p1-r2.ebuild
Normal file
485
net-misc/openssh/openssh-9.0_p1-r2.ebuild
Normal file
|
@ -0,0 +1,485 @@
|
|||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
||||
|
||||
# Make it more portable between straight releases
|
||||
# and _p? releases.
|
||||
PARCH=${P/_}
|
||||
|
||||
# PV to USE for HPN patches
|
||||
#HPN_PV="${PV^^}"
|
||||
HPN_PV="8.5_P1"
|
||||
|
||||
HPN_VER="15.2"
|
||||
HPN_PATCHES=(
|
||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
||||
)
|
||||
|
||||
SCTP_VER="1.2"
|
||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
||||
X509_VER="13.4.1"
|
||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
||||
|
||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
||||
HOMEPAGE="https://www.openssh.com/"
|
||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
||||
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
|
||||
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
|
||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
||||
"
|
||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
||||
S="${WORKDIR}/${PARCH}"
|
||||
|
||||
LICENSE="BSD GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
||||
# Probably want to drop ssl defaulting to on in a future version.
|
||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
||||
|
||||
RESTRICT="!test? ( test )"
|
||||
|
||||
REQUIRED_USE="
|
||||
hpn? ( ssl )
|
||||
ldns? ( ssl )
|
||||
pie? ( !static )
|
||||
static? ( !kerberos !pam )
|
||||
X509? ( !sctp ssl !xmss )
|
||||
xmss? ( ssl )
|
||||
test? ( ssl )
|
||||
"
|
||||
|
||||
# tests currently fail with XMSS
|
||||
REQUIRED_USE+="test? ( !xmss )"
|
||||
|
||||
LIB_DEPEND="
|
||||
audit? ( sys-process/audit[static-libs(+)] )
|
||||
ldns? (
|
||||
net-libs/ldns[static-libs(+)]
|
||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
||||
)
|
||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
||||
virtual/libcrypt:=[static-libs(+)]
|
||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
||||
"
|
||||
RDEPEND="
|
||||
acct-group/sshd
|
||||
acct-user/sshd
|
||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
||||
pam? ( sys-libs/pam )
|
||||
kerberos? ( virtual/krb5 )
|
||||
"
|
||||
DEPEND="${RDEPEND}
|
||||
virtual/os-headers
|
||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
||||
static? ( ${LIB_DEPEND} )
|
||||
"
|
||||
RDEPEND="${RDEPEND}
|
||||
pam? ( >=sys-auth/pambase-20081028 )
|
||||
!prefix? ( sys-apps/shadow )
|
||||
X? ( x11-apps/xauth )
|
||||
"
|
||||
BDEPEND="
|
||||
virtual/pkgconfig
|
||||
sys-devel/autoconf
|
||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
||||
"
|
||||
|
||||
pkg_pretend() {
|
||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
||||
# than not be able to log in to their server any more
|
||||
local missing=()
|
||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
||||
check_feature hpn HPN_VER
|
||||
check_feature sctp SCTP_PATCH
|
||||
check_feature X509 X509_PATCH
|
||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
||||
eerror "Sorry, but this version does not yet support features"
|
||||
eerror "that you requested: ${missing[*]}"
|
||||
eerror "Please mask ${PF} for now and check back later:"
|
||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
||||
die "Missing requested third party patch."
|
||||
fi
|
||||
|
||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
default
|
||||
|
||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
sed -i \
|
||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
||||
pathnames.h || die
|
||||
|
||||
# don't break .ssh/authorized_keys2 for fun
|
||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
||||
|
||||
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
|
||||
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
|
||||
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
|
||||
|
||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
||||
|
||||
local PATCHSET_VERSION_MACROS=()
|
||||
|
||||
if use X509 ; then
|
||||
pushd "${WORKDIR}" &>/dev/null || die
|
||||
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
||||
|
||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
||||
# error
|
||||
einfo "Patching package version for X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
||||
|
||||
einfo "Patching version.h to expose X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
||||
fi
|
||||
|
||||
if use sctp ; then
|
||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
||||
|
||||
einfo "Patching version.h to expose SCTP patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
||||
|
||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
||||
sed -i \
|
||||
-e "/\t\tcfgparse \\\/d" \
|
||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
||||
fi
|
||||
|
||||
if use hpn ; then
|
||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
||||
mkdir "${hpn_patchdir}" || die
|
||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
|
||||
use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
|
||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${hpn_patchdir}"
|
||||
|
||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
||||
|
||||
einfo "Patching Makefile.in for HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
||||
|
||||
einfo "Patching version.h to expose HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
||||
|
||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
||||
|
||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
||||
|
||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
||||
# and therefore disabled per default.
|
||||
DisableMTAES yes
|
||||
EOF
|
||||
sed -i \
|
||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
||||
|
||||
sed -i \
|
||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
||||
fi
|
||||
fi
|
||||
|
||||
if use X509 || use sctp || use hpn ; then
|
||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
||||
|
||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
||||
|
||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
||||
sed -i \
|
||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
||||
fi
|
||||
|
||||
sed -i \
|
||||
-e "/#UseLogin no/d" \
|
||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
||||
|
||||
eapply_user #473004
|
||||
|
||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
||||
sed -e '/\t\tpercent \\/ d' \
|
||||
-i regress/Makefile || die
|
||||
|
||||
tc-export PKG_CONFIG
|
||||
local sed_args=(
|
||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
||||
# Disable PATH reset, trust what portage gives us #254615
|
||||
-e 's:^PATH=/:#PATH=/:'
|
||||
# Disable fortify flags ... our gcc does this for us
|
||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
||||
)
|
||||
|
||||
# The -ftrapv flag ICEs on hppa #505182
|
||||
use hppa && sed_args+=(
|
||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
||||
)
|
||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
||||
-e 's/-D_XOPEN_SOURCE//'
|
||||
)
|
||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
||||
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
addwrite /dev/ptmx
|
||||
|
||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
||||
use static && append-ldflags -static
|
||||
use xmss && append-cflags -DWITH_XMSS
|
||||
|
||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
||||
# doesn't check for this, so force the replacement to be put in
|
||||
# place
|
||||
append-cppflags -DBROKEN_GLOB
|
||||
fi
|
||||
|
||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
||||
|
||||
local myconf=(
|
||||
--with-ldflags="${LDFLAGS}"
|
||||
--disable-strip
|
||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
||||
--datadir="${EPREFIX}"/usr/share/openssh
|
||||
--with-privsep-path="${EPREFIX}"/var/empty
|
||||
--with-privsep-user=sshd
|
||||
$(use_with audit audit linux)
|
||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
||||
# unconditionally else we get unknown flag warnings.
|
||||
$(use sctp && use_with sctp)
|
||||
$(use_with ldns)
|
||||
$(use_with libedit)
|
||||
$(use_with pam)
|
||||
$(use_with pie)
|
||||
$(use_with selinux)
|
||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
||||
$(use_with ssl openssl)
|
||||
$(use_with ssl ssl-engine)
|
||||
$(use_with !elibc_Cygwin hardening) #659210
|
||||
)
|
||||
|
||||
if use elibc_musl; then
|
||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
||||
# https://bugs.gentoo.org/753230
|
||||
myconf+=( --disable-utmp --disable-wtmp )
|
||||
fi
|
||||
|
||||
econf "${myconf[@]}"
|
||||
}
|
||||
|
||||
src_test() {
|
||||
local tests=( compat-tests )
|
||||
local shell=$(egetshell "${UID}")
|
||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
||||
ewarn "user, so we will run a subset only."
|
||||
tests+=( interop-tests )
|
||||
else
|
||||
tests+=( tests )
|
||||
fi
|
||||
|
||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
||||
mkdir -p "${HOME}"/.ssh || die
|
||||
emake -j1 "${tests[@]}" </dev/null
|
||||
}
|
||||
|
||||
# Gentoo tweaks to default config files.
|
||||
tweak_ssh_configs() {
|
||||
local locale_vars=(
|
||||
# These are language variables that POSIX defines.
|
||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
||||
|
||||
# These are the GNU extensions.
|
||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
||||
)
|
||||
|
||||
# First the server config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
||||
|
||||
# Allow client to pass locale environment variables. #367017
|
||||
AcceptEnv ${locale_vars[*]}
|
||||
|
||||
# Allow client to pass COLORTERM to match TERM. #658540
|
||||
AcceptEnv COLORTERM
|
||||
EOF
|
||||
|
||||
# Then the client config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
||||
|
||||
# Send locale environment variables. #367017
|
||||
SendEnv ${locale_vars[*]}
|
||||
|
||||
# Send COLORTERM to match TERM. #658540
|
||||
SendEnv COLORTERM
|
||||
EOF
|
||||
|
||||
if use pam ; then
|
||||
sed -i \
|
||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
|
||||
if use livecd ; then
|
||||
sed -i \
|
||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_install() {
|
||||
emake install-nokeys DESTDIR="${D}"
|
||||
fperms 600 /etc/ssh/sshd_config
|
||||
dobin contrib/ssh-copy-id
|
||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
||||
|
||||
if use pam; then
|
||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
||||
fi
|
||||
|
||||
tweak_ssh_configs
|
||||
|
||||
doman contrib/ssh-copy-id.1
|
||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
||||
use hpn && dodoc HPN-README
|
||||
use X509 || dodoc ChangeLog
|
||||
|
||||
diropts -m 0700
|
||||
dodir /etc/skel/.ssh
|
||||
rmdir "${ED}"/var/empty || die
|
||||
|
||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
||||
}
|
||||
|
||||
pkg_preinst() {
|
||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
||||
show_ssl_warning=1
|
||||
fi
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
local old_ver
|
||||
for old_ver in ${REPLACING_VERSIONS}; do
|
||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
||||
elog "be an alternative for you as it supports USE=tcpd."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
||||
elog "You should however generate new keys using rsa or ed25519."
|
||||
|
||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
||||
elog "if you need to authenticate against LDAP."
|
||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
||||
ewarn "connection is generally safe."
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ -n ${show_ssl_warning} ]]; then
|
||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
||||
elog "and update all clients/servers that utilize them."
|
||||
fi
|
||||
|
||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
elog ""
|
||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
||||
elog "and therefore disabled at runtime per default."
|
||||
elog "Make sure your sshd_config is up to date and contains"
|
||||
elog ""
|
||||
elog " DisableMTAES yes"
|
||||
elog ""
|
||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
||||
elog ""
|
||||
fi
|
||||
}
|
499
net-misc/openssh/openssh-9.0_p1-r6.ebuild
Normal file
499
net-misc/openssh/openssh-9.0_p1-r6.ebuild
Normal file
|
@ -0,0 +1,499 @@
|
|||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
||||
|
||||
# Make it more portable between straight releases
|
||||
# and _p? releases.
|
||||
PARCH=${P/_}
|
||||
|
||||
# PV to USE for HPN patches
|
||||
#HPN_PV="${PV^^}"
|
||||
HPN_PV="8.5_P1"
|
||||
|
||||
HPN_VER="15.2"
|
||||
HPN_PATCHES=(
|
||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
||||
)
|
||||
|
||||
SCTP_VER="1.2"
|
||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
||||
X509_VER="13.4.1"
|
||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
||||
|
||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
||||
HOMEPAGE="https://www.openssh.com/"
|
||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
||||
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
|
||||
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
|
||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
||||
"
|
||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
||||
S="${WORKDIR}/${PARCH}"
|
||||
|
||||
LICENSE="BSD GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
||||
# Probably want to drop ssl defaulting to on in a future version.
|
||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
||||
|
||||
RESTRICT="!test? ( test )"
|
||||
|
||||
REQUIRED_USE="
|
||||
hpn? ( ssl )
|
||||
ldns? ( ssl )
|
||||
pie? ( !static )
|
||||
static? ( !kerberos !pam )
|
||||
X509? ( !sctp ssl !xmss )
|
||||
xmss? ( ssl )
|
||||
test? ( ssl )
|
||||
"
|
||||
|
||||
# tests currently fail with XMSS
|
||||
REQUIRED_USE+="test? ( !xmss )"
|
||||
|
||||
# Blocker on older gcc-config for bug #872416
|
||||
LIB_DEPEND="
|
||||
!<sys-devel/gcc-config-2.6
|
||||
audit? ( sys-process/audit[static-libs(+)] )
|
||||
ldns? (
|
||||
net-libs/ldns[static-libs(+)]
|
||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
||||
)
|
||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
||||
virtual/libcrypt:=[static-libs(+)]
|
||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
||||
"
|
||||
RDEPEND="
|
||||
acct-group/sshd
|
||||
acct-user/sshd
|
||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
||||
pam? ( sys-libs/pam )
|
||||
kerberos? ( virtual/krb5 )
|
||||
"
|
||||
DEPEND="${RDEPEND}
|
||||
virtual/os-headers
|
||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
||||
static? ( ${LIB_DEPEND} )
|
||||
"
|
||||
RDEPEND="${RDEPEND}
|
||||
pam? ( >=sys-auth/pambase-20081028 )
|
||||
!prefix? ( sys-apps/shadow )
|
||||
X? ( x11-apps/xauth )
|
||||
"
|
||||
# Weird dep construct for newer gcc-config for bug #872416
|
||||
BDEPEND="
|
||||
sys-devel/autoconf
|
||||
virtual/pkgconfig
|
||||
|| (
|
||||
>=sys-devel/gcc-config-2.6
|
||||
>=sys-devel/clang-toolchain-symlinks-14-r1:14
|
||||
>=sys-devel/clang-toolchain-symlinks-15-r1:15
|
||||
>=sys-devel/clang-toolchain-symlinks-16-r1:*
|
||||
)
|
||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
||||
"
|
||||
|
||||
pkg_pretend() {
|
||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
||||
# than not be able to log in to their server any more
|
||||
local missing=()
|
||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
||||
check_feature hpn HPN_VER
|
||||
check_feature sctp SCTP_PATCH
|
||||
check_feature X509 X509_PATCH
|
||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
||||
eerror "Sorry, but this version does not yet support features"
|
||||
eerror "that you requested: ${missing[*]}"
|
||||
eerror "Please mask ${PF} for now and check back later:"
|
||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
||||
die "Missing requested third party patch."
|
||||
fi
|
||||
|
||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
default
|
||||
|
||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
sed -i \
|
||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
||||
pathnames.h || die
|
||||
|
||||
# don't break .ssh/authorized_keys2 for fun
|
||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
||||
|
||||
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
|
||||
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
|
||||
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
|
||||
eapply "${FILESDIR}"/${PN}-9.0_p1-implicit-func-decl-vsnprintf.patch
|
||||
|
||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
||||
|
||||
local PATCHSET_VERSION_MACROS=()
|
||||
|
||||
if use X509 ; then
|
||||
pushd "${WORKDIR}" &>/dev/null || die
|
||||
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
||||
|
||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
||||
# error
|
||||
einfo "Patching package version for X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
||||
|
||||
einfo "Patching version.h to expose X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
||||
fi
|
||||
|
||||
if use sctp ; then
|
||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
||||
|
||||
einfo "Patching version.h to expose SCTP patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
||||
|
||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
||||
sed -i \
|
||||
-e "/\t\tcfgparse \\\/d" \
|
||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
||||
fi
|
||||
|
||||
if use hpn ; then
|
||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
||||
mkdir "${hpn_patchdir}" || die
|
||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
||||
eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
|
||||
use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
|
||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${hpn_patchdir}"
|
||||
|
||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
||||
|
||||
einfo "Patching Makefile.in for HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
||||
|
||||
einfo "Patching version.h to expose HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
||||
|
||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
||||
|
||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
||||
|
||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
||||
# and therefore disabled per default.
|
||||
DisableMTAES yes
|
||||
EOF
|
||||
sed -i \
|
||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
||||
|
||||
sed -i \
|
||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
||||
fi
|
||||
fi
|
||||
|
||||
if use X509 || use sctp || use hpn ; then
|
||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
||||
|
||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
||||
|
||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
||||
sed -i \
|
||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
||||
fi
|
||||
|
||||
sed -i \
|
||||
-e "/#UseLogin no/d" \
|
||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
||||
|
||||
eapply_user #473004
|
||||
|
||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
||||
sed -e '/\t\tpercent \\/ d' \
|
||||
-i regress/Makefile || die
|
||||
|
||||
tc-export PKG_CONFIG
|
||||
local sed_args=(
|
||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
||||
# Disable PATH reset, trust what portage gives us #254615
|
||||
-e 's:^PATH=/:#PATH=/:'
|
||||
# Disable fortify flags ... our gcc does this for us
|
||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
||||
)
|
||||
|
||||
# The -ftrapv flag ICEs on hppa #505182
|
||||
use hppa && sed_args+=(
|
||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
||||
)
|
||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
||||
-e 's/-D_XOPEN_SOURCE//'
|
||||
)
|
||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
||||
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
addwrite /dev/ptmx
|
||||
|
||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
||||
use static && append-ldflags -static
|
||||
use xmss && append-cflags -DWITH_XMSS
|
||||
|
||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
||||
# doesn't check for this, so force the replacement to be put in
|
||||
# place
|
||||
append-cppflags -DBROKEN_GLOB
|
||||
fi
|
||||
|
||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
||||
|
||||
local myconf=(
|
||||
--with-ldflags="${LDFLAGS}"
|
||||
--disable-strip
|
||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
||||
--datadir="${EPREFIX}"/usr/share/openssh
|
||||
--with-privsep-path="${EPREFIX}"/var/empty
|
||||
--with-privsep-user=sshd
|
||||
$(use_with audit audit linux)
|
||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
||||
# unconditionally else we get unknown flag warnings.
|
||||
$(use sctp && use_with sctp)
|
||||
$(use_with ldns)
|
||||
$(use_with libedit)
|
||||
$(use_with pam)
|
||||
$(use_with pie)
|
||||
$(use_with selinux)
|
||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
||||
$(use_with ssl openssl)
|
||||
$(use_with ssl ssl-engine)
|
||||
$(use_with !elibc_Cygwin hardening) #659210
|
||||
)
|
||||
|
||||
if use elibc_musl; then
|
||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
||||
# https://bugs.gentoo.org/753230
|
||||
myconf+=( --disable-utmp --disable-wtmp )
|
||||
fi
|
||||
|
||||
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
|
||||
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
|
||||
tc-is-clang && myconf+=( --without-hardening )
|
||||
|
||||
econf "${myconf[@]}"
|
||||
}
|
||||
|
||||
src_test() {
|
||||
local tests=( compat-tests )
|
||||
local shell=$(egetshell "${UID}")
|
||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
||||
ewarn "user, so we will run a subset only."
|
||||
tests+=( interop-tests )
|
||||
else
|
||||
tests+=( tests )
|
||||
fi
|
||||
|
||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
||||
mkdir -p "${HOME}"/.ssh || die
|
||||
emake -j1 "${tests[@]}" </dev/null
|
||||
}
|
||||
|
||||
# Gentoo tweaks to default config files.
|
||||
tweak_ssh_configs() {
|
||||
local locale_vars=(
|
||||
# These are language variables that POSIX defines.
|
||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
||||
|
||||
# These are the GNU extensions.
|
||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
||||
)
|
||||
|
||||
# First the server config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
||||
|
||||
# Allow client to pass locale environment variables. #367017
|
||||
AcceptEnv ${locale_vars[*]}
|
||||
|
||||
# Allow client to pass COLORTERM to match TERM. #658540
|
||||
AcceptEnv COLORTERM
|
||||
EOF
|
||||
|
||||
# Then the client config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
||||
|
||||
# Send locale environment variables. #367017
|
||||
SendEnv ${locale_vars[*]}
|
||||
|
||||
# Send COLORTERM to match TERM. #658540
|
||||
SendEnv COLORTERM
|
||||
EOF
|
||||
|
||||
if use pam ; then
|
||||
sed -i \
|
||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
|
||||
if use livecd ; then
|
||||
sed -i \
|
||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_install() {
|
||||
emake install-nokeys DESTDIR="${D}"
|
||||
fperms 600 /etc/ssh/sshd_config
|
||||
dobin contrib/ssh-copy-id
|
||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
||||
|
||||
if use pam; then
|
||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
||||
fi
|
||||
|
||||
tweak_ssh_configs
|
||||
|
||||
doman contrib/ssh-copy-id.1
|
||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
||||
use hpn && dodoc HPN-README
|
||||
use X509 || dodoc ChangeLog
|
||||
|
||||
diropts -m 0700
|
||||
dodir /etc/skel/.ssh
|
||||
rmdir "${ED}"/var/empty || die
|
||||
|
||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
||||
}
|
||||
|
||||
pkg_preinst() {
|
||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
||||
show_ssl_warning=1
|
||||
fi
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
local old_ver
|
||||
for old_ver in ${REPLACING_VERSIONS}; do
|
||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
||||
elog "be an alternative for you as it supports USE=tcpd."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
||||
elog "You should however generate new keys using rsa or ed25519."
|
||||
|
||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
||||
elog "if you need to authenticate against LDAP."
|
||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
||||
ewarn "connection is generally safe."
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ -n ${show_ssl_warning} ]]; then
|
||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
||||
elog "and update all clients/servers that utilize them."
|
||||
fi
|
||||
|
||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
elog ""
|
||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
||||
elog "and therefore disabled at runtime per default."
|
||||
elog "Make sure your sshd_config is up to date and contains"
|
||||
elog ""
|
||||
elog " DisableMTAES yes"
|
||||
elog ""
|
||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
||||
elog ""
|
||||
fi
|
||||
}
|
514
net-misc/openssh/openssh-9.1_p1-r1.ebuild
Normal file
514
net-misc/openssh/openssh-9.1_p1-r1.ebuild
Normal file
|
@ -0,0 +1,514 @@
|
|||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
||||
|
||||
# Make it more portable between straight releases
|
||||
# and _p? releases.
|
||||
PARCH=${P/_}
|
||||
|
||||
# PV to USE for HPN patches
|
||||
#HPN_PV="${PV^^}"
|
||||
HPN_PV="8.5_P1"
|
||||
|
||||
HPN_VER="15.2"
|
||||
HPN_PATCHES=(
|
||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
||||
)
|
||||
HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
|
||||
|
||||
SCTP_VER="1.2"
|
||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
||||
|
||||
X509_VER="14.0.1"
|
||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
||||
X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
|
||||
X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
|
||||
|
||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
||||
HOMEPAGE="https://www.openssh.com/"
|
||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
||||
${HPN_VER:+hpn? (
|
||||
$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
|
||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
|
||||
)}
|
||||
${X509_PATCH:+X509? (
|
||||
https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
|
||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
|
||||
${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
|
||||
)}
|
||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
||||
"
|
||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
||||
S="${WORKDIR}/${PARCH}"
|
||||
|
||||
LICENSE="BSD GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
||||
# Probably want to drop ssl defaulting to on in a future version.
|
||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
||||
|
||||
RESTRICT="!test? ( test )"
|
||||
|
||||
REQUIRED_USE="
|
||||
hpn? ( ssl )
|
||||
ldns? ( ssl )
|
||||
pie? ( !static )
|
||||
static? ( !kerberos !pam )
|
||||
X509? ( !sctp ssl !xmss )
|
||||
xmss? ( ssl )
|
||||
test? ( ssl )
|
||||
"
|
||||
|
||||
# tests currently fail with XMSS
|
||||
REQUIRED_USE+="test? ( !xmss )"
|
||||
|
||||
# Blocker on older gcc-config for bug #872416
|
||||
LIB_DEPEND="
|
||||
!<sys-devel/gcc-config-2.6
|
||||
audit? ( sys-process/audit[static-libs(+)] )
|
||||
ldns? (
|
||||
net-libs/ldns[static-libs(+)]
|
||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
||||
)
|
||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
||||
virtual/libcrypt:=[static-libs(+)]
|
||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
||||
"
|
||||
RDEPEND="
|
||||
acct-group/sshd
|
||||
acct-user/sshd
|
||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
||||
pam? ( sys-libs/pam )
|
||||
kerberos? ( virtual/krb5 )
|
||||
"
|
||||
DEPEND="${RDEPEND}
|
||||
virtual/os-headers
|
||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
||||
static? ( ${LIB_DEPEND} )
|
||||
"
|
||||
RDEPEND="${RDEPEND}
|
||||
pam? ( >=sys-auth/pambase-20081028 )
|
||||
!prefix? ( sys-apps/shadow )
|
||||
X? ( x11-apps/xauth )
|
||||
"
|
||||
# Weird dep construct for newer gcc-config for bug #872416
|
||||
BDEPEND="
|
||||
sys-devel/autoconf
|
||||
virtual/pkgconfig
|
||||
|| (
|
||||
>=sys-devel/gcc-config-2.6
|
||||
>=sys-devel/clang-toolchain-symlinks-14-r1:14
|
||||
>=sys-devel/clang-toolchain-symlinks-15-r1:15
|
||||
>=sys-devel/clang-toolchain-symlinks-16-r1:*
|
||||
)
|
||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
||||
"
|
||||
|
||||
PATCHES=(
|
||||
"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
|
||||
"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
|
||||
"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
|
||||
"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
|
||||
"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
|
||||
"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
|
||||
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
|
||||
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
|
||||
"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
|
||||
)
|
||||
|
||||
pkg_pretend() {
|
||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
||||
# than not be able to log in to their server any more
|
||||
local missing=()
|
||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
||||
check_feature hpn HPN_VER
|
||||
check_feature sctp SCTP_PATCH
|
||||
check_feature X509 X509_PATCH
|
||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
||||
eerror "Sorry, but this version does not yet support features"
|
||||
eerror "that you requested: ${missing[*]}"
|
||||
eerror "Please mask ${PF} for now and check back later:"
|
||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
||||
die "Missing requested third party patch."
|
||||
fi
|
||||
|
||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
default
|
||||
|
||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
sed -i \
|
||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
||||
pathnames.h || die
|
||||
|
||||
# don't break .ssh/authorized_keys2 for fun
|
||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
||||
|
||||
eapply "${PATCHES[@]}"
|
||||
|
||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
||||
|
||||
local PATCHSET_VERSION_MACROS=()
|
||||
|
||||
if use X509 ; then
|
||||
pushd "${WORKDIR}" &>/dev/null || die
|
||||
eapply "${WORKDIR}/${X509_GLUE_PATCH}"
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
||||
|
||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
||||
# error
|
||||
einfo "Patching package version for X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
||||
|
||||
einfo "Patching version.h to expose X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
||||
fi
|
||||
|
||||
if use sctp ; then
|
||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
||||
|
||||
einfo "Patching version.h to expose SCTP patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
||||
|
||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
||||
sed -i \
|
||||
-e "/\t\tcfgparse \\\/d" \
|
||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
||||
fi
|
||||
|
||||
if use hpn ; then
|
||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
||||
mkdir "${hpn_patchdir}" || die
|
||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
||||
eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
|
||||
use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
|
||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${hpn_patchdir}"
|
||||
|
||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
||||
|
||||
einfo "Patching Makefile.in for HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
||||
|
||||
einfo "Patching version.h to expose HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
||||
|
||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
||||
|
||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
||||
|
||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
||||
# and therefore disabled per default.
|
||||
DisableMTAES yes
|
||||
EOF
|
||||
sed -i \
|
||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
||||
|
||||
sed -i \
|
||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
||||
fi
|
||||
fi
|
||||
|
||||
if use X509 || use sctp || use hpn ; then
|
||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
||||
|
||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
||||
|
||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
||||
sed -i \
|
||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
||||
fi
|
||||
|
||||
sed -i \
|
||||
-e "/#UseLogin no/d" \
|
||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
||||
|
||||
eapply_user #473004
|
||||
|
||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
||||
sed -e '/\t\tpercent \\/ d' \
|
||||
-i regress/Makefile || die
|
||||
|
||||
tc-export PKG_CONFIG
|
||||
local sed_args=(
|
||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
||||
# Disable PATH reset, trust what portage gives us #254615
|
||||
-e 's:^PATH=/:#PATH=/:'
|
||||
# Disable fortify flags ... our gcc does this for us
|
||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
||||
)
|
||||
|
||||
# The -ftrapv flag ICEs on hppa #505182
|
||||
use hppa && sed_args+=(
|
||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
||||
)
|
||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
||||
-e 's/-D_XOPEN_SOURCE//'
|
||||
)
|
||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
||||
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
addwrite /dev/ptmx
|
||||
|
||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
||||
use static && append-ldflags -static
|
||||
use xmss && append-cflags -DWITH_XMSS
|
||||
|
||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
||||
# doesn't check for this, so force the replacement to be put in
|
||||
# place
|
||||
append-cppflags -DBROKEN_GLOB
|
||||
fi
|
||||
|
||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
||||
|
||||
local myconf=(
|
||||
--with-ldflags="${LDFLAGS}"
|
||||
--disable-strip
|
||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
||||
--datadir="${EPREFIX}"/usr/share/openssh
|
||||
--with-privsep-path="${EPREFIX}"/var/empty
|
||||
--with-privsep-user=sshd
|
||||
$(use_with audit audit linux)
|
||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
||||
# unconditionally else we get unknown flag warnings.
|
||||
$(use sctp && use_with sctp)
|
||||
$(use_with ldns)
|
||||
$(use_with libedit)
|
||||
$(use_with pam)
|
||||
$(use_with pie)
|
||||
$(use_with selinux)
|
||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
||||
$(use_with ssl openssl)
|
||||
$(use_with ssl ssl-engine)
|
||||
$(use_with !elibc_Cygwin hardening) #659210
|
||||
)
|
||||
|
||||
if use elibc_musl; then
|
||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
||||
# https://bugs.gentoo.org/753230
|
||||
myconf+=( --disable-utmp --disable-wtmp )
|
||||
fi
|
||||
|
||||
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
|
||||
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
|
||||
tc-is-clang && myconf+=( --without-hardening )
|
||||
|
||||
econf "${myconf[@]}"
|
||||
}
|
||||
|
||||
src_test() {
|
||||
local tests=( compat-tests )
|
||||
local shell=$(egetshell "${UID}")
|
||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
||||
ewarn "user, so we will run a subset only."
|
||||
tests+=( interop-tests )
|
||||
else
|
||||
tests+=( tests )
|
||||
fi
|
||||
|
||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
||||
mkdir -p "${HOME}"/.ssh || die
|
||||
emake -j1 "${tests[@]}" </dev/null
|
||||
}
|
||||
|
||||
# Gentoo tweaks to default config files.
|
||||
tweak_ssh_configs() {
|
||||
local locale_vars=(
|
||||
# These are language variables that POSIX defines.
|
||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
||||
|
||||
# These are the GNU extensions.
|
||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
||||
)
|
||||
|
||||
# First the server config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
||||
|
||||
# Allow client to pass locale environment variables. #367017
|
||||
AcceptEnv ${locale_vars[*]}
|
||||
|
||||
# Allow client to pass COLORTERM to match TERM. #658540
|
||||
AcceptEnv COLORTERM
|
||||
EOF
|
||||
|
||||
# Then the client config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
||||
|
||||
# Send locale environment variables. #367017
|
||||
SendEnv ${locale_vars[*]}
|
||||
|
||||
# Send COLORTERM to match TERM. #658540
|
||||
SendEnv COLORTERM
|
||||
EOF
|
||||
|
||||
if use pam ; then
|
||||
sed -i \
|
||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
|
||||
if use livecd ; then
|
||||
sed -i \
|
||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_install() {
|
||||
emake install-nokeys DESTDIR="${D}"
|
||||
fperms 600 /etc/ssh/sshd_config
|
||||
dobin contrib/ssh-copy-id
|
||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
||||
|
||||
if use pam; then
|
||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
||||
fi
|
||||
|
||||
tweak_ssh_configs
|
||||
|
||||
doman contrib/ssh-copy-id.1
|
||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
||||
use hpn && dodoc HPN-README
|
||||
use X509 || dodoc ChangeLog
|
||||
|
||||
diropts -m 0700
|
||||
dodir /etc/skel/.ssh
|
||||
rmdir "${ED}"/var/empty || die
|
||||
|
||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
||||
}
|
||||
|
||||
pkg_preinst() {
|
||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
||||
show_ssl_warning=1
|
||||
fi
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
local old_ver
|
||||
for old_ver in ${REPLACING_VERSIONS}; do
|
||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
||||
elog "be an alternative for you as it supports USE=tcpd."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
||||
elog "You should however generate new keys using rsa or ed25519."
|
||||
|
||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
||||
elog "if you need to authenticate against LDAP."
|
||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
||||
ewarn "connection is generally safe."
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ -n ${show_ssl_warning} ]]; then
|
||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
||||
elog "and update all clients/servers that utilize them."
|
||||
fi
|
||||
|
||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
elog ""
|
||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
||||
elog "and therefore disabled at runtime per default."
|
||||
elog "Make sure your sshd_config is up to date and contains"
|
||||
elog ""
|
||||
elog " DisableMTAES yes"
|
||||
elog ""
|
||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
||||
elog ""
|
||||
fi
|
||||
}
|
514
net-misc/openssh/openssh-9.1_p1.ebuild
Normal file
514
net-misc/openssh/openssh-9.1_p1.ebuild
Normal file
|
@ -0,0 +1,514 @@
|
|||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=7
|
||||
|
||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
||||
|
||||
# Make it more portable between straight releases
|
||||
# and _p? releases.
|
||||
PARCH=${P/_}
|
||||
|
||||
# PV to USE for HPN patches
|
||||
#HPN_PV="${PV^^}"
|
||||
HPN_PV="8.5_P1"
|
||||
|
||||
HPN_VER="15.2"
|
||||
HPN_PATCHES=(
|
||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
||||
)
|
||||
HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
|
||||
|
||||
SCTP_VER="1.2"
|
||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
||||
|
||||
X509_VER="13.5"
|
||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
||||
X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
|
||||
X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-glue.patch"
|
||||
|
||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
||||
HOMEPAGE="https://www.openssh.com/"
|
||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
||||
${HPN_VER:+hpn? (
|
||||
$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
|
||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
|
||||
)}
|
||||
${X509_PATCH:+X509? (
|
||||
https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
|
||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
|
||||
${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
|
||||
)}
|
||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
||||
"
|
||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
||||
S="${WORKDIR}/${PARCH}"
|
||||
|
||||
LICENSE="BSD GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
||||
# Probably want to drop ssl defaulting to on in a future version.
|
||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
||||
|
||||
RESTRICT="!test? ( test )"
|
||||
|
||||
REQUIRED_USE="
|
||||
hpn? ( ssl )
|
||||
ldns? ( ssl )
|
||||
pie? ( !static )
|
||||
static? ( !kerberos !pam )
|
||||
X509? ( !sctp ssl !xmss )
|
||||
xmss? ( ssl )
|
||||
test? ( ssl )
|
||||
"
|
||||
|
||||
# tests currently fail with XMSS
|
||||
REQUIRED_USE+="test? ( !xmss )"
|
||||
|
||||
# Blocker on older gcc-config for bug #872416
|
||||
LIB_DEPEND="
|
||||
!<sys-devel/gcc-config-2.6
|
||||
audit? ( sys-process/audit[static-libs(+)] )
|
||||
ldns? (
|
||||
net-libs/ldns[static-libs(+)]
|
||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
||||
)
|
||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
||||
virtual/libcrypt:=[static-libs(+)]
|
||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
||||
"
|
||||
RDEPEND="
|
||||
acct-group/sshd
|
||||
acct-user/sshd
|
||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
||||
pam? ( sys-libs/pam )
|
||||
kerberos? ( virtual/krb5 )
|
||||
"
|
||||
DEPEND="${RDEPEND}
|
||||
virtual/os-headers
|
||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
||||
static? ( ${LIB_DEPEND} )
|
||||
"
|
||||
RDEPEND="${RDEPEND}
|
||||
pam? ( >=sys-auth/pambase-20081028 )
|
||||
!prefix? ( sys-apps/shadow )
|
||||
X? ( x11-apps/xauth )
|
||||
"
|
||||
# Weird dep construct for newer gcc-config for bug #872416
|
||||
BDEPEND="
|
||||
sys-devel/autoconf
|
||||
virtual/pkgconfig
|
||||
|| (
|
||||
>=sys-devel/gcc-config-2.6
|
||||
>=sys-devel/clang-toolchain-symlinks-14-r1:14
|
||||
>=sys-devel/clang-toolchain-symlinks-15-r1:15
|
||||
>=sys-devel/clang-toolchain-symlinks-16-r1:*
|
||||
)
|
||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
||||
"
|
||||
|
||||
PATCHES=(
|
||||
"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
|
||||
"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
|
||||
"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
|
||||
"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
|
||||
"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
|
||||
"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
|
||||
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
|
||||
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
|
||||
"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
|
||||
)
|
||||
|
||||
pkg_pretend() {
|
||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
||||
# than not be able to log in to their server any more
|
||||
local missing=()
|
||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
||||
check_feature hpn HPN_VER
|
||||
check_feature sctp SCTP_PATCH
|
||||
check_feature X509 X509_PATCH
|
||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
||||
eerror "Sorry, but this version does not yet support features"
|
||||
eerror "that you requested: ${missing[*]}"
|
||||
eerror "Please mask ${PF} for now and check back later:"
|
||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
||||
die "Missing requested third party patch."
|
||||
fi
|
||||
|
||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
||||
fi
|
||||
}
|
||||
|
||||
src_unpack() {
|
||||
default
|
||||
|
||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
sed -i \
|
||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
||||
pathnames.h || die
|
||||
|
||||
# don't break .ssh/authorized_keys2 for fun
|
||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
||||
|
||||
eapply "${PATCHES[@]}"
|
||||
|
||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
||||
|
||||
local PATCHSET_VERSION_MACROS=()
|
||||
|
||||
if use X509 ; then
|
||||
pushd "${WORKDIR}" &>/dev/null || die
|
||||
eapply "${WORKDIR}/${X509_GLUE_PATCH}"
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
||||
|
||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
||||
# error
|
||||
einfo "Patching package version for X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
||||
|
||||
einfo "Patching version.h to expose X.509 patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
||||
fi
|
||||
|
||||
if use sctp ; then
|
||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
||||
|
||||
einfo "Patching version.h to expose SCTP patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
||||
|
||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
||||
sed -i \
|
||||
-e "/\t\tcfgparse \\\/d" \
|
||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
||||
fi
|
||||
|
||||
if use hpn ; then
|
||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
||||
mkdir "${hpn_patchdir}" || die
|
||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
||||
eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
|
||||
use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
|
||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
||||
popd &>/dev/null || die
|
||||
|
||||
eapply "${hpn_patchdir}"
|
||||
|
||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
||||
|
||||
einfo "Patching Makefile.in for HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
||||
|
||||
einfo "Patching version.h to expose HPN patch set ..."
|
||||
sed -i \
|
||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
||||
|
||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
||||
|
||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
||||
|
||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
||||
# and therefore disabled per default.
|
||||
DisableMTAES yes
|
||||
EOF
|
||||
sed -i \
|
||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
||||
|
||||
sed -i \
|
||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
||||
fi
|
||||
fi
|
||||
|
||||
if use X509 || use sctp || use hpn ; then
|
||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
||||
|
||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
||||
sed -i \
|
||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
||||
|
||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
||||
sed -i \
|
||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
||||
fi
|
||||
|
||||
sed -i \
|
||||
-e "/#UseLogin no/d" \
|
||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
||||
|
||||
eapply_user #473004
|
||||
|
||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
||||
sed -e '/\t\tpercent \\/ d' \
|
||||
-i regress/Makefile || die
|
||||
|
||||
tc-export PKG_CONFIG
|
||||
local sed_args=(
|
||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
||||
# Disable PATH reset, trust what portage gives us #254615
|
||||
-e 's:^PATH=/:#PATH=/:'
|
||||
# Disable fortify flags ... our gcc does this for us
|
||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
||||
)
|
||||
|
||||
# The -ftrapv flag ICEs on hppa #505182
|
||||
use hppa && sed_args+=(
|
||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
||||
)
|
||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
||||
-e 's/-D_XOPEN_SOURCE//'
|
||||
)
|
||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
||||
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
addwrite /dev/ptmx
|
||||
|
||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
||||
use static && append-ldflags -static
|
||||
use xmss && append-cflags -DWITH_XMSS
|
||||
|
||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
||||
# doesn't check for this, so force the replacement to be put in
|
||||
# place
|
||||
append-cppflags -DBROKEN_GLOB
|
||||
fi
|
||||
|
||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
||||
|
||||
local myconf=(
|
||||
--with-ldflags="${LDFLAGS}"
|
||||
--disable-strip
|
||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
||||
--datadir="${EPREFIX}"/usr/share/openssh
|
||||
--with-privsep-path="${EPREFIX}"/var/empty
|
||||
--with-privsep-user=sshd
|
||||
$(use_with audit audit linux)
|
||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
||||
# unconditionally else we get unknown flag warnings.
|
||||
$(use sctp && use_with sctp)
|
||||
$(use_with ldns)
|
||||
$(use_with libedit)
|
||||
$(use_with pam)
|
||||
$(use_with pie)
|
||||
$(use_with selinux)
|
||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
||||
$(use_with ssl openssl)
|
||||
$(use_with ssl ssl-engine)
|
||||
$(use_with !elibc_Cygwin hardening) #659210
|
||||
)
|
||||
|
||||
if use elibc_musl; then
|
||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
||||
# https://bugs.gentoo.org/753230
|
||||
myconf+=( --disable-utmp --disable-wtmp )
|
||||
fi
|
||||
|
||||
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
|
||||
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
|
||||
tc-is-clang && myconf+=( --without-hardening )
|
||||
|
||||
econf "${myconf[@]}"
|
||||
}
|
||||
|
||||
src_test() {
|
||||
local tests=( compat-tests )
|
||||
local shell=$(egetshell "${UID}")
|
||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
||||
ewarn "user, so we will run a subset only."
|
||||
tests+=( interop-tests )
|
||||
else
|
||||
tests+=( tests )
|
||||
fi
|
||||
|
||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
||||
mkdir -p "${HOME}"/.ssh || die
|
||||
emake -j1 "${tests[@]}" </dev/null
|
||||
}
|
||||
|
||||
# Gentoo tweaks to default config files.
|
||||
tweak_ssh_configs() {
|
||||
local locale_vars=(
|
||||
# These are language variables that POSIX defines.
|
||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
||||
|
||||
# These are the GNU extensions.
|
||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
||||
)
|
||||
|
||||
# First the server config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
||||
|
||||
# Allow client to pass locale environment variables. #367017
|
||||
AcceptEnv ${locale_vars[*]}
|
||||
|
||||
# Allow client to pass COLORTERM to match TERM. #658540
|
||||
AcceptEnv COLORTERM
|
||||
EOF
|
||||
|
||||
# Then the client config.
|
||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
||||
|
||||
# Send locale environment variables. #367017
|
||||
SendEnv ${locale_vars[*]}
|
||||
|
||||
# Send COLORTERM to match TERM. #658540
|
||||
SendEnv COLORTERM
|
||||
EOF
|
||||
|
||||
if use pam ; then
|
||||
sed -i \
|
||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
|
||||
if use livecd ; then
|
||||
sed -i \
|
||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
||||
"${ED}"/etc/ssh/sshd_config || die
|
||||
fi
|
||||
}
|
||||
|
||||
src_install() {
|
||||
emake install-nokeys DESTDIR="${D}"
|
||||
fperms 600 /etc/ssh/sshd_config
|
||||
dobin contrib/ssh-copy-id
|
||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
||||
|
||||
if use pam; then
|
||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
||||
fi
|
||||
|
||||
tweak_ssh_configs
|
||||
|
||||
doman contrib/ssh-copy-id.1
|
||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
||||
use hpn && dodoc HPN-README
|
||||
use X509 || dodoc ChangeLog
|
||||
|
||||
diropts -m 0700
|
||||
dodir /etc/skel/.ssh
|
||||
rmdir "${ED}"/var/empty || die
|
||||
|
||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
||||
}
|
||||
|
||||
pkg_preinst() {
|
||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
||||
show_ssl_warning=1
|
||||
fi
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
local old_ver
|
||||
for old_ver in ${REPLACING_VERSIONS}; do
|
||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
||||
elog "be an alternative for you as it supports USE=tcpd."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
||||
elog "You should however generate new keys using rsa or ed25519."
|
||||
|
||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
||||
elog "if you need to authenticate against LDAP."
|
||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
||||
fi
|
||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
||||
ewarn "connection is generally safe."
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ -n ${show_ssl_warning} ]]; then
|
||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
||||
elog "and update all clients/servers that utilize them."
|
||||
fi
|
||||
|
||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
||||
elog ""
|
||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
||||
elog "and therefore disabled at runtime per default."
|
||||
elog "Make sure your sshd_config is up to date and contains"
|
||||
elog ""
|
||||
elog " DisableMTAES yes"
|
||||
elog ""
|
||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
||||
elog ""
|
||||
fi
|
||||
}
|
Loading…
Reference in a new issue