net-misc/openssh: Adding 9.8 with DSA
Signed-off-by: Alarig Le Lay <alarig@swordarmor.fr>
This commit is contained in:
parent
ad03cb1d56
commit
daf5deef90
|
@ -1,17 +0,0 @@
|
||||||
BDEPEND=virtual/pkgconfig sys-devel/autoconf verify-sig? ( sec-keys/openpgp-keys-openssh ) >=app-portage/elt-patches-20240116 sys-devel/gnuconfig || ( >=dev-build/automake-1.17-r1:1.17 >=dev-build/automake-1.16.5:1.16 ) || ( >=dev-build/autoconf-2.72-r1:2.72 >=dev-build/autoconf-2.71-r6:2.71 ) >=dev-build/libtool-2.4.7-r3 virtual/pkgconfig verify-sig? ( app-crypt/gnupg >=app-portage/gemato-20 )
|
|
||||||
DEFINED_PHASES=configure install postinst preinst prepare pretend test unpack
|
|
||||||
DEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] )
|
|
||||||
DESCRIPTION=Port of OpenBSD's free SSH release
|
|
||||||
EAPI=7
|
|
||||||
HOMEPAGE=https://www.openssh.com/
|
|
||||||
INHERIT=user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
IUSE=abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss verify-sig
|
|
||||||
KEYWORDS=~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
|
|
||||||
LICENSE=BSD GPL-2
|
|
||||||
RDEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow ) X? ( x11-apps/xauth )
|
|
||||||
REQUIRED_USE=hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) test? ( !xmss )
|
|
||||||
RESTRICT=!test? ( test )
|
|
||||||
SLOT=0
|
|
||||||
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-8.9p1.tar.gz sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-8.9p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-AES-CTR-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-PeakTput-15.2.diff ) X509? ( https://roumenpetrov.info/openssh/x509-13.3.1/openssh-8.9p1+x509-13.3.1.diff.gz ) verify-sig? ( mirror://openbsd/OpenSSH/portable/openssh-8.9p1.tar.gz.asc )
|
|
||||||
_eclasses_=user-info 9951b1a0e4f026d16c33a001fd2d5cdf toolchain-funcs e56c7649b804f051623c8bc1a1c44084 multilib c19072c3cd7ac5cb21de013f7e9832e0 flag-o-matic e503ea5acc20410237ba33ec3f7c857d gnuconfig a397adda6984a4c423e28ac274c1ba98 libtool 5f49a16f67f81bdf873e3d1f10b10001 autotools d12ccbad07b44642a75ac97a3334d8e0 pam b56d0c9c20fc5b553f13c8ae165a10a5 systemd c8b03e8df84486aa991d4396686e8942 verify-sig a79ba011daaf532d71a219182474d150
|
|
||||||
_md5_=1510cd76f10f52edf43a5149b69cba5a
|
|
|
@ -1,17 +0,0 @@
|
||||||
BDEPEND=virtual/pkgconfig sys-devel/autoconf verify-sig? ( sec-keys/openpgp-keys-openssh ) >=app-portage/elt-patches-20240116 sys-devel/gnuconfig || ( >=dev-build/automake-1.17-r1:1.17 >=dev-build/automake-1.16.5:1.16 ) || ( >=dev-build/autoconf-2.72-r1:2.72 >=dev-build/autoconf-2.71-r6:2.71 ) >=dev-build/libtool-2.4.7-r3 virtual/pkgconfig verify-sig? ( app-crypt/gnupg >=app-portage/gemato-20 )
|
|
||||||
DEFINED_PHASES=configure install postinst preinst prepare pretend test unpack
|
|
||||||
DEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] )
|
|
||||||
DESCRIPTION=Port of OpenBSD's free SSH release
|
|
||||||
EAPI=7
|
|
||||||
HOMEPAGE=https://www.openssh.com/
|
|
||||||
INHERIT=user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
IUSE=abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss verify-sig
|
|
||||||
KEYWORDS=~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
|
|
||||||
LICENSE=BSD GPL-2
|
|
||||||
RDEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow ) X? ( x11-apps/xauth )
|
|
||||||
REQUIRED_USE=hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) test? ( !xmss )
|
|
||||||
RESTRICT=!test? ( test )
|
|
||||||
SLOT=0
|
|
||||||
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-9.0p1.tar.gz sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.0p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-AES-CTR-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-PeakTput-15.2.diff ) X509? ( https://roumenpetrov.info/openssh/x509-13.4.1/openssh-9.0p1+x509-13.4.1.diff.gz ) verify-sig? ( mirror://openbsd/OpenSSH/portable/openssh-9.0p1.tar.gz.asc )
|
|
||||||
_eclasses_=user-info 9951b1a0e4f026d16c33a001fd2d5cdf toolchain-funcs e56c7649b804f051623c8bc1a1c44084 multilib c19072c3cd7ac5cb21de013f7e9832e0 flag-o-matic e503ea5acc20410237ba33ec3f7c857d gnuconfig a397adda6984a4c423e28ac274c1ba98 libtool 5f49a16f67f81bdf873e3d1f10b10001 autotools d12ccbad07b44642a75ac97a3334d8e0 pam b56d0c9c20fc5b553f13c8ae165a10a5 systemd c8b03e8df84486aa991d4396686e8942 verify-sig a79ba011daaf532d71a219182474d150
|
|
||||||
_md5_=a6f656c8b0544adc582831dd6d7148b4
|
|
|
@ -1,17 +0,0 @@
|
||||||
BDEPEND=sys-devel/autoconf virtual/pkgconfig || ( >=sys-devel/gcc-config-2.6 >=sys-devel/clang-toolchain-symlinks-14-r1:14 >=sys-devel/clang-toolchain-symlinks-15-r1:15 >=sys-devel/clang-toolchain-symlinks-16-r1:* ) verify-sig? ( sec-keys/openpgp-keys-openssh ) >=app-portage/elt-patches-20240116 sys-devel/gnuconfig || ( >=dev-build/automake-1.17-r1:1.17 >=dev-build/automake-1.16.5:1.16 ) || ( >=dev-build/autoconf-2.72-r1:2.72 >=dev-build/autoconf-2.71-r6:2.71 ) >=dev-build/libtool-2.4.7-r3 virtual/pkgconfig verify-sig? ( app-crypt/gnupg >=app-portage/gemato-20 )
|
|
||||||
DEFINED_PHASES=configure install postinst preinst prepare pretend test unpack
|
|
||||||
DEPEND=acct-group/sshd acct-user/sshd !static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] )
|
|
||||||
DESCRIPTION=Port of OpenBSD's free SSH release
|
|
||||||
EAPI=7
|
|
||||||
HOMEPAGE=https://www.openssh.com/
|
|
||||||
INHERIT=user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
IUSE=abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss verify-sig
|
|
||||||
KEYWORDS=~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
|
|
||||||
LICENSE=BSD GPL-2
|
|
||||||
RDEPEND=acct-group/sshd acct-user/sshd !static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow ) X? ( x11-apps/xauth )
|
|
||||||
REQUIRED_USE=hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) test? ( !xmss )
|
|
||||||
RESTRICT=!test? ( test )
|
|
||||||
SLOT=0
|
|
||||||
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-9.0p1.tar.gz sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.0p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-AES-CTR-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-PeakTput-15.2.diff ) X509? ( https://roumenpetrov.info/openssh/x509-13.4.1/openssh-9.0p1+x509-13.4.1.diff.gz ) verify-sig? ( mirror://openbsd/OpenSSH/portable/openssh-9.0p1.tar.gz.asc )
|
|
||||||
_eclasses_=user-info 9951b1a0e4f026d16c33a001fd2d5cdf toolchain-funcs e56c7649b804f051623c8bc1a1c44084 multilib c19072c3cd7ac5cb21de013f7e9832e0 flag-o-matic e503ea5acc20410237ba33ec3f7c857d gnuconfig a397adda6984a4c423e28ac274c1ba98 libtool 5f49a16f67f81bdf873e3d1f10b10001 autotools d12ccbad07b44642a75ac97a3334d8e0 pam b56d0c9c20fc5b553f13c8ae165a10a5 systemd c8b03e8df84486aa991d4396686e8942 verify-sig a79ba011daaf532d71a219182474d150
|
|
||||||
_md5_=71009e515de774359f52ac6fe8adaab6
|
|
|
@ -1,17 +0,0 @@
|
||||||
BDEPEND=sys-devel/autoconf virtual/pkgconfig || ( >=sys-devel/gcc-config-2.6 >=sys-devel/clang-toolchain-symlinks-14-r1:14 >=sys-devel/clang-toolchain-symlinks-15-r1:15 >=sys-devel/clang-toolchain-symlinks-16-r1:* ) verify-sig? ( sec-keys/openpgp-keys-openssh ) >=app-portage/elt-patches-20240116 sys-devel/gnuconfig || ( >=dev-build/automake-1.17-r1:1.17 >=dev-build/automake-1.16.5:1.16 ) || ( >=dev-build/autoconf-2.72-r1:2.72 >=dev-build/autoconf-2.71-r6:2.71 ) >=dev-build/libtool-2.4.7-r3 virtual/pkgconfig verify-sig? ( app-crypt/gnupg >=app-portage/gemato-20 )
|
|
||||||
DEFINED_PHASES=configure install postinst preinst prepare pretend test unpack
|
|
||||||
DEPEND=acct-group/sshd acct-user/sshd !static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] )
|
|
||||||
DESCRIPTION=Port of OpenBSD's free SSH release
|
|
||||||
EAPI=7
|
|
||||||
HOMEPAGE=https://www.openssh.com/
|
|
||||||
INHERIT=user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
IUSE=abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss verify-sig
|
|
||||||
KEYWORDS=~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
|
|
||||||
LICENSE=BSD GPL-2
|
|
||||||
RDEPEND=acct-group/sshd acct-user/sshd !static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow ) X? ( x11-apps/xauth )
|
|
||||||
REQUIRED_USE=hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) test? ( !xmss )
|
|
||||||
RESTRICT=!test? ( test )
|
|
||||||
SLOT=0
|
|
||||||
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-9.1p1.tar.gz sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-AES-CTR-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-PeakTput-15.2.diff https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1_p1-hpn-15.2-glue.patch.xz ) X509? ( https://roumenpetrov.info/openssh/x509-13.5/openssh-9.1p1+x509-13.5.diff.gz https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1_p1-X509-glue-13.5.patch.xz hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz ) ) verify-sig? ( mirror://openbsd/OpenSSH/portable/openssh-9.1p1.tar.gz.asc )
|
|
||||||
_eclasses_=user-info 9951b1a0e4f026d16c33a001fd2d5cdf toolchain-funcs e56c7649b804f051623c8bc1a1c44084 multilib c19072c3cd7ac5cb21de013f7e9832e0 flag-o-matic e503ea5acc20410237ba33ec3f7c857d gnuconfig a397adda6984a4c423e28ac274c1ba98 libtool 5f49a16f67f81bdf873e3d1f10b10001 autotools d12ccbad07b44642a75ac97a3334d8e0 pam b56d0c9c20fc5b553f13c8ae165a10a5 systemd c8b03e8df84486aa991d4396686e8942 verify-sig a79ba011daaf532d71a219182474d150
|
|
||||||
_md5_=eb45cc2012ca5ed3f651c8ff09d93408
|
|
|
@ -1,17 +0,0 @@
|
||||||
BDEPEND=sys-devel/autoconf virtual/pkgconfig || ( >=sys-devel/gcc-config-2.6 >=sys-devel/clang-toolchain-symlinks-14-r1:14 >=sys-devel/clang-toolchain-symlinks-15-r1:15 >=sys-devel/clang-toolchain-symlinks-16-r1:* ) verify-sig? ( sec-keys/openpgp-keys-openssh ) >=app-portage/elt-patches-20240116 sys-devel/gnuconfig || ( >=dev-build/automake-1.17-r1:1.17 >=dev-build/automake-1.16.5:1.16 ) || ( >=dev-build/autoconf-2.72-r1:2.72 >=dev-build/autoconf-2.71-r6:2.71 ) >=dev-build/libtool-2.4.7-r3 virtual/pkgconfig verify-sig? ( app-crypt/gnupg >=app-portage/gemato-20 )
|
|
||||||
DEFINED_PHASES=configure install postinst preinst prepare pretend test unpack
|
|
||||||
DEPEND=acct-group/sshd acct-user/sshd !static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] )
|
|
||||||
DESCRIPTION=Port of OpenBSD's free SSH release
|
|
||||||
EAPI=7
|
|
||||||
HOMEPAGE=https://www.openssh.com/
|
|
||||||
INHERIT=user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
IUSE=abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss verify-sig
|
|
||||||
KEYWORDS=~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
|
|
||||||
LICENSE=BSD GPL-2
|
|
||||||
RDEPEND=acct-group/sshd acct-user/sshd !static? ( !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow ) X? ( x11-apps/xauth )
|
|
||||||
REQUIRED_USE=hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) test? ( !xmss )
|
|
||||||
RESTRICT=!test? ( test )
|
|
||||||
SLOT=0
|
|
||||||
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-9.1p1.tar.gz sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-AES-CTR-15.2.diff mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%2015v2%208.5p1/openssh-8_5_P1-hpn-PeakTput-15.2.diff https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1_p1-hpn-15.2-glue.patch.xz ) X509? ( https://roumenpetrov.info/openssh/x509-14.0.1/openssh-9.1p1+x509-14.0.1.diff.gz https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1_p1-X509-glue-14.0.1.patch.xz hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/openssh-9.1_p1-hpn-15.2-X509-14.0.1-glue.patch.xz ) ) verify-sig? ( mirror://openbsd/OpenSSH/portable/openssh-9.1p1.tar.gz.asc )
|
|
||||||
_eclasses_=user-info 9951b1a0e4f026d16c33a001fd2d5cdf toolchain-funcs e56c7649b804f051623c8bc1a1c44084 multilib c19072c3cd7ac5cb21de013f7e9832e0 flag-o-matic e503ea5acc20410237ba33ec3f7c857d gnuconfig a397adda6984a4c423e28ac274c1ba98 libtool 5f49a16f67f81bdf873e3d1f10b10001 autotools d12ccbad07b44642a75ac97a3334d8e0 pam b56d0c9c20fc5b553f13c8ae165a10a5 systemd c8b03e8df84486aa991d4396686e8942 verify-sig a79ba011daaf532d71a219182474d150
|
|
||||||
_md5_=39e9098a365c72cff654a7e2f348a46b
|
|
17
metadata/md5-cache/net-misc/openssh-9.8_p1-r2
Normal file
17
metadata/md5-cache/net-misc/openssh-9.8_p1-r2
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
BDEPEND=dev-build/autoconf virtual/pkgconfig verify-sig? ( sec-keys/openpgp-keys-openssh ) >=app-portage/elt-patches-20240116 sys-devel/gnuconfig || ( >=dev-build/automake-1.17-r1:1.17 >=dev-build/automake-1.16.5:1.16 ) || ( >=dev-build/autoconf-2.72-r1:2.72 >=dev-build/autoconf-2.71-r6:2.71 ) >=dev-build/libtool-2.4.7-r3 virtual/pkgconfig verify-sig? ( app-crypt/gnupg >=app-portage/gemato-20 )
|
||||||
|
DEFINED_PHASES=compile configure install postinst preinst prepare pretend test unpack
|
||||||
|
DEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) virtual/os-headers kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) virtual/libcrypt:=[static-libs(+)] >=sys-libs/zlib-1.2.3:=[static-libs(+)] )
|
||||||
|
DESCRIPTION=Port of OpenBSD's free SSH release
|
||||||
|
EAPI=8
|
||||||
|
HOMEPAGE=https://www.openssh.com/
|
||||||
|
INHERIT=user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig
|
||||||
|
IUSE=abi_mips_n32 audit debug dss kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss verify-sig
|
||||||
|
KEYWORDS=~alpha amd64 arm ~arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris
|
||||||
|
LICENSE=BSD GPL-2
|
||||||
|
RDEPEND=acct-group/sshd acct-user/sshd !static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:= ) security-key? ( >=dev-libs/libfido2-1.5.0:= ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0= ) virtual/libcrypt:= >=sys-libs/zlib-1.2.3:= ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) !net-misc/openssh-contrib pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow )
|
||||||
|
REQUIRED_USE=ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) xmss? ( ssl ) test? ( ssl ) test? ( !xmss )
|
||||||
|
RESTRICT=!test? ( test )
|
||||||
|
SLOT=0
|
||||||
|
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-9.8p1.tar.gz verify-sig? ( mirror://openbsd/OpenSSH/portable/openssh-9.8p1.tar.gz.asc )
|
||||||
|
_eclasses_=user-info 9951b1a0e4f026d16c33a001fd2d5cdf toolchain-funcs d3d42b22a610ce81c267b644bcec9b87 multilib b2a329026f2e404e9e371097dda47f96 flag-o-matic f14aba975c94ccaa9f357a27e3b17ffe gnuconfig ddeb9f8caff1b5f71a09c75b7534df79 libtool 6b28392a775f807c8be5fc7ec9a605b9 autotools 7d91cc798a8afd8f4e0c6e9587296ebe optfeature 222cb475c5a4f7ae7cfb0bf510a6fe54 pam b56d0c9c20fc5b553f13c8ae165a10a5 systemd 54bd206bb5c4efac6ae28b6b006713b0 verify-sig a79ba011daaf532d71a219182474d150
|
||||||
|
_md5_=3051a3cadd441fcadcbe20edc264d2f5
|
|
@ -1,21 +1,2 @@
|
||||||
DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13
|
DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
|
||||||
DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b
|
DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
|
||||||
DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b
|
|
||||||
DIST openssh-8.9p1.tar.gz.asc 833 BLAKE2B fd44a5545bd0795ee335e480011dbe3c12011dc05b8722fb257bf4c7e8067ab4b515293cf73d23d57b6cf6980eb4e49251b026af9498a237365c5b0440226898 SHA512 fd0bbd285ff2f8791f5a512f087f32bce026b716d5ac213cd4ef28f08722601fb943514bee71b2ac4b9f9363e2f120ce6c60fed952d1d8e53dbcf2a6fe2e706b
|
|
||||||
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
|
|
||||||
DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
|
|
||||||
DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
|
|
||||||
DIST openssh-9.0p1+x509-13.4.1.diff.gz 1146757 BLAKE2B 070d6bc23179a581e4fe79412274f11399009ba69ad643cc354ec9cd6392ffb0a651fd2d7f310c52c60a9c626140b9c823e2f19c600f15ac9cdf992707274bcb SHA512 4aaa86c1a785741b28c5e2738cf6de6fa7965ac8692165a8b18fe7677aeb0996979f23b45306781e6be75d34fb39294659be5ae016ab4a82ef2a73bedcc6e8e7
|
|
||||||
DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3
|
|
||||||
DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
|
|
||||||
DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
|
|
||||||
DIST openssh-9.1_p1-X509-glue-13.5.patch.xz 1092 BLAKE2B 19da945547472048d01a6ec26f28cba11afe1a0590a115582d1e21a852b6b66589b091ab4440d57952200522318aeffb7d9404e53f9532ae80e47685c24c4097 SHA512 96de9f59bacfd99aa9ef03362d55d88b3eea0acc57a11fb72e5c612bfb0f5e48455b0a0d0add9a8a5524b9d4701f47db1ff7859f1d3c2a12947b27292961cbd5
|
|
||||||
DIST openssh-9.1_p1-X509-glue-14.0.1.patch.xz 1096 BLAKE2B cf5568982c9b2b69ee9f99f3e80459aed7b89f1350362e550ae8db3e5eee4a6d2e07879f962262a05c9745d39f34a3ae83792595c61f0ac287226ee9e0ec2a1b SHA512 18c65c97cc8c436fa8e28c0ad9f0a3874f1fb745d75e0bfb76c180bc148ae14a5f6cc5c2b2fa7261d76a8e1234f28fe869bd7f64ed282bf39c88cc3f20932be5
|
|
||||||
DIST openssh-9.1_p1-hpn-15.2-X509-14.0.1-glue.patch.xz 5536 BLAKE2B 4629e62287f2bc36fe1eb830e4c47c5482e36650c1e725978e150e4f2a233d58b5bd1286024bdbef4d05586bb3e5d13c51fbd191dfe7429fdb06a278c564a777 SHA512 03467605b57ab3fb7ef2a9be175cf3708fa92234f3f0abfa74ea371c9ee90f2c01a3311022e282823c7bb67249d65aabf89f1574b917dc798c51847e57b0e33f
|
|
||||||
DIST openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz 5504 BLAKE2B 776b467ddde16e268536c5632b028a32db22b26d7bc11e2a9fa6c8e29528be3eb781066d6b30fb2f561a73a24c34a29963fcd7c872aa92dc19d715d8ffbf2cbe SHA512 aa753da5f75d90165f5922ead1dd495a15a4c581360d5862ec6f802caea54055da8e308c1919efa8e78b31a7ea082f8693dda0ab84ccee414c562ec062c50fb1
|
|
||||||
DIST openssh-9.1_p1-hpn-15.2-glue.patch.xz 3840 BLAKE2B 06fb14d8c6f52f1c6fae7971fc4da810c814d7b52063f8cc7e83356baa7ed70c84476c1d1cc896eba6d0d51813dc994e3c82278e66c04998431c8123a09fe7df SHA512 99c88c08fb384336a9680629bc04a89121780d64ee8b03ac164c4e446cc30b865004292e98516b6f857bd75e1b4393291427c046ffcabc1578629e6075636cbf
|
|
||||||
DIST openssh-9.1p1+x509-13.5.diff.gz 1213948 BLAKE2B 5663a1c865c80f590642bb855f7d7a17e71e0db099deb4cea5750cfe734bd506b70a1b266fccc2a58174ae2b1b96a7f1ced56382d5d7e741b07e46422b03f7e6 SHA512 70a1f12e98b8fa8170c208803ee482aea2fcf6b9e41ecada5fabaa0288ed5a32574f42a7b50718bb484978f3c65f50e55966c9f555a9de100dc8d695b9aec531
|
|
||||||
DIST openssh-9.1p1+x509-14.0.1.diff.gz 1236304 BLAKE2B 389e652a7cca4d7322d784e516a9454b0c6cb540a64aa47c0b14ac80bd9ad5aa7aa72a00dbc9024aa7c1186b19f2c62f179b8a6463085dd1bdde15fd44e451e5 SHA512 da754497f3f7d173b273f710dab2e7dbc5bf5257c95e661687ff4dd6b5e1c696ac031785850d9a9eb5669f728cbe4fe26d256a7cbd6f137ecadaf38f153770d1
|
|
||||||
DIST openssh-9.1p1-sctp-1.2.patch.xz 6772 BLAKE2B 8393c1ca5f0df7e4d490cef5c38d50d45da83a9c3f650e9af15d95825f9e682a6aaf6a0e85fc1704d41d6567aec8f0b34e43b20652e0141008ccdbe91426dfac SHA512 6750394d0fb7b7f93a0e4f94204e53277cc341c5b2427130559e443557dbb95f2e85a71cfe8d40cfa17dd015b0f3880f79a1f868374e60e94e8385c9b45acec5
|
|
||||||
DIST openssh-9.1p1.tar.gz 1838747 BLAKE2B 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 SHA512 a1f02c407f6b621b1d0817d1a0c9a6839b67e416c84f3b76c63003b119035b24c19a1564b22691d1152e1d2d55f4dc7eb1af2d2318751e431a99c4efa77edc70
|
|
||||||
DIST openssh-9.1p1.tar.gz.asc 833 BLAKE2B 83efe3c705f6a02c25a9fc9bac2a4efd77470598d9e0fcb86dff2d265c58cffec1afecad3621769b2bd78ac25884f0ee20ae9b311e895db93e3bb552dffd6e74 SHA512 47dc7295f9694250bcbb86d7ca0830a47da4f3df7795bb05ebaf1590284ccce5317022c536bea1b09bd2fa4d8013295cc0de287ebe3f9dc605582077e9f11ddd
|
|
||||||
|
|
|
@ -1,17 +0,0 @@
|
||||||
the last nibble of the openssl version represents the status. that is,
|
|
||||||
whether it is a beta or release. when it comes to version checks in
|
|
||||||
openssh, this component does not matter, so ignore it.
|
|
||||||
|
|
||||||
https://bugzilla.mindrot.org/show_bug.cgi?id=2212
|
|
||||||
|
|
||||||
--- a/openbsd-compat/openssl-compat.c
|
|
||||||
+++ b/openbsd-compat/openssl-compat.c
|
|
||||||
@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
|
|
||||||
* For versions >= 1.0.0, major,minor,status must match and library
|
|
||||||
* fix version must be equal to or newer than the header.
|
|
||||||
*/
|
|
||||||
- mask = 0xfff0000fL; /* major,minor,status */
|
|
||||||
+ mask = 0xfff00000L; /* major,minor,status */
|
|
||||||
hfix = (headerver & 0x000ff000) >> 12;
|
|
||||||
lfix = (libver & 0x000ff000) >> 12;
|
|
||||||
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
|
|
|
@ -1,20 +0,0 @@
|
||||||
Disable conch interop tests which are failing when called
|
|
||||||
via portage for yet unknown reason and because using conch
|
|
||||||
seems to be flaky (test is failing when using Python2 but
|
|
||||||
passing when using Python3).
|
|
||||||
|
|
||||||
Bug: https://bugs.gentoo.org/605446
|
|
||||||
|
|
||||||
--- a/regress/conch-ciphers.sh
|
|
||||||
+++ b/regress/conch-ciphers.sh
|
|
||||||
@@ -3,6 +3,10 @@
|
|
||||||
|
|
||||||
tid="conch ciphers"
|
|
||||||
|
|
||||||
+# https://bugs.gentoo.org/605446
|
|
||||||
+echo "conch interop tests skipped due to Gentoo bug #605446"
|
|
||||||
+exit 0
|
|
||||||
+
|
|
||||||
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
|
|
||||||
echo "conch interop tests not enabled"
|
|
||||||
exit 0
|
|
|
@ -1,48 +0,0 @@
|
||||||
diff --git a/auth-options.c b/auth-options.c
|
|
||||||
index b05d6d6f..d1f42f04 100644
|
|
||||||
--- a/auth-options.c
|
|
||||||
+++ b/auth-options.c
|
|
||||||
@@ -26,6 +26,7 @@
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
#include <limits.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
|
|
||||||
diff --git a/hmac.c b/hmac.c
|
|
||||||
index 1c879640..a29f32c5 100644
|
|
||||||
--- a/hmac.c
|
|
||||||
+++ b/hmac.c
|
|
||||||
@@ -19,6 +19,7 @@
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "digest.h"
|
|
||||||
diff --git a/krl.c b/krl.c
|
|
||||||
index 8e2d5d5d..c32e147a 100644
|
|
||||||
--- a/krl.c
|
|
||||||
+++ b/krl.c
|
|
||||||
@@ -28,6 +28,7 @@
|
|
||||||
#include <string.h>
|
|
||||||
#include <time.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "ssherr.h"
|
|
||||||
diff --git a/mac.c b/mac.c
|
|
||||||
index 51dc11d7..3d11eba6 100644
|
|
||||||
--- a/mac.c
|
|
||||||
+++ b/mac.c
|
|
||||||
@@ -29,6 +29,7 @@
|
|
||||||
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
|
|
||||||
#include "digest.h"
|
|
||||||
#include "hmac.h"
|
|
|
@ -1,31 +0,0 @@
|
||||||
From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lonnie Abelbeck <lonnie@abelbeck.com>
|
|
||||||
Date: Tue, 1 Oct 2019 09:05:09 -0500
|
|
||||||
Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
|
|
||||||
|
|
||||||
New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
|
|
||||||
in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
|
|
||||||
---
|
|
||||||
sandbox-seccomp-filter.c | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index 840c5232b..39dc289e3 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
#ifdef __NR_stat64
|
|
||||||
SC_DENY(__NR_stat64, EACCES),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_shmget
|
|
||||||
+ SC_DENY(__NR_shmget, EACCES),
|
|
||||||
+#endif
|
|
||||||
+#ifdef __NR_shmat
|
|
||||||
+ SC_DENY(__NR_shmat, EACCES),
|
|
||||||
+#endif
|
|
||||||
+#ifdef __NR_shmdt
|
|
||||||
+ SC_DENY(__NR_shmdt, EACCES),
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Syscalls to permit */
|
|
||||||
#ifdef __NR_brk
|
|
|
@ -1,57 +0,0 @@
|
||||||
Make sure that host keys are already accepted before
|
|
||||||
running tests.
|
|
||||||
|
|
||||||
https://bugs.gentoo.org/493866
|
|
||||||
|
|
||||||
--- a/regress/putty-ciphers.sh
|
|
||||||
+++ b/regress/putty-ciphers.sh
|
|
||||||
@@ -10,11 +10,17 @@ fi
|
|
||||||
|
|
||||||
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
|
|
||||||
verbose "$tid: cipher $c"
|
|
||||||
+ rm -f ${COPY}
|
|
||||||
cp ${OBJ}/.putty/sessions/localhost_proxy \
|
|
||||||
${OBJ}/.putty/sessions/cipher_$c
|
|
||||||
echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
|
|
||||||
|
|
||||||
- rm -f ${COPY}
|
|
||||||
+ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
|
|
||||||
+ -i ${OBJ}/putty.rsa2 "exit"
|
|
||||||
+ if [ $? -ne 0 ]; then
|
|
||||||
+ fail "failed to pre-cache host key"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
|
|
||||||
cat ${DATA} > ${COPY}
|
|
||||||
if [ $? -ne 0 ]; then
|
|
||||||
--- a/regress/putty-kex.sh
|
|
||||||
+++ b/regress/putty-kex.sh
|
|
||||||
@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
|
|
||||||
${OBJ}/.putty/sessions/kex_$k
|
|
||||||
echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
|
|
||||||
|
|
||||||
+ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
|
|
||||||
+ -i ${OBJ}/putty.rsa2 "exit"
|
|
||||||
+ if [ $? -ne 0 ]; then
|
|
||||||
+ fail "failed to pre-cache host key"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
|
|
||||||
if [ $? -ne 0 ]; then
|
|
||||||
fail "KEX $k failed"
|
|
||||||
--- a/regress/putty-transfer.sh
|
|
||||||
+++ b/regress/putty-transfer.sh
|
|
||||||
@@ -14,6 +14,13 @@ for c in 0 1 ; do
|
|
||||||
cp ${OBJ}/.putty/sessions/localhost_proxy \
|
|
||||||
${OBJ}/.putty/sessions/compression_$c
|
|
||||||
echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
|
|
||||||
+
|
|
||||||
+ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
|
|
||||||
+ -i ${OBJ}/putty.rsa2 "exit"
|
|
||||||
+ if [ $? -ne 0 ]; then
|
|
||||||
+ fail "failed to pre-cache host key"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
env HOME=$PWD ${PLINK} -load compression_$c -batch \
|
|
||||||
-i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
|
|
||||||
if [ $? -ne 0 ]; then
|
|
|
@ -1,18 +0,0 @@
|
||||||
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
|
|
||||||
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
|
|
||||||
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
|
|
||||||
@@ -1414,14 +1414,3 @@
|
|
||||||
# Example of overriding settings on a per-user basis
|
|
||||||
#Match User anoncvs
|
|
||||||
# X11Forwarding no
|
|
||||||
-diff --git a/version.h b/version.h
|
|
||||||
-index 6b4fa372..332fb486 100644
|
|
||||||
---- a/version.h
|
|
||||||
-+++ b/version.h
|
|
||||||
-@@ -3,4 +3,5 @@
|
|
||||||
- #define SSH_VERSION "OpenSSH_8.5"
|
|
||||||
-
|
|
||||||
- #define SSH_PORTABLE "p1"
|
|
||||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
|
||||||
-+#define SSH_HPN "-hpn15v2"
|
|
||||||
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
|
|
|
@ -1,13 +0,0 @@
|
||||||
diff --git a/kex.c b/kex.c
|
|
||||||
index 34808b5c..88d7ccac 100644
|
|
||||||
--- a/kex.c
|
|
||||||
+++ b/kex.c
|
|
||||||
@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
|
|
||||||
if (version_addendum != NULL && *version_addendum == '\0')
|
|
||||||
version_addendum = NULL;
|
|
||||||
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
|
|
||||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
|
||||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
|
|
||||||
version_addendum == NULL ? "" : " ",
|
|
||||||
version_addendum == NULL ? "" : version_addendum)) != 0) {
|
|
||||||
oerrno = errno;
|
|
|
@ -1,357 +0,0 @@
|
||||||
diff --git a/auth.c b/auth.c
|
|
||||||
index 00b168b4..8ee93581 100644
|
|
||||||
--- a/auth.c
|
|
||||||
+++ b/auth.c
|
|
||||||
@@ -729,118 +729,6 @@ fakepw(void)
|
|
||||||
return (&fake);
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * Returns the remote DNS hostname as a string. The returned string must not
|
|
||||||
- * be freed. NB. this will usually trigger a DNS query the first time it is
|
|
||||||
- * called.
|
|
||||||
- * This function does additional checks on the hostname to mitigate some
|
|
||||||
- * attacks on based on conflation of hostnames and IP addresses.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
-static char *
|
|
||||||
-remote_hostname(struct ssh *ssh)
|
|
||||||
-{
|
|
||||||
- struct sockaddr_storage from;
|
|
||||||
- socklen_t fromlen;
|
|
||||||
- struct addrinfo hints, *ai, *aitop;
|
|
||||||
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
|
|
||||||
- const char *ntop = ssh_remote_ipaddr(ssh);
|
|
||||||
-
|
|
||||||
- /* Get IP address of client. */
|
|
||||||
- fromlen = sizeof(from);
|
|
||||||
- memset(&from, 0, sizeof(from));
|
|
||||||
- if (getpeername(ssh_packet_get_connection_in(ssh),
|
|
||||||
- (struct sockaddr *)&from, &fromlen) == -1) {
|
|
||||||
- debug("getpeername failed: %.100s", strerror(errno));
|
|
||||||
- return xstrdup(ntop);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ipv64_normalise_mapped(&from, &fromlen);
|
|
||||||
- if (from.ss_family == AF_INET6)
|
|
||||||
- fromlen = sizeof(struct sockaddr_in6);
|
|
||||||
-
|
|
||||||
- debug3("Trying to reverse map address %.100s.", ntop);
|
|
||||||
- /* Map the IP address to a host name. */
|
|
||||||
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
|
||||||
- NULL, 0, NI_NAMEREQD) != 0) {
|
|
||||||
- /* Host name not found. Use ip address. */
|
|
||||||
- return xstrdup(ntop);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * if reverse lookup result looks like a numeric hostname,
|
|
||||||
- * someone is trying to trick us by PTR record like following:
|
|
||||||
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
|
|
||||||
- */
|
|
||||||
- memset(&hints, 0, sizeof(hints));
|
|
||||||
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
|
||||||
- hints.ai_flags = AI_NUMERICHOST;
|
|
||||||
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
|
|
||||||
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
|
||||||
- name, ntop);
|
|
||||||
- freeaddrinfo(ai);
|
|
||||||
- return xstrdup(ntop);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Names are stored in lowercase. */
|
|
||||||
- lowercase(name);
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Map it back to an IP address and check that the given
|
|
||||||
- * address actually is an address of this host. This is
|
|
||||||
- * necessary because anyone with access to a name server can
|
|
||||||
- * define arbitrary names for an IP address. Mapping from
|
|
||||||
- * name to IP address can be trusted better (but can still be
|
|
||||||
- * fooled if the intruder has access to the name server of
|
|
||||||
- * the domain).
|
|
||||||
- */
|
|
||||||
- memset(&hints, 0, sizeof(hints));
|
|
||||||
- hints.ai_family = from.ss_family;
|
|
||||||
- hints.ai_socktype = SOCK_STREAM;
|
|
||||||
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
|
||||||
- logit("reverse mapping checking getaddrinfo for %.700s "
|
|
||||||
- "[%s] failed.", name, ntop);
|
|
||||||
- return xstrdup(ntop);
|
|
||||||
- }
|
|
||||||
- /* Look for the address from the list of addresses. */
|
|
||||||
- for (ai = aitop; ai; ai = ai->ai_next) {
|
|
||||||
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
|
|
||||||
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
|
|
||||||
- (strcmp(ntop, ntop2) == 0))
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- freeaddrinfo(aitop);
|
|
||||||
- /* If we reached the end of the list, the address was not there. */
|
|
||||||
- if (ai == NULL) {
|
|
||||||
- /* Address not found for the host name. */
|
|
||||||
- logit("Address %.100s maps to %.600s, but this does not "
|
|
||||||
- "map back to the address.", ntop, name);
|
|
||||||
- return xstrdup(ntop);
|
|
||||||
- }
|
|
||||||
- return xstrdup(name);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * Return the canonical name of the host in the other side of the current
|
|
||||||
- * connection. The host name is cached, so it is efficient to call this
|
|
||||||
- * several times.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
-const char *
|
|
||||||
-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
|
|
||||||
-{
|
|
||||||
- static char *dnsname;
|
|
||||||
-
|
|
||||||
- if (!use_dns)
|
|
||||||
- return ssh_remote_ipaddr(ssh);
|
|
||||||
- else if (dnsname != NULL)
|
|
||||||
- return dnsname;
|
|
||||||
- else {
|
|
||||||
- dnsname = remote_hostname(ssh);
|
|
||||||
- return dnsname;
|
|
||||||
- }
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/* These functions link key/cert options to the auth framework */
|
|
||||||
|
|
||||||
/* Log sshauthopt options locally and (optionally) for remote transmission */
|
|
||||||
diff --git a/canohost.c b/canohost.c
|
|
||||||
index a810da0e..18e9d8d4 100644
|
|
||||||
--- a/canohost.c
|
|
||||||
+++ b/canohost.c
|
|
||||||
@@ -202,3 +202,117 @@ get_local_port(int sock)
|
|
||||||
{
|
|
||||||
return get_sock_port(sock, 1);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Returns the remote DNS hostname as a string. The returned string must not
|
|
||||||
+ * be freed. NB. this will usually trigger a DNS query the first time it is
|
|
||||||
+ * called.
|
|
||||||
+ * This function does additional checks on the hostname to mitigate some
|
|
||||||
+ * attacks on legacy rhosts-style authentication.
|
|
||||||
+ * XXX is RhostsRSAAuthentication vulnerable to these?
|
|
||||||
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+static char *
|
|
||||||
+remote_hostname(struct ssh *ssh)
|
|
||||||
+{
|
|
||||||
+ struct sockaddr_storage from;
|
|
||||||
+ socklen_t fromlen;
|
|
||||||
+ struct addrinfo hints, *ai, *aitop;
|
|
||||||
+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
|
|
||||||
+ const char *ntop = ssh_remote_ipaddr(ssh);
|
|
||||||
+
|
|
||||||
+ /* Get IP address of client. */
|
|
||||||
+ fromlen = sizeof(from);
|
|
||||||
+ memset(&from, 0, sizeof(from));
|
|
||||||
+ if (getpeername(ssh_packet_get_connection_in(ssh),
|
|
||||||
+ (struct sockaddr *)&from, &fromlen) == -1) {
|
|
||||||
+ debug("getpeername failed: %.100s", strerror(errno));
|
|
||||||
+ return xstrdup(ntop);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ipv64_normalise_mapped(&from, &fromlen);
|
|
||||||
+ if (from.ss_family == AF_INET6)
|
|
||||||
+ fromlen = sizeof(struct sockaddr_in6);
|
|
||||||
+
|
|
||||||
+ debug3("Trying to reverse map address %.100s.", ntop);
|
|
||||||
+ /* Map the IP address to a host name. */
|
|
||||||
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
|
||||||
+ NULL, 0, NI_NAMEREQD) != 0) {
|
|
||||||
+ /* Host name not found. Use ip address. */
|
|
||||||
+ return xstrdup(ntop);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * if reverse lookup result looks like a numeric hostname,
|
|
||||||
+ * someone is trying to trick us by PTR record like following:
|
|
||||||
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
|
|
||||||
+ */
|
|
||||||
+ memset(&hints, 0, sizeof(hints));
|
|
||||||
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
|
||||||
+ hints.ai_flags = AI_NUMERICHOST;
|
|
||||||
+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
|
|
||||||
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
|
||||||
+ name, ntop);
|
|
||||||
+ freeaddrinfo(ai);
|
|
||||||
+ return xstrdup(ntop);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Names are stored in lowercase. */
|
|
||||||
+ lowercase(name);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Map it back to an IP address and check that the given
|
|
||||||
+ * address actually is an address of this host. This is
|
|
||||||
+ * necessary because anyone with access to a name server can
|
|
||||||
+ * define arbitrary names for an IP address. Mapping from
|
|
||||||
+ * name to IP address can be trusted better (but can still be
|
|
||||||
+ * fooled if the intruder has access to the name server of
|
|
||||||
+ * the domain).
|
|
||||||
+ */
|
|
||||||
+ memset(&hints, 0, sizeof(hints));
|
|
||||||
+ hints.ai_family = from.ss_family;
|
|
||||||
+ hints.ai_socktype = SOCK_STREAM;
|
|
||||||
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
|
||||||
+ logit("reverse mapping checking getaddrinfo for %.700s "
|
|
||||||
+ "[%s] failed.", name, ntop);
|
|
||||||
+ return xstrdup(ntop);
|
|
||||||
+ }
|
|
||||||
+ /* Look for the address from the list of addresses. */
|
|
||||||
+ for (ai = aitop; ai; ai = ai->ai_next) {
|
|
||||||
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
|
|
||||||
+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
|
|
||||||
+ (strcmp(ntop, ntop2) == 0))
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ freeaddrinfo(aitop);
|
|
||||||
+ /* If we reached the end of the list, the address was not there. */
|
|
||||||
+ if (ai == NULL) {
|
|
||||||
+ /* Address not found for the host name. */
|
|
||||||
+ logit("Address %.100s maps to %.600s, but this does not "
|
|
||||||
+ "map back to the address.", ntop, name);
|
|
||||||
+ return xstrdup(ntop);
|
|
||||||
+ }
|
|
||||||
+ return xstrdup(name);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Return the canonical name of the host in the other side of the current
|
|
||||||
+ * connection. The host name is cached, so it is efficient to call this
|
|
||||||
+ * several times.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+const char *
|
|
||||||
+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
|
|
||||||
+{
|
|
||||||
+ static char *dnsname;
|
|
||||||
+
|
|
||||||
+ if (!use_dns)
|
|
||||||
+ return ssh_remote_ipaddr(ssh);
|
|
||||||
+ else if (dnsname != NULL)
|
|
||||||
+ return dnsname;
|
|
||||||
+ else {
|
|
||||||
+ dnsname = remote_hostname(ssh);
|
|
||||||
+ return dnsname;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/readconf.c b/readconf.c
|
|
||||||
index 03369a08..b45898ce 100644
|
|
||||||
--- a/readconf.c
|
|
||||||
+++ b/readconf.c
|
|
||||||
@@ -161,6 +161,7 @@ typedef enum {
|
|
||||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
||||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
||||||
+ oGssTrustDns,
|
|
||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
|
||||||
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
|
||||||
oHashKnownHosts,
|
|
||||||
@@ -207,9 +208,11 @@ static struct {
|
|
||||||
#if defined(GSSAPI)
|
|
||||||
{ "gssapiauthentication", oGssAuthentication },
|
|
||||||
{ "gssapidelegatecredentials", oGssDelegateCreds },
|
|
||||||
+ { "gssapitrustdns", oGssTrustDns },
|
|
||||||
# else
|
|
||||||
{ "gssapiauthentication", oUnsupported },
|
|
||||||
{ "gssapidelegatecredentials", oUnsupported },
|
|
||||||
+ { "gssapitrustdns", oUnsupported },
|
|
||||||
#endif
|
|
||||||
#ifdef ENABLE_PKCS11
|
|
||||||
{ "pkcs11provider", oPKCS11Provider },
|
|
||||||
@@ -1117,6 +1120,10 @@ parse_time:
|
|
||||||
intptr = &options->gss_deleg_creds;
|
|
||||||
goto parse_flag;
|
|
||||||
|
|
||||||
+ case oGssTrustDns:
|
|
||||||
+ intptr = &options->gss_trust_dns;
|
|
||||||
+ goto parse_flag;
|
|
||||||
+
|
|
||||||
case oBatchMode:
|
|
||||||
intptr = &options->batch_mode;
|
|
||||||
goto parse_flag;
|
|
||||||
@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
|
|
||||||
options->pubkey_authentication = -1;
|
|
||||||
options->gss_authentication = -1;
|
|
||||||
options->gss_deleg_creds = -1;
|
|
||||||
+ options->gss_trust_dns = -1;
|
|
||||||
options->password_authentication = -1;
|
|
||||||
options->kbd_interactive_authentication = -1;
|
|
||||||
options->kbd_interactive_devices = NULL;
|
|
||||||
@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
|
|
||||||
options->gss_authentication = 0;
|
|
||||||
if (options->gss_deleg_creds == -1)
|
|
||||||
options->gss_deleg_creds = 0;
|
|
||||||
+ if (options->gss_trust_dns == -1)
|
|
||||||
+ options->gss_trust_dns = 0;
|
|
||||||
if (options->password_authentication == -1)
|
|
||||||
options->password_authentication = 1;
|
|
||||||
if (options->kbd_interactive_authentication == -1)
|
|
||||||
diff --git a/readconf.h b/readconf.h
|
|
||||||
index f7d53b06..c3a91898 100644
|
|
||||||
--- a/readconf.h
|
|
||||||
+++ b/readconf.h
|
|
||||||
@@ -40,6 +40,7 @@ typedef struct {
|
|
||||||
int hostbased_authentication; /* ssh2's rhosts_rsa */
|
|
||||||
int gss_authentication; /* Try GSS authentication */
|
|
||||||
int gss_deleg_creds; /* Delegate GSS credentials */
|
|
||||||
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
|
|
||||||
int password_authentication; /* Try password
|
|
||||||
* authentication. */
|
|
||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
|
||||||
diff --git a/ssh_config.5 b/ssh_config.5
|
|
||||||
index cd0eea86..27101943 100644
|
|
||||||
--- a/ssh_config.5
|
|
||||||
+++ b/ssh_config.5
|
|
||||||
@@ -832,6 +832,16 @@ The default is
|
|
||||||
Forward (delegate) credentials to the server.
|
|
||||||
The default is
|
|
||||||
.Cm no .
|
|
||||||
+Note that this option applies to protocol version 2 connections using GSSAPI.
|
|
||||||
+.It Cm GSSAPITrustDns
|
|
||||||
+Set to
|
|
||||||
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
|
||||||
+the name of the host being connected to. If
|
|
||||||
+.Dq no, the hostname entered on the
|
|
||||||
+command line will be passed untouched to the GSSAPI library.
|
|
||||||
+The default is
|
|
||||||
+.Dq no .
|
|
||||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
|
||||||
.It Cm HashKnownHosts
|
|
||||||
Indicates that
|
|
||||||
.Xr ssh 1
|
|
||||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
|
||||||
index fea50fab..aeff639b 100644
|
|
||||||
--- a/sshconnect2.c
|
|
||||||
+++ b/sshconnect2.c
|
|
||||||
@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
|
|
||||||
OM_uint32 min;
|
|
||||||
int r, ok = 0;
|
|
||||||
gss_OID mech = NULL;
|
|
||||||
+ const char *gss_host;
|
|
||||||
+
|
|
||||||
+ if (options.gss_trust_dns) {
|
|
||||||
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
|
|
||||||
+ gss_host = auth_get_canonical_hostname(ssh, 1);
|
|
||||||
+ } else
|
|
||||||
+ gss_host = authctxt->host;
|
|
||||||
|
|
||||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
|
||||||
* once. */
|
|
||||||
@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
|
|
||||||
elements[authctxt->mech_tried];
|
|
||||||
/* My DER encoding requires length<128 */
|
|
||||||
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
|
|
||||||
- mech, authctxt->host)) {
|
|
||||||
+ mech, gss_host)) {
|
|
||||||
ok = 1; /* Mechanism works */
|
|
||||||
} else {
|
|
||||||
authctxt->mech_tried++;
|
|
|
@ -1,126 +0,0 @@
|
||||||
diff -ur '--exclude=.*.un~' a/openssh-8.9p1+x509-13.3.1.diff b/openssh-8.9p1+x509-13.3.1.diff
|
|
||||||
--- a/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:49:32.673126122 -0800
|
|
||||||
+++ b/openssh-8.9p1+x509-13.3.1.diff 2022-03-05 21:52:52.581776560 -0800
|
|
||||||
@@ -1002,15 +1002,16 @@
|
|
||||||
char b[512];
|
|
||||||
- size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
|
|
||||||
- u_char *hash = xmalloc(len);
|
|
||||||
+- double delay;
|
|
||||||
+ int digest_alg;
|
|
||||||
+ size_t len;
|
|
||||||
+ u_char *hash;
|
|
||||||
- double delay;
|
|
||||||
-
|
|
||||||
++ double delay = 0;
|
|
||||||
++
|
|
||||||
+ digest_alg = ssh_digest_maxbytes();
|
|
||||||
+ len = ssh_digest_bytes(digest_alg);
|
|
||||||
+ hash = xmalloc(len);
|
|
||||||
-+
|
|
||||||
+
|
|
||||||
(void)snprintf(b, sizeof b, "%llu%s",
|
|
||||||
(unsigned long long)options.timing_secret, user);
|
|
||||||
- if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
|
|
||||||
@@ -44746,8 +44747,8 @@
|
|
||||||
gss_create_empty_oid_set(&status, &oidset);
|
|
||||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
|
||||||
|
|
||||||
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
|
||||||
-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
|
|
||||||
+- if (gethostname(lname, HOST_NAME_MAX)) {
|
|
||||||
++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
|
|
||||||
gss_release_oid_set(&status, &oidset);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
@@ -52143,7 +52144,7 @@
|
|
||||||
diff -ruN openssh-8.9p1/m4/openssh.m4 openssh-8.9p1+x509-13.3.1/m4/openssh.m4
|
|
||||||
--- openssh-8.9p1/m4/openssh.m4 2022-02-23 13:31:11.000000000 +0200
|
|
||||||
+++ openssh-8.9p1+x509-13.3.1/m4/openssh.m4 1970-01-01 02:00:00.000000000 +0200
|
|
||||||
-@@ -1,200 +0,0 @@
|
|
||||||
+@@ -1,203 +0,0 @@
|
|
||||||
-dnl OpenSSH-specific autoconf macros
|
|
||||||
-dnl
|
|
||||||
-
|
|
||||||
@@ -52160,6 +52161,8 @@
|
|
||||||
- AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
|
|
||||||
-#include <stdlib.h>
|
|
||||||
-#include <stdio.h>
|
|
||||||
+-/* Trivial function to help test for -fzero-call-used-regs */
|
|
||||||
+-void f(int n) {}
|
|
||||||
-int main(int argc, char **argv) {
|
|
||||||
- (void)argv;
|
|
||||||
- /* Some math to catch -ftrapv problems in the toolchain */
|
|
||||||
@@ -52167,6 +52170,7 @@
|
|
||||||
- float l = i * 2.1;
|
|
||||||
- double m = l / 0.5;
|
|
||||||
- long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
|
|
||||||
+- f(0);
|
|
||||||
- printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
|
|
||||||
- /*
|
|
||||||
- * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
|
|
||||||
@@ -52884,12 +52888,11 @@
|
|
||||||
|
|
||||||
install-files:
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(bindir)
|
|
||||||
-@@ -396,6 +372,8 @@
|
|
||||||
+@@ -396,6 +372,7 @@
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(libexecdir)
|
|
||||||
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
|
|
||||||
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
|
|
||||||
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
|
||||||
@@ -73836,7 +73839,7 @@
|
|
||||||
+if test "$sshd_type" = "pkix" ; then
|
|
||||||
+ unset_arg=''
|
|
||||||
+else
|
|
||||||
-+ unset_arg=none
|
|
||||||
++ unset_arg=
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
cat > $OBJ/sshd_config.i << _EOF
|
|
||||||
@@ -79691,25 +79694,6 @@
|
|
||||||
#ifdef __NR_getrandom
|
|
||||||
SC_ALLOW(__NR_getrandom),
|
|
||||||
#endif
|
|
||||||
-@@ -267,15 +273,15 @@
|
|
||||||
- #ifdef __NR_clock_nanosleep_time64
|
|
||||||
- SC_ALLOW(__NR_clock_nanosleep_time64),
|
|
||||||
- #endif
|
|
||||||
--#ifdef __NR_clock_gettime64
|
|
||||||
-- SC_ALLOW(__NR_clock_gettime64),
|
|
||||||
--#endif
|
|
||||||
- #ifdef __NR__newselect
|
|
||||||
- SC_ALLOW(__NR__newselect),
|
|
||||||
- #endif
|
|
||||||
- #ifdef __NR_ppoll
|
|
||||||
- SC_ALLOW(__NR_ppoll),
|
|
||||||
- #endif
|
|
||||||
-+#ifdef __NR_ppoll_time64
|
|
||||||
-+ SC_ALLOW(__NR_ppoll_time64),
|
|
||||||
-+#endif
|
|
||||||
- #ifdef __NR_poll
|
|
||||||
- SC_ALLOW(__NR_poll),
|
|
||||||
- #endif
|
|
||||||
@@ -288,6 +294,9 @@
|
|
||||||
#ifdef __NR_read
|
|
||||||
SC_ALLOW(__NR_read),
|
|
||||||
@@ -137848,16 +137832,6 @@
|
|
||||||
+int asnmprintf(char **, size_t, int *, const char *, ...)
|
|
||||||
__attribute__((format(printf, 4, 5)));
|
|
||||||
void msetlocale(void);
|
|
||||||
-diff -ruN openssh-8.9p1/version.h openssh-8.9p1+x509-13.3.1/version.h
|
|
||||||
---- openssh-8.9p1/version.h 2022-02-23 13:31:11.000000000 +0200
|
|
||||||
-+++ openssh-8.9p1+x509-13.3.1/version.h 2022-03-05 10:07:00.000000000 +0200
|
|
||||||
-@@ -2,5 +2,4 @@
|
|
||||||
-
|
|
||||||
- #define SSH_VERSION "OpenSSH_8.9"
|
|
||||||
-
|
|
||||||
--#define SSH_PORTABLE "p1"
|
|
||||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
|
||||||
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
|
|
||||||
diff -ruN openssh-8.9p1/version.m4 openssh-8.9p1+x509-13.3.1/version.m4
|
|
||||||
--- openssh-8.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200
|
|
||||||
+++ openssh-8.9p1+x509-13.3.1/version.m4 2022-03-05 10:07:00.000000000 +0200
|
|
|
@ -1,14 +0,0 @@
|
||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index 2e065ba3..4ce80cb2 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
#ifdef __NR_ppoll
|
|
||||||
SC_ALLOW(__NR_ppoll),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_ppoll_time64
|
|
||||||
+ SC_ALLOW(__NR_ppoll_time64),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_poll
|
|
||||||
SC_ALLOW(__NR_poll),
|
|
||||||
#endif
|
|
|
@ -1,32 +0,0 @@
|
||||||
From f107467179428a0e3ea9e4aa9738ac12ff02822d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Colin Watson <cjwatson@debian.org>
|
|
||||||
Date: Thu, 24 Feb 2022 16:04:18 +0000
|
|
||||||
Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
|
|
||||||
|
|
||||||
GCC doesn't tell us whether this option is supported unless it runs into
|
|
||||||
the situation where it would need to emit corresponding code.
|
|
||||||
---
|
|
||||||
m4/openssh.m4 | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/m4/openssh.m4 b/m4/openssh.m4
|
|
||||||
index 4f9c3792dc1..8c33c701b8b 100644
|
|
||||||
--- a/m4/openssh.m4
|
|
||||||
+++ b/m4/openssh.m4
|
|
||||||
@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
|
|
||||||
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
+/* Trivial function to help test for -fzero-call-used-regs */
|
|
||||||
+void f(int n) {}
|
|
||||||
int main(int argc, char **argv) {
|
|
||||||
(void)argv;
|
|
||||||
/* Some math to catch -ftrapv problems in the toolchain */
|
|
||||||
@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
|
|
||||||
float l = i * 2.1;
|
|
||||||
double m = l / 0.5;
|
|
||||||
long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
|
|
||||||
+ f(0);
|
|
||||||
printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
|
|
||||||
/*
|
|
||||||
* Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
|
|
|
@ -1,13 +0,0 @@
|
||||||
diff --git a/gss-serv.c b/gss-serv.c
|
|
||||||
index b5d4bb2d..00e3d118 100644
|
|
||||||
--- a/gss-serv.c
|
|
||||||
+++ b/gss-serv.c
|
|
||||||
@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
|
||||||
gss_create_empty_oid_set(&status, &oidset);
|
|
||||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
|
||||||
|
|
||||||
- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
|
||||||
+ if (gethostname(lname, HOST_NAME_MAX)) {
|
|
||||||
gss_release_oid_set(&status, &oidset);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
|
@ -1,431 +0,0 @@
|
||||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
|
|
||||||
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:48:19.078457000 -0800
|
|
||||||
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-24 18:49:22.195632128 -0800
|
|
||||||
@@ -3,9 +3,9 @@
|
|
||||||
--- a/Makefile.in
|
|
||||||
+++ b/Makefile.in
|
|
||||||
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
|
|
||||||
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
|
|
||||||
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
|
||||||
- PICFLAG=@PICFLAG@
|
|
||||||
+ LD=@LD@
|
|
||||||
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
|
|
||||||
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
|
|
||||||
-LIBS=@LIBS@
|
|
||||||
+LIBS=@LIBS@ -lpthread
|
|
||||||
K5LIBS=@K5LIBS@
|
|
||||||
@@ -803,8 +803,8 @@
|
|
||||||
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
|
|
||||||
{
|
|
||||||
struct session_state *state;
|
|
||||||
-- const struct sshcipher *none = cipher_by_name("none");
|
|
||||||
-+ struct sshcipher *none = cipher_by_name("none");
|
|
||||||
+- const struct sshcipher *none = cipher_none();
|
|
||||||
++ struct sshcipher *none = cipher_none();
|
|
||||||
int r;
|
|
||||||
|
|
||||||
if (none == NULL) {
|
|
||||||
@@ -894,24 +894,24 @@
|
|
||||||
intptr = &options->compression;
|
|
||||||
multistate_ptr = multistate_compression;
|
|
||||||
@@ -2272,6 +2278,7 @@ initialize_options(Options * options)
|
|
||||||
- options->revoked_host_keys = NULL;
|
|
||||||
options->fingerprint_hash = -1;
|
|
||||||
options->update_hostkeys = -1;
|
|
||||||
+ options->known_hosts_command = NULL;
|
|
||||||
+ options->disable_multithreaded = -1;
|
|
||||||
- options->hostbased_accepted_algos = NULL;
|
|
||||||
- options->pubkey_accepted_algos = NULL;
|
|
||||||
- options->known_hosts_command = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
|
|
||||||
+ options->update_hostkeys = 0;
|
|
||||||
if (options->sk_provider == NULL)
|
|
||||||
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
|
|
||||||
- #endif
|
|
||||||
+ if (options->update_hostkeys == -1)
|
|
||||||
+ options->update_hostkeys = 0;
|
|
||||||
+ if (options->disable_multithreaded == -1)
|
|
||||||
+ options->disable_multithreaded = 0;
|
|
||||||
|
|
||||||
- /* Expand KEX name lists */
|
|
||||||
- all_cipher = cipher_alg_list(',', 0);
|
|
||||||
+ /* expand KEX and etc. name lists */
|
|
||||||
+ { char *all;
|
|
||||||
diff --git a/readconf.h b/readconf.h
|
|
||||||
index 2fba866e..7f8f0227 100644
|
|
||||||
--- a/readconf.h
|
|
||||||
@@ -950,9 +950,9 @@
|
|
||||||
/* Portable-specific options */
|
|
||||||
sUsePAM,
|
|
||||||
+ sDisableMTAES,
|
|
||||||
- /* Standard Options */
|
|
||||||
- sPort, sHostKeyFile, sLoginGraceTime,
|
|
||||||
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
|
||||||
+ /* X.509 Standard Options */
|
|
||||||
+ sHostbasedAlgorithms,
|
|
||||||
+ sPubkeyAlgorithms,
|
|
||||||
@@ -662,6 +666,7 @@ static struct {
|
|
||||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
|
||||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
|
||||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
|
|
||||||
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:48:19.078457000 -0800
|
|
||||||
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-24 18:54:51.800546480 -0800
|
|
||||||
@@ -157,6 +157,36 @@
|
|
||||||
+ Allan Jude provided the code for the NoneMac and buffer normalization.
|
|
||||||
+ This work was financed, in part, by Cisco System, Inc., the National
|
|
||||||
+ Library of Medicine, and the National Science Foundation.
|
|
||||||
+diff --git a/auth2.c b/auth2.c
|
|
||||||
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
|
|
||||||
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
|
|
||||||
+@@ -229,16 +229,17 @@
|
|
||||||
+ double delay;
|
|
||||||
+
|
|
||||||
+ digest_alg = ssh_digest_maxbytes();
|
|
||||||
+- len = ssh_digest_bytes(digest_alg);
|
|
||||||
+- hash = xmalloc(len);
|
|
||||||
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
|
|
||||||
++ hash = xmalloc(len);
|
|
||||||
+
|
|
||||||
+- (void)snprintf(b, sizeof b, "%llu%s",
|
|
||||||
+- (unsigned long long)options.timing_secret, user);
|
|
||||||
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
|
|
||||||
+- fatal_f("ssh_digest_memory");
|
|
||||||
+- /* 0-4.2 ms of delay */
|
|
||||||
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
|
|
||||||
+- freezero(hash, len);
|
|
||||||
++ (void)snprintf(b, sizeof b, "%llu%s",
|
|
||||||
++ (unsigned long long)options.timing_secret, user);
|
|
||||||
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
|
|
||||||
++ fatal_f("ssh_digest_memory");
|
|
||||||
++ /* 0-4.2 ms of delay */
|
|
||||||
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
|
|
||||||
++ freezero(hash, len);
|
|
||||||
++ }
|
|
||||||
+ debug3_f("user specific delay %0.3lfms", delay/1000);
|
|
||||||
+ return MIN_FAIL_DELAY_SECONDS + delay;
|
|
||||||
+ }
|
|
||||||
diff --git a/channels.c b/channels.c
|
|
||||||
index b60d56c4..0e363c15 100644
|
|
||||||
--- a/channels.c
|
|
||||||
@@ -209,14 +239,14 @@
|
|
||||||
static void
|
|
||||||
channel_pre_open(struct ssh *ssh, Channel *c,
|
|
||||||
fd_set *readset, fd_set *writeset)
|
|
||||||
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
|
||||||
+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
|
|
||||||
|
|
||||||
if (c->type == SSH_CHANNEL_OPEN &&
|
|
||||||
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
|
|
||||||
- ((c->local_window_max - c->local_window >
|
|
||||||
- c->local_maxpacket*3) ||
|
|
||||||
-+ ((ssh_packet_is_interactive(ssh) &&
|
|
||||||
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
|
|
||||||
++ ((ssh_packet_is_interactive(ssh) &&
|
|
||||||
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
|
|
||||||
c->local_window < c->local_window_max/2) &&
|
|
||||||
c->local_consumed > 0) {
|
|
||||||
+ u_int addition = 0;
|
|
||||||
@@ -235,9 +265,8 @@
|
|
||||||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
|
|
||||||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
|
|
||||||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
|
|
||||||
- (r = sshpkt_send(ssh)) != 0) {
|
|
||||||
- fatal_fr(r, "channel %i", c->self);
|
|
||||||
- }
|
|
||||||
+ (r = sshpkt_send(ssh)) != 0)
|
|
||||||
+ fatal_fr(r, "channel %d", c->self);
|
|
||||||
- debug2("channel %d: window %d sent adjust %d", c->self,
|
|
||||||
- c->local_window, c->local_consumed);
|
|
||||||
- c->local_window += c->local_consumed;
|
|
||||||
@@ -337,70 +366,92 @@
|
|
||||||
index 70f492f8..5503af1d 100644
|
|
||||||
--- a/clientloop.c
|
|
||||||
+++ b/clientloop.c
|
|
||||||
-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
|
|
||||||
+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
|
|
||||||
sock = x11_connect_display(ssh);
|
|
||||||
if (sock < 0)
|
|
||||||
return NULL;
|
|
||||||
- c = channel_new(ssh, "x11",
|
|
||||||
- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
|
|
||||||
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
|
|
||||||
-+ c = channel_new(ssh, "x11",
|
|
||||||
-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
|
|
||||||
-+ /* again is this really necessary for X11? */
|
|
||||||
-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
|
|
||||||
-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
|
|
||||||
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
|
|
||||||
+- CHANNEL_NONBLOCK_SET);
|
|
||||||
++ c = channel_new(ssh, "x11",
|
|
||||||
++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
|
|
||||||
++ /* again is this really necessary for X11? */
|
|
||||||
++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
|
|
||||||
++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
|
|
||||||
c->force_drain = 1;
|
|
||||||
return c;
|
|
||||||
}
|
|
||||||
-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
|
|
||||||
+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
c = channel_new(ssh, "authentication agent connection",
|
|
||||||
- SSH_CHANNEL_OPEN, sock, sock, -1,
|
|
||||||
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
|
|
||||||
-- "authentication agent connection", 1);
|
|
||||||
-+ SSH_CHANNEL_OPEN, sock, sock, -1,
|
|
||||||
-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
|
|
||||||
-+ CHAN_TCP_PACKET_DEFAULT, 0,
|
|
||||||
-+ "authentication agent connection", 1);
|
|
||||||
+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
|
|
||||||
++ SSH_CHANNEL_OPEN, sock, sock, -1,
|
|
||||||
++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
|
|
||||||
++ CHAN_TCP_PACKET_DEFAULT, 0,
|
|
||||||
++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
|
|
||||||
c->force_drain = 1;
|
|
||||||
return c;
|
|
||||||
}
|
|
||||||
-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
|
|
||||||
+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
|
|
||||||
}
|
|
||||||
debug("Tunnel forwarding using interface %s", ifname);
|
|
||||||
|
|
||||||
- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
|
|
||||||
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
|
|
||||||
-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
|
|
||||||
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
|
|
||||||
+- CHANNEL_NONBLOCK_SET);
|
|
||||||
++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
|
|
||||||
+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
|
|
||||||
-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
|
|
||||||
++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
|
|
||||||
c->datagram = 1;
|
|
||||||
|
|
||||||
-+
|
|
||||||
-+
|
|
||||||
#if defined(SSH_TUN_FILTER)
|
|
||||||
- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
|
|
||||||
- channel_register_filter(ssh, c->self, sys_tun_infilter,
|
|
||||||
diff --git a/compat.c b/compat.c
|
|
||||||
index 69befa96..90b5f338 100644
|
|
||||||
--- a/compat.c
|
|
||||||
+++ b/compat.c
|
|
||||||
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
|
|
||||||
- debug_f("match: %s pat %s compat 0x%08x",
|
|
||||||
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
|
|
||||||
+ static u_int
|
|
||||||
+ compat_datafellows(const char *version)
|
|
||||||
+ {
|
|
||||||
+- int i;
|
|
||||||
++ int i, bugs = 0;
|
|
||||||
+ static struct {
|
|
||||||
+ char *pat;
|
|
||||||
+ int bugs;
|
|
||||||
+@@ -147,11 +147,26 @@
|
|
||||||
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
|
|
||||||
+ debug("match: %s pat %s compat 0x%08x",
|
|
||||||
version, check[i].pat, check[i].bugs);
|
|
||||||
- ssh->compat = check[i].bugs;
|
|
||||||
+ /* Check to see if the remote side is OpenSSH and not HPN */
|
|
||||||
-+ /* TODO: need to use new method to test for this */
|
|
||||||
+ if (strstr(version, "OpenSSH") != NULL) {
|
|
||||||
+ if (strstr(version, "hpn") == NULL) {
|
|
||||||
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
|
|
||||||
++ bugs |= SSH_BUG_LARGEWINDOW;
|
|
||||||
+ debug("Remote is NON-HPN aware");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
- return;
|
|
||||||
+- return check[i].bugs;
|
|
||||||
++ bugs |= check[i].bugs;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+- debug("no match: %s", version);
|
|
||||||
+- return 0;
|
|
||||||
++ /* Check to see if the remote side is OpenSSH and not HPN */
|
|
||||||
++ if (strstr(version, "OpenSSH") != NULL) {
|
|
||||||
++ if (strstr(version, "hpn") == NULL) {
|
|
||||||
++ bugs |= SSH_BUG_LARGEWINDOW;
|
|
||||||
++ debug("Remote is NON-HPN aware");
|
|
||||||
++ }
|
|
||||||
++ }
|
|
||||||
++ if (bugs == 0)
|
|
||||||
++ debug("no match: %s", version);
|
|
||||||
++ return bugs;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ char *
|
|
||||||
diff --git a/compat.h b/compat.h
|
|
||||||
index c197fafc..ea2e17a7 100644
|
|
||||||
--- a/compat.h
|
|
||||||
@@ -459,7 +510,7 @@
|
|
||||||
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
|
|
||||||
int nenc, nmac, ncomp;
|
|
||||||
u_int mode, ctos, need, dh_need, authlen;
|
|
||||||
- int r, first_kex_follows;
|
|
||||||
+ int r, first_kex_follows = 0;
|
|
||||||
+ int auth_flag = 0;
|
|
||||||
+
|
|
||||||
+ auth_flag = packet_authentication_state(ssh);
|
|
||||||
@@ -553,10 +604,10 @@
|
|
||||||
#define MAX_PACKETS (1U<<31)
|
|
||||||
static int
|
|
||||||
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
|
||||||
-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
+ {
|
|
||||||
struct session_state *state = ssh->state;
|
|
||||||
int len, r, ms_remain;
|
|
||||||
- struct pollfd pfd;
|
|
||||||
- char buf[8192];
|
|
||||||
+ char buf[SSH_IOBUFSZ];
|
|
||||||
struct timeval start;
|
|
||||||
@@ -1072,7 +1123,7 @@
|
|
||||||
+ else
|
|
||||||
+ options.hpn_buffer_size = 2 * 1024 * 1024;
|
|
||||||
+
|
|
||||||
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
|
|
||||||
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
|
|
||||||
+ debug("HPN to Non-HPN Connection");
|
|
||||||
+ } else {
|
|
||||||
+ int sock, socksize;
|
|
||||||
@@ -1136,14 +1187,14 @@
|
|
||||||
}
|
|
||||||
@@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
|
|
||||||
window, packetmax, CHAN_EXTENDED_WRITE,
|
|
||||||
- "client-session", /*nonblock*/0);
|
|
||||||
+ "client-session", CHANNEL_NONBLOCK_STDIO);
|
|
||||||
|
|
||||||
+ if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
|
|
||||||
+ c->dynamic_window = 1;
|
|
||||||
+ debug("Enabled Dynamic Window Scaling");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
- debug3_f("channel_new: %d", c->self);
|
|
||||||
+ debug2_f("channel %d", c->self);
|
|
||||||
|
|
||||||
channel_send_open(ssh, c->self);
|
|
||||||
@@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
|
|
||||||
@@ -1314,7 +1365,29 @@
|
|
||||||
/* Bind the socket to the desired port. */
|
|
||||||
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
|
||||||
error("Bind to port %s on %s failed: %.200s.",
|
|
||||||
-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
|
|
||||||
+@@ -1625,13 +1632,14 @@
|
|
||||||
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
|
|
||||||
+ sshbuf_len(server_cfg)) != 0)
|
|
||||||
+ fatal_f("ssh_digest_update");
|
|
||||||
+- len = ssh_digest_bytes(digest_alg);
|
|
||||||
+- hash = xmalloc(len);
|
|
||||||
+- if (ssh_digest_final(ctx, hash, len) != 0)
|
|
||||||
+- fatal_f("ssh_digest_final");
|
|
||||||
+- options.timing_secret = PEEK_U64(hash);
|
|
||||||
+- freezero(hash, len);
|
|
||||||
+- ssh_digest_free(ctx);
|
|
||||||
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
|
|
||||||
++ hash = xmalloc(len);
|
|
||||||
++ if (ssh_digest_final(ctx, hash, len) != 0)
|
|
||||||
++ fatal_f("ssh_digest_final");
|
|
||||||
++ options.timing_secret = PEEK_U64(hash);
|
|
||||||
++ freezero(hash, len);
|
|
||||||
++ ssh_digest_free(ctx);
|
|
||||||
++ }
|
|
||||||
+ ctx = NULL;
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
|
|
||||||
fatal("AuthorizedPrincipalsCommand set without "
|
|
||||||
"AuthorizedPrincipalsCommandUser");
|
|
||||||
|
|
||||||
@@ -1334,7 +1407,7 @@
|
|
||||||
/*
|
|
||||||
* Check whether there is any path through configured auth methods.
|
|
||||||
* Unfortunately it is not possible to verify this generally before
|
|
||||||
-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
|
|
||||||
+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
|
|
||||||
rdomain == NULL ? "" : "\"");
|
|
||||||
free(laddr);
|
|
||||||
|
|
||||||
@@ -1344,7 +1417,7 @@
|
|
||||||
/*
|
|
||||||
* We don't want to listen forever unless the other side
|
|
||||||
* successfully authenticates itself. So we set up an alarm which is
|
|
||||||
-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
|
|
||||||
+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
|
|
||||||
struct kex *kex;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
@@ -1384,14 +1457,3 @@
|
|
||||||
# Example of overriding settings on a per-user basis
|
|
||||||
#Match User anoncvs
|
|
||||||
# X11Forwarding no
|
|
||||||
-diff --git a/version.h b/version.h
|
|
||||||
-index 6b4fa372..332fb486 100644
|
|
||||||
---- a/version.h
|
|
||||||
-+++ b/version.h
|
|
||||||
-@@ -3,4 +3,5 @@
|
|
||||||
- #define SSH_VERSION "OpenSSH_8.5"
|
|
||||||
-
|
|
||||||
- #define SSH_PORTABLE "p1"
|
|
||||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
|
||||||
-+#define SSH_HPN "-hpn15v2"
|
|
||||||
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
|
|
||||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
|
|
||||||
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:48:19.078457000 -0800
|
|
||||||
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2022-02-24 18:49:22.196632131 -0800
|
|
||||||
@@ -12,9 +12,9 @@
|
|
||||||
static long stalled; /* how long we have been stalled */
|
|
||||||
static int bytes_per_second; /* current speed in bytes per second */
|
|
||||||
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
|
|
||||||
+ off_t bytes_left;
|
|
||||||
int cur_speed;
|
|
||||||
- int hours, minutes, seconds;
|
|
||||||
- int file_len;
|
|
||||||
+ int len;
|
|
||||||
+ off_t delta_pos;
|
|
||||||
|
|
||||||
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
|
|
||||||
@@ -30,15 +30,17 @@
|
|
||||||
if (bytes_left > 0)
|
|
||||||
elapsed = now - last_update;
|
|
||||||
else {
|
|
||||||
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
|
|
||||||
-
|
|
||||||
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
|
|
||||||
+ buf[1] = '\0';
|
|
||||||
+
|
|
||||||
/* filename */
|
|
||||||
- buf[0] = '\0';
|
|
||||||
-- file_len = win_size - 36;
|
|
||||||
-+ file_len = win_size - 45;
|
|
||||||
- if (file_len > 0) {
|
|
||||||
- buf[0] = '\r';
|
|
||||||
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
|
|
||||||
+- if (win_size > 36) {
|
|
||||||
++ if (win_size > 45) {
|
|
||||||
+- int file_len = win_size - 36;
|
|
||||||
++ int file_len = win_size - 45;
|
|
||||||
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
|
|
||||||
+ file_len, file);
|
|
||||||
+ }
|
|
||||||
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
|
|
||||||
(off_t)bytes_per_second);
|
|
||||||
strlcat(buf, "/s ", win_size);
|
|
||||||
@@ -63,15 +65,3 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
/*ARGSUSED*/
|
|
||||||
-diff --git a/ssh-keygen.c b/ssh-keygen.c
|
|
||||||
-index cfb5f115..986ff59b 100644
|
|
||||||
---- a/ssh-keygen.c
|
|
||||||
-+++ b/ssh-keygen.c
|
|
||||||
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
|
|
||||||
-
|
|
||||||
- if (skprovider == NULL)
|
|
||||||
- fatal("Cannot download keys without provider");
|
|
||||||
--
|
|
||||||
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
|
|
||||||
- if (!quiet) {
|
|
||||||
- printf("You may need to touch your authenticator "
|
|
|
@ -1,238 +0,0 @@
|
||||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
|
|
||||||
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:24.843395097 -0800
|
|
||||||
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2022-02-23 17:10:38.206451595 -0800
|
|
||||||
@@ -1026,9 +1026,9 @@
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
- debug("Authentication succeeded (%s).", authctxt.method->name);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
+ if (ssh_packet_connection_is_on_socket(ssh)) {
|
|
||||||
+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
|
|
||||||
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index 6277e6d6..bf3d6e4a 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
|
|
||||||
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:08:38.124943587 -0800
|
|
||||||
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2022-02-23 17:20:59.432070316 -0800
|
|
||||||
@@ -536,18 +536,10 @@
|
|
||||||
if (state->rekey_limit)
|
|
||||||
*max_blocks = MINIMUM(*max_blocks,
|
|
||||||
state->rekey_limit / enc->block_size);
|
|
||||||
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
|
||||||
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-+/* this supports the forced rekeying required for the NONE cipher */
|
|
||||||
-+int rekey_requested = 0;
|
|
||||||
-+void
|
|
||||||
-+packet_request_rekeying(void)
|
|
||||||
-+{
|
|
||||||
-+ rekey_requested = 1;
|
|
||||||
-+}
|
|
||||||
-+
|
|
||||||
+/* used to determine if pre or post auth when rekeying for aes-ctr
|
|
||||||
+ * and none cipher switch */
|
|
||||||
+int
|
|
||||||
@@ -561,27 +553,14 @@
|
|
||||||
#define MAX_PACKETS (1U<<31)
|
|
||||||
static int
|
|
||||||
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
|
||||||
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
|
|
||||||
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
|
|
||||||
- return 0;
|
|
||||||
-
|
|
||||||
-+ /* used to force rekeying when called for by the none
|
|
||||||
-+ * cipher switch methods -cjr */
|
|
||||||
-+ if (rekey_requested == 1) {
|
|
||||||
-+ rekey_requested = 0;
|
|
||||||
-+ return 1;
|
|
||||||
-+ }
|
|
||||||
-+
|
|
||||||
- /* Time-based rekeying */
|
|
||||||
- if (state->rekey_interval != 0 &&
|
|
||||||
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
|
|
||||||
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
struct session_state *state = ssh->state;
|
|
||||||
int len, r, ms_remain;
|
|
||||||
- fd_set *setp;
|
|
||||||
+ struct pollfd pfd;
|
|
||||||
- char buf[8192];
|
|
||||||
+ char buf[SSH_IOBUFSZ];
|
|
||||||
- struct timeval timeout, start, *timeoutp = NULL;
|
|
||||||
+ struct timeval start;
|
|
||||||
+ struct timespec timespec, *timespecp = NULL;
|
|
||||||
|
|
||||||
DBG(debug("packet_read()"));
|
|
||||||
diff --git a/packet.h b/packet.h
|
|
||||||
@@ -598,12 +577,11 @@
|
|
||||||
};
|
|
||||||
|
|
||||||
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
|
|
||||||
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
|
|
||||||
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
|
|
||||||
int ssh_packet_set_maxsize(struct ssh *, u_int);
|
|
||||||
u_int ssh_packet_get_maxsize(struct ssh *);
|
|
||||||
|
|
||||||
+/* for forced packet rekeying post auth */
|
|
||||||
-+void packet_request_rekeying(void);
|
|
||||||
+int packet_authentication_state(const struct ssh *);
|
|
||||||
+
|
|
||||||
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
|
|
||||||
@@ -627,9 +605,9 @@
|
|
||||||
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
|
||||||
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
|
|
||||||
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
|
|
||||||
+ oDisableMTAES,
|
|
||||||
oVisualHostKey,
|
|
||||||
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
||||||
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
|
||||||
@@ -297,6 +300,9 @@ static struct {
|
|
||||||
{ "kexalgorithms", oKexAlgorithms },
|
|
||||||
{ "ipqos", oIPQoS },
|
|
||||||
@@ -637,9 +615,9 @@
|
|
||||||
+ { "noneenabled", oNoneEnabled },
|
|
||||||
+ { "nonemacenabled", oNoneMacEnabled },
|
|
||||||
+ { "noneswitch", oNoneSwitch },
|
|
||||||
- { "proxyusefdpass", oProxyUseFdpass },
|
|
||||||
- { "canonicaldomains", oCanonicalDomains },
|
|
||||||
- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
|
|
||||||
+ { "sessiontype", oSessionType },
|
|
||||||
+ { "stdinnull", oStdinNull },
|
|
||||||
+ { "forkafterauthentication", oForkAfterAuthentication },
|
|
||||||
@@ -317,6 +323,11 @@ static struct {
|
|
||||||
{ "securitykeyprovider", oSecurityKeyProvider },
|
|
||||||
{ "knownhostscommand", oKnownHostsCommand },
|
|
||||||
@@ -717,9 +695,9 @@
|
|
||||||
+ options->hpn_buffer_size = -1;
|
|
||||||
+ options->tcp_rcv_buf_poll = -1;
|
|
||||||
+ options->tcp_rcv_buf = -1;
|
|
||||||
- options->proxy_use_fdpass = -1;
|
|
||||||
- options->ignored_unknown = NULL;
|
|
||||||
- options->num_canonical_domains = 0;
|
|
||||||
+ options->session_type = -1;
|
|
||||||
+ options->stdin_null = -1;
|
|
||||||
+ options->fork_after_authentication = -1;
|
|
||||||
@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
|
|
||||||
options->server_alive_interval = 0;
|
|
||||||
if (options->server_alive_count_max == -1)
|
|
||||||
@@ -778,9 +756,9 @@
|
|
||||||
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
|
|
||||||
SyslogFacility log_facility; /* Facility for system logging. */
|
|
||||||
@@ -120,7 +124,11 @@ typedef struct {
|
|
||||||
-
|
|
||||||
int enable_ssh_keysign;
|
|
||||||
int64_t rekey_limit;
|
|
||||||
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
|
|
||||||
+ int none_switch; /* Use none cipher */
|
|
||||||
+ int none_enabled; /* Allow none cipher to be used */
|
|
||||||
+ int nonemac_enabled; /* Allow none MAC to be used */
|
|
||||||
@@ -842,9 +820,9 @@
|
|
||||||
/* Portable-specific options */
|
|
||||||
if (options->use_pam == -1)
|
|
||||||
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
|
|
||||||
- }
|
|
||||||
- if (options->permit_tun == -1)
|
|
||||||
options->permit_tun = SSH_TUNMODE_NO;
|
|
||||||
+ if (options->disable_multithreaded == -1)
|
|
||||||
+ options->disable_multithreaded = 0;
|
|
||||||
+ if (options->none_enabled == -1)
|
|
||||||
+ options->none_enabled = 0;
|
|
||||||
+ if (options->nonemac_enabled == -1)
|
|
||||||
@@ -975,15 +953,6 @@
|
|
||||||
index 306658cb..d4309903 100644
|
|
||||||
--- a/serverloop.c
|
|
||||||
+++ b/serverloop.c
|
|
||||||
-@@ -322,7 +322,7 @@ static int
|
|
||||||
- process_input(struct ssh *ssh, fd_set *readset, int connection_in)
|
|
||||||
- {
|
|
||||||
- int r, len;
|
|
||||||
-- char buf[16384];
|
|
||||||
-+ char buf[SSH_IOBUFSZ];
|
|
||||||
-
|
|
||||||
- /* Read and buffer any input data from the client. */
|
|
||||||
- if (FD_ISSET(connection_in, readset)) {
|
|
||||||
@@ -608,7 +608,8 @@ server_request_tun(struct ssh *ssh)
|
|
||||||
debug("Tunnel forwarding using interface %s", ifname);
|
|
||||||
|
|
||||||
@@ -1047,30 +1016,17 @@
|
|
||||||
Note that
|
|
||||||
diff --git a/sftp.c b/sftp.c
|
|
||||||
index fb3c08d1..89bebbb2 100644
|
|
||||||
---- a/sftp.c
|
|
||||||
-+++ b/sftp.c
|
|
||||||
-@@ -71,7 +71,7 @@ typedef void EditLine;
|
|
||||||
- #include "sftp-client.h"
|
|
||||||
-
|
|
||||||
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
|
|
||||||
--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
|
|
||||||
-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
|
|
||||||
-
|
|
||||||
- /* File to read commands from */
|
|
||||||
- FILE* infile;
|
|
||||||
-diff --git a/ssh-keygen.c b/ssh-keygen.c
|
|
||||||
-index cfb5f115..36a6e519 100644
|
|
||||||
---- a/ssh-keygen.c
|
|
||||||
-+++ b/ssh-keygen.c
|
|
||||||
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
|
|
||||||
- freezero(pin, strlen(pin));
|
|
||||||
- error_r(r, "Unable to load resident keys");
|
|
||||||
- return -1;
|
|
||||||
-- }
|
|
||||||
-+ }
|
|
||||||
- if (nkeys == 0)
|
|
||||||
- logit("No keys to download");
|
|
||||||
- if (pin != NULL)
|
|
||||||
+--- a/sftp-client.c
|
|
||||||
++++ b/sftp-client.c
|
|
||||||
+@@ -65,7 +65,7 @@ typedef void EditLine;
|
|
||||||
+ #define DEFAULT_COPY_BUFLEN 32768
|
|
||||||
+
|
|
||||||
+ /* Default number of concurrent outstanding requests */
|
|
||||||
+-#define DEFAULT_NUM_REQUESTS 64
|
|
||||||
++#define DEFAULT_NUM_REQUESTS 256
|
|
||||||
+
|
|
||||||
+ /* Minimum amount of data to read at a time */
|
|
||||||
+ #define MIN_READ_SIZE 512
|
|
||||||
diff --git a/ssh.c b/ssh.c
|
|
||||||
index 53330da5..27b9770e 100644
|
|
||||||
--- a/ssh.c
|
|
||||||
@@ -1330,9 +1286,9 @@
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
- debug("Authentication succeeded (%s).", authctxt.method->name);
|
|
||||||
- }
|
|
||||||
|
|
||||||
+ #ifdef WITH_OPENSSL
|
|
||||||
+ if (options.disable_multithreaded == 0) {
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index 6277e6d6..d66fa41a 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
@@ -1359,8 +1315,8 @@
|
|
||||||
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
|
||||||
error("Bind to port %s on %s failed: %.200s.",
|
|
||||||
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
|
|
||||||
- /* Fill in default values for those options not explicitly set. */
|
|
||||||
- fill_default_server_options(&options);
|
|
||||||
+ fatal("AuthorizedPrincipalsCommand set without "
|
|
||||||
+ "AuthorizedPrincipalsCommandUser");
|
|
||||||
|
|
||||||
+ if (options.none_enabled == 1) {
|
|
||||||
+ char *old_ciphers = options.ciphers;
|
|
||||||
@@ -1375,9 +1331,9 @@
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
- /* challenge-response is implemented via keyboard interactive */
|
|
||||||
- if (options.challenge_response_authentication)
|
|
||||||
- options.kbd_interactive_authentication = 1;
|
|
||||||
+ /*
|
|
||||||
+ * Check whether there is any path through configured auth methods.
|
|
||||||
+ * Unfortunately it is not possible to verify this generally before
|
|
||||||
@@ -2166,6 +2186,9 @@ main(int ac, char **av)
|
|
||||||
rdomain == NULL ? "" : "\"");
|
|
||||||
free(laddr);
|
|
|
@ -1,54 +0,0 @@
|
||||||
diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.4.1.diff b/openssh-9.0p1+x509-13.4.1.diff
|
|
||||||
--- a/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:43:33.957093896 -0700
|
|
||||||
+++ b/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:44:17.232396805 -0700
|
|
||||||
@@ -48941,8 +48941,8 @@
|
|
||||||
gss_create_empty_oid_set(&status, &oidset);
|
|
||||||
gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
|
||||||
|
|
||||||
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
|
||||||
-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
|
|
||||||
+- if (gethostname(lname, HOST_NAME_MAX)) {
|
|
||||||
++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
|
|
||||||
gss_release_oid_set(&status, &oidset);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
@@ -57102,12 +57102,11 @@
|
|
||||||
|
|
||||||
install-files:
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(bindir)
|
|
||||||
-@@ -395,6 +372,8 @@
|
|
||||||
+@@ -395,6 +372,7 @@
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
|
|
||||||
$(MKDIR_P) $(DESTDIR)$(libexecdir)
|
|
||||||
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
|
|
||||||
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
|
|
||||||
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
|
||||||
@@ -78638,7 +78637,7 @@
|
|
||||||
+if test "$sshd_type" = "pkix" ; then
|
|
||||||
+ unset_arg=''
|
|
||||||
+else
|
|
||||||
-+ unset_arg=none
|
|
||||||
++ unset_arg=''
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
cat > $OBJ/sshd_config.i << _EOF
|
|
||||||
@@ -143777,16 +143776,6 @@
|
|
||||||
+int asnmprintf(char **, size_t, int *, const char *, ...)
|
|
||||||
__attribute__((format(printf, 4, 5)));
|
|
||||||
void msetlocale(void);
|
|
||||||
-diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.4.1/version.h
|
|
||||||
---- openssh-9.0p1/version.h 2022-04-06 03:47:48.000000000 +0300
|
|
||||||
-+++ openssh-9.0p1+x509-13.4.1/version.h 2022-06-23 09:07:00.000000000 +0300
|
|
||||||
-@@ -2,5 +2,4 @@
|
|
||||||
-
|
|
||||||
- #define SSH_VERSION "OpenSSH_9.0"
|
|
||||||
-
|
|
||||||
--#define SSH_PORTABLE "p1"
|
|
||||||
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
|
||||||
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
|
|
||||||
diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.4.1/version.m4
|
|
||||||
--- openssh-9.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200
|
|
||||||
+++ openssh-9.0p1+x509-13.4.1/version.m4 2022-06-23 09:07:00.000000000 +0300
|
|
|
@ -1,12 +0,0 @@
|
||||||
diff -ur a/auth2.c b/auth2.c
|
|
||||||
--- a/auth2.c 2022-05-19 15:59:32.875160028 -0700
|
|
||||||
+++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700
|
|
||||||
@@ -226,7 +226,7 @@
|
|
||||||
int digest_alg;
|
|
||||||
size_t len;
|
|
||||||
u_char *hash;
|
|
||||||
- double delay;
|
|
||||||
+ double delay = 0;
|
|
||||||
|
|
||||||
digest_alg = ssh_digest_maxbytes();
|
|
||||||
if (len = ssh_digest_bytes(digest_alg) > 0) {
|
|
|
@ -1,32 +0,0 @@
|
||||||
https://github.com/openssh/openssh-portable/pull/339
|
|
||||||
|
|
||||||
From a15d08a25f1ccc3ee803dfe790cc1f608651464c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sam James <sam@gentoo.org>
|
|
||||||
Date: Thu, 8 Sep 2022 02:49:29 +0100
|
|
||||||
Subject: [PATCH] openbsd-compat/bsd-asprintf: add <stdio.h> include for
|
|
||||||
vsnprintf
|
|
||||||
|
|
||||||
Fixes the following build failure with Clang 15 on musl:
|
|
||||||
```
|
|
||||||
bsd-asprintf.c:51:8: error: call to undeclared library function 'vsnprintf' with type 'int (char *, unsigned long, const char *, struct __va_list_tag *)'; ISO C99 and laterclang -O2 -pipe -fdiagnostics-color=always -frecord-gcc-switches -pipe -Wunknown-warning-option -Qunused-arguments -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wmisleading-indentation -Wbitwise-instead-of-logical -fno-strict-aliasing -mretpoline -ftrapv -fzero-call-used-regs=all -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/misc/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/misc/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/misc/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/misc/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/lib/misc/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c cipher-aes.c -o cipher-aes.o
|
|
||||||
do not support
|
|
||||||
implicit function declarations [-Wimplicit-function-declaration]
|
|
||||||
ret = vsnprintf(string, INIT_SZ, fmt, ap2);
|
|
||||||
^
|
|
||||||
bsd-asprintf.c:51:8: note: include the header <stdio.h> or explicitly provide a declaration for 'vsnprintf'
|
|
||||||
1 error generated.
|
|
||||||
```
|
|
||||||
|
|
||||||
See also: https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-June/037811.html
|
|
||||||
See also: 73eb6cef41daba0359c1888e4756108d41b4e819
|
|
||||||
--- a/openbsd-compat/bsd-asprintf.c
|
|
||||||
+++ b/openbsd-compat/bsd-asprintf.c
|
|
||||||
@@ -32,6 +32,7 @@
|
|
||||||
|
|
||||||
#include <errno.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
|
|
||||||
#define INIT_SZ 128
|
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
|
|
||||||
index dd8cdc4b7..c446f0aa2 100644
|
|
||||||
--- a/openbsd-compat/regress/Makefile.in
|
|
||||||
+++ b/openbsd-compat/regress/Makefile.in
|
|
||||||
@@ -10,7 +10,7 @@ CFLAGS=@CFLAGS@
|
|
||||||
CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. -I$(srcdir)/../.. @CPPFLAGS@ @DEFS@
|
|
||||||
EXEEXT=@EXEEXT@
|
|
||||||
LIBCOMPAT=../libopenbsd-compat.a
|
|
||||||
-LIBS=@LIBS@
|
|
||||||
+LIBS=@LIBS@ -lssl -lcrypto
|
|
||||||
LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
|
|
||||||
|
|
||||||
TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
|
|
|
@ -1,69 +0,0 @@
|
||||||
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
|
|
||||||
index 02f15f9c..ffd33734 100644
|
|
||||||
--- a/openbsd-compat/arc4random.c
|
|
||||||
+++ b/openbsd-compat/arc4random.c
|
|
||||||
@@ -44,13 +44,15 @@
|
|
||||||
#ifndef HAVE_ARC4RANDOM
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * If we're not using a native getentropy, use the one from bsd-getentropy.c
|
|
||||||
- * under a different name, so that if in future these binaries are run on
|
|
||||||
- * a system that has a native getentropy OpenSSL cannot call the wrong one.
|
|
||||||
+ * Always use the getentropy implementation from bsd-getentropy.c, which
|
|
||||||
+ * will call a native getentropy if available then fall back as required.
|
|
||||||
+ * We use a different name so that OpenSSL cannot call the wrong getentropy.
|
|
||||||
*/
|
|
||||||
-#ifndef HAVE_GETENTROPY
|
|
||||||
-# define getentropy(x, y) (_ssh_compat_getentropy((x), (y)))
|
|
||||||
+int _ssh_compat_getentropy(void *, size_t);
|
|
||||||
+#ifdef getentropy
|
|
||||||
+# undef getentropy
|
|
||||||
#endif
|
|
||||||
+#define getentropy(x, y) (_ssh_compat_getentropy((x), (y)))
|
|
||||||
|
|
||||||
#include "log.h"
|
|
||||||
|
|
||||||
diff --git a/openbsd-compat/bsd-getentropy.c b/openbsd-compat/bsd-getentropy.c
|
|
||||||
index bd4b6695..554dfad7 100644
|
|
||||||
--- a/openbsd-compat/bsd-getentropy.c
|
|
||||||
+++ b/openbsd-compat/bsd-getentropy.c
|
|
||||||
@@ -18,8 +18,6 @@
|
|
||||||
|
|
||||||
#include "includes.h"
|
|
||||||
|
|
||||||
-#ifndef HAVE_GETENTROPY
|
|
||||||
-
|
|
||||||
#ifndef SSH_RANDOM_DEV
|
|
||||||
# define SSH_RANDOM_DEV "/dev/urandom"
|
|
||||||
#endif /* SSH_RANDOM_DEV */
|
|
||||||
@@ -52,6 +50,10 @@ _ssh_compat_getentropy(void *s, size_t len)
|
|
||||||
ssize_t r;
|
|
||||||
size_t o = 0;
|
|
||||||
|
|
||||||
+#ifdef HAVE_GETENTROPY
|
|
||||||
+ if (r = getentropy(s, len) == 0)
|
|
||||||
+ return 0;
|
|
||||||
+#endif /* HAVE_GETENTROPY */
|
|
||||||
#ifdef HAVE_GETRANDOM
|
|
||||||
if ((r = getrandom(s, len, 0)) > 0 && (size_t)r == len)
|
|
||||||
return 0;
|
|
||||||
@@ -79,4 +81,3 @@ _ssh_compat_getentropy(void *s, size_t len)
|
|
||||||
#endif /* WITH_OPENSSL */
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
-#endif /* WITH_GETENTROPY */
|
|
||||||
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
|
|
||||||
index 4af207cd..8f815090 100644
|
|
||||||
--- a/openbsd-compat/openbsd-compat.h
|
|
||||||
+++ b/openbsd-compat/openbsd-compat.h
|
|
||||||
@@ -69,10 +69,6 @@ void closefrom(int);
|
|
||||||
int ftruncate(int filedes, off_t length);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if defined(HAVE_DECL_GETENTROPY) && HAVE_DECL_GETENTROPY == 0
|
|
||||||
-int _ssh_compat_getentropy(void *, size_t);
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
#ifndef HAVE_GETLINE
|
|
||||||
#include <stdio.h>
|
|
||||||
ssize_t getline(char **, size_t *, FILE *);
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
From 45b491ce13fcf7dbc0b3bd6df986c9cf59190721 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jordan R Abrahams-Whitehead <ajordanr@google.com>
|
||||||
|
Date: Tue, 12 Dec 2023 22:54:02 +0000
|
||||||
|
Subject: [PATCH] Allow MAP_NORESERVE in sandbox seccomp filter maps
|
||||||
|
|
||||||
|
While debugging Scudo on ChromeOS, we found that the no reserve mode
|
||||||
|
immediately crashed `sshd`. We tracked it down to the
|
||||||
|
sandbox-seccomp-filter.
|
||||||
|
|
||||||
|
Being able to mmap with MAP_NORESERVE is useful (if not necessary) for
|
||||||
|
some overcommitting allocators.
|
||||||
|
|
||||||
|
During mmap calls, the flag MAP_NORESERVE is used by some allocators
|
||||||
|
such as LLVM's Scudo for layout optimisation. This causes the sandbox
|
||||||
|
seccomp filter for the client subprocess to die with some Scudo
|
||||||
|
configurations.
|
||||||
|
|
||||||
|
Upstream patch submission:
|
||||||
|
https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-December/041095.html
|
||||||
|
---
|
||||||
|
sandbox-seccomp-filter.c | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||||
|
index 23b40b643..a49c5ca99 100644
|
||||||
|
--- a/sandbox-seccomp-filter.c
|
||||||
|
+++ b/sandbox-seccomp-filter.c
|
||||||
|
@@ -190,9 +190,11 @@
|
||||||
|
|
||||||
|
#if defined(__NR_mmap) || defined(__NR_mmap2)
|
||||||
|
# ifdef MAP_FIXED_NOREPLACE
|
||||||
|
-# define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_FIXED_NOREPLACE
|
||||||
|
+# define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED \
|
||||||
|
+ |MAP_NORESERVE|MAP_FIXED_NOREPLACE
|
||||||
|
# else
|
||||||
|
-# define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED
|
||||||
|
+# define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED \
|
||||||
|
+ |MAP_NORESERVE
|
||||||
|
# endif /* MAP_FIXED_NOREPLACE */
|
||||||
|
/* Use this for both __NR_mmap and __NR_mmap2 variants */
|
||||||
|
# define SC_MMAP(_nr) \
|
||||||
|
--
|
||||||
|
2.43.0.472.g3155946c3a-goog
|
||||||
|
|
19
net-misc/openssh/files/openssh-9.6_p1-CVE-2024-6387.patch
Normal file
19
net-misc/openssh/files/openssh-9.6_p1-CVE-2024-6387.patch
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
https://bugs.gentoo.org/935271
|
||||||
|
Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2.
|
||||||
|
--- a/log.c
|
||||||
|
+++ b/log.c
|
||||||
|
@@ -451,12 +451,14 @@ void
|
||||||
|
sshsigdie(const char *file, const char *func, int line, int showfunc,
|
||||||
|
LogLevel level, const char *suffix, const char *fmt, ...)
|
||||||
|
{
|
||||||
|
+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
|
||||||
|
va_list args;
|
||||||
|
|
||||||
|
va_start(args, fmt);
|
||||||
|
sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
|
||||||
|
suffix, fmt, args);
|
||||||
|
va_end(args);
|
||||||
|
+#endif
|
||||||
|
_exit(1);
|
||||||
|
}
|
||||||
|
|
16
net-misc/openssh/files/openssh-9.6_p1-chaff-logic.patch
Normal file
16
net-misc/openssh/files/openssh-9.6_p1-chaff-logic.patch
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
"Minor logic error in ObscureKeystrokeTiming"
|
||||||
|
https://marc.info/?l=oss-security&m=171982317624594&w=2
|
||||||
|
--- a/clientloop.c
|
||||||
|
+++ b/clientloop.c
|
||||||
|
@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
|
||||||
|
if (timespeccmp(&now, &chaff_until, >=)) {
|
||||||
|
/* Stop if there have been no keystrokes for a while */
|
||||||
|
stop_reason = "chaff time expired";
|
||||||
|
- } else if (timespeccmp(&now, &next_interval, >=)) {
|
||||||
|
- /* Otherwise if we were due to send, then send chaff */
|
||||||
|
+ } else if (timespeccmp(&now, &next_interval, >=) &&
|
||||||
|
+ !ssh_packet_have_data_to_write(ssh)) {
|
||||||
|
+ /* If due to send but have no data, then send chaff */
|
||||||
|
if (send_chaff(ssh))
|
||||||
|
nchaff++;
|
||||||
|
}
|
20
net-misc/openssh/files/openssh-9.6_p1-fix-xmss-c99.patch
Normal file
20
net-misc/openssh/files/openssh-9.6_p1-fix-xmss-c99.patch
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
xmss_hash.c: In function ‘core_hash_SHA2’:
|
||||||
|
xmss_hash.c:56:5: error: implicit declaration of function ‘SHA256’ [-Wimplicit-function-declaration]
|
||||||
|
56 | SHA256(buf, inlen + keylen + n, out);
|
||||||
|
| ^~~~~~
|
||||||
|
xmss_hash.c:61:7: error: implicit declaration of function ‘SHA512’ [-Wimplicit-function-declaration]
|
||||||
|
61 | SHA512(buf, inlen + keylen + n, out);
|
||||||
|
| ^~~~~~
|
||||||
|
|
||||||
|
diff --git a/xmss_hash.c b/xmss_hash.c
|
||||||
|
index 70c126ae2..cb17de2af 100644
|
||||||
|
--- a/xmss_hash.c
|
||||||
|
+++ b/xmss_hash.c
|
||||||
|
@@ -12,6 +12,7 @@ Public domain.
|
||||||
|
#include "xmss_hash_address.h"
|
||||||
|
#include "xmss_commons.h"
|
||||||
|
#include "xmss_hash.h"
|
||||||
|
+#include <openssl/sha.h>
|
||||||
|
|
||||||
|
#include <stddef.h>
|
||||||
|
#ifdef HAVE_STDINT_H
|
27
net-misc/openssh/files/openssh-9.7_p1-config-tweaks.patch
Normal file
27
net-misc/openssh/files/openssh-9.7_p1-config-tweaks.patch
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
diff -Naur a/ssh_config b/ssh_config
|
||||||
|
--- a/ssh_config 2024-03-11 05:20:49.000000000 +0000
|
||||||
|
+++ b/ssh_config 2024-06-10 16:30:15.863023773 +0100
|
||||||
|
@@ -13,6 +13,9 @@
|
||||||
|
# Thus, host-specific definitions should be at the beginning of the
|
||||||
|
# configuration file, and defaults at the end.
|
||||||
|
|
||||||
|
+# Make sure that all Host and Match options are below this Include!
|
||||||
|
+Include "/etc/ssh/ssh_config.d/*.conf"
|
||||||
|
+
|
||||||
|
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||||
|
# list of available options, their meanings and defaults, please see the
|
||||||
|
# ssh_config(5) man page.
|
||||||
|
diff -Naur a/sshd_config b/sshd_config
|
||||||
|
--- a/sshd_config 2024-06-10 16:19:01.530491925 +0100
|
||||||
|
+++ b/sshd_config 2024-06-10 16:32:49.766386759 +0100
|
||||||
|
@@ -105,8 +105,8 @@
|
||||||
|
# no default banner path
|
||||||
|
#Banner none
|
||||||
|
|
||||||
|
-# override default of no subsystems
|
||||||
|
-Subsystem sftp /usr/libexec/sftp-server
|
||||||
|
+# Make sure that all Match options are below this Include!
|
||||||
|
+Include "/etc/ssh/sshd_config.d/*.conf"
|
||||||
|
|
||||||
|
# Example of overriding settings on a per-user basis
|
||||||
|
#Match User anoncvs
|
14
net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch
Normal file
14
net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
https://bugzilla.mindrot.org/show_bug.cgi?id=3707
|
||||||
|
https://bugs.gentoo.org/935353
|
||||||
|
--- a/openbsd-compat/port-linux.c
|
||||||
|
+++ b/openbsd-compat/port-linux.c
|
||||||
|
@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
|
||||||
|
error_f("socket \"%s\": %s", path, strerror(errno));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- if (connect(fd, &addr, sizeof(addr)) != 0) {
|
||||||
|
+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
|
||||||
|
error_f("socket \"%s\" connect: %s", path, strerror(errno));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
15
net-misc/openssh/files/sshd.service.1
Normal file
15
net-misc/openssh/files/sshd.service.1
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
[Unit]
|
||||||
|
Description=OpenSSH server daemon
|
||||||
|
After=network.target auditd.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStartPre=/usr/bin/ssh-keygen -A
|
||||||
|
ExecStart=/usr/sbin/sshd -D -e
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
KillMode=process
|
||||||
|
OOMPolicy=continue
|
||||||
|
Restart=on-failure
|
||||||
|
RestartSec=42s
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
15
net-misc/openssh/files/sshd.service.2
Normal file
15
net-misc/openssh/files/sshd.service.2
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
[Unit]
|
||||||
|
Description=OpenSSH server daemon
|
||||||
|
After=network.target auditd.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=notify-reload
|
||||||
|
ExecStartPre=/usr/bin/ssh-keygen -A
|
||||||
|
ExecStart=/usr/sbin/sshd -D -e
|
||||||
|
KillMode=process
|
||||||
|
OOMPolicy=continue
|
||||||
|
Restart=on-failure
|
||||||
|
RestartSec=42s
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
8
net-misc/openssh/files/sshd_at.service.1
Normal file
8
net-misc/openssh/files/sshd_at.service.1
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
[Unit]
|
||||||
|
Description=OpenSSH per-connection server daemon
|
||||||
|
After=auditd.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=-/usr/sbin/sshd -i -e
|
||||||
|
StandardInput=socket
|
||||||
|
StandardError=journal
|
|
@ -20,18 +20,15 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign,
|
||||||
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
|
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
|
||||||
</longdescription>
|
</longdescription>
|
||||||
<use>
|
<use>
|
||||||
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
|
<flag name="dss">Enable depcrated DSA/ssh-dss keys</flag>
|
||||||
<flag name="hpn">Enable high performance ssh</flag>
|
|
||||||
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
|
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
|
||||||
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
|
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
|
||||||
<flag name="security-key">Include builtin U2F/FIDO support</flag>
|
<flag name="security-key">Include builtin U2F/FIDO support</flag>
|
||||||
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
|
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
|
||||||
<flag name="X509">Adds support for X.509 certificate authentication</flag>
|
|
||||||
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
|
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
|
||||||
</use>
|
</use>
|
||||||
<upstream>
|
<upstream>
|
||||||
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
|
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
|
||||||
<remote-id type="github">openssh/openssh-portable</remote-id>
|
<remote-id type="github">openssh/openssh-portable</remote-id>
|
||||||
<remote-id type="sourceforge">hpnssh</remote-id>
|
|
||||||
</upstream>
|
</upstream>
|
||||||
</pkgmetadata>
|
</pkgmetadata>
|
||||||
|
|
|
@ -1,492 +0,0 @@
|
||||||
# Copyright 1999-2022 Gentoo Authors
|
|
||||||
# Distributed under the terms of the GNU General Public License v2
|
|
||||||
|
|
||||||
EAPI=7
|
|
||||||
|
|
||||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
|
|
||||||
# Make it more portable between straight releases
|
|
||||||
# and _p? releases.
|
|
||||||
PARCH=${P/_}
|
|
||||||
|
|
||||||
# PV to USE for HPN patches
|
|
||||||
#HPN_PV="${PV^^}"
|
|
||||||
HPN_PV="8.5_P1"
|
|
||||||
|
|
||||||
HPN_VER="15.2"
|
|
||||||
HPN_PATCHES=(
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
|
||||||
)
|
|
||||||
|
|
||||||
SCTP_VER="1.2"
|
|
||||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
|
||||||
X509_VER="13.3.1"
|
|
||||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
|
||||||
|
|
||||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
|
||||||
HOMEPAGE="https://www.openssh.com/"
|
|
||||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
|
||||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
|
||||||
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
|
|
||||||
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
|
|
||||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
|
||||||
"
|
|
||||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
|
||||||
S="${WORKDIR}/${PARCH}"
|
|
||||||
|
|
||||||
LICENSE="BSD GPL-2"
|
|
||||||
SLOT="0"
|
|
||||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
|
||||||
# Probably want to drop ssl defaulting to on in a future version.
|
|
||||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
|
|
||||||
|
|
||||||
RESTRICT="!test? ( test )"
|
|
||||||
|
|
||||||
REQUIRED_USE="
|
|
||||||
hpn? ( ssl )
|
|
||||||
ldns? ( ssl )
|
|
||||||
pie? ( !static )
|
|
||||||
static? ( !kerberos !pam )
|
|
||||||
X509? ( !sctp ssl !xmss )
|
|
||||||
xmss? ( ssl )
|
|
||||||
test? ( ssl )
|
|
||||||
"
|
|
||||||
|
|
||||||
# tests currently fail with XMSS
|
|
||||||
REQUIRED_USE+="test? ( !xmss )"
|
|
||||||
|
|
||||||
LIB_DEPEND="
|
|
||||||
audit? ( sys-process/audit[static-libs(+)] )
|
|
||||||
ldns? (
|
|
||||||
net-libs/ldns[static-libs(+)]
|
|
||||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
|
||||||
)
|
|
||||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
|
||||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
|
||||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
|
||||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
|
||||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
|
||||||
virtual/libcrypt:=[static-libs(+)]
|
|
||||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
|
||||||
"
|
|
||||||
RDEPEND="
|
|
||||||
acct-group/sshd
|
|
||||||
acct-user/sshd
|
|
||||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
|
||||||
pam? ( sys-libs/pam )
|
|
||||||
kerberos? ( virtual/krb5 )
|
|
||||||
"
|
|
||||||
DEPEND="${RDEPEND}
|
|
||||||
virtual/os-headers
|
|
||||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
|
||||||
static? ( ${LIB_DEPEND} )
|
|
||||||
"
|
|
||||||
RDEPEND="${RDEPEND}
|
|
||||||
pam? ( >=sys-auth/pambase-20081028 )
|
|
||||||
!prefix? ( sys-apps/shadow )
|
|
||||||
X? ( x11-apps/xauth )
|
|
||||||
"
|
|
||||||
BDEPEND="
|
|
||||||
virtual/pkgconfig
|
|
||||||
sys-devel/autoconf
|
|
||||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
|
||||||
"
|
|
||||||
|
|
||||||
pkg_pretend() {
|
|
||||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
|
||||||
# than not be able to log in to their server any more
|
|
||||||
local missing=()
|
|
||||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
|
||||||
check_feature hpn HPN_VER
|
|
||||||
check_feature sctp SCTP_PATCH
|
|
||||||
check_feature X509 X509_PATCH
|
|
||||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
|
||||||
eerror "Sorry, but this version does not yet support features"
|
|
||||||
eerror "that you requested: ${missing[*]}"
|
|
||||||
eerror "Please mask ${PF} for now and check back later:"
|
|
||||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
|
||||||
die "Missing requested third party patch."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
|
||||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
|
||||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
|
||||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_unpack() {
|
|
||||||
default
|
|
||||||
|
|
||||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
|
||||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
|
||||||
}
|
|
||||||
|
|
||||||
src_prepare() {
|
|
||||||
sed -i \
|
|
||||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
|
||||||
pathnames.h || die
|
|
||||||
|
|
||||||
# don't break .ssh/authorized_keys2 for fun
|
|
||||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
|
||||||
|
|
||||||
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
|
|
||||||
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-fzero-call-used-regs.patch #834037
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
|
|
||||||
|
|
||||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
|
||||||
|
|
||||||
local PATCHSET_VERSION_MACROS=()
|
|
||||||
|
|
||||||
if use X509 ; then
|
|
||||||
pushd "${WORKDIR}" &>/dev/null || die
|
|
||||||
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
|
||||||
|
|
||||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
|
||||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
|
||||||
# error
|
|
||||||
einfo "Patching package version for X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
|
||||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use sctp ; then
|
|
||||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose SCTP patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
|
||||||
|
|
||||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/\t\tcfgparse \\\/d" \
|
|
||||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn ; then
|
|
||||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
|
||||||
mkdir "${hpn_patchdir}" || die
|
|
||||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
|
||||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
|
|
||||||
use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
|
|
||||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${hpn_patchdir}"
|
|
||||||
|
|
||||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
|
||||||
|
|
||||||
einfo "Patching Makefile.in for HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
|
||||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
|
||||||
|
|
||||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
|
||||||
|
|
||||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
|
||||||
|
|
||||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
|
||||||
# and therefore disabled per default.
|
|
||||||
DisableMTAES yes
|
|
||||||
EOF
|
|
||||||
sed -i \
|
|
||||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
|
||||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
|
||||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use X509 || use sctp || use hpn ; then
|
|
||||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
|
||||||
|
|
||||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
|
||||||
|
|
||||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
|
||||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/#UseLogin no/d" \
|
|
||||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
|
||||||
|
|
||||||
eapply_user #473004
|
|
||||||
|
|
||||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
|
||||||
sed -e '/\t\tpercent \\/ d' \
|
|
||||||
-i regress/Makefile || die
|
|
||||||
|
|
||||||
tc-export PKG_CONFIG
|
|
||||||
local sed_args=(
|
|
||||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
|
||||||
# Disable PATH reset, trust what portage gives us #254615
|
|
||||||
-e 's:^PATH=/:#PATH=/:'
|
|
||||||
# Disable fortify flags ... our gcc does this for us
|
|
||||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
|
||||||
)
|
|
||||||
|
|
||||||
# The -ftrapv flag ICEs on hppa #505182
|
|
||||||
use hppa && sed_args+=(
|
|
||||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
|
||||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
|
||||||
)
|
|
||||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
|
||||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
|
||||||
-e 's/-D_XOPEN_SOURCE//'
|
|
||||||
)
|
|
||||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
|
||||||
|
|
||||||
eautoreconf
|
|
||||||
}
|
|
||||||
|
|
||||||
src_configure() {
|
|
||||||
addwrite /dev/ptmx
|
|
||||||
|
|
||||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
|
||||||
use static && append-ldflags -static
|
|
||||||
use xmss && append-cflags -DWITH_XMSS
|
|
||||||
|
|
||||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
|
||||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
|
||||||
# doesn't check for this, so force the replacement to be put in
|
|
||||||
# place
|
|
||||||
append-cppflags -DBROKEN_GLOB
|
|
||||||
fi
|
|
||||||
|
|
||||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
|
||||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
|
||||||
|
|
||||||
local myconf=(
|
|
||||||
--with-ldflags="${LDFLAGS}"
|
|
||||||
--disable-strip
|
|
||||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
|
||||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
|
||||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
|
||||||
--datadir="${EPREFIX}"/usr/share/openssh
|
|
||||||
--with-privsep-path="${EPREFIX}"/var/empty
|
|
||||||
--with-privsep-user=sshd
|
|
||||||
$(use_with audit audit linux)
|
|
||||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
|
||||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
|
||||||
# unconditionally else we get unknown flag warnings.
|
|
||||||
$(use sctp && use_with sctp)
|
|
||||||
$(use_with ldns)
|
|
||||||
$(use_with libedit)
|
|
||||||
$(use_with pam)
|
|
||||||
$(use_with pie)
|
|
||||||
$(use_with selinux)
|
|
||||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
|
||||||
$(use_with ssl openssl)
|
|
||||||
$(use_with ssl ssl-engine)
|
|
||||||
$(use_with !elibc_Cygwin hardening) #659210
|
|
||||||
)
|
|
||||||
|
|
||||||
if use elibc_musl; then
|
|
||||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
|
||||||
# https://bugs.gentoo.org/753230
|
|
||||||
myconf+=( --disable-utmp --disable-wtmp )
|
|
||||||
fi
|
|
||||||
|
|
||||||
econf "${myconf[@]}"
|
|
||||||
}
|
|
||||||
|
|
||||||
src_test() {
|
|
||||||
local tests=( compat-tests )
|
|
||||||
local shell=$(egetshell "${UID}")
|
|
||||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
|
||||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
|
||||||
ewarn "user, so we will run a subset only."
|
|
||||||
tests+=( interop-tests )
|
|
||||||
else
|
|
||||||
tests+=( tests )
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
|
||||||
mkdir -p "${HOME}"/.ssh || die
|
|
||||||
emake -j1 "${tests[@]}" </dev/null
|
|
||||||
}
|
|
||||||
|
|
||||||
# Gentoo tweaks to default config files.
|
|
||||||
tweak_ssh_configs() {
|
|
||||||
local locale_vars=(
|
|
||||||
# These are language variables that POSIX defines.
|
|
||||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
|
||||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
|
||||||
|
|
||||||
# These are the GNU extensions.
|
|
||||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
|
||||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
|
||||||
)
|
|
||||||
|
|
||||||
# First the server config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
|
||||||
|
|
||||||
# Allow client to pass locale environment variables. #367017
|
|
||||||
AcceptEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Allow client to pass COLORTERM to match TERM. #658540
|
|
||||||
AcceptEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Then the client config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
|
||||||
|
|
||||||
# Send locale environment variables. #367017
|
|
||||||
SendEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Send COLORTERM to match TERM. #658540
|
|
||||||
SendEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if use pam ; then
|
|
||||||
sed -i \
|
|
||||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
|
||||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
|
||||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
|
||||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use livecd ; then
|
|
||||||
sed -i \
|
|
||||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_install() {
|
|
||||||
emake install-nokeys DESTDIR="${D}"
|
|
||||||
fperms 600 /etc/ssh/sshd_config
|
|
||||||
dobin contrib/ssh-copy-id
|
|
||||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
|
||||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
|
||||||
|
|
||||||
if use pam; then
|
|
||||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
|
||||||
fi
|
|
||||||
|
|
||||||
tweak_ssh_configs
|
|
||||||
|
|
||||||
doman contrib/ssh-copy-id.1
|
|
||||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
|
||||||
use hpn && dodoc HPN-README
|
|
||||||
use X509 || dodoc ChangeLog
|
|
||||||
|
|
||||||
diropts -m 0700
|
|
||||||
dodir /etc/skel/.ssh
|
|
||||||
|
|
||||||
# https://bugs.gentoo.org/733802
|
|
||||||
if ! use scp; then
|
|
||||||
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|
|
||||||
|| die "failed to remove scp"
|
|
||||||
fi
|
|
||||||
|
|
||||||
rmdir "${ED}"/var/empty || die
|
|
||||||
|
|
||||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
|
||||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_preinst() {
|
|
||||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
|
||||||
show_ssl_warning=1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_postinst() {
|
|
||||||
local old_ver
|
|
||||||
for old_ver in ${REPLACING_VERSIONS}; do
|
|
||||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
|
||||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
|
||||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
|
||||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
|
||||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
|
||||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
|
||||||
elog "be an alternative for you as it supports USE=tcpd."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
|
||||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
|
||||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
|
||||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
|
||||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
|
||||||
elog "You should however generate new keys using rsa or ed25519."
|
|
||||||
|
|
||||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
|
||||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
|
||||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
|
||||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
|
||||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
|
||||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
|
||||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
|
||||||
elog "if you need to authenticate against LDAP."
|
|
||||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
|
||||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
|
||||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
|
||||||
ewarn "connection is generally safe."
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ -n ${show_ssl_warning} ]]; then
|
|
||||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
|
||||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
|
||||||
elog "and update all clients/servers that utilize them."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
elog ""
|
|
||||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
|
||||||
elog "and therefore disabled at runtime per default."
|
|
||||||
elog "Make sure your sshd_config is up to date and contains"
|
|
||||||
elog ""
|
|
||||||
elog " DisableMTAES yes"
|
|
||||||
elog ""
|
|
||||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
|
||||||
elog ""
|
|
||||||
fi
|
|
||||||
}
|
|
|
@ -1,485 +0,0 @@
|
||||||
# Copyright 1999-2022 Gentoo Authors
|
|
||||||
# Distributed under the terms of the GNU General Public License v2
|
|
||||||
|
|
||||||
EAPI=7
|
|
||||||
|
|
||||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
|
|
||||||
# Make it more portable between straight releases
|
|
||||||
# and _p? releases.
|
|
||||||
PARCH=${P/_}
|
|
||||||
|
|
||||||
# PV to USE for HPN patches
|
|
||||||
#HPN_PV="${PV^^}"
|
|
||||||
HPN_PV="8.5_P1"
|
|
||||||
|
|
||||||
HPN_VER="15.2"
|
|
||||||
HPN_PATCHES=(
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
|
||||||
)
|
|
||||||
|
|
||||||
SCTP_VER="1.2"
|
|
||||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
|
||||||
X509_VER="13.4.1"
|
|
||||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
|
||||||
|
|
||||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
|
||||||
HOMEPAGE="https://www.openssh.com/"
|
|
||||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
|
||||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
|
||||||
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
|
|
||||||
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
|
|
||||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
|
||||||
"
|
|
||||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
|
||||||
S="${WORKDIR}/${PARCH}"
|
|
||||||
|
|
||||||
LICENSE="BSD GPL-2"
|
|
||||||
SLOT="0"
|
|
||||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
|
||||||
# Probably want to drop ssl defaulting to on in a future version.
|
|
||||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
|
||||||
|
|
||||||
RESTRICT="!test? ( test )"
|
|
||||||
|
|
||||||
REQUIRED_USE="
|
|
||||||
hpn? ( ssl )
|
|
||||||
ldns? ( ssl )
|
|
||||||
pie? ( !static )
|
|
||||||
static? ( !kerberos !pam )
|
|
||||||
X509? ( !sctp ssl !xmss )
|
|
||||||
xmss? ( ssl )
|
|
||||||
test? ( ssl )
|
|
||||||
"
|
|
||||||
|
|
||||||
# tests currently fail with XMSS
|
|
||||||
REQUIRED_USE+="test? ( !xmss )"
|
|
||||||
|
|
||||||
LIB_DEPEND="
|
|
||||||
audit? ( sys-process/audit[static-libs(+)] )
|
|
||||||
ldns? (
|
|
||||||
net-libs/ldns[static-libs(+)]
|
|
||||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
|
||||||
)
|
|
||||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
|
||||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
|
||||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
|
||||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
|
||||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
|
||||||
virtual/libcrypt:=[static-libs(+)]
|
|
||||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
|
||||||
"
|
|
||||||
RDEPEND="
|
|
||||||
acct-group/sshd
|
|
||||||
acct-user/sshd
|
|
||||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
|
||||||
pam? ( sys-libs/pam )
|
|
||||||
kerberos? ( virtual/krb5 )
|
|
||||||
"
|
|
||||||
DEPEND="${RDEPEND}
|
|
||||||
virtual/os-headers
|
|
||||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
|
||||||
static? ( ${LIB_DEPEND} )
|
|
||||||
"
|
|
||||||
RDEPEND="${RDEPEND}
|
|
||||||
pam? ( >=sys-auth/pambase-20081028 )
|
|
||||||
!prefix? ( sys-apps/shadow )
|
|
||||||
X? ( x11-apps/xauth )
|
|
||||||
"
|
|
||||||
BDEPEND="
|
|
||||||
virtual/pkgconfig
|
|
||||||
sys-devel/autoconf
|
|
||||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
|
||||||
"
|
|
||||||
|
|
||||||
pkg_pretend() {
|
|
||||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
|
||||||
# than not be able to log in to their server any more
|
|
||||||
local missing=()
|
|
||||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
|
||||||
check_feature hpn HPN_VER
|
|
||||||
check_feature sctp SCTP_PATCH
|
|
||||||
check_feature X509 X509_PATCH
|
|
||||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
|
||||||
eerror "Sorry, but this version does not yet support features"
|
|
||||||
eerror "that you requested: ${missing[*]}"
|
|
||||||
eerror "Please mask ${PF} for now and check back later:"
|
|
||||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
|
||||||
die "Missing requested third party patch."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
|
||||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
|
||||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
|
||||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_unpack() {
|
|
||||||
default
|
|
||||||
|
|
||||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
|
||||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
|
||||||
}
|
|
||||||
|
|
||||||
src_prepare() {
|
|
||||||
sed -i \
|
|
||||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
|
||||||
pathnames.h || die
|
|
||||||
|
|
||||||
# don't break .ssh/authorized_keys2 for fun
|
|
||||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
|
||||||
|
|
||||||
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
|
|
||||||
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
|
|
||||||
|
|
||||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
|
||||||
|
|
||||||
local PATCHSET_VERSION_MACROS=()
|
|
||||||
|
|
||||||
if use X509 ; then
|
|
||||||
pushd "${WORKDIR}" &>/dev/null || die
|
|
||||||
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
|
||||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
|
||||||
|
|
||||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
|
||||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
|
||||||
# error
|
|
||||||
einfo "Patching package version for X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
|
||||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use sctp ; then
|
|
||||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose SCTP patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
|
||||||
|
|
||||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/\t\tcfgparse \\\/d" \
|
|
||||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn ; then
|
|
||||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
|
||||||
mkdir "${hpn_patchdir}" || die
|
|
||||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
|
||||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
|
|
||||||
use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
|
|
||||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${hpn_patchdir}"
|
|
||||||
|
|
||||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
|
||||||
|
|
||||||
einfo "Patching Makefile.in for HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
|
||||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
|
||||||
|
|
||||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
|
||||||
|
|
||||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
|
||||||
|
|
||||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
|
||||||
# and therefore disabled per default.
|
|
||||||
DisableMTAES yes
|
|
||||||
EOF
|
|
||||||
sed -i \
|
|
||||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
|
||||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
|
||||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use X509 || use sctp || use hpn ; then
|
|
||||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
|
||||||
|
|
||||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
|
||||||
|
|
||||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
|
||||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/#UseLogin no/d" \
|
|
||||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
|
||||||
|
|
||||||
eapply_user #473004
|
|
||||||
|
|
||||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
|
||||||
sed -e '/\t\tpercent \\/ d' \
|
|
||||||
-i regress/Makefile || die
|
|
||||||
|
|
||||||
tc-export PKG_CONFIG
|
|
||||||
local sed_args=(
|
|
||||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
|
||||||
# Disable PATH reset, trust what portage gives us #254615
|
|
||||||
-e 's:^PATH=/:#PATH=/:'
|
|
||||||
# Disable fortify flags ... our gcc does this for us
|
|
||||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
|
||||||
)
|
|
||||||
|
|
||||||
# The -ftrapv flag ICEs on hppa #505182
|
|
||||||
use hppa && sed_args+=(
|
|
||||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
|
||||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
|
||||||
)
|
|
||||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
|
||||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
|
||||||
-e 's/-D_XOPEN_SOURCE//'
|
|
||||||
)
|
|
||||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
|
||||||
|
|
||||||
eautoreconf
|
|
||||||
}
|
|
||||||
|
|
||||||
src_configure() {
|
|
||||||
addwrite /dev/ptmx
|
|
||||||
|
|
||||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
|
||||||
use static && append-ldflags -static
|
|
||||||
use xmss && append-cflags -DWITH_XMSS
|
|
||||||
|
|
||||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
|
||||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
|
||||||
# doesn't check for this, so force the replacement to be put in
|
|
||||||
# place
|
|
||||||
append-cppflags -DBROKEN_GLOB
|
|
||||||
fi
|
|
||||||
|
|
||||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
|
||||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
|
||||||
|
|
||||||
local myconf=(
|
|
||||||
--with-ldflags="${LDFLAGS}"
|
|
||||||
--disable-strip
|
|
||||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
|
||||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
|
||||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
|
||||||
--datadir="${EPREFIX}"/usr/share/openssh
|
|
||||||
--with-privsep-path="${EPREFIX}"/var/empty
|
|
||||||
--with-privsep-user=sshd
|
|
||||||
$(use_with audit audit linux)
|
|
||||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
|
||||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
|
||||||
# unconditionally else we get unknown flag warnings.
|
|
||||||
$(use sctp && use_with sctp)
|
|
||||||
$(use_with ldns)
|
|
||||||
$(use_with libedit)
|
|
||||||
$(use_with pam)
|
|
||||||
$(use_with pie)
|
|
||||||
$(use_with selinux)
|
|
||||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
|
||||||
$(use_with ssl openssl)
|
|
||||||
$(use_with ssl ssl-engine)
|
|
||||||
$(use_with !elibc_Cygwin hardening) #659210
|
|
||||||
)
|
|
||||||
|
|
||||||
if use elibc_musl; then
|
|
||||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
|
||||||
# https://bugs.gentoo.org/753230
|
|
||||||
myconf+=( --disable-utmp --disable-wtmp )
|
|
||||||
fi
|
|
||||||
|
|
||||||
econf "${myconf[@]}"
|
|
||||||
}
|
|
||||||
|
|
||||||
src_test() {
|
|
||||||
local tests=( compat-tests )
|
|
||||||
local shell=$(egetshell "${UID}")
|
|
||||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
|
||||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
|
||||||
ewarn "user, so we will run a subset only."
|
|
||||||
tests+=( interop-tests )
|
|
||||||
else
|
|
||||||
tests+=( tests )
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
|
||||||
mkdir -p "${HOME}"/.ssh || die
|
|
||||||
emake -j1 "${tests[@]}" </dev/null
|
|
||||||
}
|
|
||||||
|
|
||||||
# Gentoo tweaks to default config files.
|
|
||||||
tweak_ssh_configs() {
|
|
||||||
local locale_vars=(
|
|
||||||
# These are language variables that POSIX defines.
|
|
||||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
|
||||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
|
||||||
|
|
||||||
# These are the GNU extensions.
|
|
||||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
|
||||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
|
||||||
)
|
|
||||||
|
|
||||||
# First the server config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
|
||||||
|
|
||||||
# Allow client to pass locale environment variables. #367017
|
|
||||||
AcceptEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Allow client to pass COLORTERM to match TERM. #658540
|
|
||||||
AcceptEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Then the client config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
|
||||||
|
|
||||||
# Send locale environment variables. #367017
|
|
||||||
SendEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Send COLORTERM to match TERM. #658540
|
|
||||||
SendEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if use pam ; then
|
|
||||||
sed -i \
|
|
||||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
|
||||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
|
||||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
|
||||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use livecd ; then
|
|
||||||
sed -i \
|
|
||||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_install() {
|
|
||||||
emake install-nokeys DESTDIR="${D}"
|
|
||||||
fperms 600 /etc/ssh/sshd_config
|
|
||||||
dobin contrib/ssh-copy-id
|
|
||||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
|
||||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
|
||||||
|
|
||||||
if use pam; then
|
|
||||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
|
||||||
fi
|
|
||||||
|
|
||||||
tweak_ssh_configs
|
|
||||||
|
|
||||||
doman contrib/ssh-copy-id.1
|
|
||||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
|
||||||
use hpn && dodoc HPN-README
|
|
||||||
use X509 || dodoc ChangeLog
|
|
||||||
|
|
||||||
diropts -m 0700
|
|
||||||
dodir /etc/skel/.ssh
|
|
||||||
rmdir "${ED}"/var/empty || die
|
|
||||||
|
|
||||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
|
||||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_preinst() {
|
|
||||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
|
||||||
show_ssl_warning=1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_postinst() {
|
|
||||||
local old_ver
|
|
||||||
for old_ver in ${REPLACING_VERSIONS}; do
|
|
||||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
|
||||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
|
||||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
|
||||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
|
||||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
|
||||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
|
||||||
elog "be an alternative for you as it supports USE=tcpd."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
|
||||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
|
||||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
|
||||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
|
||||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
|
||||||
elog "You should however generate new keys using rsa or ed25519."
|
|
||||||
|
|
||||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
|
||||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
|
||||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
|
||||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
|
||||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
|
||||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
|
||||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
|
||||||
elog "if you need to authenticate against LDAP."
|
|
||||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
|
||||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
|
||||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
|
||||||
ewarn "connection is generally safe."
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ -n ${show_ssl_warning} ]]; then
|
|
||||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
|
||||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
|
||||||
elog "and update all clients/servers that utilize them."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
elog ""
|
|
||||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
|
||||||
elog "and therefore disabled at runtime per default."
|
|
||||||
elog "Make sure your sshd_config is up to date and contains"
|
|
||||||
elog ""
|
|
||||||
elog " DisableMTAES yes"
|
|
||||||
elog ""
|
|
||||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
|
||||||
elog ""
|
|
||||||
fi
|
|
||||||
}
|
|
|
@ -1,499 +0,0 @@
|
||||||
# Copyright 1999-2022 Gentoo Authors
|
|
||||||
# Distributed under the terms of the GNU General Public License v2
|
|
||||||
|
|
||||||
EAPI=7
|
|
||||||
|
|
||||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
|
|
||||||
# Make it more portable between straight releases
|
|
||||||
# and _p? releases.
|
|
||||||
PARCH=${P/_}
|
|
||||||
|
|
||||||
# PV to USE for HPN patches
|
|
||||||
#HPN_PV="${PV^^}"
|
|
||||||
HPN_PV="8.5_P1"
|
|
||||||
|
|
||||||
HPN_VER="15.2"
|
|
||||||
HPN_PATCHES=(
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
|
||||||
)
|
|
||||||
|
|
||||||
SCTP_VER="1.2"
|
|
||||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
|
||||||
X509_VER="13.4.1"
|
|
||||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
|
||||||
|
|
||||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
|
||||||
HOMEPAGE="https://www.openssh.com/"
|
|
||||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
|
||||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
|
||||||
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
|
|
||||||
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
|
|
||||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
|
||||||
"
|
|
||||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
|
||||||
S="${WORKDIR}/${PARCH}"
|
|
||||||
|
|
||||||
LICENSE="BSD GPL-2"
|
|
||||||
SLOT="0"
|
|
||||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
|
||||||
# Probably want to drop ssl defaulting to on in a future version.
|
|
||||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
|
||||||
|
|
||||||
RESTRICT="!test? ( test )"
|
|
||||||
|
|
||||||
REQUIRED_USE="
|
|
||||||
hpn? ( ssl )
|
|
||||||
ldns? ( ssl )
|
|
||||||
pie? ( !static )
|
|
||||||
static? ( !kerberos !pam )
|
|
||||||
X509? ( !sctp ssl !xmss )
|
|
||||||
xmss? ( ssl )
|
|
||||||
test? ( ssl )
|
|
||||||
"
|
|
||||||
|
|
||||||
# tests currently fail with XMSS
|
|
||||||
REQUIRED_USE+="test? ( !xmss )"
|
|
||||||
|
|
||||||
# Blocker on older gcc-config for bug #872416
|
|
||||||
LIB_DEPEND="
|
|
||||||
!<sys-devel/gcc-config-2.6
|
|
||||||
audit? ( sys-process/audit[static-libs(+)] )
|
|
||||||
ldns? (
|
|
||||||
net-libs/ldns[static-libs(+)]
|
|
||||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
|
||||||
)
|
|
||||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
|
||||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
|
||||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
|
||||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
|
||||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
|
||||||
virtual/libcrypt:=[static-libs(+)]
|
|
||||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
|
||||||
"
|
|
||||||
RDEPEND="
|
|
||||||
acct-group/sshd
|
|
||||||
acct-user/sshd
|
|
||||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
|
||||||
pam? ( sys-libs/pam )
|
|
||||||
kerberos? ( virtual/krb5 )
|
|
||||||
"
|
|
||||||
DEPEND="${RDEPEND}
|
|
||||||
virtual/os-headers
|
|
||||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
|
||||||
static? ( ${LIB_DEPEND} )
|
|
||||||
"
|
|
||||||
RDEPEND="${RDEPEND}
|
|
||||||
pam? ( >=sys-auth/pambase-20081028 )
|
|
||||||
!prefix? ( sys-apps/shadow )
|
|
||||||
X? ( x11-apps/xauth )
|
|
||||||
"
|
|
||||||
# Weird dep construct for newer gcc-config for bug #872416
|
|
||||||
BDEPEND="
|
|
||||||
sys-devel/autoconf
|
|
||||||
virtual/pkgconfig
|
|
||||||
|| (
|
|
||||||
>=sys-devel/gcc-config-2.6
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-14-r1:14
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-15-r1:15
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-16-r1:*
|
|
||||||
)
|
|
||||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
|
||||||
"
|
|
||||||
|
|
||||||
pkg_pretend() {
|
|
||||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
|
||||||
# than not be able to log in to their server any more
|
|
||||||
local missing=()
|
|
||||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
|
||||||
check_feature hpn HPN_VER
|
|
||||||
check_feature sctp SCTP_PATCH
|
|
||||||
check_feature X509 X509_PATCH
|
|
||||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
|
||||||
eerror "Sorry, but this version does not yet support features"
|
|
||||||
eerror "that you requested: ${missing[*]}"
|
|
||||||
eerror "Please mask ${PF} for now and check back later:"
|
|
||||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
|
||||||
die "Missing requested third party patch."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
|
||||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
|
||||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
|
||||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_unpack() {
|
|
||||||
default
|
|
||||||
|
|
||||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
|
||||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
|
||||||
}
|
|
||||||
|
|
||||||
src_prepare() {
|
|
||||||
sed -i \
|
|
||||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
|
||||||
pathnames.h || die
|
|
||||||
|
|
||||||
# don't break .ssh/authorized_keys2 for fun
|
|
||||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
|
||||||
|
|
||||||
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
|
|
||||||
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-allow-ppoll_time64.patch #834019
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch #834044
|
|
||||||
eapply "${FILESDIR}"/${PN}-9.0_p1-implicit-func-decl-vsnprintf.patch
|
|
||||||
|
|
||||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
|
||||||
|
|
||||||
local PATCHSET_VERSION_MACROS=()
|
|
||||||
|
|
||||||
if use X509 ; then
|
|
||||||
pushd "${WORKDIR}" &>/dev/null || die
|
|
||||||
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
|
||||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
|
||||||
|
|
||||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
|
||||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
|
||||||
# error
|
|
||||||
einfo "Patching package version for X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
|
||||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use sctp ; then
|
|
||||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose SCTP patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
|
||||||
|
|
||||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/\t\tcfgparse \\\/d" \
|
|
||||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn ; then
|
|
||||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
|
||||||
mkdir "${hpn_patchdir}" || die
|
|
||||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
|
||||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
|
||||||
eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-glue.patch
|
|
||||||
use X509 && eapply "${FILESDIR}"/${PN}-8.9_p1-hpn-${HPN_VER}-X509-glue.patch
|
|
||||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${hpn_patchdir}"
|
|
||||||
|
|
||||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
|
||||||
|
|
||||||
einfo "Patching Makefile.in for HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
|
||||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
|
||||||
|
|
||||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
|
||||||
|
|
||||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
|
||||||
|
|
||||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
|
||||||
# and therefore disabled per default.
|
|
||||||
DisableMTAES yes
|
|
||||||
EOF
|
|
||||||
sed -i \
|
|
||||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
|
||||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
|
||||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use X509 || use sctp || use hpn ; then
|
|
||||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
|
||||||
|
|
||||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
|
||||||
|
|
||||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
|
||||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/#UseLogin no/d" \
|
|
||||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
|
||||||
|
|
||||||
eapply_user #473004
|
|
||||||
|
|
||||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
|
||||||
sed -e '/\t\tpercent \\/ d' \
|
|
||||||
-i regress/Makefile || die
|
|
||||||
|
|
||||||
tc-export PKG_CONFIG
|
|
||||||
local sed_args=(
|
|
||||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
|
||||||
# Disable PATH reset, trust what portage gives us #254615
|
|
||||||
-e 's:^PATH=/:#PATH=/:'
|
|
||||||
# Disable fortify flags ... our gcc does this for us
|
|
||||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
|
||||||
)
|
|
||||||
|
|
||||||
# The -ftrapv flag ICEs on hppa #505182
|
|
||||||
use hppa && sed_args+=(
|
|
||||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
|
||||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
|
||||||
)
|
|
||||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
|
||||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
|
||||||
-e 's/-D_XOPEN_SOURCE//'
|
|
||||||
)
|
|
||||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
|
||||||
|
|
||||||
eautoreconf
|
|
||||||
}
|
|
||||||
|
|
||||||
src_configure() {
|
|
||||||
addwrite /dev/ptmx
|
|
||||||
|
|
||||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
|
||||||
use static && append-ldflags -static
|
|
||||||
use xmss && append-cflags -DWITH_XMSS
|
|
||||||
|
|
||||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
|
||||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
|
||||||
# doesn't check for this, so force the replacement to be put in
|
|
||||||
# place
|
|
||||||
append-cppflags -DBROKEN_GLOB
|
|
||||||
fi
|
|
||||||
|
|
||||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
|
||||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
|
||||||
|
|
||||||
local myconf=(
|
|
||||||
--with-ldflags="${LDFLAGS}"
|
|
||||||
--disable-strip
|
|
||||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
|
||||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
|
||||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
|
||||||
--datadir="${EPREFIX}"/usr/share/openssh
|
|
||||||
--with-privsep-path="${EPREFIX}"/var/empty
|
|
||||||
--with-privsep-user=sshd
|
|
||||||
$(use_with audit audit linux)
|
|
||||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
|
||||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
|
||||||
# unconditionally else we get unknown flag warnings.
|
|
||||||
$(use sctp && use_with sctp)
|
|
||||||
$(use_with ldns)
|
|
||||||
$(use_with libedit)
|
|
||||||
$(use_with pam)
|
|
||||||
$(use_with pie)
|
|
||||||
$(use_with selinux)
|
|
||||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
|
||||||
$(use_with ssl openssl)
|
|
||||||
$(use_with ssl ssl-engine)
|
|
||||||
$(use_with !elibc_Cygwin hardening) #659210
|
|
||||||
)
|
|
||||||
|
|
||||||
if use elibc_musl; then
|
|
||||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
|
||||||
# https://bugs.gentoo.org/753230
|
|
||||||
myconf+=( --disable-utmp --disable-wtmp )
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
|
|
||||||
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
|
|
||||||
tc-is-clang && myconf+=( --without-hardening )
|
|
||||||
|
|
||||||
econf "${myconf[@]}"
|
|
||||||
}
|
|
||||||
|
|
||||||
src_test() {
|
|
||||||
local tests=( compat-tests )
|
|
||||||
local shell=$(egetshell "${UID}")
|
|
||||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
|
||||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
|
||||||
ewarn "user, so we will run a subset only."
|
|
||||||
tests+=( interop-tests )
|
|
||||||
else
|
|
||||||
tests+=( tests )
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
|
||||||
mkdir -p "${HOME}"/.ssh || die
|
|
||||||
emake -j1 "${tests[@]}" </dev/null
|
|
||||||
}
|
|
||||||
|
|
||||||
# Gentoo tweaks to default config files.
|
|
||||||
tweak_ssh_configs() {
|
|
||||||
local locale_vars=(
|
|
||||||
# These are language variables that POSIX defines.
|
|
||||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
|
||||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
|
||||||
|
|
||||||
# These are the GNU extensions.
|
|
||||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
|
||||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
|
||||||
)
|
|
||||||
|
|
||||||
# First the server config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
|
||||||
|
|
||||||
# Allow client to pass locale environment variables. #367017
|
|
||||||
AcceptEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Allow client to pass COLORTERM to match TERM. #658540
|
|
||||||
AcceptEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Then the client config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
|
||||||
|
|
||||||
# Send locale environment variables. #367017
|
|
||||||
SendEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Send COLORTERM to match TERM. #658540
|
|
||||||
SendEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if use pam ; then
|
|
||||||
sed -i \
|
|
||||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
|
||||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
|
||||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
|
||||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use livecd ; then
|
|
||||||
sed -i \
|
|
||||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_install() {
|
|
||||||
emake install-nokeys DESTDIR="${D}"
|
|
||||||
fperms 600 /etc/ssh/sshd_config
|
|
||||||
dobin contrib/ssh-copy-id
|
|
||||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
|
||||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
|
||||||
|
|
||||||
if use pam; then
|
|
||||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
|
||||||
fi
|
|
||||||
|
|
||||||
tweak_ssh_configs
|
|
||||||
|
|
||||||
doman contrib/ssh-copy-id.1
|
|
||||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
|
||||||
use hpn && dodoc HPN-README
|
|
||||||
use X509 || dodoc ChangeLog
|
|
||||||
|
|
||||||
diropts -m 0700
|
|
||||||
dodir /etc/skel/.ssh
|
|
||||||
rmdir "${ED}"/var/empty || die
|
|
||||||
|
|
||||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
|
||||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_preinst() {
|
|
||||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
|
||||||
show_ssl_warning=1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_postinst() {
|
|
||||||
local old_ver
|
|
||||||
for old_ver in ${REPLACING_VERSIONS}; do
|
|
||||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
|
||||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
|
||||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
|
||||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
|
||||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
|
||||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
|
||||||
elog "be an alternative for you as it supports USE=tcpd."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
|
||||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
|
||||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
|
||||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
|
||||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
|
||||||
elog "You should however generate new keys using rsa or ed25519."
|
|
||||||
|
|
||||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
|
||||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
|
||||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
|
||||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
|
||||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
|
||||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
|
||||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
|
||||||
elog "if you need to authenticate against LDAP."
|
|
||||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
|
||||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
|
||||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
|
||||||
ewarn "connection is generally safe."
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ -n ${show_ssl_warning} ]]; then
|
|
||||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
|
||||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
|
||||||
elog "and update all clients/servers that utilize them."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
elog ""
|
|
||||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
|
||||||
elog "and therefore disabled at runtime per default."
|
|
||||||
elog "Make sure your sshd_config is up to date and contains"
|
|
||||||
elog ""
|
|
||||||
elog " DisableMTAES yes"
|
|
||||||
elog ""
|
|
||||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
|
||||||
elog ""
|
|
||||||
fi
|
|
||||||
}
|
|
|
@ -1,515 +0,0 @@
|
||||||
# Copyright 1999-2022 Gentoo Authors
|
|
||||||
# Distributed under the terms of the GNU General Public License v2
|
|
||||||
|
|
||||||
EAPI=7
|
|
||||||
|
|
||||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
|
|
||||||
# Make it more portable between straight releases
|
|
||||||
# and _p? releases.
|
|
||||||
PARCH=${P/_}
|
|
||||||
|
|
||||||
# PV to USE for HPN patches
|
|
||||||
#HPN_PV="${PV^^}"
|
|
||||||
HPN_PV="8.5_P1"
|
|
||||||
|
|
||||||
HPN_VER="15.2"
|
|
||||||
HPN_PATCHES=(
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
|
||||||
)
|
|
||||||
HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
|
|
||||||
|
|
||||||
SCTP_VER="1.2"
|
|
||||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
|
||||||
|
|
||||||
X509_VER="14.0.1"
|
|
||||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
|
||||||
X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
|
|
||||||
X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
|
|
||||||
|
|
||||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
|
||||||
HOMEPAGE="https://www.openssh.com/"
|
|
||||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
|
||||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
|
||||||
${HPN_VER:+hpn? (
|
|
||||||
$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
|
|
||||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
|
|
||||||
)}
|
|
||||||
${X509_PATCH:+X509? (
|
|
||||||
https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
|
|
||||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
|
|
||||||
${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
|
|
||||||
)}
|
|
||||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
|
||||||
"
|
|
||||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
|
||||||
S="${WORKDIR}/${PARCH}"
|
|
||||||
|
|
||||||
LICENSE="BSD GPL-2"
|
|
||||||
SLOT="0"
|
|
||||||
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
|
||||||
# Probably want to drop ssl defaulting to on in a future version.
|
|
||||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
|
||||||
|
|
||||||
RESTRICT="!test? ( test )"
|
|
||||||
|
|
||||||
REQUIRED_USE="
|
|
||||||
hpn? ( ssl )
|
|
||||||
ldns? ( ssl )
|
|
||||||
pie? ( !static )
|
|
||||||
static? ( !kerberos !pam )
|
|
||||||
X509? ( !sctp ssl !xmss )
|
|
||||||
xmss? ( ssl )
|
|
||||||
test? ( ssl )
|
|
||||||
"
|
|
||||||
|
|
||||||
# tests currently fail with XMSS
|
|
||||||
REQUIRED_USE+="test? ( !xmss )"
|
|
||||||
|
|
||||||
# Blocker on older gcc-config for bug #872416
|
|
||||||
LIB_DEPEND="
|
|
||||||
!<sys-devel/gcc-config-2.6
|
|
||||||
audit? ( sys-process/audit[static-libs(+)] )
|
|
||||||
ldns? (
|
|
||||||
net-libs/ldns[static-libs(+)]
|
|
||||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
|
||||||
)
|
|
||||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
|
||||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
|
||||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
|
||||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
|
||||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
|
||||||
virtual/libcrypt:=[static-libs(+)]
|
|
||||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
|
||||||
"
|
|
||||||
RDEPEND="
|
|
||||||
acct-group/sshd
|
|
||||||
acct-user/sshd
|
|
||||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
|
||||||
pam? ( sys-libs/pam )
|
|
||||||
kerberos? ( virtual/krb5 )
|
|
||||||
"
|
|
||||||
DEPEND="${RDEPEND}
|
|
||||||
virtual/os-headers
|
|
||||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
|
||||||
static? ( ${LIB_DEPEND} )
|
|
||||||
"
|
|
||||||
RDEPEND="${RDEPEND}
|
|
||||||
pam? ( >=sys-auth/pambase-20081028 )
|
|
||||||
!prefix? ( sys-apps/shadow )
|
|
||||||
X? ( x11-apps/xauth )
|
|
||||||
"
|
|
||||||
# Weird dep construct for newer gcc-config for bug #872416
|
|
||||||
BDEPEND="
|
|
||||||
sys-devel/autoconf
|
|
||||||
virtual/pkgconfig
|
|
||||||
|| (
|
|
||||||
>=sys-devel/gcc-config-2.6
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-14-r1:14
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-15-r1:15
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-16-r1:*
|
|
||||||
)
|
|
||||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
|
||||||
"
|
|
||||||
|
|
||||||
PATCHES=(
|
|
||||||
"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
|
|
||||||
"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
|
|
||||||
"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
|
|
||||||
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
|
|
||||||
"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
|
|
||||||
"${FILESDIR}/${P}-getentropy.patch"
|
|
||||||
)
|
|
||||||
|
|
||||||
pkg_pretend() {
|
|
||||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
|
||||||
# than not be able to log in to their server any more
|
|
||||||
local missing=()
|
|
||||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
|
||||||
check_feature hpn HPN_VER
|
|
||||||
check_feature sctp SCTP_PATCH
|
|
||||||
check_feature X509 X509_PATCH
|
|
||||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
|
||||||
eerror "Sorry, but this version does not yet support features"
|
|
||||||
eerror "that you requested: ${missing[*]}"
|
|
||||||
eerror "Please mask ${PF} for now and check back later:"
|
|
||||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
|
||||||
die "Missing requested third party patch."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
|
||||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
|
||||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
|
||||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_unpack() {
|
|
||||||
default
|
|
||||||
|
|
||||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
|
||||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
|
||||||
}
|
|
||||||
|
|
||||||
src_prepare() {
|
|
||||||
sed -i \
|
|
||||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
|
||||||
pathnames.h || die
|
|
||||||
|
|
||||||
# don't break .ssh/authorized_keys2 for fun
|
|
||||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
|
||||||
|
|
||||||
eapply "${PATCHES[@]}"
|
|
||||||
|
|
||||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
|
||||||
|
|
||||||
local PATCHSET_VERSION_MACROS=()
|
|
||||||
|
|
||||||
if use X509 ; then
|
|
||||||
pushd "${WORKDIR}" &>/dev/null || die
|
|
||||||
eapply "${WORKDIR}/${X509_GLUE_PATCH}"
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
|
||||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
|
||||||
|
|
||||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
|
||||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
|
||||||
# error
|
|
||||||
einfo "Patching package version for X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
|
||||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use sctp ; then
|
|
||||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose SCTP patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
|
||||||
|
|
||||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/\t\tcfgparse \\\/d" \
|
|
||||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn ; then
|
|
||||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
|
||||||
mkdir "${hpn_patchdir}" || die
|
|
||||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
|
||||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
|
||||||
eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
|
|
||||||
use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
|
|
||||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${hpn_patchdir}"
|
|
||||||
|
|
||||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
|
||||||
|
|
||||||
einfo "Patching Makefile.in for HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
|
||||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
|
||||||
|
|
||||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
|
||||||
|
|
||||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
|
||||||
|
|
||||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
|
||||||
# and therefore disabled per default.
|
|
||||||
DisableMTAES yes
|
|
||||||
EOF
|
|
||||||
sed -i \
|
|
||||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
|
||||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
|
||||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use X509 || use sctp || use hpn ; then
|
|
||||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
|
||||||
|
|
||||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
|
||||||
|
|
||||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
|
||||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/#UseLogin no/d" \
|
|
||||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
|
||||||
|
|
||||||
eapply_user #473004
|
|
||||||
|
|
||||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
|
||||||
sed -e '/\t\tpercent \\/ d' \
|
|
||||||
-i regress/Makefile || die
|
|
||||||
|
|
||||||
tc-export PKG_CONFIG
|
|
||||||
local sed_args=(
|
|
||||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
|
||||||
# Disable PATH reset, trust what portage gives us #254615
|
|
||||||
-e 's:^PATH=/:#PATH=/:'
|
|
||||||
# Disable fortify flags ... our gcc does this for us
|
|
||||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
|
||||||
)
|
|
||||||
|
|
||||||
# The -ftrapv flag ICEs on hppa #505182
|
|
||||||
use hppa && sed_args+=(
|
|
||||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
|
||||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
|
||||||
)
|
|
||||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
|
||||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
|
||||||
-e 's/-D_XOPEN_SOURCE//'
|
|
||||||
)
|
|
||||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
|
||||||
|
|
||||||
eautoreconf
|
|
||||||
}
|
|
||||||
|
|
||||||
src_configure() {
|
|
||||||
addwrite /dev/ptmx
|
|
||||||
|
|
||||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
|
||||||
use static && append-ldflags -static
|
|
||||||
use xmss && append-cflags -DWITH_XMSS
|
|
||||||
|
|
||||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
|
||||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
|
||||||
# doesn't check for this, so force the replacement to be put in
|
|
||||||
# place
|
|
||||||
append-cppflags -DBROKEN_GLOB
|
|
||||||
fi
|
|
||||||
|
|
||||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
|
||||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
|
||||||
|
|
||||||
local myconf=(
|
|
||||||
--with-ldflags="${LDFLAGS}"
|
|
||||||
--disable-strip
|
|
||||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
|
||||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
|
||||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
|
||||||
--datadir="${EPREFIX}"/usr/share/openssh
|
|
||||||
--with-privsep-path="${EPREFIX}"/var/empty
|
|
||||||
--with-privsep-user=sshd
|
|
||||||
$(use_with audit audit linux)
|
|
||||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
|
||||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
|
||||||
# unconditionally else we get unknown flag warnings.
|
|
||||||
$(use sctp && use_with sctp)
|
|
||||||
$(use_with ldns)
|
|
||||||
$(use_with libedit)
|
|
||||||
$(use_with pam)
|
|
||||||
$(use_with pie)
|
|
||||||
$(use_with selinux)
|
|
||||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
|
||||||
$(use_with ssl openssl)
|
|
||||||
$(use_with ssl ssl-engine)
|
|
||||||
$(use_with !elibc_Cygwin hardening) #659210
|
|
||||||
)
|
|
||||||
|
|
||||||
if use elibc_musl; then
|
|
||||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
|
||||||
# https://bugs.gentoo.org/753230
|
|
||||||
myconf+=( --disable-utmp --disable-wtmp )
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
|
|
||||||
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
|
|
||||||
tc-is-clang && myconf+=( --without-hardening )
|
|
||||||
|
|
||||||
econf "${myconf[@]}"
|
|
||||||
}
|
|
||||||
|
|
||||||
src_test() {
|
|
||||||
local tests=( compat-tests )
|
|
||||||
local shell=$(egetshell "${UID}")
|
|
||||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
|
||||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
|
||||||
ewarn "user, so we will run a subset only."
|
|
||||||
tests+=( interop-tests )
|
|
||||||
else
|
|
||||||
tests+=( tests )
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
|
||||||
mkdir -p "${HOME}"/.ssh || die
|
|
||||||
emake -j1 "${tests[@]}" </dev/null
|
|
||||||
}
|
|
||||||
|
|
||||||
# Gentoo tweaks to default config files.
|
|
||||||
tweak_ssh_configs() {
|
|
||||||
local locale_vars=(
|
|
||||||
# These are language variables that POSIX defines.
|
|
||||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
|
||||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
|
||||||
|
|
||||||
# These are the GNU extensions.
|
|
||||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
|
||||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
|
||||||
)
|
|
||||||
|
|
||||||
# First the server config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
|
||||||
|
|
||||||
# Allow client to pass locale environment variables. #367017
|
|
||||||
AcceptEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Allow client to pass COLORTERM to match TERM. #658540
|
|
||||||
AcceptEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Then the client config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
|
||||||
|
|
||||||
# Send locale environment variables. #367017
|
|
||||||
SendEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Send COLORTERM to match TERM. #658540
|
|
||||||
SendEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if use pam ; then
|
|
||||||
sed -i \
|
|
||||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
|
||||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
|
||||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
|
||||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use livecd ; then
|
|
||||||
sed -i \
|
|
||||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_install() {
|
|
||||||
emake install-nokeys DESTDIR="${D}"
|
|
||||||
fperms 600 /etc/ssh/sshd_config
|
|
||||||
dobin contrib/ssh-copy-id
|
|
||||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
|
||||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
|
||||||
|
|
||||||
if use pam; then
|
|
||||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
|
||||||
fi
|
|
||||||
|
|
||||||
tweak_ssh_configs
|
|
||||||
|
|
||||||
doman contrib/ssh-copy-id.1
|
|
||||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
|
||||||
use hpn && dodoc HPN-README
|
|
||||||
use X509 || dodoc ChangeLog
|
|
||||||
|
|
||||||
diropts -m 0700
|
|
||||||
dodir /etc/skel/.ssh
|
|
||||||
rmdir "${ED}"/var/empty || die
|
|
||||||
|
|
||||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
|
||||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_preinst() {
|
|
||||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
|
||||||
show_ssl_warning=1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_postinst() {
|
|
||||||
local old_ver
|
|
||||||
for old_ver in ${REPLACING_VERSIONS}; do
|
|
||||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
|
||||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
|
||||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
|
||||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
|
||||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
|
||||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
|
||||||
elog "be an alternative for you as it supports USE=tcpd."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
|
||||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
|
||||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
|
||||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
|
||||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
|
||||||
elog "You should however generate new keys using rsa or ed25519."
|
|
||||||
|
|
||||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
|
||||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
|
||||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
|
||||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
|
||||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
|
||||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
|
||||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
|
||||||
elog "if you need to authenticate against LDAP."
|
|
||||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
|
||||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
|
||||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
|
||||||
ewarn "connection is generally safe."
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ -n ${show_ssl_warning} ]]; then
|
|
||||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
|
||||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
|
||||||
elog "and update all clients/servers that utilize them."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
elog ""
|
|
||||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
|
||||||
elog "and therefore disabled at runtime per default."
|
|
||||||
elog "Make sure your sshd_config is up to date and contains"
|
|
||||||
elog ""
|
|
||||||
elog " DisableMTAES yes"
|
|
||||||
elog ""
|
|
||||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
|
||||||
elog ""
|
|
||||||
fi
|
|
||||||
}
|
|
|
@ -1,514 +0,0 @@
|
||||||
# Copyright 1999-2022 Gentoo Authors
|
|
||||||
# Distributed under the terms of the GNU General Public License v2
|
|
||||||
|
|
||||||
EAPI=7
|
|
||||||
|
|
||||||
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
|
|
||||||
|
|
||||||
# Make it more portable between straight releases
|
|
||||||
# and _p? releases.
|
|
||||||
PARCH=${P/_}
|
|
||||||
|
|
||||||
# PV to USE for HPN patches
|
|
||||||
#HPN_PV="${PV^^}"
|
|
||||||
HPN_PV="8.5_P1"
|
|
||||||
|
|
||||||
HPN_VER="15.2"
|
|
||||||
HPN_PATCHES=(
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
|
|
||||||
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
|
|
||||||
)
|
|
||||||
HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
|
|
||||||
|
|
||||||
SCTP_VER="1.2"
|
|
||||||
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
|
|
||||||
|
|
||||||
X509_VER="13.5"
|
|
||||||
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
|
|
||||||
X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
|
|
||||||
X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-glue.patch"
|
|
||||||
|
|
||||||
DESCRIPTION="Port of OpenBSD's free SSH release"
|
|
||||||
HOMEPAGE="https://www.openssh.com/"
|
|
||||||
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
|
||||||
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
|
|
||||||
${HPN_VER:+hpn? (
|
|
||||||
$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
|
|
||||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
|
|
||||||
)}
|
|
||||||
${X509_PATCH:+X509? (
|
|
||||||
https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
|
|
||||||
https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
|
|
||||||
${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
|
|
||||||
)}
|
|
||||||
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
|
||||||
"
|
|
||||||
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
|
|
||||||
S="${WORKDIR}/${PARCH}"
|
|
||||||
|
|
||||||
LICENSE="BSD GPL-2"
|
|
||||||
SLOT="0"
|
|
||||||
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
|
|
||||||
# Probably want to drop ssl defaulting to on in a future version.
|
|
||||||
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
|
|
||||||
|
|
||||||
RESTRICT="!test? ( test )"
|
|
||||||
|
|
||||||
REQUIRED_USE="
|
|
||||||
hpn? ( ssl )
|
|
||||||
ldns? ( ssl )
|
|
||||||
pie? ( !static )
|
|
||||||
static? ( !kerberos !pam )
|
|
||||||
X509? ( !sctp ssl !xmss )
|
|
||||||
xmss? ( ssl )
|
|
||||||
test? ( ssl )
|
|
||||||
"
|
|
||||||
|
|
||||||
# tests currently fail with XMSS
|
|
||||||
REQUIRED_USE+="test? ( !xmss )"
|
|
||||||
|
|
||||||
# Blocker on older gcc-config for bug #872416
|
|
||||||
LIB_DEPEND="
|
|
||||||
!<sys-devel/gcc-config-2.6
|
|
||||||
audit? ( sys-process/audit[static-libs(+)] )
|
|
||||||
ldns? (
|
|
||||||
net-libs/ldns[static-libs(+)]
|
|
||||||
net-libs/ldns[ecdsa(+),ssl(+)]
|
|
||||||
)
|
|
||||||
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
|
||||||
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
|
|
||||||
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
|
||||||
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
|
||||||
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
|
||||||
virtual/libcrypt:=[static-libs(+)]
|
|
||||||
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
|
||||||
"
|
|
||||||
RDEPEND="
|
|
||||||
acct-group/sshd
|
|
||||||
acct-user/sshd
|
|
||||||
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
|
||||||
pam? ( sys-libs/pam )
|
|
||||||
kerberos? ( virtual/krb5 )
|
|
||||||
"
|
|
||||||
DEPEND="${RDEPEND}
|
|
||||||
virtual/os-headers
|
|
||||||
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
|
||||||
static? ( ${LIB_DEPEND} )
|
|
||||||
"
|
|
||||||
RDEPEND="${RDEPEND}
|
|
||||||
pam? ( >=sys-auth/pambase-20081028 )
|
|
||||||
!prefix? ( sys-apps/shadow )
|
|
||||||
X? ( x11-apps/xauth )
|
|
||||||
"
|
|
||||||
# Weird dep construct for newer gcc-config for bug #872416
|
|
||||||
BDEPEND="
|
|
||||||
sys-devel/autoconf
|
|
||||||
virtual/pkgconfig
|
|
||||||
|| (
|
|
||||||
>=sys-devel/gcc-config-2.6
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-14-r1:14
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-15-r1:15
|
|
||||||
>=sys-devel/clang-toolchain-symlinks-16-r1:*
|
|
||||||
)
|
|
||||||
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
|
||||||
"
|
|
||||||
|
|
||||||
PATCHES=(
|
|
||||||
"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
|
|
||||||
"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
|
|
||||||
"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
|
|
||||||
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
|
|
||||||
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
|
|
||||||
"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
|
|
||||||
)
|
|
||||||
|
|
||||||
pkg_pretend() {
|
|
||||||
# this sucks, but i'd rather have people unable to `emerge -u openssh`
|
|
||||||
# than not be able to log in to their server any more
|
|
||||||
local missing=()
|
|
||||||
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
|
|
||||||
check_feature hpn HPN_VER
|
|
||||||
check_feature sctp SCTP_PATCH
|
|
||||||
check_feature X509 X509_PATCH
|
|
||||||
if [[ ${#missing[@]} -ne 0 ]] ; then
|
|
||||||
eerror "Sorry, but this version does not yet support features"
|
|
||||||
eerror "that you requested: ${missing[*]}"
|
|
||||||
eerror "Please mask ${PF} for now and check back later:"
|
|
||||||
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
|
|
||||||
die "Missing requested third party patch."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
|
||||||
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
|
||||||
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
|
||||||
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_unpack() {
|
|
||||||
default
|
|
||||||
|
|
||||||
# We don't have signatures for HPN, X509, so we have to write this ourselves
|
|
||||||
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
|
|
||||||
}
|
|
||||||
|
|
||||||
src_prepare() {
|
|
||||||
sed -i \
|
|
||||||
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
|
|
||||||
pathnames.h || die
|
|
||||||
|
|
||||||
# don't break .ssh/authorized_keys2 for fun
|
|
||||||
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
|
||||||
|
|
||||||
eapply "${PATCHES[@]}"
|
|
||||||
|
|
||||||
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
|
|
||||||
|
|
||||||
local PATCHSET_VERSION_MACROS=()
|
|
||||||
|
|
||||||
if use X509 ; then
|
|
||||||
pushd "${WORKDIR}" &>/dev/null || die
|
|
||||||
eapply "${WORKDIR}/${X509_GLUE_PATCH}"
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${WORKDIR}"/${X509_PATCH%.*}
|
|
||||||
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
|
|
||||||
|
|
||||||
# We need to patch package version or any X.509 sshd will reject our ssh client
|
|
||||||
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
|
|
||||||
# error
|
|
||||||
einfo "Patching package version for X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
|
|
||||||
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose X.509 patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use sctp ; then
|
|
||||||
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose SCTP patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
|
|
||||||
|
|
||||||
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/\t\tcfgparse \\\/d" \
|
|
||||||
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn ; then
|
|
||||||
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
|
|
||||||
mkdir "${hpn_patchdir}" || die
|
|
||||||
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
|
|
||||||
pushd "${hpn_patchdir}" &>/dev/null || die
|
|
||||||
eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
|
|
||||||
use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
|
|
||||||
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
|
|
||||||
popd &>/dev/null || die
|
|
||||||
|
|
||||||
eapply "${hpn_patchdir}"
|
|
||||||
|
|
||||||
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
|
|
||||||
|
|
||||||
einfo "Patching Makefile.in for HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^LIBS=/ s/\$/ -lpthread/" \
|
|
||||||
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
|
|
||||||
|
|
||||||
einfo "Patching version.h to expose HPN patch set ..."
|
|
||||||
sed -i \
|
|
||||||
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
|
|
||||||
"${S}"/version.h || die "Failed to sed-in HPN patch version"
|
|
||||||
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
|
|
||||||
|
|
||||||
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
einfo "Disabling known non-working MT AES cipher per default ..."
|
|
||||||
|
|
||||||
cat > "${T}"/disable_mtaes.conf <<- EOF
|
|
||||||
|
|
||||||
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
|
|
||||||
# and therefore disabled per default.
|
|
||||||
DisableMTAES yes
|
|
||||||
EOF
|
|
||||||
sed -i \
|
|
||||||
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
|
|
||||||
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
|
|
||||||
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use X509 || use sctp || use hpn ; then
|
|
||||||
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
|
|
||||||
|
|
||||||
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
|
|
||||||
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
|
|
||||||
|
|
||||||
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
|
|
||||||
sed -i \
|
|
||||||
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
|
|
||||||
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
sed -i \
|
|
||||||
-e "/#UseLogin no/d" \
|
|
||||||
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
|
|
||||||
|
|
||||||
eapply_user #473004
|
|
||||||
|
|
||||||
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
|
||||||
sed -e '/\t\tpercent \\/ d' \
|
|
||||||
-i regress/Makefile || die
|
|
||||||
|
|
||||||
tc-export PKG_CONFIG
|
|
||||||
local sed_args=(
|
|
||||||
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
|
||||||
# Disable PATH reset, trust what portage gives us #254615
|
|
||||||
-e 's:^PATH=/:#PATH=/:'
|
|
||||||
# Disable fortify flags ... our gcc does this for us
|
|
||||||
-e 's:-D_FORTIFY_SOURCE=2::'
|
|
||||||
)
|
|
||||||
|
|
||||||
# The -ftrapv flag ICEs on hppa #505182
|
|
||||||
use hppa && sed_args+=(
|
|
||||||
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
|
|
||||||
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
|
|
||||||
)
|
|
||||||
# _XOPEN_SOURCE causes header conflicts on Solaris
|
|
||||||
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
|
||||||
-e 's/-D_XOPEN_SOURCE//'
|
|
||||||
)
|
|
||||||
sed -i "${sed_args[@]}" configure{.ac,} || die
|
|
||||||
|
|
||||||
eautoreconf
|
|
||||||
}
|
|
||||||
|
|
||||||
src_configure() {
|
|
||||||
addwrite /dev/ptmx
|
|
||||||
|
|
||||||
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
|
||||||
use static && append-ldflags -static
|
|
||||||
use xmss && append-cflags -DWITH_XMSS
|
|
||||||
|
|
||||||
if [[ ${CHOST} == *-solaris* ]] ; then
|
|
||||||
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
|
||||||
# doesn't check for this, so force the replacement to be put in
|
|
||||||
# place
|
|
||||||
append-cppflags -DBROKEN_GLOB
|
|
||||||
fi
|
|
||||||
|
|
||||||
# use replacement, RPF_ECHO_ON doesn't exist here
|
|
||||||
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
|
||||||
|
|
||||||
local myconf=(
|
|
||||||
--with-ldflags="${LDFLAGS}"
|
|
||||||
--disable-strip
|
|
||||||
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
|
||||||
--sysconfdir="${EPREFIX}"/etc/ssh
|
|
||||||
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
|
||||||
--datadir="${EPREFIX}"/usr/share/openssh
|
|
||||||
--with-privsep-path="${EPREFIX}"/var/empty
|
|
||||||
--with-privsep-user=sshd
|
|
||||||
$(use_with audit audit linux)
|
|
||||||
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
|
||||||
# We apply the sctp patch conditionally, so can't pass --without-sctp
|
|
||||||
# unconditionally else we get unknown flag warnings.
|
|
||||||
$(use sctp && use_with sctp)
|
|
||||||
$(use_with ldns)
|
|
||||||
$(use_with libedit)
|
|
||||||
$(use_with pam)
|
|
||||||
$(use_with pie)
|
|
||||||
$(use_with selinux)
|
|
||||||
$(usex X509 '' "$(use_with security-key security-key-builtin)")
|
|
||||||
$(use_with ssl openssl)
|
|
||||||
$(use_with ssl ssl-engine)
|
|
||||||
$(use_with !elibc_Cygwin hardening) #659210
|
|
||||||
)
|
|
||||||
|
|
||||||
if use elibc_musl; then
|
|
||||||
# musl defines bogus values for UTMP_FILE and WTMP_FILE
|
|
||||||
# https://bugs.gentoo.org/753230
|
|
||||||
myconf+=( --disable-utmp --disable-wtmp )
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
|
|
||||||
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
|
|
||||||
tc-is-clang && myconf+=( --without-hardening )
|
|
||||||
|
|
||||||
econf "${myconf[@]}"
|
|
||||||
}
|
|
||||||
|
|
||||||
src_test() {
|
|
||||||
local tests=( compat-tests )
|
|
||||||
local shell=$(egetshell "${UID}")
|
|
||||||
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
|
||||||
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
|
||||||
ewarn "user, so we will run a subset only."
|
|
||||||
tests+=( interop-tests )
|
|
||||||
else
|
|
||||||
tests+=( tests )
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
|
||||||
mkdir -p "${HOME}"/.ssh || die
|
|
||||||
emake -j1 "${tests[@]}" </dev/null
|
|
||||||
}
|
|
||||||
|
|
||||||
# Gentoo tweaks to default config files.
|
|
||||||
tweak_ssh_configs() {
|
|
||||||
local locale_vars=(
|
|
||||||
# These are language variables that POSIX defines.
|
|
||||||
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
|
||||||
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
|
||||||
|
|
||||||
# These are the GNU extensions.
|
|
||||||
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
|
||||||
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
|
||||||
)
|
|
||||||
|
|
||||||
# First the server config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
|
|
||||||
|
|
||||||
# Allow client to pass locale environment variables. #367017
|
|
||||||
AcceptEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Allow client to pass COLORTERM to match TERM. #658540
|
|
||||||
AcceptEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Then the client config.
|
|
||||||
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
|
|
||||||
|
|
||||||
# Send locale environment variables. #367017
|
|
||||||
SendEnv ${locale_vars[*]}
|
|
||||||
|
|
||||||
# Send COLORTERM to match TERM. #658540
|
|
||||||
SendEnv COLORTERM
|
|
||||||
EOF
|
|
||||||
|
|
||||||
if use pam ; then
|
|
||||||
sed -i \
|
|
||||||
-e "/^#UsePAM /s:.*:UsePAM yes:" \
|
|
||||||
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
|
|
||||||
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
|
|
||||||
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use livecd ; then
|
|
||||||
sed -i \
|
|
||||||
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
|
|
||||||
"${ED}"/etc/ssh/sshd_config || die
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
src_install() {
|
|
||||||
emake install-nokeys DESTDIR="${D}"
|
|
||||||
fperms 600 /etc/ssh/sshd_config
|
|
||||||
dobin contrib/ssh-copy-id
|
|
||||||
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
|
||||||
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
|
||||||
|
|
||||||
if use pam; then
|
|
||||||
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
|
||||||
fi
|
|
||||||
|
|
||||||
tweak_ssh_configs
|
|
||||||
|
|
||||||
doman contrib/ssh-copy-id.1
|
|
||||||
dodoc CREDITS OVERVIEW README* TODO sshd_config
|
|
||||||
use hpn && dodoc HPN-README
|
|
||||||
use X509 || dodoc ChangeLog
|
|
||||||
|
|
||||||
diropts -m 0700
|
|
||||||
dodir /etc/skel/.ssh
|
|
||||||
rmdir "${ED}"/var/empty || die
|
|
||||||
|
|
||||||
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
|
|
||||||
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_preinst() {
|
|
||||||
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
|
||||||
show_ssl_warning=1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
pkg_postinst() {
|
|
||||||
local old_ver
|
|
||||||
for old_ver in ${REPLACING_VERSIONS}; do
|
|
||||||
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
|
||||||
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
|
||||||
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
|
||||||
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
|
||||||
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
|
||||||
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
|
||||||
elog "be an alternative for you as it supports USE=tcpd."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
|
||||||
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
|
||||||
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
|
||||||
elog "adding to your sshd_config or ~/.ssh/config files:"
|
|
||||||
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
|
||||||
elog "You should however generate new keys using rsa or ed25519."
|
|
||||||
|
|
||||||
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
|
||||||
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
|
||||||
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
|
||||||
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
|
||||||
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
|
||||||
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
|
||||||
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
|
||||||
elog "if you need to authenticate against LDAP."
|
|
||||||
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
|
||||||
fi
|
|
||||||
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
|
||||||
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
|
||||||
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
|
||||||
ewarn "connection is generally safe."
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ -n ${show_ssl_warning} ]]; then
|
|
||||||
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
|
||||||
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
|
||||||
elog "and update all clients/servers that utilize them."
|
|
||||||
fi
|
|
||||||
|
|
||||||
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
|
|
||||||
elog ""
|
|
||||||
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
|
|
||||||
elog "and therefore disabled at runtime per default."
|
|
||||||
elog "Make sure your sshd_config is up to date and contains"
|
|
||||||
elog ""
|
|
||||||
elog " DisableMTAES yes"
|
|
||||||
elog ""
|
|
||||||
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
|
|
||||||
elog ""
|
|
||||||
fi
|
|
||||||
}
|
|
436
net-misc/openssh/openssh-9.8_p1-r2.ebuild
Normal file
436
net-misc/openssh/openssh-9.8_p1-r2.ebuild
Normal file
|
@ -0,0 +1,436 @@
|
||||||
|
# Copyright 1999-2024 Gentoo Authors
|
||||||
|
# Distributed under the terms of the GNU General Public License v2
|
||||||
|
|
||||||
|
EAPI=8
|
||||||
|
|
||||||
|
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
|
||||||
|
inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig
|
||||||
|
|
||||||
|
# Make it more portable between straight releases
|
||||||
|
# and _p? releases.
|
||||||
|
PARCH=${P/_}
|
||||||
|
|
||||||
|
DESCRIPTION="Port of OpenBSD's free SSH release"
|
||||||
|
HOMEPAGE="https://www.openssh.com/"
|
||||||
|
SRC_URI="
|
||||||
|
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
|
||||||
|
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
|
||||||
|
"
|
||||||
|
S="${WORKDIR}/${PARCH}"
|
||||||
|
|
||||||
|
LICENSE="BSD GPL-2"
|
||||||
|
SLOT="0"
|
||||||
|
KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
|
||||||
|
# Probably want to drop ssl defaulting to on in a future version.
|
||||||
|
IUSE="abi_mips_n32 audit debug dss kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss"
|
||||||
|
|
||||||
|
RESTRICT="!test? ( test )"
|
||||||
|
|
||||||
|
REQUIRED_USE="
|
||||||
|
ldns? ( ssl )
|
||||||
|
pie? ( !static )
|
||||||
|
static? ( !kerberos !pam )
|
||||||
|
xmss? ( ssl )
|
||||||
|
test? ( ssl )
|
||||||
|
"
|
||||||
|
|
||||||
|
# tests currently fail with XMSS
|
||||||
|
REQUIRED_USE+="test? ( !xmss )"
|
||||||
|
|
||||||
|
LIB_DEPEND="
|
||||||
|
audit? ( sys-process/audit[static-libs(+)] )
|
||||||
|
ldns? (
|
||||||
|
net-libs/ldns[static-libs(+)]
|
||||||
|
net-libs/ldns[ecdsa(+),ssl(+)]
|
||||||
|
)
|
||||||
|
libedit? ( dev-libs/libedit:=[static-libs(+)] )
|
||||||
|
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
|
||||||
|
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
|
||||||
|
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
|
||||||
|
virtual/libcrypt:=[static-libs(+)]
|
||||||
|
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
|
||||||
|
"
|
||||||
|
RDEPEND="
|
||||||
|
acct-group/sshd
|
||||||
|
acct-user/sshd
|
||||||
|
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
|
||||||
|
pam? ( sys-libs/pam )
|
||||||
|
kerberos? ( virtual/krb5 )
|
||||||
|
"
|
||||||
|
DEPEND="
|
||||||
|
${RDEPEND}
|
||||||
|
virtual/os-headers
|
||||||
|
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
|
||||||
|
static? ( ${LIB_DEPEND} )
|
||||||
|
"
|
||||||
|
RDEPEND="
|
||||||
|
${RDEPEND}
|
||||||
|
!net-misc/openssh-contrib
|
||||||
|
pam? ( >=sys-auth/pambase-20081028 )
|
||||||
|
!prefix? ( sys-apps/shadow )
|
||||||
|
"
|
||||||
|
BDEPEND="
|
||||||
|
dev-build/autoconf
|
||||||
|
virtual/pkgconfig
|
||||||
|
verify-sig? ( sec-keys/openpgp-keys-openssh )
|
||||||
|
"
|
||||||
|
|
||||||
|
PATCHES=(
|
||||||
|
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
|
||||||
|
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
|
||||||
|
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
|
||||||
|
"${FILESDIR}/${PN}-9.8_p1-musl-connect.patch"
|
||||||
|
)
|
||||||
|
|
||||||
|
pkg_pretend() {
|
||||||
|
local i enabled_eol_flags disabled_eol_flags
|
||||||
|
for i in hpn sctp X509; do
|
||||||
|
if has_version "net-misc/openssh[${i}]"; then
|
||||||
|
enabled_eol_flags+="${i},"
|
||||||
|
disabled_eol_flags+="-${i},"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
|
||||||
|
# Skip for binary packages entirely because of environment saving, bug #907892
|
||||||
|
[[ ${MERGE_TYPE} == binary ]] && return
|
||||||
|
|
||||||
|
ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
|
||||||
|
ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
|
||||||
|
ewarn "since these USE flags required third-party patches that often trigger bugs"
|
||||||
|
ewarn "and are of questionable provenance."
|
||||||
|
ewarn
|
||||||
|
ewarn "If you must continue relying on this functionality, switch to"
|
||||||
|
ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
|
||||||
|
ewarn "world file first: 'emerge --deselect net-misc/openssh'"
|
||||||
|
ewarn
|
||||||
|
ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
|
||||||
|
ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
|
||||||
|
ewarn "variant, when re-emerging you will have to set"
|
||||||
|
ewarn
|
||||||
|
ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
|
||||||
|
|
||||||
|
die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make sure people who are using tcp wrappers are notified of its removal. #531156
|
||||||
|
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
|
||||||
|
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
|
||||||
|
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
src_prepare() {
|
||||||
|
# don't break .ssh/authorized_keys2 for fun
|
||||||
|
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
|
||||||
|
|
||||||
|
[[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
|
||||||
|
|
||||||
|
default
|
||||||
|
|
||||||
|
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
|
||||||
|
sed -e '/\t\tpercent \\/ d' \
|
||||||
|
-i regress/Makefile || die
|
||||||
|
|
||||||
|
tc-export PKG_CONFIG
|
||||||
|
local sed_args=(
|
||||||
|
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
|
||||||
|
# Disable fortify flags ... our gcc does this for us
|
||||||
|
-e 's:-D_FORTIFY_SOURCE=2::'
|
||||||
|
)
|
||||||
|
|
||||||
|
# _XOPEN_SOURCE causes header conflicts on Solaris
|
||||||
|
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
|
||||||
|
-e 's/-D_XOPEN_SOURCE//'
|
||||||
|
)
|
||||||
|
sed -i "${sed_args[@]}" configure{.ac,} || die
|
||||||
|
|
||||||
|
eautoreconf
|
||||||
|
}
|
||||||
|
|
||||||
|
src_configure() {
|
||||||
|
addwrite /dev/ptmx
|
||||||
|
|
||||||
|
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
|
||||||
|
use static && append-ldflags -static
|
||||||
|
use xmss && append-cflags -DWITH_XMSS
|
||||||
|
|
||||||
|
if [[ ${CHOST} == *-solaris* ]] ; then
|
||||||
|
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
|
||||||
|
# doesn't check for this, so force the replacement to be put in
|
||||||
|
# place
|
||||||
|
append-cppflags -DBROKEN_GLOB
|
||||||
|
fi
|
||||||
|
|
||||||
|
# use replacement, RPF_ECHO_ON doesn't exist here
|
||||||
|
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
|
||||||
|
|
||||||
|
local myconf=(
|
||||||
|
--with-ldflags="${LDFLAGS}"
|
||||||
|
--disable-strip
|
||||||
|
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
|
||||||
|
--sysconfdir="${EPREFIX}"/etc/ssh
|
||||||
|
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
|
||||||
|
--datadir="${EPREFIX}"/usr/share/openssh
|
||||||
|
--with-privsep-path="${EPREFIX}"/var/empty
|
||||||
|
--with-privsep-user=sshd
|
||||||
|
# optional at runtime; guarantee a known path
|
||||||
|
--with-xauth="${EPREFIX}"/usr/bin/xauth
|
||||||
|
|
||||||
|
# --with-hardening adds the following in addition to flags we
|
||||||
|
# already set in our toolchain:
|
||||||
|
# * -ftrapv (which is broken with GCC anyway),
|
||||||
|
# * -ftrivial-auto-var-init=zero (which is nice, but not the end of
|
||||||
|
# the world to not have)
|
||||||
|
# * -fzero-call-used-regs=used (history of miscompilations with
|
||||||
|
# Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
|
||||||
|
# gcc PR104820, gcc PR104817, gcc PR110934)).
|
||||||
|
#
|
||||||
|
# Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK,
|
||||||
|
# so we cannot just disable -fzero-call-used-regs=used.
|
||||||
|
#
|
||||||
|
# Therefore, just pass --without-hardening, given it doesn't negate
|
||||||
|
# our already hardened toolchain defaults, and avoids adding flags
|
||||||
|
# which are known-broken in both Clang and GCC and haven't been
|
||||||
|
# proven reliable.
|
||||||
|
--without-hardening
|
||||||
|
|
||||||
|
$(use_with audit audit linux)
|
||||||
|
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
|
||||||
|
$(use_with ldns)
|
||||||
|
$(use_with libedit)
|
||||||
|
$(use_with pam)
|
||||||
|
$(use_with pie)
|
||||||
|
$(use_with selinux)
|
||||||
|
$(use_with security-key security-key-builtin)
|
||||||
|
$(use_with ssl openssl)
|
||||||
|
$(use_with ssl ssl-engine)
|
||||||
|
$(use_enable dss dsa-keys)
|
||||||
|
)
|
||||||
|
|
||||||
|
if use elibc_musl; then
|
||||||
|
# musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230)
|
||||||
|
myconf+=( --disable-utmp --disable-wtmp )
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
|
||||||
|
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
|
||||||
|
tc-is-clang && myconf+=( --without-hardening )
|
||||||
|
|
||||||
|
econf "${myconf[@]}"
|
||||||
|
}
|
||||||
|
|
||||||
|
create_config_dropins() {
|
||||||
|
local locale_vars=(
|
||||||
|
# These are language variables that POSIX defines.
|
||||||
|
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
|
||||||
|
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
|
||||||
|
|
||||||
|
# These are the GNU extensions.
|
||||||
|
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
|
||||||
|
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
|
||||||
|
)
|
||||||
|
|
||||||
|
mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die
|
||||||
|
|
||||||
|
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
|
||||||
|
# Send locale environment variables (bug #367017)
|
||||||
|
SendEnv ${locale_vars[*]}
|
||||||
|
|
||||||
|
# Send COLORTERM to match TERM (bug #658540)
|
||||||
|
SendEnv COLORTERM
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
|
||||||
|
RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die
|
||||||
|
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
|
||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
|
||||||
|
# Allow client to pass locale environment variables (bug #367017)
|
||||||
|
AcceptEnv ${locale_vars[*]}
|
||||||
|
|
||||||
|
# Allow client to pass COLORTERM to match TERM (bug #658540)
|
||||||
|
AcceptEnv COLORTERM
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
|
||||||
|
# override default of no subsystems
|
||||||
|
Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if use pam ; then
|
||||||
|
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
|
||||||
|
UsePAM yes
|
||||||
|
# This interferes with PAM.
|
||||||
|
PasswordAuthentication no
|
||||||
|
# PAM can do its own handling of MOTD.
|
||||||
|
PrintMotd no
|
||||||
|
PrintLastLog no
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
if use livecd ; then
|
||||||
|
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
|
||||||
|
# Allow root login with password on livecds.
|
||||||
|
PermitRootLogin Yes
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
src_compile() {
|
||||||
|
default
|
||||||
|
create_config_dropins
|
||||||
|
}
|
||||||
|
|
||||||
|
src_test() {
|
||||||
|
local tests=( compat-tests )
|
||||||
|
local shell=$(egetshell "${UID}")
|
||||||
|
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
|
||||||
|
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
|
||||||
|
ewarn "user, so we will run a subset only."
|
||||||
|
tests+=( interop-tests )
|
||||||
|
else
|
||||||
|
tests+=( tests )
|
||||||
|
fi
|
||||||
|
|
||||||
|
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
|
||||||
|
mkdir -p "${HOME}"/.ssh || die
|
||||||
|
emake -j1 "${tests[@]}" </dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
src_install() {
|
||||||
|
emake install-nokeys DESTDIR="${D}"
|
||||||
|
fperms 600 /etc/ssh/sshd_config
|
||||||
|
dobin contrib/ssh-copy-id
|
||||||
|
newinitd "${FILESDIR}"/sshd-r1.initd sshd
|
||||||
|
newconfd "${FILESDIR}"/sshd-r1.confd sshd
|
||||||
|
|
||||||
|
if use pam; then
|
||||||
|
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
|
||||||
|
fi
|
||||||
|
|
||||||
|
doman contrib/ssh-copy-id.1
|
||||||
|
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
|
||||||
|
|
||||||
|
rmdir "${ED}"/var/empty || die
|
||||||
|
|
||||||
|
systemd_dounit "${FILESDIR}"/sshd.socket
|
||||||
|
systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service
|
||||||
|
systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
|
||||||
|
|
||||||
|
# Install dropins with explicit mode, bug 906638, 915840
|
||||||
|
diropts -m0755
|
||||||
|
insopts -m0644
|
||||||
|
insinto /etc/ssh
|
||||||
|
doins -r "${WORKDIR}"/etc/ssh/ssh_config.d
|
||||||
|
doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts
|
||||||
|
diropts -m0700
|
||||||
|
insopts -m0600
|
||||||
|
doins -r "${WORKDIR}"/etc/ssh/sshd_config.d
|
||||||
|
}
|
||||||
|
|
||||||
|
pkg_preinst() {
|
||||||
|
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
|
||||||
|
show_ssl_warning=1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
pkg_postinst() {
|
||||||
|
# bug #139235
|
||||||
|
optfeature "x11 forwarding" x11-apps/xauth
|
||||||
|
|
||||||
|
local old_ver
|
||||||
|
for old_ver in ${REPLACING_VERSIONS}; do
|
||||||
|
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
||||||
|
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
||||||
|
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
||||||
|
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
||||||
|
fi
|
||||||
|
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
||||||
|
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
||||||
|
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
||||||
|
elog "be an alternative for you as it supports USE=tcpd."
|
||||||
|
fi
|
||||||
|
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
||||||
|
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
||||||
|
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
||||||
|
elog "adding to your sshd_config or ~/.ssh/config files:"
|
||||||
|
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
||||||
|
elog "You should however generate new keys using rsa or ed25519."
|
||||||
|
|
||||||
|
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
||||||
|
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
||||||
|
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
||||||
|
fi
|
||||||
|
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
||||||
|
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
||||||
|
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
||||||
|
fi
|
||||||
|
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
||||||
|
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
||||||
|
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
||||||
|
elog "if you need to authenticate against LDAP."
|
||||||
|
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
||||||
|
fi
|
||||||
|
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
||||||
|
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
||||||
|
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
||||||
|
ewarn "connection is generally safe."
|
||||||
|
fi
|
||||||
|
if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
|
||||||
|
ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
|
||||||
|
ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
|
||||||
|
ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
|
||||||
|
ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
|
||||||
|
ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
|
||||||
|
ewarn "set 'Restart=no' in your sshd unit file."
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ -n ${show_ssl_warning} ]]; then
|
||||||
|
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
||||||
|
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
|
||||||
|
elog "and update all clients/servers that utilize them."
|
||||||
|
fi
|
||||||
|
|
||||||
|
openssh_maybe_restart
|
||||||
|
}
|
||||||
|
|
||||||
|
openssh_maybe_restart() {
|
||||||
|
local ver
|
||||||
|
declare -a versions
|
||||||
|
read -ra versions <<<"${REPLACING_VERSIONS}"
|
||||||
|
for ver in "${versions[@]}"; do
|
||||||
|
# Exclude 9.8_p1 because it didn't have the safety check
|
||||||
|
[[ ${ver} == 9.8_p1 ]] && break
|
||||||
|
|
||||||
|
if [[ ${ver%_*} == "${PV%_*}" ]]; then
|
||||||
|
# No major version change has occurred
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ ${ROOT} ]]; then
|
||||||
|
return
|
||||||
|
elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then
|
||||||
|
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
|
||||||
|
ewarn "bricking the running instance. See bug #709748."
|
||||||
|
ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'"
|
||||||
|
systemctl try-restart sshd
|
||||||
|
eend $?
|
||||||
|
elif [[ -d /run/openrc ]]; then
|
||||||
|
# We don't check for sshd -t here because the OpenRC init script
|
||||||
|
# has a stop_pre() which does checkconfig, i.e. we defer to it
|
||||||
|
# to give nicer output for a failed sanity check.
|
||||||
|
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
|
||||||
|
ewarn "bricking the running instance. See bug #709748."
|
||||||
|
ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
|
||||||
|
rc-service -q --ifstarted --nodeps sshd restart
|
||||||
|
eend $?
|
||||||
|
fi
|
||||||
|
}
|
Loading…
Reference in a new issue