commit:     6eef306b2fd5638411819065d30a1710f6a4e966
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 13 17:17:32 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Feb 13 17:17:32 2016 +0000
URL:        https://gitweb.gentoo.org/proj/musl.git/commit/?id=6eef306b

net-misc/openssh: turn off hardening on x86

 net-misc/openssh/Manifest                          |  19 ++
 .../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch  | 127 ++++++++
 .../openssh-6.7_p1-openssl-ignore-status.patch     |  17 ++
 .../openssh-6.8_p1-ssl-engine-configure.patch      |  33 +++
 .../files/openssh-7.0_p1-sctp-x509-glue.patch      |  74 +++++
 .../files/openssh-7.1_p1-hpn-x509-glue.patch       |  11 +
 .../files/openssh-7.1_p2-x509-hpn14v10-glue.patch  |  51 ++++
 net-misc/openssh/files/sshd.confd                  |  21 ++
 net-misc/openssh/files/sshd.pam_include.2          |   4 +
 net-misc/openssh/files/sshd.rc6.4                  |  85 ++++++
 net-misc/openssh/files/sshd.service                |  11 +
 net-misc/openssh/files/sshd.socket                 |  10 +
 net-misc/openssh/files/sshd_at.service             |   8 +
 net-misc/openssh/metadata.xml                      |  40 +++
 net-misc/openssh/openssh-7.1_p2-r99.ebuild         | 327 +++++++++++++++++++++
 15 files changed, 838 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
new file mode 100644
index 0000000..4a0e718
--- /dev/null
+++ b/net-misc/openssh/Manifest
@@ -0,0 +1,19 @@
+AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 SHA256 
88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7 SHA512 
4d00a9ed79f66b92502c3e5ee580523f63d7b3643fe1bd330ff97994acce527d4d285d38199cef66eddc0ef68afabf7b268abc60cba871bac5d2e99045d4ac11
 WHIRLPOOL 
2f118fd2f016c529dbc31e8f2b6b418931e6770ab02c28b7feeaba93e84e7fcd1c742f4420a43a9fec0bdfaa4d4bc7cf14fb860c0a56c68a30e7b136fb60bcdb
+AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 
b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 
ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7
 WHIRLPOOL 
c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
+AUX openssh-6.8_p1-ssl-engine-configure.patch 936 SHA256 
cb3f34ef031aa5360b082468b4afb8b7fd2c778c990c2f20fda250167725ff88 SHA512 
4b7840f719ad58c1f196327a52534f0a21264ce47e8df4a335e9f58d9d5eae33dbb9a75a2a714c3bdae6bee04728e66020ed57eb521fc1164521c4c5aa4a9a93
 WHIRLPOOL 
662d6eedb091021d5da4cdbd6d623e3678e54fb75cb52d8afdc4ef9c31f98d95f8445c2fde834d622b0aabf8b9593244847da574201ed176c350747526a28fe5
+AUX openssh-7.0_p1-sctp-x509-glue.patch 2655 SHA256 
f01218be5cc344797d6a1db034e6916b0383ea7188d0341ec1e4a3281c5917a6 SHA512 
b53aaca05e671be9d8456e7d1aea3ed32afd333922f39c58aa3f9c2539a2d40bdf02ec23c438602e9a590702bcdf96901fb09dfaad93f4ab3fc735d7d189752d
 WHIRLPOOL 
1d6a1947accb77fbd5b578d9e57a51f6ffc9d0d30c806beabea9b2a672ce1af17a283422fb58c835edd8370a5dbe4500ef515ec59af8a3948af5fc15a58a6da0
+AUX openssh-7.1_p1-hpn-x509-glue.patch 535 SHA256 
28fabcb503632c57f4f4dfdbdd3e5f2eea97a1f1f216e19125d382820db484b5 SHA512 
7f81586e8f755a2451bee962da6a76285fa1609cf761e1ed335e14b07dc28dd0dd9741654a26039d1029e34a45950cdf869132a137461118d9fd1ca142675010
 WHIRLPOOL 
4e55dd712f7e24f03d7a72017e7238c7bbda53aa54e4068a37a7dadc0f73f4777f9a8c58fefe4d671755ab24c747108dc57af6a08918f70e3425abe7faadc96a
+AUX openssh-7.1_p2-x509-hpn14v10-glue.patch 1451 SHA256 
13eb0540a6cd951f2a1c59ea979201fd15ea22ed1c73d153b329f0c8eb9e306e SHA512 
e649981c553275baafb34b4d7d05c733cf9a3a829b68dbee206bfde969fb827c54244e67650626915d3403f9d6df9d633eec9a4eebe67face492fa2b16dcb392
 WHIRLPOOL 
701f4ded357ac8497e60c39d78ef64cb7052f90a0c66748e3fb85713605acd00843f607993b6dc9ccec3af12623cfc9365eeddc274b5eadaaaca9db56a2cfa90
+AUX sshd.confd 396 SHA256 
29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 
b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81
 WHIRLPOOL 
69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
+AUX sshd.pam_include.2 156 SHA256 
166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 
d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c
 WHIRLPOOL 
ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
+AUX sshd.rc6.4 2114 SHA256 
b577e0ac07558205e2229b32bf52ab52d050acda3748708d9a36dc4365a3a725 SHA512 
8bde7a1acf3a743982f0d1c951319adf9a401839a17c0bc55e5541940440187e08d46e0def650bcc758669841bcabb9d80afe81f37efee39bb451f131a58f0eb
 WHIRLPOOL 
fa4372c2673762bb5f2a9a67e0fea130b45ba7b76244c972fd14845b3689d9f841ffcd5ca21dcbaa58d547eea385936e65ef4a48279c95bc795c6b4cc90b2ddb
+AUX sshd.service 242 SHA256 
1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 
77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c
 WHIRLPOOL 
0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989
+AUX sshd.socket 136 SHA256 
c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 
4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42
 WHIRLPOOL 
102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
+AUX sshd_at.service 176 SHA256 
332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 
662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a
 WHIRLPOOL 
aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
+DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 
2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 
f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0
 WHIRLPOOL 
7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
+DIST openssh-7.1p2+x509-8.7.diff.gz 438584 SHA256 
23030dff924a78718686fad6442b1083293b0c2a057714291bd0af9ed8ef5868 SHA512 
d9aa43f5fc06b88b442285a9f9a15d01b52796c36f0cb228c756edca473a89eadb296c45503a14514fdb156d3bc9d90ff33271ccfa9461a9bb2b798a581cc007
 WHIRLPOOL 
ef3f4486fff0addad1a6bdcde3ba606d55d6e3ea5d2cd6e79bfe2494d660c38f0e9f1c157af72c3b6ad5e6eb3731168f975b26c94f8357154e54c08e5d876652
+DIST openssh-7.1p2-hpnssh14v10.tar.xz 22388 SHA256 
729e20a2627ca403da6cfff8ef251c03421022123a21c68003181b4e5409bcc5 SHA512 
b8e88ac5891ed632416db8da6377512614f19f5f7a7c093b55ecfe3e3f50979c61c0674e9381c316632d8daed90f8cce958c9b77bd00084a4ee1b0297cf321ba
 WHIRLPOOL 
c466cc33dc4a40e9466148beb154c539e095ac1b9cdcc5b3d235cbcf12ca10255d63da2f0e1da10d1afa1a0d2ebd436ca0d9e542c732df6ef67fb8f4d2d0192c
+DIST openssh-7.1p2.tar.gz 1475829 SHA256 
dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd SHA512 
d5be60f3645ec238b21e1f2dfd801b2136146674bbc086ebdb14be516c613819bc87c84b5089f3a45fe6e137a7458404f79f42572c69d91571e45ebed9d5e3af
 WHIRLPOOL 
9f48952b82db3983c20e84bcff5b6761f5b284174072c828698dced3a53ca8bbc2e1f89d2e82b62a68f4606b52c980fcf097250f86c1a67ad343d20e3ec9d1f4
+DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 
fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 
95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471
 WHIRLPOOL 
4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
+EBUILD openssh-7.1_p2-r99.ebuild 10393 SHA256 
0eaa7e1064de2d0f0bdc563779fce1dfcfb91c0d1b296e81b43c5c60a3a53f19 SHA512 
304f182148f27a7cca36e5ebab0b0db16f814b5c11b0458cd26ba51c1778f5a4f1b5b0650b4a353935cfb023172444b493428c2b0f2bee957e5301934e7b64ca
 WHIRLPOOL 
c071539112865fb4d5a965630bafbe3bbd8062aac0b8d76bf3c77bb0cbced3fbddbfdc40aaf76f0e9f7b408fb55408479c3b8d08c017b32210ba089c5d50621d
+MISC metadata.xml 2240 SHA256 
1a1ca86748452626c89e6089a0de75155a2919878d8238212f3d460345341ce5 SHA512 
1baaf891e3a6922d5b3d130b2330613b45089b921e66f8a03abad069e1b19b5a6b66d013d77a67ca91e53646bb200cf5a3ee4186e614b0393f2e5c41ebe75269
 WHIRLPOOL 
20652dff4c961f82dc9f3c26dc89ae84121afe185b1a96d24dcad029ae119eb145a15847befdd2a09214d3d1ac311f137258d2a12a57596ebee94cbf17765523

diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch 
b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000..c81ae5c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,127 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+Index: readconf.c
+===================================================================
+RCS file: /cvs/openssh/readconf.c,v
+retrieving revision 1.135
+diff -u -r1.135 readconf.c
+--- readconf.c 5 Aug 2006 02:39:40 -0000       1.135
++++ readconf.c 19 Aug 2006 11:59:52 -0000
+@@ -126,6 +126,7 @@
+       oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+       oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+       oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++      oGssTrustDns, 
+       oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+       oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+       oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -163,9 +164,11 @@
+ #if defined(GSSAPI)
+       { "gssapiauthentication", oGssAuthentication },
+       { "gssapidelegatecredentials", oGssDelegateCreds },
++      { "gssapitrustdns", oGssTrustDns },
+ #else
+       { "gssapiauthentication", oUnsupported },
+       { "gssapidelegatecredentials", oUnsupported },
++      { "gssapitrustdns", oUnsupported },
+ #endif
+       { "fallbacktorsh", oDeprecated },
+       { "usersh", oDeprecated },
+@@ -444,6 +447,10 @@
+               intptr = &options->gss_deleg_creds;
+               goto parse_flag;
+ 
++      case oGssTrustDns:
++              intptr = &options->gss_trust_dns;
++              goto parse_flag;
++
+       case oBatchMode:
+               intptr = &options->batch_mode;
+               goto parse_flag;
+@@ -1010,6 +1017,7 @@
+       options->challenge_response_authentication = -1;
+       options->gss_authentication = -1;
+       options->gss_deleg_creds = -1;
++      options->gss_trust_dns = -1;
+       options->password_authentication = -1;
+       options->kbd_interactive_authentication = -1;
+       options->kbd_interactive_devices = NULL;
+@@ -1100,6 +1108,8 @@
+               options->gss_authentication = 0;
+       if (options->gss_deleg_creds == -1)
+               options->gss_deleg_creds = 0;
++      if (options->gss_trust_dns == -1)
++              options->gss_trust_dns = 0;
+       if (options->password_authentication == -1)
+               options->password_authentication = 1;
+       if (options->kbd_interactive_authentication == -1)
+Index: readconf.h
+===================================================================
+RCS file: /cvs/openssh/readconf.h,v
+retrieving revision 1.63
+diff -u -r1.63 readconf.h
+--- readconf.h 5 Aug 2006 02:39:40 -0000       1.63
++++ readconf.h 19 Aug 2006 11:59:52 -0000
+@@ -45,6 +45,7 @@
+                                       /* Try S/Key or TIS, authentication. */
+       int     gss_authentication;     /* Try GSS authentication */
+       int     gss_deleg_creds;        /* Delegate GSS credentials */
++      int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
+       int     password_authentication;        /* Try password
+                                                * authentication. */
+       int     kbd_interactive_authentication; /* Try keyboard-interactive 
auth. */
+Index: ssh_config.5
+===================================================================
+RCS file: /cvs/openssh/ssh_config.5,v
+retrieving revision 1.97
+diff -u -r1.97 ssh_config.5
+--- ssh_config.5       5 Aug 2006 01:34:51 -0000       1.97
++++ ssh_config.5       19 Aug 2006 11:59:53 -0000
+@@ -483,7 +483,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
+-Note that this option applies to protocol version 2 only.
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to 
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If 
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+Index: sshconnect2.c
+===================================================================
+RCS file: /cvs/openssh/sshconnect2.c,v
+retrieving revision 1.151
+diff -u -r1.151 sshconnect2.c
+--- sshconnect2.c      18 Aug 2006 14:33:34 -0000      1.151
++++ sshconnect2.c      19 Aug 2006 11:59:53 -0000
+@@ -499,6 +499,12 @@
+       static u_int mech = 0;
+       OM_uint32 min;
+       int ok = 0;
++      const char *gss_host;
++
++      if (options.gss_trust_dns)
++              gss_host = get_canonical_hostname(1);
++      else
++              gss_host = authctxt->host;
+ 
+       /* Try one GSSAPI method at a time, rather than sending them all at
+        * once. */
+@@ -511,7 +517,7 @@
+               /* My DER encoding requires length<128 */
+               if (gss_supported->elements[mech].length < 128 &&
+                   ssh_gssapi_check_mechanism(&gssctxt, 
+-                  &gss_supported->elements[mech], authctxt->host)) {
++                  &gss_supported->elements[mech], gss_host)) {
+                       ok = 1; /* Mechanism works */
+               } else {
+                       mech++;
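Review bot: The ssh_config.5 text added for GSSAPITrustDns says DNS is "trusted to securely canonicalize" the host name but never tells the reader what enabling it commits them to: in the sshconnect2.c hunk, with the option on, the GSSAPI target host comes from get_canonical_hostname(1) (presumably a resolver lookup) instead of the name the user typed, so whoever answers that lookup decides which service principal the client authenticates to, and, when GSSAPIDelegateCredentials is also set, where the forwarded credentials end up. I would add after the second `.Dq no .` in that man-page block: `Enable this only where name resolution is itself authenticated (for example DNSSEC-validated), and note the interaction with .Cm GSSAPIDelegateCredentials .` The readconf.c/readconf.h changes initialise the flag to -1 and default it to 0 consistently with the neighbouring gss_* options, which is the right default; the function edited in sshconnect2.c continues outside this hunk.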

diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch 
b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 0000000..fa33af3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status.  that is,
+whether it is a beta or release.  when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+        * For versions >= 1.0.0, major,minor,status must match and library
+        * fix version must be equal to or newer than the header.
+        */
+-      mask = 0xfff0000fL; /* major,minor,status */
++      mask = 0xfff00000L; /* major,minor,status */
+       hfix = (headerver & 0x000ff000) >> 12;
+       lfix = (libver & 0x000ff000) >> 12;
+       if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
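Review bot: The trailing comment on the changed line is now wrong: `mask = 0xfff00000L; /* major,minor,status */` no longer covers the low status nibble, which is the entire point of the change, so the comment invites someone to "fix" the mask back. The added line should read `mask = 0xfff00000L; /* major,minor (status nibble ignored) */`; the block comment two lines above ("major,minor,status must match") is stale for the same reason and would need its own -/+ pair if this patch is meant to keep the comments honest. The rest of ssh_compatible_openssl() is outside the hunk.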

diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch 
b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
new file mode 100644
index 0000000..a355e2c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
@@ -0,0 +1,33 @@
+https://github.com/openssh/openssh-portable/pull/29
+
+From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <[email protected]>
+Date: Wed, 18 Mar 2015 12:37:24 -0400
+Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
+ set
+
+---
+ configure.ac | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b4d6598..7806d20 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2276,10 +2276,10 @@ openssl_engine=no
+ AC_ARG_WITH([ssl-engine],
+       [  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
+       [
+-              if test "x$openssl" = "xno" ; then
+-                      AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL 
disabled])
+-              fi
+               if test "x$withval" != "xno" ; then
++                      if test "x$openssl" = "xno" ; then
++                              AC_MSG_ERROR([cannot use --with-ssl-engine when 
OpenSSL disabled])
++                      fi
+                       openssl_engine=yes
+               fi
+       ]
+-- 
+2.3.2
+

diff --git a/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch 
b/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch
new file mode 100644
index 0000000..d793f90
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch
@@ -0,0 +1,74 @@
+--- openssh-6.8_p1-sctp.patch.1        2015-08-12 16:01:13.854769013 -0700
++++ openssh-6.8_p1-sctp.patch  2015-08-12 16:00:38.208488789 -0700
+@@ -195,14 +195,6 @@
+  .Op Fl c Ar cipher
+  .Op Fl F Ar ssh_config
+  .Op Fl i Ar identity_file
+-@@ -178,6 +178,7 @@ For full details of the options listed b
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UpdateHostKeys
+- .It UsePrivilegedPort
+- .It User
+ @@ -218,6 +219,8 @@ and
+  to print debugging messages about their progress.
+  This is helpful in
+@@ -477,19 +469,11 @@
+  .Sh SYNOPSIS
+  .Nm ssh
+  .Bk -words
+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
+  .Op Fl b Ar bind_address
+  .Op Fl c Ar cipher_spec
+  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -473,6 +473,7 @@ For full details of the options listed b
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UsePrivilegedPort
+ @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
+  controls.
+  .It Fl y
+@@ -501,7 +485,7 @@
+  By default this information is sent to stderr.
+ --- a/ssh.c
+ +++ b/ssh.c
+-@@ -194,12 +194,17 @@ extern int muxserver_sock;
++@@ -194,11 +194,16 @@ extern int muxserver_sock;
+  extern u_int muxclient_command;
+  
+  /* Prints a help message to the user.  This function never returns. */
+@@ -515,18 +499,17 @@
+  usage(void)
+  {
+       fprintf(stderr,
+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c 
cipher_spec]\n"
+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c 
cipher_spec]\n"
++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c 
cipher_spec]\n"
+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c 
cipher_spec]\n"
+  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+  "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
+- "           [-L [bind_address:]port:host:hostport] [-l login_name] [-m 
mac_spec]\n"
+ @@ -506,7 +512,7 @@ main(int ac, char **av)
+-      argv0 = av[0];
++ #  define ENGCONFIG ""
++ #endif
+  
+-  again:
+--     while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+-+     while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+-          "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++-     while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
+++     while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
++          "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+               switch (opt) {
+               case '1':
+ @@ -732,6 +738,11 @@ main(int ac, char **av)

diff --git a/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch 
b/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch
new file mode 100644
index 0000000..393ea99
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch
@@ -0,0 +1,11 @@
+--- openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch.orig   
2015-08-24 11:17:05.379280954 -0700
++++ openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch        
2015-08-24 11:19:30.788424050 -0700
+@@ -80,7 +80,7 @@
+ +                     else
+ +                             fatal("Pre-authentication none cipher requests 
are not allowed.");
+ +             }
+-              debug("kex: %s %s %s %s",
++              debug("kex: %s cipher: %s MAC: %s compression: %s",
+                   ctos ? "client->server" : "server->client",
+                   newkeys->enc.name,
+ diff --git a/myproposal.h b/myproposal.h

diff --git a/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch 
b/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch
new file mode 100644
index 0000000..5124569
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch
@@ -0,0 +1,51 @@
+--- openssh-7.1p2/Makefile.in
++++ openssh-7.1p2/Makefile.in
+@@ -45,7 +45,7 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ K5LIBS=@K5LIBS@
+ GSSLIBS=@GSSLIBS@
+@@ -53,6 +53,7 @@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- openssh-7.1p2/sshconnect.c
++++ openssh-7.1p2/sshconnect.c
+@@ -465,7 +465,7 @@
+ {
+       /* Send our own protocol version identification. */
+       if (compat20) {
+-              xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
++              xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+                   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+       } else {
+               xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+--- openssh-7.1p2/sshd.c
++++ openssh-7.1p2/sshd.c
+@@ -472,8 +472,8 @@
+               comment = "";
+       }
+ 
+-      xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+-          major, minor, SSH_VERSION, comment,
++      xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
++          major, minor, SSH_VERSION,
+           *options.version_addendum == '\0' ? "" : " ",
+           options.version_addendum, newline);
+ 
+--- openssh-7.1p2/version.h
++++ openssh-7.1p2/version.h
+@@ -3,4 +3,5 @@
+ #define SSH_VERSION   "OpenSSH_7.1"
+ 
+ #define SSH_PORTABLE  "p2"
++#define SSH_X509      " PKIX"
+ #define SSH_RELEASE   SSH_VERSION SSH_PORTABLE
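Review bot: In the sshd.c hunk the rewritten xasprintf() drops `comment` from both the format string and the argument list, while the `comment = "";` assignment kept as context just above it remains; if that was the variable's only consumer it is now set but never read, which -Wall reports as a warning and which leaves a dangling hint that the PKIX marker is still emitted there. Either remove the assignment (and the declaration, which is outside this hunk) in the same -/+ pair, or reference the `SSH_X509` macro this glue now adds in version.h from the place the marker is actually meant to appear. I cannot see the declaration of comment or how SSH_X509 is consumed from this hunk, so this is inferred from the visible lines only.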

diff --git a/net-misc/openssh/files/sshd.confd 
b/net-misc/openssh/files/sshd.confd
new file mode 100644
index 0000000..28952b4
--- /dev/null
+++ b/net-misc/openssh/files/sshd.confd
@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"

diff --git a/net-misc/openssh/files/sshd.pam_include.2 
b/net-misc/openssh/files/sshd.pam_include.2
new file mode 100644
index 0000000..b801aaa
--- /dev/null
+++ b/net-misc/openssh/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth       include     system-remote-login
+account    include     system-remote-login
+password   include     system-remote-login
+session           include      system-remote-login

diff --git a/net-misc/openssh/files/sshd.rc6.4 
b/net-misc/openssh/files/sshd.rc6.4
new file mode 100644
index 0000000..34e1970
--- /dev/null
+++ b/net-misc/openssh/files/sshd.rc6.4
@@ -0,0 +1,85 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=/usr/sbin/sshd}
+
+depend() {
+       use logger dns
+       if [ "${rc_need+set}" = "set" ] ; then
+               : # Do nothing, the user has explicitly set rc_need
+       else
+               local x warn_addr
+               for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 
2>/dev/null) ; do
+                       case "${x}" in
+                               0.0.0.0|0.0.0.0:*) ;;
+                               ::|\[::\]*) ;;
+                               *) warn_addr="${warn_addr} ${x}" ;;
+                       esac
+               done
+               if [ -n "${warn_addr}" ] ; then
+                       need net
+                       ewarn "You are binding an interface in ListenAddress 
statement in your sshd_config!"
+                       ewarn "You must add rc_need=\"net.FOO\" to your 
/etc/conf.d/sshd"
+                       ewarn "where FOO is the interface(s) providing the 
following address(es):"
+                       ewarn "${warn_addr}"
+               fi
+       fi
+}
+
+checkconfig() {
+       if [ ! -d /var/empty ] ; then
+               mkdir -p /var/empty || return 1
+       fi
+
+       if [ ! -e "${SSHD_CONFIG}" ] ; then
+               eerror "You need an ${SSHD_CONFIG} file to run sshd"
+               eerror "There is a sample file in /usr/share/doc/openssh"
+               return 1
+       fi
+
+       ssh-keygen -A || return 1
+
+       [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+               && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+       [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
+               && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
+
+       "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+start() {
+       checkconfig || return 1
+
+       ebegin "Starting ${SVCNAME}"
+       start-stop-daemon --start --exec "${SSHD_BINARY}" \
+           --pidfile "${SSHD_PIDFILE}" \
+           -- ${SSHD_OPTS}
+       eend $?
+}
+
+stop() {
+       if [ "${RC_CMD}" = "restart" ] ; then
+               checkconfig || return 1
+       fi
+
+       ebegin "Stopping ${SVCNAME}"
+       start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+           --pidfile "${SSHD_PIDFILE}" --quiet
+       eend $?
+}
+
+reload() {
+       checkconfig || return 1
+       ebegin "Reloading ${SVCNAME}"
+       start-stop-daemon --signal HUP \
+           --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+       eend $?
+}
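Review bot: checkconfig() creates /var/empty (presumably sshd's privilege-separation directory) with `mkdir -p /var/empty || return 1` but does not look at the ownership or mode of a directory that already exists, so an inherited directory with the wrong owner or with group/world-writable bits passes this script and only fails later inside sshd, whose diagnostic is far less visible than an eerror here. I would follow the mkdir with `chown root:root /var/empty && chmod 0755 /var/empty || return 1`, which keeps the check next to the `-t` test run that already protects start, restart and reload. Everything else in the script is self-contained within this hunk.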

diff --git a/net-misc/openssh/files/sshd.service 
b/net-misc/openssh/files/sshd.service
new file mode 100644
index 0000000..b5e96b3
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH server daemon
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
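Review bot: The [Service] section sets no `KillMode=`, so under the default control-group kill mode a `systemctl stop` or `restart` of sshd.service also terminates every forked per-session sshd and the client sessions behind them, including the administrator's own session issuing the restart; adding `KillMode=process` confines the stop to the listening daemon started by ExecStart. Nothing restarts the daemon if it exits on error either, and `Restart=on-failure` is the usual companion for a remote-access service. The sshd.socket/sshd_at.service pair added alongside is unaffected because each accepted connection runs as its own unit.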

diff --git a/net-misc/openssh/files/sshd.socket 
b/net-misc/openssh/files/sshd.socket
new file mode 100644
index 0000000..94b9533
--- /dev/null
+++ b/net-misc/openssh/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

diff --git a/net-misc/openssh/files/sshd_at.service 
b/net-misc/openssh/files/sshd_at.service
new file mode 100644
index 0000000..2645ad0
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=syslog

diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
new file mode 100644
index 0000000..1d275bd
--- /dev/null
+++ b/net-misc/openssh/metadata.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+  <maintainer restrict="net-misc/openssh[ldap]" type="person">
+    <email>[email protected]</email>
+    <description>LPK issues. Only assign if it's a direct LPK issue. Do not 
directly assign for anything else.</description>
+  </maintainer>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Base System</name>
+  </maintainer>
+  <longdescription>
+OpenSSH is a FREE version of the SSH protocol suite of network connectivity 
tools that 
+increasing numbers of people on the Internet are coming to rely on. Many users 
of telnet, 
+rlogin, ftp, and other such programs might not realize that their password is 
transmitted 
+across the Internet unencrypted, but it is. OpenSSH encrypts all traffic 
(including passwords) 
+to effectively eliminate eavesdropping, connection hijacking, and other 
network-level attacks. 
+Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as 
well as a variety 
+of authentication methods.
+
+The OpenSSH suite includes the ssh program which replaces rlogin and telnet, 
scp which 
+replaces rcp, and sftp which replaces ftp. Also included is sshd which is the 
server side of 
+the package, and the other basic utilities like ssh-add, ssh-agent, 
ssh-keysign, ssh-keyscan, 
+ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, 
and 2.0.
+</longdescription>
+  <use>
+    <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent 
reasons.</flag>
+    <flag name="hpn">Enable high performance ssh</flag>
+    <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
+    <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+    <flag name="sctp">Support for Stream Control Transmission Protocol</flag>
+    <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
+    <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
+    <flag name="X509">Adds support for X.509 certificate authentication</flag>
+  </use>
+  <upstream>
+    <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
+    <remote-id type="sourceforge">hpnssh</remote-id>
+  </upstream>
+</pkgmetadata>

diff --git a/net-misc/openssh/openssh-7.1_p2-r99.ebuild 
b/net-misc/openssh/openssh-7.1_p2-r99.ebuild
new file mode 100644
index 0000000..f53e827
--- /dev/null
+++ b/net-misc/openssh/openssh-7.1_p2-r99.ebuild
@@ -0,0 +1,327 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
+LDAP_PATCH="${PN}-lpk-7.1p2-0.3.14.patch.xz"
+X509_VER="8.7" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/";
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+       mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
+       ${HPN_PATCH:+hpn? (
+               mirror://gentoo/${HPN_PATCH}
+               mirror://sourceforge/hpnssh/${HPN_PATCH}
+       )}
+       ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+       ${X509_PATCH:+X509? ( 
http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+       "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~x86"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit 
libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+       pie? ( !static )
+       ssh1? ( ssl )
+       static? ( !kerberos !pam )
+       X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+       ldns? (
+               net-libs/ldns[static-libs(+)]
+               !bindist? ( net-libs/ldns[ecdsa,ssl] )
+               bindist? ( net-libs/ldns[-ecdsa,ssl] )
+       )
+       libedit? ( dev-libs/libedit[static-libs(+)] )
+       sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+       selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+       skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+       ssl? (
+               !libressl? (
+                       >=dev-libs/openssl-0.9.8f:0[bindist=]
+                       dev-libs/openssl:0[static-libs(+)]
+               )
+               libressl? ( dev-libs/libressl[static-libs(+)] )
+       )
+       >=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+       !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+       pam? ( virtual/pam )
+       kerberos? ( virtual/krb5 )
+       ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+       static? ( ${LIB_DEPEND} )
+       virtual/pkgconfig
+       virtual/os-headers
+       sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+       pam? ( >=sys-auth/pambase-20081028 )
+       userland_GNU? ( virtual/shadow )
+       X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+       # this sucks, but i'd rather have people unable to `emerge -u openssh`
+       # than not be able to log in to their server any more
+       maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+       local fail="
+               $(use X509 && maybe_fail X509 X509_PATCH)
+               $(use ldap && maybe_fail ldap LDAP_PATCH)
+               $(use hpn && maybe_fail hpn HPN_PATCH)
+       "
+       fail=$(echo ${fail})
+       if [[ -n ${fail} ]] ; then
+               eerror "Sorry, but this version does not yet support features"
+               eerror "that you requested:      ${fail}"
+               eerror "Please mask ${PF} for now and check back later:"
+               eerror " # echo '=${CATEGORY}/${PF}' >> 
/etc/portage/package.mask"
+               die "booooo"
+       fi
+
+       # Make sure people who are using tcp wrappers are notified of its 
removal. #531156
+       if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+               ewarn "Sorry, but openssh no longer supports tcp-wrappers, and 
it seems like"
+               ewarn "you're trying to use it.  Update your 
${EROOT}etc/hosts.{allow,deny} please."
+       fi
+}
+
+save_version() {
+       # version.h patch conflict avoidence
+       mv version.h version.h.$1
+       cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+       sed -i \
+               -e 
"/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+               pathnames.h || die
+       # keep this as we need it to avoid the conflict between LPK and HPN 
changing
+       # this file.
+       cp version.h version.h.pristine
+
+       # don't break .ssh/authorized_keys2 for fun
+       sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+       if use X509 ; then
+               pushd .. >/dev/null
+               if use hpn ; then
+                       pushd ${HPN_PATCH%.*.*} >/dev/null
+                       epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
+                       popd >/dev/null
+               fi
+               epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
+               popd >/dev/null
+               epatch "${WORKDIR}"/${X509_PATCH%.*}
+               epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
+               save_version X509
+       fi
+       if use ldap ; then
+               epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+               save_version LPK
+       fi
+       epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated 
into gsskex
+       epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+       # The X509 patchset fixes this independently.
+       use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
+       epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
+       if use hpn ; then
+               EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+                       EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+                       epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+               save_version HPN
+       fi
+
+       tc-export PKG_CONFIG
+       local sed_args=(
+               -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+               # Disable PATH reset, trust what portage gives us #254615
+               -e 's:^PATH=/:#PATH=/:'
+               # Disable fortify flags ... our gcc does this for us
+               -e 's:-D_FORTIFY_SOURCE=2::'
+       )
+       # The -ftrapv flag ICEs on hppa #505182
+       use hppa && sed_args+=(
+               -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+               -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+       )
+       sed -i "${sed_args[@]}" configure{.ac,} || die
+
+       epatch_user #473004
+
+       # Now we can build a sane merged version.h
+       (
+               sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+               macros=()
+               for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( 
SSH_${p} ) ; done
+               printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' 
"${macros}"
+       ) > version.h
+
+       eautoreconf
+}
+
+src_configure() {
+       addwrite /dev/ptmx
+
+       use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+       use static && append-ldflags -static
+
+       local myconf=(
+               --without-hardening
+               --with-ldflags="${LDFLAGS}"
+               --disable-strip
+               --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+               --sysconfdir="${EPREFIX}"/etc/ssh
+               --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+               --datadir="${EPREFIX}"/usr/share/openssh
+               --with-privsep-path="${EPREFIX}"/var/empty
+               --with-privsep-user=sshd
+               $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+               # We apply the ldap patch conditionally, so can't pass 
--without-ldap
+               # unconditionally else we get unknown flag warnings.
+               $(use ldap && use_with ldap)
+               $(use_with ldns)
+               $(use_with libedit)
+               $(use_with pam)
+               $(use_with pie)
+               $(use_with sctp)
+               $(use_with selinux)
+               $(use_with skey)
+               $(use_with ssh1)
+               $(use_with ssl openssl)
+               $(use_with ssl md5-passwords)
+               $(use_with ssl ssl-engine)
+       )
+
+       # The seccomp sandbox is broken on x32, so use the older method for 
now. #553748
+       use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+       econf "${myconf[@]}"
+}
+
+src_install() {
+       emake install-nokeys DESTDIR="${D}"
+       fperms 600 /etc/ssh/sshd_config
+       dobin contrib/ssh-copy-id
+       newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+       newconfd "${FILESDIR}"/sshd.confd sshd
+       keepdir /var/empty
+
+       newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+       if use pam ; then
+               sed -i \
+                       -e "/^#UsePAM /s:.*:UsePAM yes:" \
+                       -e "/^#PasswordAuthentication 
/s:.*:PasswordAuthentication no:" \
+                       -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+                       -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+                       "${ED}"/etc/ssh/sshd_config || die
+       fi
+
+       # Gentoo tweaks to default config files
+       cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+       # Allow client to pass locale environment variables #367017
+       AcceptEnv LANG LC_*
+       EOF
+       cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+       # Send locale environment variables #367017
+       SendEnv LANG LC_*
+       EOF
+
+       if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+               insinto /etc/openldap/schema/
+               newins openssh-lpk_openldap.schema openssh-lpk.schema
+       fi
+
+       doman contrib/ssh-copy-id.1
+       dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+       diropts -m 0700
+       dodir /etc/skel/.ssh
+
+       systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+       systemd_newunit "${FILESDIR}"/sshd_at.service '[email protected]'
+}
+
+src_test() {
+       local t tests skipped failed passed shell
+       tests="interop-tests compat-tests"
+       skipped=""
+       shell=$(egetshell ${UID})
+       if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+               elog "Running the full OpenSSH testsuite"
+               elog "requires a usable shell for the 'portage'"
+               elog "user, so we will run a subset only."
+               skipped="${skipped} tests"
+       else
+               tests="${tests} tests"
+       fi
+       # It will also attempt to write to the homedir .ssh
+       local sshhome=${T}/homedir
+       mkdir -p "${sshhome}"/.ssh
+       for t in ${tests} ; do
+               # Some tests read from stdin ...
+               HOMEDIR="${sshhome}" \
+               emake -k -j1 ${t} </dev/null \
+                       && passed="${passed}${t} " \
+                       || failed="${failed}${t} "
+       done
+       einfo "Passed tests: ${passed}"
+       ewarn "Skipped tests: ${skipped}"
+       if [[ -n ${failed} ]] ; then
+               ewarn "Failed tests: ${failed}"
+               die "Some tests failed: ${failed}"
+       else
+               einfo "Failed tests: ${failed}"
+               return 0
+       fi
+}
+
+pkg_preinst() {
+       enewgroup sshd 22
+       enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+       if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+               elog "Starting with openssh-5.8p1, the server will default to a 
newer key"
+               elog "algorithm (ECDSA).  You are encouraged to manually update 
your stored"
+               elog "keys list as servers update theirs.  See ssh-keyscan(1) 
for more info."
+       fi
+       if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+               elog "Starting with openssh-6.9p1, ssh1 support is disabled by 
default."
+       fi
+       if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+               elog "Starting with openssh-6.7, support for USE=tcpd has been 
dropped by upstream."
+               elog "Make sure to update any configs that you might have.  
Note that xinetd might"
+               elog "be an alternative for you as it supports USE=tcpd."
+       fi
+       if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+               elog "Starting with openssh-7.0, support for ssh-dss keys were 
disabled due to their"
+               elog "weak sizes.  If you rely on these key types, you can 
re-enable the key types by"
+               elog "adding to your sshd_config or ~/.ssh/config files:"
+               elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
+               elog "You should however generate new keys using rsa or 
ed25519."
+
+               elog "Starting with openssh-7.0, the default for 
PermitRootLogin changed from 'yes'"
+               elog "to 'prohibit-password'.  That means password auth for 
root users no longer works"
+               elog "out of the box.  If you need this, please update your 
sshd_config explicitly."
+       fi
+       if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+               elog "Be aware that by disabling openssl support in openssh, 
the server and clients"
+               elog "no longer support dss/rsa/ecdsa keys.  You will need to 
generate ed25519 keys"
+               elog "and update all clients/servers that utilize them."
+       fi
+}
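Review bot: The `--without-hardening` entry at the head of `myconf` in src_configure is unconditional and carries no comment, so the ebuild itself records no reason for disabling every toolchain-hardening flag that OpenSSH's configure would otherwise probe for; the commit title ("turn off hardening on x86") is the only explanation. That is a blanket downgrade of sshd's build-time mitigations (as far as I recall that configure block covers RELRO/BIND_NOW, -ftrapv and the FORTIFY probe), and the ebuild already shows the narrower pattern: it strips `-D_FORTIFY_SOURCE=2` by sed and special-cases `-ftrapv` on hppa via `OSSH_CHECK_CFLAG_LINK`, which suggests the musl/x86 breakage is likewise a single probe rather than the whole set. Please document which probe fails and why directly above the option, e.g. `# musl/x86: disable configure's toolchain-hardening probes (FIXME: narrow to the one flag that breaks, cf. the hppa -ftrapv sed in src_prepare)`, and consider narrowing it the same way instead of dropping all of them. Because KEYWORDS is only `~x86` today, a later keywording for other arches would otherwise inherit this silently.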
