commit: 15e618a1fdd34e952d0485cb9bcfdc8672aa25e8 Author: Fabian Groffen <grobian <AT> gentoo <DOT> org> AuthorDate: Wed Sep 28 17:26:18 2016 +0000 Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org> CommitDate: Wed Sep 28 17:26:18 2016 +0000 URL: https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=15e618a1
net-misc/openssh: migrate to gx86 net-misc/openssh/Manifest | 13 - .../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch | 127 -------- .../openssh-5.9_p1-sshd-gssapi-multihomed.patch | 184 ----------- .../openssh/files/openssh-6.3_p1-x509-glue.patch | 16 - .../files/openssh-6.3_p1-x509-hpn14v2-glue.patch | 51 ---- .../files/openssh-6.5_p1-hpn-cipher-align.patch | 114 ------- .../openssh/files/openssh-6.6.1_p1-x509-glue.patch | 17 -- .../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 -- .../files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch | 26 -- net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 ---------- .../openssh-6.6_p1-openssl-ignore-status.patch | 17 -- .../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 - .../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 -- .../openssh-6.7_p1-openssl-ignore-status.patch | 17 -- .../files/openssh-6.7_p1-xmalloc-include.patch | 11 - .../files/openssh-6.8_p1-sctp-x509-glue.patch | 90 ------ .../files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch | 40 --- .../openssh-6.8_p1-sshd-gssapi-multihomed.patch | 162 ---------- .../openssh-6.8_p1-ssl-engine-configure.patch | 31 -- .../files/openssh-6.8_p1-teraterm-hpn-glue.patch | 15 - .../openssh/files/openssh-6.8_p1-teraterm.patch | 69 ----- .../files/openssh-6.9_p1-x509-warnings.patch | 24 -- net-misc/openssh/files/sshd.confd | 21 -- net-misc/openssh/files/sshd.pam_include.2 | 4 - net-misc/openssh/files/sshd.rc6.4 | 85 ------ net-misc/openssh/files/sshd.service | 11 - net-misc/openssh/files/sshd.socket | 10 - net-misc/openssh/files/sshd_at.service | 8 - net-misc/openssh/metadata.xml | 40 --- net-misc/openssh/openssh-6.8_p1-r5.ebuild | 336 --------------------- net-misc/openssh/openssh-6.9_p1-r2.ebuild | 315 ------------------- net-misc/openssh/openssh-7.1_p2-r1.ebuild | 327 -------------------- 32 files changed, 2416 deletions(-) diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest deleted file mode 100644 index 5ad3eda..0000000 --- a/net-misc/openssh/Manifest +++ /dev/null @@ -1,13 +0,0 @@ -DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476 -DIST openssh-6.8_p1-x509-8.3.1-glue.patch.xz 141096 SHA256 1e8c911b1403e47a37c24d0ebbfa36d46204c06b38d93ed9ae6d2a0953d3bba6 SHA512 942f09f20d898b4865707b5b48012545d7f8171353427ddb773cffaf1b8c664f48375cb85292592ccba63da695e99def42d17c52a61bb93b89827f53cf3ad918 WHIRLPOOL 66ace7a191a562485ee144516912dee52c84fcfbe8b710b3429211cd9d849dc24d4419c5fa6fd3968f9ab250cf474a692db326c2ac3ef930081b8a5777875a73 -DIST openssh-6.8p1+x509-8.3.1.diff.gz 351502 SHA256 64d0b7cd428352a2d77d9decb02ec744eca4433bcb35288745859eb19ccf4fcf SHA512 6525b7ddae13752f145bda42fe6d65ec40a8c9d44766b749cf49ff904d6b1941e088e560c2a532a3dc0003ac1e29d56a28ea3ed1533ee5abcd696cd80ae88d8e WHIRLPOOL 32f45411d250b7c46f2408bfca6b12223e901fa15c27db449c06cd5b1ab7a0e853fffed5971ca635c5080d1796196a8661b8d1503bdcdb28d61e0d082f28590b -DIST openssh-6.8p1-r5-hpnssh14v5.tar.xz 27240 SHA256 4fe25701ea8717e88bf2355a76fb5370819f927af99efba3e4f06fe3264fbf58 SHA512 29a2086c6bf868bb1c8d2601e1ac83a82de48ed9f9cf6a3762b3f899112d939507b563d0117b4bec87008dd0434e0735e4a4f8c779a64d719d3873224918d16c WHIRLPOOL a4f3e841530d08363c94dfb55911e79f130668e459dc2e1ebb477c14dcf7d3bd71ad63c55e0ff2ba80684e67a8f40867b0a9fd01aabe3fe1533ef604f84a76b3 -DIST openssh-6.8p1.tar.gz 1475953 SHA256 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e SHA512 7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede WHIRLPOOL 3ac9cc4fe0b11ca66c0220618d0ef0c5925e5605d4d3d55c9579b708c478cf8613b7575fe213aba57054d97d3290baac4eba26b7a630d22477ec947f22327a5a -DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2 -DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7 -DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f -DIST openssh-7.1p2+x509-8.7.diff.gz 438584 SHA256 23030dff924a78718686fad6442b1083293b0c2a057714291bd0af9ed8ef5868 SHA512 d9aa43f5fc06b88b442285a9f9a15d01b52796c36f0cb228c756edca473a89eadb296c45503a14514fdb156d3bc9d90ff33271ccfa9461a9bb2b798a581cc007 WHIRLPOOL ef3f4486fff0addad1a6bdcde3ba606d55d6e3ea5d2cd6e79bfe2494d660c38f0e9f1c157af72c3b6ad5e6eb3731168f975b26c94f8357154e54c08e5d876652 -DIST openssh-7.1p2-hpnssh14v10.tar.xz 22388 SHA256 729e20a2627ca403da6cfff8ef251c03421022123a21c68003181b4e5409bcc5 SHA512 b8e88ac5891ed632416db8da6377512614f19f5f7a7c093b55ecfe3e3f50979c61c0674e9381c316632d8daed90f8cce958c9b77bd00084a4ee1b0297cf321ba WHIRLPOOL c466cc33dc4a40e9466148beb154c539e095ac1b9cdcc5b3d235cbcf12ca10255d63da2f0e1da10d1afa1a0d2ebd436ca0d9e542c732df6ef67fb8f4d2d0192c -DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd SHA512 d5be60f3645ec238b21e1f2dfd801b2136146674bbc086ebdb14be516c613819bc87c84b5089f3a45fe6e137a7458404f79f42572c69d91571e45ebed9d5e3af WHIRLPOOL 9f48952b82db3983c20e84bcff5b6761f5b284174072c828698dced3a53ca8bbc2e1f89d2e82b62a68f4606b52c980fcf097250f86c1a67ad343d20e3ec9d1f4 -DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b -DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518 diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch deleted file mode 100644 index c81ae5c..0000000 --- a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,127 +0,0 @@ -http://bugs.gentoo.org/165444 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008 - -Index: readconf.c -=================================================================== -RCS file: /cvs/openssh/readconf.c,v -retrieving revision 1.135 -diff -u -r1.135 readconf.c ---- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 -+++ readconf.c 19 Aug 2006 11:59:52 -0000 -@@ -126,6 +126,7 @@ - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, - oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, -@@ -163,9 +164,11 @@ - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - #else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - { "fallbacktorsh", oDeprecated }, - { "usersh", oDeprecated }, -@@ -444,6 +447,10 @@ - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1010,6 +1017,7 @@ - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1100,6 +1108,8 @@ - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -Index: readconf.h -=================================================================== -RCS file: /cvs/openssh/readconf.h,v -retrieving revision 1.63 -diff -u -r1.63 readconf.h ---- readconf.h 5 Aug 2006 02:39:40 -0000 1.63 -+++ readconf.h 19 Aug 2006 11:59:52 -0000 -@@ -45,6 +45,7 @@ - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -Index: ssh_config.5 -=================================================================== -RCS file: /cvs/openssh/ssh_config.5,v -retrieving revision 1.97 -diff -u -r1.97 ssh_config.5 ---- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97 -+++ ssh_config.5 19 Aug 2006 11:59:53 -0000 -@@ -483,7 +483,16 @@ - Forward (delegate) credentials to the server. - The default is - .Dq no . --Note that this option applies to protocol version 2 only. -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -Index: sshconnect2.c -=================================================================== -RCS file: /cvs/openssh/sshconnect2.c,v -retrieving revision 1.151 -diff -u -r1.151 sshconnect2.c ---- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 -+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 -@@ -499,6 +499,12 @@ - static u_int mech = 0; - OM_uint32 min; - int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) -+ gss_host = get_canonical_hostname(1); -+ else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -511,7 +517,7 @@ - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { - ok = 1; /* Mechanism works */ - } else { - mech++; diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch deleted file mode 100644 index 6377d03..0000000 --- a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch +++ /dev/null @@ -1,184 +0,0 @@ -Index: gss-serv.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v -retrieving revision 1.22 -diff -u -p -r1.22 gss-serv.c ---- gss-serv.c 8 May 2008 12:02:23 -0000 1.22 -+++ gss-serv.c 11 Jan 2010 05:38:29 -0000 -@@ -41,9 +41,12 @@ - #include "channels.h" - #include "session.h" - #include "misc.h" -+#include "servconf.h" - - #include "ssh-gss.h" - -+extern ServerOptions options; -+ - static ssh_gssapi_client gssapi_client = - { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; -@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) - char lname[MAXHOSTNAMELEN]; - gss_OID_set oidset; - -- gss_create_empty_oid_set(&status, &oidset); -- gss_add_oid_set_member(&status, ctx->oid, &oidset); -- -- if (gethostname(lname, MAXHOSTNAMELEN)) { -- gss_release_oid_set(&status, &oidset); -- return (-1); -- } -+ if (options.gss_strict_acceptor) { -+ gss_create_empty_oid_set(&status, &oidset); -+ gss_add_oid_set_member(&status, ctx->oid, &oidset); -+ -+ if (gethostname(lname, MAXHOSTNAMELEN)) { -+ gss_release_oid_set(&status, &oidset); -+ return (-1); -+ } -+ -+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { -+ gss_release_oid_set(&status, &oidset); -+ return (ctx->major); -+ } -+ -+ if ((ctx->major = gss_acquire_cred(&ctx->minor, -+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, -+ NULL, NULL))) -+ ssh_gssapi_error(ctx); - -- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { - gss_release_oid_set(&status, &oidset); - return (ctx->major); -+ } else { -+ ctx->name = GSS_C_NO_NAME; -+ ctx->creds = GSS_C_NO_CREDENTIAL; - } -- -- if ((ctx->major = gss_acquire_cred(&ctx->minor, -- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) -- ssh_gssapi_error(ctx); -- -- gss_release_oid_set(&status, &oidset); -- return (ctx->major); -+ return GSS_S_COMPLETE; - } - - /* Privileged */ -Index: servconf.c -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/servconf.c,v -retrieving revision 1.201 -diff -u -p -r1.201 servconf.c ---- servconf.c 10 Jan 2010 03:51:17 -0000 1.201 -+++ servconf.c 11 Jan 2010 05:34:56 -0000 -@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions - options->kerberos_get_afs_token = -1; - options->gss_authentication=-1; - options->gss_cleanup_creds = -1; -+ options->gss_strict_acceptor = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; -@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption - options->gss_authentication = 0; - if (options->gss_cleanup_creds == -1) - options->gss_cleanup_creds = 1; -+ if (options->gss_strict_acceptor == -1) -+ options->gss_strict_acceptor = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -@@ -277,7 +280,8 @@ typedef enum { - sBanner, sUseDNS, sHostbasedAuthentication, - sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, -- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, -+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, -+ sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -327,9 +331,11 @@ static struct { - #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, - { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, -+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, - #else - { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, - { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, -+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, - #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions - - case sGssCleanupCreds: - intptr = &options->gss_cleanup_creds; -+ goto parse_flag; -+ -+ case sGssStrictAcceptor: -+ intptr = &options->gss_strict_acceptor; - goto parse_flag; - - case sPasswordAuthentication: -Index: servconf.h -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/servconf.h,v -retrieving revision 1.89 -diff -u -p -r1.89 servconf.h ---- servconf.h 9 Jan 2010 23:04:13 -0000 1.89 -+++ servconf.h 11 Jan 2010 05:32:28 -0000 -@@ -92,6 +92,7 @@ typedef struct { - * authenticated with Kerberos. */ - int gss_authentication; /* If true, permit GSSAPI authentication */ - int gss_cleanup_creds; /* If true, destroy cred cache on logout */ -+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ - int password_authentication; /* If true, permit password - * authentication. */ - int kbd_interactive_authentication; /* If true, permit */ -Index: sshd_config -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/sshd_config,v -retrieving revision 1.81 -diff -u -p -r1.81 sshd_config ---- sshd_config 8 Oct 2009 14:03:41 -0000 1.81 -+++ sshd_config 11 Jan 2010 05:32:28 -0000 -@@ -69,6 +69,7 @@ - # GSSAPI options - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes -+#GSSAPIStrictAcceptorCheck yes - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -Index: sshd_config.5 -=================================================================== -RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v -retrieving revision 1.116 -diff -u -p -r1.116 sshd_config.5 ---- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116 -+++ sshd_config.5 11 Jan 2010 05:37:20 -0000 -@@ -386,6 +386,21 @@ on logout. - The default is - .Dq yes . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIStrictAcceptorCheck -+Determines whether to be strict about the identity of the GSSAPI acceptor -+a client authenticates against. -+If set to -+.Dq yes -+then the client must authenticate against the -+.Pa host -+service on the current hostname. -+If set to -+.Dq no -+then the client may authenticate against any service key stored in the -+machine's default store. -+This facility is provided to assist with operation on multi homed machines. -+The default is -+.Dq yes . - .It Cm HostbasedAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication together - with successful public key client host authentication is allowed diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch deleted file mode 100644 index f70d44a..0000000 --- a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch +++ /dev/null @@ -1,16 +0,0 @@ -make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch - ---- openssh-6.3p1+x509-7.6.diff -+++ openssh-6.3p1+x509-7.6.diff -@@ -14784,10 +14784,9 @@ - .It Cm ChallengeResponseAuthentication - Specifies whether challenge-response authentication is allowed (e.g. via - PAM or though authentication styles supported in --@@ -490,6 +567,16 @@ -+@@ -490,5 +567,15 @@ - The default is - .Dq yes . -- Note that this option applies to protocol version 2 only. - +.It Cm HostbasedAlgorithms - +Specifies the protocol version 2 algorithms used in - +.Dq hostbased diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch deleted file mode 100644 index c3647d5..0000000 --- a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch +++ /dev/null @@ -1,51 +0,0 @@ ---- openssh-6.3p1/Makefile.in -+++ openssh-6.3p1/Makefile.in -@@ -45,7 +45,7 @@ - CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ --CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ -+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ - LIBS=@LIBS@ - K5LIBS=@K5LIBS@ - GSSLIBS=@GSSLIBS@ -@@ -53,6 +53,7 @@ - SSHDLIBS=@SSHDLIBS@ - LIBEDIT=@LIBEDIT@ - LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ -+CPPFLAGS+=@LDAP_CPPFLAGS@ - AR=@AR@ - AWK=@AWK@ - RANLIB=@RANLIB@ ---- openssh-6.3p1/sshconnect.c -+++ openssh-6.3p1/sshconnect.c -@@ -465,7 +465,7 @@ - { - /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n", -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); - } else { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", ---- openssh-6.3p1/sshd.c -+++ openssh-6.3p1/sshd.c -@@ -472,8 +472,8 @@ - comment = ""; - } - -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", -- major, minor, SSH_VERSION, comment, -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", -+ major, minor, SSH_VERSION, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); - ---- openssh-6.3p1/version.h -+++ openssh-6.3p1/version.h -@@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_6.3" - - #define SSH_PORTABLE "p1" -+#define SSH_X509 " PKIX" - #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch deleted file mode 100644 index cfb060f..0000000 --- a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch +++ /dev/null @@ -1,114 +0,0 @@ -https://bugs.gentoo.org/498632 - -make sure we do not use unaligned loads/stores as some arches really hate that. - ---- a/cipher-ctr-mt.c -+++ b/cipher-ctr-mt.c -@@ -58,8 +58,16 @@ - /* Collect thread stats and print at cancellation when in debug mode */ - /* #define CIPHER_THREAD_STATS */ - --/* Use single-byte XOR instead of 8-byte XOR */ --/* #define CIPHER_BYTE_XOR */ -+/* Can the system do unaligned loads natively? */ -+#if defined(__aarch64__) || \ -+ defined(__i386__) || \ -+ defined(__powerpc__) || \ -+ defined(__x86_64__) -+# define CIPHER_UNALIGNED_OK -+#endif -+#if defined(__SIZEOF_INT128__) -+# define CIPHER_INT128_OK -+#endif - /*-------------------- END TUNABLES --------------------*/ - - -@@ -285,8 +293,20 @@ thread_loop(void *x) - - static int - ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, -- u_int len) -+ size_t len) - { -+ typedef union { -+#ifdef CIPHER_INT128_OK -+ __uint128_t *u128; -+#endif -+ uint64_t *u64; -+ uint32_t *u32; -+ uint8_t *u8; -+ const uint8_t *cu8; -+ uintptr_t u; -+ } ptrs_t; -+ ptrs_t destp, srcp, bufp; -+ uintptr_t align; - struct ssh_aes_ctr_ctx *c; - struct kq *q, *oldq; - int ridx; -@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, - ridx = c->ridx; - - /* src already padded to block multiple */ -+ srcp.cu8 = src; -+ destp.u8 = dest; - while (len > 0) { - buf = q->keys[ridx]; -+ bufp.u8 = buf; - --#ifdef CIPHER_BYTE_XOR -- dest[0] = src[0] ^ buf[0]; -- dest[1] = src[1] ^ buf[1]; -- dest[2] = src[2] ^ buf[2]; -- dest[3] = src[3] ^ buf[3]; -- dest[4] = src[4] ^ buf[4]; -- dest[5] = src[5] ^ buf[5]; -- dest[6] = src[6] ^ buf[6]; -- dest[7] = src[7] ^ buf[7]; -- dest[8] = src[8] ^ buf[8]; -- dest[9] = src[9] ^ buf[9]; -- dest[10] = src[10] ^ buf[10]; -- dest[11] = src[11] ^ buf[11]; -- dest[12] = src[12] ^ buf[12]; -- dest[13] = src[13] ^ buf[13]; -- dest[14] = src[14] ^ buf[14]; -- dest[15] = src[15] ^ buf[15]; --#else -- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf; -- *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^ -- *(uint64_t *)(buf + 8); --#endif -+ /* figure out the alignment on the fly */ -+#ifdef CIPHER_UNALIGNED_OK -+ align = 0; -+#else -+ align = destp.u | srcp.u | bufp.u; -+#endif -+ -+#ifdef CIPHER_INT128_OK -+ if ((align & 0xf) == 0) { -+ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0]; -+ } else -+#endif -+ if ((align & 0x7) == 0) { -+ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0]; -+ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1]; -+ } else if ((align & 0x3) == 0) { -+ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0]; -+ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1]; -+ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2]; -+ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3]; -+ } else { -+ size_t i; -+ for (i = 0; i < AES_BLOCK_SIZE; ++i) -+ dest[i] = src[i] ^ buf[i]; -+ } - -- dest += 16; -- src += 16; -- len -= 16; -+ destp.u += AES_BLOCK_SIZE; -+ srcp.u += AES_BLOCK_SIZE; -+ len -= AES_BLOCK_SIZE; - ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE); - - /* Increment read index, switch queues on rollover */ diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch deleted file mode 100644 index 2a34ee9..0000000 --- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch +++ /dev/null @@ -1,17 +0,0 @@ -Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch. - ---- openssh-6.6p1+x509-8.0.diff -+++ openssh-6.6p1+x509-8.0.diff -@@ -16337,10 +16337,10 @@ - .It Cm ChallengeResponseAuthentication - Specifies whether challenge-response authentication is allowed (e.g. via - PAM or though authentication styles supported in --@@ -499,6 +576,16 @@ -+@@ -514,6 +591,16 @@ -+ This facility is provided to assist with operation on multi homed machines. - The default is - .Dq yes . -- Note that this option applies to protocol version 2 only. - +.It Cm HostbasedAlgorithms - +Specifies the protocol version 2 algorithms used in - +.Dq hostbased diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch deleted file mode 100644 index c76015d..0000000 --- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch +++ /dev/null @@ -1,26 +0,0 @@ -make the hpn patch apply when the x509 patch has also been applied - ---- openssh-6.6.1p1-hpnssh14v4.diff -+++ openssh-6.6.1p1-hpnssh14v4.diff -@@ -1742,18 +1742,14 @@ - if (options->ip_qos_interactive == -1) - options->ip_qos_interactive = IPTOS_LOWDELAY; - if (options->ip_qos_bulk == -1) --@@ -345,9 +393,10 @@ -+@@ -345,6 +393,7 @@ - sUsePrivilegeSeparation, sAllowAgentForwarding, - sHostCertificate, - sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, --+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, -++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled, - sKexAlgorithms, sIPQoS, sVersionAddendum, - sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, --- sAuthenticationMethods, sHostKeyAgent, --+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent, -- sDeprecated, sUnsupported -- } ServerOpCodes; -- -+ sAuthenticationMethods, sHostKeyAgent, - @@ -468,6 +517,10 @@ - { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch deleted file mode 100644 index beb2292..0000000 --- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch +++ /dev/null @@ -1,26 +0,0 @@ -make the hpn patch apply when the x509 patch has also been applied - ---- openssh-6.6.1p1-hpnssh14v5.diff -+++ openssh-6.6.1p1-hpnssh14v5.diff -@@ -1742,18 +1742,14 @@ - if (options->ip_qos_interactive == -1) - options->ip_qos_interactive = IPTOS_LOWDELAY; - if (options->ip_qos_bulk == -1) --@@ -345,9 +392,10 @@ -+@@ -345,6 +392,7 @@ - sUsePrivilegeSeparation, sAllowAgentForwarding, - sHostCertificate, - sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, --+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, -++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled, - sKexAlgorithms, sIPQoS, sVersionAddendum, - sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, --- sAuthenticationMethods, sHostKeyAgent, --+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent, -- sDeprecated, sUnsupported -- } ServerOpCodes; -- -+ sAuthenticationMethods, sHostKeyAgent, - @@ -468,6 +516,10 @@ - { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch b/net-misc/openssh/files/openssh-6.6.1_p1.patch deleted file mode 100644 index 2a8a87c..0000000 --- a/net-misc/openssh/files/openssh-6.6.1_p1.patch +++ /dev/null @@ -1,167 +0,0 @@ -Hi, - -So I screwed up when writing the support for the curve25519 KEX method -that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left -leading zero bytes where they should have been skipped. The impact of -this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a -peer that implements curve25519-sha256 at libssh.org properly about 0.2% -of the time (one in every 512ish connections). - -We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 -key exchange for previous versions, but I'd recommend distributors -of OpenSSH apply this patch so the affected code doesn't become -too entrenched in LTS releases. - -The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as -to distinguish itself from the incorrect versions so the compatibility -code to disable the affected KEX isn't activated. - -I've committed this on the 6.6 branch too. - -Apologies for the hassle. - --d - -Index: version.h -=================================================================== -RCS file: /var/cvs/openssh/version.h,v -retrieving revision 1.82 -diff -u -p -r1.82 version.h ---- version.h 27 Feb 2014 23:01:54 -0000 1.82 -+++ version.h 20 Apr 2014 03:35:15 -0000 -@@ -1,6 +1,6 @@ - /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ - --#define SSH_VERSION "OpenSSH_6.6" -+#define SSH_VERSION "OpenSSH_6.6.1" - - #define SSH_PORTABLE "p1" - #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -Index: compat.c -=================================================================== -RCS file: /var/cvs/openssh/compat.c,v -retrieving revision 1.82 -retrieving revision 1.85 -diff -u -p -r1.82 -r1.85 ---- compat.c 31 Dec 2013 01:25:41 -0000 1.82 -+++ compat.c 20 Apr 2014 03:33:59 -0000 1.85 -@@ -95,6 +95,9 @@ compat_datafellows(const char *version) - { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, - { "OpenSSH_4*", 0 }, - { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, -+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, -+ { "OpenSSH_6.5*," -+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, - { "OpenSSH*", SSH_NEW_OPENSSH }, - { "*MindTerm*", 0 }, - { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| -@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop - return cipher_prop; - } - -- - char * - compat_pkalg_proposal(char *pkalg_prop) - { -@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop) - if (*pkalg_prop == '\0') - fatal("No supported PK algorithms found"); - return pkalg_prop; -+} -+ -+char * -+compat_kex_proposal(char *kex_prop) -+{ -+ if (!(datafellows & SSH_BUG_CURVE25519PAD)) -+ return kex_prop; -+ debug2("%s: original KEX proposal: %s", __func__, kex_prop); -+ kex_prop = filter_proposal(kex_prop, "[email protected]"); -+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); -+ if (*kex_prop == '\0') -+ fatal("No supported key exchange algorithms found"); -+ return kex_prop; - } - -Index: compat.h -=================================================================== -RCS file: /var/cvs/openssh/compat.h,v -retrieving revision 1.42 -retrieving revision 1.43 -diff -u -p -r1.42 -r1.43 ---- compat.h 31 Dec 2013 01:25:41 -0000 1.42 -+++ compat.h 20 Apr 2014 03:25:31 -0000 1.43 -@@ -59,6 +59,7 @@ - #define SSH_BUG_RFWD_ADDR 0x02000000 - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 -+#define SSH_BUG_CURVE25519PAD 0x10000000 - - void enable_compat13(void); - void enable_compat20(void); -@@ -66,6 +67,7 @@ void compat_datafellows(const char * - int proto_spec(const char *); - char *compat_cipher_proposal(char *); - char *compat_pkalg_proposal(char *); -+char *compat_kex_proposal(char *); - - extern int compat13; - extern int compat20; -Index: sshd.c -=================================================================== -RCS file: /var/cvs/openssh/sshd.c,v -retrieving revision 1.448 -retrieving revision 1.453 -diff -u -p -r1.448 -r1.453 ---- sshd.c 26 Feb 2014 23:20:08 -0000 1.448 -+++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453 -@@ -2462,6 +2438,9 @@ do_ssh2_kex(void) - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); -+ - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, - (time_t)options.rekey_interval); -Index: sshconnect2.c -=================================================================== -RCS file: /var/cvs/openssh/sshconnect2.c,v -retrieving revision 1.197 -retrieving revision 1.199 -diff -u -p -r1.197 -r1.199 ---- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197 -+++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199 -@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho - } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS]); - - if (options.rekey_limit || options.rekey_interval) - packet_set_rekey_limits((u_int32_t)options.rekey_limit, -Index: bufaux.c -=================================================================== -RCS file: /var/cvs/openssh/bufaux.c,v -retrieving revision 1.62 -retrieving revision 1.63 -diff -u -p -r1.62 -r1.63 ---- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62 -+++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63 -@@ -1,4 +1,4 @@ --/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ -+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ - /* - * Author: Tatu Ylonen <[email protected]> - * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland -@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b - - if (l > 8 * 1024) - fatal("%s: length %u too long", __func__, l); -+ /* Skip leading zero bytes */ -+ for (; l > 0 && *s == 0; l--, s++) -+ ; - p = buf = xmalloc(l + 1); - /* - * If most significant bit is set then prepend a zero byte to diff --git a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch deleted file mode 100644 index 6db6b97d..0000000 --- a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch +++ /dev/null @@ -1,17 +0,0 @@ -the last nibble of the openssl version represents the status. that is, -whether it is a beta or release. when it comes to version checks in -openssh, this component does not matter, so ignore it. - -https://bugzilla.mindrot.org/show_bug.cgi?id=2212 - ---- a/entropy.c -+++ b/entropy.c -@@ -216,7 +216,7 @@ seed_rng(void) - * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed - * within a patch series. - */ -- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L; -+ u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L; - if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) || - (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12)) - fatal("OpenSSL version mismatch. Built against %lx, you " diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch deleted file mode 100644 index 0ba3e45..0000000 --- a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch +++ /dev/null @@ -1,16 +0,0 @@ -Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch. - ---- openssh-6.6p1+x509-7.9.diff -+++ openssh-6.6p1+x509-7.9.diff -@@ -15473,10 +15473,9 @@ - .It Cm ChallengeResponseAuthentication - Specifies whether challenge-response authentication is allowed (e.g. via - PAM or though authentication styles supported in --@@ -499,6 +576,16 @@ -+@@ -499,5 +576,15 @@ - The default is - .Dq yes . -- Note that this option applies to protocol version 2 only. - +.It Cm HostbasedAlgorithms - +Specifies the protocol version 2 algorithms used in - +.Dq hostbased diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch deleted file mode 100644 index a69830e..0000000 --- a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch +++ /dev/null @@ -1,26 +0,0 @@ -make the hpn patch apply when the x509 patch has also been applied - ---- openssh-6.6p1-hpnssh14v4.diff -+++ openssh-6.6p1-hpnssh14v4.diff -@@ -1742,18 +1742,14 @@ - if (options->ip_qos_interactive == -1) - options->ip_qos_interactive = IPTOS_LOWDELAY; - if (options->ip_qos_bulk == -1) --@@ -345,9 +393,10 @@ -+@@ -345,6 +393,7 @@ - sUsePrivilegeSeparation, sAllowAgentForwarding, - sHostCertificate, - sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, --+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, -++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled, - sKexAlgorithms, sIPQoS, sVersionAddendum, - sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, --- sAuthenticationMethods, sHostKeyAgent, --+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent, -- sDeprecated, sUnsupported -- } ServerOpCodes; -- -+ sAuthenticationMethods, sHostKeyAgent, - @@ -468,6 +517,10 @@ - { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch deleted file mode 100644 index fa33af3..0000000 --- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch +++ /dev/null @@ -1,17 +0,0 @@ -the last nibble of the openssl version represents the status. that is, -whether it is a beta or release. when it comes to version checks in -openssh, this component does not matter, so ignore it. - -https://bugzilla.mindrot.org/show_bug.cgi?id=2212 - ---- a/openbsd-compat/openssl-compat.c -+++ b/openbsd-compat/openssl-compat.c -@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) - * For versions >= 1.0.0, major,minor,status must match and library - * fix version must be equal to or newer than the header. - */ -- mask = 0xfff0000fL; /* major,minor,status */ -+ mask = 0xfff00000L; /* major,minor,status */ - hfix = (headerver & 0x000ff000) >> 12; - lfix = (libver & 0x000ff000) >> 12; - if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch b/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch deleted file mode 100644 index 170031d..0000000 --- a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -ur openssh-6.7p1.orig/ssh-rsa.c openssh-6.7p1/ssh-rsa.c ---- openssh-6.7p1.orig/ssh-rsa.c 2015-02-24 14:52:54.512197868 -0800 -+++ openssh-6.7p1/ssh-rsa.c 2015-02-27 11:48:54.173951646 -0800 -@@ -34,6 +34,7 @@ - #include "sshkey.h" - #include "digest.h" - #include "evp-compat.h" -+#include "xmalloc.h" - - /*NOTE: Do not define USE_LEGACY_RSA_... if build - is with FIPS capable OpenSSL */ diff --git a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch deleted file mode 100644 index 7b12e9a..0000000 --- a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch +++ /dev/null @@ -1,90 +0,0 @@ ---- openssh-6.8_p1-sctp.patch.orig 2015-03-18 17:52:40.563506822 -0700 -+++ openssh-6.8_p1-sctp.patch 2015-03-18 18:14:30.919753194 -0700 -@@ -184,34 +184,6 @@ - int port; /* Port to connect. */ - int address_family; - int connection_attempts; /* Max attempts (seconds) before ----- a/scp.1 --+++ b/scp.1 --@@ -19,7 +19,7 @@ -- .Sh SYNOPSIS -- .Nm scp -- .Bk -words ---.Op Fl 12346BCpqrv --+.Op Fl 12346BCpqrvz -- .Op Fl c Ar cipher -- .Op Fl F Ar ssh_config -- .Op Fl i Ar identity_file --@@ -178,6 +178,7 @@ For full details of the options listed b -- .It ServerAliveCountMax -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It UpdateHostKeys -- .It UsePrivilegedPort -- .It User --@@ -218,6 +219,8 @@ and -- to print debugging messages about their progress. -- This is helpful in -- debugging connection, authentication, and configuration problems. --+.It Fl z --+Use the SCTP protocol for connection instead of TCP which is the default. -- .El -- .Sh EXIT STATUS -- .Ex -std scp - --- a/scp.c - +++ b/scp.c - @@ -395,7 +395,11 @@ main(int argc, char **argv) -@@ -471,34 +443,6 @@ - int protocol; /* Supported protocol versions. */ - struct ForwardOptions fwd_opts; /* forwarding options */ - SyslogFacility log_facility; /* Facility for system logging. */ ----- a/ssh.1 --+++ b/ssh.1 --@@ -43,7 +43,7 @@ -- .Sh SYNOPSIS -- .Nm ssh -- .Bk -words ---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy --+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz -- .Op Fl b Ar bind_address -- .Op Fl c Ar cipher_spec -- .Op Fl D Oo Ar bind_address : Oc Ns Ar port --@@ -473,6 +473,7 @@ For full details of the options listed b -- .It StreamLocalBindUnlink -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It Tunnel -- .It TunnelDevice -- .It UsePrivilegedPort --@@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte -- controls. -- .It Fl y -- Send log information using the --+.It Fl z --+Use the SCTP protocol for connection instead of TCP which is the default. -- .Xr syslog 3 -- system module. -- By default this information is sent to stderr. - --- a/ssh.c - +++ b/ssh.c - @@ -194,12 +194,17 @@ extern int muxserver_sock; -@@ -520,13 +464,11 @@ - " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" - " [-F configfile] [-I pkcs11] [-i identity_file]\n" - " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" --@@ -506,7 +512,7 @@ main(int ac, char **av) -- argv0 = av[0]; -+@@ -506,4 +512,4 @@ main(int ac, char **av) - -- again: --- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" --+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT -- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" -++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT -+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { - switch (opt) { - case '1': - @@ -732,6 +738,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch b/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch deleted file mode 100644 index e14a728..0000000 --- a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch +++ /dev/null @@ -1,40 +0,0 @@ -https://bugs.gentoo.org/544078 -https://bugzilla.mindrot.org/show_bug.cgi?id=2369 - -From 117c961c8d1f0537973df5a6a937389b4b7b61b4 Mon Sep 17 00:00:00 2001 -From: "[email protected]" <[email protected]> -Date: Mon, 23 Mar 2015 06:06:38 +0000 -Subject: [PATCH] upstream commit - -for ssh-keygen -A, don't try (and fail) to generate ssh - v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled - without OpenSSL based on patch by Mike Frysinger; bz#2369 ---- - ssh-keygen.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/ssh-keygen.c b/ssh-keygen.c -index a3c2362..96dd8b4 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -948,12 +948,16 @@ do_gen_all_hostkeys(struct passwd *pw) - char *key_type_display; - char *path; - } key_types[] = { -+#ifdef WITH_OPENSSL -+#ifdef WITH_SSH1 - { "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, -+#endif /* WITH_SSH1 */ - { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, - { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, - #ifdef OPENSSL_HAS_ECC - { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, --#endif -+#endif /* OPENSSL_HAS_ECC */ -+#endif /* WITH_OPENSSL */ - { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, - { NULL, NULL, NULL } - }; --- -2.3.3 - diff --git a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch deleted file mode 100644 index 48fce1e..0000000 --- a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch +++ /dev/null @@ -1,162 +0,0 @@ -https://bugs.gentoo.org/378361 -https://bugzilla.mindrot.org/show_bug.cgi?id=928 - ---- a/gss-serv.c -+++ b/gss-serv.c -@@ -41,9 +41,12 @@ - #include "channels.h" - #include "session.h" - #include "misc.h" -+#include "servconf.h" - - #include "ssh-gss.h" - -+extern ServerOptions options; -+ - static ssh_gssapi_client gssapi_client = - { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; -@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) - char lname[NI_MAXHOST]; - gss_OID_set oidset; - -- gss_create_empty_oid_set(&status, &oidset); -- gss_add_oid_set_member(&status, ctx->oid, &oidset); -- -- if (gethostname(lname, sizeof(lname))) { -- gss_release_oid_set(&status, &oidset); -- return (-1); -- } -+ if (options.gss_strict_acceptor) { -+ gss_create_empty_oid_set(&status, &oidset); -+ gss_add_oid_set_member(&status, ctx->oid, &oidset); -+ -+ if (gethostname(lname, MAXHOSTNAMELEN)) { -+ gss_release_oid_set(&status, &oidset); -+ return (-1); -+ } -+ -+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { -+ gss_release_oid_set(&status, &oidset); -+ return (ctx->major); -+ } -+ -+ if ((ctx->major = gss_acquire_cred(&ctx->minor, -+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, -+ NULL, NULL))) -+ ssh_gssapi_error(ctx); - -- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { - gss_release_oid_set(&status, &oidset); - return (ctx->major); -+ } else { -+ ctx->name = GSS_C_NO_NAME; -+ ctx->creds = GSS_C_NO_CREDENTIAL; - } -- -- if ((ctx->major = gss_acquire_cred(&ctx->minor, -- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) -- ssh_gssapi_error(ctx); -- -- gss_release_oid_set(&status, &oidset); -- return (ctx->major); -+ return GSS_S_COMPLETE; - } - - /* Privileged */ ---- a/servconf.c -+++ b/servconf.c -@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions - options->kerberos_get_afs_token = -1; - options->gss_authentication=-1; - options->gss_cleanup_creds = -1; -+ options->gss_strict_acceptor = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; -@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption - options->gss_authentication = 0; - if (options->gss_cleanup_creds == -1) - options->gss_cleanup_creds = 1; -+ if (options->gss_strict_acceptor == -1) -+ options->gss_strict_acceptor = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -@@ -277,7 +280,8 @@ typedef enum { - sBanner, sUseDNS, sHostbasedAuthentication, - sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, - sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, -- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, -+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, -+ sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, sAllowAgentForwarding, - sHostCertificate, -@@ -327,9 +331,11 @@ static struct { - #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, - { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, -+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, - #else - { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, - { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, -+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, - #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions - - case sGssCleanupCreds: - intptr = &options->gss_cleanup_creds; -+ goto parse_flag; -+ -+ case sGssStrictAcceptor: -+ intptr = &options->gss_strict_acceptor; - goto parse_flag; - - case sPasswordAuthentication: ---- a/servconf.h -+++ b/servconf.h -@@ -92,6 +92,7 @@ typedef struct { - * authenticated with Kerberos. */ - int gss_authentication; /* If true, permit GSSAPI authentication */ - int gss_cleanup_creds; /* If true, destroy cred cache on logout */ -+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ - int password_authentication; /* If true, permit password - * authentication. */ - int kbd_interactive_authentication; /* If true, permit */ ---- a/sshd_config -+++ b/sshd_config -@@ -69,6 +69,7 @@ - # GSSAPI options - #GSSAPIAuthentication no - #GSSAPICleanupCredentials yes -+#GSSAPIStrictAcceptorCheck yes - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -386,6 +386,21 @@ on logout. - The default is - .Dq yes . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIStrictAcceptorCheck -+Determines whether to be strict about the identity of the GSSAPI acceptor -+a client authenticates against. -+If set to -+.Dq yes -+then the client must authenticate against the -+.Pa host -+service on the current hostname. -+If set to -+.Dq no -+then the client may authenticate against any service key stored in the -+machine's default store. -+This facility is provided to assist with operation on multi homed machines. -+The default is -+.Dq yes . - .It Cm HostbasedAcceptedKeyTypes - Specifies the key types that will be accepted for hostbased authentication - as a comma-separated pattern list. diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch deleted file mode 100644 index 9fad386..0000000 --- a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <[email protected]> -Date: Wed, 18 Mar 2015 12:37:24 -0400 -Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is - set - ---- - configure.ac | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index b4d6598..7806d20 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2276,10 +2276,10 @@ openssl_engine=no - AC_ARG_WITH([ssl-engine], - [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], - [ -- if test "x$openssl" = "xno" ; then -- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) -- fi - if test "x$withval" != "xno" ; then -+ if test "x$openssl" = "xno" ; then -+ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) -+ fi - openssl_engine=yes - fi - ] --- -2.3.2 - diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch deleted file mode 100644 index e72b1e6..0000000 --- a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- a/0005-support-dynamically-sized-receive-buffers.patch -+++ b/0005-support-dynamically-sized-receive-buffers.patch -@@ -411,10 +411,10 @@ index af2f007..41b782b 100644 - --- a/compat.h - +++ b/compat.h - @@ -60,6 +60,7 @@ -- #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 - #define SSH_BUG_CURVE25519PAD 0x10000000 --+#define SSH_BUG_LARGEWINDOW 0x20000000 -+ #define SSH_BUG_HOSTKEYS 0x20000000 -++#define SSH_BUG_LARGEWINDOW 0x40000000 - - void enable_compat13(void); - void enable_compat20(void); diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch deleted file mode 100644 index f99e92f..0000000 --- a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch +++ /dev/null @@ -1,69 +0,0 @@ -https://bugs.gentoo.org/547944 - -From d8f391caef62378463a0e6b36f940170dadfe605 Mon Sep 17 00:00:00 2001 -From: "[email protected]" <[email protected]> -Date: Fri, 10 Apr 2015 05:16:50 +0000 -Subject: [PATCH] upstream commit - -Don't send hostkey advertisments - ([email protected]) to current versions of Tera Term as they can't - handle them. Newer versions should be OK. Patch from Bryan Drewery and - IWAMOTO Kouichi, ok djm@ ---- - compat.c | 13 ++++++++++++- - compat.h | 3 ++- - sshd.c | 6 +++++- - 3 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/compat.c b/compat.c -index 2498168..0934de9 100644 ---- a/compat.c -+++ b/compat.c -@@ -167,6 +167,17 @@ compat_datafellows(const char *version) - SSH_BUG_SCANNER }, - { "Probe-*", - SSH_BUG_PROBE }, -+ { "TeraTerm SSH*," -+ "TTSSH/1.5.*," -+ "TTSSH/2.1*," -+ "TTSSH/2.2*," -+ "TTSSH/2.3*," -+ "TTSSH/2.4*," -+ "TTSSH/2.5*," -+ "TTSSH/2.6*," -+ "TTSSH/2.70*," -+ "TTSSH/2.71*," -+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS }, - { NULL, 0 } - }; - -diff --git a/compat.h b/compat.h -index af2f007..83507f0 100644 ---- a/compat.h -+++ b/compat.h -@@ -60,6 +60,7 @@ - #define SSH_NEW_OPENSSH 0x04000000 - #define SSH_BUG_DYNAMIC_RPORT 0x08000000 - #define SSH_BUG_CURVE25519PAD 0x10000000 -+#define SSH_BUG_HOSTKEYS 0x20000000 - - void enable_compat13(void); - void enable_compat20(void); -diff --git a/sshd.c b/sshd.c -index 6aa17fa..60b0cd4 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh) - int i, nkeys, r; - char *fp; - -+ /* Some clients cannot cope with the hostkeys message, skip those. */ -+ if (datafellows & SSH_BUG_HOSTKEYS) -+ return; -+ - if ((buf = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new", __func__); - for (i = nkeys = 0; i < options.num_host_key_files; i++) { --- -2.3.6 - diff --git a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch b/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch deleted file mode 100644 index 9ce2967..0000000 --- a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -ur openssh-6.9p1.orig/sshconnect2.c openssh-6.9p1/sshconnect2.c ---- openssh-6.9p1.orig/sshconnect2.c 2015-07-01 14:56:26.766316866 -0700 -+++ openssh-6.9p1/sshconnect2.c 2015-07-01 14:59:22.828692366 -0700 -@@ -1404,7 +1404,7 @@ - static int - get_allowed_keytype(Key *k) { - char *pattern; -- char *alg; -+ const char *alg; - - if (k->type == KEY_RSA1 || k->type == KEY_UNSPEC) - return KEY_UNSPEC; -diff -ur openssh-6.9p1.orig/x509_nm_cmp.c openssh-6.9p1/x509_nm_cmp.c ---- openssh-6.9p1.orig/x509_nm_cmp.c 2015-07-01 14:56:26.129311890 -0700 -+++ openssh-6.9p1/x509_nm_cmp.c 2015-07-01 14:59:14.086624068 -0700 -@@ -133,7 +133,7 @@ - tag = M_ASN1_STRING_type(in); - if (tag != V_ASN1_UTF8STRING) { - /*OpenSSL method surprisingly require non-const(!?) ASN1_STRING!*/ -- return(ASN1_STRING_to_UTF8(out, in)); -+ return(ASN1_STRING_to_UTF8(out, (ASN1_STRING *) in)); - } - - l = M_ASN1_STRING_length(in); diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd deleted file mode 100644 index 28952b4..0000000 --- a/net-misc/openssh/files/sshd.confd +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/conf.d/sshd: config file for /etc/init.d/sshd - -# Where is your sshd_config file stored? - -SSHD_CONFDIR="/etc/ssh" - - -# Any random options you want to pass to sshd. -# See the sshd(8) manpage for more info. - -SSHD_OPTS="" - - -# Pid file to use (needs to be absolute path). - -#SSHD_PIDFILE="/var/run/sshd.pid" - - -# Path to the sshd binary (needs to be absolute path). - -#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2 deleted file mode 100644 index b801aaa..0000000 --- a/net-misc/openssh/files/sshd.pam_include.2 +++ /dev/null @@ -1,4 +0,0 @@ -auth include system-remote-login -account include system-remote-login -password include system-remote-login -session include system-remote-login diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4 deleted file mode 100755 index 80f1b7e..0000000 --- a/net-misc/openssh/files/sshd.rc6.4 +++ /dev/null @@ -1,85 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.4,v 1.5 2015/05/04 02:56:25 vapier Exp $ - -extra_commands="checkconfig" -extra_started_commands="reload" - -: ${SSHD_CONFDIR:=/etc/ssh} -: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} -: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid} -: ${SSHD_BINARY:=/usr/sbin/sshd} - -depend() { - use logger dns - if [ "${rc_need+set}" = "set" ] ; then - : # Do nothing, the user has explicitly set rc_need - else - local x warn_addr - for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do - case "${x}" in - 0.0.0.0|0.0.0.0:*) ;; - ::|\[::\]*) ;; - *) warn_addr="${warn_addr} ${x}" ;; - esac - done - if [ -n "${warn_addr}" ] ; then - need net - ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" - ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd" - ewarn "where FOO is the interface(s) providing the following address(es):" - ewarn "${warn_addr}" - fi - fi -} - -checkconfig() { - if [ ! -d /var/empty ] ; then - mkdir -p /var/empty || return 1 - fi - - if [ ! -e "${SSHD_CONFIG}" ] ; then - eerror "You need an ${SSHD_CONFIG} file to run sshd" - eerror "There is a sample file in /usr/share/doc/openssh" - return 1 - fi - - ssh-keygen -A || return 1 - - [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ - && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" - [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \ - && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}" - - "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 -} - -start() { - checkconfig || return 1 - - ebegin "Starting ${SVCNAME}" - start-stop-daemon --start --exec "${SSHD_BINARY}" \ - --pidfile "${SSHD_PIDFILE}" \ - -- ${SSHD_OPTS} - eend $? -} - -stop() { - if [ "${RC_CMD}" = "restart" ] ; then - checkconfig || return 1 - fi - - ebegin "Stopping ${SVCNAME}" - start-stop-daemon --stop --exec "${SSHD_BINARY}" \ - --pidfile "${SSHD_PIDFILE}" --quiet - eend $? -} - -reload() { - checkconfig || return 1 - ebegin "Reloading ${SVCNAME}" - start-stop-daemon --signal HUP \ - --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" - eend $? -} diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service deleted file mode 100644 index b5e96b3..0000000 --- a/net-misc/openssh/files/sshd.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=OpenSSH server daemon -After=syslog.target network.target auditd.service - -[Service] -ExecStartPre=/usr/bin/ssh-keygen -A -ExecStart=/usr/sbin/sshd -D -e -ExecReload=/bin/kill -HUP $MAINPID - -[Install] -WantedBy=multi-user.target diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket deleted file mode 100644 index 94b9533..0000000 --- a/net-misc/openssh/files/sshd.socket +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=OpenSSH Server Socket -Conflicts=sshd.service - -[Socket] -ListenStream=22 -Accept=yes - -[Install] -WantedBy=sockets.target diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service deleted file mode 100644 index 2645ad0..0000000 --- a/net-misc/openssh/files/sshd_at.service +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=OpenSSH per-connection server daemon -After=syslog.target auditd.service - -[Service] -ExecStart=-/usr/sbin/sshd -i -e -StandardInput=socket -StandardError=syslog diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml deleted file mode 100644 index 29134fc..0000000 --- a/net-misc/openssh/metadata.xml +++ /dev/null @@ -1,40 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";> -<pkgmetadata> - <maintainer type="project"> - <email>[email protected]</email> - <name>Gentoo Base System</name> - </maintainer> - <maintainer type="person"> - <email>[email protected]</email> - <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description> - </maintainer> - <longdescription> -OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that -increasing numbers of people on the Internet are coming to rely on. Many users of telnet, -rlogin, ftp, and other such programs might not realize that their password is transmitted -across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) -to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. -Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety -of authentication methods. - -The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which -replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of -the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, -ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. -</longdescription> - <use> - <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag> - <flag name="hpn">Enable high performance ssh</flag> - <flag name="ldap">Add support for storing SSH public keys in LDAP</flag> - <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag> - <flag name="livecd">Enable root password logins for live-cd environment.</flag> - <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag> - <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag> - <flag name="X509">Adds support for X.509 certificate authentication</flag> - </use> - <upstream> - <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id> - <remote-id type="sourceforge">hpnssh</remote-id> - </upstream> -</pkgmetadata> diff --git a/net-misc/openssh/openssh-6.8_p1-r5.ebuild b/net-misc/openssh/openssh-6.8_p1-r5.ebuild deleted file mode 100644 index 86b6a01..0000000 --- a/net-misc/openssh/openssh-6.8_p1-r5.ebuild +++ /dev/null @@ -1,336 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.8_p1-r5.ebuild,v 1.1 2015/04/28 04:39:35 vapier Exp $ - -EAPI="4" -inherit eutils user flag-o-matic multilib autotools pam systemd versionator - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -HPN_PATCH="${PN}-6.8p1-r5-hpnssh14v5.tar.xz" -LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz" -X509_VER="8.3.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="http://www.openssh.org/"; -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - mirror://gentoo/${P}-sctp.patch.xz - ${HPN_PATCH:+hpn? ( - mirror://gentoo/${HPN_PATCH} - http://dev.gentoo.org/~vapier/dist/${HPN_PATCH} - mirror://sourceforge/hpnssh/${HPN_PATCH} - )} - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} - ${X509_PATCH:+X509? ( - http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} - mirror://gentoo/${P}-x509-${X509_VER}-glue.patch.xz - )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssh1/ssl defaulting to on in a future version. -IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey +ssh1 +ssl static X X509" -REQUIRED_USE="pie? ( !static ) - ssh1? ( ssl ) - static? ( !kerberos !pam ) - X509? ( !ldap ssl )" - -LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) - libedit? ( dev-libs/libedit[static-libs(+)] ) - ssl? ( - >=dev-libs/openssl-0.9.6d:0[bindist=] - dev-libs/openssl[static-libs(+)] - ) - >=sys-libs/zlib-1.2.3[static-libs(+)]" -RDEPEND=" - !static? ( - ${LIB_DEPEND//\[static-libs(+)]} - ldns? ( - !bindist? ( net-libs/ldns[ecdsa,ssl] ) - bindist? ( net-libs/ldns[-ecdsa,ssl] ) - ) - ) - pam? ( virtual/pam ) - kerberos? ( virtual/krb5 ) - ldap? ( net-nds/openldap )" -DEPEND="${RDEPEND} - static? ( - ${LIB_DEPEND} - ldns? ( - !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) - ) - ) - virtual/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( virtual/shadow ) - X? ( x11-apps/xauth )" - -S=${WORKDIR}/${PARCH} - -pkg_setup() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use X509 && maybe_fail X509 X509_PATCH) - $(use ldap && maybe_fail ldap LDAP_PATCH) - $(use hpn && maybe_fail hpn HPN_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." - die "USE=tcpd no longer works" - fi -} - -save_version() { - # version.h patch conflict avoidence - mv version.h version.h.$1 - cp -f version.h.pristine version.h -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - # keep this as we need it to avoid the conflict between LPK and HPN changing - # this file. - cp version.h version.h.pristine - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - epatch "${FILESDIR}"/${PN}-6.8_p1-sshd-gssapi-multihomed.patch #378361 - if use X509 ; then - pushd .. >/dev/null - epatch "${WORKDIR}"/${P}-x509-${X509_VER}-glue.patch - epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch - popd >/dev/null - epatch "${WORKDIR}"/${X509_PATCH%.*} - epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch - save_version X509 - fi - if use ldap ; then - epatch "${WORKDIR}"/${LDAP_PATCH%.*} - save_version LPK - fi - epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - epatch "${FILESDIR}"/${PN}-6.8_p1-ssh-keygen-no-ssh1.patch #544078 - epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm.patch #547944 - # The X509 patchset fixes this independently. - use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch - epatch "${WORKDIR}"/${P}-sctp.patch - if use hpn ; then - # The teraterm patch pulled in an upstream update. - pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null - epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm-hpn-glue.patch - popd >/dev/null - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ - EPATCH_MULTI_MSG="Applying HPN patchset ..." \ - epatch "${WORKDIR}"/${HPN_PATCH%.*.*} - save_version HPN - fi - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - sed -i -e 's/-m 4711/-m 0711/' "${S}"/Makefile.in || die - - epatch_user #473004 - - # Now we can build a sane merged version.h - ( - sed '/^#define SSH_RELEASE/d' version.h.* | sort -u - macros=() - for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" - ) > version.h - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - addpredict /etc/skey/skeykeys # skey configure code triggers this - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the ldap patch conditionally, so can't pass --without-ldap - # unconditionally else we get unknown flag warnings. - $(use ldap && use_with ldap) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with sctp) - $(use_with selinux) - $(use_with skey) - $(use_with ssh1) - # The X509 patch deletes this option entirely. - $(use X509 || use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - ) - - # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) - if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then - myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) - append-ldflags -lutil - fi - - econf "${myconf[@]}" -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd.rc6.4 sshd - newconfd "${FILESDIR}"/sshd.confd sshd - keepdir /var/empty - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - # Gentoo tweaks to default config files - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables #367017 - AcceptEnv LANG LC_* - EOF - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables #367017 - SendEnv LANG LC_* - EOF - - # This instruction is from the HPN webpage, - # Used for the server logging functionality - if [[ -n ${HPN_PATCH} ]] && use hpn ; then - keepdir /var/empty/dev - fi - - if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then - insinto /etc/openldap/schema/ - newins openssh-lpk_openldap.schema openssh-lpk.schema - fi - - doman contrib/ssh-copy-id.1 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config - - diropts -m 0700 - dodir /etc/skel/.ssh - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service '[email protected]' -} - -src_test() { - [[ $(id -u) = 0 ]] || return #335343 - local t tests skipped failed passed shell - tests="interop-tests compat-tests" - skipped="" - shell=$(egetshell ${UID}) - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite" - elog "requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped="${skipped} tests" - else - tests="${tests} tests" - fi - # It will also attempt to write to the homedir .ssh - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in ${tests} ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" \ - emake -k -j1 ${t} </dev/null \ - && passed="${passed}${t} " \ - || failed="${failed}${t} " - done - einfo "Passed tests: ${passed}" - ewarn "Skipped tests: ${skipped}" - if [[ -n ${failed} ]] ; then - ewarn "Failed tests: ${failed}" - die "Some tests failed: ${failed}" - else - einfo "Failed tests: ${failed}" - return 0 - fi -} - -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd - fperms 4711 /usr/$(get_libdir)/misc/ssh-keysign -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - ewarn "Remember to merge your config files in /etc/ssh/ and then" - ewarn "reload sshd: '/etc/init.d/sshd reload'." - # This instruction is from the HPN webpage, - # Used for the server logging functionality - if [[ -n ${HPN_PATCH} ]] && use hpn ; then - einfo "For the HPN server logging patch, you must ensure that" - einfo "your syslog application also listens at /var/empty/dev/log." - fi - elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" - elog " dropped it. Make sure to update any configs that you might have." -} diff --git a/net-misc/openssh/openssh-6.9_p1-r2.ebuild b/net-misc/openssh/openssh-6.9_p1-r2.ebuild deleted file mode 100644 index 2cbcfa5..0000000 --- a/net-misc/openssh/openssh-6.9_p1-r2.ebuild +++ /dev/null @@ -1,315 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Id$ - -EAPI="4" -inherit eutils user flag-o-matic multilib autotools pam systemd versionator - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -HPN_PATCH="${PN}-6.9p1-r1-hpnssh14v5.tar.xz" -LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz" -X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="http://www.openssh.org/"; -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz - ${HPN_PATCH:+hpn? ( - mirror://gentoo/${HPN_PATCH} - https://dev.gentoo.org/~polynomial-c/${HPN_PATCH} - mirror://sourceforge/hpnssh/${HPN_PATCH} - )} - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} - ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509" -REQUIRED_USE="ldns? ( ssl ) - pie? ( !static ) - ssh1? ( ssl ) - static? ( !kerberos !pam ) - X509? ( !ldap ssl )" - -LIB_DEPEND=" - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl] ) - bindist? ( net-libs/ldns[-ecdsa,ssl] ) - ) - libedit? ( dev-libs/libedit[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) - ssl? ( - >=dev-libs/openssl-0.9.8f:0[bindist=] - dev-libs/openssl:0[static-libs(+)] - ) - >=sys-libs/zlib-1.2.3[static-libs(+)]" -RDEPEND=" - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) - kerberos? ( virtual/krb5 ) - ldap? ( net-nds/openldap )" -DEPEND="${RDEPEND} - static? ( ${LIB_DEPEND} ) - virtual/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( virtual/shadow ) - X? ( x11-apps/xauth )" - -S=${WORKDIR}/${PARCH} - -pkg_setup() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use X509 && maybe_fail X509 X509_PATCH) - $(use ldap && maybe_fail ldap LDAP_PATCH) - $(use hpn && maybe_fail hpn HPN_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." - fi -} - -save_version() { - # version.h patch conflict avoidence - mv version.h version.h.$1 - cp -f version.h.pristine version.h -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - # keep this as we need it to avoid the conflict between LPK and HPN changing - # this file. - cp version.h version.h.pristine - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - if use X509 ; then - pushd .. >/dev/null - #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch - epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch - popd >/dev/null - epatch "${WORKDIR}"/${X509_PATCH%.*} - epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch - epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch - save_version X509 - fi - if use ldap ; then - epatch "${WORKDIR}"/${LDAP_PATCH%.*} - save_version LPK - fi - epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - # The X509 patchset fixes this independently. - use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch - epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch - if use hpn ; then - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ - EPATCH_MULTI_MSG="Applying HPN patchset ..." \ - epatch "${WORKDIR}"/${HPN_PATCH%.*.*} - save_version HPN - fi - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - sed -i -e 's/-m 4711/-m 0711/' "${S}"/Makefile.in || die - - epatch_user #473004 - - # Now we can build a sane merged version.h - ( - sed '/^#define SSH_RELEASE/d' version.h.* | sort -u - macros=() - for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" - ) > version.h - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - addpredict /etc/skey/skeykeys # skey configure code triggers this - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the ldap patch conditionally, so can't pass --without-ldap - # unconditionally else we get unknown flag warnings. - $(use ldap && use_with ldap) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with sctp) - $(use_with selinux) - $(use_with skey) - $(use_with ssh1) - # The X509 patch deletes this option entirely. - $(use X509 || use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - ) - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) - if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then - myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) - append-ldflags -lutil - fi - - econf "${myconf[@]}" -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd.rc6.4 sshd - newconfd "${FILESDIR}"/sshd.confd sshd - keepdir /var/empty - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - # Gentoo tweaks to default config files - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables #367017 - AcceptEnv LANG LC_* - EOF - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables #367017 - SendEnv LANG LC_* - EOF - - if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then - insinto /etc/openldap/schema/ - newins openssh-lpk_openldap.schema openssh-lpk.schema - fi - - doman contrib/ssh-copy-id.1 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config - - diropts -m 0700 - dodir /etc/skel/.ssh - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service '[email protected]' -} - -src_test() { - [[ $(id -u) = 0 ]] || return #335343 - local t tests skipped failed passed shell - tests="interop-tests compat-tests" - skipped="" - shell=$(egetshell ${UID}) - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite" - elog "requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped="${skipped} tests" - else - tests="${tests} tests" - fi - # It will also attempt to write to the homedir .ssh - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in ${tests} ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" \ - emake -k -j1 ${t} </dev/null \ - && passed="${passed}${t} " \ - || failed="${failed}${t} " - done - einfo "Passed tests: ${passed}" - ewarn "Skipped tests: ${skipped}" - if [[ -n ${failed} ]] ; then - ewarn "Failed tests: ${failed}" - die "Some tests failed: ${failed}" - else - einfo "Failed tests: ${failed}" - return 0 - fi -} - -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd - fperms 4711 /usr/$(get_libdir)/misc/ssh-keysign -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then - elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." - fi - ewarn "Remember to merge your config files in /etc/ssh/ and then" - ewarn "reload sshd: '/etc/init.d/sshd reload'." - elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" - elog " dropped it. Make sure to update any configs that you might have." -} diff --git a/net-misc/openssh/openssh-7.1_p2-r1.ebuild b/net-misc/openssh/openssh-7.1_p2-r1.ebuild deleted file mode 100644 index d17c953..0000000 --- a/net-misc/openssh/openssh-7.1_p2-r1.ebuild +++ /dev/null @@ -1,327 +0,0 @@ -# Copyright 1999-2016 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Id$ - -EAPI="5" - -inherit eutils user flag-o-matic multilib autotools pam systemd versionator - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz" -LDAP_PATCH="${PN}-lpk-7.1p2-0.3.14.patch.xz" -X509_VER="8.7" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="http://www.openssh.org/"; -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz - ${HPN_PATCH:+hpn? ( - mirror://gentoo/${HPN_PATCH} - mirror://sourceforge/hpnssh/${HPN_PATCH} - )} - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} - ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509" -REQUIRED_USE="ldns? ( ssl ) - pie? ( !static ) - ssh1? ( ssl ) - static? ( !kerberos !pam ) - X509? ( !ldap ssl )" - -LIB_DEPEND=" - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl] ) - bindist? ( net-libs/ldns[-ecdsa,ssl] ) - ) - libedit? ( dev-libs/libedit[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) - ssl? ( - !libressl? ( - >=dev-libs/openssl-0.9.8f:0[bindist=] - dev-libs/openssl:0[static-libs(+)] - ) - libressl? ( dev-libs/libressl[static-libs(+)] ) - ) - >=sys-libs/zlib-1.2.3[static-libs(+)]" -RDEPEND=" - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) - kerberos? ( virtual/krb5 ) - ldap? ( net-nds/openldap )" -DEPEND="${RDEPEND} - static? ( ${LIB_DEPEND} ) - virtual/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( virtual/shadow ) - X? ( x11-apps/xauth )" - -S=${WORKDIR}/${PARCH} - -pkg_setup() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use X509 && maybe_fail X509 X509_PATCH) - $(use ldap && maybe_fail ldap LDAP_PATCH) - $(use hpn && maybe_fail hpn HPN_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." - fi -} - -save_version() { - # version.h patch conflict avoidence - mv version.h version.h.$1 - cp -f version.h.pristine version.h -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - # keep this as we need it to avoid the conflict between LPK and HPN changing - # this file. - cp version.h version.h.pristine - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - if use X509 ; then - pushd .. >/dev/null - if use hpn ; then - pushd ${HPN_PATCH%.*.*} >/dev/null - epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch - popd >/dev/null - fi - epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch - popd >/dev/null - epatch "${WORKDIR}"/${X509_PATCH%.*} - epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch - save_version X509 - fi - if use ldap ; then - epatch "${WORKDIR}"/${LDAP_PATCH%.*} - save_version LPK - fi - epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - # The X509 patchset fixes this independently. - use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch - epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch - if use hpn ; then - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ - EPATCH_MULTI_MSG="Applying HPN patchset ..." \ - epatch "${WORKDIR}"/${HPN_PATCH%.*.*} - save_version HPN - fi - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - epatch_user #473004 - - # Now we can build a sane merged version.h - ( - sed '/^#define SSH_RELEASE/d' version.h.* | sort -u - macros=() - for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" - ) > version.h - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the ldap patch conditionally, so can't pass --without-ldap - # unconditionally else we get unknown flag warnings. - $(use ldap && use_with ldap) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with sctp) - $(use_with selinux) - $(use_with skey) - $(use_with ssh1) - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - ) - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd.rc6.4 sshd - newconfd "${FILESDIR}"/sshd.confd sshd - keepdir /var/empty - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - # Gentoo tweaks to default config files - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables #367017 - AcceptEnv LANG LC_* - EOF - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables #367017 - SendEnv LANG LC_* - EOF - - if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then - insinto /etc/openldap/schema/ - newins openssh-lpk_openldap.schema openssh-lpk.schema - fi - - doman contrib/ssh-copy-id.1 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config - - diropts -m 0700 - dodir /etc/skel/.ssh - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service '[email protected]' -} - -src_test() { - [[ $(id -u) = 0 ]] || return #335343 - local t tests skipped failed passed shell - tests="interop-tests compat-tests" - skipped="" - shell=$(egetshell ${UID}) - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite" - elog "requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped="${skipped} tests" - else - tests="${tests} tests" - fi - # It will also attempt to write to the homedir .ssh - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in ${tests} ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" \ - emake -k -j1 ${t} </dev/null \ - && passed="${passed}${t} " \ - || failed="${failed}${t} " - done - einfo "Passed tests: ${passed}" - ewarn "Skipped tests: ${skipped}" - if [[ -n ${failed} ]] ; then - ewarn "Failed tests: ${failed}" - die "Some tests failed: ${failed}" - else - einfo "Failed tests: ${failed}" - return 0 - fi -} - -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then - elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." - fi - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi -}
