diff options
| -rw-r--r-- | net-misc/openssh/Manifest | 1 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch | 277 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch | 33 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-7.3_p1-r3.ebuild | 343 |
4 files changed, 654 insertions, 0 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 7e2535fbb111..c6667a52a2d8 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -9,6 +9,7 @@ DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4 DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c +DIST openssh-7_2_P2-hpn-14.10.diff 78587 SHA256 f083d4c4a2054808386e974accda385542ce150f0c0f079ec1a0d4fa78888b17 SHA512 49d772c6a071fe1883d5d2844aba1d327c40938af368ba349b44c643e10f4e2d02e5c889810f8914c61324fbf90e53547aa346fdbd47b22b2f8da6afc174692c WHIRLPOOL 516621cdbccae3ecc900fde1b1edd2bac807b628d631289e3002747901d7663f5a2545f6b0396415a850f9695dd57e2ab5dbc548584f2c973726b38ca4d57bac DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch new file mode 100644 index 000000000000..2c4cc50db9cd --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch @@ -0,0 +1,277 @@ +--- openssh-7_2_P2-hpn-14.10.diff.orig 2016-09-01 10:34:05.905112131 -0700 ++++ openssh-7_2_P2-hpn-14.10.diff 2016-09-01 11:33:19.106664802 -0700 +@@ -156,145 +156,6 @@ + compat.o crc32.o deattack.o fatal.o hostfile.o \ + log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \ + readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ +-diff --git a/auth2.c b/auth2.c +-index 7177962..4af53f0 100644 +---- a/auth2.c +-+++ b/auth2.c +-@@ -50,6 +50,7 @@ +- #include "dispatch.h" +- #include "pathnames.h" +- #include "buffer.h" +-+#include "canohost.h" +- +- #ifdef GSSAPI +- #include "ssh-gss.h" +-@@ -73,6 +74,8 @@ extern Authmethod method_hostbased; +- extern Authmethod method_gssapi; +- #endif +- +-+static int log_flag = 0; +-+ +- Authmethod *authmethods[] = { +- &method_none, +- &method_pubkey, +-@@ -224,6 +227,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +- service = packet_get_cstring(NULL); +- method = packet_get_cstring(NULL); +- debug("userauth-request for user %s service %s method %s", user, service, method); +-+ if (!log_flag) { +-+ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s", +-+ get_remote_ipaddr(), get_remote_port(), user); +-+ log_flag = 1; +-+ } +- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); +- +- if ((style = strchr(user, ':')) != NULL) +-diff --git a/canohost.c b/canohost.c +-index 223964e..db35f73 100644 +---- a/canohost.c +-+++ b/canohost.c +-@@ -338,13 +338,13 @@ clear_cached_addr(void) +- */ +- +- const char * +--get_remote_ipaddr(void) +-+ssh_get_remote_ipaddr(struct ssh *ssh) +- { +- /* Check whether we have cached the ipaddr. */ +- if (canonical_host_ip == NULL) { +-- if (packet_connection_is_on_socket()) { +-+ if (ssh_packet_connection_is_on_socket(ssh)) { +- canonical_host_ip = +-- get_peer_ipaddr(packet_get_connection_in()); +-+ get_peer_ipaddr(ssh_packet_get_connection_in(ssh)); +- if (canonical_host_ip == NULL) +- cleanup_exit(255); +- } else { +-@@ -356,6 +356,12 @@ get_remote_ipaddr(void) +- } +- +- const char * +-+get_remote_ipaddr(void) +-+{ +-+ return ssh_get_remote_ipaddr(active_state); +-+} +-+ +-+const char * +- get_remote_name_or_ip(u_int utmp_len, int use_dns) +- { +- static const char *remote = ""; +-@@ -410,17 +416,17 @@ get_sock_port(int sock, int local) +- /* Returns remote/local port number for the current connection. */ +- +- static int +--get_port(int local) +-+get_port(struct ssh *ssh, int local) +- { +- /* +- * If the connection is not a socket, return 65535. This is +- * intentionally chosen to be an unprivileged port number. +- */ +-- if (!packet_connection_is_on_socket()) +-+ if (!ssh_packet_connection_is_on_socket(ssh)) +- return 65535; +- +- /* Get socket and return the port number. */ +-- return get_sock_port(packet_get_connection_in(), local); +-+ return get_sock_port(ssh_packet_get_connection_in(ssh), local); +- } +- +- int +-@@ -430,17 +436,23 @@ get_peer_port(int sock) +- } +- +- int +--get_remote_port(void) +-+ssh_get_remote_port(struct ssh *ssh) +- { +- /* Cache to avoid getpeername() on a dead connection */ +- if (cached_port == -1) +-- cached_port = get_port(0); +-+ cached_port = get_port(ssh, 0); +- +- return cached_port; +- } +- +- int +-+get_remote_port(void) +-+{ +-+ return ssh_get_remote_port(active_state); +-+} +-+ +-+int +- get_local_port(void) +- { +-- return get_port(1); +-+ return get_port(active_state, 1); +- } +-diff --git a/canohost.h b/canohost.h +-index 4c8636f..4d60b27 100644 +---- a/canohost.h +-+++ b/canohost.h +-@@ -12,8 +12,11 @@ +- * called by a name other than "ssh" or "Secure Shell". +- */ +- +-+struct ssh; +-+ +- const char *get_canonical_hostname(int); +- const char *get_remote_ipaddr(void); +-+const char *ssh_get_remote_ipaddr(struct ssh *); +- const char *get_remote_name_or_ip(u_int, int); +- +- char *get_peer_ipaddr(int); +-@@ -22,6 +25,7 @@ char *get_local_ipaddr(int); +- char *get_local_name(int); +- +- int get_remote_port(void); +-+int ssh_get_remote_port(struct ssh *); +- int get_local_port(void); +- int get_sock_port(int, int); +- void clear_cached_addr(void); + diff --git a/channels.c b/channels.c + index c9d2015..13b30a1 100644 + --- a/channels.c +@@ -1270,7 +1131,7 @@ + + #include "ssherr.h" + #include "sshbuf.h" +-+#include "canohost.h" +++#include "packet.h" + #include "digest.h" + + #if OPENSSL_VERSION_NUMBER >= 0x00907000L +@@ -1312,8 +1173,8 @@ + + */ + + if (ctos && !log_flag) { + + logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s", +-+ ssh_get_remote_ipaddr(ssh), +-+ ssh_get_remote_port(ssh), +++ ssh_remote_ipaddr(ssh), +++ ssh_remote_port(ssh), + + newkeys->enc.name, + + authlen == 0 ? newkeys->mac.name : "<implicit>", + + newkeys->comp.name); +@@ -1430,7 +1291,7 @@ + + rekey_requested = 0; + + return 1; + + } +-+ +++ + /* Time-based rekeying */ + if (state->rekey_interval != 0 && + state->rekey_time + state->rekey_interval <= monotime()) +@@ -1490,7 +1351,7 @@ + + transferred = *counter - (cur_pos ? cur_pos : start_pos); + cur_pos = *counter; +- now = monotime(); ++ now = monotime_double(); + bytes_left = end_pos - cur_pos; + + + delta_pos = cur_pos - last_pos; +@@ -1564,8 +1425,8 @@ + { "canonicaldomains", oCanonicalDomains }, + { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, + @@ -282,6 +287,11 @@ static struct { +- { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, + { "ignoreunknown", oIgnoreUnknown }, ++ { "proxyjump", oProxyJump }, + + + { "tcprcvbufpoll", oTcpRcvBufPoll }, + + { "tcprcvbuf", oTcpRcvBuf }, +@@ -1736,8 +1597,8 @@ + off_t size, statbytes; + unsigned long long ull; + int setimes, targisdir, wrerrno = 0; +-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; +-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384]; ++- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; +++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384]; + struct timeval tv[2]; + + #define atime tv[0] +@@ -1956,32 +1817,6 @@ + } + + /* +-@@ -820,11 +836,13 @@ void +- server_loop2(Authctxt *authctxt) +- { +- fd_set *readset = NULL, *writeset = NULL; +-+ double start_time, total_time; +- int max_fd; +- u_int nalloc = 0; +- u_int64_t rekey_timeout_ms = 0; +- +- debug("Entering interactive session for SSH2."); +-+ start_time = get_current_time(); +- +- mysignal(SIGCHLD, sigchld_handler); +- child_terminated = 0; +-@@ -883,6 +901,11 @@ server_loop2(Authctxt *authctxt) +- +- /* free remaining sessions, e.g. remove wtmp entries */ +- session_destroy_all(NULL); +-+ total_time = get_current_time() - start_time; +-+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f", +-+ get_remote_ipaddr(), get_remote_port(), +-+ stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time, +-+ fdout_bytes / total_time); +- } +- +- static int + @@ -1041,8 +1064,12 @@ server_request_tun(void) + sock = tun_open(tun, mode); + if (sock < 0) +@@ -2372,10 +2207,10 @@ + debug("Client protocol version %d.%d; client software version %.100s", + remote_major, remote_minor, remote_version); + + logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s", +-+ get_remote_ipaddr(), get_remote_port(), +++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), + + remote_major, remote_minor, remote_version); + +- active_state->compat = compat_datafellows(remote_version); ++ ssh->compat = compat_datafellows(remote_version); + + @@ -1160,6 +1163,8 @@ server_listen(void) + int ret, listen_sock, on = 1; +@@ -2413,7 +2248,7 @@ + if (options.challenge_response_authentication) + options.kbd_interactive_authentication = 1; + @@ -2151,6 +2168,9 @@ main(int ac, char **av) +- remote_ip, remote_port, laddr, get_local_port()); ++ remote_ip, remote_port, laddr, ssh_local_port(ssh)); + free(laddr); + + + /* set the HPN options for the child */ +@@ -2486,11 +2321,10 @@ + index eb4e948..3692722 100644 + --- a/version.h + +++ b/version.h +-@@ -3,4 +3,6 @@ +- #define SSH_VERSION "OpenSSH_7.2" ++@@ -3,4 +3,5 @@ ++ #define SSH_VERSION "OpenSSH_7.3" + +- #define SSH_PORTABLE "p2" ++ #define SSH_PORTABLE "p1" + -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE + +#define SSH_HPN "-hpn14v11" + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +-+ diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch new file mode 100644 index 000000000000..443392540f6c --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch @@ -0,0 +1,33 @@ +--- openssh-7_2_P2-hpn-14.10.diff.clean 2016-09-01 12:11:41.120750207 -0700 ++++ openssh-7_2_P2-hpn-14.10.diff 2016-09-01 14:00:44.311487904 -0700 +@@ -141,7 +141,7 @@ + @@ -44,7 +44,7 @@ CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -2098,7 +2098,7 @@ + @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n", + - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); + } else { +@@ -2196,9 +2196,9 @@ + @@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out) + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/net-misc/openssh/openssh-7.3_p1-r3.ebuild b/net-misc/openssh/openssh-7.3_p1-r3.ebuild new file mode 100644 index 000000000000..ddaf4581fba5 --- /dev/null +++ b/net-misc/openssh/openssh-7.3_p1-r3.ebuild @@ -0,0 +1,343 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI="5" + +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} +HPN_PV="7.2_p2" +HPN_VER="14.10" + +HPN_DIR_PV="${HPN_PV/_}" +HPN_PV="${HPN_PV/./_}" + +HPN_PATCH="${PN}-${HPN_PV/p/P}-hpn-14.10.diff" +SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz" +X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH} + mirror://sourceforge/project/hpnssh/HPN-SSH%20${HPN_VER/./v}%20${HPN_DIR_PV}/${HPN_PATCH} + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap ssl )" + +LIB_DEPEND=" + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + !libressl? ( + >=dev-libs/openssl-0.9.8f:0[bindist=] + dev-libs/openssl:0[static-libs(+)] + ) + libressl? ( dev-libs/libressl[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + use hpn && cp -L "${DISTDIR}"/${HPN_PATCH} "${WORKDIR}"/${HPN_PATCH} + + if use X509 ; then + pushd .. >/dev/null + if use hpn ; then + pushd "${WORKDIR}" >/dev/null + epatch "${FILESDIR}"/${P}-hpn-x509-glue.patch + popd >/dev/null + fi + epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch + #save_version X509 + fi + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${WORKDIR}"/${SCTP_PATCH%.*} + if use hpn ; then + #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + # EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + # epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + pushd "${WORKDIR}" >/dev/null + epatch "${FILESDIR}"/${P}-hpn-update.patch + popd >/dev/null + epatch "${WORKDIR}"/${HPN_PATCH} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} |