[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/ - gentoo-commits

From:	Julian Ospald <hasufell@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
Date:	Sun, 20 Sep 2015 17:35:30
Message-Id:	`1442770498.cb790cc5d87d2b0b213ca1f601e29028bdaaf3dd.hasufell@gentoo`

1

commit:     cb790cc5d87d2b0b213ca1f601e29028bdaaf3dd

2

Author:     Julian Ospald <hasufell <AT> gentoo <DOT> org>

3

AuthorDate: Sun Sep 20 17:12:44 2015 +0000

4

Commit:     Julian Ospald <hasufell <AT> gentoo <DOT> org>

5

CommitDate: Sun Sep 20 17:34:58 2015 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb790cc5

7

8

net-misc/openssh: add libressl support

9

10

 net-misc/openssh/openssh-7.1_p1-r1.ebuild | 327 ++++++++++++++++++++++++++++++

11

 1 file changed, 327 insertions(+)

12

13

diff --git a/net-misc/openssh/openssh-7.1_p1-r1.ebuild b/net-misc/openssh/openssh-7.1_p1-r1.ebuild

14

new file mode 100644

15

index 0000000..082440f

16

--- /dev/null

17

+++ b/net-misc/openssh/openssh-7.1_p1-r1.ebuild

18

@@ -0,0 +1,327 @@

19

+# Copyright 1999-2015 Gentoo Foundation

20

+# Distributed under the terms of the GNU General Public License v2

21

+# $Id$

22

+

23

+EAPI="4"

24

+inherit eutils user flag-o-matic multilib autotools pam systemd versionator

25

+

26

+# Make it more portable between straight releases

27

+# and _p? releases.

28

+PARCH=${P/_}

29

+

30

+HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"

31

+LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"

32

+X509_VER="8.6" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"

33

+

34

+DESCRIPTION="Port of OpenBSD's free SSH release"

35

+HOMEPAGE="http://www.openssh.org/"

36

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

37

+	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz

38

+	${HPN_PATCH:+hpn? (

39

+		mirror://gentoo/${HPN_PATCH}

40

+		https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}

41

+		mirror://sourceforge/hpnssh/${HPN_PATCH}

42

+	)}

43

+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}

44

+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

45

+	"

46

+

47

+LICENSE="BSD GPL-2"

48

+SLOT="0"

49

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

50

+# Probably want to drop ssl defaulting to on in a future version.

51

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"

52

+REQUIRED_USE="ldns? ( ssl )

53

+	pie? ( !static )

54

+	ssh1? ( ssl )

55

+	static? ( !kerberos !pam )

56

+	X509? ( !ldap ssl )"

57

+

58

+LIB_DEPEND="

59

+	ldns? (

60

+		net-libs/ldns[static-libs(+)]

61

+		!bindist? ( net-libs/ldns[ecdsa,ssl] )

62

+		bindist? ( net-libs/ldns[-ecdsa,ssl] )

63

+	)

64

+	libedit? ( dev-libs/libedit[static-libs(+)] )

65

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

66

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

67

+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )

68

+	ssl? (

69

+		!libressl? (

70

+			>=dev-libs/openssl-0.9.8f:0[bindist=]

71

+			dev-libs/openssl:0[static-libs(+)]

72

+		)

73

+		libressl? ( dev-libs/libressl[static-libs(+)] )

74

+	)

75

+	>=sys-libs/zlib-1.2.3[static-libs(+)]"

76

+RDEPEND="

77

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

78

+	pam? ( virtual/pam )

79

+	kerberos? ( virtual/krb5 )

80

+	ldap? ( net-nds/openldap )"

81

+DEPEND="${RDEPEND}

82

+	static? ( ${LIB_DEPEND} )

83

+	virtual/pkgconfig

84

+	virtual/os-headers

85

+	sys-devel/autoconf"

86

+RDEPEND="${RDEPEND}

87

+	pam? ( >=sys-auth/pambase-20081028 )

88

+	userland_GNU? ( virtual/shadow )

89

+	X? ( x11-apps/xauth )"

90

+

91

+S=${WORKDIR}/${PARCH}

92

+

93

+pkg_setup() {

94

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

95

+	# than not be able to log in to their server any more

96

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

97

+	local fail="

98

+		$(use X509 && maybe_fail X509 X509_PATCH)

99

+		$(use ldap && maybe_fail ldap LDAP_PATCH)

100

+		$(use hpn && maybe_fail hpn HPN_PATCH)

101

+	"

102

+	fail=$(echo ${fail})

103

+	if [[ -n ${fail} ]] ; then

104

+		eerror "Sorry, but this version does not yet support features"

105

+		eerror "that you requested:	 ${fail}"

106

+		eerror "Please mask ${PF} for now and check back later:"

107

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

108

+		die "booooo"

109

+	fi

110

+

111

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

112

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

113

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

114

+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

115

+	fi

116

+}

117

+

118

+save_version() {

119

+	# version.h patch conflict avoidence

120

+	mv version.h version.h.$1

121

+	cp -f version.h.pristine version.h

122

+}

123

+

124

+src_prepare() {

125

+	sed -i \

126

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

127

+		pathnames.h || die

128

+	# keep this as we need it to avoid the conflict between LPK and HPN changing

129

+	# this file.

130

+	cp version.h version.h.pristine

131

+

132

+	# don't break .ssh/authorized_keys2 for fun

133

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

134

+

135

+	if use X509 ; then

136

+		pushd .. >/dev/null

137

+		epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch

138

+		epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch

139

+		popd >/dev/null

140

+		epatch "${WORKDIR}"/${X509_PATCH%.*}

141

+		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch

142

+		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch

143

+		save_version X509

144

+	fi

145

+	if use ldap ; then

146

+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}

147

+		save_version LPK

148

+	fi

149

+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex

150

+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

151

+	# The X509 patchset fixes this independently.

152

+	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch

153

+	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch

154

+	if use hpn ; then

155

+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \

156

+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \

157

+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}

158

+		save_version HPN

159

+	fi

160

+

161

+	tc-export PKG_CONFIG

162

+	local sed_args=(

163

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

164

+		# Disable PATH reset, trust what portage gives us #254615

165

+		-e 's:^PATH=/:#PATH=/:'

166

+		# Disable fortify flags ... our gcc does this for us

167

+		-e 's:-D_FORTIFY_SOURCE=2::'

168

+	)

169

+	# The -ftrapv flag ICEs on hppa #505182

170

+	use hppa && sed_args+=(

171

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

172

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

173

+	)

174

+	sed -i "${sed_args[@]}" configure{.ac,} || die

175

+

176

+	epatch_user #473004

177

+

178

+	# Now we can build a sane merged version.h

179

+	(

180

+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u

181

+		macros=()

182

+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done

183

+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

184

+	) > version.h

185

+

186

+	eautoreconf

187

+}

188

+

189

+src_configure() {

190

+	addwrite /dev/ptmx

191

+	addpredict /etc/skey/skeykeys # skey configure code triggers this

192

+

193

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

194

+	use static && append-ldflags -static

195

+

196

+	local myconf=(

197

+		--with-ldflags="${LDFLAGS}"

198

+		--disable-strip

199

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

200

+		--sysconfdir="${EPREFIX}"/etc/ssh

201

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

202

+		--datadir="${EPREFIX}"/usr/share/openssh

203

+		--with-privsep-path="${EPREFIX}"/var/empty

204

+		--with-privsep-user=sshd

205

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

206

+		# We apply the ldap patch conditionally, so can't pass --without-ldap

207

+		# unconditionally else we get unknown flag warnings.

208

+		$(use ldap && use_with ldap)

209

+		$(use_with ldns)

210

+		$(use_with libedit)

211

+		$(use_with pam)

212

+		$(use_with pie)

213

+		$(use_with sctp)

214

+		$(use_with selinux)

215

+		$(use_with skey)

216

+		$(use_with ssh1)

217

+		# The X509 patch deletes this option entirely.

218

+		$(use X509 || use_with ssl openssl)

219

+		$(use_with ssl md5-passwords)

220

+		$(use_with ssl ssl-engine)

221

+	)

222

+

223

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

224

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

225

+

226

+	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)

227

+	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then

228

+		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )

229

+		append-ldflags -lutil

230

+	fi

231

+

232

+	econf "${myconf[@]}"

233

+}

234

+

235

+src_install() {

236

+	emake install-nokeys DESTDIR="${D}"

237

+	fperms 600 /etc/ssh/sshd_config

238

+	dobin contrib/ssh-copy-id

239

+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd

240

+	newconfd "${FILESDIR}"/sshd.confd sshd

241

+	keepdir /var/empty

242

+

243

+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

244

+	if use pam ; then

245

+		sed -i \

246

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

247

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

248

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

249

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

250

+			"${ED}"/etc/ssh/sshd_config || die

251

+	fi

252

+

253

+	# Gentoo tweaks to default config files

254

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

255

+

256

+	# Allow client to pass locale environment variables #367017

257

+	AcceptEnv LANG LC_*

258

+	EOF

259

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

260

+

261

+	# Send locale environment variables #367017

262

+	SendEnv LANG LC_*

263

+	EOF

264

+

265

+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then

266

+		insinto /etc/openldap/schema/

267

+		newins openssh-lpk_openldap.schema openssh-lpk.schema

268

+	fi

269

+

270

+	doman contrib/ssh-copy-id.1

271

+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config

272

+

273

+	diropts -m 0700

274

+	dodir /etc/skel/.ssh

275

+

276

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

277

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

278

+}

279

+

280

+src_test() {

281

+	local t tests skipped failed passed shell

282

+	tests="interop-tests compat-tests"

283

+	skipped=""

284

+	shell=$(egetshell ${UID})

285

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

286

+		elog "Running the full OpenSSH testsuite"

287

+		elog "requires a usable shell for the 'portage'"

288

+		elog "user, so we will run a subset only."

289

+		skipped="${skipped} tests"

290

+	else

291

+		tests="${tests} tests"

292

+	fi

293

+	# It will also attempt to write to the homedir .ssh

294

+	local sshhome=${T}/homedir

295

+	mkdir -p "${sshhome}"/.ssh

296

+	for t in ${tests} ; do

297

+		# Some tests read from stdin ...

298

+		HOMEDIR="${sshhome}" \

299

+		emake -k -j1 ${t} </dev/null \

300

+			&& passed="${passed}${t} " \

301

+			|| failed="${failed}${t} "

302

+	done

303

+	einfo "Passed tests: ${passed}"

304

+	ewarn "Skipped tests: ${skipped}"

305

+	if [[ -n ${failed} ]] ; then

306

+		ewarn "Failed tests: ${failed}"

307

+		die "Some tests failed: ${failed}"

308

+	else

309

+		einfo "Failed tests: ${failed}"

310

+		return 0

311

+	fi

312

+}

313

+

314

+pkg_preinst() {

315

+	enewgroup sshd 22

316

+	enewuser sshd 22 -1 /var/empty sshd

317

+}

318

+

319

+pkg_postinst() {

320

+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then

321

+		elog "Starting with openssh-5.8p1, the server will default to a newer key"

322

+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

323

+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

324

+	fi

325

+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then

326

+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."

327

+	fi

328

+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then

329

+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

330

+		elog "Make sure to update any configs that you might have.  Note that xinetd might"

331

+		elog "be an alternative for you as it supports USE=tcpd."

332

+	fi

333

+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388

334

+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

335

+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

336

+		elog "adding to your sshd_config:"

337

+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

338

+		elog "You should however generate new keys using rsa or ed25519."

339

+	fi

340

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then

341

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

342

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

343

+		elog "and update all clients/servers that utilize them."

344

+	fi

345

+}

1	commit: cb790cc5d87d2b0b213ca1f601e29028bdaaf3dd
2	Author: Julian Ospald <hasufell <AT> gentoo <DOT> org>
3	AuthorDate: Sun Sep 20 17:12:44 2015 +0000
4	Commit: Julian Ospald <hasufell <AT> gentoo <DOT> org>
5	CommitDate: Sun Sep 20 17:34:58 2015 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb790cc5
7
8	net-misc/openssh: add libressl support
9
10	net-misc/openssh/openssh-7.1_p1-r1.ebuild \| 327 ++++++++++++++++++++++++++++++
11	1 file changed, 327 insertions(+)
12
13	diff --git a/net-misc/openssh/openssh-7.1_p1-r1.ebuild b/net-misc/openssh/openssh-7.1_p1-r1.ebuild
14	new file mode 100644
15	index 0000000..082440f
16	--- /dev/null
17	+++ b/net-misc/openssh/openssh-7.1_p1-r1.ebuild
18	@@ -0,0 +1,327 @@
19	+# Copyright 1999-2015 Gentoo Foundation
20	+# Distributed under the terms of the GNU General Public License v2
21	+# $Id$
22	+
23	+EAPI="4"
24	+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
25	+
26	+# Make it more portable between straight releases
27	+# and _p? releases.
28	+PARCH=${P/_}
29	+
30	+HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"
31	+LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
32	+X509_VER="8.6" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
33	+
34	+DESCRIPTION="Port of OpenBSD's free SSH release"
35	+HOMEPAGE="http://www.openssh.org/"
36	+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
37	+ mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
38	+ ${HPN_PATCH:+hpn? (
39	+ mirror://gentoo/${HPN_PATCH}
40	+ https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
41	+ mirror://sourceforge/hpnssh/${HPN_PATCH}
42	+ )}
43	+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
44	+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
45	+ "
46	+
47	+LICENSE="BSD GPL-2"
48	+SLOT="0"
49	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
50	+# Probably want to drop ssl defaulting to on in a future version.
51	+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
52	+REQUIRED_USE="ldns? ( ssl )
53	+ pie? ( !static )
54	+ ssh1? ( ssl )
55	+ static? ( !kerberos !pam )
56	+ X509? ( !ldap ssl )"
57	+
58	+LIB_DEPEND="
59	+ ldns? (
60	+ net-libs/ldns[static-libs(+)]
61	+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
62	+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
63	+ )
64	+ libedit? ( dev-libs/libedit[static-libs(+)] )
65	+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
66	+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
67	+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
68	+ ssl? (
69	+ !libressl? (
70	+ >=dev-libs/openssl-0.9.8f:0[bindist=]
71	+ dev-libs/openssl:0[static-libs(+)]
72	+ )
73	+ libressl? ( dev-libs/libressl[static-libs(+)] )
74	+ )
75	+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
76	+RDEPEND="
77	+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
78	+ pam? ( virtual/pam )
79	+ kerberos? ( virtual/krb5 )
80	+ ldap? ( net-nds/openldap )"
81	+DEPEND="${RDEPEND}
82	+ static? ( ${LIB_DEPEND} )
83	+ virtual/pkgconfig
84	+ virtual/os-headers
85	+ sys-devel/autoconf"
86	+RDEPEND="${RDEPEND}
87	+ pam? ( >=sys-auth/pambase-20081028 )
88	+ userland_GNU? ( virtual/shadow )
89	+ X? ( x11-apps/xauth )"
90	+
91	+S=${WORKDIR}/${PARCH}
92	+
93	+pkg_setup() {
94	+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
95	+ # than not be able to log in to their server any more
96	+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
97	+ local fail="
98	+ $(use X509 && maybe_fail X509 X509_PATCH)
99	+ $(use ldap && maybe_fail ldap LDAP_PATCH)
100	+ $(use hpn && maybe_fail hpn HPN_PATCH)
101	+ "
102	+ fail=$(echo ${fail})
103	+ if [[ -n ${fail} ]] ; then
104	+ eerror "Sorry, but this version does not yet support features"
105	+ eerror "that you requested: ${fail}"
106	+ eerror "Please mask ${PF} for now and check back later:"
107	+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
108	+ die "booooo"
109	+ fi
110	+
111	+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
112	+ if grep -qs '^ sshd :' "${EROOT}"/etc/hosts.{allow,deny} ; then
113	+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
114	+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
115	+ fi
116	+}
117	+
118	+save_version() {
119	+ # version.h patch conflict avoidence
120	+ mv version.h version.h.$1
121	+ cp -f version.h.pristine version.h
122	+}
123	+
124	+src_prepare() {
125	+ sed -i \
126	+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
127	+ pathnames.h \|\| die
128	+ # keep this as we need it to avoid the conflict between LPK and HPN changing
129	+ # this file.
130	+ cp version.h version.h.pristine
131	+
132	+ # don't break .ssh/authorized_keys2 for fun
133	+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
134	+
135	+ if use X509 ; then
136	+ pushd .. >/dev/null
137	+ epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
138	+ epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
139	+ popd >/dev/null
140	+ epatch "${WORKDIR}"/${X509_PATCH%.*}
141	+ epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
142	+ epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
143	+ save_version X509
144	+ fi
145	+ if use ldap ; then
146	+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
147	+ save_version LPK
148	+ fi
149	+ epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
150	+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
151	+ # The X509 patchset fixes this independently.
152	+ use X509 \|\| epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
153	+ epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
154	+ if use hpn ; then
155	+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
156	+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
157	+ epatch "${WORKDIR}"/${HPN_PATCH%..}
158	+ save_version HPN
159	+ fi
160	+
161	+ tc-export PKG_CONFIG
162	+ local sed_args=(
163	+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
164	+ # Disable PATH reset, trust what portage gives us #254615
165	+ -e 's:^PATH=/:#PATH=/:'
166	+ # Disable fortify flags ... our gcc does this for us
167	+ -e 's:-D_FORTIFY_SOURCE=2::'
168	+ )
169	+ # The -ftrapv flag ICEs on hppa #505182
170	+ use hppa && sed_args+=(
171	+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
172	+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
173	+ )
174	+ sed -i "${sed_args[@]}" configure{.ac,} \|\| die
175	+
176	+ epatch_user #473004
177	+
178	+ # Now we can build a sane merged version.h
179	+ (
180	+ sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
181	+ macros=()
182	+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
183	+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
184	+ ) > version.h
185	+
186	+ eautoreconf
187	+}
188	+
189	+src_configure() {
190	+ addwrite /dev/ptmx
191	+ addpredict /etc/skey/skeykeys # skey configure code triggers this
192	+
193	+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
194	+ use static && append-ldflags -static
195	+
196	+ local myconf=(
197	+ --with-ldflags="${LDFLAGS}"
198	+ --disable-strip
199	+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
200	+ --sysconfdir="${EPREFIX}"/etc/ssh
201	+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
202	+ --datadir="${EPREFIX}"/usr/share/openssh
203	+ --with-privsep-path="${EPREFIX}"/var/empty
204	+ --with-privsep-user=sshd
205	+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
206	+ # We apply the ldap patch conditionally, so can't pass --without-ldap
207	+ # unconditionally else we get unknown flag warnings.
208	+ $(use ldap && use_with ldap)
209	+ $(use_with ldns)
210	+ $(use_with libedit)
211	+ $(use_with pam)
212	+ $(use_with pie)
213	+ $(use_with sctp)
214	+ $(use_with selinux)
215	+ $(use_with skey)
216	+ $(use_with ssh1)
217	+ # The X509 patch deletes this option entirely.
218	+ $(use X509 \|\| use_with ssl openssl)
219	+ $(use_with ssl md5-passwords)
220	+ $(use_with ssl ssl-engine)
221	+ )
222	+
223	+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
224	+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
225	+
226	+ # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
227	+ if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r\|sed 's/\(.\..\).*/\1/')" ; then
228	+ myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
229	+ append-ldflags -lutil
230	+ fi
231	+
232	+ econf "${myconf[@]}"
233	+}
234	+
235	+src_install() {
236	+ emake install-nokeys DESTDIR="${D}"
237	+ fperms 600 /etc/ssh/sshd_config
238	+ dobin contrib/ssh-copy-id
239	+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
240	+ newconfd "${FILESDIR}"/sshd.confd sshd
241	+ keepdir /var/empty
242	+
243	+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
244	+ if use pam ; then
245	+ sed -i \
246	+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
247	+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
248	+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
249	+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
250	+ "${ED}"/etc/ssh/sshd_config \|\| die
251	+ fi
252	+
253	+ # Gentoo tweaks to default config files
254	+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
255	+
256	+ # Allow client to pass locale environment variables #367017
257	+ AcceptEnv LANG LC_*
258	+ EOF
259	+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
260	+
261	+ # Send locale environment variables #367017
262	+ SendEnv LANG LC_*
263	+ EOF
264	+
265	+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
266	+ insinto /etc/openldap/schema/
267	+ newins openssh-lpk_openldap.schema openssh-lpk.schema
268	+ fi
269	+
270	+ doman contrib/ssh-copy-id.1
271	+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
272	+
273	+ diropts -m 0700
274	+ dodir /etc/skel/.ssh
275	+
276	+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
277	+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
278	+}
279	+
280	+src_test() {
281	+ local t tests skipped failed passed shell
282	+ tests="interop-tests compat-tests"
283	+ skipped=""
284	+ shell=$(egetshell ${UID})
285	+ if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
286	+ elog "Running the full OpenSSH testsuite"
287	+ elog "requires a usable shell for the 'portage'"
288	+ elog "user, so we will run a subset only."
289	+ skipped="${skipped} tests"
290	+ else
291	+ tests="${tests} tests"
292	+ fi
293	+ # It will also attempt to write to the homedir .ssh
294	+ local sshhome=${T}/homedir
295	+ mkdir -p "${sshhome}"/.ssh
296	+ for t in ${tests} ; do
297	+ # Some tests read from stdin ...
298	+ HOMEDIR="${sshhome}" \
299	+ emake -k -j1 ${t} </dev/null \
300	+ && passed="${passed}${t} " \
301	+ \|\| failed="${failed}${t} "
302	+ done
303	+ einfo "Passed tests: ${passed}"
304	+ ewarn "Skipped tests: ${skipped}"
305	+ if [[ -n ${failed} ]] ; then
306	+ ewarn "Failed tests: ${failed}"
307	+ die "Some tests failed: ${failed}"
308	+ else
309	+ einfo "Failed tests: ${failed}"
310	+ return 0
311	+ fi
312	+}
313	+
314	+pkg_preinst() {
315	+ enewgroup sshd 22
316	+ enewuser sshd 22 -1 /var/empty sshd
317	+}
318	+
319	+pkg_postinst() {
320	+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
321	+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
322	+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
323	+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
324	+ fi
325	+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
326	+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
327	+ fi
328	+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
329	+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
330	+ elog "Make sure to update any configs that you might have. Note that xinetd might"
331	+ elog "be an alternative for you as it supports USE=tcpd."
332	+ fi
333	+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
334	+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
335	+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
336	+ elog "adding to your sshd_config:"
337	+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
338	+ elog "You should however generate new keys using rsa or ed25519."
339	+ fi
340	+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
341	+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
342	+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
343	+ elog "and update all clients/servers that utilize them."
344	+ fi
345	+}

Gentoo Archives: gentoo-commits