commit: 15e618a1fdd34e952d0485cb9bcfdc8672aa25e8 |
Author: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
AuthorDate: Wed Sep 28 17:26:18 2016 +0000 |
Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org> |
CommitDate: Wed Sep 28 17:26:18 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=15e618a1 |
|
net-misc/openssh: migrate to gx86 |
|
net-misc/openssh/Manifest | 13 - |
.../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch | 127 -------- |
.../openssh-5.9_p1-sshd-gssapi-multihomed.patch | 184 ----------- |
.../openssh/files/openssh-6.3_p1-x509-glue.patch | 16 - |
.../files/openssh-6.3_p1-x509-hpn14v2-glue.patch | 51 ---- |
.../files/openssh-6.5_p1-hpn-cipher-align.patch | 114 ------- |
.../openssh/files/openssh-6.6.1_p1-x509-glue.patch | 17 -- |
.../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 -- |
.../files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch | 26 -- |
net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 ---------- |
.../openssh-6.6_p1-openssl-ignore-status.patch | 17 -- |
.../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 - |
.../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 -- |
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 -- |
.../files/openssh-6.7_p1-xmalloc-include.patch | 11 - |
.../files/openssh-6.8_p1-sctp-x509-glue.patch | 90 ------ |
.../files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch | 40 --- |
.../openssh-6.8_p1-sshd-gssapi-multihomed.patch | 162 ---------- |
.../openssh-6.8_p1-ssl-engine-configure.patch | 31 -- |
.../files/openssh-6.8_p1-teraterm-hpn-glue.patch | 15 - |
.../openssh/files/openssh-6.8_p1-teraterm.patch | 69 ----- |
.../files/openssh-6.9_p1-x509-warnings.patch | 24 -- |
net-misc/openssh/files/sshd.confd | 21 -- |
net-misc/openssh/files/sshd.pam_include.2 | 4 - |
net-misc/openssh/files/sshd.rc6.4 | 85 ------ |
net-misc/openssh/files/sshd.service | 11 - |
net-misc/openssh/files/sshd.socket | 10 - |
net-misc/openssh/files/sshd_at.service | 8 - |
net-misc/openssh/metadata.xml | 40 --- |
net-misc/openssh/openssh-6.8_p1-r5.ebuild | 336 --------------------- |
net-misc/openssh/openssh-6.9_p1-r2.ebuild | 315 ------------------- |
net-misc/openssh/openssh-7.1_p2-r1.ebuild | 327 -------------------- |
32 files changed, 2416 deletions(-) |
|
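diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
deleted file mode 100644
index 5ad3eda..0000000
--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,13 +0,0 @@
-DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
-DIST openssh-6.8_p1-x509-8.3.1-glue.patch.xz 141096 SHA256 1e8c911b1403e47a37c24d0ebbfa36d46204c06b38d93ed9ae6d2a0953d3bba6 SHA512 942f09f20d898b4865707b5b48012545d7f8171353427ddb773cffaf1b8c664f48375cb85292592ccba63da695e99def42d17c52a61bb93b89827f53cf3ad918 WHIRLPOOL 66ace7a191a562485ee144516912dee52c84fcfbe8b710b3429211cd9d849dc24d4419c5fa6fd3968f9ab250cf474a692db326c2ac3ef930081b8a5777875a73
-DIST openssh-6.8p1+x509-8.3.1.diff.gz 351502 SHA256 64d0b7cd428352a2d77d9decb02ec744eca4433bcb35288745859eb19ccf4fcf SHA512 6525b7ddae13752f145bda42fe6d65ec40a8c9d44766b749cf49ff904d6b1941e088e560c2a532a3dc0003ac1e29d56a28ea3ed1533ee5abcd696cd80ae88d8e WHIRLPOOL 32f45411d250b7c46f2408bfca6b12223e901fa15c27db449c06cd5b1ab7a0e853fffed5971ca635c5080d1796196a8661b8d1503bdcdb28d61e0d082f28590b
-DIST openssh-6.8p1-r5-hpnssh14v5.tar.xz 27240 SHA256 4fe25701ea8717e88bf2355a76fb5370819f927af99efba3e4f06fe3264fbf58 SHA512 29a2086c6bf868bb1c8d2601e1ac83a82de48ed9f9cf6a3762b3f899112d939507b563d0117b4bec87008dd0434e0735e4a4f8c779a64d719d3873224918d16c WHIRLPOOL a4f3e841530d08363c94dfb55911e79f130668e459dc2e1ebb477c14dcf7d3bd71ad63c55e0ff2ba80684e67a8f40867b0a9fd01aabe3fe1533ef604f84a76b3
-DIST openssh-6.8p1.tar.gz 1475953 SHA256 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e SHA512 7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede WHIRLPOOL 3ac9cc4fe0b11ca66c0220618d0ef0c5925e5605d4d3d55c9579b708c478cf8613b7575fe213aba57054d97d3290baac4eba26b7a630d22477ec947f22327a5a
-DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2
-DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
-DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
-DIST openssh-7.1p2+x509-8.7.diff.gz 438584 SHA256 23030dff924a78718686fad6442b1083293b0c2a057714291bd0af9ed8ef5868 SHA512 d9aa43f5fc06b88b442285a9f9a15d01b52796c36f0cb228c756edca473a89eadb296c45503a14514fdb156d3bc9d90ff33271ccfa9461a9bb2b798a581cc007 WHIRLPOOL ef3f4486fff0addad1a6bdcde3ba606d55d6e3ea5d2cd6e79bfe2494d660c38f0e9f1c157af72c3b6ad5e6eb3731168f975b26c94f8357154e54c08e5d876652
-DIST openssh-7.1p2-hpnssh14v10.tar.xz 22388 SHA256 729e20a2627ca403da6cfff8ef251c03421022123a21c68003181b4e5409bcc5 SHA512 b8e88ac5891ed632416db8da6377512614f19f5f7a7c093b55ecfe3e3f50979c61c0674e9381c316632d8daed90f8cce958c9b77bd00084a4ee1b0297cf321ba WHIRLPOOL c466cc33dc4a40e9466148beb154c539e095ac1b9cdcc5b3d235cbcf12ca10255d63da2f0e1da10d1afa1a0d2ebd436ca0d9e542c732df6ef67fb8f4d2d0192c
-DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd SHA512 d5be60f3645ec238b21e1f2dfd801b2136146674bbc086ebdb14be516c613819bc87c84b5089f3a45fe6e137a7458404f79f42572c69d91571e45ebed9d5e3af WHIRLPOOL 9f48952b82db3983c20e84bcff5b6761f5b284174072c828698dced3a53ca8bbc2e1f89d2e82b62a68f4606b52c980fcf097250f86c1a67ad343d20e3ec9d1f4
-DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
-DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518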
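diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index c81ae5c..0000000
--- a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
-Index: readconf.c
-===================================================================
-RCS file: /cvs/openssh/readconf.c,v
-retrieving revision 1.135
-diff -u -r1.135 readconf.c
---- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
-+++ readconf.c 19 Aug 2006 11:59:52 -0000
-@@ -126,6 +126,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -163,9 +164,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- #else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- { "fallbacktorsh", oDeprecated },
- { "usersh", oDeprecated },
-@@ -444,6 +447,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1010,6 +1017,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1100,6 +1108,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-Index: readconf.h
-===================================================================
-RCS file: /cvs/openssh/readconf.h,v
-retrieving revision 1.63
-diff -u -r1.63 readconf.h
---- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
-+++ readconf.h 19 Aug 2006 11:59:52 -0000
-@@ -45,6 +45,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: ssh_config.5
-===================================================================
-RCS file: /cvs/openssh/ssh_config.5,v
-retrieving revision 1.97
-diff -u -r1.97 ssh_config.5
---- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
-+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
-@@ -483,7 +483,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
--Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-Index: sshconnect2.c
-===================================================================
-RCS file: /cvs/openssh/sshconnect2.c,v
-retrieving revision 1.151
-diff -u -r1.151 sshconnect2.c
---- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
-+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
-@@ -499,6 +499,12 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns)
-+ gss_host = get_canonical_hostname(1);
-+ else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -511,7 +517,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;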
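diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 6377d03..0000000
--- a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-Index: gss-serv.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
-retrieving revision 1.22
-diff -u -p -r1.22 gss-serv.c
---- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
-+++ gss-serv.c 11 Jan 2010 05:38:29 -0000
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[MAXHOSTNAMELEN];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
-Index: servconf.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
-retrieving revision 1.201
-diff -u -p -r1.201 servconf.c
---- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
-+++ servconf.c 11 Jan 2010 05:34:56 -0000
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
-Index: servconf.h
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
-retrieving revision 1.89
-diff -u -p -r1.89 servconf.h
---- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
-+++ servconf.h 11 Jan 2010 05:32:28 -0000
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
-Index: sshd_config
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
-retrieving revision 1.81
-diff -u -p -r1.81 sshd_config
---- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
-+++ sshd_config 11 Jan 2010 05:32:28 -0000
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-Index: sshd_config.5
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
-retrieving revision 1.116
-diff -u -p -r1.116 sshd_config.5
---- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
-+++ sshd_config.5 11 Jan 2010 05:37:20 -0000
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed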
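diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
deleted file mode 100644
index f70d44a..0000000
--- a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch
-
---- openssh-6.3p1+x509-7.6.diff
-+++ openssh-6.3p1+x509-7.6.diff
-@@ -14784,10 +14784,9 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -490,6 +567,16 @@
-+@@ -490,5 +567,15 @@
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased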
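diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
deleted file mode 100644
index c3647d5..0000000
--- a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
+++ /dev/null
@@ -1,51 +0,0 @@
---- openssh-6.3p1/Makefile.in
-+++ openssh-6.3p1/Makefile.in
-@@ -45,7 +45,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@
- GSSLIBS=@GSSLIBS@
-@@ -53,6 +53,7 @@
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
-+CPPFLAGS+=@LDAP_CPPFLAGS@
- AR=@AR@
- AWK=@AWK@
- RANLIB=@RANLIB@
---- openssh-6.3p1/sshconnect.c
-+++ openssh-6.3p1/sshconnect.c
-@@ -465,7 +465,7 @@
- {
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
---- openssh-6.3p1/sshd.c
-+++ openssh-6.3p1/sshd.c
-@@ -472,8 +472,8 @@
- comment = "";
- }
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-- major, minor, SSH_VERSION, comment,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+ major, minor, SSH_VERSION,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
-
---- openssh-6.3p1/version.h
-+++ openssh-6.3p1/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_6.3"
-
- #define SSH_PORTABLE "p1"
-+#define SSH_X509 " PKIX"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE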
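diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
deleted file mode 100644
index cfb060f..0000000
--- a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-https://bugs.gentoo.org/498632
-
-make sure we do not use unaligned loads/stores as some arches really hate that.
-
---- a/cipher-ctr-mt.c
-+++ b/cipher-ctr-mt.c
-@@ -58,8 +58,16 @@
- /* Collect thread stats and print at cancellation when in debug mode */
- /* #define CIPHER_THREAD_STATS */
-
--/* Use single-byte XOR instead of 8-byte XOR */
--/* #define CIPHER_BYTE_XOR */
-+/* Can the system do unaligned loads natively? */
-+#if defined(__aarch64__) || \
-+ defined(__i386__) || \
-+ defined(__powerpc__) || \
-+ defined(__x86_64__)
-+# define CIPHER_UNALIGNED_OK
-+#endif
-+#if defined(__SIZEOF_INT128__)
-+# define CIPHER_INT128_OK
-+#endif
- /*-------------------- END TUNABLES --------------------*/
-
-
-@@ -285,8 +293,20 @@ thread_loop(void *x)
-
- static int
- ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-- u_int len)
-+ size_t len)
- {
-+ typedef union {
-+#ifdef CIPHER_INT128_OK
-+ __uint128_t *u128;
-+#endif
-+ uint64_t *u64;
-+ uint32_t *u32;
-+ uint8_t *u8;
-+ const uint8_t *cu8;
-+ uintptr_t u;
-+ } ptrs_t;
-+ ptrs_t destp, srcp, bufp;
-+ uintptr_t align;
- struct ssh_aes_ctr_ctx *c;
- struct kq *q, *oldq;
- int ridx;
-@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- ridx = c->ridx;
-
- /* src already padded to block multiple */
-+ srcp.cu8 = src;
-+ destp.u8 = dest;
- while (len > 0) {
- buf = q->keys[ridx];
-+ bufp.u8 = buf;
-
--#ifdef CIPHER_BYTE_XOR
-- dest[0] = src[0] ^ buf[0];
-- dest[1] = src[1] ^ buf[1];
-- dest[2] = src[2] ^ buf[2];
-- dest[3] = src[3] ^ buf[3];
-- dest[4] = src[4] ^ buf[4];
-- dest[5] = src[5] ^ buf[5];
-- dest[6] = src[6] ^ buf[6];
-- dest[7] = src[7] ^ buf[7];
-- dest[8] = src[8] ^ buf[8];
-- dest[9] = src[9] ^ buf[9];
-- dest[10] = src[10] ^ buf[10];
-- dest[11] = src[11] ^ buf[11];
-- dest[12] = src[12] ^ buf[12];
-- dest[13] = src[13] ^ buf[13];
-- dest[14] = src[14] ^ buf[14];
-- dest[15] = src[15] ^ buf[15];
--#else
-- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
-- *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
-- *(uint64_t *)(buf + 8);
--#endif
-+ /* figure out the alignment on the fly */
-+#ifdef CIPHER_UNALIGNED_OK
-+ align = 0;
-+#else
-+ align = destp.u | srcp.u | bufp.u;
-+#endif
-+
-+#ifdef CIPHER_INT128_OK
-+ if ((align & 0xf) == 0) {
-+ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
-+ } else
-+#endif
-+ if ((align & 0x7) == 0) {
-+ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
-+ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
-+ } else if ((align & 0x3) == 0) {
-+ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
-+ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
-+ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
-+ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
-+ } else {
-+ size_t i;
-+ for (i = 0; i < AES_BLOCK_SIZE; ++i)
-+ dest[i] = src[i] ^ buf[i];
-+ }
-
-- dest += 16;
-- src += 16;
-- len -= 16;
-+ destp.u += AES_BLOCK_SIZE;
-+ srcp.u += AES_BLOCK_SIZE;
-+ len -= AES_BLOCK_SIZE;
- ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
-
- /* Increment read index, switch queues on rollover */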
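diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch
deleted file mode 100644
index 2a34ee9..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
-
---- openssh-6.6p1+x509-8.0.diff
-+++ openssh-6.6p1+x509-8.0.diff
-@@ -16337,10 +16337,10 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -499,6 +576,16 @@
-+@@ -514,6 +591,16 @@
-+ This facility is provided to assist with operation on multi homed machines.
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased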
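diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
deleted file mode 100644
index c76015d..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6.1p1-hpnssh14v4.diff
-+++ openssh-6.6.1p1-hpnssh14v4.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +393,10 @@
-+@@ -345,6 +393,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
--+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +517,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },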
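diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch
deleted file mode 100644
index beb2292..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v5-glue.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6.1p1-hpnssh14v5.diff
-+++ openssh-6.6.1p1-hpnssh14v5.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +392,10 @@
-+@@ -345,6 +392,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
--+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +516,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },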
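--- a/net-misc/openssh/files/openssh-6.6.1_p1.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-Hi,
-
-So I screwed up when writing the support for the curve25519 KEX method
-that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
-leading zero bytes where they should have been skipped. The impact of
-this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
-peer that implements curve25519-sha256 at libssh.org properly about 0.2%
-of the time (one in every 512ish connections).
-
-We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
-key exchange for previous versions, but I'd recommend distributors
-of OpenSSH apply this patch so the affected code doesn't become
-too entrenched in LTS releases.
-
-The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
-to distinguish itself from the incorrect versions so the compatibility
-code to disable the affected KEX isn't activated.
-
-I've committed this on the 6.6 branch too.
-
-Apologies for the hassle.
-
--d
-
-Index: version.h
-===================================================================
-RCS file: /var/cvs/openssh/version.h,v
-retrieving revision 1.82
-diff -u -p -r1.82 version.h
---- version.h 27 Feb 2014 23:01:54 -0000 1.82
-+++ version.h 20 Apr 2014 03:35:15 -0000
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-
--#define SSH_VERSION "OpenSSH_6.6"
-+#define SSH_VERSION "OpenSSH_6.6.1"
-
- #define SSH_PORTABLE "p1"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-Index: compat.c
-===================================================================
-RCS file: /var/cvs/openssh/compat.c,v
-retrieving revision 1.82
-retrieving revision 1.85
-diff -u -p -r1.82 -r1.85
---- compat.c 31 Dec 2013 01:25:41 -0000 1.82
-+++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- { "OpenSSH_4*", 0 },
- { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
-+ { "OpenSSH_6.5*,"
-+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- { "OpenSSH*", SSH_NEW_OPENSSH },
- { "*MindTerm*", 0 },
- { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
- return cipher_prop;
- }
-
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
- if (*pkalg_prop == '\0')
- fatal("No supported PK algorithms found");
- return pkalg_prop;
-+}
-+
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+ return kex_prop;
-+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@××××××.org");
-+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+ if (*kex_prop == '\0')
-+ fatal("No supported key exchange algorithms found");
-+ return kex_prop;
- }
-
-Index: compat.h
-===================================================================
-RCS file: /var/cvs/openssh/compat.h,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -p -r1.42 -r1.43
---- compat.h 31 Dec 2013 01:25:41 -0000 1.42
-+++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR 0x02000000
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
-+#define SSH_BUG_CURVE25519PAD 0x10000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-@@ -66,6 +67,7 @@ void compat_datafellows(const char *
- int proto_spec(const char *);
- char *compat_cipher_proposal(char *);
- char *compat_pkalg_proposal(char *);
-+char *compat_kex_proposal(char *);
-
- extern int compat13;
- extern int compat20;
-Index: sshd.c
-===================================================================
-RCS file: /var/cvs/openssh/sshd.c,v
-retrieving revision 1.448
-retrieving revision 1.453
-diff -u -p -r1.448 -r1.453
---- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
-+++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
-@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-+
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- (time_t)options.rekey_interval);
-Index: sshconnect2.c
-===================================================================
-RCS file: /var/cvs/openssh/sshconnect2.c,v
-retrieving revision 1.197
-retrieving revision 1.199
-diff -u -p -r1.197 -r1.199
---- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
-+++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
-@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
- }
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-Index: bufaux.c
-===================================================================
-RCS file: /var/cvs/openssh/bufaux.c,v
-retrieving revision 1.62
-retrieving revision 1.63
-diff -u -p -r1.62 -r1.63
---- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
-+++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
- * Author: Tatu Ylonen <ylo@××××××.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@××××××.fi>, Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
-
- if (l > 8 * 1024)
- fatal("%s: length %u too long", __func__, l);
-+ /* Skip leading zero bytes */
-+ for (; l > 0 && *s == 0; l--, s++)
-+ ;
- p = buf = xmalloc(l + 1);
- /*
- * If most significant bit is set then prepend a zero byte to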
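--- a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/entropy.c
-+++ b/entropy.c
-@@ -216,7 +216,7 @@ seed_rng(void)
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
- */
-- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
-+ u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L;
- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
- fatal("OpenSSL version mismatch. Built against %lx, you "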
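--- a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
-
---- openssh-6.6p1+x509-7.9.diff
-+++ openssh-6.6p1+x509-7.9.diff
-@@ -15473,10 +15473,9 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -499,6 +576,16 @@
-+@@ -499,5 +576,15 @@
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased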
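--- a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6p1-hpnssh14v4.diff
-+++ openssh-6.6p1-hpnssh14v4.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +393,10 @@
-+@@ -345,6 +393,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
--+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +517,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },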
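--- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
- */
-- mask = 0xfff0000fL; /* major,minor,status */
-+ mask = 0xfff00000L; /* major,minor,status */
- hfix = (headerver & 0x000ff000) >> 12;
- lfix = (libver & 0x000ff000) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)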
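--- a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -ur openssh-6.7p1.orig/ssh-rsa.c openssh-6.7p1/ssh-rsa.c
---- openssh-6.7p1.orig/ssh-rsa.c 2015-02-24 14:52:54.512197868 -0800
-+++ openssh-6.7p1/ssh-rsa.c 2015-02-27 11:48:54.173951646 -0800
-@@ -34,6 +34,7 @@
- #include "sshkey.h"
- #include "digest.h"
- #include "evp-compat.h"
-+#include "xmalloc.h"
-
- /*NOTE: Do not define USE_LEGACY_RSA_... if build
- is with FIPS capable OpenSSL */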
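--- a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,90 +0,0 @@
---- openssh-6.8_p1-sctp.patch.orig 2015-03-18 17:52:40.563506822 -0700
-+++ openssh-6.8_p1-sctp.patch 2015-03-18 18:14:30.919753194 -0700
-@@ -184,34 +184,6 @@
- int port; /* Port to connect. */
- int address_family;
- int connection_attempts; /* Max attempts (seconds) before
----- a/scp.1
--+++ b/scp.1
--@@ -19,7 +19,7 @@
-- .Sh SYNOPSIS
-- .Nm scp
-- .Bk -words
---.Op Fl 12346BCpqrv
--+.Op Fl 12346BCpqrvz
-- .Op Fl c Ar cipher
-- .Op Fl F Ar ssh_config
-- .Op Fl i Ar identity_file
--@@ -178,6 +178,7 @@ For full details of the options listed b
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UpdateHostKeys
-- .It UsePrivilegedPort
-- .It User
--@@ -218,6 +219,8 @@ and
-- to print debugging messages about their progress.
-- This is helpful in
-- debugging connection, authentication, and configuration problems.
--+.It Fl z
--+Use the SCTP protocol for connection instead of TCP which is the default.
-- .El
-- .Sh EXIT STATUS
-- .Ex -std scp
- --- a/scp.c
- +++ b/scp.c
- @@ -395,7 +395,11 @@ main(int argc, char **argv)
-@@ -471,34 +443,6 @@
- int protocol; /* Supported protocol versions. */
- struct ForwardOptions fwd_opts; /* forwarding options */
- SyslogFacility log_facility; /* Facility for system logging. */
----- a/ssh.1
--+++ b/ssh.1
--@@ -43,7 +43,7 @@
-- .Sh SYNOPSIS
-- .Nm ssh
-- .Bk -words
---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
--+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
-- .Op Fl b Ar bind_address
-- .Op Fl c Ar cipher_spec
-- .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -473,6 +473,7 @@ For full details of the options listed b
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UsePrivilegedPort
--@@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
-- controls.
-- .It Fl y
-- Send log information using the
--+.It Fl z
--+Use the SCTP protocol for connection instead of TCP which is the default.
-- .Xr syslog 3
-- system module.
-- By default this information is sent to stderr.
- --- a/ssh.c
- +++ b/ssh.c
- @@ -194,12 +194,17 @@ extern int muxserver_sock;
-@@ -520,13 +464,11 @@
- " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
- " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
--@@ -506,7 +512,7 @@ main(int ac, char **av)
-- argv0 = av[0];
-+@@ -506,4 +512,4 @@ main(int ac, char **av)
-
-- again:
--- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
--+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
-++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
-+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
- switch (opt) {
- case '1':
- @@ -732,6 +738,11 @@ main(int ac, char **av)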
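--- a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-https://bugs.gentoo.org/544078
-https://bugzilla.mindrot.org/show_bug.cgi?id=2369
-
-From 117c961c8d1f0537973df5a6a937389b4b7b61b4 Mon Sep 17 00:00:00 2001
-From: "djm@×××××××.org" <djm@×××××××.org>
-Date: Mon, 23 Mar 2015 06:06:38 +0000
-Subject: [PATCH] upstream commit
-
-for ssh-keygen -A, don't try (and fail) to generate ssh
- v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
- without OpenSSL based on patch by Mike Frysinger; bz#2369
----
- ssh-keygen.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a3c2362..96dd8b4 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -948,12 +948,16 @@ do_gen_all_hostkeys(struct passwd *pw)
- char *key_type_display;
- char *path;
- } key_types[] = {
-+#ifdef WITH_OPENSSL
-+#ifdef WITH_SSH1
- { "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
-+#endif /* WITH_SSH1 */
- { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
- { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
- #ifdef OPENSSL_HAS_ECC
- { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
--#endif
-+#endif /* OPENSSL_HAS_ECC */
-+#endif /* WITH_OPENSSL */
- { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
- { NULL, NULL, NULL }
- };
---
-2.3.3
-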
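--- a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/378361
-https://bugzilla.mindrot.org/show_bug.cgi?id=928
-
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[NI_MAXHOST];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, sizeof(lname))) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
---- a/servconf.c
-+++ b/servconf.c
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
---- a/servconf.h
-+++ b/servconf.h
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
---- a/sshd_config
-+++ b/sshd_config
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAcceptedKeyTypes
- Specifies the key types that will be accepted for hostbased authentication
- as a comma-separated pattern list.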
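--- a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@g.o>
-Date: Wed, 18 Mar 2015 12:37:24 -0400
-Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
- set
-
----
- configure.ac | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b4d6598..7806d20 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2276,10 +2276,10 @@ openssl_engine=no
- AC_ARG_WITH([ssl-engine],
- [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
- [
-- if test "x$openssl" = "xno" ; then
-- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-- fi
- if test "x$withval" != "xno" ; then
-+ if test "x$openssl" = "xno" ; then
-+ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-+ fi
- openssl_engine=yes
- fi
- ]
---
-2.3.2
-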
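--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/0005-support-dynamically-sized-receive-buffers.patch
-+++ b/0005-support-dynamically-sized-receive-buffers.patch
-@@ -411,10 +411,10 @@ index af2f007..41b782b 100644
- --- a/compat.h
- +++ b/compat.h
- @@ -60,6 +60,7 @@
-- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
--+#define SSH_BUG_LARGEWINDOW 0x20000000
-+ #define SSH_BUG_HOSTKEYS 0x20000000
-++#define SSH_BUG_LARGEWINDOW 0x40000000
-
- void enable_compat13(void);
- void enable_compat20(void);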
1350 |
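diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
deleted file mode 100644
index f99e92f..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-https://bugs.gentoo.org/547944
-
-From d8f391caef62378463a0e6b36f940170dadfe605 Mon Sep 17 00:00:00 2001
-From: "dtucker@×××××××.org" <dtucker@×××××××.org>
-Date: Fri, 10 Apr 2015 05:16:50 +0000
-Subject: [PATCH] upstream commit
-
-Don't send hostkey advertisments
- (hostkeys-00@×××××××.com) to current versions of Tera Term as they can't
- handle them. Newer versions should be OK. Patch from Bryan Drewery and
- IWAMOTO Kouichi, ok djm@
----
- compat.c | 13 ++++++++++++-
- compat.h | 3 ++-
- sshd.c | 6 +++++-
- 3 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/compat.c b/compat.c
-index 2498168..0934de9 100644
---- a/compat.c
-+++ b/compat.c
-@@ -167,6 +167,17 @@ compat_datafellows(const char *version)
- SSH_BUG_SCANNER },
- { "Probe-*",
- SSH_BUG_PROBE },
-+ { "TeraTerm SSH*,"
-+ "TTSSH/1.5.*,"
-+ "TTSSH/2.1*,"
-+ "TTSSH/2.2*,"
-+ "TTSSH/2.3*,"
-+ "TTSSH/2.4*,"
-+ "TTSSH/2.5*,"
-+ "TTSSH/2.6*,"
-+ "TTSSH/2.70*,"
-+ "TTSSH/2.71*,"
-+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
- { NULL, 0 }
- };
-
-diff --git a/compat.h b/compat.h
-index af2f007..83507f0 100644
---- a/compat.h
-+++ b/compat.h
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
-+#define SSH_BUG_HOSTKEYS 0x20000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-diff --git a/sshd.c b/sshd.c
-index 6aa17fa..60b0cd4 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh)
- int i, nkeys, r;
- char *fp;
-
-+ /* Some clients cannot cope with the hostkeys message, skip those. */
-+ if (datafellows & SSH_BUG_HOSTKEYS)
-+ return;
-+
- if ((buf = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new", __func__);
- for (i = nkeys = 0; i < options.num_host_key_files; i++) {
---
-2.3.6
-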
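diff --git a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch b/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch
deleted file mode 100644
index 9ce2967..0000000
--- a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -ur openssh-6.9p1.orig/sshconnect2.c openssh-6.9p1/sshconnect2.c
---- openssh-6.9p1.orig/sshconnect2.c 2015-07-01 14:56:26.766316866 -0700
-+++ openssh-6.9p1/sshconnect2.c 2015-07-01 14:59:22.828692366 -0700
-@@ -1404,7 +1404,7 @@
- static int
- get_allowed_keytype(Key *k) {
- char *pattern;
-- char *alg;
-+ const char *alg;
-
- if (k->type == KEY_RSA1 || k->type == KEY_UNSPEC)
- return KEY_UNSPEC;
-diff -ur openssh-6.9p1.orig/x509_nm_cmp.c openssh-6.9p1/x509_nm_cmp.c
---- openssh-6.9p1.orig/x509_nm_cmp.c 2015-07-01 14:56:26.129311890 -0700
-+++ openssh-6.9p1/x509_nm_cmp.c 2015-07-01 14:59:14.086624068 -0700
-@@ -133,7 +133,7 @@
- tag = M_ASN1_STRING_type(in);
- if (tag != V_ASN1_UTF8STRING) {
- /*OpenSSL method surprisingly require non-const(!?) ASN1_STRING!*/
-- return(ASN1_STRING_to_UTF8(out, in));
-+ return(ASN1_STRING_to_UTF8(out, (ASN1_STRING *) in));
- }
-
- l = M_ASN1_STRING_length(in);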
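diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
deleted file mode 100644
index 28952b4..0000000
--- a/net-misc/openssh/files/sshd.confd
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd
-
-# Where is your sshd_config file stored?
-
-SSHD_CONFDIR="/etc/ssh"
-
-
-# Any random options you want to pass to sshd.
-# See the sshd(8) manpage for more info.
-
-SSHD_OPTS=""
-
-
-# Pid file to use (needs to be absolute path).
-
-#SSHD_PIDFILE="/var/run/sshd.pid"
-
-
-# Path to the sshd binary (needs to be absolute path).
-
-#SSHD_BINARY="/usr/sbin/sshd"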
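diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
deleted file mode 100644
index b801aaa..0000000
--- a/net-misc/openssh/files/sshd.pam_include.2
+++ /dev/null
@@ -1,4 +0,0 @@
-auth include system-remote-login
-account include system-remote-login
-password include system-remote-login
-session include system-remote-login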
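diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
deleted file mode 100755
index 80f1b7e..0000000
--- a/net-misc/openssh/files/sshd.rc6.4
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.4,v 1.5 2015/05/04 02:56:25 vapier Exp $
-
-extra_commands="checkconfig"
-extra_started_commands="reload"
-
-: ${SSHD_CONFDIR:=/etc/ssh}
-: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
-: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
-: ${SSHD_BINARY:=/usr/sbin/sshd}
-
-depend() {
- use logger dns
- if [ "${rc_need+set}" = "set" ] ; then
- : # Do nothing, the user has explicitly set rc_need
- else
- local x warn_addr
- for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
- case "${x}" in
- 0.0.0.0|0.0.0.0:*) ;;
- ::|\[::\]*) ;;
- *) warn_addr="${warn_addr} ${x}" ;;
- esac
- done
- if [ -n "${warn_addr}" ] ; then
- need net
- ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
- ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
- ewarn "where FOO is the interface(s) providing the following address(es):"
- ewarn "${warn_addr}"
- fi
- fi
-}
-
-checkconfig() {
- if [ ! -d /var/empty ] ; then
- mkdir -p /var/empty || return 1
- fi
-
- if [ ! -e "${SSHD_CONFIG}" ] ; then
- eerror "You need an ${SSHD_CONFIG} file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- ssh-keygen -A || return 1
-
- [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
- && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
- [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
- && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
-
- "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
-}
-
-start() {
- checkconfig || return 1
-
- ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" \
- -- ${SSHD_OPTS}
- eend $?
-}
-
-stop() {
- if [ "${RC_CMD}" = "restart" ] ; then
- checkconfig || return 1
- fi
-
- ebegin "Stopping ${SVCNAME}"
- start-stop-daemon --stop --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" --quiet
- eend $?
-}
-
-reload() {
- checkconfig || return 1
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP \
- --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
- eend $?
-}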
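diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
deleted file mode 100644
index b5e96b3..0000000
--- a/net-misc/openssh/files/sshd.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
-
-[Service]
-ExecStartPre=/usr/bin/ssh-keygen -A
-ExecStart=/usr/sbin/sshd -D -e
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target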
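diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
deleted file mode 100644
index 94b9533..0000000
--- a/net-misc/openssh/files/sshd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=OpenSSH Server Socket
-Conflicts=sshd.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target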
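diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
deleted file mode 100644
index 2645ad0..0000000
--- a/net-misc/openssh/files/sshd_at.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=OpenSSH per-connection server daemon
-After=syslog.target auditd.service
-
-[Service]
-ExecStart=-/usr/sbin/sshd -i -e
-StandardInput=socket
-StandardError=syslog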
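diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
deleted file mode 100644
index 29134fc..0000000
--- a/net-misc/openssh/metadata.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
- <maintainer type="project">
- <email>base-system@g.o</email>
- <name>Gentoo Base System</name>
- </maintainer>
- <maintainer type="person">
- <email>robbat2@g.o</email>
- <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
- </maintainer>
- <longdescription>
-OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
-increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
-rlogin, ftp, and other such programs might not realize that their password is transmitted
-across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
-to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
-Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
-of authentication methods.
-
-The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
-replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
-the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
-ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
-</longdescription>
- <use>
- <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
- <flag name="hpn">Enable high performance ssh</flag>
- <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
- <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
- <flag name="livecd">Enable root password logins for live-cd environment.</flag>
- <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
- <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
- <flag name="X509">Adds support for X.509 certificate authentication</flag>
- </use>
- <upstream>
- <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
- <remote-id type="sourceforge">hpnssh</remote-id>
- </upstream>
-</pkgmetadata>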
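diff --git a/net-misc/openssh/openssh-6.8_p1-r5.ebuild b/net-misc/openssh/openssh-6.8_p1-r5.ebuild
deleted file mode 100644
index 86b6a01..0000000
--- a/net-misc/openssh/openssh-6.8_p1-r5.ebuild
+++ /dev/null
@@ -1,336 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.8_p1-r5.ebuild,v 1.1 2015/04/28 04:39:35 vapier Exp $
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.8p1-r5-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.3.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${P}-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- http://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? (
- http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
- mirror://gentoo/${P}-x509-${X509_VER}-glue.patch.xz
- )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssh1/ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey +ssh1 +ssl static X X509"
-REQUIRED_USE="pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- ssl? (
- >=dev-libs/openssl-0.9.6d:0[bindist=]
- dev-libs/openssl[static-libs(+)]
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? (
- ${LIB_DEPEND//\[static-libs(+)]}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? (
- ${LIB_DEPEND}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
- )
- )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- die "USE=tcpd no longer works"
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- epatch "${FILESDIR}"/${PN}-6.8_p1-sshd-gssapi-multihomed.patch #378361
- if use X509 ; then
- pushd .. >/dev/null
- epatch "${WORKDIR}"/${P}-x509-${X509_VER}-glue.patch
- epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- save_version X509
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${FILESDIR}"/${PN}-6.8_p1-ssh-keygen-no-ssh1.patch #544078
- epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm.patch #547944
- # The X509 patchset fixes this independently.
- use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${P}-sctp.patch
- if use hpn ; then
- # The teraterm patch pulled in an upstream update.
- pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
- epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm-hpn-glue.patch
- popd >/dev/null
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- sed -i -e 's/-m 4711/-m 0711/' "${S}"/Makefile.in || die
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys # skey configure code triggers this
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- # The X509 patch deletes this option entirely.
- $(use X509 || use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
- if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
- append-ldflags -lutil
- fi
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- keepdir /var/empty/dev
- fi
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- [[ $(id -u) = 0 ]] || return #335343
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
- fperms 4711 /usr/$(get_libdir)/misc/ssh-keysign
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "reload sshd: '/etc/init.d/sshd reload'."
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- einfo "For the HPN server logging patch, you must ensure that"
- einfo "your syslog application also listens at /var/empty/dev/log."
- fi
- elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
- elog " dropped it. Make sure to update any configs that you might have."
-}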
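diff --git a/net-misc/openssh/openssh-6.9_p1-r2.ebuild b/net-misc/openssh/openssh-6.9_p1-r2.ebuild
deleted file mode 100644
index 2cbcfa5..0000000
--- a/net-misc/openssh/openssh-6.9_p1-r2.ebuild
+++ /dev/null
@@ -1,315 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.9p1-r1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )"
-
-LIB_DEPEND="
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- >=dev-libs/openssl-0.9.8f:0[bindist=]
- dev-libs/openssl:0[static-libs(+)]
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- if use X509 ; then
- pushd .. >/dev/null
- #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
- epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
- save_version X509
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- # The X509 patchset fixes this independently.
- use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
- if use hpn ; then
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- sed -i -e 's/-m 4711/-m 0711/' "${S}"/Makefile.in || die
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys # skey configure code triggers this
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- # The X509 patch deletes this option entirely.
- $(use X509 || use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
- if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
- append-ldflags -lutil
- fi
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- [[ $(id -u) = 0 ]] || return #335343
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
- fperms 4711 /usr/$(get_libdir)/misc/ssh-keysign
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
- elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
- fi
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "reload sshd: '/etc/init.d/sshd reload'."
- elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
- elog " dropped it. Make sure to update any configs that you might have."
-}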
2350 |
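diff --git a/net-misc/openssh/openssh-7.1_p2-r1.ebuild b/net-misc/openssh/openssh-7.1_p2-r1.ebuild
deleted file mode 100644
index d17c953..0000000
--- a/net-misc/openssh/openssh-7.1_p2-r1.ebuild
+++ /dev/null
@@ -1,327 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
-LDAP_PATCH="${PN}-lpk-7.1p2-0.3.14.patch.xz"
-X509_VER="8.7" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~ppc-aix ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )"
-
-LIB_DEPEND="
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- !libressl? (
- >=dev-libs/openssl-0.9.8f:0[bindist=]
- dev-libs/openssl:0[static-libs(+)]
- )
- libressl? ( dev-libs/libressl[static-libs(+)] )
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- if use X509 ; then
- pushd .. >/dev/null
- if use hpn ; then
- pushd ${HPN_PATCH%.*.*} >/dev/null
- epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
- popd >/dev/null
- fi
- epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
- save_version X509
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- # The X509 patchset fixes this independently.
- use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
- if use hpn ; then
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- [[ $(id -u) = 0 ]] || return #335343
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
- elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
- fi
- if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-}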