Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
Date: Thu, 16 Aug 2018 15:03:39
Message-Id: 1534431803.f1972d34210086aa07183ca4b412b7d1888c3971.whissi@gentoo
1 commit: f1972d34210086aa07183ca4b412b7d1888c3971
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Thu Aug 16 15:02:47 2018 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Thu Aug 16 15:03:23 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1972d34
7
8 net-misc/openssh: add patch to prevent username enumeration
9
10 Link: http://seclists.org/oss-sec/2018/q3/124
11 Package-Manager: Portage-2.3.46, Repoman-2.3.10
12
13 net-misc/openssh/Manifest | 1 +
14 net-misc/openssh/openssh-7.7_p1-r8.ebuild | 444 ++++++++++++++++++++++++++++++
15 2 files changed, 445 insertions(+)
16
17 diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
18 index 533bb4cbc5c..7baaf9672f0 100644
19 --- a/net-misc/openssh/Manifest
20 +++ b/net-misc/openssh/Manifest
21 @@ -8,6 +8,7 @@ DIST openssh-7.6p1-hpnssh14v12-r1.tar.xz 15440 BLAKE2B e140852a3ce63e4f744ed4b18
22 DIST openssh-7.6p1.tar.gz 1489788 BLAKE2B 938bfeeff0a0aaa2fc7e4c345f04561c6c071c526e354a7d344a08742cb70ab1f4a41d325b31720f2fba5c4afa4db11f3fc87055c8c9c8bea37b29cc11dc8f39 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
23 DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
24 DIST openssh-7.7p1-patches-1.1.tar.xz 16476 BLAKE2B fca2885a9e29faec40700ece37a995ba83e40bd2a6875129a5327770d8ee43663a7c063de33b4653994ed7332adb03730f613c047550d874190b95c66e2e9efa SHA512 aa5e33ce4bb4be16abf27ac1bade1dc85c51d82002be546402e0b8b0685de3ec7029f0f56bf1295ec346eb3960a6bed7cfc882722e57957a19a732f3174b3039
25 +DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b
26 DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
27 DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
28 DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
29
30 diff --git a/net-misc/openssh/openssh-7.7_p1-r8.ebuild b/net-misc/openssh/openssh-7.7_p1-r8.ebuild
31 new file mode 100644
32 index 00000000000..e9af1d2b782
33 --- /dev/null
34 +++ b/net-misc/openssh/openssh-7.7_p1-r8.ebuild
35 @@ -0,0 +1,444 @@
36 +# Copyright 1999-2018 Gentoo Foundation
37 +# Distributed under the terms of the GNU General Public License v2
38 +
39 +EAPI=6
40 +
41 +inherit user flag-o-matic multilib autotools pam systemd versionator
42 +
43 +# Make it more portable between straight releases
44 +# and _p? releases.
45 +PARCH=${P/_}
46 +
47 +HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
48 +SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
49 +X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
50 +
51 +PATCH_SET="openssh-7.7p1-patches-1.2"
52 +
53 +DESCRIPTION="Port of OpenBSD's free SSH release"
54 +HOMEPAGE="https://www.openssh.com/"
55 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
56 + https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
57 + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
58 + ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
59 + ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
60 + "
61 +
62 +LICENSE="BSD GPL-2"
63 +SLOT="0"
64 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
65 +# Probably want to drop ssl defaulting to on in a future version.
66 +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
67 +RESTRICT="!test? ( test )"
68 +REQUIRED_USE="ldns? ( ssl )
69 + pie? ( !static )
70 + static? ( !kerberos !pam )
71 + X509? ( !sctp ssl )
72 + test? ( ssl )"
73 +
74 +LIB_DEPEND="
75 + audit? ( sys-process/audit[static-libs(+)] )
76 + ldns? (
77 + net-libs/ldns[static-libs(+)]
78 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
79 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
80 + )
81 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
82 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
83 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
84 + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
85 + ssl? (
86 + !libressl? (
87 + >=dev-libs/openssl-1.0.1:0=[bindist=]
88 + dev-libs/openssl:0=[static-libs(+)]
89 + )
90 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
91 + )
92 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
93 +RDEPEND="
94 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
95 + pam? ( virtual/pam )
96 + kerberos? ( virtual/krb5 )"
97 +DEPEND="${RDEPEND}
98 + static? ( ${LIB_DEPEND} )
99 + virtual/pkgconfig
100 + virtual/os-headers
101 + sys-devel/autoconf"
102 +RDEPEND="${RDEPEND}
103 + pam? ( >=sys-auth/pambase-20081028 )
104 + userland_GNU? ( virtual/shadow )
105 + X? ( x11-apps/xauth )"
106 +
107 +S="${WORKDIR}/${PARCH}"
108 +
109 +pkg_pretend() {
110 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
111 + # than not be able to log in to their server any more
112 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
113 + local fail="
114 + $(use hpn && maybe_fail hpn HPN_PATCH)
115 + $(use sctp && maybe_fail sctp SCTP_PATCH)
116 + $(use X509 && maybe_fail X509 X509_PATCH)
117 + "
118 + fail=$(echo ${fail})
119 + if [[ -n ${fail} ]] ; then
120 + eerror "Sorry, but this version does not yet support features"
121 + eerror "that you requested: ${fail}"
122 + eerror "Please mask ${PF} for now and check back later:"
123 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
124 + die "booooo"
125 + fi
126 +
127 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
128 + if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
129 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
130 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
131 + fi
132 +}
133 +
134 +src_prepare() {
135 + sed -i \
136 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
137 + pathnames.h || die
138 +
139 + # don't break .ssh/authorized_keys2 for fun
140 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
141 +
142 + eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
143 + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
144 + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
145 +
146 + local PATCHSET_VERSION_MACROS=()
147 +
148 + if use X509 ; then
149 + eapply "${WORKDIR}"/${X509_PATCH%.*}
150 +
151 + # We need to patch package version or any X.509 sshd will reject our ssh client
152 + # with "userauth_pubkey: could not parse key: string is too large [preauth]"
153 + # error
154 + einfo "Patching package version for X.509 patch set ..."
155 + sed -i \
156 + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
157 + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
158 +
159 + einfo "Patching version.h to expose X.509 patch set ..."
160 + sed -i \
161 + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
162 + "${S}"/version.h || die "Failed to sed-in X.509 patch version"
163 + PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
164 +
165 + einfo "Disabling broken X.509 agent test ..."
166 + sed -i \
167 + -e "/^ agent$/d" \
168 + "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
169 +
170 + # The following patches don't apply on top of X509 patch
171 + rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
172 + rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
173 + rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
174 + rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
175 + else
176 + rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
177 + rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
178 + fi
179 +
180 + if use sctp ; then
181 + eapply "${WORKDIR}"/${SCTP_PATCH%.*}
182 +
183 + einfo "Patching version.h to expose SCTP patch set ..."
184 + sed -i \
185 + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
186 + "${S}"/version.h || die "Failed to sed-in SCTP patch version"
187 + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
188 +
189 + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
190 + sed -i \
191 + -e "/\t\tcfgparse \\\/d" \
192 + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
193 + fi
194 +
195 + if use hpn ; then
196 + eapply "${WORKDIR}"/${HPN_PATCH%.*}
197 +
198 + einfo "Patching Makefile.in for HPN patch set ..."
199 + sed -i \
200 + -e "/^LIBS=/ s/\$/ -lpthread/" \
201 + "${S}"/Makefile.in || die "Failed to patch Makefile.in"
202 +
203 + einfo "Patching version.h to expose HPN patch set ..."
204 + sed -i \
205 + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
206 + "${S}"/version.h || die "Failed to sed-in HPN patch version"
207 + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
208 +
209 + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
210 + einfo "Disabling known non-working MT AES cipher per default ..."
211 +
212 + cat > "${T}"/disable_mtaes.conf <<- EOF
213 +
214 + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
215 + # and therefore disabled per default.
216 + DisableMTAES yes
217 + EOF
218 + sed -i \
219 + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
220 + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
221 +
222 + sed -i \
223 + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
224 + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
225 + fi
226 + fi
227 +
228 + if use X509 || use hpn ; then
229 + einfo "Patching packet.c for X509 and/or HPN patch set ..."
230 + sed -i \
231 + -e "s/const struct sshcipher/struct sshcipher/" \
232 + "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
233 + fi
234 +
235 + if use X509 || use sctp || use hpn ; then
236 + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
237 + sed -i \
238 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
239 + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
240 +
241 + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
242 + sed -i \
243 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
244 + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
245 +
246 + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
247 + sed -i \
248 + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
249 + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
250 + fi
251 +
252 + sed -i \
253 + -e "/#UseLogin no/d" \
254 + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
255 +
256 + eapply "${WORKDIR}"/patch/*.patch
257 +
258 + eapply_user #473004
259 +
260 + tc-export PKG_CONFIG
261 + local sed_args=(
262 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
263 + # Disable PATH reset, trust what portage gives us #254615
264 + -e 's:^PATH=/:#PATH=/:'
265 + # Disable fortify flags ... our gcc does this for us
266 + -e 's:-D_FORTIFY_SOURCE=2::'
267 + )
268 +
269 + # The -ftrapv flag ICEs on hppa #505182
270 + use hppa && sed_args+=(
271 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
272 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
273 + )
274 + # _XOPEN_SOURCE causes header conflicts on Solaris
275 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
276 + -e 's/-D_XOPEN_SOURCE//'
277 + )
278 + sed -i "${sed_args[@]}" configure{.ac,} || die
279 +
280 + eautoreconf
281 +}
282 +
283 +src_configure() {
284 + addwrite /dev/ptmx
285 +
286 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
287 + use static && append-ldflags -static
288 +
289 + local myconf=(
290 + --with-ldflags="${LDFLAGS}"
291 + --disable-strip
292 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
293 + --sysconfdir="${EPREFIX%/}"/etc/ssh
294 + --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
295 + --datadir="${EPREFIX%/}"/usr/share/openssh
296 + --with-privsep-path="${EPREFIX%/}"/var/empty
297 + --with-privsep-user=sshd
298 + $(use_with audit audit linux)
299 + $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
300 + # We apply the sctp patch conditionally, so can't pass --without-sctp
301 + # unconditionally else we get unknown flag warnings.
302 + $(use sctp && use_with sctp)
303 + $(use_with ldns)
304 + $(use_with libedit)
305 + $(use_with pam)
306 + $(use_with pie)
307 + $(use_with selinux)
308 + $(use_with skey)
309 + $(use_with ssl openssl)
310 + $(use_with ssl md5-passwords)
311 + $(use_with ssl ssl-engine)
312 + )
313 +
314 + # stackprotect is broken on musl x86
315 + use elibc_musl && use x86 && myconf+=( --without-stackprotect )
316 +
317 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
318 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
319 +
320 + econf "${myconf[@]}"
321 +}
322 +
323 +src_test() {
324 + local t skipped=() failed=() passed=()
325 + local tests=( interop-tests compat-tests )
326 +
327 + local shell=$(egetshell "${UID}")
328 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
329 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
330 + elog "user, so we will run a subset only."
331 + skipped+=( tests )
332 + else
333 + tests+=( tests )
334 + fi
335 +
336 + # It will also attempt to write to the homedir .ssh.
337 + local sshhome=${T}/homedir
338 + mkdir -p "${sshhome}"/.ssh
339 + for t in "${tests[@]}" ; do
340 + # Some tests read from stdin ...
341 + HOMEDIR="${sshhome}" HOME="${sshhome}" \
342 + emake -k -j1 ${t} </dev/null \
343 + && passed+=( "${t}" ) \
344 + || failed+=( "${t}" )
345 + done
346 +
347 + einfo "Passed tests: ${passed[*]}"
348 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
349 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
350 +}
351 +
352 +# Gentoo tweaks to default config files.
353 +tweak_ssh_configs() {
354 + local locale_vars=(
355 + # These are language variables that POSIX defines.
356 + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
357 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
358 +
359 + # These are the GNU extensions.
360 + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
361 + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
362 + )
363 +
364 + # First the server config.
365 + cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
366 +
367 + # Allow client to pass locale environment variables. #367017
368 + AcceptEnv ${locale_vars[*]}
369 +
370 + # Allow client to pass COLORTERM to match TERM. #658540
371 + AcceptEnv COLORTERM
372 + EOF
373 +
374 + # Then the client config.
375 + cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
376 +
377 + # Send locale environment variables. #367017
378 + SendEnv ${locale_vars[*]}
379 +
380 + # Send COLORTERM to match TERM. #658540
381 + SendEnv COLORTERM
382 + EOF
383 +
384 + if use pam ; then
385 + sed -i \
386 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
387 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
388 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
389 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
390 + "${ED%/}"/etc/ssh/sshd_config || die
391 + fi
392 +
393 + if use livecd ; then
394 + sed -i \
395 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
396 + "${ED%/}"/etc/ssh/sshd_config || die
397 + fi
398 +}
399 +
400 +src_install() {
401 + emake install-nokeys DESTDIR="${D}"
402 + fperms 600 /etc/ssh/sshd_config
403 + dobin contrib/ssh-copy-id
404 + newinitd "${FILESDIR}"/sshd.rc6.5 sshd
405 + newconfd "${FILESDIR}"/sshd-r1.confd sshd
406 +
407 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
408 +
409 + tweak_ssh_configs
410 +
411 + doman contrib/ssh-copy-id.1
412 + dodoc CREDITS OVERVIEW README* TODO sshd_config
413 + use hpn && dodoc HPN-README
414 + use X509 || dodoc ChangeLog
415 +
416 + diropts -m 0700
417 + dodir /etc/skel/.ssh
418 +
419 + keepdir /var/empty
420 +
421 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
422 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
423 +}
424 +
425 +pkg_preinst() {
426 + enewgroup sshd 22
427 + enewuser sshd 22 -1 /var/empty sshd
428 +}
429 +
430 +pkg_postinst() {
431 + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
432 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
433 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
434 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
435 + fi
436 + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
437 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
438 + elog "Make sure to update any configs that you might have. Note that xinetd might"
439 + elog "be an alternative for you as it supports USE=tcpd."
440 + fi
441 + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
442 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
443 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
444 + elog "adding to your sshd_config or ~/.ssh/config files:"
445 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
446 + elog "You should however generate new keys using rsa or ed25519."
447 +
448 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
449 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
450 + elog "out of the box. If you need this, please update your sshd_config explicitly."
451 + fi
452 + if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
453 + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
454 + elog "Furthermore, rsa keys with less than 1024 bits will be refused."
455 + fi
456 + if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
457 + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
458 + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
459 + elog "if you need to authenticate against LDAP."
460 + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
461 + fi
462 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
463 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
464 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
465 + elog "and update all clients/servers that utilize them."
466 + fi
467 +
468 + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
469 + elog ""
470 + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
471 + elog "and therefore disabled at runtime per default."
472 + elog "Make sure your sshd_config is up to date and contains"
473 + elog ""
474 + elog " DisableMTAES yes"
475 + elog ""
476 + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
477 + elog ""
478 + fi
479 +}
Report Message
Find on MARC Find on Google Groups