
From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date: Thu, 31 Jan 2019 23:36:20
Message-Id: 1548977766.050d6622eb94afedb98e37aa719e8ca6972cc9fa.polynomial-c@gentoo
1 commit: 050d6622eb94afedb98e37aa719e8ca6972cc9fa
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jan 31 23:35:14 2019 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 31 23:36:06 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=050d6622
7
8 Revert "net-misc/openssh: Removed old."
9
10 This reverts commit 500a23230ac217b5dbca87f3cc22deaf1356ec2b.
11 because some ebuilds still depend on <openssh-7.6
12
13 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
14
15 net-misc/openssh/Manifest | 9 +
16 .../files/openssh-7.3-mips-seccomp-n32.patch | 21 +
17 .../files/openssh-7.5_p1-CVE-2017-15906.patch | 31 ++
18 .../openssh/files/openssh-7.5_p1-GSSAPI-dns.patch | 351 ++++++++++++++++
19 .../openssh/files/openssh-7.5_p1-cross-cache.patch | 39 ++
20 .../files/openssh-7.5_p1-hpn-x509-10.2-glue.patch | 67 +++
21 .../files/openssh-7.5_p1-s390-seccomp.patch | 27 ++
22 .../openssh/files/openssh-7.5_p1-x32-typo.patch | 25 ++
23 .../files/openssh-7.8_p1-X509-no-version.patch | 19 +
24 .../files/openssh-7.8_p1-hpn-X509-glue.patch | 79 ++++
25 .../openssh/files/openssh-7.8_p1-hpn-glue.patch | 112 +++++
26 .../files/openssh-7.8_p1-hpn-sctp-glue.patch | 17 +
27 net-misc/openssh/metadata.xml | 2 +
28 net-misc/openssh/openssh-7.5_p1-r4.ebuild | 334 +++++++++++++++
29 net-misc/openssh/openssh-7.8_p1.ebuild | 438 ++++++++++++++++++++
30 net-misc/openssh/openssh-7.9_p1-r1.ebuild | 450 +++++++++++++++++++++
31 net-misc/openssh/openssh-7.9_p1.ebuild | 450 +++++++++++++++++++++
32 17 files changed, 2471 insertions(+)
33
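diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 2bb83502015..e0c1d3402c2 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,10 +1,19 @@
+DIST openssh-7.4_p1-sctp.patch.xz 8220 BLAKE2B 2d571cacaab342b7950b42ec826bd896edf78780e9ee73fcd441cbc9764eb59e408e295062862db986918824d10498383bf34ae7c93df0da2c056eaec4d2c031 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4
+DIST openssh-7.5p1+x509-10.2.diff.gz 467040 BLAKE2B 4048b0f016bf7d43276f88117fc266d1a450d298563bfc6ce705ec2829b8f9d91af5c5232941d55004b5aea2d3e0fb682a9d4acd9510c9761ba7ede2f2f0e37f SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a
+DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 BLAKE2B 15702338877e50c2143b33b93bfc87d0aa0fa55915db1f0cab9c22e55f8aa0c6eeb5a56f438d849544d1650bdc574384b851292d621b79f673b78bc37617aa0b SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9
+DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551c3ae037593d4296305df189e0a6f1383adc89b1970d58b8dcfff391878b7a29b848cc244a99705a164bec5d734 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
 DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
 DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b
 DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
 DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
 DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
+DIST openssh-7.8p1+x509-11.4.diff.gz 536597 BLAKE2B 18593135d0d4010f40a6e0c99a6a2e9fb4ca98d00b4940be5cb547fcb647adc9663245274d4e792bcc7c2ec49accaceb7c3c489707bbb7aaeed260dd2e0eb1c3 SHA512 b95d46201626797f197c5aa8488b0543d2c7c5719b99fadd94ef2c888a96c6a7b649527b78b6d6014d953ae57e05ecf116192cf498687db8cb7669c3998deecc
+DIST openssh-7.8p1-sctp-1.1.patch.xz 7548 BLAKE2B d74010028f097812f554f9e788aa5e46d75c12edbef18aaeaa9866665025bdad04a1a028cc862d11d718208c1b63862780840332536a535bb2eaff7661c966ef SHA512 c084f6b2cfa9cb70f46ecc9edfce6e2843cd4cd5e36ac870f5ceaaedd056ba9aa2ce8769418239ad0fe5e7350573397a222b6525a029f4492feb7b144ee22aa3
+DIST openssh-7.8p1.tar.gz 1548026 BLAKE2B 938428408596d24d497f245e3662a0cff3d462645683bf75cd29a0ea56fa6c280e7fa866bedf0928dd5bc4085b82d5a4ce74b7eea0b45b86f879b69f74db1642 SHA512 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
+DIST openssh-7.9p1+x509-11.5.diff.gz 594995 BLAKE2B 2c44df224e4114da0473cbbdfdcc4bd84b0b0235f80b43517d70fe1071f219d2631f784015ab1470eebcf8f3b6b5f8744862acebb22f217c6e76f79e6a49c099 SHA512 4d2fd950dee9721add822fdb54ff8c20fd18da85081ce8a2bd2a1050d3ff7900a7213782c479691de9dcfe4e2f91061e124d34b365edb3831e8bfe4aef3744f9
 DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc
 DIST openssh-7.9p1-sctp-1.1.patch.xz 7552 BLAKE2B 0eeda7c8a50c0c98433b5ee0734b9f79043067be376a9ca724d574d4a595c3f7aed0626342300467b73ad9003392e22fda8abe778158ba5be5a50a57eeef79f8 SHA512 6cad32c40dd3901c4eadb0c463a35ec2d901e61220c333d3df7759f672259f66fc83e2b1ace8b0ef84cbc1a65397f00f9c670ffa23726d8309fa5060512d2c21
 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
 DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
+DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b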
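diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
new file mode 100644
index 00000000000..7eaadaf11cd
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
@@ -0,0 +1,21 @@
+https://bugs.gentoo.org/591392
+https://bugzilla.mindrot.org/show_bug.cgi?id=2590
+
+7.3 added seccomp support to MIPS, but failed to handled the N32
+case. This patch is temporary until upstream fixes.
+
+--- openssh-7.3p1/configure.ac
++++ openssh-7.3p1/configure.ac
+@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL
+ ;;
+ mips64-*)
+- seccomp_audit_arch=AUDIT_ARCH_MIPS64
++ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
+ ;;
+ mips64el-*)
+- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
++ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
+ ;;
+ esac
+ if test "x$seccomp_audit_arch" != "x" ; then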
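Review bot: The `mips64-*)` and `mips64el-*)` arms now select the N32 audit architecture unconditionally, so a build targeting an N64 userland would get a seccomp filter whose architecture check never matches the running sshd; the patch header should say this is for the n32 ABI only, e.g. `Only apply when building for the n32 ABI; it is wrong for n64.` Whether the ebuild gates the patch on the ABI is not visible here. The header line `failed to handled the N32` should read `failed to handle the N32`.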
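diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
new file mode 100644
index 00000000000..b97ceb4b278
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
@@ -0,0 +1,31 @@
+From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
+From: djm <djm@×××××××.org>
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: [PATCH] disallow creation (of empty files) in read-only mode;
+ reported by Michal Zalewski, feedback & ok deraadt@
+
+---
+ usr.bin/ssh/sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
+index 2510d234a3a..42249ebd60d 100644
+--- a/usr.bin/ssh/sftp-server.c
++++ b/usr.bin/ssh/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+ * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
+ *
+@@ -683,8 +683,8 @@ process_open(u_int32_t id)
+ logit("open \"%s\" flags %s mode 0%o",
+ name, string_from_portable(pflags), mode);
+ if (readonly &&
+- ((flags & O_ACCMODE) == O_WRONLY ||
+- (flags & O_ACCMODE) == O_RDWR)) {
++ ((flags & O_ACCMODE) != O_RDONLY ||
++ (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ verbose("Refusing open request in read-only mode");
+ status = SSH2_FX_PERMISSION_DENIED;
+ } else {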
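Review bot: The patch's file paths are `a/usr.bin/ssh/sftp-server.c`, the OpenBSD tree layout, while the portable tarball has `sftp-server.c` at the top level, so it only applies with the matching strip count; a one-line note above the `From` header such as `Backport of upstream a6981567 to 7.5p1; apply with -p3` would document that for whoever next rebases it. How the ebuild applies it is not visible in this page. The change itself is the upstream fix: read-only mode now rejects any access mode other than O_RDONLY and any open carrying O_CREAT or O_TRUNC, closing the empty-file creation the old two-case check allowed.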
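diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
new file mode 100644
index 00000000000..6b1e6dd35a4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
@@ -0,0 +1,351 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/readconf.c
++++ b/readconf.c
+@@ -148,6 +148,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ # else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ { "smartcarddevice", oPKCS11Provider },
+@@ -930,6 +933,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1649,6 +1656,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -46,6 +46,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -656,6 +656,13 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns) {
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++ gss_host = auth_get_canonical_hostname(active_state, 1);
++ } else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -668,7 +674,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
+
+need to move these two funcs back to canohost so they're available to clients
+and the server. auth.c is only used in the server.
+
+--- a/auth.c
++++ b/auth.c
+@@ -784,117 +784,3 @@ fakepw(void)
+
+ return (&fake);
+ }
+-
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+- struct sockaddr_storage from;
+- socklen_t fromlen;
+- struct addrinfo hints, *ai, *aitop;
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+- const char *ntop = ssh_remote_ipaddr(ssh);
+-
+- /* Get IP address of client. */
+- fromlen = sizeof(from);
+- memset(&from, 0, sizeof(from));
+- if (getpeername(ssh_packet_get_connection_in(ssh),
+- (struct sockaddr *)&from, &fromlen) < 0) {
+- debug("getpeername failed: %.100s", strerror(errno));
+- return strdup(ntop);
+- }
+-
+- ipv64_normalise_mapped(&from, &fromlen);
+- if (from.ss_family == AF_INET6)
+- fromlen = sizeof(struct sockaddr_in6);
+-
+- debug3("Trying to reverse map address %.100s.", ntop);
+- /* Map the IP address to a host name. */
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+- NULL, 0, NI_NAMEREQD) != 0) {
+- /* Host name not found. Use ip address. */
+- return strdup(ntop);
+- }
+-
+- /*
+- * if reverse lookup result looks like a numeric hostname,
+- * someone is trying to trick us by PTR record like following:
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+- hints.ai_flags = AI_NUMERICHOST;
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+- name, ntop);
+- freeaddrinfo(ai);
+- return strdup(ntop);
+- }
+-
+- /* Names are stored in lowercase. */
+- lowercase(name);
+-
+- /*
+- * Map it back to an IP address and check that the given
+- * address actually is an address of this host. This is
+- * necessary because anyone with access to a name server can
+- * define arbitrary names for an IP address. Mapping from
+- * name to IP address can be trusted better (but can still be
+- * fooled if the intruder has access to the name server of
+- * the domain).
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = from.ss_family;
+- hints.ai_socktype = SOCK_STREAM;
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+- logit("reverse mapping checking getaddrinfo for %.700s "
+- "[%s] failed.", name, ntop);
+- return strdup(ntop);
+- }
+- /* Look for the address from the list of addresses. */
+- for (ai = aitop; ai; ai = ai->ai_next) {
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+- (strcmp(ntop, ntop2) == 0))
+- break;
+- }
+- freeaddrinfo(aitop);
+- /* If we reached the end of the list, the address was not there. */
+- if (ai == NULL) {
+- /* Address not found for the host name. */
+- logit("Address %.100s maps to %.600s, but this does not "
+- "map back to the address.", ntop, name);
+- return strdup(ntop);
+- }
+- return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection. The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+- static char *dnsname;
+-
+- if (!use_dns)
+- return ssh_remote_ipaddr(ssh);
+- else if (dnsname != NULL)
+- return dnsname;
+- else {
+- dnsname = remote_hostname(ssh);
+- return dnsname;
+- }
+-}
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++ struct sockaddr_storage from;
++ socklen_t fromlen;
++ struct addrinfo hints, *ai, *aitop;
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++ const char *ntop = ssh_remote_ipaddr(ssh);
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getpeername(ssh_packet_get_connection_in(ssh),
++ (struct sockaddr *)&from, &fromlen) < 0) {
++ debug("getpeername failed: %.100s", strerror(errno));
++ return strdup(ntop);
++ }
++
++ ipv64_normalise_mapped(&from, &fromlen);
++ if (from.ss_family == AF_INET6)
++ fromlen = sizeof(struct sockaddr_in6);
++
++ debug3("Trying to reverse map address %.100s.", ntop);
++ /* Map the IP address to a host name. */
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++ NULL, 0, NI_NAMEREQD) != 0) {
++ /* Host name not found. Use ip address. */
++ return strdup(ntop);
++ }
++
++ /*
++ * if reverse lookup result looks like a numeric hostname,
++ * someone is trying to trick us by PTR record like following:
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++ name, ntop);
++ freeaddrinfo(ai);
++ return strdup(ntop);
++ }
++
++ /* Names are stored in lowercase. */
++ lowercase(name);
++
++ /*
++ * Map it back to an IP address and check that the given
++ * address actually is an address of this host. This is
++ * necessary because anyone with access to a name server can
++ * define arbitrary names for an IP address. Mapping from
++ * name to IP address can be trusted better (but can still be
++ * fooled if the intruder has access to the name server of
++ * the domain).
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = from.ss_family;
++ hints.ai_socktype = SOCK_STREAM;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++ logit("reverse mapping checking getaddrinfo for %.700s "
++ "[%s] failed.", name, ntop);
++ return strdup(ntop);
++ }
++ /* Look for the address from the list of addresses. */
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++ (strcmp(ntop, ntop2) == 0))
++ break;
++ }
++ freeaddrinfo(aitop);
++ /* If we reached the end of the list, the address was not there. */
++ if (ai == NULL) {
++ /* Address not found for the host name. */
++ logit("Address %.100s maps to %.600s, but this does not "
++ "map back to the address.", ntop, name);
++ return strdup(ntop);
++ }
++ return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection. The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++ static char *dnsname;
++
++ if (!use_dns)
++ return ssh_remote_ipaddr(ssh);
++ else if (dnsname != NULL)
++ return dnsname;
++ else {
++ dnsname = remote_hostname(ssh);
++ return dnsname;
++ }
++}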
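Review bot: In the sshconnect2.c hunk the prototype for `auth_get_canonical_hostname` is written as a block-scope `extern` inside the function body; now that the patch moves the function into canohost.c, the declaration belongs in canohost.h, e.g. `const char *auth_get_canonical_hostname(struct ssh *, int);`, so client and server compile against one prototype. The same hunk pairs a braced `if` with an unbraced `else`, which the surrounding OpenSSH code does not do. The enclosing function begins before the hunk. The ssh_config.5 hunk says DNS is trusted to "securely canonicalize" the name, but the canohost.c code only forward-confirms a reverse lookup, so the man page should add that the option trusts whatever the resolver answers and is only as strong as that resolver path.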
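diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
new file mode 100644
index 00000000000..1c2b7b8a091
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
@@ -0,0 +1,39 @@
+From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@××××××××.org>
+Date: Wed, 24 May 2017 23:18:41 -0400
+Subject: [PATCH] configure: actually set cache vars when cross-compiling
+
+The cross-compiling fallback message says it's assuming the test
+passed, but it didn't actually set the cache var which causes
+later tests to fail.
+---
+ configure.ac | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5cfea38c0a6c..895c5211ea93 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
+ select_works_with_rlimit=yes],
+ [AC_MSG_RESULT([no])
+ select_works_with_rlimit=no],
+- [AC_MSG_WARN([cross compiling: assuming yes])]
++ [AC_MSG_WARN([cross compiling: assuming yes])
++ select_works_with_rlimit=yes]
+ )
+
+ AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
+@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
+ rlimit_nofile_zero_works=yes],
+ [AC_MSG_RESULT([no])
+ rlimit_nofile_zero_works=no],
+- [AC_MSG_WARN([cross compiling: assuming yes])]
++ [AC_MSG_WARN([cross compiling: assuming yes])
++ rlimit_nofile_zero_works=yes]
+ )
+
+ AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
+--
+2.12.0
+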
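diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
new file mode 100644
index 00000000000..11a5b364be4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
@@ -0,0 +1,67 @@
+diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
+--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700
++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700
+@@ -40,7 +40,7 @@
+ @@ -44,7 +44,7 @@ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -1023,6 +1023,3 @@
+ do_authenticated(authctxt);
+
+ /* The connection has been terminated. */
+---
+-2.12.0
+-
+diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch
+--- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700
++++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700
+@@ -926,9 +926,9 @@
+ @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1)
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
+++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
+ } else {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+ - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+@@ -943,11 +943,11 @@
+ @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+ char remote_version[256]; /* Must be at least as big as buf. */
+
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
++ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s",
++- major, minor, SSH_VERSION, pkix_comment,
+++ major, minor, SSH_RELEASE, pkix_comment,
+ *options.version_addendum == '\0' ? "" : " ",
+- options.version_addendum);
++ options.version_addendum, newline);
+
+ @@ -1020,6 +1020,8 @@ server_listen(void)
+ int ret, listen_sock, on = 1;
+@@ -1006,12 +1008,9 @@
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,5 @@
++@@ -3,4 +3,6 @@
+ #define SSH_VERSION "OpenSSH_7.5"
+
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
++-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+++#define SSH_X509 ", PKIX-SSH " PACKAGE_VERSION
+ +#define SSH_HPN "-hpn14v12"
+ +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+---
+-2.12.0
+-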
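diff --git a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch b/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
new file mode 100644
index 00000000000..d7932003f8f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
@@ -0,0 +1,27 @@
+From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@×××××××.org>
+Date: Wed, 22 Mar 2017 12:43:02 +1100
+Subject: [PATCH] Missing header on Linux/s390
+
+Patch from Jakub Jelen
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index a8d472a63ccb..2831e9d1083c 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -50,6 +50,9 @@
+ #include <elf.h>
+
+ #include <asm/unistd.h>
++#ifdef __s390__
++#include <asm/zcrypt.h>
++#endif
+
+ #include <errno.h>
+ #include <signal.h>
+--
+2.15.1
+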
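diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
new file mode 100644
index 00000000000..5dca1b0e4e1
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
@@ -0,0 +1,25 @@
+From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Mon, 20 Mar 2017 14:57:40 -0400
+Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
+
+---
+ sandbox-seccomp-filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3a1aedce72c2..a8d472a63ccb 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
+ * x86-64 syscall under some circumstances, e.g.
+ * https://bugs.debian.org/849923
+ */
+- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
++ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
+ #endif
+
+ /* Default deny */
+--
+2.12.0
+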
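diff --git a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch b/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
new file mode 100644
index 00000000000..66641c27473
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
@@ -0,0 +1,19 @@
+--- a/openssh-7.8p1+x509-11.4.diff 2018-08-24 14:55:19.153936872 -0700
++++ b/openssh-7.8p1+x509-11.4.diff 2018-08-24 14:55:58.116677254 -0700
+@@ -63643,16 +63643,6 @@
+ setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
+ return;
+ setlocale(LC_CTYPE, "C");
+-diff -ruN openssh-7.8p1/version.h openssh-7.8p1+x509-11.4/version.h
+---- openssh-7.8p1/version.h 2018-08-23 08:41:42.000000000 +0300
+-+++ openssh-7.8p1+x509-11.4/version.h 2018-08-24 20:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+-
+- #define SSH_VERSION "OpenSSH_7.8"
+-
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-7.8p1/version.m4 openssh-7.8p1+x509-11.4/version.m4
+ --- openssh-7.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-7.8p1+x509-11.4/version.m4 2018-08-24 20:00:00.000000000 +0300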
695 diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
696 new file mode 100644
697 index 00000000000..c76d454c92f
698 --- /dev/null
699 +++ b/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
700 @@ -0,0 +1,79 @@
701 +--- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig 2018-09-12 15:58:57.377986085 -0700
702 ++++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2018-09-12 16:07:15.376711327 -0700
703 +@@ -4,8 +4,8 @@
704 + +++ b/Makefile.in
705 + @@ -42,7 +42,7 @@ CC=@CC@
706 + LD=@LD@
707 +- CFLAGS=@CFLAGS@
708 +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
709 ++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
710 ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
711 + -LIBS=@LIBS@
712 + +LIBS=@LIBS@ -lpthread
713 + K5LIBS=@K5LIBS@
714 +@@ -788,8 +788,8 @@
715 + ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
716 + {
717 + struct session_state *state;
718 +-- const struct sshcipher *none = cipher_by_name("none");
719 +-+ struct sshcipher *none = cipher_by_name("none");
720 ++- const struct sshcipher *none = cipher_none();
721 +++ struct sshcipher *none = cipher_none();
722 + int r;
723 +
724 + if (none == NULL) {
725 +@@ -933,9 +933,9 @@
726 + /* Portable-specific options */
727 + sUsePAM,
728 + + sDisableMTAES,
729 +- /* Standard Options */
730 +- sPort, sHostKeyFile, sLoginGraceTime,
731 +- sPermitRootLogin, sLogFacility, sLogLevel,
732 ++ /* X.509 Standard Options */
733 ++ sHostbasedAlgorithms,
734 ++ sPubkeyAlgorithms,
735 + @@ -626,6 +630,7 @@ static struct {
736 + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
737 + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
738 +--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 16:38:16.947447218 -0700
739 ++++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 16:32:35.479700864 -0700
740 +@@ -382,7 +382,7 @@
741 + @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
742 + int nenc, nmac, ncomp;
743 + u_int mode, ctos, need, dh_need, authlen;
744 +- int r, first_kex_follows;
745 ++ int r, first_kex_follows = 0;
746 + + int auth_flag;
747 + +
748 + + auth_flag = packet_authentication_state(ssh);
749 +@@ -1125,15 +1125,6 @@
750 + index a738c3a..b32dbe0 100644
751 + --- a/sshd.c
752 + +++ b/sshd.c
753 +-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
754 +- char remote_version[256]; /* Must be at least as big as buf. */
755 +-
756 +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
757 +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
758 +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
759 +- *options.version_addendum == '\0' ? "" : " ",
760 +- options.version_addendum);
761 +-
762 + @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
763 + int ret, listen_sock;
764 + struct addrinfo *ai;
765 +@@ -1213,14 +1204,3 @@
766 + # Example of overriding settings on a per-user basis
767 + #Match User anoncvs
768 + # X11Forwarding no
769 +-diff --git a/version.h b/version.h
770 +-index f1bbf00..21a70c2 100644
771 +---- a/version.h
772 +-+++ b/version.h
773 +-@@ -3,4 +3,5 @@
774 +- #define SSH_VERSION "OpenSSH_7.8"
775 +-
776 +- #define SSH_PORTABLE "p1"
777 +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
778 +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
779 +-+
780
781 diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
782 new file mode 100644
783 index 00000000000..0561e381406
784 --- /dev/null
785 +++ b/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
786 @@ -0,0 +1,112 @@
787 +--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-11 17:19:19.968420409 -0700
788 ++++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-11 17:39:19.977535398 -0700
789 +@@ -409,18 +409,10 @@
790 + index dcf35e6..da4ced0 100644
791 + --- a/packet.c
792 + +++ b/packet.c
793 +-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
794 ++@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
795 + return 0;
796 + }
797 +
798 +-+/* this supports the forced rekeying required for the NONE cipher */
799 +-+int rekey_requested = 0;
800 +-+void
801 +-+packet_request_rekeying(void)
802 +-+{
803 +-+ rekey_requested = 1;
804 +-+}
805 +-+
806 + +/* used to determine if pre or post auth when rekeying for aes-ctr
807 + + * and none cipher switch */
808 + +int
809 +@@ -434,20 +426,6 @@
810 + #define MAX_PACKETS (1U<<31)
811 + static int
812 + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
813 +-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
814 +- if (state->p_send.packets == 0 && state->p_read.packets == 0)
815 +- return 0;
816 +-
817 +-+ /* used to force rekeying when called for by the none
818 +-+ * cipher switch methods -cjr */
819 +-+ if (rekey_requested == 1) {
820 +-+ rekey_requested = 0;
821 +-+ return 1;
822 +-+ }
823 +-+
824 +- /* Time-based rekeying */
825 +- if (state->rekey_interval != 0 &&
826 +- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
827 + diff --git a/packet.h b/packet.h
828 + index 170203c..f4d9df2 100644
829 + --- a/packet.h
830 +@@ -476,9 +454,9 @@
831 + /* Format of the configuration file:
832 +
833 + @@ -166,6 +167,8 @@ typedef enum {
834 +- oHashKnownHosts,
835 + oTunnel, oTunnelDevice,
836 + oLocalCommand, oPermitLocalCommand, oRemoteCommand,
837 ++ oDisableMTAES,
838 + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
839 + + oNoneEnabled, oNoneSwitch,
840 + oVisualHostKey,
841 +@@ -615,9 +593,9 @@
842 + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
843 + SyslogFacility log_facility; /* Facility for system logging. */
844 + @@ -111,7 +115,10 @@ typedef struct {
845 +-
846 + int enable_ssh_keysign;
847 + int64_t rekey_limit;
848 ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
849 + + int none_switch; /* Use none cipher */
850 + + int none_enabled; /* Allow none to be used */
851 + int rekey_interval;
852 +@@ -673,9 +651,9 @@
853 + /* Portable-specific options */
854 + if (options->use_pam == -1)
855 + @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
856 +- }
857 +- if (options->permit_tun == -1)
858 + options->permit_tun = SSH_TUNMODE_NO;
859 ++ if (options->disable_multithreaded == -1)
860 ++ options->disable_multithreaded = 0;
861 + + if (options->none_enabled == -1)
862 + + options->none_enabled = 0;
863 + + if (options->hpn_disabled == -1)
864 +@@ -1092,7 +1070,7 @@
865 + xxx_host = host;
866 + xxx_hostaddr = hostaddr;
867 +
868 +-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
869 ++@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
870 +
871 + if (!authctxt.success)
872 + fatal("Authentication failed.");
873 +@@ -1117,10 +1095,9 @@
874 + + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
875 + + }
876 + + }
877 +-+
878 +- debug("Authentication succeeded (%s).", authctxt.method->name);
879 +- }
880 +
881 ++ #ifdef WITH_OPENSSL
882 ++ if (options.disable_multithreaded == 0) {
883 + diff --git a/sshd.c b/sshd.c
884 + index a738c3a..b32dbe0 100644
885 + --- a/sshd.c
886 +@@ -1217,11 +1194,10 @@
887 + index f1bbf00..21a70c2 100644
888 + --- a/version.h
889 + +++ b/version.h
890 +-@@ -3,4 +3,6 @@
891 ++@@ -3,4 +3,5 @@
892 + #define SSH_VERSION "OpenSSH_7.8"
893 +
894 + #define SSH_PORTABLE "p1"
895 + -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
896 +-+#define SSH_HPN "-hpn14v16"
897 + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
898 + +
899
900 diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
901 new file mode 100644
902 index 00000000000..a7d51ad9483
903 --- /dev/null
904 +++ b/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
905 @@ -0,0 +1,17 @@
906 +--- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 18:18:51.851536374 -0700
907 ++++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 18:19:01.116475099 -0700
908 +@@ -1190,14 +1190,3 @@
909 + # Example of overriding settings on a per-user basis
910 + #Match User anoncvs
911 + # X11Forwarding no
912 +-diff --git a/version.h b/version.h
913 +-index f1bbf00..21a70c2 100644
914 +---- a/version.h
915 +-+++ b/version.h
916 +-@@ -3,4 +3,5 @@
917 +- #define SSH_VERSION "OpenSSH_7.8"
918 +-
919 +- #define SSH_PORTABLE "p1"
920 +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
921 +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
922 +-+
923
924 diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
925 index ab669d3e59a..29134fc060d 100644
926 --- a/net-misc/openssh/metadata.xml
927 +++ b/net-misc/openssh/metadata.xml
928 @@ -26,8 +26,10 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
929 <use>
930 <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
931 <flag name="hpn">Enable high performance ssh</flag>
932 + <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
933 <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
934 <flag name="livecd">Enable root password logins for live-cd environment.</flag>
935 + <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
936 <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
937 <flag name="X509">Adds support for X.509 certificate authentication</flag>
938 </use>
939
940 diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r4.ebuild
941 new file mode 100644
942 index 00000000000..cbe425c4eef
943 --- /dev/null
944 +++ b/net-misc/openssh/openssh-7.5_p1-r4.ebuild
945 @@ -0,0 +1,334 @@
946 +# Copyright 1999-2018 Gentoo Foundation
947 +# Distributed under the terms of the GNU General Public License v2
948 +
949 +EAPI="5"
950 +
951 +inherit eutils user flag-o-matic multilib autotools pam systemd
952 +
953 +# Make it more portable between straight releases
954 +# and _p? releases.
955 +PARCH=${P/_}
956 +
957 +HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
958 +SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
959 +LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
960 +X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
961 +
962 +DESCRIPTION="Port of OpenBSD's free SSH release"
963 +HOMEPAGE="http://www.openssh.org/"
964 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
965 + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
966 + ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
967 + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
968 + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
969 + "
970 +
971 +LICENSE="BSD GPL-2"
972 +SLOT="0"
973 +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
974 +# Probably want to drop ssl defaulting to on in a future version.
975 +IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
976 +REQUIRED_USE="ldns? ( ssl )
977 + pie? ( !static )
978 + ssh1? ( ssl )
979 + static? ( !kerberos !pam )
980 + X509? ( !ldap !sctp ssl )
981 + test? ( ssl )"
982 +
983 +LIB_DEPEND="
984 + audit? ( sys-process/audit[static-libs(+)] )
985 + ldns? (
986 + net-libs/ldns[static-libs(+)]
987 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
988 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
989 + )
990 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
991 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
992 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
993 + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
994 + ssl? (
995 + !libressl? (
996 + >=dev-libs/openssl-1.0.1:0=[bindist=]
997 + dev-libs/openssl:0=[static-libs(+)]
998 + )
999 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
1000 + )
1001 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
1002 +RDEPEND="
1003 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
1004 + pam? ( virtual/pam )
1005 + kerberos? ( virtual/krb5 )
1006 + ldap? ( net-nds/openldap )"
1007 +DEPEND="${RDEPEND}
1008 + static? ( ${LIB_DEPEND} )
1009 + virtual/pkgconfig
1010 + virtual/os-headers
1011 + sys-devel/autoconf"
1012 +RDEPEND="${RDEPEND}
1013 + pam? ( >=sys-auth/pambase-20081028 )
1014 + userland_GNU? ( virtual/shadow )
1015 + X? ( x11-apps/xauth )"
1016 +
1017 +S=${WORKDIR}/${PARCH}
1018 +
1019 +pkg_pretend() {
1020 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
1021 + # than not be able to log in to their server any more
1022 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1023 + local fail="
1024 + $(use X509 && maybe_fail X509 X509_PATCH)
1025 + $(use ldap && maybe_fail ldap LDAP_PATCH)
1026 + $(use hpn && maybe_fail hpn HPN_PATCH)
1027 + "
1028 + fail=$(echo ${fail})
1029 + if [[ -n ${fail} ]] ; then
1030 + eerror "Sorry, but this version does not yet support features"
1031 + eerror "that you requested: ${fail}"
1032 + eerror "Please mask ${PF} for now and check back later:"
1033 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1034 + die "booooo"
1035 + fi
1036 +
1037 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
1038 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
1039 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1040 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
1041 + fi
1042 +}
1043 +
1044 +save_version() {
1045 + # version.h patch conflict avoidence
1046 + mv version.h version.h.$1
1047 + cp -f version.h.pristine version.h
1048 +}
1049 +
1050 +src_prepare() {
1051 + sed -i \
1052 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
1053 + pathnames.h || die
1054 + # keep this as we need it to avoid the conflict between LPK and HPN changing
1055 + # this file.
1056 + cp version.h version.h.pristine
1057 +
1058 + # don't break .ssh/authorized_keys2 for fun
1059 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1060 +
1061 + if use X509 ; then
1062 + if use hpn ; then
1063 + pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
1064 + epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
1065 + popd >/dev/null
1066 + fi
1067 + save_version X509
1068 + epatch "${WORKDIR}"/${X509_PATCH%.*}
1069 + fi
1070 +
1071 + if use ldap ; then
1072 + epatch "${WORKDIR}"/${LDAP_PATCH%.*}
1073 + save_version LPK
1074 + fi
1075 +
1076 + epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1077 + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1078 + epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
1079 + epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
1080 + epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
1081 + use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252
1082 + use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
1083 + use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
1084 + use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
1085 +
1086 + if use hpn ; then
1087 + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
1088 + EPATCH_MULTI_MSG="Applying HPN patchset ..." \
1089 + epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
1090 + save_version HPN
1091 + fi
1092 +
1093 + tc-export PKG_CONFIG
1094 + local sed_args=(
1095 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1096 + # Disable PATH reset, trust what portage gives us #254615
1097 + -e 's:^PATH=/:#PATH=/:'
1098 + # Disable fortify flags ... our gcc does this for us
1099 + -e 's:-D_FORTIFY_SOURCE=2::'
1100 + )
1101 + # The -ftrapv flag ICEs on hppa #505182
1102 + use hppa && sed_args+=(
1103 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1104 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1105 + )
1106 + # _XOPEN_SOURCE causes header conflicts on Solaris
1107 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
1108 + -e 's/-D_XOPEN_SOURCE//'
1109 + )
1110 + sed -i "${sed_args[@]}" configure{.ac,} || die
1111 +
1112 + epatch_user #473004
1113 +
1114 + # Now we can build a sane merged version.h
1115 + (
1116 + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
1117 + macros=()
1118 + for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
1119 + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
1120 + ) > version.h
1121 +
1122 + eautoreconf
1123 +}
1124 +
1125 +src_configure() {
1126 + addwrite /dev/ptmx
1127 +
1128 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1129 + use static && append-ldflags -static
1130 +
1131 + local myconf=(
1132 + --with-ldflags="${LDFLAGS}"
1133 + --disable-strip
1134 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1135 + --sysconfdir="${EPREFIX}"/etc/ssh
1136 + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
1137 + --datadir="${EPREFIX}"/usr/share/openssh
1138 + --with-privsep-path="${EPREFIX}"/var/empty
1139 + --with-privsep-user=sshd
1140 + $(use_with audit audit linux)
1141 + $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
1142 + # We apply the ldap patch conditionally, so can't pass --without-ldap
1143 + # unconditionally else we get unknown flag warnings.
1144 + $(use ldap && use_with ldap)
1145 + $(use_with ldns)
1146 + $(use_with libedit)
1147 + $(use_with pam)
1148 + $(use_with pie)
1149 + $(use X509 || use_with sctp)
1150 + $(use_with selinux)
1151 + $(use_with skey)
1152 + $(use_with ssh1)
1153 + $(use_with ssl openssl)
1154 + $(use_with ssl md5-passwords)
1155 + $(use_with ssl ssl-engine)
1156 + )
1157 +
1158 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
1159 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
1160 +
1161 + econf "${myconf[@]}"
1162 +}
1163 +
1164 +src_install() {
1165 + emake install-nokeys DESTDIR="${D}"
1166 + fperms 600 /etc/ssh/sshd_config
1167 + dobin contrib/ssh-copy-id
1168 + newinitd "${FILESDIR}"/sshd.rc6.4 sshd
1169 + newconfd "${FILESDIR}"/sshd.confd sshd
1170 +
1171 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
1172 + if use pam ; then
1173 + sed -i \
1174 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
1175 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
1176 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
1177 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
1178 + "${ED}"/etc/ssh/sshd_config || die
1179 + fi
1180 +
1181 + # Gentoo tweaks to default config files
1182 + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
1183 +
1184 + # Allow client to pass locale environment variables #367017
1185 + AcceptEnv LANG LC_*
1186 + EOF
1187 + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
1188 +
1189 + # Send locale environment variables #367017
1190 + SendEnv LANG LC_*
1191 + EOF
1192 +
1193 + if use livecd ; then
1194 + sed -i \
1195 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
1196 + "${ED}"/etc/ssh/sshd_config || die
1197 + fi
1198 +
1199 + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
1200 + insinto /etc/openldap/schema/
1201 + newins openssh-lpk_openldap.schema openssh-lpk.schema
1202 + fi
1203 +
1204 + doman contrib/ssh-copy-id.1
1205 + dodoc CREDITS OVERVIEW README* TODO sshd_config
1206 + use X509 || dodoc ChangeLog
1207 +
1208 + diropts -m 0700
1209 + dodir /etc/skel/.ssh
1210 +
1211 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
1212 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
1213 +}
1214 +
1215 +src_test() {
1216 + local t skipped=() failed=() passed=()
1217 + local tests=( interop-tests compat-tests )
1218 +
1219 + local shell=$(egetshell "${UID}")
1220 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
1221 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
1222 + elog "user, so we will run a subset only."
1223 + skipped+=( tests )
1224 + else
1225 + tests+=( tests )
1226 + fi
1227 +
1228 + # It will also attempt to write to the homedir .ssh.
1229 + local sshhome=${T}/homedir
1230 + mkdir -p "${sshhome}"/.ssh
1231 + for t in "${tests[@]}" ; do
1232 + # Some tests read from stdin ...
1233 + HOMEDIR="${sshhome}" HOME="${sshhome}" \
1234 + emake -k -j1 ${t} </dev/null \
1235 + && passed+=( "${t}" ) \
1236 + || failed+=( "${t}" )
1237 + done
1238 +
1239 + einfo "Passed tests: ${passed[*]}"
1240 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
1241 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
1242 +}
1243 +
1244 +pkg_preinst() {
1245 + enewgroup sshd 22
1246 + enewuser sshd 22 -1 /var/empty sshd
1247 +}
1248 +
1249 +pkg_postinst() {
1250 + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
1251 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
1252 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
1253 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
1254 + fi
1255 + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
1256 + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
1257 + fi
1258 + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
1259 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
1260 + elog "Make sure to update any configs that you might have. Note that xinetd might"
1261 + elog "be an alternative for you as it supports USE=tcpd."
1262 + fi
1263 + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
1264 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
1265 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
1266 + elog "adding to your sshd_config or ~/.ssh/config files:"
1267 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
1268 + elog "You should however generate new keys using rsa or ed25519."
1269 +
1270 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
1271 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
1272 + elog "out of the box. If you need this, please update your sshd_config explicitly."
1273 + fi
1274 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
1275 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
1276 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
1277 + elog "and update all clients/servers that utilize them."
1278 + fi
1279 +}
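Review bot: The reinstated openssh-7.5_p1-r4.ebuild comes back with fully stable KEYWORDS (amd64, x86, arm64, ...) while its src_prepare backports only one upstream security fix (`${PN}-7.5_p1-CVE-2017-15906.patch`); as far as I recall, later upstream releases fixed further issues (e.g. the pre-auth username-enumeration bug CVE-2018-15473 in 7.7), so a user who ends up with this version pinned by a reverse dependency is running a known-vulnerable sshd without any warning from the ebuild. Since the commit message says it is kept only because other ebuilds still depend on <openssh-7.6, I would state that next to the KEYWORDS line so it is not mistaken for a supported version, e.g. `# Kept only while other ebuilds depend on <openssh-7.6; lacks post-7.5 upstream security fixes. Drop as soon as those reverse deps are gone.`, and consider dropping the keywords to ~arch or adding a package.mask entry with the same rationale. A smaller robustness nit in the same file: the `pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null` / `popd >/dev/null` pair in the X509+hpn branch of src_prepare has no `|| die`, so a missing HPN directory would apply the glue patch against ${S} and fail with a misleading epatch error rather than a clear one.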
1280
1281 diff --git a/net-misc/openssh/openssh-7.8_p1.ebuild b/net-misc/openssh/openssh-7.8_p1.ebuild
1282 new file mode 100644
1283 index 00000000000..3ce6916d6e9
1284 --- /dev/null
1285 +++ b/net-misc/openssh/openssh-7.8_p1.ebuild
1286 @@ -0,0 +1,438 @@
1287 +# Copyright 1999-2018 Gentoo Foundation
1288 +# Distributed under the terms of the GNU General Public License v2
1289 +
1290 +EAPI=6
1291 +
1292 +inherit user flag-o-matic multilib autotools pam systemd
1293 +
1294 +# Make it more portable between straight releases
1295 +# and _p? releases.
1296 +PARCH=${P/_}
1297 +CAP_PV="${PV^^}"
1298 +
1299 +HPN_VER="14.16"
1300 +HPN_PATCHES=(
1301 + ${PN}-${CAP_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
1302 + ${PN}-${CAP_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
1303 +)
1304 +HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
1305 +SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
1306 +X509_VER="11.4" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
1307 +
1308 +DESCRIPTION="Port of OpenBSD's free SSH release"
1309 +HOMEPAGE="https://www.openssh.com/"
1310 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
1311 + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
1312 + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
1313 + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
1314 + "
1315 +
1316 +LICENSE="BSD GPL-2"
1317 +SLOT="0"
1318 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
1319 +# Probably want to drop ssl defaulting to on in a future version.
1320 +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
1321 +RESTRICT="!test? ( test )"
1322 +REQUIRED_USE="ldns? ( ssl )
1323 + pie? ( !static )
1324 + static? ( !kerberos !pam )
1325 + X509? ( !sctp ssl )
1326 + test? ( ssl )"
1327 +
1328 +LIB_DEPEND="
1329 + audit? ( sys-process/audit[static-libs(+)] )
1330 + ldns? (
1331 + net-libs/ldns[static-libs(+)]
1332 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
1333 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
1334 + )
1335 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
1336 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
1337 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
1338 + ssl? (
1339 + !libressl? (
1340 + >=dev-libs/openssl-1.0.1:0=[bindist=]
1341 + dev-libs/openssl:0=[static-libs(+)]
1342 + )
1343 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
1344 + )
1345 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
1346 +RDEPEND="
1347 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
1348 + pam? ( virtual/pam )
1349 + kerberos? ( virtual/krb5 )"
1350 +DEPEND="${RDEPEND}
1351 + static? ( ${LIB_DEPEND} )
1352 + virtual/pkgconfig
1353 + virtual/os-headers
1354 + sys-devel/autoconf"
1355 +RDEPEND="${RDEPEND}
1356 + pam? ( >=sys-auth/pambase-20081028 )
1357 + userland_GNU? ( virtual/shadow )
1358 + X? ( x11-apps/xauth )"
1359 +
1360 +S="${WORKDIR}/${PARCH}"
1361 +
1362 +pkg_pretend() {
1363 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
1364 + # than not be able to log in to their server any more
1365 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1366 + local fail="
1367 + $(use hpn && maybe_fail hpn HPN_VER)
1368 + $(use sctp && maybe_fail sctp SCTP_PATCH)
1369 + $(use X509 && maybe_fail X509 X509_PATCH)
1370 + "
1371 + fail=$(echo ${fail})
1372 + if [[ -n ${fail} ]] ; then
1373 + eerror "Sorry, but this version does not yet support features"
1374 + eerror "that you requested: ${fail}"
1375 + eerror "Please mask ${PF} for now and check back later:"
1376 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1377 + die "booooo"
1378 + fi
1379 +
1380 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
1381 + if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
1382 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1383 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
1384 + fi
1385 +}
1386 +
1387 +src_prepare() {
1388 + sed -i \
1389 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
1390 + pathnames.h || die
1391 +
1392 + # don't break .ssh/authorized_keys2 for fun
1393 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1394 +
1395 + eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1396 + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1397 + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
1398 +
1399 + local PATCHSET_VERSION_MACROS=()
1400 +
1401 + if use X509 ; then
1402 + pushd "${WORKDIR}" || die
1403 + eapply "${FILESDIR}/${P}-X509-no-version.patch"
1404 + popd || die
1405 +
1406 + eapply "${WORKDIR}"/${X509_PATCH%.*}
1407 +
1408 + # We need to patch package version or any X.509 sshd will reject our ssh client
1409 + # with "userauth_pubkey: could not parse key: string is too large [preauth]"
1410 + # error
1411 + einfo "Patching package version for X.509 patch set ..."
1412 + sed -i \
1413 + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
1414 + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
1415 +
1416 + einfo "Patching version.h to expose X.509 patch set ..."
1417 + sed -i \
1418 + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
1419 + "${S}"/version.h || die "Failed to sed-in X.509 patch version"
1420 + PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
1421 + fi
1422 +
1423 + if use sctp ; then
1424 + eapply "${WORKDIR}"/${SCTP_PATCH%.*}
1425 +
1426 + einfo "Patching version.h to expose SCTP patch set ..."
1427 + sed -i \
1428 + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
1429 + "${S}"/version.h || die "Failed to sed-in SCTP patch version"
1430 + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
1431 +
1432 + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
1433 + sed -i \
1434 + -e "/\t\tcfgparse \\\/d" \
1435 + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
1436 + fi
1437 +
1438 + if use hpn ; then
1439 + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
1440 + mkdir "${hpn_patchdir}"
1441 + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
1442 + pushd "${hpn_patchdir}"
1443 + eapply "${FILESDIR}"/${P}-hpn-glue.patch
1444 + use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
1445 + use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
1446 + popd
1447 +
1448 + eapply "${hpn_patchdir}"
1449 +
1450 + einfo "Patching Makefile.in for HPN patch set ..."
1451 + sed -i \
1452 + -e "/^LIBS=/ s/\$/ -lpthread/" \
1453 + "${S}"/Makefile.in || die "Failed to patch Makefile.in"
1454 +
1455 + einfo "Patching version.h to expose HPN patch set ..."
1456 + sed -i \
1457 + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
1458 + "${S}"/version.h || die "Failed to sed-in HPN patch version"
1459 + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
1460 +
1461 + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
1462 + einfo "Disabling known non-working MT AES cipher per default ..."
1463 +
1464 + cat > "${T}"/disable_mtaes.conf <<- EOF
1465 +
1466 + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
1467 + # and therefore disabled per default.
1468 + DisableMTAES yes
1469 + EOF
1470 + sed -i \
1471 + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
1472 + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
1473 +
1474 + sed -i \
1475 + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
1476 + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
1477 + fi
1478 + fi
1479 +
1480 + if use X509 || use sctp || use hpn ; then
1481 + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
1482 + sed -i \
1483 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1484 + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
1485 +
1486 + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
1487 + sed -i \
1488 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1489 + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
1490 +
1491 + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
1492 + sed -i \
1493 + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
1494 + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
1495 + fi
1496 +
1497 + sed -i \
1498 + -e "/#UseLogin no/d" \
1499 + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
1500 +
1501 + [[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
1502 +
1503 + eapply_user #473004
1504 +
1505 + tc-export PKG_CONFIG
1506 + local sed_args=(
1507 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1508 + # Disable PATH reset, trust what portage gives us #254615
1509 + -e 's:^PATH=/:#PATH=/:'
1510 + # Disable fortify flags ... our gcc does this for us
1511 + -e 's:-D_FORTIFY_SOURCE=2::'
1512 + )
1513 +
1514 + # The -ftrapv flag ICEs on hppa #505182
1515 + use hppa && sed_args+=(
1516 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1517 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1518 + )
1519 + # _XOPEN_SOURCE causes header conflicts on Solaris
1520 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
1521 + -e 's/-D_XOPEN_SOURCE//'
1522 + )
1523 + sed -i "${sed_args[@]}" configure{.ac,} || die
1524 +
1525 + eautoreconf
1526 +}
1527 +
1528 +src_configure() {
1529 + addwrite /dev/ptmx
1530 +
1531 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1532 + use static && append-ldflags -static
1533 +
1534 + local myconf=(
1535 + --with-ldflags="${LDFLAGS}"
1536 + --disable-strip
1537 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1538 + --sysconfdir="${EPREFIX%/}"/etc/ssh
1539 + --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
1540 + --datadir="${EPREFIX%/}"/usr/share/openssh
1541 + --with-privsep-path="${EPREFIX%/}"/var/empty
1542 + --with-privsep-user=sshd
1543 + $(use_with audit audit linux)
1544 + $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
1545 + # We apply the sctp patch conditionally, so can't pass --without-sctp
1546 + # unconditionally else we get unknown flag warnings.
1547 + $(use sctp && use_with sctp)
1548 + $(use_with ldns)
1549 + $(use_with libedit)
1550 + $(use_with pam)
1551 + $(use_with pie)
1552 + $(use_with selinux)
1553 + $(use_with ssl openssl)
1554 + $(use_with ssl md5-passwords)
1555 + $(use_with ssl ssl-engine)
1556 + $(use_with !elibc_Cygwin hardening) #659210
1557 + )
1558 +
1559 + # stackprotect is broken on musl x86
1560 + use elibc_musl && use x86 && myconf+=( --without-stackprotect )
1561 +
1562 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
1563 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
1564 +
1565 + econf "${myconf[@]}"
1566 +}
1567 +
1568 +src_test() {
1569 + local t skipped=() failed=() passed=()
1570 + local tests=( interop-tests compat-tests )
1571 +
1572 + local shell=$(egetshell "${UID}")
1573 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
1574 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
1575 + elog "user, so we will run a subset only."
1576 + skipped+=( tests )
1577 + else
1578 + tests+=( tests )
1579 + fi
1580 +
1581 + # It will also attempt to write to the homedir .ssh.
1582 + local sshhome=${T}/homedir
1583 + mkdir -p "${sshhome}"/.ssh
1584 + for t in "${tests[@]}" ; do
1585 + # Some tests read from stdin ...
1586 + HOMEDIR="${sshhome}" HOME="${sshhome}" \
1587 + emake -k -j1 ${t} </dev/null \
1588 + && passed+=( "${t}" ) \
1589 + || failed+=( "${t}" )
1590 + done
1591 +
1592 + einfo "Passed tests: ${passed[*]}"
1593 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
1594 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
1595 +}
1596 +
1597 +# Gentoo tweaks to default config files.
1598 +tweak_ssh_configs() {
1599 + local locale_vars=(
1600 + # These are language variables that POSIX defines.
1601 + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
1602 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
1603 +
1604 + # These are the GNU extensions.
1605 + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
1606 + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
1607 + )
1608 +
1609 + # First the server config.
1610 + cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
1611 +
1612 + # Allow client to pass locale environment variables. #367017
1613 + AcceptEnv ${locale_vars[*]}
1614 +
1615 + # Allow client to pass COLORTERM to match TERM. #658540
1616 + AcceptEnv COLORTERM
1617 + EOF
1618 +
1619 + # Then the client config.
1620 + cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
1621 +
1622 + # Send locale environment variables. #367017
1623 + SendEnv ${locale_vars[*]}
1624 +
1625 + # Send COLORTERM to match TERM. #658540
1626 + SendEnv COLORTERM
1627 + EOF
1628 +
1629 + if use pam ; then
1630 + sed -i \
1631 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
1632 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
1633 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
1634 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
1635 + "${ED%/}"/etc/ssh/sshd_config || die
1636 + fi
1637 +
1638 + if use livecd ; then
1639 + sed -i \
1640 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
1641 + "${ED%/}"/etc/ssh/sshd_config || die
1642 + fi
1643 +}
1644 +
1645 +src_install() {
1646 + emake install-nokeys DESTDIR="${D}"
1647 + fperms 600 /etc/ssh/sshd_config
1648 + dobin contrib/ssh-copy-id
1649 + newinitd "${FILESDIR}"/sshd.initd sshd
1650 + newconfd "${FILESDIR}"/sshd-r1.confd sshd
1651 +
1652 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
1653 +
1654 + tweak_ssh_configs
1655 +
1656 + doman contrib/ssh-copy-id.1
1657 + dodoc CREDITS OVERVIEW README* TODO sshd_config
1658 + use hpn && dodoc HPN-README
1659 + use X509 || dodoc ChangeLog
1660 +
1661 + diropts -m 0700
1662 + dodir /etc/skel/.ssh
1663 +
1664 + keepdir /var/empty
1665 +
1666 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
1667 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
1668 +}
1669 +
1670 +pkg_preinst() {
1671 + enewgroup sshd 22
1672 + enewuser sshd 22 -1 /var/empty sshd
1673 +}
1674 +
1675 +pkg_postinst() {
1676 + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
1677 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
1678 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
1679 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
1680 + fi
1681 + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
1682 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
1683 + elog "Make sure to update any configs that you might have. Note that xinetd might"
1684 + elog "be an alternative for you as it supports USE=tcpd."
1685 + fi
1686 + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
1687 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
1688 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
1689 + elog "adding to your sshd_config or ~/.ssh/config files:"
1690 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
1691 + elog "You should however generate new keys using rsa or ed25519."
1692 +
1693 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
1694 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
1695 + elog "out of the box. If you need this, please update your sshd_config explicitly."
1696 + fi
1697 + if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
1698 + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
1699 + elog "Furthermore, rsa keys with less than 1024 bits will be refused."
1700 + fi
1701 + if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
1702 + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
1703 + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
1704 + elog "if you need to authenticate against LDAP."
1705 + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
1706 + fi
1707 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
1708 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
1709 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
1710 + elog "and update all clients/servers that utilize them."
1711 + fi
1712 +
1713 + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
1714 + elog ""
1715 + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
1716 + elog "and therefore disabled at runtime per default."
1717 + elog "Make sure your sshd_config is up to date and contains"
1718 + elog ""
1719 + elog " DisableMTAES yes"
1720 + elog ""
1721 + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
1722 + elog ""
1723 + fi
1724 +}
1725
1726 diff --git a/net-misc/openssh/openssh-7.9_p1-r1.ebuild b/net-misc/openssh/openssh-7.9_p1-r1.ebuild
1727 new file mode 100644
1728 index 00000000000..af3fd632c5f
1729 --- /dev/null
1730 +++ b/net-misc/openssh/openssh-7.9_p1-r1.ebuild
1731 @@ -0,0 +1,450 @@
1732 +# Copyright 1999-2018 Gentoo Authors
1733 +# Distributed under the terms of the GNU General Public License v2
1734 +
1735 +EAPI=6
1736 +
1737 +inherit user flag-o-matic multilib autotools pam systemd
1738 +
1739 +# Make it more portable between straight releases
1740 +# and _p? releases.
1741 +PARCH=${P/_}
1742 +#HPN_PV="${PV^^}"
1743 +HPN_PV="7.8_P1"
1744 +
1745 +HPN_VER="14.16"
1746 +HPN_PATCHES=(
1747 + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
1748 + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
1749 +)
1750 +HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
1751 +SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
1752 +X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
1753 +
1754 +DESCRIPTION="Port of OpenBSD's free SSH release"
1755 +HOMEPAGE="https://www.openssh.com/"
1756 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
1757 + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
1758 + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
1759 + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
1760 + "
1761 +
1762 +LICENSE="BSD GPL-2"
1763 +SLOT="0"
1764 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
1765 +# Probably want to drop ssl defaulting to on in a future version.
1766 +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
1767 +RESTRICT="!test? ( test )"
1768 +REQUIRED_USE="ldns? ( ssl )
1769 + pie? ( !static )
1770 + static? ( !kerberos !pam )
1771 + X509? ( !sctp ssl )
1772 + test? ( ssl )"
1773 +
1774 +LIB_DEPEND="
1775 + audit? ( sys-process/audit[static-libs(+)] )
1776 + ldns? (
1777 + net-libs/ldns[static-libs(+)]
1778 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
1779 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
1780 + )
1781 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
1782 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
1783 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
1784 + ssl? (
1785 + !libressl? (
1786 + || (
1787 + (
1788 + >=dev-libs/openssl-1.0.1:0[bindist=]
1789 + <dev-libs/openssl-1.1.0:0[bindist=]
1790 + )
1791 + >=dev-libs/openssl-1.1.0g:0[bindist=]
1792 + )
1793 + dev-libs/openssl:0=[static-libs(+)]
1794 + )
1795 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
1796 + )
1797 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
1798 +RDEPEND="
1799 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
1800 + pam? ( virtual/pam )
1801 + kerberos? ( virtual/krb5 )"
1802 +DEPEND="${RDEPEND}
1803 + static? ( ${LIB_DEPEND} )
1804 + virtual/pkgconfig
1805 + virtual/os-headers
1806 + sys-devel/autoconf"
1807 +RDEPEND="${RDEPEND}
1808 + pam? ( >=sys-auth/pambase-20081028 )
1809 + userland_GNU? ( virtual/shadow )
1810 + X? ( x11-apps/xauth )"
1811 +
1812 +S="${WORKDIR}/${PARCH}"
1813 +
1814 +pkg_pretend() {
1815 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
1816 + # than not be able to log in to their server any more
1817 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1818 + local fail="
1819 + $(use hpn && maybe_fail hpn HPN_VER)
1820 + $(use sctp && maybe_fail sctp SCTP_PATCH)
1821 + $(use X509 && maybe_fail X509 X509_PATCH)
1822 + "
1823 + fail=$(echo ${fail})
1824 + if [[ -n ${fail} ]] ; then
1825 + eerror "Sorry, but this version does not yet support features"
1826 + eerror "that you requested: ${fail}"
1827 + eerror "Please mask ${PF} for now and check back later:"
1828 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1829 + die "booooo"
1830 + fi
1831 +
1832 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
1833 + if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
1834 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1835 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
1836 + fi
1837 +}
1838 +
1839 +src_prepare() {
1840 + sed -i \
1841 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
1842 + pathnames.h || die
1843 +
1844 + # don't break .ssh/authorized_keys2 for fun
1845 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1846 +
1847 + eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
1848 + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
1849 + eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1850 + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1851 + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
1852 +
1853 + local PATCHSET_VERSION_MACROS=()
1854 +
1855 + if use X509 ; then
1856 + pushd "${WORKDIR}" || die
1857 + eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
1858 + eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
1859 + popd || die
1860 +
1861 + eapply "${WORKDIR}"/${X509_PATCH%.*}
1862 + eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
1863 +
1864 + # We need to patch package version or any X.509 sshd will reject our ssh client
1865 + # with "userauth_pubkey: could not parse key: string is too large [preauth]"
1866 + # error
1867 + einfo "Patching package version for X.509 patch set ..."
1868 + sed -i \
1869 + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
1870 + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
1871 +
1872 + einfo "Patching version.h to expose X.509 patch set ..."
1873 + sed -i \
1874 + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
1875 + "${S}"/version.h || die "Failed to sed-in X.509 patch version"
1876 + PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
1877 + fi
1878 +
1879 + if use sctp ; then
1880 + eapply "${WORKDIR}"/${SCTP_PATCH%.*}
1881 +
1882 + einfo "Patching version.h to expose SCTP patch set ..."
1883 + sed -i \
1884 + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
1885 + "${S}"/version.h || die "Failed to sed-in SCTP patch version"
1886 + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
1887 +
1888 + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
1889 + sed -i \
1890 + -e "/\t\tcfgparse \\\/d" \
1891 + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
1892 + fi
1893 +
1894 + if use hpn ; then
1895 + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
1896 + mkdir "${hpn_patchdir}"
1897 + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
1898 + pushd "${hpn_patchdir}"
1899 + eapply "${FILESDIR}"/${P}-hpn-glue.patch
1900 + use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
1901 + use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
1902 + popd
1903 +
1904 + eapply "${hpn_patchdir}"
1905 + eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
1906 +
1907 + einfo "Patching Makefile.in for HPN patch set ..."
1908 + sed -i \
1909 + -e "/^LIBS=/ s/\$/ -lpthread/" \
1910 + "${S}"/Makefile.in || die "Failed to patch Makefile.in"
1911 +
1912 + einfo "Patching version.h to expose HPN patch set ..."
1913 + sed -i \
1914 + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
1915 + "${S}"/version.h || die "Failed to sed-in HPN patch version"
1916 + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
1917 +
1918 + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
1919 + einfo "Disabling known non-working MT AES cipher per default ..."
1920 +
1921 + cat > "${T}"/disable_mtaes.conf <<- EOF
1922 +
1923 + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
1924 + # and therefore disabled per default.
1925 + DisableMTAES yes
1926 + EOF
1927 + sed -i \
1928 + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
1929 + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
1930 +
1931 + sed -i \
1932 + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
1933 + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
1934 + fi
1935 + fi
1936 +
1937 + if use X509 || use sctp || use hpn ; then
1938 + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
1939 + sed -i \
1940 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1941 + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
1942 +
1943 + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
1944 + sed -i \
1945 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1946 + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
1947 +
1948 + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
1949 + sed -i \
1950 + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
1951 + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
1952 + fi
1953 +
1954 + sed -i \
1955 + -e "/#UseLogin no/d" \
1956 + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
1957 +
1958 + [[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
1959 +
1960 + eapply_user #473004
1961 +
1962 + tc-export PKG_CONFIG
1963 + local sed_args=(
1964 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1965 + # Disable PATH reset, trust what portage gives us #254615
1966 + -e 's:^PATH=/:#PATH=/:'
1967 + # Disable fortify flags ... our gcc does this for us
1968 + -e 's:-D_FORTIFY_SOURCE=2::'
1969 + )
1970 +
1971 + # The -ftrapv flag ICEs on hppa #505182
1972 + use hppa && sed_args+=(
1973 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1974 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1975 + )
1976 + # _XOPEN_SOURCE causes header conflicts on Solaris
1977 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
1978 + -e 's/-D_XOPEN_SOURCE//'
1979 + )
1980 + sed -i "${sed_args[@]}" configure{.ac,} || die
1981 +
1982 + eautoreconf
1983 +}
1984 +
1985 +src_configure() {
1986 + addwrite /dev/ptmx
1987 +
1988 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1989 + use static && append-ldflags -static
1990 +
1991 + local myconf=(
1992 + --with-ldflags="${LDFLAGS}"
1993 + --disable-strip
1994 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1995 + --sysconfdir="${EPREFIX%/}"/etc/ssh
1996 + --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
1997 + --datadir="${EPREFIX%/}"/usr/share/openssh
1998 + --with-privsep-path="${EPREFIX%/}"/var/empty
1999 + --with-privsep-user=sshd
2000 + $(use_with audit audit linux)
2001 + $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
2002 + # We apply the sctp patch conditionally, so can't pass --without-sctp
2003 + # unconditionally else we get unknown flag warnings.
2004 + $(use sctp && use_with sctp)
2005 + $(use_with ldns)
2006 + $(use_with libedit)
2007 + $(use_with pam)
2008 + $(use_with pie)
2009 + $(use_with selinux)
2010 + $(use_with ssl openssl)
2011 + $(use_with ssl md5-passwords)
2012 + $(use_with ssl ssl-engine)
2013 + $(use_with !elibc_Cygwin hardening) #659210
2014 + )
2015 +
2016 + # stackprotect is broken on musl x86
2017 + use elibc_musl && use x86 && myconf+=( --without-stackprotect )
2018 +
2019 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2020 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2021 +
2022 + econf "${myconf[@]}"
2023 +}
2024 +
2025 +src_test() {
2026 + local t skipped=() failed=() passed=()
2027 + local tests=( interop-tests compat-tests )
2028 +
2029 + local shell=$(egetshell "${UID}")
2030 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2031 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2032 + elog "user, so we will run a subset only."
2033 + skipped+=( tests )
2034 + else
2035 + tests+=( tests )
2036 + fi
2037 +
2038 + # It will also attempt to write to the homedir .ssh.
2039 + local sshhome=${T}/homedir
2040 + mkdir -p "${sshhome}"/.ssh
2041 + for t in "${tests[@]}" ; do
2042 + # Some tests read from stdin ...
2043 + HOMEDIR="${sshhome}" HOME="${sshhome}" \
2044 + emake -k -j1 ${t} </dev/null \
2045 + && passed+=( "${t}" ) \
2046 + || failed+=( "${t}" )
2047 + done
2048 +
2049 + einfo "Passed tests: ${passed[*]}"
2050 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2051 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2052 +}
2053 +
2054 +# Gentoo tweaks to default config files.
2055 +tweak_ssh_configs() {
2056 + local locale_vars=(
2057 + # These are language variables that POSIX defines.
2058 + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
2059 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
2060 +
2061 + # These are the GNU extensions.
2062 + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
2063 + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
2064 + )
2065 +
2066 + # First the server config.
2067 + cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
2068 +
2069 + # Allow client to pass locale environment variables. #367017
2070 + AcceptEnv ${locale_vars[*]}
2071 +
2072 + # Allow client to pass COLORTERM to match TERM. #658540
2073 + AcceptEnv COLORTERM
2074 + EOF
2075 +
2076 + # Then the client config.
2077 + cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
2078 +
2079 + # Send locale environment variables. #367017
2080 + SendEnv ${locale_vars[*]}
2081 +
2082 + # Send COLORTERM to match TERM. #658540
2083 + SendEnv COLORTERM
2084 + EOF
2085 +
2086 + if use pam ; then
2087 + sed -i \
2088 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
2089 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
2090 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
2091 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
2092 + "${ED%/}"/etc/ssh/sshd_config || die
2093 + fi
2094 +
2095 + if use livecd ; then
2096 + sed -i \
2097 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
2098 + "${ED%/}"/etc/ssh/sshd_config || die
2099 + fi
2100 +}
2101 +
2102 +src_install() {
2103 + emake install-nokeys DESTDIR="${D}"
2104 + fperms 600 /etc/ssh/sshd_config
2105 + dobin contrib/ssh-copy-id
2106 + newinitd "${FILESDIR}"/sshd.initd sshd
2107 + newconfd "${FILESDIR}"/sshd-r1.confd sshd
2108 +
2109 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
2110 +
2111 + tweak_ssh_configs
2112 +
2113 + doman contrib/ssh-copy-id.1
2114 + dodoc CREDITS OVERVIEW README* TODO sshd_config
2115 + use hpn && dodoc HPN-README
2116 + use X509 || dodoc ChangeLog
2117 +
2118 + diropts -m 0700
2119 + dodir /etc/skel/.ssh
2120 +
2121 + keepdir /var/empty
2122 +
2123 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
2124 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
2125 +}
2126 +
2127 +pkg_preinst() {
2128 + enewgroup sshd 22
2129 + enewuser sshd 22 -1 /var/empty sshd
2130 +}
2131 +
2132 +pkg_postinst() {
2133 + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
2134 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
2135 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2136 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2137 + fi
2138 + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
2139 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
2140 + elog "Make sure to update any configs that you might have. Note that xinetd might"
2141 + elog "be an alternative for you as it supports USE=tcpd."
2142 + fi
2143 + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
2144 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
2145 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
2146 + elog "adding to your sshd_config or ~/.ssh/config files:"
2147 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
2148 + elog "You should however generate new keys using rsa or ed25519."
2149 +
2150 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
2151 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
2152 + elog "out of the box. If you need this, please update your sshd_config explicitly."
2153 + fi
2154 + if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
2155 + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
2156 + elog "Furthermore, rsa keys with less than 1024 bits will be refused."
2157 + fi
2158 + if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
2159 + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
2160 + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
2161 + elog "if you need to authenticate against LDAP."
2162 + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
2163 + fi
2164 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
2165 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
2166 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
2167 + elog "and update all clients/servers that utilize them."
2168 + fi
2169 +
2170 + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2171 + elog ""
2172 + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
2173 + elog "and therefore disabled at runtime per default."
2174 + elog "Make sure your sshd_config is up to date and contains"
2175 + elog ""
2176 + elog " DisableMTAES yes"
2177 + elog ""
2178 + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
2179 + elog ""
2180 + fi
2181 +}
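Review bot: The HPN patch-staging block in src_prepare (`local hpn_patchdir=…` through `popd`) runs `mkdir`, `cp`, `pushd` and `popd` without `|| die`, while the X509 block just above it dies on `pushd`/`popd` failure; a failed copy from DISTDIR or a failed `pushd` would let the glue patches and `eapply "${hpn_patchdir}"` run against the wrong directory, surfacing only as a later, less specific patch error. The `cp $(printf …)` form also depends on unquoted word-splitting of the substitution; the array expansion `"${HPN_PATCHES[@]/#/${DISTDIR}/}"` passes the same paths without that. The same block appears verbatim in the openssh-7.8_p1 and openssh-7.9_p1 ebuilds in this commit.
```shell
	if use hpn ; then
		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
		mkdir "${hpn_patchdir}" || die
		cp -- "${HPN_PATCHES[@]/#/${DISTDIR}/}" "${hpn_patchdir}" || die
		pushd "${hpn_patchdir}" || die
		# … unchanged: glue-patch eapply calls …
		popd || die
```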
2182
2183 diff --git a/net-misc/openssh/openssh-7.9_p1.ebuild b/net-misc/openssh/openssh-7.9_p1.ebuild
2184 new file mode 100644
2185 index 00000000000..f39686f32b0
2186 --- /dev/null
2187 +++ b/net-misc/openssh/openssh-7.9_p1.ebuild
2188 @@ -0,0 +1,450 @@
2189 +# Copyright 1999-2018 Gentoo Authors
2190 +# Distributed under the terms of the GNU General Public License v2
2191 +
2192 +EAPI=6
2193 +
2194 +inherit user flag-o-matic multilib autotools pam systemd
2195 +
2196 +# Make it more portable between straight releases
2197 +# and _p? releases.
2198 +PARCH=${P/_}
2199 +#HPN_PV="${PV^^}"
2200 +HPN_PV="7.8_P1"
2201 +
2202 +HPN_VER="14.16"
2203 +HPN_PATCHES=(
2204 + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
2205 + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
2206 +)
2207 +HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
2208 +SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
2209 +X509_VER="11.5" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
2210 +
2211 +DESCRIPTION="Port of OpenBSD's free SSH release"
2212 +HOMEPAGE="https://www.openssh.com/"
2213 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2214 + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
2215 + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
2216 + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
2217 + "
2218 +
2219 +LICENSE="BSD GPL-2"
2220 +SLOT="0"
2221 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2222 +# Probably want to drop ssl defaulting to on in a future version.
2223 +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
2224 +RESTRICT="!test? ( test )"
2225 +REQUIRED_USE="ldns? ( ssl )
2226 + pie? ( !static )
2227 + static? ( !kerberos !pam )
2228 + X509? ( !sctp ssl )
2229 + test? ( ssl )"
2230 +
2231 +LIB_DEPEND="
2232 + audit? ( sys-process/audit[static-libs(+)] )
2233 + ldns? (
2234 + net-libs/ldns[static-libs(+)]
2235 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
2236 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
2237 + )
2238 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
2239 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2240 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2241 + ssl? (
2242 + !libressl? (
2243 + || (
2244 + (
2245 + >=dev-libs/openssl-1.0.1:0[bindist=]
2246 + <dev-libs/openssl-1.1.0:0[bindist=]
2247 + )
2248 + >=dev-libs/openssl-1.1.0g:0[bindist=]
2249 + )
2250 + dev-libs/openssl:0=[static-libs(+)]
2251 + )
2252 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
2253 + )
2254 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
2255 +RDEPEND="
2256 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2257 + pam? ( virtual/pam )
2258 + kerberos? ( virtual/krb5 )"
2259 +DEPEND="${RDEPEND}
2260 + static? ( ${LIB_DEPEND} )
2261 + virtual/pkgconfig
2262 + virtual/os-headers
2263 + sys-devel/autoconf"
2264 +RDEPEND="${RDEPEND}
2265 + pam? ( >=sys-auth/pambase-20081028 )
2266 + userland_GNU? ( virtual/shadow )
2267 + X? ( x11-apps/xauth )"
2268 +
2269 +S="${WORKDIR}/${PARCH}"
2270 +
2271 +pkg_pretend() {
2272 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
2273 + # than not be able to log in to their server any more
2274 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2275 + local fail="
2276 + $(use hpn && maybe_fail hpn HPN_VER)
2277 + $(use sctp && maybe_fail sctp SCTP_PATCH)
2278 + $(use X509 && maybe_fail X509 X509_PATCH)
2279 + "
2280 + fail=$(echo ${fail})
2281 + if [[ -n ${fail} ]] ; then
2282 + eerror "Sorry, but this version does not yet support features"
2283 + eerror "that you requested: ${fail}"
2284 + eerror "Please mask ${PF} for now and check back later:"
2285 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2286 + die "booooo"
2287 + fi
2288 +
2289 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
2290 + if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
2291 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2292 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
2293 + fi
2294 +}
2295 +
2296 +src_prepare() {
2297 + sed -i \
2298 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
2299 + pathnames.h || die
2300 +
2301 + # don't break .ssh/authorized_keys2 for fun
2302 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2303 +
2304 + eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
2305 + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
2306 + eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2307 + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2308 + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
2309 +
2310 + local PATCHSET_VERSION_MACROS=()
2311 +
2312 + if use X509 ; then
2313 + pushd "${WORKDIR}" || die
2314 + eapply "${FILESDIR}/${P}-X509-glue.patch"
2315 + eapply "${FILESDIR}/${P}-X509-dont-make-piddir.patch"
2316 + popd || die
2317 +
2318 + eapply "${WORKDIR}"/${X509_PATCH%.*}
2319 + eapply "${FILESDIR}"/${PN}-7.9_p1-libressl-2.8.patch
2320 +
2321 + # We need to patch package version or any X.509 sshd will reject our ssh client
2322 + # with "userauth_pubkey: could not parse key: string is too large [preauth]"
2323 + # error
2324 + einfo "Patching package version for X.509 patch set ..."
2325 + sed -i \
2326 + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
2327 + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
2328 +
2329 + einfo "Patching version.h to expose X.509 patch set ..."
2330 + sed -i \
2331 + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
2332 + "${S}"/version.h || die "Failed to sed-in X.509 patch version"
2333 + PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
2334 + fi
2335 +
2336 + if use sctp ; then
2337 + eapply "${WORKDIR}"/${SCTP_PATCH%.*}
2338 +
2339 + einfo "Patching version.h to expose SCTP patch set ..."
2340 + sed -i \
2341 + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
2342 + "${S}"/version.h || die "Failed to sed-in SCTP patch version"
2343 + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
2344 +
2345 + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
2346 + sed -i \
2347 + -e "/\t\tcfgparse \\\/d" \
2348 + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
2349 + fi
2350 +
2351 + if use hpn ; then
2352 + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
2353 + mkdir "${hpn_patchdir}"
2354 + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
2355 + pushd "${hpn_patchdir}"
2356 + eapply "${FILESDIR}"/${P}-hpn-glue.patch
2357 + use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
2358 + use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
2359 + popd
2360 +
2361 + eapply "${hpn_patchdir}"
2362 + eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
2363 +
2364 + einfo "Patching Makefile.in for HPN patch set ..."
2365 + sed -i \
2366 + -e "/^LIBS=/ s/\$/ -lpthread/" \
2367 + "${S}"/Makefile.in || die "Failed to patch Makefile.in"
2368 +
2369 + einfo "Patching version.h to expose HPN patch set ..."
2370 + sed -i \
2371 + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
2372 + "${S}"/version.h || die "Failed to sed-in HPN patch version"
2373 + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
2374 +
2375 + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2376 + einfo "Disabling known non-working MT AES cipher per default ..."
2377 +
2378 + cat > "${T}"/disable_mtaes.conf <<- EOF
2379 +
2380 + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
2381 + # and therefore disabled per default.
2382 + DisableMTAES yes
2383 + EOF
2384 + sed -i \
2385 + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
2386 + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
2387 +
2388 + sed -i \
2389 + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
2390 + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
2391 + fi
2392 + fi
2393 +
2394 + if use X509 || use sctp || use hpn ; then
2395 + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
2396 + sed -i \
2397 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2398 + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
2399 +
2400 + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
2401 + sed -i \
2402 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2403 + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
2404 +
2405 + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
2406 + sed -i \
2407 + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
2408 + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
2409 + fi
2410 +
2411 + sed -i \
2412 + -e "/#UseLogin no/d" \
2413 + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
2414 +
2415 + [[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
2416 +
2417 + eapply_user #473004
2418 +
2419 + tc-export PKG_CONFIG
2420 + local sed_args=(
2421 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
2422 + # Disable PATH reset, trust what portage gives us #254615
2423 + -e 's:^PATH=/:#PATH=/:'
2424 + # Disable fortify flags ... our gcc does this for us
2425 + -e 's:-D_FORTIFY_SOURCE=2::'
2426 + )
2427 +
2428 + # The -ftrapv flag ICEs on hppa #505182
2429 + use hppa && sed_args+=(
2430 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
2431 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
2432 + )
2433 + # _XOPEN_SOURCE causes header conflicts on Solaris
2434 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
2435 + -e 's/-D_XOPEN_SOURCE//'
2436 + )
2437 + sed -i "${sed_args[@]}" configure{.ac,} || die
2438 +
2439 + eautoreconf
2440 +}
2441 +
2442 +src_configure() {
2443 + addwrite /dev/ptmx
2444 +
2445 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
2446 + use static && append-ldflags -static
2447 +
2448 + local myconf=(
2449 + --with-ldflags="${LDFLAGS}"
2450 + --disable-strip
2451 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
2452 + --sysconfdir="${EPREFIX%/}"/etc/ssh
2453 + --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
2454 + --datadir="${EPREFIX%/}"/usr/share/openssh
2455 + --with-privsep-path="${EPREFIX%/}"/var/empty
2456 + --with-privsep-user=sshd
2457 + $(use_with audit audit linux)
2458 + $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
2459 + # We apply the sctp patch conditionally, so can't pass --without-sctp
2460 + # unconditionally else we get unknown flag warnings.
2461 + $(use sctp && use_with sctp)
2462 + $(use_with ldns)
2463 + $(use_with libedit)
2464 + $(use_with pam)
2465 + $(use_with pie)
2466 + $(use_with selinux)
2467 + $(use_with ssl openssl)
2468 + $(use_with ssl md5-passwords)
2469 + $(use_with ssl ssl-engine)
2470 + $(use_with !elibc_Cygwin hardening) #659210
2471 + )
2472 +
2473 + # stackprotect is broken on musl x86
2474 + use elibc_musl && use x86 && myconf+=( --without-stackprotect )
2475 +
2476 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2477 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2478 +
2479 + econf "${myconf[@]}"
2480 +}
2481 +
2482 +src_test() {
2483 + local t skipped=() failed=() passed=()
2484 + local tests=( interop-tests compat-tests )
2485 +
2486 + local shell=$(egetshell "${UID}")
2487 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2488 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2489 + elog "user, so we will run a subset only."
2490 + skipped+=( tests )
2491 + else
2492 + tests+=( tests )
2493 + fi
2494 +
2495 + # It will also attempt to write to the homedir .ssh.
2496 + local sshhome=${T}/homedir
2497 + mkdir -p "${sshhome}"/.ssh
2498 + for t in "${tests[@]}" ; do
2499 + # Some tests read from stdin ...
2500 + HOMEDIR="${sshhome}" HOME="${sshhome}" \
2501 + emake -k -j1 ${t} </dev/null \
2502 + && passed+=( "${t}" ) \
2503 + || failed+=( "${t}" )
2504 + done
2505 +
2506 + einfo "Passed tests: ${passed[*]}"
2507 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2508 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2509 +}
2510 +
2511 +# Gentoo tweaks to default config files.
2512 +tweak_ssh_configs() {
2513 + local locale_vars=(
2514 + # These are language variables that POSIX defines.