
From: Mike Frysinger <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date: Wed, 02 Mar 2016 20:29:12
Message-Id: 1456950498.16c23496b905c9e4e26d887efbf909133a75856a.vapier@gentoo
1 commit: 16c23496b905c9e4e26d887efbf909133a75856a
2 Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
3 AuthorDate: Wed Mar 2 20:26:43 2016 +0000
4 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
5 CommitDate: Wed Mar 2 20:28:18 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16c23496
7
8 net-misc/openssh: version bump to 7.2_p1
9
10 net-misc/openssh/Manifest | 4 +
11 .../openssh/files/openssh-7.2_p1-GSSAPI-dns.patch | 106 +++++++
12 .../files/openssh-7.2_p1-sctp-x509-glue.patch | 74 +++++
13 net-misc/openssh/openssh-7.2_p1.ebuild | 324 +++++++++++++++++++++
14 4 files changed, 508 insertions(+)
15
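diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 61ef955..aeb1b97 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -6,5 +6,9 @@ DIST openssh-7.1p2+x509-8.6.diff.xz 283964 SHA256 0848ceb42fa15f6197d5d81f9da6de
 DIST openssh-7.1p2+x509-8.7.diff.gz 438584 SHA256 23030dff924a78718686fad6442b1083293b0c2a057714291bd0af9ed8ef5868 SHA512 d9aa43f5fc06b88b442285a9f9a15d01b52796c36f0cb228c756edca473a89eadb296c45503a14514fdb156d3bc9d90ff33271ccfa9461a9bb2b798a581cc007 WHIRLPOOL ef3f4486fff0addad1a6bdcde3ba606d55d6e3ea5d2cd6e79bfe2494d660c38f0e9f1c157af72c3b6ad5e6eb3731168f975b26c94f8357154e54c08e5d876652
 DIST openssh-7.1p2-hpnssh14v10.tar.xz 22388 SHA256 729e20a2627ca403da6cfff8ef251c03421022123a21c68003181b4e5409bcc5 SHA512 b8e88ac5891ed632416db8da6377512614f19f5f7a7c093b55ecfe3e3f50979c61c0674e9381c316632d8daed90f8cce958c9b77bd00084a4ee1b0297cf321ba WHIRLPOOL c466cc33dc4a40e9466148beb154c539e095ac1b9cdcc5b3d235cbcf12ca10255d63da2f0e1da10d1afa1a0d2ebd436ca0d9e542c732df6ef67fb8f4d2d0192c
 DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd SHA512 d5be60f3645ec238b21e1f2dfd801b2136146674bbc086ebdb14be516c613819bc87c84b5089f3a45fe6e137a7458404f79f42572c69d91571e45ebed9d5e3af WHIRLPOOL 9f48952b82db3983c20e84bcff5b6761f5b284174072c828698dced3a53ca8bbc2e1f89d2e82b62a68f4606b52c980fcf097250f86c1a67ad343d20e3ec9d1f4
+DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306
+DIST openssh-7.2p1+x509-8.8.diff.gz 446930 SHA256 a6a4bc0fb63d8117718d2ddb975ff09e99d8788913b396f9b7af22a7630e5d8f SHA512 28ace1c1972b8a77f0574b578054bb0224ec3861f6549c193351b1c8395ed335c9cf1070f8cc9b28c9b4188ead264d84bcd4477d4ce8b6143e0122ac9e7eb304 WHIRLPOOL c5dd0f4be77f69a0cd435b1a4f85496ec5da3a162f0858a006acb0bedfb613959f74031ccf24fb4f86f7244a20066a89191d068a4890d165315586d5574f7155
+DIST openssh-7.2p1.tar.gz 1499707 SHA256 973cc37b2f3597e4cf599b09e604e79c0fe5d9b6f595a24e91ed0662860b4ac3 SHA512 e6a1a6fbc420c5af76892f05ac5d7601533629a595869c6143edc3a21322faa72c5638ccb2e346d25af5703d77c1e1bebf2ace488d75aaaa5b3d5a65a53bdb54 WHIRLPOOL d284999b325b5ef1c4e33ea14a51d74a22c7b52d9642dee70490fa71b4473dd08c0b76c4faa4575932c579b931608f575f3366881dd6438150b71333239e189c
 DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
+DIST openssh-lpk-7.2p1-0.3.14.patch.xz 17700 SHA256 4fdec61e082acedd33cf9199ff8a99780b8b1690e2236a05d1a57035dde70a5b SHA512 4da7ab88c42df4580dccadf43c72c9a19806172dd219356b740dd9877db5ba2842d481ffaac3f87427ca2b7fa2bc4f076edf1890517d13f641122bbf6728d8c7 WHIRLPOOL dcb4c800c5b54b512907dd00f6aab7f0c7ee87cb66240eb346cdd4937ed62983e21fb1777a4c74d7b6db492683ed4c68de13a21dbcba39abd879a16c6b4dd2da
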
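diff --git a/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000..29e94e4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch
@@ -0,0 +1,106 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- openssh-7.2p1/readconf.c
++++ openssh-7.2p1/readconf.c
+@@ -148,6 +148,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ #else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ { "fallbacktorsh", oDeprecated },
+ { "usersh", oDeprecated },
+@@ -930,6 +933,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1649,6 +1656,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+--- openssh-7.2p1/readconf.h
++++ openssh-7.2p1/readconf.h
+@@ -46,6 +46,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- openssh-7.2p1/ssh_config.5
++++ openssh-7.2p1/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- openssh-7.2p1/sshconnect2.c
++++ openssh-7.2p1/sshconnect2.c
+@@ -656,6 +656,12 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns)
++ gss_host = get_canonical_hostname(1);
++ else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -668,7 +674,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
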
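Review bot: The ssh_config.5 hunk describes GSSAPITrustDns as trusting DNS to "securely canonicalize" the host name, but the sshconnect2.c hunk only substitutes `get_canonical_hostname(1)` for `authctxt->host` when the option is on, so the GSSAPI target name, and with it the service principal the client authenticates to, is whatever name the resolver hands back; nothing in the patch checks that the answer is authenticated. Keeping the default at no (the readconf.c hunks) is right, and the man page entry should state the condition instead of implying the lookup is secure, e.g. append `Enable this only where the resolver's answers are trustworthy (for example DNSSEC-validated); an incorrect reverse lookup changes which host the client authenticates to.` The first line added in the ssh_config.5 hunk, `Note that this option applies to protocol version 2 connections using GSSAPI.`, attaches to the preceding GSSAPIDelegateCredentials entry and then recurs almost verbatim as the last line of the new entry, so one of the two is redundant. The functions patched in sshconnect2.c start and end outside the quoted hunks.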
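diff --git a/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch
new file mode 100644
index 0000000..2884ee9
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch
@@ -0,0 +1,74 @@
+--- openssh-7.2_p1-sctp.patch
++++ openssh-7.2_p1-sctp.patch
+@@ -195,14 +195,6 @@
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+-@@ -181,6 +181,7 @@ For full details of the options listed below, and their possible values, see
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UpdateHostKeys
+- .It UsePrivilegedPort
+- .It User
+ @@ -222,6 +223,8 @@ and
+ to print debugging messages about their progress.
+ This is helpful in
+@@ -477,19 +469,11 @@
+ .Sh SYNOPSIS
+ .Nm ssh
+ .Bk -words
+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
+ .Op Fl b Ar bind_address
+ .Op Fl c Ar cipher_spec
+ .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -536,6 +536,7 @@ For full details of the options listed below, and their possible values, see
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UpdateHostKeys
+ @@ -770,6 +771,8 @@ controls.
+ .Pp
+ .It Fl y
+@@ -501,7 +485,7 @@
+ index f9ff91f..d0d92ce 100644
+ --- a/ssh.c
+ +++ b/ssh.c
+-@@ -195,12 +195,17 @@ extern int muxserver_sock;
++@@ -195,11 +195,16 @@ extern int muxserver_sock;
+ extern u_int muxclient_command;
+
+ /* Prints a help message to the user. This function never returns. */
+@@ -515,18 +499,17 @@
+ usage(void)
+ {
+ fprintf(stderr,
+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+ " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+ " [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n"
+- " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
+ @@ -605,7 +610,7 @@ main(int ac, char **av)
+- argv0 = av[0];
++ # define ENGCONFIG ""
++ #endif
+
+- again:
+-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
+++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
++ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+ switch (opt) {
+ case '1':
+ @@ -845,6 +850,11 @@ main(int ac, char **av)
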
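diff --git a/net-misc/openssh/openssh-7.2_p1.ebuild b/net-misc/openssh/openssh-7.2_p1.ebuild
new file mode 100644
index 0000000..ca15fb2
--- /dev/null
+++ b/net-misc/openssh/openssh-7.2_p1.ebuild
@@ -0,0 +1,324 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
+LDAP_PATCH="${PN}-lpk-7.2p1-0.3.14.patch.xz"
+X509_VER="8.8" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ mirror://gentoo/${PN}-7.2_p1-sctp.patch.xz
+ ${HPN_PATCH:+hpn? (
+ mirror://gentoo/${HPN_PATCH}
+ mirror://sourceforge/hpnssh/${HPN_PATCH}
+ )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+ pie? ( !static )
+ ssh1? ( ssl )
+ static? ( !kerberos !pam )
+ X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+ ldns? (
+ net-libs/ldns[static-libs(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ ssl? (
+ !libressl? (
+ >=dev-libs/openssl-0.9.8f:0[bindist=]
+ dev-libs/openssl:0[static-libs(+)]
+ )
+ libressl? ( dev-libs/libressl[static-libs(+)] )
+ )
+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+
+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
+ if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ if use X509 ; then
+ pushd .. >/dev/null
+ if use hpn ; then
+ pushd ${HPN_PATCH%.*.*} >/dev/null
+ epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
+ popd >/dev/null
+ fi
+ epatch "${FILESDIR}"/${PN}-7.2_p1-sctp-x509-glue.patch
+ popd >/dev/null
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
+ #save_version X509
+ fi
+ if use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+ epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+ epatch "${WORKDIR}"/${PN}-7.2_p1-sctp.patch
+ if use hpn ; then
+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+ epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+src_configure() {
+ addwrite /dev/ptmx
+
+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+ use static && append-ldflags -static
+
+ local myconf=(
+ --with-ldflags="${LDFLAGS}"
+ --disable-strip
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+ --sysconfdir="${EPREFIX}"/etc/ssh
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX}"/var/empty
+ --with-privsep-user=sshd
+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+ # We apply the ldap patch conditionally, so can't pass --without-ldap
+ # unconditionally else we get unknown flag warnings.
+ $(use ldap && use_with ldap)
+ $(use_with ldns)
+ $(use_with libedit)
+ $(use_with pam)
+ $(use_with pie)
+ $(use_with sctp)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with ssh1)
+ $(use_with ssl openssl)
+ $(use_with ssl md5-passwords)
+ $(use_with ssl ssl-engine)
+ )
+
+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+ econf "${myconf[@]}"
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+ keepdir /var/empty
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t tests skipped failed passed shell
+ tests="interop-tests compat-tests"
+ skipped=""
+ shell=$(egetshell ${UID})
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite"
+ elog "requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped="${skipped} tests"
+ else
+ tests="${tests} tests"
+ fi
+ # It will also attempt to write to the homedir .ssh
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in ${tests} ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed="${passed}${t} " \
+ || failed="${failed}${t} "
+ done
+ einfo "Passed tests: ${passed}"
+ ewarn "Skipped tests: ${skipped}"
+ if [[ -n ${failed} ]] ; then
+ ewarn "Failed tests: ${failed}"
+ die "Some tests failed: ${failed}"
+ else
+ einfo "Failed tests: ${failed}"
+ return 0
+ fi
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+ elog "Make sure to update any configs that you might have. Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or ed25519."
+
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
+ elog "out of the box. If you need this, please update your sshd_config explicitly."
+ fi
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
+ elog "and update all clients/servers that utilize them."
+ fi
+}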
548 + fi
549 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
550 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
551 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
552 + elog "and update all clients/servers that utilize them."
553 + fi
554 +}