commit: ed7be3a97e16371d731c736d36ba24a23e00bb33 |
Author: orbea <orbea <AT> riseup <DOT> net> |
AuthorDate: Sun Jul 3 02:50:51 2022 +0000 |
Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com> |
CommitDate: Sun Jul 3 17:47:00 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=ed7be3a9 |
|
net-misc/openssh: Remove package |
|
Works with libressl-3.5.x and openssh-8.9_p1-r2::gentoo. |
|
Signed-off-by: orbea <orbea <AT> riseup.net> |
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com> |
|
net-misc/openssh/Manifest | 15 - |
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 - |
...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 - |
.../files/openssh-7.9_p1-include-stdlib.patch | 48 -- |
...mget-shmat-shmdt-in-preauth-privsep-child.patch | 31 -- |
.../files/openssh-8.0_p1-fix-putty-tests.patch | 57 --- |
.../files/openssh-8.0_p1-hpn-14.20-X509-glue.patch | 111 ----- |
.../openssh/files/openssh-8.0_p1-hpn-version.patch | 13 - |
.../openssh/files/openssh-8.1_p1-GSSAPI-dns.patch | 359 --------------- |
.../files/openssh-8.1_p1-X509-12.3-tests.patch | 11 - |
.../files/openssh-8.1_p1-X509-glue-12.3.patch | 35 -- |
.../files/openssh-8.1_p1-hpn-14.20-glue.patch | 105 ----- |
.../files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch | 19 - |
.../openssh/files/openssh-8.1_p1-tests-2020.patch | 26 -- |
.../openssh/files/openssh-8.2_p1-GSSAPI-dns.patch | 359 --------------- |
.../files/openssh-8.2_p1-X509-12.4.3-tests.patch | 11 - |
.../files/openssh-8.2_p1-X509-glue-12.4.3.patch | 128 ------ |
.../files/openssh-8.2_p1-hpn-14.20-X509-glue.patch | 133 ------ |
.../files/openssh-8.2_p1-hpn-14.20-glue.patch | 151 ------ |
.../files/openssh-8.2_p1-hpn-14.20-libressl.patch | 20 - |
.../files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch | 19 - |
.../files/openssh-8.3_p1-X509-glue-12.5.1.patch | 35 -- |
.../files/openssh-8.3_p1-hpn-14.20-glue.patch | 177 ------- |
.../files/openssh-8.3_p1-sha2-include.patch | 13 - |
.../files/openssh-8.4_p1-X509-glue-12.6.patch | 34 -- |
.../files/openssh-8.4_p1-fix-ssh-copy-id.patch | 30 -- |
.../files/openssh-8.4_p1-hpn-14.22-X509-glue.patch | 129 ------ |
.../files/openssh-8.4_p1-hpn-14.22-glue.patch | 94 ---- |
.../files/openssh-8.4_p1-hpn-14.22-libressl.patch | 20 - |
.../files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch | 18 - |
net-misc/openssh/files/sshd-r1.confd | 33 -- |
net-misc/openssh/files/sshd-r1.initd | 87 ---- |
net-misc/openssh/files/sshd.pam_include.2 | 4 - |
net-misc/openssh/files/sshd.service | 11 - |
net-misc/openssh/files/sshd.socket | 10 - |
net-misc/openssh/files/sshd_at.service | 8 - |
net-misc/openssh/metadata.xml | 37 -- |
net-misc/openssh/openssh-8.2_p1-r7.ebuild | 481 ------------------- |
net-misc/openssh/openssh-8.3_p1-r5.ebuild | 506 -------------------- |
net-misc/openssh/openssh-8.4_p1-r2.ebuild | 511 --------------------- |
40 files changed, 3926 deletions(-) |
|
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest |
58 |
deleted file mode 100644 |
59 |
index a67588c..0000000 |
60 |
--- a/net-misc/openssh/Manifest |
61 |
+++ /dev/null |
62 |
@@ -1,15 +0,0 @@ |
63 |
-DIST openssh-8.2p1+x509-12.4.3.diff.gz 806905 BLAKE2B 8e0f0f3eeb2aafd9fc9e6eca80c0b51ffedbed9dfc46ff73bb1becd28f6ac013407d03107b59da05d9d56edbf283eef20891086867b79efd8aab81c3e9a4a32f SHA512 51117d7e4df2ff78c4fdfd08c2bb8f1739b1db064df65bab3872e1a956c277a4736c511794aa399061058fea666a76ee07bb50d83a0d077b7fa572d02c030b91 |
64 |
-DIST openssh-8.2p1-sctp-1.2.patch.xz 7668 BLAKE2B 717487cffd235a5dfa2d9d3f2c1983f410d400b0d23f71a9b74406ac3d2f448d76381a3b7a3244942bff4e6bdc3bc78d148b9949c78dc297d99c7330179f8176 SHA512 a5fbd827e62e91b762062a29c7bc3bf569a202bdc8c91da7d77566ff8bb958b5b9fb6f8d45df586e0d7ac07a83de6e82996e9c5cdd6b3bf43336c420d3099305 |
65 |
-DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf47161071aa81d0763f81b12fe4bc3d409c260783d995307d4e4ed2d16080fd74b15e4dc6dcc5648d7e66720c3ed SHA512 c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a |
66 |
-DIST openssh-8.3p1+x509-12.5.1.diff.gz 803054 BLAKE2B ec88959b4e3328e70d6f136f3d5bebced2e555de3ea40f55c535ca8a30a0eed84d177ad966e5bda46e1fc61d42141b13e96d068f5abfd069ae81b131dfb5a66c SHA512 28166a1a1aeff0c65f36263c0009e82cda81fc8f4efe3d11fabd0312d199a4f935476cf7074fbce68787d2fec0fd42f00fef383bf856a5767ce9d0ca6bbc8ef0 |
67 |
-DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014 |
68 |
-DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40 |
69 |
-DIST openssh-8.4p1+x509-12.6.diff.gz 857479 BLAKE2B ac8c3e8c1087ca571e5459c9826903410ff2d45de60151d9bd8e59da15805b75752f8f3ffc231c9f8aaa8f2b2c07a97a8296684f885e0d14b54ff5d7bc585588 SHA512 e56516b376ecc3e5464895744ce0616cf4446a891fbd3cbcb090d5f61ebc349d74f9c01e855ccd22e574dbfeec0cb2ba7daf582983010ff991243a6371cc5fe3 |
70 |
-DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380 |
71 |
-DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce |
72 |
-DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221 |
73 |
-DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739 |
74 |
-DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d |
75 |
-DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be |
76 |
-DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd |
77 |
-DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb |
78 |
|
79 |
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch |
80 |
deleted file mode 100644 |
81 |
index fa33af3..0000000 |
82 |
--- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch |
83 |
+++ /dev/null |
84 |
@@ -1,17 +0,0 @@ |
85 |
-the last nibble of the openssl version represents the status. that is, |
86 |
-whether it is a beta or release. when it comes to version checks in |
87 |
-openssh, this component does not matter, so ignore it. |
88 |
- |
89 |
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212 |
90 |
- |
91 |
---- a/openbsd-compat/openssl-compat.c |
92 |
-+++ b/openbsd-compat/openssl-compat.c |
93 |
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) |
94 |
- * For versions >= 1.0.0, major,minor,status must match and library |
95 |
- * fix version must be equal to or newer than the header. |
96 |
- */ |
97 |
-- mask = 0xfff0000fL; /* major,minor,status */ |
98 |
-+ mask = 0xfff00000L; /* major,minor,status */ |
99 |
- hfix = (headerver & 0x000ff000) >> 12; |
100 |
- lfix = (libver & 0x000ff000) >> 12; |
101 |
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix) |
102 |
|
103 |
diff --git a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch |
104 |
deleted file mode 100644 |
105 |
index a5647ce..0000000 |
106 |
--- a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch |
107 |
+++ /dev/null |
108 |
@@ -1,20 +0,0 @@ |
109 |
-Disable conch interop tests which are failing when called |
110 |
-via portage for yet unknown reason and because using conch |
111 |
-seems to be flaky (test is failing when using Python2 but |
112 |
-passing when using Python3). |
113 |
- |
114 |
-Bug: https://bugs.gentoo.org/605446 |
115 |
- |
116 |
---- a/regress/conch-ciphers.sh |
117 |
-+++ b/regress/conch-ciphers.sh |
118 |
-@@ -3,6 +3,10 @@ |
119 |
- |
120 |
- tid="conch ciphers" |
121 |
- |
122 |
-+# https://bugs.gentoo.org/605446 |
123 |
-+echo "conch interop tests skipped due to Gentoo bug #605446" |
124 |
-+exit 0 |
125 |
-+ |
126 |
- if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then |
127 |
- echo "conch interop tests not enabled" |
128 |
- exit 0 |
129 |
|
130 |
diff --git a/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch |
131 |
deleted file mode 100644 |
132 |
index c5697c2..0000000 |
133 |
--- a/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch |
134 |
+++ /dev/null |
135 |
@@ -1,48 +0,0 @@ |
136 |
-diff --git a/auth-options.c b/auth-options.c |
137 |
-index b05d6d6f..d1f42f04 100644 |
138 |
---- a/auth-options.c |
139 |
-+++ b/auth-options.c |
140 |
-@@ -26,6 +26,7 @@ |
141 |
- #include <stdarg.h> |
142 |
- #include <ctype.h> |
143 |
- #include <limits.h> |
144 |
-+#include <stdlib.h> |
145 |
- |
146 |
- #include "openbsd-compat/sys-queue.h" |
147 |
- |
148 |
-diff --git a/hmac.c b/hmac.c |
149 |
-index 1c879640..a29f32c5 100644 |
150 |
---- a/hmac.c |
151 |
-+++ b/hmac.c |
152 |
-@@ -19,6 +19,7 @@ |
153 |
- |
154 |
- #include <sys/types.h> |
155 |
- #include <string.h> |
156 |
-+#include <stdlib.h> |
157 |
- |
158 |
- #include "sshbuf.h" |
159 |
- #include "digest.h" |
160 |
-diff --git a/krl.c b/krl.c |
161 |
-index 8e2d5d5d..c32e147a 100644 |
162 |
---- a/krl.c |
163 |
-+++ b/krl.c |
164 |
-@@ -28,6 +28,7 @@ |
165 |
- #include <string.h> |
166 |
- #include <time.h> |
167 |
- #include <unistd.h> |
168 |
-+#include <stdlib.h> |
169 |
- |
170 |
- #include "sshbuf.h" |
171 |
- #include "ssherr.h" |
172 |
-diff --git a/mac.c b/mac.c |
173 |
-index 51dc11d7..3d11eba6 100644 |
174 |
---- a/mac.c |
175 |
-+++ b/mac.c |
176 |
-@@ -29,6 +29,7 @@ |
177 |
- |
178 |
- #include <string.h> |
179 |
- #include <stdio.h> |
180 |
-+#include <stdlib.h> |
181 |
- |
182 |
- #include "digest.h" |
183 |
- #include "hmac.h" |
184 |
|
185 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch |
186 |
deleted file mode 100644 |
187 |
index fe3be24..0000000 |
188 |
--- a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch |
189 |
+++ /dev/null |
190 |
@@ -1,31 +0,0 @@ |
191 |
-From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001 |
192 |
-From: Lonnie Abelbeck <lonnie@××××××××.com> |
193 |
-Date: Tue, 1 Oct 2019 09:05:09 -0500 |
194 |
-Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. |
195 |
- |
196 |
-New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt |
197 |
-in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. |
198 |
---- |
199 |
- sandbox-seccomp-filter.c | 9 +++++++++ |
200 |
- 1 file changed, 9 insertions(+) |
201 |
- |
202 |
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c |
203 |
-index 840c5232b..39dc289e3 100644 |
204 |
---- a/sandbox-seccomp-filter.c |
205 |
-+++ b/sandbox-seccomp-filter.c |
206 |
-@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = { |
207 |
- #ifdef __NR_stat64 |
208 |
- SC_DENY(__NR_stat64, EACCES), |
209 |
- #endif |
210 |
-+#ifdef __NR_shmget |
211 |
-+ SC_DENY(__NR_shmget, EACCES), |
212 |
-+#endif |
213 |
-+#ifdef __NR_shmat |
214 |
-+ SC_DENY(__NR_shmat, EACCES), |
215 |
-+#endif |
216 |
-+#ifdef __NR_shmdt |
217 |
-+ SC_DENY(__NR_shmdt, EACCES), |
218 |
-+#endif |
219 |
- |
220 |
- /* Syscalls to permit */ |
221 |
- #ifdef __NR_brk |
222 |
|
223 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch |
224 |
deleted file mode 100644 |
225 |
index 4310aa1..0000000 |
226 |
--- a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch |
227 |
+++ /dev/null |
228 |
@@ -1,57 +0,0 @@ |
229 |
-Make sure that host keys are already accepted before |
230 |
-running tests. |
231 |
- |
232 |
-https://bugs.gentoo.org/493866 |
233 |
- |
234 |
---- a/regress/putty-ciphers.sh |
235 |
-+++ b/regress/putty-ciphers.sh |
236 |
-@@ -10,11 +10,17 @@ fi |
237 |
- |
238 |
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do |
239 |
- verbose "$tid: cipher $c" |
240 |
-+ rm -f ${COPY} |
241 |
- cp ${OBJ}/.putty/sessions/localhost_proxy \ |
242 |
- ${OBJ}/.putty/sessions/cipher_$c |
243 |
- echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c |
244 |
- |
245 |
-- rm -f ${COPY} |
246 |
-+ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \ |
247 |
-+ -i ${OBJ}/putty.rsa2 "exit" |
248 |
-+ if [ $? -ne 0 ]; then |
249 |
-+ fail "failed to pre-cache host key" |
250 |
-+ fi |
251 |
-+ |
252 |
- env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \ |
253 |
- cat ${DATA} > ${COPY} |
254 |
- if [ $? -ne 0 ]; then |
255 |
---- a/regress/putty-kex.sh |
256 |
-+++ b/regress/putty-kex.sh |
257 |
-@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do |
258 |
- ${OBJ}/.putty/sessions/kex_$k |
259 |
- echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k |
260 |
- |
261 |
-+ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \ |
262 |
-+ -i ${OBJ}/putty.rsa2 "exit" |
263 |
-+ if [ $? -ne 0 ]; then |
264 |
-+ fail "failed to pre-cache host key" |
265 |
-+ fi |
266 |
-+ |
267 |
- env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true |
268 |
- if [ $? -ne 0 ]; then |
269 |
- fail "KEX $k failed" |
270 |
---- a/regress/putty-transfer.sh |
271 |
-+++ b/regress/putty-transfer.sh |
272 |
-@@ -14,6 +14,13 @@ for c in 0 1 ; do |
273 |
- cp ${OBJ}/.putty/sessions/localhost_proxy \ |
274 |
- ${OBJ}/.putty/sessions/compression_$c |
275 |
- echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k |
276 |
-+ |
277 |
-+ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \ |
278 |
-+ -i ${OBJ}/putty.rsa2 "exit" |
279 |
-+ if [ $? -ne 0 ]; then |
280 |
-+ fail "failed to pre-cache host key" |
281 |
-+ fi |
282 |
-+ |
283 |
- env HOME=$PWD ${PLINK} -load compression_$c -batch \ |
284 |
- -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY} |
285 |
- if [ $? -ne 0 ]; then |
286 |
|
287 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch |
288 |
deleted file mode 100644 |
289 |
index 167adfc..0000000 |
290 |
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch |
291 |
+++ /dev/null |
292 |
@@ -1,111 +0,0 @@ |
293 |
-diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff |
294 |
---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:15.746095444 -0800 |
295 |
-+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:54.181853707 -0800 |
296 |
-@@ -4,8 +4,8 @@ |
297 |
- +++ b/Makefile.in |
298 |
- @@ -42,7 +42,7 @@ CC=@CC@ |
299 |
- LD=@LD@ |
300 |
-- CFLAGS=@CFLAGS@ |
301 |
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
302 |
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) |
303 |
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ |
304 |
- -LIBS=@LIBS@ |
305 |
- +LIBS=@LIBS@ -lpthread |
306 |
- K5LIBS=@K5LIBS@ |
307 |
-@@ -803,8 +803,8 @@ |
308 |
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
309 |
- { |
310 |
- struct session_state *state; |
311 |
--- const struct sshcipher *none = cipher_by_name("none"); |
312 |
--+ struct sshcipher *none = cipher_by_name("none"); |
313 |
-+- const struct sshcipher *none = cipher_none(); |
314 |
-++ struct sshcipher *none = cipher_none(); |
315 |
- int r; |
316 |
- |
317 |
- if (none == NULL) { |
318 |
-@@ -948,9 +948,9 @@ |
319 |
- /* Portable-specific options */ |
320 |
- sUsePAM, |
321 |
- + sDisableMTAES, |
322 |
-- /* Standard Options */ |
323 |
-- sPort, sHostKeyFile, sLoginGraceTime, |
324 |
-- sPermitRootLogin, sLogFacility, sLogLevel, |
325 |
-+ /* X.509 Standard Options */ |
326 |
-+ sHostbasedAlgorithms, |
327 |
-+ sPubkeyAlgorithms, |
328 |
- @@ -643,6 +647,7 @@ static struct { |
329 |
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
330 |
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
331 |
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff |
332 |
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:41:42.512910357 -0800 |
333 |
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:56:40.323299499 -0800 |
334 |
-@@ -382,7 +382,7 @@ |
335 |
- @@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh) |
336 |
- int nenc, nmac, ncomp; |
337 |
- u_int mode, ctos, need, dh_need, authlen; |
338 |
-- int r, first_kex_follows; |
339 |
-+ int r, first_kex_follows = 0; |
340 |
- + int auth_flag; |
341 |
- + |
342 |
- + auth_flag = packet_authentication_state(ssh); |
343 |
-@@ -391,8 +391,8 @@ |
344 |
- debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); |
345 |
- if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) |
346 |
- @@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh) |
347 |
-- peer[ncomp] = NULL; |
348 |
-- goto out; |
349 |
-+ else |
350 |
-+ fatal("Pre-authentication none cipher requests are not allowed."); |
351 |
- } |
352 |
- + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); |
353 |
- + if (strcmp(newkeys->enc.name, "none") == 0) { |
354 |
-@@ -1169,15 +1169,3 @@ |
355 |
- # Example of overriding settings on a per-user basis |
356 |
- #Match User anoncvs |
357 |
- # X11Forwarding no |
358 |
--diff --git a/version.h b/version.h |
359 |
--index 6b3fadf8..ec1d2e27 100644 |
360 |
----- a/version.h |
361 |
--+++ b/version.h |
362 |
--@@ -3,4 +3,6 @@ |
363 |
-- #define SSH_VERSION "OpenSSH_8.1" |
364 |
-- |
365 |
-- #define SSH_PORTABLE "p1" |
366 |
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
367 |
--+#define SSH_HPN "-hpn14v20" |
368 |
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN |
369 |
--+ |
370 |
-diff -ur a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff |
371 |
---- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 15:41:42.512910357 -0800 |
372 |
-+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 16:02:42.203023609 -0800 |
373 |
-@@ -12,9 +12,9 @@ |
374 |
- static long stalled; /* how long we have been stalled */ |
375 |
- static int bytes_per_second; /* current speed in bytes per second */ |
376 |
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) |
377 |
-+ off_t bytes_left; |
378 |
- int cur_speed; |
379 |
-- int hours, minutes, seconds; |
380 |
-- int file_len; |
381 |
-+ int len; |
382 |
- + off_t delta_pos; |
383 |
- |
384 |
- if ((!force_update && !alarm_fired && !win_resized) || !can_output()) |
385 |
-@@ -33,12 +33,12 @@ |
386 |
- @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) |
387 |
- |
388 |
- /* filename */ |
389 |
-- buf[0] = '\0'; |
390 |
--- file_len = win_size - 36; |
391 |
--+ file_len = win_size - 45; |
392 |
-- if (file_len > 0) { |
393 |
-- buf[0] = '\r'; |
394 |
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", |
395 |
-+ if (win_size > 36) { |
396 |
-+- int file_len = win_size - 36; |
397 |
-++ int file_len = win_size - 45; |
398 |
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", |
399 |
-+ file_len, file); |
400 |
-+ } |
401 |
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) |
402 |
- (off_t)bytes_per_second); |
403 |
- strlcat(buf, "/s ", win_size); |
404 |
|
405 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch |
406 |
deleted file mode 100644 |
407 |
index 37905ce..0000000 |
408 |
--- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch |
409 |
+++ /dev/null |
410 |
@@ -1,13 +0,0 @@ |
411 |
-diff --git a/kex.c b/kex.c |
412 |
-index 34808b5c..88d7ccac 100644 |
413 |
---- a/kex.c |
414 |
-+++ b/kex.c |
415 |
-@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
416 |
- if (version_addendum != NULL && *version_addendum == '\0') |
417 |
- version_addendum = NULL; |
418 |
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", |
419 |
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, |
420 |
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, |
421 |
- version_addendum == NULL ? "" : " ", |
422 |
- version_addendum == NULL ? "" : version_addendum)) != 0) { |
423 |
- error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); |
424 |
|
425 |
diff --git a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch |
426 |
deleted file mode 100644 |
427 |
index 6aba6f2..0000000 |
428 |
--- a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch |
429 |
+++ /dev/null |
430 |
@@ -1,359 +0,0 @@ |
431 |
-diff --git a/auth.c b/auth.c |
432 |
-index ca450f4e..2994a4e4 100644 |
433 |
---- a/auth.c |
434 |
-+++ b/auth.c |
435 |
-@@ -723,120 +723,6 @@ fakepw(void) |
436 |
- return (&fake); |
437 |
- } |
438 |
- |
439 |
--/* |
440 |
-- * Returns the remote DNS hostname as a string. The returned string must not |
441 |
-- * be freed. NB. this will usually trigger a DNS query the first time it is |
442 |
-- * called. |
443 |
-- * This function does additional checks on the hostname to mitigate some |
444 |
-- * attacks on legacy rhosts-style authentication. |
445 |
-- * XXX is RhostsRSAAuthentication vulnerable to these? |
446 |
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) |
447 |
-- */ |
448 |
-- |
449 |
--static char * |
450 |
--remote_hostname(struct ssh *ssh) |
451 |
--{ |
452 |
-- struct sockaddr_storage from; |
453 |
-- socklen_t fromlen; |
454 |
-- struct addrinfo hints, *ai, *aitop; |
455 |
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; |
456 |
-- const char *ntop = ssh_remote_ipaddr(ssh); |
457 |
-- |
458 |
-- /* Get IP address of client. */ |
459 |
-- fromlen = sizeof(from); |
460 |
-- memset(&from, 0, sizeof(from)); |
461 |
-- if (getpeername(ssh_packet_get_connection_in(ssh), |
462 |
-- (struct sockaddr *)&from, &fromlen) == -1) { |
463 |
-- debug("getpeername failed: %.100s", strerror(errno)); |
464 |
-- return strdup(ntop); |
465 |
-- } |
466 |
-- |
467 |
-- ipv64_normalise_mapped(&from, &fromlen); |
468 |
-- if (from.ss_family == AF_INET6) |
469 |
-- fromlen = sizeof(struct sockaddr_in6); |
470 |
-- |
471 |
-- debug3("Trying to reverse map address %.100s.", ntop); |
472 |
-- /* Map the IP address to a host name. */ |
473 |
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), |
474 |
-- NULL, 0, NI_NAMEREQD) != 0) { |
475 |
-- /* Host name not found. Use ip address. */ |
476 |
-- return strdup(ntop); |
477 |
-- } |
478 |
-- |
479 |
-- /* |
480 |
-- * if reverse lookup result looks like a numeric hostname, |
481 |
-- * someone is trying to trick us by PTR record like following: |
482 |
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 |
483 |
-- */ |
484 |
-- memset(&hints, 0, sizeof(hints)); |
485 |
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ |
486 |
-- hints.ai_flags = AI_NUMERICHOST; |
487 |
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { |
488 |
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", |
489 |
-- name, ntop); |
490 |
-- freeaddrinfo(ai); |
491 |
-- return strdup(ntop); |
492 |
-- } |
493 |
-- |
494 |
-- /* Names are stored in lowercase. */ |
495 |
-- lowercase(name); |
496 |
-- |
497 |
-- /* |
498 |
-- * Map it back to an IP address and check that the given |
499 |
-- * address actually is an address of this host. This is |
500 |
-- * necessary because anyone with access to a name server can |
501 |
-- * define arbitrary names for an IP address. Mapping from |
502 |
-- * name to IP address can be trusted better (but can still be |
503 |
-- * fooled if the intruder has access to the name server of |
504 |
-- * the domain). |
505 |
-- */ |
506 |
-- memset(&hints, 0, sizeof(hints)); |
507 |
-- hints.ai_family = from.ss_family; |
508 |
-- hints.ai_socktype = SOCK_STREAM; |
509 |
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { |
510 |
-- logit("reverse mapping checking getaddrinfo for %.700s " |
511 |
-- "[%s] failed.", name, ntop); |
512 |
-- return strdup(ntop); |
513 |
-- } |
514 |
-- /* Look for the address from the list of addresses. */ |
515 |
-- for (ai = aitop; ai; ai = ai->ai_next) { |
516 |
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, |
517 |
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && |
518 |
-- (strcmp(ntop, ntop2) == 0)) |
519 |
-- break; |
520 |
-- } |
521 |
-- freeaddrinfo(aitop); |
522 |
-- /* If we reached the end of the list, the address was not there. */ |
523 |
-- if (ai == NULL) { |
524 |
-- /* Address not found for the host name. */ |
525 |
-- logit("Address %.100s maps to %.600s, but this does not " |
526 |
-- "map back to the address.", ntop, name); |
527 |
-- return strdup(ntop); |
528 |
-- } |
529 |
-- return strdup(name); |
530 |
--} |
531 |
-- |
532 |
--/* |
533 |
-- * Return the canonical name of the host in the other side of the current |
534 |
-- * connection. The host name is cached, so it is efficient to call this |
535 |
-- * several times. |
536 |
-- */ |
537 |
-- |
538 |
--const char * |
539 |
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns) |
540 |
--{ |
541 |
-- static char *dnsname; |
542 |
-- |
543 |
-- if (!use_dns) |
544 |
-- return ssh_remote_ipaddr(ssh); |
545 |
-- else if (dnsname != NULL) |
546 |
-- return dnsname; |
547 |
-- else { |
548 |
-- dnsname = remote_hostname(ssh); |
549 |
-- return dnsname; |
550 |
-- } |
551 |
--} |
552 |
-- |
553 |
- /* |
554 |
- * Runs command in a subprocess with a minimal environment. |
555 |
- * Returns pid on success, 0 on failure. |
556 |
-diff --git a/canohost.c b/canohost.c |
557 |
-index abea9c6e..4f4524d2 100644 |
558 |
---- a/canohost.c |
559 |
-+++ b/canohost.c |
560 |
-@@ -202,3 +202,117 @@ get_local_port(int sock) |
561 |
- { |
562 |
- return get_sock_port(sock, 1); |
563 |
- } |
564 |
-+ |
565 |
-+/* |
566 |
-+ * Returns the remote DNS hostname as a string. The returned string must not |
567 |
-+ * be freed. NB. this will usually trigger a DNS query the first time it is |
568 |
-+ * called. |
569 |
-+ * This function does additional checks on the hostname to mitigate some |
570 |
-+ * attacks on legacy rhosts-style authentication. |
571 |
-+ * XXX is RhostsRSAAuthentication vulnerable to these? |
572 |
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) |
573 |
-+ */ |
574 |
-+ |
575 |
-+static char * |
576 |
-+remote_hostname(struct ssh *ssh) |
577 |
-+{ |
578 |
-+ struct sockaddr_storage from; |
579 |
-+ socklen_t fromlen; |
580 |
-+ struct addrinfo hints, *ai, *aitop; |
581 |
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; |
582 |
-+ const char *ntop = ssh_remote_ipaddr(ssh); |
583 |
-+ |
584 |
-+ /* Get IP address of client. */ |
585 |
-+ fromlen = sizeof(from); |
586 |
-+ memset(&from, 0, sizeof(from)); |
587 |
-+ if (getpeername(ssh_packet_get_connection_in(ssh), |
588 |
-+ (struct sockaddr *)&from, &fromlen) < 0) { |
589 |
-+ debug("getpeername failed: %.100s", strerror(errno)); |
590 |
-+ return strdup(ntop); |
591 |
-+ } |
592 |
-+ |
593 |
-+ ipv64_normalise_mapped(&from, &fromlen); |
594 |
-+ if (from.ss_family == AF_INET6) |
595 |
-+ fromlen = sizeof(struct sockaddr_in6); |
596 |
-+ |
597 |
-+ debug3("Trying to reverse map address %.100s.", ntop); |
598 |
-+ /* Map the IP address to a host name. */ |
599 |
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), |
600 |
-+ NULL, 0, NI_NAMEREQD) != 0) { |
601 |
-+ /* Host name not found. Use ip address. */ |
602 |
-+ return strdup(ntop); |
603 |
-+ } |
604 |
-+ |
605 |
-+ /* |
606 |
-+ * if reverse lookup result looks like a numeric hostname, |
607 |
-+ * someone is trying to trick us by PTR record like following: |
608 |
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 |
609 |
-+ */ |
610 |
-+ memset(&hints, 0, sizeof(hints)); |
611 |
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ |
612 |
-+ hints.ai_flags = AI_NUMERICHOST; |
613 |
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { |
614 |
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", |
615 |
-+ name, ntop); |
616 |
-+ freeaddrinfo(ai); |
617 |
-+ return strdup(ntop); |
618 |
-+ } |
619 |
-+ |
620 |
-+ /* Names are stored in lowercase. */ |
621 |
-+ lowercase(name); |
622 |
-+ |
623 |
-+ /* |
624 |
-+ * Map it back to an IP address and check that the given |
625 |
-+ * address actually is an address of this host. This is |
626 |
-+ * necessary because anyone with access to a name server can |
627 |
-+ * define arbitrary names for an IP address. Mapping from |
628 |
-+ * name to IP address can be trusted better (but can still be |
629 |
-+ * fooled if the intruder has access to the name server of |
630 |
-+ * the domain). |
631 |
-+ */ |
632 |
-+ memset(&hints, 0, sizeof(hints)); |
633 |
-+ hints.ai_family = from.ss_family; |
634 |
-+ hints.ai_socktype = SOCK_STREAM; |
635 |
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { |
636 |
-+ logit("reverse mapping checking getaddrinfo for %.700s " |
637 |
-+ "[%s] failed.", name, ntop); |
638 |
-+ return strdup(ntop); |
639 |
-+ } |
640 |
-+ /* Look for the address from the list of addresses. */ |
641 |
-+ for (ai = aitop; ai; ai = ai->ai_next) { |
642 |
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, |
643 |
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && |
644 |
-+ (strcmp(ntop, ntop2) == 0)) |
645 |
-+ break; |
646 |
-+ } |
647 |
-+ freeaddrinfo(aitop); |
648 |
-+ /* If we reached the end of the list, the address was not there. */ |
649 |
-+ if (ai == NULL) { |
650 |
-+ /* Address not found for the host name. */ |
651 |
-+ logit("Address %.100s maps to %.600s, but this does not " |
652 |
-+ "map back to the address.", ntop, name); |
653 |
-+ return strdup(ntop); |
654 |
-+ } |
655 |
-+ return strdup(name); |
656 |
-+} |
657 |
-+ |
658 |
-+/* |
659 |
-+ * Return the canonical name of the host in the other side of the current |
660 |
-+ * connection. The host name is cached, so it is efficient to call this |
661 |
-+ * several times. |
662 |
-+ */ |
663 |
-+ |
664 |
-+const char * |
665 |
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) |
666 |
-+{ |
667 |
-+ static char *dnsname; |
668 |
-+ |
669 |
-+ if (!use_dns) |
670 |
-+ return ssh_remote_ipaddr(ssh); |
671 |
-+ else if (dnsname != NULL) |
672 |
-+ return dnsname; |
673 |
-+ else { |
674 |
-+ dnsname = remote_hostname(ssh); |
675 |
-+ return dnsname; |
676 |
-+ } |
677 |
-+} |
678 |
-diff --git a/readconf.c b/readconf.c |
679 |
-index f78b4d6f..747287f7 100644 |
680 |
---- a/readconf.c |
681 |
-+++ b/readconf.c |
682 |
-@@ -162,6 +162,7 @@ typedef enum { |
683 |
- oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
684 |
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
685 |
- oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
686 |
-+ oGssTrustDns, |
687 |
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
688 |
- oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, |
689 |
- oHashKnownHosts, |
690 |
-@@ -203,9 +204,11 @@ static struct { |
691 |
- #if defined(GSSAPI) |
692 |
- { "gssapiauthentication", oGssAuthentication }, |
693 |
- { "gssapidelegatecredentials", oGssDelegateCreds }, |
694 |
-+ { "gssapitrustdns", oGssTrustDns }, |
695 |
- # else |
696 |
- { "gssapiauthentication", oUnsupported }, |
697 |
- { "gssapidelegatecredentials", oUnsupported }, |
698 |
-+ { "gssapitrustdns", oUnsupported }, |
699 |
- #endif |
700 |
- #ifdef ENABLE_PKCS11 |
701 |
- { "pkcs11provider", oPKCS11Provider }, |
702 |
-@@ -992,6 +995,10 @@ parse_time: |
703 |
- intptr = &options->gss_deleg_creds; |
704 |
- goto parse_flag; |
705 |
- |
706 |
-+ case oGssTrustDns: |
707 |
-+ intptr = &options->gss_trust_dns; |
708 |
-+ goto parse_flag; |
709 |
-+ |
710 |
- case oBatchMode: |
711 |
- intptr = &options->batch_mode; |
712 |
- goto parse_flag; |
713 |
-@@ -1864,6 +1871,7 @@ initialize_options(Options * options) |
714 |
- options->challenge_response_authentication = -1; |
715 |
- options->gss_authentication = -1; |
716 |
- options->gss_deleg_creds = -1; |
717 |
-+ options->gss_trust_dns = -1; |
718 |
- options->password_authentication = -1; |
719 |
- options->kbd_interactive_authentication = -1; |
720 |
- options->kbd_interactive_devices = NULL; |
721 |
-@@ -2011,6 +2019,8 @@ fill_default_options(Options * options) |
722 |
- options->gss_authentication = 0; |
723 |
- if (options->gss_deleg_creds == -1) |
724 |
- options->gss_deleg_creds = 0; |
725 |
-+ if (options->gss_trust_dns == -1) |
726 |
-+ options->gss_trust_dns = 0; |
727 |
- if (options->password_authentication == -1) |
728 |
- options->password_authentication = 1; |
729 |
- if (options->kbd_interactive_authentication == -1) |
730 |
-diff --git a/readconf.h b/readconf.h |
731 |
-index 8e36bf32..c9e4718d 100644 |
732 |
---- a/readconf.h |
733 |
-+++ b/readconf.h |
734 |
-@@ -41,6 +41,7 @@ typedef struct { |
735 |
- /* Try S/Key or TIS, authentication. */ |
736 |
- int gss_authentication; /* Try GSS authentication */ |
737 |
- int gss_deleg_creds; /* Delegate GSS credentials */ |
738 |
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ |
739 |
- int password_authentication; /* Try password |
740 |
- * authentication. */ |
741 |
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
742 |
-diff --git a/ssh_config.5 b/ssh_config.5 |
743 |
-index 02a87892..95de538b 100644 |
744 |
---- a/ssh_config.5 |
745 |
-+++ b/ssh_config.5 |
746 |
-@@ -762,6 +762,16 @@ The default is |
747 |
- Forward (delegate) credentials to the server. |
748 |
- The default is |
749 |
- .Cm no . |
750 |
-+Note that this option applies to protocol version 2 connections using GSSAPI. |
751 |
-+.It Cm GSSAPITrustDns |
752 |
-+Set to |
753 |
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize |
754 |
-+the name of the host being connected to. If |
755 |
-+.Dq no, the hostname entered on the |
756 |
-+command line will be passed untouched to the GSSAPI library. |
757 |
-+The default is |
758 |
-+.Dq no . |
759 |
-+This option only applies to protocol version 2 connections using GSSAPI. |
760 |
- .It Cm HashKnownHosts |
761 |
- Indicates that |
762 |
- .Xr ssh 1 |
763 |
-diff --git a/sshconnect2.c b/sshconnect2.c |
764 |
-index 87fa70a4..a6ffdc96 100644 |
765 |
---- a/sshconnect2.c |
766 |
-+++ b/sshconnect2.c |
767 |
-@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh) |
768 |
- OM_uint32 min; |
769 |
- int r, ok = 0; |
770 |
- gss_OID mech = NULL; |
771 |
-+ const char *gss_host; |
772 |
-+ |
773 |
-+ if (options.gss_trust_dns) { |
774 |
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); |
775 |
-+ gss_host = auth_get_canonical_hostname(ssh, 1); |
776 |
-+ } else |
777 |
-+ gss_host = authctxt->host; |
778 |
- |
779 |
- /* Try one GSSAPI method at a time, rather than sending them all at |
780 |
- * once. */ |
781 |
-@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh) |
782 |
- elements[authctxt->mech_tried]; |
783 |
- /* My DER encoding requires length<128 */ |
784 |
- if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, |
785 |
-- mech, authctxt->host)) { |
786 |
-+ mech, gss_host)) { |
787 |
- ok = 1; /* Mechanism works */ |
788 |
- } else { |
789 |
- authctxt->mech_tried++; |
790 |
|
791 |
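diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch
deleted file mode 100644
index 67a93fe..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:01.210601434 -0700
-+++ b/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:18.753485852 -0700
-@@ -7,7 +7,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
- EXEEXT=@EXEEXT@
- LIBCOMPAT=../libopenbsd-compat.a
- LIBS=@LIBS@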
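diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
deleted file mode 100644
index 48cce79..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Only in b: .openssh-8.1p1+x509-12.3.diff.un~
-diff -ur a/openssh-8.1p1+x509-12.3.diff b/openssh-8.1p1+x509-12.3.diff
---- a/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:33:45.796485604 -0700
-+++ b/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:39:44.960312587 -0700
-@@ -35343,12 +35343,11 @@
-
- install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
- install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
--@@ -339,6 +360,8 @@
-+@@ -339,6 +360,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -83536,16 +83535,6 @@
- + return mbtowc(NULL, s, n);
- +}
- +#endif
--diff -ruN openssh-8.1p1/version.h openssh-8.1p1+x509-12.3/version.h
----- openssh-8.1p1/version.h 2019-10-09 03:31:03.000000000 +0300
--+++ openssh-8.1p1+x509-12.3/version.h 2019-10-13 09:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.1"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.1p1/version.m4 openssh-8.1p1+x509-12.3/version.m4
- --- openssh-8.1p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.1p1+x509-12.3/version.m4 2019-10-13 09:07:00.000000000 +0300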
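diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
deleted file mode 100644
index 90fa248..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
-@@ -409,18 +409,10 @@
- index 817da43b..b2bcf78f 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 8ccfd2e0..1ad9bc06 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
- /* Format of the configuration file:
-
- @@ -167,6 +168,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -112,7 +116,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -700,9 +678,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -486,6 +532,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1079,11 +1057,11 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
- if (!authctxt.success)
- fatal("Authentication failed.");
--+
-+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
-@@ -1105,9 +1083,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
- diff --git a/sshd.c b/sshd.c
- index 11571c01..23a06022 100644
- --- a/sshd.c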
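diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
deleted file mode 100644
index 3f5c7a4..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
-@@ -1191,15 +1191,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b3fadf8..ec1d2e27 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,6 @@
-- #define SSH_VERSION "OpenSSH_8.1"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v20"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+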
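diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
deleted file mode 100644
index 505e34d..0000000
--- a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
-index 86ea6250..844adabc 100644
---- a/regress/cert-hostkey.sh
-+++ b/regress/cert-hostkey.sh
-@@ -252,7 +252,7 @@ test_one() {
- test_one "user-certificate" failure "-n $HOSTS"
- test_one "empty principals" success "-h"
- test_one "wrong principals" failure "-h -n foo"
--test_one "cert not yet valid" failure "-h -V20200101:20300101"
-+test_one "cert not yet valid" failure "-h -V20300101:20320101"
- test_one "cert expired" failure "-h -V19800101:19900101"
- test_one "cert valid interval" success "-h -V-1w:+2w"
- test_one "cert has constraints" failure "-h -Oforce-command=false"
-diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
-index 38c14a69..5cd02fc3 100644
---- a/regress/cert-userkey.sh
-+++ b/regress/cert-userkey.sh
-@@ -338,7 +338,7 @@ test_one() {
- test_one "correct principal" success "-n ${USER}"
- test_one "host-certificate" failure "-n ${USER} -h"
- test_one "wrong principals" failure "-n foo"
--test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
-+test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
- test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
- test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
- test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"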
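diff --git a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
deleted file mode 100644
index d4db77b..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,359 +0,0 @@
-diff --git a/auth.c b/auth.c
-index 086b8ebb..a267353c 100644
---- a/auth.c
-+++ b/auth.c
-@@ -724,120 +724,6 @@ fakepw(void)
- return (&fake);
- }
-
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) == -1) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return xstrdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return xstrdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return xstrdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return xstrdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return xstrdup(ntop);
-- }
-- return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
--
- /*
- * Runs command in a subprocess with a minimal environment.
- * Returns pid on success, 0 on failure.
-diff --git a/canohost.c b/canohost.c
-index abea9c6e..4f4524d2 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) < 0) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return strdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return strdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return strdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return strdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return strdup(ntop);
-+ }
-+ return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}
-diff --git a/readconf.c b/readconf.c
-index f3cac6b3..adfd7a4e 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -160,6 +160,7 @@ typedef enum {
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -205,9 +206,11 @@ static struct {
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "pkcs11provider", oPKCS11Provider },
-@@ -1033,6 +1036,10 @@ parse_time:
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1912,6 +1919,7 @@ initialize_options(Options * options)
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -2061,6 +2069,8 @@ fill_default_options(Options * options)
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index feedb3d2..c7139c1b 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -42,6 +42,7 @@ typedef struct {
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index 06a32d31..6871ff36 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -770,6 +770,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index af00fb30..652463c5 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh)
- OM_uint32 min;
- int r, ok = 0;
- gss_OID mech = NULL;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(ssh, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh)
- elements[authctxt->mech_tried];
- /* My DER encoding requires length<128 */
- if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
-- mech, authctxt->host)) {
-+ mech, gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- authctxt->mech_tried++;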
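diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch
deleted file mode 100644
index 1c58d0d..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-X509-12.4.3-tests.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:01.210601434 -0700
-+++ b/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:18.753485852 -0700
-@@ -7,7 +7,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
- EXEEXT=@EXEEXT@
- LIBCOMPAT=../libopenbsd-compat.a
- LIBS=@LIBS@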
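diff --git a/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch b/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch
deleted file mode 100644
index e73c499..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-X509-glue-12.4.3.patch
+++ /dev/null
@@ -1,128 +0,0 @@
---- a/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:15:05.939809371 -0700
-+++ b/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:23:15.424752355 -0700
-@@ -39298,16 +39298,15 @@
-
- install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
- install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
--@@ -378,6 +379,8 @@
-+@@ -378,6 +379,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
--@@ -386,11 +389,14 @@
-+@@ -386,11 +388,14 @@
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-@@ -39326,7 +39325,7 @@
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
- $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
--@@ -400,12 +406,12 @@
-+@@ -400,12 +405,12 @@
- $(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
- $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
- $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
-@@ -39340,7 +39339,7 @@
-
- install-sysconf:
- $(MKDIR_P) $(DESTDIR)$(sysconfdir)
--@@ -463,10 +469,9 @@
-+@@ -463,10 +468,9 @@
- -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-@@ -39354,7 +39353,7 @@
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
--@@ -478,7 +483,6 @@
-+@@ -478,7 +482,6 @@
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-@@ -39362,7 +39361,7 @@
-
- regress-prep:
- $(MKDIR_P) `pwd`/regress/unittests/test_helper
--@@ -491,11 +495,11 @@
-+@@ -491,11 +494,11 @@
- $(MKDIR_P) `pwd`/regress/unittests/match
- $(MKDIR_P) `pwd`/regress/unittests/utf8
- $(MKDIR_P) `pwd`/regress/misc/kexfuzz
-@@ -39376,7 +39375,7 @@
-
- regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
- $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
--@@ -546,8 +550,7 @@
-+@@ -546,8 +549,7 @@
- regress/unittests/sshkey/tests.o \
- regress/unittests/sshkey/common.o \
- regress/unittests/sshkey/test_file.o \
-@@ -39406,7 +39405,7 @@
-
- regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
- ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
--@@ -618,35 +619,18 @@
-+@@ -618,35 +618,18 @@
- -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-
- MISC_KEX_FUZZ_OBJS=\
-@@ -39444,7 +39443,7 @@
- regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
- regress/unittests/sshkey/test_sshkey$(EXEEXT) \
- regress/unittests/bitmap/test_bitmap$(EXEEXT) \
--@@ -657,36 +641,29 @@
-+@@ -657,36 +640,29 @@
- regress/unittests/utf8/test_utf8$(EXEEXT) \
- regress/misc/kexfuzz/kexfuzz$(EXEEXT)
-
-@@ -39501,7 +39500,7 @@
- TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
- TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
- TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
--@@ -708,8 +685,6 @@
-+@@ -708,8 +684,6 @@
- TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
- TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
- TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
-@@ -39510,7 +39509,7 @@
- TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
- TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
- TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
--@@ -717,17 +692,35 @@
-+@@ -717,17 +691,35 @@
- TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
- TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
- TEST_SSH_ECC="$${TEST_SSH_ECC}" \
-@@ -39549,7 +39548,7 @@
-
- survey: survey.sh ssh
- @$(SHELL) ./survey.sh > survey
--@@ -743,4 +736,8 @@
-+@@ -743,4 +735,8 @@
- sh buildpkg.sh; \
- fi
-
-@@ -98215,16 +98214,6 @@
- + return mbtowc(NULL, s, n);
- +}
- +#endif
--diff -ruN openssh-8.2p1/version.h openssh-8.2p1+x509-12.4.3/version.h
----- openssh-8.2p1/version.h 2020-02-14 02:40:54.000000000 +0200
--+++ openssh-8.2p1+x509-12.4.3/version.h 2020-03-21 19:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.2"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.2p1/version.m4 openssh-8.2p1+x509-12.4.3/version.m4
- --- openssh-8.2p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.2p1+x509-12.4.3/version.m4 2020-03-21 19:07:00.000000000 +0200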
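diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-X509-glue.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-X509-glue.patch
deleted file mode 100644
index 5af4534..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-X509-glue.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:41:56.143193830 -0800
-+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:46:40.060133610 -0800
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -902,14 +902,14 @@
-
- /*
- @@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
-- options->canonicalize_hostname = SSH_CANONICALISE_NO;
-- if (options->fingerprint_hash == -1)
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
-+ if (options->update_hostkeys == -1)
-+ options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
-- #ifdef ENABLE_SK_INTERNAL
- if (options->sk_provider == NULL)
-- options->sk_provider = xstrdup("internal");
-+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-+
- diff --git a/readconf.h b/readconf.h
- index 8e36bf32..c803eca7 100644
- --- a/readconf.h
-@@ -948,9 +948,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -643,6 +647,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-Only in b: openssh-8_1_P1-hpn-AES-CTR-14.20.diff.orig
-diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:41:56.144193830 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:45:36.665147504 -0800
-@@ -382,7 +382,7 @@
- @@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -391,8 +391,8 @@
- debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
- if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
- @@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
-- peer[ncomp] = NULL;
-- goto out;
-+ else
-+ fatal("Pre-authentication none cipher requests are not allowed.");
- }
- + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
- + if (strcmp(newkeys->enc.name, "none") == 0) {
-@@ -1169,15 +1169,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b3fadf8..ec1d2e27 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,6 @@
-- #define SSH_VERSION "OpenSSH_8.1"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v20"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+
-diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
---- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:41:43.834196317 -0800
-+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:45:36.665147504 -0800
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -33,12 +33,12 @@
- @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+ if (win_size > 36) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);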
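diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-glue.patch
deleted file mode 100644
index b2163fe..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-glue.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:50:44.413776914 -0800
-+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:53:06.190742744 -0800
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
-- LD=@LD@
-- CFLAGS=@CFLAGS@
-+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ PICFLAG=@PICFLAG@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -902,14 +902,14 @@
-
- /*
- @@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
-+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
-+ if (options->fingerprint_hash == -1)
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
-- if (options->update_hostkeys == -1)
-- options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
--
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ #ifdef ENABLE_SK_INTERNAL
-+ if (options->sk_provider == NULL)
-+ options->sk_provider = xstrdup("internal");
- diff --git a/readconf.h b/readconf.h
- index 8e36bf32..c803eca7 100644
- --- a/readconf.h
-@@ -952,9 +952,9 @@
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
- @@ -643,6 +647,7 @@ static struct {
-- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-+ { "include", sInclude, SSHCFG_ALL },
- + { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
- { "ipqos", sIPQoS, SSHCFG_ALL },
- { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:50:44.413776914 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:51:19.541768656 -0800
-@@ -409,18 +409,10 @@
- index 817da43b..b2bcf78f 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 8ccfd2e0..1ad9bc06 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
- /* Format of the configuration file:
-
- @@ -167,6 +168,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -112,7 +116,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -700,9 +678,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -486,6 +532,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -1079,11 +1057,11 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
- if (!authctxt.success)
- fatal("Authentication failed.");
--+
-+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
-@@ -1105,9 +1083,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
- diff --git a/sshd.c b/sshd.c
- index 11571c01..23a06022 100644
- --- a/sshd.c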
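diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch
deleted file mode 100644
index 69dd22a..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:31:37.392120799 -0700
-+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:32:46.143684424 -0700
-@@ -672,7 +672,7 @@
- +const EVP_CIPHER *
- +evp_aes_ctr_mt(void)
- +{
--+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
-++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
- + static EVP_CIPHER *aes_ctr;
- + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
- + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
-@@ -701,7 +701,7 @@
- + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
- +# endif /*SSH_OLD_EVP*/
- + return &aes_ctr;
--+# endif /*OPENSSH_VERSION_NUMBER*/
-++# endif /*OPENSSL_VERSION_NUMBER*/
- +}
- +
- +#endif /* defined(WITH_OPENSSL) */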
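diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch
deleted file mode 100644
index 2397aad..0000000
--- a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-sctp-glue.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:00.321998279 -0800
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:21.759980508 -0800
-@@ -1169,15 +1169,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b3fadf8..ec1d2e27 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,6 @@
-- #define SSH_VERSION "OpenSSH_8.1"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn14v20"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
--+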
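diff --git a/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch b/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch
deleted file mode 100644
index d1651bc..0000000
--- a/net-misc/openssh/files/openssh-8.3_p1-X509-glue-12.5.1.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Only in b: .openssh-8.3p1+x509-12.5.1.diff.un~
-diff -u a/openssh-8.3p1+x509-12.5.1.diff b/openssh-8.3p1+x509-12.5.1.diff
---- a/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:13:08.937543708 -0700
-+++ b/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:16:33.417271984 -0700
-@@ -35541,12 +35541,11 @@
-
- install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
- install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
--@@ -382,6 +363,8 @@
-+@@ -382,6 +363,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -97028,16 +97027,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.3p1/version.h openssh-8.3p1+x509-12.5.1/version.h
----- openssh-8.3p1/version.h 2020-05-27 03:38:00.000000000 +0300
--+++ openssh-8.3p1+x509-12.5.1/version.h 2020-06-07 11:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.3"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.3p1/version.m4 openssh-8.3p1+x509-12.5.1/version.m4
- --- openssh-8.3p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.3p1+x509-12.5.1/version.m4 2020-06-07 11:07:00.000000000 +0300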
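diff --git a/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch
deleted file mode 100644
index 4414f9b..0000000
--- a/net-misc/openssh/files/openssh-8.3_p1-hpn-14.20-glue.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-Only in b: .openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff.un~
-diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
---- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:27.704108928 -0700
-+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:49.803967500 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
-- LD=@LD@
-- CFLAGS=@CFLAGS@
-+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ PICFLAG=@PICFLAG@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -902,14 +902,14 @@
-
- /*
- @@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
-+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
-+ if (options->fingerprint_hash == -1)
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
-- if (options->update_hostkeys == -1)
-- options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
--
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ #ifdef ENABLE_SK_INTERNAL
-+ if (options->sk_provider == NULL)
-+ options->sk_provider = xstrdup("internal");
- diff --git a/readconf.h b/readconf.h
- index 8e36bf32..c803eca7 100644
- --- a/readconf.h
-@@ -952,9 +952,9 @@
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
- @@ -643,6 +647,7 @@ static struct {
-- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-+ { "include", sInclude, SSHCFG_ALL },
- + { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
- { "ipqos", sIPQoS, SSHCFG_ALL },
- { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
-diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
---- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 13:52:27.705108921 -0700
-+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 14:03:57.888683100 -0700
-@@ -409,18 +409,10 @@
- index 817da43b..b2bcf78f 100644
- --- a/packet.c
- +++ b/packet.c
--@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -434,20 +426,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- diff --git a/packet.h b/packet.h
- index 8ccfd2e0..1ad9bc06 100644
- --- a/packet.h
-@@ -476,9 +454,9 @@
- /* Format of the configuration file:
-
- @@ -167,6 +168,8 @@ typedef enum {
-- oHashKnownHosts,
- oTunnel, oTunnelDevice,
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
-+ oDisableMTAES,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneSwitch,
- oVisualHostKey,
-@@ -615,9 +593,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -112,7 +116,10 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none to be used */
- int rekey_interval;
-@@ -700,9 +678,9 @@
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
- + }
- +
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- if (options->ip_qos_interactive == -1)
-- options->ip_qos_interactive = IPTOS_DSCP_AF21;
-- if (options->ip_qos_bulk == -1)
- @@ -486,6 +532,8 @@ typedef enum {
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -731,11 +709,10 @@
- *flags = keywords[i].flags;
- return keywords[i].opcode;
- }
--@@ -1424,10 +1477,27 @@ process_server_config_line(ServerOptions *options, char *line,
-- multistate_ptr = multistate_flag;
-+@@ -1424,12 +1477,28 @@ process_server_config_line(ServerOptions *options, char *line,
-+ multistate_ptr = multistate_ignore_rhosts;
- goto parse_multistate;
-
--+
- + case sTcpRcvBufPoll:
- + intptr = &options->tcp_rcv_buf_poll;
- + goto parse_flag;
-@@ -750,7 +727,9 @@
- +
- case sIgnoreUserKnownHosts:
- intptr = &options->ignore_user_known_hosts;
-- goto parse_flag;
-+ parse_flag:
-+ multistate_ptr = multistate_flag;
-+ goto parse_multistate;
-
- + case sNoneEnabled:
- + intptr = &options->none_enabled;
-@@ -1079,11 +1058,11 @@
- xxx_host = host;
- xxx_hostaddr = hostaddr;
-
--@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
- if (!authctxt.success)
- fatal("Authentication failed.");
--+
-+
- + /*
- + * If the user wants to use the none cipher, do it post authentication
- + * and only if the right conditions are met -- both of the NONE commands
-@@ -1105,9 +1084,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
- diff --git a/sshd.c b/sshd.c
- index 11571c01..23a06022 100644
- --- a/sshd.c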
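diff --git a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch b/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
deleted file mode 100644
index 6bd7166..0000000
--- a/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Makefile.in b/Makefile.in
-index c9e4294d..2dbfac24 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -44,7 +44,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@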
diff --git a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch b/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch |
2139 |
deleted file mode 100644 |
2140 |
index f12a309..0000000 |
2141 |
--- a/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch |
2142 |
+++ /dev/null |
2143 |
@@ -1,34 +0,0 @@ |
2144 |
-diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff |
2145 |
---- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700 |
2146 |
-+++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700 |
2147 |
-@@ -39348,12 +39348,11 @@ |
2148 |
- |
2149 |
- install-files: |
2150 |
- $(MKDIR_P) $(DESTDIR)$(bindir) |
2151 |
--@@ -384,6 +365,8 @@ |
2152 |
-+@@ -384,6 +365,7 @@ |
2153 |
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 |
2154 |
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 |
2155 |
- $(MKDIR_P) $(DESTDIR)$(libexecdir) |
2156 |
- + $(MKDIR_P) $(DESTDIR)$(sshcadir) |
2157 |
--+ $(MKDIR_P) $(DESTDIR)$(piddir) |
2158 |
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) |
2159 |
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) |
2160 |
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) |
2161 |
-@@ -103950,16 +103949,6 @@ |
2162 |
- +int asnmprintf(char **, size_t, int *, const char *, ...) |
2163 |
- __attribute__((format(printf, 4, 5))); |
2164 |
- void msetlocale(void); |
2165 |
--diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h |
2166 |
----- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300 |
2167 |
--+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300 |
2168 |
--@@ -2,5 +2,4 @@ |
2169 |
-- |
2170 |
-- #define SSH_VERSION "OpenSSH_8.4" |
2171 |
-- |
2172 |
---#define SSH_PORTABLE "p1" |
2173 |
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
2174 |
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" |
2175 |
- diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4 |
2176 |
- --- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200 |
2177 |
- +++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300 |
2178 |
|
2179 |
diff --git a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch b/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch |
2180 |
deleted file mode 100644 |
2181 |
index 32713d4..0000000 |
2182 |
--- a/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch |
2183 |
+++ /dev/null |
2184 |
@@ -1,30 +0,0 @@ |
2185 |
-From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001 |
2186 |
-From: Oleg <Fallmay@××××××××××××××××××××.com> |
2187 |
-Date: Thu, 1 Oct 2020 12:09:08 +0300 |
2188 |
-Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id |
2189 |
- |
2190 |
---- |
2191 |
- contrib/ssh-copy-id | 3 ++- |
2192 |
- 1 file changed, 2 insertions(+), 1 deletion(-) |
2193 |
- |
2194 |
-diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id |
2195 |
-index 392f64f94..a76907717 100644 |
2196 |
---- a/contrib/ssh-copy-id |
2197 |
-+++ b/contrib/ssh-copy-id |
2198 |
-@@ -247,7 +247,7 @@ installkeys_sh() { |
2199 |
- # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing |
2200 |
- # the cat adds the keys we're getting via STDIN |
2201 |
- # and if available restorecon is used to restore the SELinux context |
2202 |
-- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF) |
2203 |
-+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF |
2204 |
- cd; |
2205 |
- umask 077; |
2206 |
- mkdir -p $(dirname "${AUTH_KEY_FILE}") && |
2207 |
-@@ -258,6 +258,7 @@ installkeys_sh() { |
2208 |
- restorecon -F .ssh ${AUTH_KEY_FILE}; |
2209 |
- fi |
2210 |
- EOF |
2211 |
-+ ) |
2212 |
- |
2213 |
- # to defend against quirky remote shells: use 'exec sh -c' to get POSIX; |
2214 |
- printf "exec sh -c '%s'" "${INSTALLKEYS_SH}" |
2215 |
|
2216 |
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch |
2217 |
deleted file mode 100644 |
2218 |
index 9bd600b..0000000 |
2219 |
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch |
2220 |
+++ /dev/null |
2221 |
@@ -1,129 +0,0 @@ |
2222 |
-diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff |
2223 |
---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700 |
2224 |
-+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700 |
2225 |
-@@ -3,9 +3,9 @@ |
2226 |
- --- a/Makefile.in |
2227 |
- +++ b/Makefile.in |
2228 |
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ |
2229 |
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@ |
2230 |
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
2231 |
-- PICFLAG=@PICFLAG@ |
2232 |
-+ LD=@LD@ |
2233 |
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) |
2234 |
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ |
2235 |
- -LIBS=@LIBS@ |
2236 |
- +LIBS=@LIBS@ -lpthread |
2237 |
- K5LIBS=@K5LIBS@ |
2238 |
-@@ -803,7 +803,7 @@ |
2239 |
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
2240 |
- { |
2241 |
- struct session_state *state; |
2242 |
--- const struct sshcipher *none = cipher_by_name("none"); |
2243 |
-+- const struct sshcipher *none = cipher_none(); |
2244 |
- + struct sshcipher *none = cipher_by_name("none"); |
2245 |
- int r; |
2246 |
- |
2247 |
-@@ -901,17 +901,18 @@ |
2248 |
- } |
2249 |
- |
2250 |
- /* |
2251 |
--@@ -2203,6 +2210,10 @@ fill_default_options(Options * options) |
2252 |
-+@@ -2203,5 +2210,10 @@ fill_default_options(Options * options) |
2253 |
- if (options->sk_provider == NULL) |
2254 |
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); |
2255 |
-- #endif |
2256 |
-+ |
2257 |
- + if (options->update_hostkeys == -1) |
2258 |
- + options->update_hostkeys = 0; |
2259 |
- + if (options->disable_multithreaded == -1) |
2260 |
- + options->disable_multithreaded = 0; |
2261 |
-- |
2262 |
-- /* Expand KEX name lists */ |
2263 |
-- all_cipher = cipher_alg_list(',', 0); |
2264 |
-++ |
2265 |
-+ /* expand KEX and etc. name lists */ |
2266 |
-+ { char *all; |
2267 |
-+ #define ASSEMBLE(what, defaults, all) \ |
2268 |
- diff --git a/readconf.h b/readconf.h |
2269 |
- index e143a108..1383a3cd 100644 |
2270 |
- --- a/readconf.h |
2271 |
-@@ -950,9 +951,9 @@ |
2272 |
- /* Portable-specific options */ |
2273 |
- sUsePAM, |
2274 |
- + sDisableMTAES, |
2275 |
-- /* Standard Options */ |
2276 |
-- sPort, sHostKeyFile, sLoginGraceTime, |
2277 |
-- sPermitRootLogin, sLogFacility, sLogLevel, |
2278 |
-+ /* X.509 Standard Options */ |
2279 |
-+ sHostbasedAlgorithms, |
2280 |
-+ sPubkeyAlgorithms, |
2281 |
- @@ -679,6 +683,7 @@ static struct { |
2282 |
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
2283 |
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, |
2284 |
-diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff |
2285 |
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700 |
2286 |
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700 |
2287 |
-@@ -382,7 +382,7 @@ |
2288 |
- @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh) |
2289 |
- int nenc, nmac, ncomp; |
2290 |
- u_int mode, ctos, need, dh_need, authlen; |
2291 |
-- int r, first_kex_follows; |
2292 |
-+ int r, first_kex_follows = 0; |
2293 |
- + int auth_flag; |
2294 |
- + |
2295 |
- + auth_flag = packet_authentication_state(ssh); |
2296 |
-@@ -1193,14 +1193,3 @@ |
2297 |
- # Example of overriding settings on a per-user basis |
2298 |
- #Match User anoncvs |
2299 |
- # X11Forwarding no |
2300 |
--diff --git a/version.h b/version.h |
2301 |
--index a2eca3ec..ff654fc3 100644 |
2302 |
----- a/version.h |
2303 |
--+++ b/version.h |
2304 |
--@@ -3,4 +3,5 @@ |
2305 |
-- #define SSH_VERSION "OpenSSH_8.3" |
2306 |
-- |
2307 |
-- #define SSH_PORTABLE "p1" |
2308 |
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
2309 |
--+#define SSH_HPN "-hpn14v22" |
2310 |
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN |
2311 |
-diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff |
2312 |
---- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700 |
2313 |
-+++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700 |
2314 |
-@@ -12,9 +12,9 @@ |
2315 |
- static long stalled; /* how long we have been stalled */ |
2316 |
- static int bytes_per_second; /* current speed in bytes per second */ |
2317 |
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) |
2318 |
-+ off_t bytes_left; |
2319 |
- int cur_speed; |
2320 |
-- int hours, minutes, seconds; |
2321 |
-- int file_len; |
2322 |
-+ int len; |
2323 |
- + off_t delta_pos; |
2324 |
- |
2325 |
- if ((!force_update && !alarm_fired && !win_resized) || !can_output()) |
2326 |
-@@ -30,15 +30,17 @@ |
2327 |
- if (bytes_left > 0) |
2328 |
- elapsed = now - last_update; |
2329 |
- else { |
2330 |
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) |
2331 |
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) |
2332 |
-+ buf[1] = '\0'; |
2333 |
- |
2334 |
- /* filename */ |
2335 |
-- buf[0] = '\0'; |
2336 |
--- file_len = win_size - 36; |
2337 |
--+ file_len = win_size - 45; |
2338 |
-- if (file_len > 0) { |
2339 |
-- buf[0] = '\r'; |
2340 |
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", |
2341 |
-+- if (win_size > 36) { |
2342 |
-+- int file_len = win_size - 36; |
2343 |
-++ if (win_size > 45) { |
2344 |
-++ int file_len = win_size - 45; |
2345 |
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", |
2346 |
-+ file_len, file); |
2347 |
-+ } |
2348 |
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) |
2349 |
- (off_t)bytes_per_second); |
2350 |
- strlcat(buf, "/s ", win_size); |
2351 |
|
2352 |
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch |
2353 |
deleted file mode 100644 |
2354 |
index 884063c..0000000 |
2355 |
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch |
2356 |
+++ /dev/null |
2357 |
@@ -1,94 +0,0 @@ |
2358 |
-diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff |
2359 |
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700 |
2360 |
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700 |
2361 |
-@@ -409,18 +409,10 @@ |
2362 |
- index e7abb341..c23276d4 100644 |
2363 |
- --- a/packet.c |
2364 |
- +++ b/packet.c |
2365 |
--@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
2366 |
-+@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) |
2367 |
- return 0; |
2368 |
- } |
2369 |
- |
2370 |
--+/* this supports the forced rekeying required for the NONE cipher */ |
2371 |
--+int rekey_requested = 0; |
2372 |
--+void |
2373 |
--+packet_request_rekeying(void) |
2374 |
--+{ |
2375 |
--+ rekey_requested = 1; |
2376 |
--+} |
2377 |
--+ |
2378 |
- +/* used to determine if pre or post auth when rekeying for aes-ctr |
2379 |
- + * and none cipher switch */ |
2380 |
- +int |
2381 |
-@@ -434,20 +426,6 @@ |
2382 |
- #define MAX_PACKETS (1U<<31) |
2383 |
- static int |
2384 |
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
2385 |
--@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
2386 |
-- if (state->p_send.packets == 0 && state->p_read.packets == 0) |
2387 |
-- return 0; |
2388 |
-- |
2389 |
--+ /* used to force rekeying when called for by the none |
2390 |
--+ * cipher switch methods -cjr */ |
2391 |
--+ if (rekey_requested == 1) { |
2392 |
--+ rekey_requested = 0; |
2393 |
--+ return 1; |
2394 |
--+ } |
2395 |
--+ |
2396 |
-- /* Time-based rekeying */ |
2397 |
-- if (state->rekey_interval != 0 && |
2398 |
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
2399 |
- diff --git a/packet.h b/packet.h |
2400 |
- index c2544bd9..ebd85c88 100644 |
2401 |
- --- a/packet.h |
2402 |
-@@ -481,9 +459,9 @@ |
2403 |
- oLocalCommand, oPermitLocalCommand, oRemoteCommand, |
2404 |
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, |
2405 |
- + oNoneEnabled, oNoneSwitch, |
2406 |
-+ oDisableMTAES, |
2407 |
- oVisualHostKey, |
2408 |
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, |
2409 |
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, |
2410 |
- @@ -294,6 +297,8 @@ static struct { |
2411 |
- { "kexalgorithms", oKexAlgorithms }, |
2412 |
- { "ipqos", oIPQoS }, |
2413 |
-@@ -615,9 +593,9 @@ |
2414 |
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ |
2415 |
- SyslogFacility log_facility; /* Facility for system logging. */ |
2416 |
- @@ -114,7 +118,10 @@ typedef struct { |
2417 |
-- |
2418 |
- int enable_ssh_keysign; |
2419 |
- int64_t rekey_limit; |
2420 |
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ |
2421 |
- + int none_switch; /* Use none cipher */ |
2422 |
- + int none_enabled; /* Allow none to be used */ |
2423 |
- int rekey_interval; |
2424 |
-@@ -700,9 +678,9 @@ |
2425 |
- + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; |
2426 |
- + } |
2427 |
- + |
2428 |
-+ if (options->disable_multithreaded == -1) |
2429 |
-+ options->disable_multithreaded = 0; |
2430 |
- if (options->ip_qos_interactive == -1) |
2431 |
-- options->ip_qos_interactive = IPTOS_DSCP_AF21; |
2432 |
-- if (options->ip_qos_bulk == -1) |
2433 |
- @@ -519,6 +565,8 @@ typedef enum { |
2434 |
- sPasswordAuthentication, sKbdInteractiveAuthentication, |
2435 |
- sListenAddress, sAddressFamily, |
2436 |
-@@ -1081,11 +1059,11 @@ |
2437 |
- xxx_host = host; |
2438 |
- xxx_hostaddr = hostaddr; |
2439 |
- |
2440 |
--@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
2441 |
-+@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, |
2442 |
-+ } |
2443 |
-+ } |
2444 |
-+ #endif |
2445 |
- |
2446 |
-- if (!authctxt.success) |
2447 |
-- fatal("Authentication failed."); |
2448 |
--+ |
2449 |
- + /* |
2450 |
- + * If the user wants to use the none cipher, do it post authentication |
2451 |
- + * and only if the right conditions are met -- both of the NONE commands |
2452 |
|
2453 |
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch |
2454 |
deleted file mode 100644 |
2455 |
index 79cc3e5..0000000 |
2456 |
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-libressl.patch |
2457 |
+++ /dev/null |
2458 |
@@ -1,20 +0,0 @@ |
2459 |
---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:31:37.392120799 -0700 |
2460 |
-+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-04-17 10:32:46.143684424 -0700 |
2461 |
-@@ -672,7 +672,7 @@ |
2462 |
- +const EVP_CIPHER * |
2463 |
- +evp_aes_ctr_mt(void) |
2464 |
- +{ |
2465 |
--+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL |
2466 |
-++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER) |
2467 |
- + static EVP_CIPHER *aes_ctr; |
2468 |
- + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/); |
2469 |
- + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE); |
2470 |
-@@ -701,7 +701,7 @@ |
2471 |
- + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; |
2472 |
- +# endif /*SSH_OLD_EVP*/ |
2473 |
- + return &aes_ctr; |
2474 |
--+# endif /*OPENSSH_VERSION_NUMBER*/ |
2475 |
-++# endif /*OPENSSL_VERSION_NUMBER*/ |
2476 |
- +} |
2477 |
- + |
2478 |
- +#endif /* defined(WITH_OPENSSL) */ |
2479 |
|
2480 |
diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch |
2481 |
deleted file mode 100644 |
2482 |
index 52ec42e..0000000 |
2483 |
--- a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch |
2484 |
+++ /dev/null |
2485 |
@@ -1,18 +0,0 @@ |
2486 |
-diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff |
2487 |
---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700 |
2488 |
-+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700 |
2489 |
-@@ -1171,14 +1171,3 @@ |
2490 |
- # Example of overriding settings on a per-user basis |
2491 |
- #Match User anoncvs |
2492 |
- # X11Forwarding no |
2493 |
--diff --git a/version.h b/version.h |
2494 |
--index a2eca3ec..ff654fc3 100644 |
2495 |
----- a/version.h |
2496 |
--+++ b/version.h |
2497 |
--@@ -3,4 +3,5 @@ |
2498 |
-- #define SSH_VERSION "OpenSSH_8.3" |
2499 |
-- |
2500 |
-- #define SSH_PORTABLE "p1" |
2501 |
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
2502 |
--+#define SSH_HPN "-hpn14v22" |
2503 |
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN |
2504 |
|
2505 |
diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd |
2506 |
deleted file mode 100644 |
2507 |
index cf43037..0000000 |
2508 |
--- a/net-misc/openssh/files/sshd-r1.confd |
2509 |
+++ /dev/null |
2510 |
@@ -1,33 +0,0 @@ |
2511 |
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd |
2512 |
- |
2513 |
-# Where is your sshd_config file stored? |
2514 |
- |
2515 |
-SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh" |
2516 |
- |
2517 |
- |
2518 |
-# Any random options you want to pass to sshd. |
2519 |
-# See the sshd(8) manpage for more info. |
2520 |
- |
2521 |
-SSHD_OPTS="" |
2522 |
- |
2523 |
- |
2524 |
-# Wait one second (length chosen arbitrarily) to see if sshd actually |
2525 |
-# creates a PID file, or if it crashes for some reason like not being |
2526 |
-# able to bind to the address in ListenAddress. |
2527 |
- |
2528 |
-#SSHD_SSD_OPTS="--wait 1000" |
2529 |
- |
2530 |
- |
2531 |
-# Pid file to use (needs to be absolute path). |
2532 |
- |
2533 |
-#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid" |
2534 |
- |
2535 |
- |
2536 |
-# Path to the sshd binary (needs to be absolute path). |
2537 |
- |
2538 |
-#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd" |
2539 |
- |
2540 |
- |
2541 |
-# Path to the ssh-keygen binary (needs to be absolute path). |
2542 |
- |
2543 |
-#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen" |
2544 |
|
2545 |
diff --git a/net-misc/openssh/files/sshd-r1.initd b/net-misc/openssh/files/sshd-r1.initd |
2546 |
deleted file mode 100644 |
2547 |
index f6cd2e2..0000000 |
2548 |
--- a/net-misc/openssh/files/sshd-r1.initd |
2549 |
+++ /dev/null |
2550 |
@@ -1,87 +0,0 @@ |
2551 |
-#!/sbin/openrc-run |
2552 |
-# Copyright 1999-2021 Gentoo Authors |
2553 |
-# Distributed under the terms of the GNU General Public License v2 |
2554 |
- |
2555 |
-extra_commands="checkconfig" |
2556 |
-extra_started_commands="reload" |
2557 |
- |
2558 |
-: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} |
2559 |
-: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} |
2560 |
-: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} |
2561 |
-: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} |
2562 |
-: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} |
2563 |
- |
2564 |
-command="${SSHD_BINARY}" |
2565 |
-pidfile="${SSHD_PIDFILE}" |
2566 |
-command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" |
2567 |
- |
2568 |
-# Wait one second (length chosen arbitrarily) to see if sshd actually |
2569 |
-# creates a PID file, or if it crashes for some reason like not being |
2570 |
-# able to bind to the address in ListenAddress (bug 617596). |
2571 |
-: ${SSHD_SSD_OPTS:=--wait 1000} |
2572 |
-start_stop_daemon_args="${SSHD_SSD_OPTS}" |
2573 |
- |
2574 |
-depend() { |
2575 |
- # Entropy can be used by ssh-keygen, among other things, but |
2576 |
- # is not strictly required (bug 470020). |
2577 |
- use logger dns entropy |
2578 |
- if [ "${rc_need+set}" = "set" ] ; then |
2579 |
- : # Do nothing, the user has explicitly set rc_need |
2580 |
- else |
2581 |
- local x warn_addr |
2582 |
- for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do |
2583 |
- case "${x}" in |
2584 |
- 0.0.0.0|0.0.0.0:*) ;; |
2585 |
- ::|\[::\]*) ;; |
2586 |
- *) warn_addr="${warn_addr} ${x}" ;; |
2587 |
- esac |
2588 |
- done |
2589 |
- if [ -n "${warn_addr}" ] ; then |
2590 |
- need net |
2591 |
- ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" |
2592 |
- ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" |
2593 |
- ewarn "where FOO is the interface(s) providing the following address(es):" |
2594 |
- ewarn "${warn_addr}" |
2595 |
- fi |
2596 |
- fi |
2597 |
-} |
2598 |
- |
2599 |
-checkconfig() { |
2600 |
- checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" |
2601 |
- |
2602 |
- if [ ! -e "${SSHD_CONFIG}" ] ; then |
2603 |
- eerror "You need an ${SSHD_CONFIG} file to run sshd" |
2604 |
- eerror "There is a sample file in /usr/share/doc/openssh" |
2605 |
- return 1 |
2606 |
- fi |
2607 |
- |
2608 |
- ${SSHD_KEYGEN_BINARY} -A || return 2 |
2609 |
- |
2610 |
- "${command}" -t ${command_args} || return 3 |
2611 |
-} |
2612 |
- |
2613 |
-start_pre() { |
2614 |
- # Make sure that the user's config isn't busted before we try |
2615 |
- # to start the daemon (this will produce better error messages |
2616 |
- # than if we just try to start it blindly). |
2617 |
- # |
2618 |
- # We always need to call checkconfig because this function will |
2619 |
- # also generate any missing host key and you can start a |
2620 |
- # non-running service with "restart" argument. |
2621 |
- checkconfig || return $? |
2622 |
-} |
2623 |
- |
2624 |
-stop_pre() { |
2625 |
- # If this is a restart, check to make sure the user's config |
2626 |
- # isn't busted before we stop the running daemon. |
2627 |
- if [ "${RC_CMD}" = "restart" ] ; then |
2628 |
- checkconfig || return $? |
2629 |
- fi |
2630 |
-} |
2631 |
- |
2632 |
-reload() { |
2633 |
- checkconfig || return $? |
2634 |
- ebegin "Reloading ${SVCNAME}" |
2635 |
- start-stop-daemon --signal HUP --pidfile "${pidfile}" |
2636 |
- eend $? |
2637 |
-} |
2638 |
|
2639 |
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2 |
2640 |
deleted file mode 100644 |
2641 |
index b801aaa..0000000 |
2642 |
--- a/net-misc/openssh/files/sshd.pam_include.2 |
2643 |
+++ /dev/null |
2644 |
@@ -1,4 +0,0 @@ |
2645 |
-auth include system-remote-login |
2646 |
-account include system-remote-login |
2647 |
-password include system-remote-login |
2648 |
-session include system-remote-login |
2649 |
|
2650 |
diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service |
2651 |
deleted file mode 100644 |
2652 |
index b5e96b3..0000000 |
2653 |
--- a/net-misc/openssh/files/sshd.service |
2654 |
+++ /dev/null |
2655 |
@@ -1,11 +0,0 @@ |
2656 |
-[Unit] |
2657 |
-Description=OpenSSH server daemon |
2658 |
-After=syslog.target network.target auditd.service |
2659 |
- |
2660 |
-[Service] |
2661 |
-ExecStartPre=/usr/bin/ssh-keygen -A |
2662 |
-ExecStart=/usr/sbin/sshd -D -e |
2663 |
-ExecReload=/bin/kill -HUP $MAINPID |
2664 |
- |
2665 |
-[Install] |
2666 |
-WantedBy=multi-user.target |
2667 |
|
2668 |
diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket |
2669 |
deleted file mode 100644 |
2670 |
index 94b9533..0000000 |
2671 |
--- a/net-misc/openssh/files/sshd.socket |
2672 |
+++ /dev/null |
2673 |
@@ -1,10 +0,0 @@ |
2674 |
-[Unit] |
2675 |
-Description=OpenSSH Server Socket |
2676 |
-Conflicts=sshd.service |
2677 |
- |
2678 |
-[Socket] |
2679 |
-ListenStream=22 |
2680 |
-Accept=yes |
2681 |
- |
2682 |
-[Install] |
2683 |
-WantedBy=sockets.target |
2684 |
|
2685 |
diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service |
2686 |
deleted file mode 100644 |
2687 |
index ec2907b..0000000 |
2688 |
--- a/net-misc/openssh/files/sshd_at.service |
2689 |
+++ /dev/null |
2690 |
@@ -1,8 +0,0 @@ |
2691 |
-[Unit] |
2692 |
-Description=OpenSSH per-connection server daemon |
2693 |
-After=syslog.target auditd.service |
2694 |
- |
2695 |
-[Service] |
2696 |
-ExecStart=-/usr/sbin/sshd -i -e |
2697 |
-StandardInput=socket |
2698 |
-StandardError=journal |
2699 |
|
2700 |
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml |
2701 |
deleted file mode 100644 |
2702 |
index 9ce34e6..0000000 |
2703 |
--- a/net-misc/openssh/metadata.xml |
2704 |
+++ /dev/null |
2705 |
@@ -1,37 +0,0 @@ |
2706 |
-<?xml version="1.0" encoding="UTF-8"?> |
2707 |
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> |
2708 |
-<pkgmetadata> |
2709 |
- <maintainer type="project"> |
2710 |
- <email>base-system@g.o</email> |
2711 |
- <name>Gentoo Base System</name> |
2712 |
- </maintainer> |
2713 |
- <longdescription> |
2714 |
-OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that |
2715 |
-increasing numbers of people on the Internet are coming to rely on. Many users of telnet, |
2716 |
-rlogin, ftp, and other such programs might not realize that their password is transmitted |
2717 |
-across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) |
2718 |
-to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. |
2719 |
-Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety |
2720 |
-of authentication methods. |
2721 |
- |
2722 |
-The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which |
2723 |
-replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of |
2724 |
-the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, |
2725 |
-ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. |
2726 |
-</longdescription> |
2727 |
- <use> |
2728 |
- <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag> |
2729 |
- <flag name="scp">Enable scp command with known security problems. See bug 733802</flag> |
2730 |
- <flag name="hpn">Enable high performance ssh</flag> |
2731 |
- <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag> |
2732 |
- <flag name="livecd">Enable root password logins for live-cd environment.</flag> |
2733 |
- <flag name="security-key">Include builtin U2F/FIDO support</flag> |
2734 |
- <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag> |
2735 |
- <flag name="X509">Adds support for X.509 certificate authentication</flag> |
2736 |
- <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag> |
2737 |
- </use> |
2738 |
- <upstream> |
2739 |
- <remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id> |
2740 |
- <remote-id type="sourceforge">hpnssh</remote-id> |
2741 |
- </upstream> |
2742 |
-</pkgmetadata> |
2743 |
|
2744 |
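--- a/net-misc/openssh/openssh-8.2_p1-r7.ebuild
+++ /dev/null
@@ -1,481 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-HPN_PV="8.1_P1"
-
-HPN_VER="14.20"
-HPN_PATCHES=(
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="12.4.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-"
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
- ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !sctp !security-key ssl !xmss )
- xmss? ( ssl )
- test? ( ssl )
-"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- security-key? ( dev-libs/libfido2:=[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? (
- || (
- (
- >=dev-libs/openssl-1.0.1:0[bindist=]
- <dev-libs/openssl-1.1.0:0[bindist=]
- )
- >=dev-libs/openssl-1.1.0g:0[bindist=]
- )
- dev-libs/openssl:0=[static-libs(+)]
- )
- virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
- acct-group/sshd
- acct-user/sshd
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( sys-libs/pam )
- kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
- virtual/os-headers
- kernel_linux? ( >=sys-kernel/linux-headers-5.1 )
- static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( !prefix? ( sys-apps/shadow ) )
- X? ( x11-apps/xauth )
-"
-BDEPEND="
- virtual/pkgconfig
- sys-devel/autoconf
-"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_VER)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
- fi
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- pushd "${WORKDIR}" &>/dev/null || die
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
- popd &>/dev/null || die
-
- eapply "${WORKDIR}"/${X509_PATCH%.*}
- eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
- mkdir "${hpn_patchdir}" || die
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
- pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-libressl.patch
- if use X509; then
- # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
- # # X509 and AES-CTR-MT don't get along, let's just drop it
- # rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-X509-glue.patch
- fi
- use sctp && eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-sctp-glue.patch
- popd &>/dev/null || die
-
- eapply "${hpn_patchdir}"
-
- use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use sctp || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply_user #473004
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
- use xmss && append-cflags -DWITH_XMSS
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the sctp patch conditionally, so can't pass --without-sctp
- # unconditionally else we get unknown flag warnings.
- $(use sctp && use_with sctp)
- $(use_with ldns ldns "${EPREFIX}"/usr)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(use_with security-key security-key-builtin)
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- $(use_with !elibc_Cygwin hardening) #659210
- )
-
- # stackprotect is broken on musl x86 and ppc
- use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
- local locale_vars=(
- # These are language variables that POSIX defines.
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
- # These are the GNU extensions.
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
- )
-
- # First the server config.
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
-
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
- EOF
-
- # Then the client config.
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
-
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
- EOF
-
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd-r1.initd sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
- tweak_ssh_configs
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- keepdir /var/empty
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
- show_ssl_warning=1
- fi
-}
-
-pkg_postinst() {
- local old_ver
- for old_ver in ${REPLACING_VERSIONS}; do
- if ver_test "${old_ver}" -lt "5.8_p1"; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if ver_test "${old_ver}" -lt "7.0_p1"; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ver_test "${old_ver}" -lt "7.6_p1"; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ver_test "${old_ver}" -lt "7.7_p1"; then
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ver_test "${old_ver}" -lt "8.2_p1"; then
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
- done
-
- if [[ -n ${show_ssl_warning} ]]; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}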
diff --git a/net-misc/openssh/openssh-8.3_p1-r5.ebuild b/net-misc/openssh/openssh-8.3_p1-r5.ebuild |
3233 |
deleted file mode 100644 |
3234 |
index 543622f..0000000 |
3235 |
--- a/net-misc/openssh/openssh-8.3_p1-r5.ebuild |
3236 |
+++ /dev/null |
3237 |
@@ -1,506 +0,0 @@ |
3238 |
-# Copyright 1999-2021 Gentoo Authors |
3239 |
-# Distributed under the terms of the GNU General Public License v2 |
3240 |
- |
3241 |
-EAPI=7 |
3242 |
- |
3243 |
-inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs |
3244 |
- |
3245 |
-# Make it more portable between straight releases |
3246 |
-# and _p? releases. |
3247 |
-PARCH=${P/_} |
3248 |
- |
3249 |
-# PV to USE for HPN patches |
3250 |
-#HPN_PV="${PV^^}" |
3251 |
-HPN_PV="8.1_P1" |
3252 |
- |
3253 |
-HPN_VER="14.20" |
3254 |
-HPN_PATCHES=( |
3255 |
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff |
3256 |
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff |
3257 |
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff |
3258 |
-) |
3259 |
- |
3260 |
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" |
3261 |
-X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" |
3262 |
- |
3263 |
-DESCRIPTION="Port of OpenBSD's free SSH release" |
3264 |
-HOMEPAGE="https://www.openssh.com/" |
3265 |
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz |
3266 |
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} |
3267 |
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} |
3268 |
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} |
3269 |
-" |
3270 |
-S="${WORKDIR}/${PARCH}" |
3271 |
- |
3272 |
-LICENSE="BSD GPL-2" |
3273 |
-SLOT="0" |
3274 |
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
3275 |
-# Probably want to drop ssl defaulting to on in a future version. |
3276 |
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" |
3277 |
- |
3278 |
-RESTRICT="!test? ( test )" |
3279 |
- |
3280 |
-REQUIRED_USE=" |
3281 |
- ldns? ( ssl ) |
3282 |
- pie? ( !static ) |
3283 |
- static? ( !kerberos !pam ) |
3284 |
- X509? ( !sctp !security-key ssl !xmss ) |
3285 |
- xmss? ( ssl ) |
3286 |
- test? ( ssl ) |
3287 |
-" |
3288 |
- |
3289 |
-LIB_DEPEND=" |
3290 |
- audit? ( sys-process/audit[static-libs(+)] ) |
3291 |
- ldns? ( |
3292 |
- net-libs/ldns[static-libs(+)] |
3293 |
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) |
3294 |
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) |
3295 |
- ) |
3296 |
- libedit? ( dev-libs/libedit:=[static-libs(+)] ) |
3297 |
- sctp? ( net-misc/lksctp-tools[static-libs(+)] ) |
3298 |
- security-key? ( >=dev-libs/libfido2-1.4.0:=[static-libs(+)] ) |
3299 |
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) |
3300 |
- ssl? ( |
3301 |
- || ( |
3302 |
- ( |
3303 |
- >=dev-libs/openssl-1.0.1:0[bindist=] |
3304 |
- <dev-libs/openssl-1.1.0:0[bindist=] |
3305 |
- ) |
3306 |
- >=dev-libs/openssl-1.1.0g:0[bindist=] |
3307 |
- ) |
3308 |
- dev-libs/openssl:0=[static-libs(+)] |
3309 |
- ) |
3310 |
- virtual/libcrypt:=[static-libs(+)] |
3311 |
- >=sys-libs/zlib-1.2.3:=[static-libs(+)] |
3312 |
-" |
3313 |
-RDEPEND=" |
3314 |
- acct-group/sshd |
3315 |
- acct-user/sshd |
3316 |
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) |
3317 |
- pam? ( sys-libs/pam ) |
3318 |
- kerberos? ( virtual/krb5 ) |
3319 |
-" |
3320 |
-DEPEND="${RDEPEND} |
3321 |
- virtual/os-headers |
3322 |
- kernel_linux? ( >=sys-kernel/linux-headers-5.1 ) |
3323 |
- static? ( ${LIB_DEPEND} ) |
3324 |
-" |
3325 |
-RDEPEND="${RDEPEND} |
3326 |
- pam? ( >=sys-auth/pambase-20081028 ) |
3327 |
- userland_GNU? ( !prefix? ( sys-apps/shadow ) ) |
3328 |
- X? ( x11-apps/xauth ) |
3329 |
-" |
3330 |
-BDEPEND=" |
3331 |
- virtual/pkgconfig |
3332 |
- sys-devel/autoconf |
3333 |
-" |
3334 |
- |
3335 |
-pkg_pretend() { |
3336 |
- # this sucks, but i'd rather have people unable to `emerge -u openssh` |
3337 |
- # than not be able to log in to their server any more |
3338 |
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } |
3339 |
- local fail=" |
3340 |
- $(use hpn && maybe_fail hpn HPN_VER) |
3341 |
- $(use sctp && maybe_fail sctp SCTP_PATCH) |
3342 |
- $(use X509 && maybe_fail X509 X509_PATCH) |
3343 |
- " |
3344 |
- fail=$(echo ${fail}) |
3345 |
- if [[ -n ${fail} ]] ; then |
3346 |
- eerror "Sorry, but this version does not yet support features" |
3347 |
- eerror "that you requested: ${fail}" |
3348 |
- eerror "Please mask ${PF} for now and check back later:" |
3349 |
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" |
3350 |
- die "booooo" |
3351 |
- fi |
3352 |
- |
3353 |
- # Make sure people who are using tcp wrappers are notified of its removal. #531156 |
3354 |
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then |
3355 |
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" |
3356 |
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." |
3357 |
- fi |
3358 |
-} |
3359 |
- |
3360 |
-src_prepare() { |
3361 |
- sed -i \ |
3362 |
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ |
3363 |
- pathnames.h || die |
3364 |
- |
3365 |
- # don't break .ssh/authorized_keys2 for fun |
3366 |
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die |
3367 |
- |
3368 |
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch |
3369 |
- eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex |
3370 |
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch |
3371 |
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch |
3372 |
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch |
3373 |
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch |
3374 |
- |
3375 |
- # workaround for https://bugs.gentoo.org/734984 |
3376 |
- use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch |
3377 |
- |
3378 |
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches |
3379 |
- |
3380 |
- local PATCHSET_VERSION_MACROS=() |
3381 |
- |
3382 |
- if use X509 ; then |
3383 |
- pushd "${WORKDIR}" &>/dev/null || die |
3384 |
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" |
3385 |
- popd &>/dev/null || die |
3386 |
- |
3387 |
- eapply "${WORKDIR}"/${X509_PATCH%.*} |
3388 |
- |
3389 |
- # We need to patch package version or any X.509 sshd will reject our ssh client |
3390 |
- # with "userauth_pubkey: could not parse key: string is too large [preauth]" |
3391 |
- # error |
3392 |
- einfo "Patching package version for X.509 patch set ..." |
3393 |
- sed -i \ |
3394 |
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ |
3395 |
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" |
3396 |
- |
3397 |
- einfo "Patching version.h to expose X.509 patch set ..." |
3398 |
- sed -i \ |
3399 |
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ |
3400 |
- "${S}"/version.h || die "Failed to sed-in X.509 patch version" |
3401 |
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) |
3402 |
- fi |
3403 |
- |
3404 |
- if use sctp ; then |
3405 |
- eapply "${WORKDIR}"/${SCTP_PATCH%.*} |
3406 |
- |
3407 |
- einfo "Patching version.h to expose SCTP patch set ..." |
3408 |
- sed -i \ |
3409 |
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ |
3410 |
- "${S}"/version.h || die "Failed to sed-in SCTP patch version" |
3411 |
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) |
3412 |
- |
3413 |
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." |
3414 |
- sed -i \ |
3415 |
- -e "/\t\tcfgparse \\\/d" \ |
3416 |
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" |
3417 |
- fi |
3418 |
- |
3419 |
- if use hpn ; then |
3420 |
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" |
3421 |
- mkdir "${hpn_patchdir}" || die |
3422 |
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die |
3423 |
- pushd "${hpn_patchdir}" &>/dev/null || die |
3424 |
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch |
3425 |
- eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-libressl.patch |
3426 |
- if use X509; then |
3427 |
- # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" |
3428 |
- # # X509 and AES-CTR-MT don't get along, let's just drop it |
3429 |
- # rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die |
3430 |
- |
3431 |
- eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch |
3432 |
- fi |
3433 |
- use sctp && eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-sctp-glue.patch |
3434 |
- popd &>/dev/null || die |
3435 |
- |
3436 |
- eapply "${hpn_patchdir}" |
3437 |
- |
3438 |
- use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" |
3439 |
- |
3440 |
- einfo "Patching Makefile.in for HPN patch set ..." |
3441 |
- sed -i \ |
3442 |
- -e "/^LIBS=/ s/\$/ -lpthread/" \ |
3443 |
- "${S}"/Makefile.in || die "Failed to patch Makefile.in" |
3444 |
- |
3445 |
- einfo "Patching version.h to expose HPN patch set ..." |
3446 |
- sed -i \ |
3447 |
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ |
3448 |
- "${S}"/version.h || die "Failed to sed-in HPN patch version" |
3449 |
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) |
3450 |
- |
3451 |
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then |
3452 |
- einfo "Disabling known non-working MT AES cipher per default ..." |
3453 |
- |
3454 |
- cat > "${T}"/disable_mtaes.conf <<- EOF |
3455 |
- |
3456 |
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken |
3457 |
- # and therefore disabled per default. |
3458 |
- DisableMTAES yes |
3459 |
- EOF |
3460 |
- sed -i \ |
3461 |
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ |
3462 |
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" |
3463 |
- |
3464 |
- sed -i \ |
3465 |
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ |
3466 |
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" |
3467 |
- fi |
3468 |
- fi |
3469 |
- |
3470 |
- if use X509 || use sctp || use hpn ; then |
3471 |
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." |
3472 |
- sed -i \ |
3473 |
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ |
3474 |
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" |
3475 |
- |
3476 |
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." |
3477 |
- sed -i \ |
3478 |
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ |
3479 |
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" |
3480 |
- |
3481 |
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." |
3482 |
- sed -i \ |
3483 |
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ |
3484 |
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" |
3485 |
- fi |
3486 |
- |
3487 |
- sed -i \ |
3488 |
- -e "/#UseLogin no/d" \ |
3489 |
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" |
3490 |
- |
3491 |
- eapply_user #473004 |
3492 |
- |
3493 |
- # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox |
3494 |
- sed -e '/\t\tpercent \\/ d' \ |
3495 |
- -i regress/Makefile || die |
3496 |
- |
3497 |
- tc-export PKG_CONFIG |
3498 |
- local sed_args=( |
3499 |
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" |
3500 |
- # Disable PATH reset, trust what portage gives us #254615 |
3501 |
- -e 's:^PATH=/:#PATH=/:' |
3502 |
- # Disable fortify flags ... our gcc does this for us |
3503 |
- -e 's:-D_FORTIFY_SOURCE=2::' |
3504 |
- ) |
3505 |
- |
3506 |
- # The -ftrapv flag ICEs on hppa #505182 |
3507 |
- use hppa && sed_args+=( |
3508 |
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' |
3509 |
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' |
3510 |
- ) |
3511 |
- # _XOPEN_SOURCE causes header conflicts on Solaris |
3512 |
- [[ ${CHOST} == *-solaris* ]] && sed_args+=( |
3513 |
- -e 's/-D_XOPEN_SOURCE//' |
3514 |
- ) |
3515 |
- sed -i "${sed_args[@]}" configure{.ac,} || die |
3516 |
- |
3517 |
- eautoreconf |
3518 |
-} |
3519 |
- |
3520 |
-src_configure() { |
3521 |
- addwrite /dev/ptmx |
3522 |
- |
3523 |
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG |
3524 |
- use static && append-ldflags -static |
3525 |
- use xmss && append-cflags -DWITH_XMSS |
3526 |
- |
3527 |
- if [[ ${CHOST} == *-solaris* ]] ; then |
3528 |
- # Solaris' glob.h doesn't have things like GLOB_TILDE, configure |
3529 |
- # doesn't check for this, so force the replacement to be put in |
3530 |
- # place |
3531 |
- append-cppflags -DBROKEN_GLOB |
3532 |
- fi |
3533 |
- |
3534 |
- local myconf=( |
3535 |
- --with-ldflags="${LDFLAGS}" |
3536 |
- --disable-strip |
3537 |
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run |
3538 |
- --sysconfdir="${EPREFIX}"/etc/ssh |
3539 |
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc |
3540 |
- --datadir="${EPREFIX}"/usr/share/openssh |
3541 |
- --with-privsep-path="${EPREFIX}"/var/empty |
3542 |
- --with-privsep-user=sshd |
3543 |
- $(use_with audit audit linux) |
3544 |
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr) |
3545 |
- # We apply the sctp patch conditionally, so can't pass --without-sctp |
3546 |
- # unconditionally else we get unknown flag warnings. |
3547 |
- $(use sctp && use_with sctp) |
3548 |
- $(use_with ldns ldns "${EPREFIX}"/usr) |
3549 |
- $(use_with libedit) |
3550 |
- $(use_with pam) |
3551 |
- $(use_with pie) |
3552 |
- $(use_with selinux) |
3553 |
- $(usex X509 '' "$(use_with security-key security-key-builtin)") |
3554 |
- $(use_with ssl openssl) |
3555 |
- $(use_with ssl md5-passwords) |
3556 |
- $(use_with ssl ssl-engine) |
3557 |
- $(use_with !elibc_Cygwin hardening) #659210 |
3558 |
- ) |
3559 |
- |
3560 |
- # stackprotect is broken on musl x86 and ppc |
3561 |
- use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect ) |
3562 |
- |
3563 |
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748 |
3564 |
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) |
3565 |
- |
3566 |
- econf "${myconf[@]}" |
3567 |
-} |
3568 |
- |
3569 |
-src_test() { |
3570 |
- local t skipped=() failed=() passed=() |
3571 |
- local tests=( interop-tests compat-tests ) |
3572 |
- |
3573 |
- local shell=$(egetshell "${UID}") |
3574 |
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then |
3575 |
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" |
3576 |
- elog "user, so we will run a subset only." |
3577 |
- skipped+=( tests ) |
3578 |
- else |
3579 |
- tests+=( tests ) |
3580 |
- fi |
3581 |
- |
3582 |
- # It will also attempt to write to the homedir .ssh. |
3583 |
- local sshhome=${T}/homedir |
3584 |
- mkdir -p "${sshhome}"/.ssh |
3585 |
- for t in "${tests[@]}" ; do |
3586 |
- # Some tests read from stdin ... |
3587 |
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ |
3588 |
- SUDO="" SSH_SK_PROVIDER="" \ |
3589 |
- TEST_SSH_UNSAFE_PERMISSIONS=1 \ |
3590 |
- emake -k -j1 ${t} </dev/null \ |
3591 |
- && passed+=( "${t}" ) \ |
3592 |
- || failed+=( "${t}" ) |
3593 |
- done |
3594 |
- |
3595 |
- einfo "Passed tests: ${passed[*]}" |
3596 |
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" |
3597 |
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" |
3598 |
-} |
3599 |
- |
3600 |
-# Gentoo tweaks to default config files. |
3601 |
-tweak_ssh_configs() { |
3602 |
- local locale_vars=( |
3603 |
- # These are language variables that POSIX defines. |
3604 |
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 |
3605 |
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME |
3606 |
- |
3607 |
- # These are the GNU extensions. |
3608 |
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html |
3609 |
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE |
3610 |
- ) |
3611 |
- |
3612 |
- # First the server config. |
3613 |
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config |
3614 |
- |
3615 |
- # Allow client to pass locale environment variables. #367017 |
3616 |
- AcceptEnv ${locale_vars[*]} |
3617 |
- |
3618 |
- # Allow client to pass COLORTERM to match TERM. #658540 |
3619 |
- AcceptEnv COLORTERM |
3620 |
- EOF |
3621 |
- |
3622 |
- # Then the client config. |
3623 |
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config |
3624 |
- |
3625 |
- # Send locale environment variables. #367017 |
3626 |
- SendEnv ${locale_vars[*]} |
3627 |
- |
3628 |
- # Send COLORTERM to match TERM. #658540 |
3629 |
- SendEnv COLORTERM |
3630 |
- EOF |
3631 |
- |
3632 |
- if use pam ; then |
3633 |
- sed -i \ |
3634 |
- -e "/^#UsePAM /s:.*:UsePAM yes:" \ |
3635 |
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ |
3636 |
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \ |
3637 |
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ |
3638 |
- "${ED}"/etc/ssh/sshd_config || die |
3639 |
- fi |
3640 |
- |
3641 |
- if use livecd ; then |
3642 |
- sed -i \ |
3643 |
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ |
3644 |
- "${ED}"/etc/ssh/sshd_config || die |
3645 |
- fi |
3646 |
-} |
3647 |
- |
3648 |
-src_install() { |
3649 |
- emake install-nokeys DESTDIR="${D}" |
3650 |
- fperms 600 /etc/ssh/sshd_config |
3651 |
- dobin contrib/ssh-copy-id |
3652 |
- newinitd "${FILESDIR}"/sshd-r1.initd sshd |
3653 |
- newconfd "${FILESDIR}"/sshd-r1.confd sshd |
3654 |
- |
3655 |
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd |
3656 |
- |
3657 |
- tweak_ssh_configs |
3658 |
- |
3659 |
- doman contrib/ssh-copy-id.1 |
3660 |
- dodoc CREDITS OVERVIEW README* TODO sshd_config |
3661 |
- use hpn && dodoc HPN-README |
3662 |
- use X509 || dodoc ChangeLog |
3663 |
- |
3664 |
- diropts -m 0700 |
3665 |
- dodir /etc/skel/.ssh |
3666 |
- |
3667 |
- # https://bugs.gentoo.org/733802 |
3668 |
- if ! use scp; then |
3669 |
- rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ |
3670 |
- || die "failed to remove scp" |
3671 |
- fi |
3672 |
- |
3673 |
- keepdir /var/empty |
3674 |
- |
3675 |
- systemd_dounit "${FILESDIR}"/sshd.{service,socket} |
3676 |
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' |
3677 |
-} |
3678 |
- |
3679 |
-pkg_preinst() { |
3680 |
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then |
3681 |
- show_ssl_warning=1 |
3682 |
- fi |
3683 |
-} |
3684 |
- |
3685 |
-pkg_postinst() { |
3686 |
- local old_ver |
3687 |
- for old_ver in ${REPLACING_VERSIONS}; do |
3688 |
- if ver_test "${old_ver}" -lt "5.8_p1"; then |
3689 |
- elog "Starting with openssh-5.8p1, the server will default to a newer key" |
3690 |
- elog "algorithm (ECDSA). You are encouraged to manually update your stored" |
3691 |
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." |
3692 |
- fi |
3693 |
- if ver_test "${old_ver}" -lt "7.0_p1"; then |
3694 |
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." |
3695 |
- elog "Make sure to update any configs that you might have. Note that xinetd might" |
3696 |
- elog "be an alternative for you as it supports USE=tcpd." |
3697 |
- fi |
3698 |
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 |
3699 |
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" |
3700 |
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by" |
3701 |
- elog "adding to your sshd_config or ~/.ssh/config files:" |
3702 |
- elog " PubkeyAcceptedKeyTypes=+ssh-dss" |
3703 |
- elog "You should however generate new keys using rsa or ed25519." |
3704 |
- |
3705 |
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" |
3706 |
- elog "to 'prohibit-password'. That means password auth for root users no longer works" |
3707 |
- elog "out of the box. If you need this, please update your sshd_config explicitly." |
3708 |
- fi |
3709 |
- if ver_test "${old_ver}" -lt "7.6_p1"; then |
3710 |
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." |
3711 |
- elog "Furthermore, rsa keys with less than 1024 bits will be refused." |
3712 |
- fi |
3713 |
- if ver_test "${old_ver}" -lt "7.7_p1"; then |
3714 |
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." |
3715 |
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" |
3716 |
- elog "if you need to authenticate against LDAP." |
3717 |
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." |
3718 |
- fi |
3719 |
- if ver_test "${old_ver}" -lt "8.2_p1"; then |
3720 |
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" |
3721 |
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" |
3722 |
- ewarn "connection is generally safe." |
3723 |
- fi |
3724 |
- done |
3725 |
- |
3726 |
- if [[ -n ${show_ssl_warning} ]]; then |
3727 |
- elog "Be aware that by disabling openssl support in openssh, the server and clients" |
3728 |
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" |
3729 |
- elog "and update all clients/servers that utilize them." |
3730 |
- fi |
3731 |
- |
3732 |
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then |
3733 |
- elog "" |
3734 |
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" |
3735 |
- elog "and therefore disabled at runtime per default." |
3736 |
- elog "Make sure your sshd_config is up to date and contains" |
3737 |
- elog "" |
3738 |
- elog " DisableMTAES yes" |
3739 |
- elog "" |
3740 |
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." |
3741 |
- elog "" |
3742 |
- fi |
3743 |
-} |
3744 |
|
3745 |
diff --git a/net-misc/openssh/openssh-8.4_p1-r2.ebuild b/net-misc/openssh/openssh-8.4_p1-r2.ebuild |
3746 |
deleted file mode 100644 |
3747 |
index 67e9aad..0000000 |
3748 |
--- a/net-misc/openssh/openssh-8.4_p1-r2.ebuild |
3749 |
+++ /dev/null |
3750 |
@@ -1,511 +0,0 @@ |
3751 |
-# Copyright 1999-2021 Gentoo Authors |
3752 |
-# Distributed under the terms of the GNU General Public License v2 |
3753 |
- |
3754 |
-EAPI=7 |
3755 |
- |
3756 |
-inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs |
3757 |
- |
3758 |
-# Make it more portable between straight releases |
3759 |
-# and _p? releases. |
3760 |
-PARCH=${P/_} |
3761 |
- |
3762 |
-# PV to USE for HPN patches |
3763 |
-#HPN_PV="${PV^^}" |
3764 |
-HPN_PV="8.3_P1" |
3765 |
- |
3766 |
-HPN_VER="14.22" |
3767 |
-HPN_PATCHES=( |
3768 |
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff |
3769 |
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff |
3770 |
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff |
3771 |
-) |
3772 |
- |
3773 |
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" |
3774 |
-X509_VER="12.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" |
3775 |
- |
3776 |
-DESCRIPTION="Port of OpenBSD's free SSH release" |
3777 |
-HOMEPAGE="https://www.openssh.com/" |
3778 |
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz |
3779 |
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} |
3780 |
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} |
3781 |
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} |
3782 |
-" |
3783 |
-S="${WORKDIR}/${PARCH}" |
3784 |
- |
3785 |
-LICENSE="BSD GPL-2" |
3786 |
-SLOT="0" |
3787 |
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
3788 |
-# Probably want to drop ssl defaulting to on in a future version. |
3789 |
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" |
3790 |
- |
3791 |
-RESTRICT="!test? ( test )" |
3792 |
- |
3793 |
-REQUIRED_USE=" |
3794 |
- ldns? ( ssl ) |
3795 |
- pie? ( !static ) |
3796 |
- static? ( !kerberos !pam ) |
3797 |
- X509? ( !sctp !security-key ssl !xmss ) |
3798 |
- xmss? ( ssl ) |
3799 |
- test? ( ssl ) |
3800 |
-" |
3801 |
- |
3802 |
-LIB_DEPEND=" |
3803 |
- audit? ( sys-process/audit[static-libs(+)] ) |
3804 |
- ldns? ( |
3805 |
- net-libs/ldns[static-libs(+)] |
3806 |
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) |
3807 |
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) |
3808 |
- ) |
3809 |
- libedit? ( dev-libs/libedit:=[static-libs(+)] ) |
3810 |
- sctp? ( net-misc/lksctp-tools[static-libs(+)] ) |
3811 |
- security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) |
3812 |
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) |
3813 |
- ssl? ( |
3814 |
- || ( |
3815 |
- ( |
3816 |
- >=dev-libs/openssl-1.0.1:0[bindist=] |
3817 |
- <dev-libs/openssl-1.1.0:0[bindist=] |
3818 |
- ) |
3819 |
- >=dev-libs/openssl-1.1.0g:0[bindist=] |
3820 |
- ) |
3821 |
- dev-libs/openssl:0=[static-libs(+)] |
3822 |
- ) |
3823 |
- virtual/libcrypt:=[static-libs(+)] |
3824 |
- >=sys-libs/zlib-1.2.3:=[static-libs(+)] |
3825 |
-" |
3826 |
-RDEPEND=" |
3827 |
- acct-group/sshd |
3828 |
- acct-user/sshd |
3829 |
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) |
3830 |
- pam? ( sys-libs/pam ) |
3831 |
- kerberos? ( virtual/krb5 ) |
3832 |
-" |
3833 |
-DEPEND="${RDEPEND} |
3834 |
- virtual/os-headers |
3835 |
- kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) |
3836 |
- static? ( ${LIB_DEPEND} ) |
3837 |
-" |
3838 |
-RDEPEND="${RDEPEND} |
3839 |
- pam? ( >=sys-auth/pambase-20081028 ) |
3840 |
- userland_GNU? ( !prefix? ( sys-apps/shadow ) ) |
3841 |
- X? ( x11-apps/xauth ) |
3842 |
-" |
3843 |
-BDEPEND=" |
3844 |
- virtual/pkgconfig |
3845 |
- sys-devel/autoconf |
3846 |
-" |
3847 |
- |
3848 |
-pkg_pretend() { |
3849 |
- # this sucks, but i'd rather have people unable to `emerge -u openssh` |
3850 |
- # than not be able to log in to their server any more |
3851 |
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } |
3852 |
- local fail=" |
3853 |
- $(use hpn && maybe_fail hpn HPN_VER) |
3854 |
- $(use sctp && maybe_fail sctp SCTP_PATCH) |
3855 |
- $(use X509 && maybe_fail X509 X509_PATCH) |
3856 |
- " |
3857 |
- fail=$(echo ${fail}) |
3858 |
- if [[ -n ${fail} ]] ; then |
3859 |
- eerror "Sorry, but this version does not yet support features" |
3860 |
- eerror "that you requested: ${fail}" |
3861 |
- eerror "Please mask ${PF} for now and check back later:" |
3862 |
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" |
3863 |
- die "booooo" |
3864 |
- fi |
3865 |
- |
3866 |
- # Make sure people who are using tcp wrappers are notified of its removal. #531156 |
3867 |
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then |
3868 |
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" |
3869 |
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." |
3870 |
- fi |
3871 |
-} |
3872 |
- |
3873 |
-src_prepare() { |
3874 |
- sed -i \ |
3875 |
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ |
3876 |
- pathnames.h || die |
3877 |
- |
3878 |
- # don't break .ssh/authorized_keys2 for fun |
3879 |
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die |
3880 |
- |
3881 |
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch |
3882 |
- eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex |
3883 |
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch |
3884 |
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch |
3885 |
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch |
3886 |
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch |
3887 |
- |
3888 |
- # https://bugs.gentoo.org/749026 |
3889 |
- use X509 || eapply "${FILESDIR}"/${PN}-8.4_p1-fix-ssh-copy-id.patch |
3890 |
- |
3891 |
- # workaround for https://bugs.gentoo.org/734984 |
3892 |
- use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch |
3893 |
- |
3894 |
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches |
3895 |
- |
3896 |
- local PATCHSET_VERSION_MACROS=() |
3897 |
- |
3898 |
- if use X509 ; then |
3899 |
- pushd "${WORKDIR}" &>/dev/null || die |
3900 |
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" |
3901 |
- popd &>/dev/null || die |
3902 |
- |
3903 |
- eapply "${WORKDIR}"/${X509_PATCH%.*} |
3904 |
- |
3905 |
- # We need to patch package version or any X.509 sshd will reject our ssh client |
3906 |
- # with "userauth_pubkey: could not parse key: string is too large [preauth]" |
3907 |
- # error |
3908 |
- einfo "Patching package version for X.509 patch set ..." |
3909 |
- sed -i \ |
3910 |
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ |
3911 |
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" |
3912 |
- |
3913 |
- einfo "Patching version.h to expose X.509 patch set ..." |
3914 |
- sed -i \ |
3915 |
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ |
3916 |
- "${S}"/version.h || die "Failed to sed-in X.509 patch version" |
3917 |
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) |
3918 |
- fi |
3919 |
- |
3920 |
- if use sctp ; then |
3921 |
- eapply "${WORKDIR}"/${SCTP_PATCH%.*} |
3922 |
- |
3923 |
- einfo "Patching version.h to expose SCTP patch set ..." |
3924 |
- sed -i \ |
3925 |
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ |
3926 |
- "${S}"/version.h || die "Failed to sed-in SCTP patch version" |
3927 |
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) |
3928 |
- |
3929 |
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." |
3930 |
- sed -i \ |
3931 |
- -e "/\t\tcfgparse \\\/d" \ |
3932 |
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" |
3933 |
- fi |
3934 |
- |
3935 |
- if use hpn ; then |
3936 |
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" |
3937 |
- mkdir "${hpn_patchdir}" || die |
3938 |
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die |
3939 |
- pushd "${hpn_patchdir}" &>/dev/null || die |
3940 |
- eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch |
3941 |
- eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-libressl.patch |
3942 |
- use X509 && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-X509-glue.patch |
3943 |
- use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch |
3944 |
- popd &>/dev/null || die |
3945 |
- |
3946 |
- eapply "${hpn_patchdir}" |
3947 |
- |
3948 |
- use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" |
3949 |
- |
3950 |
- einfo "Patching Makefile.in for HPN patch set ..." |
3951 |
- sed -i \ |
3952 |
- -e "/^LIBS=/ s/\$/ -lpthread/" \ |
3953 |
- "${S}"/Makefile.in || die "Failed to patch Makefile.in" |
3954 |
- |
3955 |
- einfo "Patching version.h to expose HPN patch set ..." |
3956 |
- sed -i \ |
3957 |
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ |
3958 |
- "${S}"/version.h || die "Failed to sed-in HPN patch version" |
3959 |
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) |
3960 |
- |
3961 |
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then |
3962 |
- einfo "Disabling known non-working MT AES cipher per default ..." |
3963 |
- |
3964 |
- cat > "${T}"/disable_mtaes.conf <<- EOF |
3965 |
- |
3966 |
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken |
3967 |
- # and therefore disabled per default. |
3968 |
- DisableMTAES yes |
3969 |
- EOF |
3970 |
- sed -i \ |
3971 |
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ |
3972 |
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" |
3973 |
- |
3974 |
- sed -i \ |
3975 |
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ |
3976 |
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" |
3977 |
- fi |
3978 |
- fi |
3979 |
- |
3980 |
- if use X509 || use sctp || use hpn ; then |
3981 |
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." |
3982 |
- sed -i \ |
3983 |
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ |
3984 |
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" |
3985 |
- |
3986 |
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." |
3987 |
- sed -i \ |
3988 |
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ |
3989 |
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" |
3990 |
- |
3991 |
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." |
3992 |
- sed -i \ |
3993 |
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ |
3994 |
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" |
3995 |
- fi |
3996 |
- |
3997 |
- sed -i \ |
3998 |
- -e "/#UseLogin no/d" \ |
3999 |
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" |
4000 |
- |
4001 |
- eapply_user #473004 |
4002 |
- |
4003 |
- # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox |
4004 |
- sed -e '/\t\tpercent \\/ d' \ |
4005 |
- -i regress/Makefile || die |
4006 |
- |
4007 |
- tc-export PKG_CONFIG |
4008 |
- local sed_args=( |
4009 |
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" |
4010 |
- # Disable PATH reset, trust what portage gives us #254615 |
4011 |
- -e 's:^PATH=/:#PATH=/:' |
4012 |
- # Disable fortify flags ... our gcc does this for us |
4013 |
- -e 's:-D_FORTIFY_SOURCE=2::' |
4014 |
- ) |
4015 |
- |
4016 |
- # The -ftrapv flag ICEs on hppa #505182 |
4017 |
- use hppa && sed_args+=( |
4018 |
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' |
4019 |
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' |
4020 |
- ) |
4021 |
- # _XOPEN_SOURCE causes header conflicts on Solaris |
4022 |
- [[ ${CHOST} == *-solaris* ]] && sed_args+=( |
4023 |
- -e 's/-D_XOPEN_SOURCE//' |
4024 |
- ) |
4025 |
- sed -i "${sed_args[@]}" configure{.ac,} || die |
4026 |
- |
4027 |
- eautoreconf |
4028 |
-} |
4029 |
- |
4030 |
-src_configure() { |
4031 |
- addwrite /dev/ptmx |
4032 |
- |
4033 |
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG |
4034 |
- use static && append-ldflags -static |
4035 |
- use xmss && append-cflags -DWITH_XMSS |
4036 |
- |
4037 |
- if [[ ${CHOST} == *-solaris* ]] ; then |
4038 |
- # Solaris' glob.h doesn't have things like GLOB_TILDE, configure |
4039 |
- # doesn't check for this, so force the replacement to be put in |
4040 |
- # place |
4041 |
- append-cppflags -DBROKEN_GLOB |
4042 |
- fi |
4043 |
- |
4044 |
- local myconf=( |
4045 |
- --with-ldflags="${LDFLAGS}" |
4046 |
- --disable-strip |
4047 |
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run |
4048 |
- --sysconfdir="${EPREFIX}"/etc/ssh |
4049 |
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc |
4050 |
- --datadir="${EPREFIX}"/usr/share/openssh |
4051 |
- --with-privsep-path="${EPREFIX}"/var/empty |
4052 |
- --with-privsep-user=sshd |
4053 |
- $(use_with audit audit linux) |
4054 |
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr) |
4055 |
- # We apply the sctp patch conditionally, so can't pass --without-sctp |
4056 |
- # unconditionally else we get unknown flag warnings. |
4057 |
- $(use sctp && use_with sctp) |
4058 |
- $(use_with ldns ldns "${EPREFIX}"/usr) |
4059 |
- $(use_with libedit) |
4060 |
- $(use_with pam) |
4061 |
- $(use_with pie) |
4062 |
- $(use_with selinux) |
4063 |
- $(usex X509 '' "$(use_with security-key security-key-builtin)") |
4064 |
- $(use_with ssl openssl) |
4065 |
- $(use_with ssl md5-passwords) |
4066 |
- $(use_with ssl ssl-engine) |
4067 |
- $(use_with !elibc_Cygwin hardening) #659210 |
4068 |
- ) |
4069 |
- |
4070 |
- if use elibc_musl; then |
4071 |
- # stackprotect is broken on musl x86 and ppc |
4072 |
- if use x86 || use ppc; then |
4073 |
- myconf+=( --without-stackprotect ) |
4074 |
- fi |
4075 |
- |
4076 |
- # musl defines bogus values for UTMP_FILE and WTMP_FILE |
4077 |
- # https://bugs.gentoo.org/753230 |
4078 |
- myconf+=( --disable-utmp --disable-wtmp ) |
4079 |
- fi |
4080 |
- |
4081 |
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748 |
4082 |
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) |
4083 |
- |
4084 |
- econf "${myconf[@]}" |
4085 |
-} |
4086 |
- |
4087 |
-src_test() { |
4088 |
- local t skipped=() failed=() passed=() |
4089 |
- local tests=( interop-tests compat-tests ) |
4090 |
- |
4091 |
- local shell=$(egetshell "${UID}") |
4092 |
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then |
4093 |
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" |
4094 |
- elog "user, so we will run a subset only." |
4095 |
- skipped+=( tests ) |
4096 |
- else |
4097 |
- tests+=( tests ) |
4098 |
- fi |
4099 |
- |
4100 |
- # It will also attempt to write to the homedir .ssh. |
4101 |
- local sshhome=${T}/homedir |
4102 |
- mkdir -p "${sshhome}"/.ssh |
4103 |
- for t in "${tests[@]}" ; do |
4104 |
- # Some tests read from stdin ... |
4105 |
- HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ |
4106 |
- SUDO="" SSH_SK_PROVIDER="" \ |
4107 |
- TEST_SSH_UNSAFE_PERMISSIONS=1 \ |
4108 |
- emake -k -j1 ${t} </dev/null \ |
4109 |
- && passed+=( "${t}" ) \ |
4110 |
- || failed+=( "${t}" ) |
4111 |
- done |
4112 |
- |
4113 |
- einfo "Passed tests: ${passed[*]}" |
4114 |
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" |
4115 |
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" |
4116 |
-} |
4117 |
- |
4118 |
-# Gentoo tweaks to default config files. |
4119 |
-tweak_ssh_configs() { |
4120 |
- local locale_vars=( |
4121 |
- # These are language variables that POSIX defines. |
4122 |
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 |
4123 |
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME |
4124 |
- |
4125 |
- # These are the GNU extensions. |
4126 |
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html |
4127 |
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE |
4128 |
- ) |
4129 |
- |
4130 |
- # First the server config. |
4131 |
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config |
4132 |
- |
4133 |
- # Allow client to pass locale environment variables. #367017 |
4134 |
- AcceptEnv ${locale_vars[*]} |
4135 |
- |
4136 |
- # Allow client to pass COLORTERM to match TERM. #658540 |
4137 |
- AcceptEnv COLORTERM |
4138 |
- EOF |
4139 |
- |
4140 |
- # Then the client config. |
4141 |
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config |
4142 |
- |
4143 |
- # Send locale environment variables. #367017 |
4144 |
- SendEnv ${locale_vars[*]} |
4145 |
- |
4146 |
- # Send COLORTERM to match TERM. #658540 |
4147 |
- SendEnv COLORTERM |
4148 |
- EOF |
4149 |
- |
4150 |
- if use pam ; then |
4151 |
- sed -i \ |
4152 |
- -e "/^#UsePAM /s:.*:UsePAM yes:" \ |
4153 |
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ |
4154 |
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \ |
4155 |
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ |
4156 |
- "${ED}"/etc/ssh/sshd_config || die |
4157 |
- fi |
4158 |
- |
4159 |
- if use livecd ; then |
4160 |
- sed -i \ |
4161 |
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ |
4162 |
- "${ED}"/etc/ssh/sshd_config || die |
4163 |
- fi |
4164 |
-} |
4165 |
- |
4166 |
-src_install() { |
4167 |
- emake install-nokeys DESTDIR="${D}" |
4168 |
- fperms 600 /etc/ssh/sshd_config |
4169 |
- dobin contrib/ssh-copy-id |
4170 |
- newinitd "${FILESDIR}"/sshd-r1.initd sshd |
4171 |
- newconfd "${FILESDIR}"/sshd-r1.confd sshd |
4172 |
- |
4173 |
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd |
4174 |
- |
4175 |
- tweak_ssh_configs |
4176 |
- |
4177 |
- doman contrib/ssh-copy-id.1 |
4178 |
- dodoc CREDITS OVERVIEW README* TODO sshd_config |
4179 |
- use hpn && dodoc HPN-README |
4180 |
- use X509 || dodoc ChangeLog |
4181 |
- |
4182 |
- diropts -m 0700 |
4183 |
- dodir /etc/skel/.ssh |
4184 |
- |
4185 |
- # https://bugs.gentoo.org/733802 |
4186 |
- if ! use scp; then |
4187 |
- rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ |
4188 |
- || die "failed to remove scp" |
4189 |
- fi |
4190 |
- |
4191 |
- rmdir "${ED}"/var/empty || die |
4192 |
- |
4193 |
- systemd_dounit "${FILESDIR}"/sshd.{service,socket} |
4194 |
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' |
4195 |
-} |
4196 |
- |
4197 |
-pkg_preinst() { |
4198 |
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then |
4199 |
- show_ssl_warning=1 |
4200 |
- fi |
4201 |
-} |
4202 |
- |
4203 |
-pkg_postinst() { |
4204 |
- local old_ver |
4205 |
- for old_ver in ${REPLACING_VERSIONS}; do |
4206 |
- if ver_test "${old_ver}" -lt "5.8_p1"; then |
4207 |
- elog "Starting with openssh-5.8p1, the server will default to a newer key" |
4208 |
- elog "algorithm (ECDSA). You are encouraged to manually update your stored" |
4209 |
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." |
4210 |
- fi |
4211 |
- if ver_test "${old_ver}" -lt "7.0_p1"; then |
4212 |
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." |
4213 |
- elog "Make sure to update any configs that you might have. Note that xinetd might" |
4214 |
- elog "be an alternative for you as it supports USE=tcpd." |
4215 |
- fi |
4216 |
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 |
4217 |
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" |
4218 |
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by" |
4219 |
- elog "adding to your sshd_config or ~/.ssh/config files:" |
4220 |
- elog " PubkeyAcceptedKeyTypes=+ssh-dss" |
4221 |
- elog "You should however generate new keys using rsa or ed25519." |
4222 |
- |
4223 |
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" |
4224 |
- elog "to 'prohibit-password'. That means password auth for root users no longer works" |
4225 |
- elog "out of the box. If you need this, please update your sshd_config explicitly." |
4226 |
- fi |
4227 |
- if ver_test "${old_ver}" -lt "7.6_p1"; then |
4228 |
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." |
4229 |
- elog "Furthermore, rsa keys with less than 1024 bits will be refused." |
4230 |
- fi |
4231 |
- if ver_test "${old_ver}" -lt "7.7_p1"; then |
4232 |
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." |
4233 |
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" |
4234 |
- elog "if you need to authenticate against LDAP." |
4235 |
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." |
4236 |
- fi |
4237 |
- if ver_test "${old_ver}" -lt "8.2_p1"; then |
4238 |
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" |
4239 |
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" |
4240 |
- ewarn "connection is generally safe." |
4241 |
- fi |
4242 |
- done |
4243 |
- |
4244 |
- if [[ -n ${show_ssl_warning} ]]; then |
4245 |
- elog "Be aware that by disabling openssl support in openssh, the server and clients" |
4246 |
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" |
4247 |
- elog "and update all clients/servers that utilize them." |
4248 |
- fi |
4249 |
- |
4250 |
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then |
4251 |
- elog "" |
4252 |
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" |
4253 |
- elog "and therefore disabled at runtime per default." |
4254 |
- elog "Make sure your sshd_config is up to date and contains" |
4255 |
- elog "" |
4256 |
- elog " DisableMTAES yes" |
4257 |
- elog "" |
4258 |
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." |
4259 |
- elog "" |
4260 |
- fi |
4261 |
-} |