Gentoo Archives: gentoo-commits

From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date: Thu, 31 Jan 2019 22:55:20
Message-Id: 1548975310.500a23230ac217b5dbca87f3cc22deaf1356ec2b.polynomial-c@gentoo
1 commit: 500a23230ac217b5dbca87f3cc22deaf1356ec2b
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jan 31 22:54:56 2019 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 31 22:55:10 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=500a2323
7
8 net-misc/openssh: Removed old.
9
10 Package-Manager: Portage-2.3.59, Repoman-2.3.12
11 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
12
13 net-misc/openssh/Manifest | 9 -
14 .../files/openssh-7.3-mips-seccomp-n32.patch | 21 -
15 .../files/openssh-7.5_p1-CVE-2017-15906.patch | 31 --
16 .../openssh/files/openssh-7.5_p1-GSSAPI-dns.patch | 351 ----------------
17 .../openssh/files/openssh-7.5_p1-cross-cache.patch | 39 --
18 .../files/openssh-7.5_p1-hpn-x509-10.2-glue.patch | 67 ---
19 .../files/openssh-7.5_p1-s390-seccomp.patch | 27 --
20 .../openssh/files/openssh-7.5_p1-x32-typo.patch | 25 --
21 .../files/openssh-7.8_p1-X509-no-version.patch | 19 -
22 .../files/openssh-7.8_p1-hpn-X509-glue.patch | 79 ----
23 .../openssh/files/openssh-7.8_p1-hpn-glue.patch | 112 -----
24 .../files/openssh-7.8_p1-hpn-sctp-glue.patch | 17 -
25 net-misc/openssh/metadata.xml | 2 -
26 net-misc/openssh/openssh-7.5_p1-r4.ebuild | 334 ---------------
27 net-misc/openssh/openssh-7.8_p1.ebuild | 438 --------------------
28 net-misc/openssh/openssh-7.9_p1-r1.ebuild | 450 ---------------------
29 net-misc/openssh/openssh-7.9_p1.ebuild | 450 ---------------------
30 17 files changed, 2471 deletions(-)
31
32 diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
33 index e0c1d3402c2..2bb83502015 100644
34 --- a/net-misc/openssh/Manifest
35 +++ b/net-misc/openssh/Manifest
36 @@ -1,19 +1,10 @@
37 -DIST openssh-7.4_p1-sctp.patch.xz 8220 BLAKE2B 2d571cacaab342b7950b42ec826bd896edf78780e9ee73fcd441cbc9764eb59e408e295062862db986918824d10498383bf34ae7c93df0da2c056eaec4d2c031 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4
38 -DIST openssh-7.5p1+x509-10.2.diff.gz 467040 BLAKE2B 4048b0f016bf7d43276f88117fc266d1a450d298563bfc6ce705ec2829b8f9d91af5c5232941d55004b5aea2d3e0fb682a9d4acd9510c9761ba7ede2f2f0e37f SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a
39 -DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 BLAKE2B 15702338877e50c2143b33b93bfc87d0aa0fa55915db1f0cab9c22e55f8aa0c6eeb5a56f438d849544d1650bdc574384b851292d621b79f673b78bc37617aa0b SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9
40 -DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551c3ae037593d4296305df189e0a6f1383adc89b1970d58b8dcfff391878b7a29b848cc244a99705a164bec5d734 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
41 DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
42 DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b
43 DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
44 DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
45 DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
46 -DIST openssh-7.8p1+x509-11.4.diff.gz 536597 BLAKE2B 18593135d0d4010f40a6e0c99a6a2e9fb4ca98d00b4940be5cb547fcb647adc9663245274d4e792bcc7c2ec49accaceb7c3c489707bbb7aaeed260dd2e0eb1c3 SHA512 b95d46201626797f197c5aa8488b0543d2c7c5719b99fadd94ef2c888a96c6a7b649527b78b6d6014d953ae57e05ecf116192cf498687db8cb7669c3998deecc
47 -DIST openssh-7.8p1-sctp-1.1.patch.xz 7548 BLAKE2B d74010028f097812f554f9e788aa5e46d75c12edbef18aaeaa9866665025bdad04a1a028cc862d11d718208c1b63862780840332536a535bb2eaff7661c966ef SHA512 c084f6b2cfa9cb70f46ecc9edfce6e2843cd4cd5e36ac870f5ceaaedd056ba9aa2ce8769418239ad0fe5e7350573397a222b6525a029f4492feb7b144ee22aa3
48 -DIST openssh-7.8p1.tar.gz 1548026 BLAKE2B 938428408596d24d497f245e3662a0cff3d462645683bf75cd29a0ea56fa6c280e7fa866bedf0928dd5bc4085b82d5a4ce74b7eea0b45b86f879b69f74db1642 SHA512 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
49 -DIST openssh-7.9p1+x509-11.5.diff.gz 594995 BLAKE2B 2c44df224e4114da0473cbbdfdcc4bd84b0b0235f80b43517d70fe1071f219d2631f784015ab1470eebcf8f3b6b5f8744862acebb22f217c6e76f79e6a49c099 SHA512 4d2fd950dee9721add822fdb54ff8c20fd18da85081ce8a2bd2a1050d3ff7900a7213782c479691de9dcfe4e2f91061e124d34b365edb3831e8bfe4aef3744f9
50 DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc
51 DIST openssh-7.9p1-sctp-1.1.patch.xz 7552 BLAKE2B 0eeda7c8a50c0c98433b5ee0734b9f79043067be376a9ca724d574d4a595c3f7aed0626342300467b73ad9003392e22fda8abe778158ba5be5a50a57eeef79f8 SHA512 6cad32c40dd3901c4eadb0c463a35ec2d901e61220c333d3df7759f672259f66fc83e2b1ace8b0ef84cbc1a65397f00f9c670ffa23726d8309fa5060512d2c21
52 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
53 DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
54 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
55 -DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b
56
57 diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
58 deleted file mode 100644
59 index 7eaadaf11cd..00000000000
60 --- a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
61 +++ /dev/null
62 @@ -1,21 +0,0 @@
63 -https://bugs.gentoo.org/591392
64 -https://bugzilla.mindrot.org/show_bug.cgi?id=2590
65 -
66 -7.3 added seccomp support to MIPS, but failed to handled the N32
67 -case. This patch is temporary until upstream fixes.
68 -
69 ---- openssh-7.3p1/configure.ac
70 -+++ openssh-7.3p1/configure.ac
71 -@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
72 - seccomp_audit_arch=AUDIT_ARCH_MIPSEL
73 - ;;
74 - mips64-*)
75 -- seccomp_audit_arch=AUDIT_ARCH_MIPS64
76 -+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
77 - ;;
78 - mips64el-*)
79 -- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
80 -+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
81 - ;;
82 - esac
83 - if test "x$seccomp_audit_arch" != "x" ; then
84
85 diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
86 deleted file mode 100644
87 index b97ceb4b278..00000000000
88 --- a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
89 +++ /dev/null
90 @@ -1,31 +0,0 @@
91 -From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
92 -From: djm <djm@×××××××.org>
93 -Date: Tue, 4 Apr 2017 00:24:56 +0000
94 -Subject: [PATCH] disallow creation (of empty files) in read-only mode;
95 - reported by Michal Zalewski, feedback & ok deraadt@
96 -
97 ----
98 - usr.bin/ssh/sftp-server.c | 6 +++---
99 - 1 file changed, 3 insertions(+), 3 deletions(-)
100 -
101 -diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
102 -index 2510d234a3a..42249ebd60d 100644
103 ---- a/usr.bin/ssh/sftp-server.c
104 -+++ b/usr.bin/ssh/sftp-server.c
105 -@@ -1,4 +1,4 @@
106 --/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
107 -+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
108 - /*
109 - * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
110 - *
111 -@@ -683,8 +683,8 @@ process_open(u_int32_t id)
112 - logit("open \"%s\" flags %s mode 0%o",
113 - name, string_from_portable(pflags), mode);
114 - if (readonly &&
115 -- ((flags & O_ACCMODE) == O_WRONLY ||
116 -- (flags & O_ACCMODE) == O_RDWR)) {
117 -+ ((flags & O_ACCMODE) != O_RDONLY ||
118 -+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
119 - verbose("Refusing open request in read-only mode");
120 - status = SSH2_FX_PERMISSION_DENIED;
121 - } else {
122
123 diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
124 deleted file mode 100644
125 index 6b1e6dd35a4..00000000000
126 --- a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
127 +++ /dev/null
128 @@ -1,351 +0,0 @@
129 -http://bugs.gentoo.org/165444
130 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008
131 -
132 ---- a/readconf.c
133 -+++ b/readconf.c
134 -@@ -148,6 +148,7 @@
135 - oClearAllForwardings, oNoHostAuthenticationForLocalhost,
136 - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
137 - oAddressFamily, oGssAuthentication, oGssDelegateCreds,
138 -+ oGssTrustDns,
139 - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
140 - oSendEnv, oControlPath, oControlMaster, oControlPersist,
141 - oHashKnownHosts,
142 -@@ -194,9 +195,11 @@
143 - #if defined(GSSAPI)
144 - { "gssapiauthentication", oGssAuthentication },
145 - { "gssapidelegatecredentials", oGssDelegateCreds },
146 -+ { "gssapitrustdns", oGssTrustDns },
147 - # else
148 - { "gssapiauthentication", oUnsupported },
149 - { "gssapidelegatecredentials", oUnsupported },
150 -+ { "gssapitrustdns", oUnsupported },
151 - #endif
152 - #ifdef ENABLE_PKCS11
153 - { "smartcarddevice", oPKCS11Provider },
154 -@@ -930,6 +933,10 @@
155 - intptr = &options->gss_deleg_creds;
156 - goto parse_flag;
157 -
158 -+ case oGssTrustDns:
159 -+ intptr = &options->gss_trust_dns;
160 -+ goto parse_flag;
161 -+
162 - case oBatchMode:
163 - intptr = &options->batch_mode;
164 - goto parse_flag;
165 -@@ -1649,6 +1656,7 @@
166 - options->challenge_response_authentication = -1;
167 - options->gss_authentication = -1;
168 - options->gss_deleg_creds = -1;
169 -+ options->gss_trust_dns = -1;
170 - options->password_authentication = -1;
171 - options->kbd_interactive_authentication = -1;
172 - options->kbd_interactive_devices = NULL;
173 -@@ -1779,6 +1787,8 @@
174 - options->gss_authentication = 0;
175 - if (options->gss_deleg_creds == -1)
176 - options->gss_deleg_creds = 0;
177 -+ if (options->gss_trust_dns == -1)
178 -+ options->gss_trust_dns = 0;
179 - if (options->password_authentication == -1)
180 - options->password_authentication = 1;
181 - if (options->kbd_interactive_authentication == -1)
182 ---- a/readconf.h
183 -+++ b/readconf.h
184 -@@ -46,6 +46,7 @@
185 - /* Try S/Key or TIS, authentication. */
186 - int gss_authentication; /* Try GSS authentication */
187 - int gss_deleg_creds; /* Delegate GSS credentials */
188 -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
189 - int password_authentication; /* Try password
190 - * authentication. */
191 - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
192 ---- a/ssh_config.5
193 -+++ b/ssh_config.5
194 -@@ -830,6 +830,16 @@
195 - Forward (delegate) credentials to the server.
196 - The default is
197 - .Cm no .
198 -+Note that this option applies to protocol version 2 connections using GSSAPI.
199 -+.It Cm GSSAPITrustDns
200 -+Set to
201 -+.Dq yes to indicate that the DNS is trusted to securely canonicalize
202 -+the name of the host being connected to. If
203 -+.Dq no, the hostname entered on the
204 -+command line will be passed untouched to the GSSAPI library.
205 -+The default is
206 -+.Dq no .
207 -+This option only applies to protocol version 2 connections using GSSAPI.
208 - .It Cm HashKnownHosts
209 - Indicates that
210 - .Xr ssh 1
211 ---- a/sshconnect2.c
212 -+++ b/sshconnect2.c
213 -@@ -656,6 +656,13 @@
214 - static u_int mech = 0;
215 - OM_uint32 min;
216 - int ok = 0;
217 -+ const char *gss_host;
218 -+
219 -+ if (options.gss_trust_dns) {
220 -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
221 -+ gss_host = auth_get_canonical_hostname(active_state, 1);
222 -+ } else
223 -+ gss_host = authctxt->host;
224 -
225 - /* Try one GSSAPI method at a time, rather than sending them all at
226 - * once. */
227 -@@ -668,7 +674,7 @@
228 - /* My DER encoding requires length<128 */
229 - if (gss_supported->elements[mech].length < 128 &&
230 - ssh_gssapi_check_mechanism(&gssctxt,
231 -- &gss_supported->elements[mech], authctxt->host)) {
232 -+ &gss_supported->elements[mech], gss_host)) {
233 - ok = 1; /* Mechanism works */
234 - } else {
235 - mech++;
236 -
237 -need to move these two funcs back to canohost so they're available to clients
238 -and the server. auth.c is only used in the server.
239 -
240 ---- a/auth.c
241 -+++ b/auth.c
242 -@@ -784,117 +784,3 @@ fakepw(void)
243 -
244 - return (&fake);
245 - }
246 --
247 --/*
248 -- * Returns the remote DNS hostname as a string. The returned string must not
249 -- * be freed. NB. this will usually trigger a DNS query the first time it is
250 -- * called.
251 -- * This function does additional checks on the hostname to mitigate some
252 -- * attacks on legacy rhosts-style authentication.
253 -- * XXX is RhostsRSAAuthentication vulnerable to these?
254 -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
255 -- */
256 --
257 --static char *
258 --remote_hostname(struct ssh *ssh)
259 --{
260 -- struct sockaddr_storage from;
261 -- socklen_t fromlen;
262 -- struct addrinfo hints, *ai, *aitop;
263 -- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
264 -- const char *ntop = ssh_remote_ipaddr(ssh);
265 --
266 -- /* Get IP address of client. */
267 -- fromlen = sizeof(from);
268 -- memset(&from, 0, sizeof(from));
269 -- if (getpeername(ssh_packet_get_connection_in(ssh),
270 -- (struct sockaddr *)&from, &fromlen) < 0) {
271 -- debug("getpeername failed: %.100s", strerror(errno));
272 -- return strdup(ntop);
273 -- }
274 --
275 -- ipv64_normalise_mapped(&from, &fromlen);
276 -- if (from.ss_family == AF_INET6)
277 -- fromlen = sizeof(struct sockaddr_in6);
278 --
279 -- debug3("Trying to reverse map address %.100s.", ntop);
280 -- /* Map the IP address to a host name. */
281 -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
282 -- NULL, 0, NI_NAMEREQD) != 0) {
283 -- /* Host name not found. Use ip address. */
284 -- return strdup(ntop);
285 -- }
286 --
287 -- /*
288 -- * if reverse lookup result looks like a numeric hostname,
289 -- * someone is trying to trick us by PTR record like following:
290 -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
291 -- */
292 -- memset(&hints, 0, sizeof(hints));
293 -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
294 -- hints.ai_flags = AI_NUMERICHOST;
295 -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
296 -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
297 -- name, ntop);
298 -- freeaddrinfo(ai);
299 -- return strdup(ntop);
300 -- }
301 --
302 -- /* Names are stored in lowercase. */
303 -- lowercase(name);
304 --
305 -- /*
306 -- * Map it back to an IP address and check that the given
307 -- * address actually is an address of this host. This is
308 -- * necessary because anyone with access to a name server can
309 -- * define arbitrary names for an IP address. Mapping from
310 -- * name to IP address can be trusted better (but can still be
311 -- * fooled if the intruder has access to the name server of
312 -- * the domain).
313 -- */
314 -- memset(&hints, 0, sizeof(hints));
315 -- hints.ai_family = from.ss_family;
316 -- hints.ai_socktype = SOCK_STREAM;
317 -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
318 -- logit("reverse mapping checking getaddrinfo for %.700s "
319 -- "[%s] failed.", name, ntop);
320 -- return strdup(ntop);
321 -- }
322 -- /* Look for the address from the list of addresses. */
323 -- for (ai = aitop; ai; ai = ai->ai_next) {
324 -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
325 -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
326 -- (strcmp(ntop, ntop2) == 0))
327 -- break;
328 -- }
329 -- freeaddrinfo(aitop);
330 -- /* If we reached the end of the list, the address was not there. */
331 -- if (ai == NULL) {
332 -- /* Address not found for the host name. */
333 -- logit("Address %.100s maps to %.600s, but this does not "
334 -- "map back to the address.", ntop, name);
335 -- return strdup(ntop);
336 -- }
337 -- return strdup(name);
338 --}
339 --
340 --/*
341 -- * Return the canonical name of the host in the other side of the current
342 -- * connection. The host name is cached, so it is efficient to call this
343 -- * several times.
344 -- */
345 --
346 --const char *
347 --auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
348 --{
349 -- static char *dnsname;
350 --
351 -- if (!use_dns)
352 -- return ssh_remote_ipaddr(ssh);
353 -- else if (dnsname != NULL)
354 -- return dnsname;
355 -- else {
356 -- dnsname = remote_hostname(ssh);
357 -- return dnsname;
358 -- }
359 --}
360 ---- a/canohost.c
361 -+++ b/canohost.c
362 -@@ -202,3 +202,117 @@ get_local_port(int sock)
363 - {
364 - return get_sock_port(sock, 1);
365 - }
366 -+
367 -+/*
368 -+ * Returns the remote DNS hostname as a string. The returned string must not
369 -+ * be freed. NB. this will usually trigger a DNS query the first time it is
370 -+ * called.
371 -+ * This function does additional checks on the hostname to mitigate some
372 -+ * attacks on legacy rhosts-style authentication.
373 -+ * XXX is RhostsRSAAuthentication vulnerable to these?
374 -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
375 -+ */
376 -+
377 -+static char *
378 -+remote_hostname(struct ssh *ssh)
379 -+{
380 -+ struct sockaddr_storage from;
381 -+ socklen_t fromlen;
382 -+ struct addrinfo hints, *ai, *aitop;
383 -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
384 -+ const char *ntop = ssh_remote_ipaddr(ssh);
385 -+
386 -+ /* Get IP address of client. */
387 -+ fromlen = sizeof(from);
388 -+ memset(&from, 0, sizeof(from));
389 -+ if (getpeername(ssh_packet_get_connection_in(ssh),
390 -+ (struct sockaddr *)&from, &fromlen) < 0) {
391 -+ debug("getpeername failed: %.100s", strerror(errno));
392 -+ return strdup(ntop);
393 -+ }
394 -+
395 -+ ipv64_normalise_mapped(&from, &fromlen);
396 -+ if (from.ss_family == AF_INET6)
397 -+ fromlen = sizeof(struct sockaddr_in6);
398 -+
399 -+ debug3("Trying to reverse map address %.100s.", ntop);
400 -+ /* Map the IP address to a host name. */
401 -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
402 -+ NULL, 0, NI_NAMEREQD) != 0) {
403 -+ /* Host name not found. Use ip address. */
404 -+ return strdup(ntop);
405 -+ }
406 -+
407 -+ /*
408 -+ * if reverse lookup result looks like a numeric hostname,
409 -+ * someone is trying to trick us by PTR record like following:
410 -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
411 -+ */
412 -+ memset(&hints, 0, sizeof(hints));
413 -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
414 -+ hints.ai_flags = AI_NUMERICHOST;
415 -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
416 -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
417 -+ name, ntop);
418 -+ freeaddrinfo(ai);
419 -+ return strdup(ntop);
420 -+ }
421 -+
422 -+ /* Names are stored in lowercase. */
423 -+ lowercase(name);
424 -+
425 -+ /*
426 -+ * Map it back to an IP address and check that the given
427 -+ * address actually is an address of this host. This is
428 -+ * necessary because anyone with access to a name server can
429 -+ * define arbitrary names for an IP address. Mapping from
430 -+ * name to IP address can be trusted better (but can still be
431 -+ * fooled if the intruder has access to the name server of
432 -+ * the domain).
433 -+ */
434 -+ memset(&hints, 0, sizeof(hints));
435 -+ hints.ai_family = from.ss_family;
436 -+ hints.ai_socktype = SOCK_STREAM;
437 -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
438 -+ logit("reverse mapping checking getaddrinfo for %.700s "
439 -+ "[%s] failed.", name, ntop);
440 -+ return strdup(ntop);
441 -+ }
442 -+ /* Look for the address from the list of addresses. */
443 -+ for (ai = aitop; ai; ai = ai->ai_next) {
444 -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
445 -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
446 -+ (strcmp(ntop, ntop2) == 0))
447 -+ break;
448 -+ }
449 -+ freeaddrinfo(aitop);
450 -+ /* If we reached the end of the list, the address was not there. */
451 -+ if (ai == NULL) {
452 -+ /* Address not found for the host name. */
453 -+ logit("Address %.100s maps to %.600s, but this does not "
454 -+ "map back to the address.", ntop, name);
455 -+ return strdup(ntop);
456 -+ }
457 -+ return strdup(name);
458 -+}
459 -+
460 -+/*
461 -+ * Return the canonical name of the host in the other side of the current
462 -+ * connection. The host name is cached, so it is efficient to call this
463 -+ * several times.
464 -+ */
465 -+
466 -+const char *
467 -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
468 -+{
469 -+ static char *dnsname;
470 -+
471 -+ if (!use_dns)
472 -+ return ssh_remote_ipaddr(ssh);
473 -+ else if (dnsname != NULL)
474 -+ return dnsname;
475 -+ else {
476 -+ dnsname = remote_hostname(ssh);
477 -+ return dnsname;
478 -+ }
479 -+}
480
481 diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
482 deleted file mode 100644
483 index 1c2b7b8a091..00000000000
484 --- a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
485 +++ /dev/null
486 @@ -1,39 +0,0 @@
487 -From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
488 -From: Mike Frysinger <vapier@××××××××.org>
489 -Date: Wed, 24 May 2017 23:18:41 -0400
490 -Subject: [PATCH] configure: actually set cache vars when cross-compiling
491 -
492 -The cross-compiling fallback message says it's assuming the test
493 -passed, but it didn't actually set the cache var which causes
494 -later tests to fail.
495 ----
496 - configure.ac | 6 ++++--
497 - 1 file changed, 4 insertions(+), 2 deletions(-)
498 -
499 -diff --git a/configure.ac b/configure.ac
500 -index 5cfea38c0a6c..895c5211ea93 100644
501 ---- a/configure.ac
502 -+++ b/configure.ac
503 -@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
504 - select_works_with_rlimit=yes],
505 - [AC_MSG_RESULT([no])
506 - select_works_with_rlimit=no],
507 -- [AC_MSG_WARN([cross compiling: assuming yes])]
508 -+ [AC_MSG_WARN([cross compiling: assuming yes])
509 -+ select_works_with_rlimit=yes]
510 - )
511 -
512 - AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
513 -@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
514 - rlimit_nofile_zero_works=yes],
515 - [AC_MSG_RESULT([no])
516 - rlimit_nofile_zero_works=no],
517 -- [AC_MSG_WARN([cross compiling: assuming yes])]
518 -+ [AC_MSG_WARN([cross compiling: assuming yes])
519 -+ rlimit_nofile_zero_works=yes]
520 - )
521 -
522 - AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
523 ---
524 -2.12.0
525 -
526
527 diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
528 deleted file mode 100644
529 index 11a5b364be4..00000000000
530 --- a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
531 +++ /dev/null
532 @@ -1,67 +0,0 @@
533 -diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
534 ---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700
535 -+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700
536 -@@ -40,7 +40,7 @@
537 - @@ -44,7 +44,7 @@ CC=@CC@
538 - LD=@LD@
539 - CFLAGS=@CFLAGS@
540 -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
541 -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
542 - -LIBS=@LIBS@
543 - +LIBS=@LIBS@ -lpthread
544 - K5LIBS=@K5LIBS@
545 -@@ -1023,6 +1023,3 @@
546 - do_authenticated(authctxt);
547 -
548 - /* The connection has been terminated. */
549 ----
550 --2.12.0
551 --
552 -diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch
553 ---- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700
554 -+++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700
555 -@@ -926,9 +926,9 @@
556 - @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1)
557 - /* Send our own protocol version identification. */
558 - if (compat20) {
559 -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
560 --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
561 --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
562 -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
563 -+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
564 -++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
565 - } else {
566 - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
567 - - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
568 -@@ -943,11 +943,11 @@
569 - @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
570 - char remote_version[256]; /* Must be at least as big as buf. */
571 -
572 -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
573 --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
574 --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
575 -+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s",
576 -+- major, minor, SSH_VERSION, pkix_comment,
577 -++ major, minor, SSH_RELEASE, pkix_comment,
578 - *options.version_addendum == '\0' ? "" : " ",
579 -- options.version_addendum);
580 -+ options.version_addendum, newline);
581 -
582 - @@ -1020,6 +1020,8 @@ server_listen(void)
583 - int ret, listen_sock, on = 1;
584 -@@ -1006,12 +1008,9 @@
585 - --- a/version.h
586 - +++ b/version.h
587 --@@ -3,4 +3,5 @@
588 -+@@ -3,4 +3,6 @@
589 - #define SSH_VERSION "OpenSSH_7.5"
590 -
591 -- #define SSH_PORTABLE "p1"
592 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
593 -+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
594 -++#define SSH_X509 ", PKIX-SSH " PACKAGE_VERSION
595 - +#define SSH_HPN "-hpn14v12"
596 - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
597 ----
598 --2.12.0
599 --
600
601 diff --git a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch b/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
602 deleted file mode 100644
603 index d7932003f8f..00000000000
604 --- a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
605 +++ /dev/null
606 @@ -1,27 +0,0 @@
607 -From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
608 -From: Damien Miller <djm@×××××××.org>
609 -Date: Wed, 22 Mar 2017 12:43:02 +1100
610 -Subject: [PATCH] Missing header on Linux/s390
611 -
612 -Patch from Jakub Jelen
613 ----
614 - sandbox-seccomp-filter.c | 3 +++
615 - 1 file changed, 3 insertions(+)
616 -
617 -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
618 -index a8d472a63ccb..2831e9d1083c 100644
619 ---- a/sandbox-seccomp-filter.c
620 -+++ b/sandbox-seccomp-filter.c
621 -@@ -50,6 +50,9 @@
622 - #include <elf.h>
623 -
624 - #include <asm/unistd.h>
625 -+#ifdef __s390__
626 -+#include <asm/zcrypt.h>
627 -+#endif
628 -
629 - #include <errno.h>
630 - #include <signal.h>
631 ---
632 -2.15.1
633 -
634
635 diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
636 deleted file mode 100644
637 index 5dca1b0e4e1..00000000000
638 --- a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
639 +++ /dev/null
640 @@ -1,25 +0,0 @@
641 -From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
642 -From: Mike Frysinger <vapier@g.o>
643 -Date: Mon, 20 Mar 2017 14:57:40 -0400
644 -Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
645 -
646 ----
647 - sandbox-seccomp-filter.c | 2 +-
648 - 1 file changed, 1 insertion(+), 1 deletion(-)
649 -
650 -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
651 -index 3a1aedce72c2..a8d472a63ccb 100644
652 ---- a/sandbox-seccomp-filter.c
653 -+++ b/sandbox-seccomp-filter.c
654 -@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
655 - * x86-64 syscall under some circumstances, e.g.
656 - * https://bugs.debian.org/849923
657 - */
658 -- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
659 -+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
660 - #endif
661 -
662 - /* Default deny */
663 ---
664 -2.12.0
665 -
666
667 diff --git a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch b/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
668 deleted file mode 100644
669 index 66641c27473..00000000000
670 --- a/net-misc/openssh/files/openssh-7.8_p1-X509-no-version.patch
671 +++ /dev/null
672 @@ -1,19 +0,0 @@
673 ---- a/openssh-7.8p1+x509-11.4.diff 2018-08-24 14:55:19.153936872 -0700
674 -+++ b/openssh-7.8p1+x509-11.4.diff 2018-08-24 14:55:58.116677254 -0700
675 -@@ -63643,16 +63643,6 @@
676 - setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
677 - return;
678 - setlocale(LC_CTYPE, "C");
679 --diff -ruN openssh-7.8p1/version.h openssh-7.8p1+x509-11.4/version.h
680 ----- openssh-7.8p1/version.h 2018-08-23 08:41:42.000000000 +0300
681 --+++ openssh-7.8p1+x509-11.4/version.h 2018-08-24 20:07:00.000000000 +0300
682 --@@ -2,5 +2,4 @@
683 --
684 -- #define SSH_VERSION "OpenSSH_7.8"
685 --
686 ---#define SSH_PORTABLE "p1"
687 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
688 --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
689 - diff -ruN openssh-7.8p1/version.m4 openssh-7.8p1+x509-11.4/version.m4
690 - --- openssh-7.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
691 - +++ openssh-7.8p1+x509-11.4/version.m4 2018-08-24 20:00:00.000000000 +0300
692
693 diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
694 deleted file mode 100644
695 index c76d454c92f..00000000000
696 --- a/net-misc/openssh/files/openssh-7.8_p1-hpn-X509-glue.patch
697 +++ /dev/null
698 @@ -1,79 +0,0 @@
699 ---- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig 2018-09-12 15:58:57.377986085 -0700
700 -+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2018-09-12 16:07:15.376711327 -0700
701 -@@ -4,8 +4,8 @@
702 - +++ b/Makefile.in
703 - @@ -42,7 +42,7 @@ CC=@CC@
704 - LD=@LD@
705 -- CFLAGS=@CFLAGS@
706 -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
707 -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
708 -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
709 - -LIBS=@LIBS@
710 - +LIBS=@LIBS@ -lpthread
711 - K5LIBS=@K5LIBS@
712 -@@ -788,8 +788,8 @@
713 - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
714 - {
715 - struct session_state *state;
716 --- const struct sshcipher *none = cipher_by_name("none");
717 --+ struct sshcipher *none = cipher_by_name("none");
718 -+- const struct sshcipher *none = cipher_none();
719 -++ struct sshcipher *none = cipher_none();
720 - int r;
721 -
722 - if (none == NULL) {
723 -@@ -933,9 +933,9 @@
724 - /* Portable-specific options */
725 - sUsePAM,
726 - + sDisableMTAES,
727 -- /* Standard Options */
728 -- sPort, sHostKeyFile, sLoginGraceTime,
729 -- sPermitRootLogin, sLogFacility, sLogLevel,
730 -+ /* X.509 Standard Options */
731 -+ sHostbasedAlgorithms,
732 -+ sPubkeyAlgorithms,
733 - @@ -626,6 +630,7 @@ static struct {
734 - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
735 - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
736 ---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 16:38:16.947447218 -0700
737 -+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 16:32:35.479700864 -0700
738 -@@ -382,7 +382,7 @@
739 - @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
740 - int nenc, nmac, ncomp;
741 - u_int mode, ctos, need, dh_need, authlen;
742 -- int r, first_kex_follows;
743 -+ int r, first_kex_follows = 0;
744 - + int auth_flag;
745 - +
746 - + auth_flag = packet_authentication_state(ssh);
747 -@@ -1125,15 +1125,6 @@
748 - index a738c3a..b32dbe0 100644
749 - --- a/sshd.c
750 - +++ b/sshd.c
751 --@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
752 -- char remote_version[256]; /* Must be at least as big as buf. */
753 --
754 -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
755 --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
756 --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
757 -- *options.version_addendum == '\0' ? "" : " ",
758 -- options.version_addendum);
759 --
760 - @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
761 - int ret, listen_sock;
762 - struct addrinfo *ai;
763 -@@ -1213,14 +1204,3 @@
764 - # Example of overriding settings on a per-user basis
765 - #Match User anoncvs
766 - # X11Forwarding no
767 --diff --git a/version.h b/version.h
768 --index f1bbf00..21a70c2 100644
769 ----- a/version.h
770 --+++ b/version.h
771 --@@ -3,4 +3,5 @@
772 -- #define SSH_VERSION "OpenSSH_7.8"
773 --
774 -- #define SSH_PORTABLE "p1"
775 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
776 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
777 --+
778
779 diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
780 deleted file mode 100644
781 index 0561e381406..00000000000
782 --- a/net-misc/openssh/files/openssh-7.8_p1-hpn-glue.patch
783 +++ /dev/null
784 @@ -1,112 +0,0 @@
785 ---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-11 17:19:19.968420409 -0700
786 -+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-11 17:39:19.977535398 -0700
787 -@@ -409,18 +409,10 @@
788 - index dcf35e6..da4ced0 100644
789 - --- a/packet.c
790 - +++ b/packet.c
791 --@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
792 -+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
793 - return 0;
794 - }
795 -
796 --+/* this supports the forced rekeying required for the NONE cipher */
797 --+int rekey_requested = 0;
798 --+void
799 --+packet_request_rekeying(void)
800 --+{
801 --+ rekey_requested = 1;
802 --+}
803 --+
804 - +/* used to determine if pre or post auth when rekeying for aes-ctr
805 - + * and none cipher switch */
806 - +int
807 -@@ -434,20 +426,6 @@
808 - #define MAX_PACKETS (1U<<31)
809 - static int
810 - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
811 --@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
812 -- if (state->p_send.packets == 0 && state->p_read.packets == 0)
813 -- return 0;
814 --
815 --+ /* used to force rekeying when called for by the none
816 --+ * cipher switch methods -cjr */
817 --+ if (rekey_requested == 1) {
818 --+ rekey_requested = 0;
819 --+ return 1;
820 --+ }
821 --+
822 -- /* Time-based rekeying */
823 -- if (state->rekey_interval != 0 &&
824 -- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
825 - diff --git a/packet.h b/packet.h
826 - index 170203c..f4d9df2 100644
827 - --- a/packet.h
828 -@@ -476,9 +454,9 @@
829 - /* Format of the configuration file:
830 -
831 - @@ -166,6 +167,8 @@ typedef enum {
832 -- oHashKnownHosts,
833 - oTunnel, oTunnelDevice,
834 - oLocalCommand, oPermitLocalCommand, oRemoteCommand,
835 -+ oDisableMTAES,
836 - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
837 - + oNoneEnabled, oNoneSwitch,
838 - oVisualHostKey,
839 -@@ -615,9 +593,9 @@
840 - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
841 - SyslogFacility log_facility; /* Facility for system logging. */
842 - @@ -111,7 +115,10 @@ typedef struct {
843 --
844 - int enable_ssh_keysign;
845 - int64_t rekey_limit;
846 -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
847 - + int none_switch; /* Use none cipher */
848 - + int none_enabled; /* Allow none to be used */
849 - int rekey_interval;
850 -@@ -673,9 +651,9 @@
851 - /* Portable-specific options */
852 - if (options->use_pam == -1)
853 - @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
854 -- }
855 -- if (options->permit_tun == -1)
856 - options->permit_tun = SSH_TUNMODE_NO;
857 -+ if (options->disable_multithreaded == -1)
858 -+ options->disable_multithreaded = 0;
859 - + if (options->none_enabled == -1)
860 - + options->none_enabled = 0;
861 - + if (options->hpn_disabled == -1)
862 -@@ -1092,7 +1070,7 @@
863 - xxx_host = host;
864 - xxx_hostaddr = hostaddr;
865 -
866 --@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
867 -+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
868 -
869 - if (!authctxt.success)
870 - fatal("Authentication failed.");
871 -@@ -1117,10 +1095,9 @@
872 - + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
873 - + }
874 - + }
875 --+
876 -- debug("Authentication succeeded (%s).", authctxt.method->name);
877 -- }
878 -
879 -+ #ifdef WITH_OPENSSL
880 -+ if (options.disable_multithreaded == 0) {
881 - diff --git a/sshd.c b/sshd.c
882 - index a738c3a..b32dbe0 100644
883 - --- a/sshd.c
884 -@@ -1217,11 +1194,10 @@
885 - index f1bbf00..21a70c2 100644
886 - --- a/version.h
887 - +++ b/version.h
888 --@@ -3,4 +3,6 @@
889 -+@@ -3,4 +3,5 @@
890 - #define SSH_VERSION "OpenSSH_7.8"
891 -
892 - #define SSH_PORTABLE "p1"
893 - -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
894 --+#define SSH_HPN "-hpn14v16"
895 - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
896 - +
897
898 diff --git a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
899 deleted file mode 100644
900 index a7d51ad9483..00000000000
901 --- a/net-misc/openssh/files/openssh-7.8_p1-hpn-sctp-glue.patch
902 +++ /dev/null
903 @@ -1,17 +0,0 @@
904 ---- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 18:18:51.851536374 -0700
905 -+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 18:19:01.116475099 -0700
906 -@@ -1190,14 +1190,3 @@
907 - # Example of overriding settings on a per-user basis
908 - #Match User anoncvs
909 - # X11Forwarding no
910 --diff --git a/version.h b/version.h
911 --index f1bbf00..21a70c2 100644
912 ----- a/version.h
913 --+++ b/version.h
914 --@@ -3,4 +3,5 @@
915 -- #define SSH_VERSION "OpenSSH_7.8"
916 --
917 -- #define SSH_PORTABLE "p1"
918 ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
919 --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
920 --+
921
922 diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
923 index 29134fc060d..ab669d3e59a 100644
924 --- a/net-misc/openssh/metadata.xml
925 +++ b/net-misc/openssh/metadata.xml
926 @@ -26,10 +26,8 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
927 <use>
928 <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
929 <flag name="hpn">Enable high performance ssh</flag>
930 - <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
931 <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
932 <flag name="livecd">Enable root password logins for live-cd environment.</flag>
933 - <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
934 <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
935 <flag name="X509">Adds support for X.509 certificate authentication</flag>
936 </use>
937
938 diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r4.ebuild
939 deleted file mode 100644
940 index cbe425c4eef..00000000000
941 --- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild
942 +++ /dev/null
943 @@ -1,334 +0,0 @@
944 -# Copyright 1999-2018 Gentoo Foundation
945 -# Distributed under the terms of the GNU General Public License v2
946 -
947 -EAPI="5"
948 -
949 -inherit eutils user flag-o-matic multilib autotools pam systemd
950 -
951 -# Make it more portable between straight releases
952 -# and _p? releases.
953 -PARCH=${P/_}
954 -
955 -HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
956 -SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
957 -LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
958 -X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
959 -
960 -DESCRIPTION="Port of OpenBSD's free SSH release"
961 -HOMEPAGE="http://www.openssh.org/"
962 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
963 - ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
964 - ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
965 - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
966 - ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
967 - "
968 -
969 -LICENSE="BSD GPL-2"
970 -SLOT="0"
971 -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
972 -# Probably want to drop ssl defaulting to on in a future version.
973 -IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
974 -REQUIRED_USE="ldns? ( ssl )
975 - pie? ( !static )
976 - ssh1? ( ssl )
977 - static? ( !kerberos !pam )
978 - X509? ( !ldap !sctp ssl )
979 - test? ( ssl )"
980 -
981 -LIB_DEPEND="
982 - audit? ( sys-process/audit[static-libs(+)] )
983 - ldns? (
984 - net-libs/ldns[static-libs(+)]
985 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
986 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
987 - )
988 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
989 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
990 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
991 - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
992 - ssl? (
993 - !libressl? (
994 - >=dev-libs/openssl-1.0.1:0=[bindist=]
995 - dev-libs/openssl:0=[static-libs(+)]
996 - )
997 - libressl? ( dev-libs/libressl:0=[static-libs(+)] )
998 - )
999 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
1000 -RDEPEND="
1001 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
1002 - pam? ( virtual/pam )
1003 - kerberos? ( virtual/krb5 )
1004 - ldap? ( net-nds/openldap )"
1005 -DEPEND="${RDEPEND}
1006 - static? ( ${LIB_DEPEND} )
1007 - virtual/pkgconfig
1008 - virtual/os-headers
1009 - sys-devel/autoconf"
1010 -RDEPEND="${RDEPEND}
1011 - pam? ( >=sys-auth/pambase-20081028 )
1012 - userland_GNU? ( virtual/shadow )
1013 - X? ( x11-apps/xauth )"
1014 -
1015 -S=${WORKDIR}/${PARCH}
1016 -
1017 -pkg_pretend() {
1018 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
1019 - # than not be able to log in to their server any more
1020 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1021 - local fail="
1022 - $(use X509 && maybe_fail X509 X509_PATCH)
1023 - $(use ldap && maybe_fail ldap LDAP_PATCH)
1024 - $(use hpn && maybe_fail hpn HPN_PATCH)
1025 - "
1026 - fail=$(echo ${fail})
1027 - if [[ -n ${fail} ]] ; then
1028 - eerror "Sorry, but this version does not yet support features"
1029 - eerror "that you requested: ${fail}"
1030 - eerror "Please mask ${PF} for now and check back later:"
1031 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1032 - die "booooo"
1033 - fi
1034 -
1035 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
1036 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
1037 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1038 - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
1039 - fi
1040 -}
1041 -
1042 -save_version() {
1043 - # version.h patch conflict avoidence
1044 - mv version.h version.h.$1
1045 - cp -f version.h.pristine version.h
1046 -}
1047 -
1048 -src_prepare() {
1049 - sed -i \
1050 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
1051 - pathnames.h || die
1052 - # keep this as we need it to avoid the conflict between LPK and HPN changing
1053 - # this file.
1054 - cp version.h version.h.pristine
1055 -
1056 - # don't break .ssh/authorized_keys2 for fun
1057 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1058 -
1059 - if use X509 ; then
1060 - if use hpn ; then
1061 - pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
1062 - epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
1063 - popd >/dev/null
1064 - fi
1065 - save_version X509
1066 - epatch "${WORKDIR}"/${X509_PATCH%.*}
1067 - fi
1068 -
1069 - if use ldap ; then
1070 - epatch "${WORKDIR}"/${LDAP_PATCH%.*}
1071 - save_version LPK
1072 - fi
1073 -
1074 - epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1075 - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1076 - epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
1077 - epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
1078 - epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
1079 - use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252
1080 - use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
1081 - use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
1082 - use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
1083 -
1084 - if use hpn ; then
1085 - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
1086 - EPATCH_MULTI_MSG="Applying HPN patchset ..." \
1087 - epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
1088 - save_version HPN
1089 - fi
1090 -
1091 - tc-export PKG_CONFIG
1092 - local sed_args=(
1093 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1094 - # Disable PATH reset, trust what portage gives us #254615
1095 - -e 's:^PATH=/:#PATH=/:'
1096 - # Disable fortify flags ... our gcc does this for us
1097 - -e 's:-D_FORTIFY_SOURCE=2::'
1098 - )
1099 - # The -ftrapv flag ICEs on hppa #505182
1100 - use hppa && sed_args+=(
1101 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1102 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1103 - )
1104 - # _XOPEN_SOURCE causes header conflicts on Solaris
1105 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
1106 - -e 's/-D_XOPEN_SOURCE//'
1107 - )
1108 - sed -i "${sed_args[@]}" configure{.ac,} || die
1109 -
1110 - epatch_user #473004
1111 -
1112 - # Now we can build a sane merged version.h
1113 - (
1114 - sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
1115 - macros=()
1116 - for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
1117 - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
1118 - ) > version.h
1119 -
1120 - eautoreconf
1121 -}
1122 -
1123 -src_configure() {
1124 - addwrite /dev/ptmx
1125 -
1126 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1127 - use static && append-ldflags -static
1128 -
1129 - local myconf=(
1130 - --with-ldflags="${LDFLAGS}"
1131 - --disable-strip
1132 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1133 - --sysconfdir="${EPREFIX}"/etc/ssh
1134 - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
1135 - --datadir="${EPREFIX}"/usr/share/openssh
1136 - --with-privsep-path="${EPREFIX}"/var/empty
1137 - --with-privsep-user=sshd
1138 - $(use_with audit audit linux)
1139 - $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
1140 - # We apply the ldap patch conditionally, so can't pass --without-ldap
1141 - # unconditionally else we get unknown flag warnings.
1142 - $(use ldap && use_with ldap)
1143 - $(use_with ldns)
1144 - $(use_with libedit)
1145 - $(use_with pam)
1146 - $(use_with pie)
1147 - $(use X509 || use_with sctp)
1148 - $(use_with selinux)
1149 - $(use_with skey)
1150 - $(use_with ssh1)
1151 - $(use_with ssl openssl)
1152 - $(use_with ssl md5-passwords)
1153 - $(use_with ssl ssl-engine)
1154 - )
1155 -
1156 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
1157 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
1158 -
1159 - econf "${myconf[@]}"
1160 -}
1161 -
1162 -src_install() {
1163 - emake install-nokeys DESTDIR="${D}"
1164 - fperms 600 /etc/ssh/sshd_config
1165 - dobin contrib/ssh-copy-id
1166 - newinitd "${FILESDIR}"/sshd.rc6.4 sshd
1167 - newconfd "${FILESDIR}"/sshd.confd sshd
1168 -
1169 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
1170 - if use pam ; then
1171 - sed -i \
1172 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
1173 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
1174 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
1175 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
1176 - "${ED}"/etc/ssh/sshd_config || die
1177 - fi
1178 -
1179 - # Gentoo tweaks to default config files
1180 - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
1181 -
1182 - # Allow client to pass locale environment variables #367017
1183 - AcceptEnv LANG LC_*
1184 - EOF
1185 - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
1186 -
1187 - # Send locale environment variables #367017
1188 - SendEnv LANG LC_*
1189 - EOF
1190 -
1191 - if use livecd ; then
1192 - sed -i \
1193 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
1194 - "${ED}"/etc/ssh/sshd_config || die
1195 - fi
1196 -
1197 - if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
1198 - insinto /etc/openldap/schema/
1199 - newins openssh-lpk_openldap.schema openssh-lpk.schema
1200 - fi
1201 -
1202 - doman contrib/ssh-copy-id.1
1203 - dodoc CREDITS OVERVIEW README* TODO sshd_config
1204 - use X509 || dodoc ChangeLog
1205 -
1206 - diropts -m 0700
1207 - dodir /etc/skel/.ssh
1208 -
1209 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
1210 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
1211 -}
1212 -
1213 -src_test() {
1214 - local t skipped=() failed=() passed=()
1215 - local tests=( interop-tests compat-tests )
1216 -
1217 - local shell=$(egetshell "${UID}")
1218 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
1219 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
1220 - elog "user, so we will run a subset only."
1221 - skipped+=( tests )
1222 - else
1223 - tests+=( tests )
1224 - fi
1225 -
1226 - # It will also attempt to write to the homedir .ssh.
1227 - local sshhome=${T}/homedir
1228 - mkdir -p "${sshhome}"/.ssh
1229 - for t in "${tests[@]}" ; do
1230 - # Some tests read from stdin ...
1231 - HOMEDIR="${sshhome}" HOME="${sshhome}" \
1232 - emake -k -j1 ${t} </dev/null \
1233 - && passed+=( "${t}" ) \
1234 - || failed+=( "${t}" )
1235 - done
1236 -
1237 - einfo "Passed tests: ${passed[*]}"
1238 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
1239 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
1240 -}
1241 -
1242 -pkg_preinst() {
1243 - enewgroup sshd 22
1244 - enewuser sshd 22 -1 /var/empty sshd
1245 -}
1246 -
1247 -pkg_postinst() {
1248 - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
1249 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
1250 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
1251 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
1252 - fi
1253 - if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
1254 - elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
1255 - fi
1256 - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
1257 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
1258 - elog "Make sure to update any configs that you might have. Note that xinetd might"
1259 - elog "be an alternative for you as it supports USE=tcpd."
1260 - fi
1261 - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
1262 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
1263 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
1264 - elog "adding to your sshd_config or ~/.ssh/config files:"
1265 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
1266 - elog "You should however generate new keys using rsa or ed25519."
1267 -
1268 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
1269 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
1270 - elog "out of the box. If you need this, please update your sshd_config explicitly."
1271 - fi
1272 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
1273 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
1274 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
1275 - elog "and update all clients/servers that utilize them."
1276 - fi
1277 -}
1278
1279 diff --git a/net-misc/openssh/openssh-7.8_p1.ebuild b/net-misc/openssh/openssh-7.8_p1.ebuild
1280 deleted file mode 100644
1281 index 3ce6916d6e9..00000000000
1282 --- a/net-misc/openssh/openssh-7.8_p1.ebuild
1283 +++ /dev/null
1284 @@ -1,438 +0,0 @@
1285 -# Copyright 1999-2018 Gentoo Foundation
1286 -# Distributed under the terms of the GNU General Public License v2
1287 -
1288 -EAPI=6
1289 -
1290 -inherit user flag-o-matic multilib autotools pam systemd
1291 -
1292 -# Make it more portable between straight releases
1293 -# and _p? releases.
1294 -PARCH=${P/_}
1295 -CAP_PV="${PV^^}"
1296 -
1297 -HPN_VER="14.16"
1298 -HPN_PATCHES=(
1299 - ${PN}-${CAP_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
1300 - ${PN}-${CAP_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
1301 -)
1302 -HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
1303 -SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
1304 -X509_VER="11.4" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
1305 -
1306 -DESCRIPTION="Port of OpenBSD's free SSH release"
1307 -HOMEPAGE="https://www.openssh.com/"
1308 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
1309 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
1310 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
1311 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
1312 - "
1313 -
1314 -LICENSE="BSD GPL-2"
1315 -SLOT="0"
1316 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
1317 -# Probably want to drop ssl defaulting to on in a future version.
1318 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
1319 -RESTRICT="!test? ( test )"
1320 -REQUIRED_USE="ldns? ( ssl )
1321 - pie? ( !static )
1322 - static? ( !kerberos !pam )
1323 - X509? ( !sctp ssl )
1324 - test? ( ssl )"
1325 -
1326 -LIB_DEPEND="
1327 - audit? ( sys-process/audit[static-libs(+)] )
1328 - ldns? (
1329 - net-libs/ldns[static-libs(+)]
1330 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
1331 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
1332 - )
1333 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
1334 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
1335 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
1336 - ssl? (
1337 - !libressl? (
1338 - >=dev-libs/openssl-1.0.1:0=[bindist=]
1339 - dev-libs/openssl:0=[static-libs(+)]
1340 - )
1341 - libressl? ( dev-libs/libressl:0=[static-libs(+)] )
1342 - )
1343 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
1344 -RDEPEND="
1345 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
1346 - pam? ( virtual/pam )
1347 - kerberos? ( virtual/krb5 )"
1348 -DEPEND="${RDEPEND}
1349 - static? ( ${LIB_DEPEND} )
1350 - virtual/pkgconfig
1351 - virtual/os-headers
1352 - sys-devel/autoconf"
1353 -RDEPEND="${RDEPEND}
1354 - pam? ( >=sys-auth/pambase-20081028 )
1355 - userland_GNU? ( virtual/shadow )
1356 - X? ( x11-apps/xauth )"
1357 -
1358 -S="${WORKDIR}/${PARCH}"
1359 -
1360 -pkg_pretend() {
1361 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
1362 - # than not be able to log in to their server any more
1363 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1364 - local fail="
1365 - $(use hpn && maybe_fail hpn HPN_VER)
1366 - $(use sctp && maybe_fail sctp SCTP_PATCH)
1367 - $(use X509 && maybe_fail X509 X509_PATCH)
1368 - "
1369 - fail=$(echo ${fail})
1370 - if [[ -n ${fail} ]] ; then
1371 - eerror "Sorry, but this version does not yet support features"
1372 - eerror "that you requested: ${fail}"
1373 - eerror "Please mask ${PF} for now and check back later:"
1374 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1375 - die "booooo"
1376 - fi
1377 -
1378 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
1379 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
1380 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1381 - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
1382 - fi
1383 -}
1384 -
1385 -src_prepare() {
1386 - sed -i \
1387 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
1388 - pathnames.h || die
1389 -
1390 - # don't break .ssh/authorized_keys2 for fun
1391 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1392 -
1393 - eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1394 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1395 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
1396 -
1397 - local PATCHSET_VERSION_MACROS=()
1398 -
1399 - if use X509 ; then
1400 - pushd "${WORKDIR}" || die
1401 - eapply "${FILESDIR}/${P}-X509-no-version.patch"
1402 - popd || die
1403 -
1404 - eapply "${WORKDIR}"/${X509_PATCH%.*}
1405 -
1406 - # We need to patch package version or any X.509 sshd will reject our ssh client
1407 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
1408 - # error
1409 - einfo "Patching package version for X.509 patch set ..."
1410 - sed -i \
1411 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
1412 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
1413 -
1414 - einfo "Patching version.h to expose X.509 patch set ..."
1415 - sed -i \
1416 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
1417 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
1418 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
1419 - fi
1420 -
1421 - if use sctp ; then
1422 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
1423 -
1424 - einfo "Patching version.h to expose SCTP patch set ..."
1425 - sed -i \
1426 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
1427 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
1428 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
1429 -
1430 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
1431 - sed -i \
1432 - -e "/\t\tcfgparse \\\/d" \
1433 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
1434 - fi
1435 -
1436 - if use hpn ; then
1437 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
1438 - mkdir "${hpn_patchdir}"
1439 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
1440 - pushd "${hpn_patchdir}"
1441 - eapply "${FILESDIR}"/${P}-hpn-glue.patch
1442 - use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
1443 - use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
1444 - popd
1445 -
1446 - eapply "${hpn_patchdir}"
1447 -
1448 - einfo "Patching Makefile.in for HPN patch set ..."
1449 - sed -i \
1450 - -e "/^LIBS=/ s/\$/ -lpthread/" \
1451 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
1452 -
1453 - einfo "Patching version.h to expose HPN patch set ..."
1454 - sed -i \
1455 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
1456 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
1457 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
1458 -
1459 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
1460 - einfo "Disabling known non-working MT AES cipher per default ..."
1461 -
1462 - cat > "${T}"/disable_mtaes.conf <<- EOF
1463 -
1464 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
1465 - # and therefore disabled per default.
1466 - DisableMTAES yes
1467 - EOF
1468 - sed -i \
1469 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
1470 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
1471 -
1472 - sed -i \
1473 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
1474 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
1475 - fi
1476 - fi
1477 -
1478 - if use X509 || use sctp || use hpn ; then
1479 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
1480 - sed -i \
1481 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1482 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
1483 -
1484 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
1485 - sed -i \
1486 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1487 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
1488 -
1489 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
1490 - sed -i \
1491 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
1492 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
1493 - fi
1494 -
1495 - sed -i \
1496 - -e "/#UseLogin no/d" \
1497 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
1498 -
1499 - [[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
1500 -
1501 - eapply_user #473004
1502 -
1503 - tc-export PKG_CONFIG
1504 - local sed_args=(
1505 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1506 - # Disable PATH reset, trust what portage gives us #254615
1507 - -e 's:^PATH=/:#PATH=/:'
1508 - # Disable fortify flags ... our gcc does this for us
1509 - -e 's:-D_FORTIFY_SOURCE=2::'
1510 - )
1511 -
1512 - # The -ftrapv flag ICEs on hppa #505182
1513 - use hppa && sed_args+=(
1514 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1515 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1516 - )
1517 - # _XOPEN_SOURCE causes header conflicts on Solaris
1518 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
1519 - -e 's/-D_XOPEN_SOURCE//'
1520 - )
1521 - sed -i "${sed_args[@]}" configure{.ac,} || die
1522 -
1523 - eautoreconf
1524 -}
1525 -
1526 -src_configure() {
1527 - addwrite /dev/ptmx
1528 -
1529 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1530 - use static && append-ldflags -static
1531 -
1532 - local myconf=(
1533 - --with-ldflags="${LDFLAGS}"
1534 - --disable-strip
1535 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1536 - --sysconfdir="${EPREFIX%/}"/etc/ssh
1537 - --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
1538 - --datadir="${EPREFIX%/}"/usr/share/openssh
1539 - --with-privsep-path="${EPREFIX%/}"/var/empty
1540 - --with-privsep-user=sshd
1541 - $(use_with audit audit linux)
1542 - $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
1543 - # We apply the sctp patch conditionally, so can't pass --without-sctp
1544 - # unconditionally else we get unknown flag warnings.
1545 - $(use sctp && use_with sctp)
1546 - $(use_with ldns)
1547 - $(use_with libedit)
1548 - $(use_with pam)
1549 - $(use_with pie)
1550 - $(use_with selinux)
1551 - $(use_with ssl openssl)
1552 - $(use_with ssl md5-passwords)
1553 - $(use_with ssl ssl-engine)
1554 - $(use_with !elibc_Cygwin hardening) #659210
1555 - )
1556 -
1557 - # stackprotect is broken on musl x86
1558 - use elibc_musl && use x86 && myconf+=( --without-stackprotect )
1559 -
1560 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
1561 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
1562 -
1563 - econf "${myconf[@]}"
1564 -}
1565 -
1566 -src_test() {
1567 - local t skipped=() failed=() passed=()
1568 - local tests=( interop-tests compat-tests )
1569 -
1570 - local shell=$(egetshell "${UID}")
1571 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
1572 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
1573 - elog "user, so we will run a subset only."
1574 - skipped+=( tests )
1575 - else
1576 - tests+=( tests )
1577 - fi
1578 -
1579 - # It will also attempt to write to the homedir .ssh.
1580 - local sshhome=${T}/homedir
1581 - mkdir -p "${sshhome}"/.ssh
1582 - for t in "${tests[@]}" ; do
1583 - # Some tests read from stdin ...
1584 - HOMEDIR="${sshhome}" HOME="${sshhome}" \
1585 - emake -k -j1 ${t} </dev/null \
1586 - && passed+=( "${t}" ) \
1587 - || failed+=( "${t}" )
1588 - done
1589 -
1590 - einfo "Passed tests: ${passed[*]}"
1591 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
1592 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
1593 -}
1594 -
1595 -# Gentoo tweaks to default config files.
1596 -tweak_ssh_configs() {
1597 - local locale_vars=(
1598 - # These are language variables that POSIX defines.
1599 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
1600 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
1601 -
1602 - # These are the GNU extensions.
1603 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
1604 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
1605 - )
1606 -
1607 - # First the server config.
1608 - cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
1609 -
1610 - # Allow client to pass locale environment variables. #367017
1611 - AcceptEnv ${locale_vars[*]}
1612 -
1613 - # Allow client to pass COLORTERM to match TERM. #658540
1614 - AcceptEnv COLORTERM
1615 - EOF
1616 -
1617 - # Then the client config.
1618 - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
1619 -
1620 - # Send locale environment variables. #367017
1621 - SendEnv ${locale_vars[*]}
1622 -
1623 - # Send COLORTERM to match TERM. #658540
1624 - SendEnv COLORTERM
1625 - EOF
1626 -
1627 - if use pam ; then
1628 - sed -i \
1629 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
1630 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
1631 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
1632 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
1633 - "${ED%/}"/etc/ssh/sshd_config || die
1634 - fi
1635 -
1636 - if use livecd ; then
1637 - sed -i \
1638 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
1639 - "${ED%/}"/etc/ssh/sshd_config || die
1640 - fi
1641 -}
1642 -
1643 -src_install() {
1644 - emake install-nokeys DESTDIR="${D}"
1645 - fperms 600 /etc/ssh/sshd_config
1646 - dobin contrib/ssh-copy-id
1647 - newinitd "${FILESDIR}"/sshd.initd sshd
1648 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
1649 -
1650 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
1651 -
1652 - tweak_ssh_configs
1653 -
1654 - doman contrib/ssh-copy-id.1
1655 - dodoc CREDITS OVERVIEW README* TODO sshd_config
1656 - use hpn && dodoc HPN-README
1657 - use X509 || dodoc ChangeLog
1658 -
1659 - diropts -m 0700
1660 - dodir /etc/skel/.ssh
1661 -
1662 - keepdir /var/empty
1663 -
1664 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
1665 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
1666 -}
1667 -
1668 -pkg_preinst() {
1669 - enewgroup sshd 22
1670 - enewuser sshd 22 -1 /var/empty sshd
1671 -}
1672 -
1673 -pkg_postinst() {
1674 - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
1675 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
1676 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
1677 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
1678 - fi
1679 - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
1680 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
1681 - elog "Make sure to update any configs that you might have. Note that xinetd might"
1682 - elog "be an alternative for you as it supports USE=tcpd."
1683 - fi
1684 - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
1685 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
1686 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
1687 - elog "adding to your sshd_config or ~/.ssh/config files:"
1688 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
1689 - elog "You should however generate new keys using rsa or ed25519."
1690 -
1691 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
1692 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
1693 - elog "out of the box. If you need this, please update your sshd_config explicitly."
1694 - fi
1695 - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
1696 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
1697 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
1698 - fi
1699 - if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
1700 - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
1701 - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
1702 - elog "if you need to authenticate against LDAP."
1703 - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
1704 - fi
1705 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
1706 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
1707 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
1708 - elog "and update all clients/servers that utilize them."
1709 - fi
1710 -
1711 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
1712 - elog ""
1713 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
1714 - elog "and therefore disabled at runtime per default."
1715 - elog "Make sure your sshd_config is up to date and contains"
1716 - elog ""
1717 - elog " DisableMTAES yes"
1718 - elog ""
1719 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
1720 - elog ""
1721 - fi
1722 -}
1723
1724 diff --git a/net-misc/openssh/openssh-7.9_p1-r1.ebuild b/net-misc/openssh/openssh-7.9_p1-r1.ebuild
1725 deleted file mode 100644
1726 index af3fd632c5f..00000000000
1727 --- a/net-misc/openssh/openssh-7.9_p1-r1.ebuild
1728 +++ /dev/null
1729 @@ -1,450 +0,0 @@
1730 -# Copyright 1999-2018 Gentoo Authors
1731 -# Distributed under the terms of the GNU General Public License v2
1732 -
1733 -EAPI=6
1734 -
1735 -inherit user flag-o-matic multilib autotools pam systemd
1736 -
1737 -# Make it more portable between straight releases
1738 -# and _p? releases.
1739 -PARCH=${P/_}
1740 -#HPN_PV="${PV^^}"
1741 -HPN_PV="7.8_P1"
1742 -
1743 -HPN_VER="14.16"
1744 -HPN_PATCHES=(
1745 - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
1746 - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
1747 -)
1748 -HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
1749 -SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
1750 -X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
1751 -
1752 -DESCRIPTION="Port of OpenBSD's free SSH release"
1753 -HOMEPAGE="https://www.openssh.com/"
1754 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
1755 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
1756 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
1757 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
1758 - "
1759 -
1760 -LICENSE="BSD GPL-2"
1761 -SLOT="0"
1762 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
1763 -# Probably want to drop ssl defaulting to on in a future version.
1764 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
1765 -RESTRICT="!test? ( test )"
1766 -REQUIRED_USE="ldns? ( ssl )
1767 - pie? ( !static )
1768 - static? ( !kerberos !pam )
1769 - X509? ( !sctp ssl )
1770 - test? ( ssl )"
1771 -
1772 -LIB_DEPEND="
1773 - audit? ( sys-process/audit[static-libs(+)] )
1774 - ldns? (
1775 - net-libs/ldns[static-libs(+)]
1776 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
1777 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
1778 - )
1779 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
1780 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
1781 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
1782 - ssl? (
1783 - !libressl? (
1784 - || (
1785 - (
1786 - >=dev-libs/openssl-1.0.1:0[bindist=]
1787 - <dev-libs/openssl-1.1.0:0[bindist=]
1788 - )
1789 - >=dev-libs/openssl-1.1.0g:0[bindist=]
1790 - )
1791 - dev-libs/openssl:0=[static-libs(+)]
1792 - )
1793 - libressl? ( dev-libs/libressl:0=[static-libs(+)] )
1794 - )
1795 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
1796 -RDEPEND="
1797 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
1798 - pam? ( virtual/pam )
1799 - kerberos? ( virtual/krb5 )"
1800 -DEPEND="${RDEPEND}
1801 - static? ( ${LIB_DEPEND} )
1802 - virtual/pkgconfig
1803 - virtual/os-headers
1804 - sys-devel/autoconf"
1805 -RDEPEND="${RDEPEND}
1806 - pam? ( >=sys-auth/pambase-20081028 )
1807 - userland_GNU? ( virtual/shadow )
1808 - X? ( x11-apps/xauth )"
1809 -
1810 -S="${WORKDIR}/${PARCH}"
1811 -
1812 -pkg_pretend() {
1813 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
1814 - # than not be able to log in to their server any more
1815 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
1816 - local fail="
1817 - $(use hpn && maybe_fail hpn HPN_VER)
1818 - $(use sctp && maybe_fail sctp SCTP_PATCH)
1819 - $(use X509 && maybe_fail X509 X509_PATCH)
1820 - "
1821 - fail=$(echo ${fail})
1822 - if [[ -n ${fail} ]] ; then
1823 - eerror "Sorry, but this version does not yet support features"
1824 - eerror "that you requested: ${fail}"
1825 - eerror "Please mask ${PF} for now and check back later:"
1826 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
1827 - die "booooo"
1828 - fi
1829 -
1830 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
1831 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
1832 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
1833 - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
1834 - fi
1835 -}
1836 -
1837 -src_prepare() {
1838 - sed -i \
1839 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
1840 - pathnames.h || die
1841 -
1842 - # don't break .ssh/authorized_keys2 for fun
1843 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
1844 -
1845 - eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
1846 - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
1847 - eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
1848 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
1849 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
1850 -
1851 - local PATCHSET_VERSION_MACROS=()
1852 -
1853 - if use X509 ; then
1854 - pushd "${WORKDIR}" || die
1855 - eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
1856 - eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
1857 - popd || die
1858 -
1859 - eapply "${WORKDIR}"/${X509_PATCH%.*}
1860 - eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
1861 -
1862 - # We need to patch package version or any X.509 sshd will reject our ssh client
1863 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
1864 - # error
1865 - einfo "Patching package version for X.509 patch set ..."
1866 - sed -i \
1867 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
1868 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
1869 -
1870 - einfo "Patching version.h to expose X.509 patch set ..."
1871 - sed -i \
1872 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
1873 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
1874 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
1875 - fi
1876 -
1877 - if use sctp ; then
1878 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
1879 -
1880 - einfo "Patching version.h to expose SCTP patch set ..."
1881 - sed -i \
1882 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
1883 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
1884 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
1885 -
1886 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
1887 - sed -i \
1888 - -e "/\t\tcfgparse \\\/d" \
1889 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
1890 - fi
1891 -
1892 - if use hpn ; then
1893 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
1894 - mkdir "${hpn_patchdir}"
1895 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
1896 - pushd "${hpn_patchdir}"
1897 - eapply "${FILESDIR}"/${P}-hpn-glue.patch
1898 - use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
1899 - use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
1900 - popd
1901 -
1902 - eapply "${hpn_patchdir}"
1903 - eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
1904 -
1905 - einfo "Patching Makefile.in for HPN patch set ..."
1906 - sed -i \
1907 - -e "/^LIBS=/ s/\$/ -lpthread/" \
1908 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
1909 -
1910 - einfo "Patching version.h to expose HPN patch set ..."
1911 - sed -i \
1912 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
1913 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
1914 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
1915 -
1916 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
1917 - einfo "Disabling known non-working MT AES cipher per default ..."
1918 -
1919 - cat > "${T}"/disable_mtaes.conf <<- EOF
1920 -
1921 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
1922 - # and therefore disabled per default.
1923 - DisableMTAES yes
1924 - EOF
1925 - sed -i \
1926 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
1927 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
1928 -
1929 - sed -i \
1930 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
1931 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
1932 - fi
1933 - fi
1934 -
1935 - if use X509 || use sctp || use hpn ; then
1936 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
1937 - sed -i \
1938 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1939 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
1940 -
1941 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
1942 - sed -i \
1943 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
1944 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
1945 -
1946 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
1947 - sed -i \
1948 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
1949 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
1950 - fi
1951 -
1952 - sed -i \
1953 - -e "/#UseLogin no/d" \
1954 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
1955 -
1956 - [[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
1957 -
1958 - eapply_user #473004
1959 -
1960 - tc-export PKG_CONFIG
1961 - local sed_args=(
1962 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
1963 - # Disable PATH reset, trust what portage gives us #254615
1964 - -e 's:^PATH=/:#PATH=/:'
1965 - # Disable fortify flags ... our gcc does this for us
1966 - -e 's:-D_FORTIFY_SOURCE=2::'
1967 - )
1968 -
1969 - # The -ftrapv flag ICEs on hppa #505182
1970 - use hppa && sed_args+=(
1971 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
1972 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
1973 - )
1974 - # _XOPEN_SOURCE causes header conflicts on Solaris
1975 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
1976 - -e 's/-D_XOPEN_SOURCE//'
1977 - )
1978 - sed -i "${sed_args[@]}" configure{.ac,} || die
1979 -
1980 - eautoreconf
1981 -}
1982 -
1983 -src_configure() {
1984 - addwrite /dev/ptmx
1985 -
1986 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
1987 - use static && append-ldflags -static
1988 -
1989 - local myconf=(
1990 - --with-ldflags="${LDFLAGS}"
1991 - --disable-strip
1992 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
1993 - --sysconfdir="${EPREFIX%/}"/etc/ssh
1994 - --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
1995 - --datadir="${EPREFIX%/}"/usr/share/openssh
1996 - --with-privsep-path="${EPREFIX%/}"/var/empty
1997 - --with-privsep-user=sshd
1998 - $(use_with audit audit linux)
1999 - $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
2000 - # We apply the sctp patch conditionally, so can't pass --without-sctp
2001 - # unconditionally else we get unknown flag warnings.
2002 - $(use sctp && use_with sctp)
2003 - $(use_with ldns)
2004 - $(use_with libedit)
2005 - $(use_with pam)
2006 - $(use_with pie)
2007 - $(use_with selinux)
2008 - $(use_with ssl openssl)
2009 - $(use_with ssl md5-passwords)
2010 - $(use_with ssl ssl-engine)
2011 - $(use_with !elibc_Cygwin hardening) #659210
2012 - )
2013 -
2014 - # stackprotect is broken on musl x86
2015 - use elibc_musl && use x86 && myconf+=( --without-stackprotect )
2016 -
2017 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2018 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2019 -
2020 - econf "${myconf[@]}"
2021 -}
2022 -
2023 -src_test() {
2024 - local t skipped=() failed=() passed=()
2025 - local tests=( interop-tests compat-tests )
2026 -
2027 - local shell=$(egetshell "${UID}")
2028 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2029 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2030 - elog "user, so we will run a subset only."
2031 - skipped+=( tests )
2032 - else
2033 - tests+=( tests )
2034 - fi
2035 -
2036 - # It will also attempt to write to the homedir .ssh.
2037 - local sshhome=${T}/homedir
2038 - mkdir -p "${sshhome}"/.ssh
2039 - for t in "${tests[@]}" ; do
2040 - # Some tests read from stdin ...
2041 - HOMEDIR="${sshhome}" HOME="${sshhome}" \
2042 - emake -k -j1 ${t} </dev/null \
2043 - && passed+=( "${t}" ) \
2044 - || failed+=( "${t}" )
2045 - done
2046 -
2047 - einfo "Passed tests: ${passed[*]}"
2048 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2049 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2050 -}
2051 -
2052 -# Gentoo tweaks to default config files.
2053 -tweak_ssh_configs() {
2054 - local locale_vars=(
2055 - # These are language variables that POSIX defines.
2056 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
2057 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
2058 -
2059 - # These are the GNU extensions.
2060 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
2061 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
2062 - )
2063 -
2064 - # First the server config.
2065 - cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
2066 -
2067 - # Allow client to pass locale environment variables. #367017
2068 - AcceptEnv ${locale_vars[*]}
2069 -
2070 - # Allow client to pass COLORTERM to match TERM. #658540
2071 - AcceptEnv COLORTERM
2072 - EOF
2073 -
2074 - # Then the client config.
2075 - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
2076 -
2077 - # Send locale environment variables. #367017
2078 - SendEnv ${locale_vars[*]}
2079 -
2080 - # Send COLORTERM to match TERM. #658540
2081 - SendEnv COLORTERM
2082 - EOF
2083 -
2084 - if use pam ; then
2085 - sed -i \
2086 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
2087 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
2088 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
2089 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
2090 - "${ED%/}"/etc/ssh/sshd_config || die
2091 - fi
2092 -
2093 - if use livecd ; then
2094 - sed -i \
2095 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
2096 - "${ED%/}"/etc/ssh/sshd_config || die
2097 - fi
2098 -}
2099 -
2100 -src_install() {
2101 - emake install-nokeys DESTDIR="${D}"
2102 - fperms 600 /etc/ssh/sshd_config
2103 - dobin contrib/ssh-copy-id
2104 - newinitd "${FILESDIR}"/sshd.initd sshd
2105 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
2106 -
2107 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
2108 -
2109 - tweak_ssh_configs
2110 -
2111 - doman contrib/ssh-copy-id.1
2112 - dodoc CREDITS OVERVIEW README* TODO sshd_config
2113 - use hpn && dodoc HPN-README
2114 - use X509 || dodoc ChangeLog
2115 -
2116 - diropts -m 0700
2117 - dodir /etc/skel/.ssh
2118 -
2119 - keepdir /var/empty
2120 -
2121 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
2122 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
2123 -}
2124 -
2125 -pkg_preinst() {
2126 - enewgroup sshd 22
2127 - enewuser sshd 22 -1 /var/empty sshd
2128 -}
2129 -
2130 -pkg_postinst() {
2131 - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
2132 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
2133 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2134 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2135 - fi
2136 - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
2137 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
2138 - elog "Make sure to update any configs that you might have. Note that xinetd might"
2139 - elog "be an alternative for you as it supports USE=tcpd."
2140 - fi
2141 - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
2142 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
2143 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
2144 - elog "adding to your sshd_config or ~/.ssh/config files:"
2145 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
2146 - elog "You should however generate new keys using rsa or ed25519."
2147 -
2148 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
2149 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
2150 - elog "out of the box. If you need this, please update your sshd_config explicitly."
2151 - fi
2152 - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
2153 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
2154 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
2155 - fi
2156 - if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
2157 - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
2158 - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
2159 - elog "if you need to authenticate against LDAP."
2160 - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
2161 - fi
2162 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
2163 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
2164 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
2165 - elog "and update all clients/servers that utilize them."
2166 - fi
2167 -
2168 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2169 - elog ""
2170 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
2171 - elog "and therefore disabled at runtime per default."
2172 - elog "Make sure your sshd_config is up to date and contains"
2173 - elog ""
2174 - elog " DisableMTAES yes"
2175 - elog ""
2176 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
2177 - elog ""
2178 - fi
2179 -}
2180
2181 diff --git a/net-misc/openssh/openssh-7.9_p1.ebuild b/net-misc/openssh/openssh-7.9_p1.ebuild
2182 deleted file mode 100644
2183 index f39686f32b0..00000000000
2184 --- a/net-misc/openssh/openssh-7.9_p1.ebuild
2185 +++ /dev/null
2186 @@ -1,450 +0,0 @@
2187 -# Copyright 1999-2018 Gentoo Authors
2188 -# Distributed under the terms of the GNU General Public License v2
2189 -
2190 -EAPI=6
2191 -
2192 -inherit user flag-o-matic multilib autotools pam systemd
2193 -
2194 -# Make it more portable between straight releases
2195 -# and _p? releases.
2196 -PARCH=${P/_}
2197 -#HPN_PV="${PV^^}"
2198 -HPN_PV="7.8_P1"
2199 -
2200 -HPN_VER="14.16"
2201 -HPN_PATCHES=(
2202 - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
2203 - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
2204 -)
2205 -HPN_DISABLE_MTAES=1 # unit tests hang on MT-AES-CTR
2206 -SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
2207 -X509_VER="11.5" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
2208 -
2209 -DESCRIPTION="Port of OpenBSD's free SSH release"
2210 -HOMEPAGE="https://www.openssh.com/"
2211 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2212 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
2213 - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
2214 - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
2215 - "
2216 -
2217 -LICENSE="BSD GPL-2"
2218 -SLOT="0"
2219 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2220 -# Probably want to drop ssl defaulting to on in a future version.
2221 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
2222 -RESTRICT="!test? ( test )"
2223 -REQUIRED_USE="ldns? ( ssl )
2224 - pie? ( !static )
2225 - static? ( !kerberos !pam )
2226 - X509? ( !sctp ssl )
2227 - test? ( ssl )"
2228 -
2229 -LIB_DEPEND="
2230 - audit? ( sys-process/audit[static-libs(+)] )
2231 - ldns? (
2232 - net-libs/ldns[static-libs(+)]
2233 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
2234 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
2235 - )
2236 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
2237 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2238 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2239 - ssl? (
2240 - !libressl? (
2241 - || (
2242 - (
2243 - >=dev-libs/openssl-1.0.1:0[bindist=]
2244 - <dev-libs/openssl-1.1.0:0[bindist=]
2245 - )
2246 - >=dev-libs/openssl-1.1.0g:0[bindist=]
2247 - )
2248 - dev-libs/openssl:0=[static-libs(+)]
2249 - )
2250 - libressl? ( dev-libs/libressl:0=[static-libs(+)] )
2251 - )
2252 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
2253 -RDEPEND="
2254 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2255 - pam? ( virtual/pam )
2256 - kerberos? ( virtual/krb5 )"
2257 -DEPEND="${RDEPEND}
2258 - static? ( ${LIB_DEPEND} )
2259 - virtual/pkgconfig
2260 - virtual/os-headers
2261 - sys-devel/autoconf"
2262 -RDEPEND="${RDEPEND}
2263 - pam? ( >=sys-auth/pambase-20081028 )
2264 - userland_GNU? ( virtual/shadow )
2265 - X? ( x11-apps/xauth )"
2266 -
2267 -S="${WORKDIR}/${PARCH}"
2268 -
2269 -pkg_pretend() {
2270 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
2271 - # than not be able to log in to their server any more
2272 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2273 - local fail="
2274 - $(use hpn && maybe_fail hpn HPN_VER)
2275 - $(use sctp && maybe_fail sctp SCTP_PATCH)
2276 - $(use X509 && maybe_fail X509 X509_PATCH)
2277 - "
2278 - fail=$(echo ${fail})
2279 - if [[ -n ${fail} ]] ; then
2280 - eerror "Sorry, but this version does not yet support features"
2281 - eerror "that you requested: ${fail}"
2282 - eerror "Please mask ${PF} for now and check back later:"
2283 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2284 - die "booooo"
2285 - fi
2286 -
2287 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
2288 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
2289 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2290 - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
2291 - fi
2292 -}
2293 -
2294 -src_prepare() {
2295 - sed -i \
2296 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
2297 - pathnames.h || die
2298 -
2299 - # don't break .ssh/authorized_keys2 for fun
2300 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2301 -
2302 - eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
2303 - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
2304 - eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2305 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2306 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
2307 -
2308 - local PATCHSET_VERSION_MACROS=()
2309 -
2310 - if use X509 ; then
2311 - pushd "${WORKDIR}" || die
2312 - eapply "${FILESDIR}/${P}-X509-glue.patch"
2313 - eapply "${FILESDIR}/${P}-X509-dont-make-piddir.patch"
2314 - popd || die
2315 -
2316 - eapply "${WORKDIR}"/${X509_PATCH%.*}
2317 - eapply "${FILESDIR}"/${PN}-7.9_p1-libressl-2.8.patch
2318 -
2319 - # We need to patch package version or any X.509 sshd will reject our ssh client
2320 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
2321 - # error
2322 - einfo "Patching package version for X.509 patch set ..."
2323 - sed -i \
2324 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
2325 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
2326 -
2327 - einfo "Patching version.h to expose X.509 patch set ..."
2328 - sed -i \
2329 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
2330 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
2331 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
2332 - fi
2333 -
2334 - if use sctp ; then
2335 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
2336 -
2337 - einfo "Patching version.h to expose SCTP patch set ..."
2338 - sed -i \
2339 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
2340 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
2341 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
2342 -
2343 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
2344 - sed -i \
2345 - -e "/\t\tcfgparse \\\/d" \
2346 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
2347 - fi
2348 -
2349 - if use hpn ; then
2350 - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
2351 - mkdir "${hpn_patchdir}"
2352 - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
2353 - pushd "${hpn_patchdir}"
2354 - eapply "${FILESDIR}"/${P}-hpn-glue.patch
2355 - use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
2356 - use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
2357 - popd
2358 -
2359 - eapply "${hpn_patchdir}"
2360 - eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
2361 -
2362 - einfo "Patching Makefile.in for HPN patch set ..."
2363 - sed -i \
2364 - -e "/^LIBS=/ s/\$/ -lpthread/" \
2365 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
2366 -
2367 - einfo "Patching version.h to expose HPN patch set ..."
2368 - sed -i \
2369 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
2370 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
2371 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
2372 -
2373 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2374 - einfo "Disabling known non-working MT AES cipher per default ..."
2375 -
2376 - cat > "${T}"/disable_mtaes.conf <<- EOF
2377 -
2378 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
2379 - # and therefore disabled per default.
2380 - DisableMTAES yes
2381 - EOF
2382 - sed -i \
2383 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
2384 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
2385 -
2386 - sed -i \
2387 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
2388 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
2389 - fi
2390 - fi
2391 -
2392 - if use X509 || use sctp || use hpn ; then
2393 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
2394 - sed -i \
2395 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2396 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
2397 -
2398 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
2399 - sed -i \
2400 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2401 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
2402 -
2403 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
2404 - sed -i \
2405 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
2406 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
2407 - fi
2408 -
2409 - sed -i \
2410 - -e "/#UseLogin no/d" \
2411 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
2412 -
2413 - [[ -d ${WORKDIR}/patch ]] && eapply "${WORKDIR}"/patch
2414 -
2415 - eapply_user #473004
2416 -
2417 - tc-export PKG_CONFIG
2418 - local sed_args=(
2419 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
2420 - # Disable PATH reset, trust what portage gives us #254615
2421 - -e 's:^PATH=/:#PATH=/:'
2422 - # Disable fortify flags ... our gcc does this for us
2423 - -e 's:-D_FORTIFY_SOURCE=2::'
2424 - )
2425 -
2426 - # The -ftrapv flag ICEs on hppa #505182
2427 - use hppa && sed_args+=(
2428 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
2429 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
2430 - )
2431 - # _XOPEN_SOURCE causes header conflicts on Solaris
2432 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
2433 - -e 's/-D_XOPEN_SOURCE//'
2434 - )
2435 - sed -i "${sed_args[@]}" configure{.ac,} || die
2436 -
2437 - eautoreconf
2438 -}
2439 -
2440 -src_configure() {
2441 - addwrite /dev/ptmx
2442 -
2443 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
2444 - use static && append-ldflags -static
2445 -
2446 - local myconf=(
2447 - --with-ldflags="${LDFLAGS}"
2448 - --disable-strip
2449 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
2450 - --sysconfdir="${EPREFIX%/}"/etc/ssh
2451 - --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
2452 - --datadir="${EPREFIX%/}"/usr/share/openssh
2453 - --with-privsep-path="${EPREFIX%/}"/var/empty
2454 - --with-privsep-user=sshd
2455 - $(use_with audit audit linux)
2456 - $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
2457 - # We apply the sctp patch conditionally, so can't pass --without-sctp
2458 - # unconditionally else we get unknown flag warnings.
2459 - $(use sctp && use_with sctp)
2460 - $(use_with ldns)
2461 - $(use_with libedit)
2462 - $(use_with pam)
2463 - $(use_with pie)
2464 - $(use_with selinux)
2465 - $(use_with ssl openssl)
2466 - $(use_with ssl md5-passwords)
2467 - $(use_with ssl ssl-engine)
2468 - $(use_with !elibc_Cygwin hardening) #659210
2469 - )
2470 -
2471 - # stackprotect is broken on musl x86
2472 - use elibc_musl && use x86 && myconf+=( --without-stackprotect )
2473 -
2474 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2475 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2476 -
2477 - econf "${myconf[@]}"
2478 -}
2479 -
2480 -src_test() {
2481 - local t skipped=() failed=() passed=()
2482 - local tests=( interop-tests compat-tests )
2483 -
2484 - local shell=$(egetshell "${UID}")
2485 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2486 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2487 - elog "user, so we will run a subset only."
2488 - skipped+=( tests )
2489 - else
2490 - tests+=( tests )
2491 - fi
2492 -
2493 - # It will also attempt to write to the homedir .ssh.
2494 - local sshhome=${T}/homedir
2495 - mkdir -p "${sshhome}"/.ssh
2496 - for t in "${tests[@]}" ; do
2497 - # Some tests read from stdin ...
2498 - HOMEDIR="${sshhome}" HOME="${sshhome}" \
2499 - emake -k -j1 ${t} </dev/null \
2500 - && passed+=( "${t}" ) \
2501 - || failed+=( "${t}" )
2502 - done
2503 -
2504 - einfo "Passed tests: ${passed[*]}"
2505 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2506 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2507 -}
2508 -
2509 -# Gentoo tweaks to default config files.
2510 -tweak_ssh_configs() {
2511 - local locale_vars=(
2512 - # These are language variables that POSIX defines.
2513 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02