[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/ - gentoo-commits

From:	Mike Frysinger <vapier@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
Date:	Thu, 29 Oct 2015 06:14:43
Message-Id:	`1446099241.13b24dbb86a4f2013c376c65ada52d9aee2561c6.vapier@gentoo`

1

commit:     13b24dbb86a4f2013c376c65ada52d9aee2561c6

2

Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

3

AuthorDate: Thu Oct 29 06:13:41 2015 +0000

4

Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

5

CommitDate: Thu Oct 29 06:14:01 2015 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13b24dbb

7

8

net-misc/openssh: fix tun window size in hpn mode #564236

9

10

 net-misc/openssh/Manifest                 |   1 +

11

 net-misc/openssh/openssh-7.1_p1-r2.ebuild | 327 ++++++++++++++++++++++++++++++

12

 2 files changed, 328 insertions(+)

13

14

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest

15

index 461d5c1..cf1e7a0 100644

16

--- a/net-misc/openssh/Manifest

17

+++ b/net-misc/openssh/Manifest

18

@@ -15,6 +15,7 @@ DIST openssh-7.0p1+x509-8.5.diff.gz 411960 SHA256 6000557f1ddae06aff8837d440d933

19

 DIST openssh-7.0p1-hpnssh14v5.tar.xz 21428 SHA256 6032c4547c9f83a6f648ac7c39cdad2bd6fd725e5f3ab2411c5b30298aae1451 SHA512 d4cf4a628c11515bfe8c3a91b4b7039fca28c2f89ad1dde062c4cb433b984b10dec2d37b1f338f18aa7813e60d8608b65ca95b930edc33086710b82780875942 WHIRLPOOL 7b686f243c98017453b3da3e98b7524650b4a0a75fda6add80c7c233d468194d1d1333ffa4445c20856d807548aaa356c87a03ca87d8995a4b7ba350c7714d1e

20

 DIST openssh-7.0p1.tar.gz 1493376 SHA256 fd5932493a19f4c81153d812ee4e042b49bbd3b759ab3d9344abecc2bc1485e5 SHA512 d82aa8e85630c3e2102e69da477185e0d30d84211d7d4ee0a1d9822bd234d649fe369bf91ce3d2b5ef0caee687d383cb761b682d3bf24bccbd2ce9a1fe9d9f50 WHIRLPOOL bb8007450ffee580df5a73e3d6ab9b54b7151c46c3b996516e5cb776034be21cbef1281a520279655137e218a757d8092cba3f66e216c6b4c6828876540cb5df

21

 DIST openssh-7.1p1+x509-8.6.diff.gz 413931 SHA256 cbf661a1fec080dc9ed335a290414154326c2a13f124985db050b86a91073d52 SHA512 c91d0f1b69b6d34984e94b391ad022271e73d0634cef2df355ba555366bc38d30649b478f245b6c51ce79d71adf1b693bc97826e6c6013a78e7ccfb7023b4bcc WHIRLPOOL 4ed4427e80026996c43a188d7d45f2c53fa6a7fd842a248b1225b27f3e9037e761f0ed172d79b53ada81c24d958a2193e94d918f6ca1320e45d5e68379845981

22

+DIST openssh-7.1p1-hpnssh14v9.tar.xz 21580 SHA256 a795c2f2621f537b3fd98172cbd1f7c71869e4da78cd280d123fa19ae4262b97 SHA512 6ce151949bf81b5518b95092a2f18d2f24581954e2c629deaf3c1d10136f32f830567aafb9b4045547e95e3ab63cf750e240eac40e2b9caa6d71cb2b132821ec WHIRLPOOL 8e3c9a1d79112092a6cb42c6766ccdf61e5d8fcd366ea5c7d3bab94cf309bcc12f3761476a288158638a340023aa24519d888caac19fb0ef25fa56bdab06412c

23

 DIST openssh-7.1p1.tar.gz 1493170 SHA256 fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428 SHA512 f1491ca5a0a733eb27ede966590642a412cb7be7178dcb7b9e5844bbdc8383032f4b00435192b95fc0365b6fe74d6c5ac8d6facbe9d51e1532d049e2f784e8f7 WHIRLPOOL a650a93657f930d20dc3fa24ab720857f63f7cd0a82d1906cf1e58145e866129207851d5e587d678655e5731fa73221ab9b6ea0754533100c25fe2acaa442e05

24

 DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73

25

 DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b

26

27

diff --git a/net-misc/openssh/openssh-7.1_p1-r2.ebuild b/net-misc/openssh/openssh-7.1_p1-r2.ebuild

28

new file mode 100644

29

index 0000000..7e645fd

30

--- /dev/null

31

+++ b/net-misc/openssh/openssh-7.1_p1-r2.ebuild

32

@@ -0,0 +1,327 @@

33

+# Copyright 1999-2015 Gentoo Foundation

34

+# Distributed under the terms of the GNU General Public License v2

35

+# $Id$

36

+

37

+EAPI="4"

38

+inherit eutils user flag-o-matic multilib autotools pam systemd versionator

39

+

40

+# Make it more portable between straight releases

41

+# and _p? releases.

42

+PARCH=${P/_}

43

+

44

+HPN_PATCH="${PN}-7.1p1-hpnssh14v9.tar.xz"

45

+LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"

46

+X509_VER="8.6" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"

47

+

48

+DESCRIPTION="Port of OpenBSD's free SSH release"

49

+HOMEPAGE="http://www.openssh.org/"

50

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

51

+	mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz

52

+	${HPN_PATCH:+hpn? (

53

+		mirror://gentoo/${HPN_PATCH}

54

+		https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}

55

+		mirror://sourceforge/hpnssh/${HPN_PATCH}

56

+	)}

57

+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}

58

+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

59

+	"

60

+

61

+LICENSE="BSD GPL-2"

62

+SLOT="0"

63

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

64

+# Probably want to drop ssl defaulting to on in a future version.

65

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"

66

+REQUIRED_USE="ldns? ( ssl )

67

+	pie? ( !static )

68

+	ssh1? ( ssl )

69

+	static? ( !kerberos !pam )

70

+	X509? ( !ldap ssl )"

71

+

72

+LIB_DEPEND="

73

+	ldns? (

74

+		net-libs/ldns[static-libs(+)]

75

+		!bindist? ( net-libs/ldns[ecdsa,ssl] )

76

+		bindist? ( net-libs/ldns[-ecdsa,ssl] )

77

+	)

78

+	libedit? ( dev-libs/libedit[static-libs(+)] )

79

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

80

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

81

+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )

82

+	ssl? (

83

+		!libressl? (

84

+			>=dev-libs/openssl-0.9.8f:0[bindist=]

85

+			dev-libs/openssl:0[static-libs(+)]

86

+		)

87

+		libressl? ( dev-libs/libressl[static-libs(+)] )

88

+	)

89

+	>=sys-libs/zlib-1.2.3[static-libs(+)]"

90

+RDEPEND="

91

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

92

+	pam? ( virtual/pam )

93

+	kerberos? ( virtual/krb5 )

94

+	ldap? ( net-nds/openldap )"

95

+DEPEND="${RDEPEND}

96

+	static? ( ${LIB_DEPEND} )

97

+	virtual/pkgconfig

98

+	virtual/os-headers

99

+	sys-devel/autoconf"

100

+RDEPEND="${RDEPEND}

101

+	pam? ( >=sys-auth/pambase-20081028 )

102

+	userland_GNU? ( virtual/shadow )

103

+	X? ( x11-apps/xauth )"

104

+

105

+S=${WORKDIR}/${PARCH}

106

+

107

+pkg_setup() {

108

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

109

+	# than not be able to log in to their server any more

110

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

111

+	local fail="

112

+		$(use X509 && maybe_fail X509 X509_PATCH)

113

+		$(use ldap && maybe_fail ldap LDAP_PATCH)

114

+		$(use hpn && maybe_fail hpn HPN_PATCH)

115

+	"

116

+	fail=$(echo ${fail})

117

+	if [[ -n ${fail} ]] ; then

118

+		eerror "Sorry, but this version does not yet support features"

119

+		eerror "that you requested:	 ${fail}"

120

+		eerror "Please mask ${PF} for now and check back later:"

121

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

122

+		die "booooo"

123

+	fi

124

+

125

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

126

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

127

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

128

+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

129

+	fi

130

+}

131

+

132

+save_version() {

133

+	# version.h patch conflict avoidence

134

+	mv version.h version.h.$1

135

+	cp -f version.h.pristine version.h

136

+}

137

+

138

+src_prepare() {

139

+	sed -i \

140

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

141

+		pathnames.h || die

142

+	# keep this as we need it to avoid the conflict between LPK and HPN changing

143

+	# this file.

144

+	cp version.h version.h.pristine

145

+

146

+	# don't break .ssh/authorized_keys2 for fun

147

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

148

+

149

+	if use X509 ; then

150

+		pushd .. >/dev/null

151

+		epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch

152

+		epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch

153

+		popd >/dev/null

154

+		epatch "${WORKDIR}"/${X509_PATCH%.*}

155

+		epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch

156

+		epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch

157

+		save_version X509

158

+	fi

159

+	if use ldap ; then

160

+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}

161

+		save_version LPK

162

+	fi

163

+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex

164

+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

165

+	# The X509 patchset fixes this independently.

166

+	use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch

167

+	epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch

168

+	if use hpn ; then

169

+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \

170

+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \

171

+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}

172

+		save_version HPN

173

+	fi

174

+

175

+	tc-export PKG_CONFIG

176

+	local sed_args=(

177

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

178

+		# Disable PATH reset, trust what portage gives us #254615

179

+		-e 's:^PATH=/:#PATH=/:'

180

+		# Disable fortify flags ... our gcc does this for us

181

+		-e 's:-D_FORTIFY_SOURCE=2::'

182

+	)

183

+	# The -ftrapv flag ICEs on hppa #505182

184

+	use hppa && sed_args+=(

185

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

186

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

187

+	)

188

+	sed -i "${sed_args[@]}" configure{.ac,} || die

189

+

190

+	epatch_user #473004

191

+

192

+	# Now we can build a sane merged version.h

193

+	(

194

+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u

195

+		macros=()

196

+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done

197

+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

198

+	) > version.h

199

+

200

+	eautoreconf

201

+}

202

+

203

+src_configure() {

204

+	addwrite /dev/ptmx

205

+	addpredict /etc/skey/skeykeys # skey configure code triggers this

206

+

207

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

208

+	use static && append-ldflags -static

209

+

210

+	local myconf=(

211

+		--with-ldflags="${LDFLAGS}"

212

+		--disable-strip

213

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

214

+		--sysconfdir="${EPREFIX}"/etc/ssh

215

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

216

+		--datadir="${EPREFIX}"/usr/share/openssh

217

+		--with-privsep-path="${EPREFIX}"/var/empty

218

+		--with-privsep-user=sshd

219

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

220

+		# We apply the ldap patch conditionally, so can't pass --without-ldap

221

+		# unconditionally else we get unknown flag warnings.

222

+		$(use ldap && use_with ldap)

223

+		$(use_with ldns)

224

+		$(use_with libedit)

225

+		$(use_with pam)

226

+		$(use_with pie)

227

+		$(use_with sctp)

228

+		$(use_with selinux)

229

+		$(use_with skey)

230

+		$(use_with ssh1)

231

+		# The X509 patch deletes this option entirely.

232

+		$(use X509 || use_with ssl openssl)

233

+		$(use_with ssl md5-passwords)

234

+		$(use_with ssl ssl-engine)

235

+	)

236

+

237

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

238

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

239

+

240

+	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)

241

+	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then

242

+		myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )

243

+		append-ldflags -lutil

244

+	fi

245

+

246

+	econf "${myconf[@]}"

247

+}

248

+

249

+src_install() {

250

+	emake install-nokeys DESTDIR="${D}"

251

+	fperms 600 /etc/ssh/sshd_config

252

+	dobin contrib/ssh-copy-id

253

+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd

254

+	newconfd "${FILESDIR}"/sshd.confd sshd

255

+	keepdir /var/empty

256

+

257

+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

258

+	if use pam ; then

259

+		sed -i \

260

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

261

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

262

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

263

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

264

+			"${ED}"/etc/ssh/sshd_config || die

265

+	fi

266

+

267

+	# Gentoo tweaks to default config files

268

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

269

+

270

+	# Allow client to pass locale environment variables #367017

271

+	AcceptEnv LANG LC_*

272

+	EOF

273

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

274

+

275

+	# Send locale environment variables #367017

276

+	SendEnv LANG LC_*

277

+	EOF

278

+

279

+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then

280

+		insinto /etc/openldap/schema/

281

+		newins openssh-lpk_openldap.schema openssh-lpk.schema

282

+	fi

283

+

284

+	doman contrib/ssh-copy-id.1

285

+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config

286

+

287

+	diropts -m 0700

288

+	dodir /etc/skel/.ssh

289

+

290

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

291

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

292

+}

293

+

294

+src_test() {

295

+	local t tests skipped failed passed shell

296

+	tests="interop-tests compat-tests"

297

+	skipped=""

298

+	shell=$(egetshell ${UID})

299

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

300

+		elog "Running the full OpenSSH testsuite"

301

+		elog "requires a usable shell for the 'portage'"

302

+		elog "user, so we will run a subset only."

303

+		skipped="${skipped} tests"

304

+	else

305

+		tests="${tests} tests"

306

+	fi

307

+	# It will also attempt to write to the homedir .ssh

308

+	local sshhome=${T}/homedir

309

+	mkdir -p "${sshhome}"/.ssh

310

+	for t in ${tests} ; do

311

+		# Some tests read from stdin ...

312

+		HOMEDIR="${sshhome}" \

313

+		emake -k -j1 ${t} </dev/null \

314

+			&& passed="${passed}${t} " \

315

+			|| failed="${failed}${t} "

316

+	done

317

+	einfo "Passed tests: ${passed}"

318

+	ewarn "Skipped tests: ${skipped}"

319

+	if [[ -n ${failed} ]] ; then

320

+		ewarn "Failed tests: ${failed}"

321

+		die "Some tests failed: ${failed}"

322

+	else

323

+		einfo "Failed tests: ${failed}"

324

+		return 0

325

+	fi

326

+}

327

+

328

+pkg_preinst() {

329

+	enewgroup sshd 22

330

+	enewuser sshd 22 -1 /var/empty sshd

331

+}

332

+

333

+pkg_postinst() {

334

+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then

335

+		elog "Starting with openssh-5.8p1, the server will default to a newer key"

336

+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

337

+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

338

+	fi

339

+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then

340

+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."

341

+	fi

342

+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then

343

+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

344

+		elog "Make sure to update any configs that you might have.  Note that xinetd might"

345

+		elog "be an alternative for you as it supports USE=tcpd."

346

+	fi

347

+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388

348

+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

349

+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

350

+		elog "adding to your sshd_config or ~/.ssh/config files:"

351

+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

352

+		elog "You should however generate new keys using rsa or ed25519."

353

+	fi

354

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then

355

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

356

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

357

+		elog "and update all clients/servers that utilize them."

358

+	fi

359

+}

1	commit: 13b24dbb86a4f2013c376c65ada52d9aee2561c6
2	Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
3	AuthorDate: Thu Oct 29 06:13:41 2015 +0000
4	Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
5	CommitDate: Thu Oct 29 06:14:01 2015 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13b24dbb
7
8	net-misc/openssh: fix tun window size in hpn mode #564236
9
10	net-misc/openssh/Manifest \| 1 +
11	net-misc/openssh/openssh-7.1_p1-r2.ebuild \| 327 ++++++++++++++++++++++++++++++
12	2 files changed, 328 insertions(+)
13
14	diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
15	index 461d5c1..cf1e7a0 100644
16	--- a/net-misc/openssh/Manifest
17	+++ b/net-misc/openssh/Manifest
18	@@ -15,6 +15,7 @@ DIST openssh-7.0p1+x509-8.5.diff.gz 411960 SHA256 6000557f1ddae06aff8837d440d933
19	DIST openssh-7.0p1-hpnssh14v5.tar.xz 21428 SHA256 6032c4547c9f83a6f648ac7c39cdad2bd6fd725e5f3ab2411c5b30298aae1451 SHA512 d4cf4a628c11515bfe8c3a91b4b7039fca28c2f89ad1dde062c4cb433b984b10dec2d37b1f338f18aa7813e60d8608b65ca95b930edc33086710b82780875942 WHIRLPOOL 7b686f243c98017453b3da3e98b7524650b4a0a75fda6add80c7c233d468194d1d1333ffa4445c20856d807548aaa356c87a03ca87d8995a4b7ba350c7714d1e
20	DIST openssh-7.0p1.tar.gz 1493376 SHA256 fd5932493a19f4c81153d812ee4e042b49bbd3b759ab3d9344abecc2bc1485e5 SHA512 d82aa8e85630c3e2102e69da477185e0d30d84211d7d4ee0a1d9822bd234d649fe369bf91ce3d2b5ef0caee687d383cb761b682d3bf24bccbd2ce9a1fe9d9f50 WHIRLPOOL bb8007450ffee580df5a73e3d6ab9b54b7151c46c3b996516e5cb776034be21cbef1281a520279655137e218a757d8092cba3f66e216c6b4c6828876540cb5df
21	DIST openssh-7.1p1+x509-8.6.diff.gz 413931 SHA256 cbf661a1fec080dc9ed335a290414154326c2a13f124985db050b86a91073d52 SHA512 c91d0f1b69b6d34984e94b391ad022271e73d0634cef2df355ba555366bc38d30649b478f245b6c51ce79d71adf1b693bc97826e6c6013a78e7ccfb7023b4bcc WHIRLPOOL 4ed4427e80026996c43a188d7d45f2c53fa6a7fd842a248b1225b27f3e9037e761f0ed172d79b53ada81c24d958a2193e94d918f6ca1320e45d5e68379845981
22	+DIST openssh-7.1p1-hpnssh14v9.tar.xz 21580 SHA256 a795c2f2621f537b3fd98172cbd1f7c71869e4da78cd280d123fa19ae4262b97 SHA512 6ce151949bf81b5518b95092a2f18d2f24581954e2c629deaf3c1d10136f32f830567aafb9b4045547e95e3ab63cf750e240eac40e2b9caa6d71cb2b132821ec WHIRLPOOL 8e3c9a1d79112092a6cb42c6766ccdf61e5d8fcd366ea5c7d3bab94cf309bcc12f3761476a288158638a340023aa24519d888caac19fb0ef25fa56bdab06412c
23	DIST openssh-7.1p1.tar.gz 1493170 SHA256 fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428 SHA512 f1491ca5a0a733eb27ede966590642a412cb7be7178dcb7b9e5844bbdc8383032f4b00435192b95fc0365b6fe74d6c5ac8d6facbe9d51e1532d049e2f784e8f7 WHIRLPOOL a650a93657f930d20dc3fa24ab720857f63f7cd0a82d1906cf1e58145e866129207851d5e587d678655e5731fa73221ab9b6ea0754533100c25fe2acaa442e05
24	DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73
25	DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
26
27	diff --git a/net-misc/openssh/openssh-7.1_p1-r2.ebuild b/net-misc/openssh/openssh-7.1_p1-r2.ebuild
28	new file mode 100644
29	index 0000000..7e645fd
30	--- /dev/null
31	+++ b/net-misc/openssh/openssh-7.1_p1-r2.ebuild
32	@@ -0,0 +1,327 @@
33	+# Copyright 1999-2015 Gentoo Foundation
34	+# Distributed under the terms of the GNU General Public License v2
35	+# $Id$
36	+
37	+EAPI="4"
38	+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
39	+
40	+# Make it more portable between straight releases
41	+# and _p? releases.
42	+PARCH=${P/_}
43	+
44	+HPN_PATCH="${PN}-7.1p1-hpnssh14v9.tar.xz"
45	+LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
46	+X509_VER="8.6" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
47	+
48	+DESCRIPTION="Port of OpenBSD's free SSH release"
49	+HOMEPAGE="http://www.openssh.org/"
50	+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
51	+ mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
52	+ ${HPN_PATCH:+hpn? (
53	+ mirror://gentoo/${HPN_PATCH}
54	+ https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
55	+ mirror://sourceforge/hpnssh/${HPN_PATCH}
56	+ )}
57	+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
58	+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
59	+ "
60	+
61	+LICENSE="BSD GPL-2"
62	+SLOT="0"
63	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
64	+# Probably want to drop ssl defaulting to on in a future version.
65	+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
66	+REQUIRED_USE="ldns? ( ssl )
67	+ pie? ( !static )
68	+ ssh1? ( ssl )
69	+ static? ( !kerberos !pam )
70	+ X509? ( !ldap ssl )"
71	+
72	+LIB_DEPEND="
73	+ ldns? (
74	+ net-libs/ldns[static-libs(+)]
75	+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
76	+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
77	+ )
78	+ libedit? ( dev-libs/libedit[static-libs(+)] )
79	+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
80	+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
81	+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
82	+ ssl? (
83	+ !libressl? (
84	+ >=dev-libs/openssl-0.9.8f:0[bindist=]
85	+ dev-libs/openssl:0[static-libs(+)]
86	+ )
87	+ libressl? ( dev-libs/libressl[static-libs(+)] )
88	+ )
89	+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
90	+RDEPEND="
91	+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
92	+ pam? ( virtual/pam )
93	+ kerberos? ( virtual/krb5 )
94	+ ldap? ( net-nds/openldap )"
95	+DEPEND="${RDEPEND}
96	+ static? ( ${LIB_DEPEND} )
97	+ virtual/pkgconfig
98	+ virtual/os-headers
99	+ sys-devel/autoconf"
100	+RDEPEND="${RDEPEND}
101	+ pam? ( >=sys-auth/pambase-20081028 )
102	+ userland_GNU? ( virtual/shadow )
103	+ X? ( x11-apps/xauth )"
104	+
105	+S=${WORKDIR}/${PARCH}
106	+
107	+pkg_setup() {
108	+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
109	+ # than not be able to log in to their server any more
110	+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
111	+ local fail="
112	+ $(use X509 && maybe_fail X509 X509_PATCH)
113	+ $(use ldap && maybe_fail ldap LDAP_PATCH)
114	+ $(use hpn && maybe_fail hpn HPN_PATCH)
115	+ "
116	+ fail=$(echo ${fail})
117	+ if [[ -n ${fail} ]] ; then
118	+ eerror "Sorry, but this version does not yet support features"
119	+ eerror "that you requested: ${fail}"
120	+ eerror "Please mask ${PF} for now and check back later:"
121	+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
122	+ die "booooo"
123	+ fi
124	+
125	+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
126	+ if grep -qs '^ sshd :' "${EROOT}"/etc/hosts.{allow,deny} ; then
127	+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
128	+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
129	+ fi
130	+}
131	+
132	+save_version() {
133	+ # version.h patch conflict avoidence
134	+ mv version.h version.h.$1
135	+ cp -f version.h.pristine version.h
136	+}
137	+
138	+src_prepare() {
139	+ sed -i \
140	+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
141	+ pathnames.h \|\| die
142	+ # keep this as we need it to avoid the conflict between LPK and HPN changing
143	+ # this file.
144	+ cp version.h version.h.pristine
145	+
146	+ # don't break .ssh/authorized_keys2 for fun
147	+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
148	+
149	+ if use X509 ; then
150	+ pushd .. >/dev/null
151	+ epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
152	+ epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
153	+ popd >/dev/null
154	+ epatch "${WORKDIR}"/${X509_PATCH%.*}
155	+ epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
156	+ epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
157	+ save_version X509
158	+ fi
159	+ if use ldap ; then
160	+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
161	+ save_version LPK
162	+ fi
163	+ epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
164	+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
165	+ # The X509 patchset fixes this independently.
166	+ use X509 \|\| epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
167	+ epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
168	+ if use hpn ; then
169	+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
170	+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
171	+ epatch "${WORKDIR}"/${HPN_PATCH%..}
172	+ save_version HPN
173	+ fi
174	+
175	+ tc-export PKG_CONFIG
176	+ local sed_args=(
177	+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
178	+ # Disable PATH reset, trust what portage gives us #254615
179	+ -e 's:^PATH=/:#PATH=/:'
180	+ # Disable fortify flags ... our gcc does this for us
181	+ -e 's:-D_FORTIFY_SOURCE=2::'
182	+ )
183	+ # The -ftrapv flag ICEs on hppa #505182
184	+ use hppa && sed_args+=(
185	+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
186	+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
187	+ )
188	+ sed -i "${sed_args[@]}" configure{.ac,} \|\| die
189	+
190	+ epatch_user #473004
191	+
192	+ # Now we can build a sane merged version.h
193	+ (
194	+ sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
195	+ macros=()
196	+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
197	+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
198	+ ) > version.h
199	+
200	+ eautoreconf
201	+}
202	+
203	+src_configure() {
204	+ addwrite /dev/ptmx
205	+ addpredict /etc/skey/skeykeys # skey configure code triggers this
206	+
207	+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
208	+ use static && append-ldflags -static
209	+
210	+ local myconf=(
211	+ --with-ldflags="${LDFLAGS}"
212	+ --disable-strip
213	+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
214	+ --sysconfdir="${EPREFIX}"/etc/ssh
215	+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
216	+ --datadir="${EPREFIX}"/usr/share/openssh
217	+ --with-privsep-path="${EPREFIX}"/var/empty
218	+ --with-privsep-user=sshd
219	+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
220	+ # We apply the ldap patch conditionally, so can't pass --without-ldap
221	+ # unconditionally else we get unknown flag warnings.
222	+ $(use ldap && use_with ldap)
223	+ $(use_with ldns)
224	+ $(use_with libedit)
225	+ $(use_with pam)
226	+ $(use_with pie)
227	+ $(use_with sctp)
228	+ $(use_with selinux)
229	+ $(use_with skey)
230	+ $(use_with ssh1)
231	+ # The X509 patch deletes this option entirely.
232	+ $(use X509 \|\| use_with ssl openssl)
233	+ $(use_with ssl md5-passwords)
234	+ $(use_with ssl ssl-engine)
235	+ )
236	+
237	+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
238	+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
239	+
240	+ # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
241	+ if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r\|sed 's/\(.\..\).*/\1/')" ; then
242	+ myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
243	+ append-ldflags -lutil
244	+ fi
245	+
246	+ econf "${myconf[@]}"
247	+}
248	+
249	+src_install() {
250	+ emake install-nokeys DESTDIR="${D}"
251	+ fperms 600 /etc/ssh/sshd_config
252	+ dobin contrib/ssh-copy-id
253	+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
254	+ newconfd "${FILESDIR}"/sshd.confd sshd
255	+ keepdir /var/empty
256	+
257	+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
258	+ if use pam ; then
259	+ sed -i \
260	+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
261	+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
262	+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
263	+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
264	+ "${ED}"/etc/ssh/sshd_config \|\| die
265	+ fi
266	+
267	+ # Gentoo tweaks to default config files
268	+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
269	+
270	+ # Allow client to pass locale environment variables #367017
271	+ AcceptEnv LANG LC_*
272	+ EOF
273	+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
274	+
275	+ # Send locale environment variables #367017
276	+ SendEnv LANG LC_*
277	+ EOF
278	+
279	+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
280	+ insinto /etc/openldap/schema/
281	+ newins openssh-lpk_openldap.schema openssh-lpk.schema
282	+ fi
283	+
284	+ doman contrib/ssh-copy-id.1
285	+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
286	+
287	+ diropts -m 0700
288	+ dodir /etc/skel/.ssh
289	+
290	+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
291	+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
292	+}
293	+
294	+src_test() {
295	+ local t tests skipped failed passed shell
296	+ tests="interop-tests compat-tests"
297	+ skipped=""
298	+ shell=$(egetshell ${UID})
299	+ if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
300	+ elog "Running the full OpenSSH testsuite"
301	+ elog "requires a usable shell for the 'portage'"
302	+ elog "user, so we will run a subset only."
303	+ skipped="${skipped} tests"
304	+ else
305	+ tests="${tests} tests"
306	+ fi
307	+ # It will also attempt to write to the homedir .ssh
308	+ local sshhome=${T}/homedir
309	+ mkdir -p "${sshhome}"/.ssh
310	+ for t in ${tests} ; do
311	+ # Some tests read from stdin ...
312	+ HOMEDIR="${sshhome}" \
313	+ emake -k -j1 ${t} </dev/null \
314	+ && passed="${passed}${t} " \
315	+ \|\| failed="${failed}${t} "
316	+ done
317	+ einfo "Passed tests: ${passed}"
318	+ ewarn "Skipped tests: ${skipped}"
319	+ if [[ -n ${failed} ]] ; then
320	+ ewarn "Failed tests: ${failed}"
321	+ die "Some tests failed: ${failed}"
322	+ else
323	+ einfo "Failed tests: ${failed}"
324	+ return 0
325	+ fi
326	+}
327	+
328	+pkg_preinst() {
329	+ enewgroup sshd 22
330	+ enewuser sshd 22 -1 /var/empty sshd
331	+}
332	+
333	+pkg_postinst() {
334	+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
335	+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
336	+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
337	+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
338	+ fi
339	+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
340	+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
341	+ fi
342	+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
343	+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
344	+ elog "Make sure to update any configs that you might have. Note that xinetd might"
345	+ elog "be an alternative for you as it supports USE=tcpd."
346	+ fi
347	+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
348	+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
349	+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
350	+ elog "adding to your sshd_config or ~/.ssh/config files:"
351	+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
352	+ elog "You should however generate new keys using rsa or ed25519."
353	+ fi
354	+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
355	+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
356	+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
357	+ elog "and update all clients/servers that utilize them."
358	+ fi
359	+}

Gentoo Archives: gentoo-commits