commit: c28b27ab2f2d2ed00e42b95086675c06603f1bf7 |
Author: layman <layman <AT> localhost> |
AuthorDate: Fri Mar 21 16:41:30 2014 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Fri Mar 21 16:44:33 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c28b27ab |
|
net-misc/openssh: bump to 6.6_p1 |
|
--- |
.../files/openssh-6.5_p1-hpn-cipher-align.patch | 114 ++++++++ |
.../openssh-6.6_p1-openssl-ignore-status.patch | 17 ++ |
.../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 ++ |
.../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 ++ |
net-misc/openssh/openssh-6.6_p1-r99.ebuild | 316 +++++++++++++++++++++ |
5 files changed, 489 insertions(+) |
|
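diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
new file mode 100644
index 0000000..cfb060f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
@@ -0,0 +1,114 @@
+https://bugs.gentoo.org/498632
+
+make sure we do not use unaligned loads/stores as some arches really hate that.
+
+--- a/cipher-ctr-mt.c
++++ b/cipher-ctr-mt.c
+@@ -58,8 +58,16 @@
+ /* Collect thread stats and print at cancellation when in debug mode */
+ /* #define CIPHER_THREAD_STATS */
+ 
+-/* Use single-byte XOR instead of 8-byte XOR */
+-/* #define CIPHER_BYTE_XOR */
++/* Can the system do unaligned loads natively? */
++#if defined(__aarch64__) || \
++ defined(__i386__) || \
++ defined(__powerpc__) || \
++ defined(__x86_64__)
++# define CIPHER_UNALIGNED_OK
++#endif
++#if defined(__SIZEOF_INT128__)
++# define CIPHER_INT128_OK
++#endif
+ /*-------------------- END TUNABLES --------------------*/
+ 
+ 
+@@ -285,8 +293,20 @@ thread_loop(void *x)
+ 
+ static int
+ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+- u_int len)
++ size_t len)
+ {
++ typedef union {
++#ifdef CIPHER_INT128_OK
++ __uint128_t *u128;
++#endif
++ uint64_t *u64;
++ uint32_t *u32;
++ uint8_t *u8;
++ const uint8_t *cu8;
++ uintptr_t u;
++ } ptrs_t;
++ ptrs_t destp, srcp, bufp;
++ uintptr_t align;
+ struct ssh_aes_ctr_ctx *c;
+ struct kq *q, *oldq;
+ int ridx;
+@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+ ridx = c->ridx;
+ 
+ /* src already padded to block multiple */
++ srcp.cu8 = src;
++ destp.u8 = dest;
+ while (len > 0) {
+ buf = q->keys[ridx];
++ bufp.u8 = buf;
+ 
+-#ifdef CIPHER_BYTE_XOR
+- dest[0] = src[0] ^ buf[0];
+- dest[1] = src[1] ^ buf[1];
+- dest[2] = src[2] ^ buf[2];
+- dest[3] = src[3] ^ buf[3];
+- dest[4] = src[4] ^ buf[4];
+- dest[5] = src[5] ^ buf[5];
+- dest[6] = src[6] ^ buf[6];
+- dest[7] = src[7] ^ buf[7];
+- dest[8] = src[8] ^ buf[8];
+- dest[9] = src[9] ^ buf[9];
+- dest[10] = src[10] ^ buf[10];
+- dest[11] = src[11] ^ buf[11];
+- dest[12] = src[12] ^ buf[12];
+- dest[13] = src[13] ^ buf[13];
+- dest[14] = src[14] ^ buf[14];
+- dest[15] = src[15] ^ buf[15];
+-#else
+- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
+- *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
+- *(uint64_t *)(buf + 8);
+-#endif
++ /* figure out the alignment on the fly */
++#ifdef CIPHER_UNALIGNED_OK
++ align = 0;
++#else
++ align = destp.u | srcp.u | bufp.u;
++#endif
++
++#ifdef CIPHER_INT128_OK
++ if ((align & 0xf) == 0) {
++ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
++ } else
++#endif
++ if ((align & 0x7) == 0) {
++ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
++ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
++ } else if ((align & 0x3) == 0) {
++ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
++ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
++ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
++ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
++ } else {
++ size_t i;
++ for (i = 0; i < AES_BLOCK_SIZE; ++i)
++ dest[i] = src[i] ^ buf[i];
++ }
+ 
+- dest += 16;
+- src += 16;
+- len -= 16;
++ destp.u += AES_BLOCK_SIZE;
++ srcp.u += AES_BLOCK_SIZE;
++ len -= AES_BLOCK_SIZE;
+ ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
+ 
+ /* Increment read index, switch queues on rollover */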
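Review bot: The byte-wise fallback at the bottom of the new alignment ladder, `dest[i] = src[i] ^ buf[i];`, indexes the original `dest` and `src` parameters, but the loop now advances only `destp.u` and `srcp.u` (the old `dest += 16; src += 16;` lines are removed in this same hunk), so on any arch without CIPHER_UNALIGNED_OK every misaligned block after the first is read from block 0 and written back to block 0, leaving the rest of `dest` untouched. The line should read `destp.u8[i] = srcp.cu8[i] ^ bufp.u8[i];` so the fallback walks the same cursors as the wide paths. Separately, on CIPHER_UNALIGNED_OK targets `align` is forced to 0, so the `__uint128_t` branch runs on pointers that are only known to be byte-aligned; `__uint128_t` carries a 16-byte alignment requirement and the compiler is entitled to emit aligned vector loads for it, so it would be safer to keep the real `align` value for the 16-byte test and apply the unaligned shortcut only to the 64/32-bit checks, or to do the XOR through `memcpy` into two local `uint64_t`. The wide paths also access `u_char` storage through `uint64_t`/`uint32_t` lvalues, which strict aliasing does not permit; the `memcpy` form avoids that as well. ssh_aes_ctr's body continues past the end of the hunk.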
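diff --git a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
new file mode 100644
index 0000000..6db6b97
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status. that is,
+whether it is a beta or release. when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/entropy.c
++++ b/entropy.c
+@@ -216,7 +216,7 @@ seed_rng(void)
+ * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+ * within a patch series.
+ */
+- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
++ u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L;
+ if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+ (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+ fatal("OpenSSL version mismatch. Built against %lx, you "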
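diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
new file mode 100644
index 0000000..0ba3e45
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
@@ -0,0 +1,16 @@
+Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
+
+--- openssh-6.6p1+x509-7.9.diff
++++ openssh-6.6p1+x509-7.9.diff
+@@ -15473,10 +15473,9 @@
+ .It Cm ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed (e.g. via
+ PAM or though authentication styles supported in
+-@@ -499,6 +576,16 @@
++@@ -499,5 +576,15 @@
+ The default is
+ .Dq yes .
+- Note that this option applies to protocol version 2 only.
+ +.It Cm HostbasedAlgorithms
+ +Specifies the protocol version 2 algorithms used in
+ +.Dq hostbased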
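diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
new file mode 100644
index 0000000..a69830e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
@@ -0,0 +1,26 @@
+make the hpn patch apply when the x509 patch has also been applied
+
+--- openssh-6.6p1-hpnssh14v4.diff
++++ openssh-6.6p1-hpnssh14v4.diff
+@@ -1742,18 +1742,14 @@
+ if (options->ip_qos_interactive == -1)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+-@@ -345,9 +393,10 @@
++@@ -345,6 +393,7 @@
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sHostCertificate,
+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+-- sAuthenticationMethods, sHostKeyAgent,
+-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
+- sDeprecated, sUnsupported
+- } ServerOpCodes;
+- 
++ sAuthenticationMethods, sHostKeyAgent,
+ @@ -468,6 +517,10 @@
+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },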
diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild b/net-misc/openssh/openssh-6.6_p1-r99.ebuild |
220 |
new file mode 100644 |
221 |
index 0000000..3232115 |
222 |
--- /dev/null |
223 |
+++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild |
224 |
@@ -0,0 +1,316 @@ |
225 |
+# Copyright 1999-2014 Gentoo Foundation |
226 |
+# Distributed under the terms of the GNU General Public License v2 |
227 |
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6_p1-r1.ebuild,v 1.2 2014/03/20 20:58:31 vapier Exp $ |
228 |
+ |
229 |
+EAPI="4" |
230 |
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator |
231 |
+ |
232 |
+# Make it more portable between straight releases |
233 |
+# and _p? releases. |
234 |
+PARCH=${P/_} |
235 |
+ |
236 |
+#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz" |
237 |
+HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.xz" |
238 |
+LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz" |
239 |
+X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" |
240 |
+ |
241 |
+DESCRIPTION="Port of OpenBSD's free SSH release" |
242 |
+HOMEPAGE="http://www.openssh.org/" |
243 |
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz |
244 |
+ ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )} |
245 |
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} |
246 |
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} |
247 |
+ " |
248 |
+ #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )} |
249 |
+ |
250 |
+LICENSE="BSD GPL-2" |
251 |
+SLOT="0" |
252 |
+KEYWORDS="amd64 arm ~mips x86" |
253 |
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509" |
254 |
+ |
255 |
+LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) |
256 |
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) |
257 |
+ libedit? ( dev-libs/libedit[static-libs(+)] ) |
258 |
+ >=dev-libs/openssl-0.9.6d:0[bindist=] |
259 |
+ dev-libs/openssl[static-libs(+)] |
260 |
+ >=sys-libs/zlib-1.2.3[static-libs(+)] |
261 |
+ tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )" |
262 |
+RDEPEND=" |
263 |
+ !static? ( |
264 |
+ ${LIB_DEPEND//\[static-libs(+)]} |
265 |
+ ldns? ( |
266 |
+ !bindist? ( net-libs/ldns[ecdsa,ssl] ) |
267 |
+ bindist? ( net-libs/ldns[-ecdsa,ssl] ) |
268 |
+ ) |
269 |
+ ) |
270 |
+ pam? ( virtual/pam ) |
271 |
+ kerberos? ( virtual/krb5 ) |
272 |
+ ldap? ( net-nds/openldap )" |
273 |
+DEPEND="${RDEPEND} |
274 |
+ static? ( |
275 |
+ ${LIB_DEPEND} |
276 |
+ ldns? ( |
277 |
+ !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) |
278 |
+ bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) |
279 |
+ ) |
280 |
+ ) |
281 |
+ virtual/pkgconfig |
282 |
+ virtual/os-headers |
283 |
+ sys-devel/autoconf" |
284 |
+RDEPEND="${RDEPEND} |
285 |
+ pam? ( >=sys-auth/pambase-20081028 ) |
286 |
+ userland_GNU? ( virtual/shadow ) |
287 |
+ X? ( x11-apps/xauth )" |
288 |
+ |
289 |
+S=${WORKDIR}/${PARCH} |
290 |
+ |
291 |
+pkg_setup() { |
292 |
+ # this sucks, but i'd rather have people unable to `emerge -u openssh` |
293 |
+ # than not be able to log in to their server any more |
294 |
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } |
295 |
+ local fail=" |
296 |
+ $(use X509 && maybe_fail X509 X509_PATCH) |
297 |
+ $(use ldap && maybe_fail ldap LDAP_PATCH) |
298 |
+ $(use hpn && maybe_fail hpn HPN_PATCH) |
299 |
+ " |
300 |
+ fail=$(echo ${fail}) |
301 |
+ if [[ -n ${fail} ]] ; then |
302 |
+ eerror "Sorry, but this version does not yet support features" |
303 |
+ eerror "that you requested: ${fail}" |
304 |
+ eerror "Please mask ${PF} for now and check back later:" |
305 |
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" |
306 |
+ die "booooo" |
307 |
+ fi |
308 |
+} |
309 |
+ |
310 |
+save_version() { |
311 |
+ # version.h patch conflict avoidence |
312 |
+ mv version.h version.h.$1 |
313 |
+ cp -f version.h.pristine version.h |
314 |
+} |
315 |
+ |
316 |
+src_prepare() { |
317 |
+ sed -i \ |
318 |
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ |
319 |
+ pathnames.h || die |
320 |
+ # keep this as we need it to avoid the conflict between LPK and HPN changing |
321 |
+ # this file. |
322 |
+ cp version.h version.h.pristine |
323 |
+ |
324 |
+ # don't break .ssh/authorized_keys2 for fun |
325 |
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die |
326 |
+ |
327 |
+ epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361 |
328 |
+ if use X509 ; then |
329 |
+ pushd .. >/dev/null |
330 |
+ epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch |
331 |
+ use hpn && epatch "${FILESDIR}"/${PN}-6.6_p1-x509-hpn14v4-glue-p2.patch |
332 |
+ popd >/dev/null |
333 |
+ epatch "${WORKDIR}"/${X509_PATCH%.*} |
334 |
+ epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch |
335 |
+ save_version X509 |
336 |
+ fi |
337 |
+ if ! use X509 ; then |
338 |
+ if [[ -n ${LDAP_PATCH} ]] && use ldap ; then |
339 |
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*} |
340 |
+ save_version LPK |
341 |
+ fi |
342 |
+ else |
343 |
+ use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP" |
344 |
+ fi |
345 |
+ epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex |
346 |
+ epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch |
347 |
+ if [[ -n ${HPN_PATCH} ]] && use hpn; then |
348 |
+ epatch "${WORKDIR}"/${HPN_PATCH%.*} |
349 |
+ epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632 |
350 |
+ save_version HPN |
351 |
+ fi |
352 |
+ |
353 |
+ tc-export PKG_CONFIG |
354 |
+ local sed_args=( |
355 |
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" |
356 |
+ # Disable PATH reset, trust what portage gives us #254615 |
357 |
+ -e 's:^PATH=/:#PATH=/:' |
358 |
+ # Disable fortify flags ... our gcc does this for us |
359 |
+ -e 's:-D_FORTIFY_SOURCE=2::' |
360 |
+ ) |
361 |
+ sed -i "${sed_args[@]}" configure{,.ac} || die |
362 |
+ |
363 |
+ epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch |
364 |
+ epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch |
365 |
+ epatch "${FILESDIR}"/${PN}-6.4p1-fix-typo-construct_utmpx.patch |
366 |
+ |
367 |
+ epatch_user #473004 |
368 |
+ |
369 |
+ # Now we can build a sane merged version.h |
370 |
+ ( |
371 |
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u |
372 |
+ macros=() |
373 |
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done |
374 |
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" |
375 |
+ ) > version.h |
376 |
+ |
377 |
+ eautoreconf |
378 |
+} |
379 |
+ |
380 |
+static_use_with() { |
381 |
+ local flag=$1 |
382 |
+ if use static && use ${flag} ; then |
383 |
+ ewarn "Disabling '${flag}' support because of USE='static'" |
384 |
+ # rebuild args so that we invert the first one (USE flag) |
385 |
+ # but otherwise leave everything else working so we can |
386 |
+ # just leverage use_with |
387 |
+ shift |
388 |
+ [[ -z $1 ]] && flag="${flag} ${flag}" |
389 |
+ set -- !${flag} "$@" |
390 |
+ fi |
391 |
+ use_with "$@" |
392 |
+} |
393 |
+ |
394 |
+src_configure() { |
395 |
+ local myconf |
396 |
+ addwrite /dev/ptmx |
397 |
+ addpredict /etc/skey/skeykeys #skey configure code triggers this |
398 |
+ |
399 |
+ use static && append-ldflags -static |
400 |
+ |
401 |
+ # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) |
402 |
+ if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then |
403 |
+ myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx" |
404 |
+ append-ldflags -lutil |
405 |
+ fi |
406 |
+ |
407 |
+ econf \ |
408 |
+ --with-ldflags="${LDFLAGS}" \ |
409 |
+ --disable-strip \ |
410 |
+ --with-pid-dir="${EPREFIX}"/var/run \ |
411 |
+ --sysconfdir="${EPREFIX}"/etc/ssh \ |
412 |
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \ |
413 |
+ --datadir="${EPREFIX}"/usr/share/openssh \ |
414 |
+ --with-privsep-path="${EPREFIX}"/var/empty \ |
415 |
+ --with-privsep-user=sshd \ |
416 |
+ --with-md5-passwords \ |
417 |
+ --with-ssl-engine \ |
418 |
+ $(static_use_with pam) \ |
419 |
+ $(static_use_with kerberos kerberos5 /usr) \ |
420 |
+ ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \ |
421 |
+ $(use_with ldns) \ |
422 |
+ $(use_with libedit) \ |
423 |
+ $(use_with selinux) \ |
424 |
+ $(use_with skey) \ |
425 |
+ $(use_with tcpd tcp-wrappers) \ |
426 |
+ ${myconf} |
427 |
+} |
428 |
+ |
429 |
+src_install() { |
430 |
+ emake install-nokeys DESTDIR="${D}" |
431 |
+ fperms 600 /etc/ssh/sshd_config |
432 |
+ dobin contrib/ssh-copy-id |
433 |
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd |
434 |
+ newconfd "${FILESDIR}"/sshd.confd sshd |
435 |
+ keepdir /var/empty |
436 |
+ |
437 |
+ # not all openssl installs support ecc, or are functional #352645 |
438 |
+ if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then |
439 |
+ elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support" |
440 |
+ sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die |
441 |
+ fi |
442 |
+ |
443 |
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd |
444 |
+ if use pam ; then |
445 |
+ sed -i \ |
446 |
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \ |
447 |
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ |
448 |
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \ |
449 |
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ |
450 |
+ "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed" |
451 |
+ fi |
452 |
+ |
453 |
+ # Gentoo tweaks to default config files |
454 |
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config |
455 |
+ |
456 |
+ # Allow client to pass locale environment variables #367017 |
457 |
+ AcceptEnv LANG LC_* |
458 |
+ EOF |
459 |
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config |
460 |
+ |
461 |
+ # Send locale environment variables #367017 |
462 |
+ SendEnv LANG LC_* |
463 |
+ EOF |
464 |
+ |
465 |
+ # This instruction is from the HPN webpage, |
466 |
+ # Used for the server logging functionality |
467 |
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then |
468 |
+ keepdir /var/empty/dev |
469 |
+ fi |
470 |
+ |
471 |
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then |
472 |
+ insinto /etc/openldap/schema/ |
473 |
+ newins openssh-lpk_openldap.schema openssh-lpk.schema |
474 |
+ fi |
475 |
+ |
476 |
+ doman contrib/ssh-copy-id.1 |
477 |
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config |
478 |
+ |
479 |
+ diropts -m 0700 |
480 |
+ dodir /etc/skel/.ssh |
481 |
+ |
482 |
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket} |
483 |
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' |
484 |
+} |
485 |
+ |
486 |
+src_test() { |
487 |
+ local t tests skipped failed passed shell |
488 |
+ tests="interop-tests compat-tests" |
489 |
+ skipped="" |
490 |
+ shell=$(egetshell ${UID}) |
491 |
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then |
492 |
+ elog "Running the full OpenSSH testsuite" |
493 |
+ elog "requires a usable shell for the 'portage'" |
494 |
+ elog "user, so we will run a subset only." |
495 |
+ skipped="${skipped} tests" |
496 |
+ else |
497 |
+ tests="${tests} tests" |
498 |
+ fi |
499 |
+ # It will also attempt to write to the homedir .ssh |
500 |
+ local sshhome=${T}/homedir |
501 |
+ mkdir -p "${sshhome}"/.ssh |
502 |
+ for t in ${tests} ; do |
503 |
+ # Some tests read from stdin ... |
504 |
+ HOMEDIR="${sshhome}" \ |
505 |
+ emake -k -j1 ${t} </dev/null \ |
506 |
+ && passed="${passed}${t} " \ |
507 |
+ || failed="${failed}${t} " |
508 |
+ done |
509 |
+ einfo "Passed tests: ${passed}" |
510 |
+ ewarn "Skipped tests: ${skipped}" |
511 |
+ if [[ -n ${failed} ]] ; then |
512 |
+ ewarn "Failed tests: ${failed}" |
513 |
+ die "Some tests failed: ${failed}" |
514 |
+ else |
515 |
+ einfo "Failed tests: ${failed}" |
516 |
+ return 0 |
517 |
+ fi |
518 |
+} |
519 |
+ |
520 |
+pkg_preinst() { |
521 |
+ enewgroup sshd 22 |
522 |
+ enewuser sshd 22 -1 /var/empty sshd |
523 |
+} |
524 |
+ |
525 |
+pkg_postinst() { |
526 |
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then |
527 |
+ elog "Starting with openssh-5.8p1, the server will default to a newer key" |
528 |
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored" |
529 |
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." |
530 |
+ fi |
531 |
+ ewarn "Remember to merge your config files in /etc/ssh/ and then" |
532 |
+ ewarn "reload sshd: '/etc/init.d/sshd reload'." |
533 |
+ # This instruction is from the HPN webpage, |
534 |
+ # Used for the server logging functionality |
535 |
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then |
536 |
+ echo |
537 |
+ einfo "For the HPN server logging patch, you must ensure that" |
538 |
+ einfo "your syslog application also listens at /var/empty/dev/log." |
539 |
+ fi |
540 |
+} |
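Review bot: SRC_URI introduces new distfiles (the 6.6p1 tarball via `${PARCH}.tar.gz`, `${PN}-6.6p1-hpnssh14v4.diff.xz` and the x509 7.9 diff) but the diffstat lists no Manifest change, so unless this overlay generates Manifests elsewhere Portage has no DIST digest to verify these downloads against; the HPN and X509 patches are fetched over plain http from dev.gentoo.org and roumenpetrov.info, so the Manifest digest is the only integrity check on code that ends up inside sshd. The hpn note in pkg_postinst only covers syslog, while the glue patch in this same commit shows the HPN patch adding an `sNoneEnabled` server option; a one-line `einfo "HPN adds the NoneEnabled sshd option (off by default); leave it off unless you accept unencrypted data transfer."` next to the syslog message would tell admins what they are enabling. The `$Header:` line still names openssh-6.6_p1-r1.ebuild from gentoo-x86, presumably the file this -r99 copy was taken from, which is fine if it is meant as provenance.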