
From: Stefan Strogin <stefan.strogin@×××××.com>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/proj/libressl:master commit in: net-misc/openssh/files/, net-misc/openssh/
Date: Wed, 13 Mar 2019 20:00:48
Message-Id: 1552507035.a03f9e8cf931fff314869339664a0c0718e75661.steils@gentoo
1 commit: a03f9e8cf931fff314869339664a0c0718e75661
2 Author: Stefan Strogin <stefan.strogin <AT> gmail <DOT> com>
3 AuthorDate: Wed Mar 13 19:57:15 2019 +0000
4 Commit: Stefan Strogin <stefan.strogin <AT> gmail <DOT> com>
5 CommitDate: Wed Mar 13 19:57:15 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=a03f9e8c
7
8 net-misc/openssh: drop; fixed in gentoo.git
9
10 Package-Manager: Portage-2.3.62, Repoman-2.3.12
11 Signed-off-by: Stefan Strogin <stefan.strogin <AT> gmail.com>
12
13 net-misc/openssh/Manifest | 10 -
14 .../openssh-6.7_p1-openssl-ignore-status.patch | 17 -
15 .../files/openssh-7.3-mips-seccomp-n32.patch | 21 -
16 .../files/openssh-7.5_p1-CVE-2017-15906.patch | 31 --
17 .../openssh/files/openssh-7.5_p1-GSSAPI-dns.patch | 351 ----------------
18 .../openssh/files/openssh-7.5_p1-cross-cache.patch | 39 --
19 ...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 -
20 .../files/openssh-7.5_p1-hpn-x509-10.1-glue.patch | 63 ---
21 .../files/openssh-7.5_p1-hpn-x509-10.2-glue.patch | 67 ---
22 .../files/openssh-7.5_p1-libressl_arc4random.patch | 36 --
23 .../files/openssh-7.5_p1-s390-seccomp.patch | 27 --
24 .../openssh/files/openssh-7.5_p1-x32-typo.patch | 25 --
25 .../files/openssh-7.5p1-x509-libressl.patch | 202 ---------
26 .../openssh/files/openssh-7.7_p1-GSSAPI-dns.patch | 351 ----------------
27 net-misc/openssh/files/sshd-r1.confd | 33 --
28 net-misc/openssh/files/sshd.confd | 21 -
29 net-misc/openssh/files/sshd.pam_include.2 | 4 -
30 net-misc/openssh/files/sshd.rc6.4 | 84 ----
31 net-misc/openssh/files/sshd.rc6.5 | 89 ----
32 net-misc/openssh/files/sshd.service | 11 -
33 net-misc/openssh/files/sshd.socket | 10 -
34 net-misc/openssh/files/sshd_at.service | 8 -
35 net-misc/openssh/metadata.xml | 40 --
36 net-misc/openssh/openssh-7.5_p1-r4.ebuild | 335 ---------------
37 net-misc/openssh/openssh-7.7_p1-r5.ebuild | 434 -------------------
38 net-misc/openssh/openssh-7.7_p1-r6.ebuild | 458 ---------------------
39 26 files changed, 2787 deletions(-)
40
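--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,10 +0,0 @@
-DIST openssh-7.4_p1-sctp.patch.xz 8220 BLAKE2B 2d571cacaab342b7950b42ec826bd896edf78780e9ee73fcd441cbc9764eb59e408e295062862db986918824d10498383bf34ae7c93df0da2c056eaec4d2c031 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4
-DIST openssh-7.5p1+x509-10.2.diff.gz 467040 BLAKE2B 4048b0f016bf7d43276f88117fc266d1a450d298563bfc6ce705ec2829b8f9d91af5c5232941d55004b5aea2d3e0fb682a9d4acd9510c9761ba7ede2f2f0e37f SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a
-DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 BLAKE2B 15702338877e50c2143b33b93bfc87d0aa0fa55915db1f0cab9c22e55f8aa0c6eeb5a56f438d849544d1650bdc574384b851292d621b79f673b78bc37617aa0b SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9
-DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551c3ae037593d4296305df189e0a6f1383adc89b1970d58b8dcfff391878b7a29b848cc244a99705a164bec5d734 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81
-DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
-DIST openssh-7.7p1-patches-1.1.tar.xz 16476 BLAKE2B fca2885a9e29faec40700ece37a995ba83e40bd2a6875129a5327770d8ee43663a7c063de33b4653994ed7332adb03730f613c047550d874190b95c66e2e9efa SHA512 aa5e33ce4bb4be16abf27ac1bade1dc85c51d82002be546402e0b8b0685de3ec7029f0f56bf1295ec346eb3960a6bed7cfc882722e57957a19a732f3174b3039
-DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
-DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
-DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
-DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b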
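--- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
- */
-- mask = 0xfff0000fL; /* major,minor,status */
-+ mask = 0xfff00000L; /* major,minor,status */
- hfix = (headerver & 0x000ff000) >> 12;
- lfix = (libver & 0x000ff000) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)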
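--- a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/591392
-https://bugzilla.mindrot.org/show_bug.cgi?id=2590
-
-7.3 added seccomp support to MIPS, but failed to handled the N32
-case. This patch is temporary until upstream fixes.
-
---- openssh-7.3p1/configure.ac
-+++ openssh-7.3p1/configure.ac
-@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL
- ;;
- mips64-*)
-- seccomp_audit_arch=AUDIT_ARCH_MIPS64
-+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
- ;;
- mips64el-*)
-- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
-+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
- ;;
- esac
- if test "x$seccomp_audit_arch" != "x" ; then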
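--- a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
-From: djm <djm@×××××××.org>
-Date: Tue, 4 Apr 2017 00:24:56 +0000
-Subject: [PATCH] disallow creation (of empty files) in read-only mode;
- reported by Michal Zalewski, feedback & ok deraadt@
-
----
- usr.bin/ssh/sftp-server.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
-index 2510d234a3a..42249ebd60d 100644
---- a/usr.bin/ssh/sftp-server.c
-+++ b/usr.bin/ssh/sftp-server.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
-+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
- /*
- * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
- *
-@@ -683,8 +683,8 @@ process_open(u_int32_t id)
- logit("open \"%s\" flags %s mode 0%o",
- name, string_from_portable(pflags), mode);
- if (readonly &&
-- ((flags & O_ACCMODE) == O_WRONLY ||
-- (flags & O_ACCMODE) == O_RDWR)) {
-+ ((flags & O_ACCMODE) != O_RDONLY ||
-+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
- verbose("Refusing open request in read-only mode");
- status = SSH2_FX_PERMISSION_DENIED;
- } else {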
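--- a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "smartcarddevice", oPKCS11Provider },
-@@ -930,6 +933,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1649,6 +1656,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(active_state, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -668,7 +674,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server. auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
-
- return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) < 0) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return strdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return strdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return strdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return strdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return strdup(ntop);
-- }
-- return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) < 0) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return strdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return strdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return strdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return strdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return strdup(ntop);
-+ }
-+ return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}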
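--- a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@××××××××.org>
-Date: Wed, 24 May 2017 23:18:41 -0400
-Subject: [PATCH] configure: actually set cache vars when cross-compiling
-
-The cross-compiling fallback message says it's assuming the test
-passed, but it didn't actually set the cache var which causes
-later tests to fail.
----
- configure.ac | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5cfea38c0a6c..895c5211ea93 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
- select_works_with_rlimit=yes],
- [AC_MSG_RESULT([no])
- select_works_with_rlimit=no],
-- [AC_MSG_WARN([cross compiling: assuming yes])]
-+ [AC_MSG_WARN([cross compiling: assuming yes])
-+ select_works_with_rlimit=yes]
- )
-
- AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
-@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
- rlimit_nofile_zero_works=yes],
- [AC_MSG_RESULT([no])
- rlimit_nofile_zero_works=no],
-- [AC_MSG_WARN([cross compiling: assuming yes])]
-+ [AC_MSG_WARN([cross compiling: assuming yes])
-+ rlimit_nofile_zero_works=yes]
- )
-
- AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
---
-2.12.0
-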
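--- a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Disable conch interop tests which are failing when called
-via portage for yet unknown reason and because using conch
-seems to be flaky (test is failing when using Python2 but
-passing when using Python3).
-
-Bug: https://bugs.gentoo.org/605446
-
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -3,6 +3,10 @@
-
- tid="conch ciphers"
-
-+# https://bugs.gentoo.org/605446
-+echo "conch interop tests skipped due to Gentoo bug #605446"
-+exit 0
-+
- if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
- echo "conch interop tests not enabled"
- exit 0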
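--- a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.1-glue.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700
-+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700
-@@ -40,7 +40,7 @@
- @@ -44,7 +44,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -1023,6 +1023,3 @@
- do_authenticated(authctxt);
-
- /* The connection has been terminated. */
----
--2.12.0
--
-diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch
---- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700
-+++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700
-@@ -926,9 +926,9 @@
- @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1)
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
-++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -943,11 +943,11 @@
- @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+- major, minor, SSH_VERSION, comment,
-++ major, minor, SSH_RELEASE, comment,
- *options.version_addendum == '\0' ? "" : " ",
-- options.version_addendum);
-+ options.version_addendum, newline);
-
- @@ -1020,6 +1020,8 @@ server_listen(void)
- int ret, listen_sock, on = 1;
-@@ -1008,10 +1008,6 @@
- @@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_7.5"
-
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- +#define SSH_HPN "-hpn14v12"
- +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
----
--2.12.0
--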
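--- a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700
-+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700
-@@ -40,7 +40,7 @@
- @@ -44,7 +44,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -1023,6 +1023,3 @@
- do_authenticated(authctxt);
-
- /* The connection has been terminated. */
----
--2.12.0
--
-diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch
---- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700
-+++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700
-@@ -926,9 +926,9 @@
- @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1)
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
-++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -943,11 +943,11 @@
- @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s",
-+- major, minor, SSH_VERSION, pkix_comment,
-++ major, minor, SSH_RELEASE, pkix_comment,
- *options.version_addendum == '\0' ? "" : " ",
-- options.version_addendum);
-+ options.version_addendum, newline);
-
- @@ -1020,6 +1020,8 @@ server_listen(void)
- int ret, listen_sock, on = 1;
-@@ -1006,12 +1008,9 @@
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,5 @@
-+@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_7.5"
-
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
-++#define SSH_X509 ", PKIX-SSH " PACKAGE_VERSION
- +#define SSH_HPN "-hpn14v12"
- +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
----
--2.12.0
--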
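--- a/net-misc/openssh/files/openssh-7.5_p1-libressl_arc4random.patch
+++ /dev/null
@@ -1,36 +0,0 @@
---- a/openbsd-compat/openbsd-compat.h
-+++ b/openbsd-compat/openbsd-compat.h
-@@ -179,20 +179,25 @@ int writev(int, struct iovec *, int);
- int getpeereid(int , uid_t *, gid_t *);
- #endif
-
--#ifdef HAVE_ARC4RANDOM
--# ifndef HAVE_ARC4RANDOM_STIR
--# define arc4random_stir()
--# endif
--#else
-+#if !defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
- unsigned int arc4random(void);
-+#endif
-+
-+#if defined(HAVE_ARC4RANDOM_STIR)
- void arc4random_stir(void);
--#endif /* !HAVE_ARC4RANDOM */
-+#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
-+/* Recent system/libressl implementation; no need for explicit stir */
-+# define arc4random_stir()
-+#else
-+/* openbsd-compat/arc4random.c provides arc4random_stir() */
-+void arc4random_stir(void);
-+#endif
-
--#ifndef HAVE_ARC4RANDOM_BUF
-+#if !defined(HAVE_ARC4RANDOM_BUF) || defined(LIBRESSL_VERSION_NUMBER)
- void arc4random_buf(void *, size_t);
- #endif
-
--#ifndef HAVE_ARC4RANDOM_UNIFORM
-+#if !defined(HAVE_ARC4RANDOM_UNIFORM) || defined(LIBRESSL_VERSION_NUMBER)
- u_int32_t arc4random_uniform(u_int32_t);
- #endif
-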
766 diff --git a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch b/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
767 deleted file mode 100644
768 index d793200..0000000
769 --- a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch
770 +++ /dev/null
771 @@ -1,27 +0,0 @@
772 -From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
773 -From: Damien Miller <djm@×××××××.org>
774 -Date: Wed, 22 Mar 2017 12:43:02 +1100
775 -Subject: [PATCH] Missing header on Linux/s390
776 -
777 -Patch from Jakub Jelen
778 ----
779 - sandbox-seccomp-filter.c | 3 +++
780 - 1 file changed, 3 insertions(+)
781 -
782 -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
783 -index a8d472a63ccb..2831e9d1083c 100644
784 ---- a/sandbox-seccomp-filter.c
785 -+++ b/sandbox-seccomp-filter.c
786 -@@ -50,6 +50,9 @@
787 - #include <elf.h>
788 -
789 - #include <asm/unistd.h>
790 -+#ifdef __s390__
791 -+#include <asm/zcrypt.h>
792 -+#endif
793 -
794 - #include <errno.h>
795 - #include <signal.h>
796 ---
797 -2.15.1
798 -
799
800 diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
801 deleted file mode 100644
802 index 5dca1b0..0000000
803 --- a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
804 +++ /dev/null
805 @@ -1,25 +0,0 @@
806 -From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
807 -From: Mike Frysinger <vapier@g.o>
808 -Date: Mon, 20 Mar 2017 14:57:40 -0400
809 -Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
810 -
811 ----
812 - sandbox-seccomp-filter.c | 2 +-
813 - 1 file changed, 1 insertion(+), 1 deletion(-)
814 -
815 -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
816 -index 3a1aedce72c2..a8d472a63ccb 100644
817 ---- a/sandbox-seccomp-filter.c
818 -+++ b/sandbox-seccomp-filter.c
819 -@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
820 - * x86-64 syscall under some circumstances, e.g.
821 - * https://bugs.debian.org/849923
822 - */
823 -- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
824 -+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
825 - #endif
826 -
827 - /* Default deny */
828 ---
829 -2.12.0
830 -
831
832 diff --git a/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch b/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch
833 deleted file mode 100644
834 index b4f36a5..0000000
835 --- a/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch
836 +++ /dev/null
837 @@ -1,202 +0,0 @@
838 -diff -urN openssh-7.5p1.orig/a_utf8.c openssh-7.5p1/a_utf8.c
839 ---- openssh-7.5p1.orig/a_utf8.c 1970-01-01 00:00:00.000000000 +0000
840 -+++ openssh-7.5p1/a_utf8.c 2017-03-30 17:38:25.179532110 +0000
841 -@@ -0,0 +1,186 @@
842 -+/*
843 -+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
844 -+ *
845 -+ * Licensed under the OpenSSL license (the "License"). You may not use
846 -+ * this file except in compliance with the License. You can obtain a copy
847 -+ * in the file LICENSE in the source distribution or at
848 -+ * https://www.openssl.org/source/license.html
849 -+ */
850 -+
851 -+#include <stdio.h>
852 -+
853 -+/* UTF8 utilities */
854 -+
855 -+/*-
856 -+ * This parses a UTF8 string one character at a time. It is passed a pointer
857 -+ * to the string and the length of the string. It sets 'value' to the value of
858 -+ * the current character. It returns the number of characters read or a
859 -+ * negative error code:
860 -+ * -1 = string too short
861 -+ * -2 = illegal character
862 -+ * -3 = subsequent characters not of the form 10xxxxxx
863 -+ * -4 = character encoded incorrectly (not minimal length).
864 -+ */
865 -+
866 -+int UTF8_getc(const unsigned char *str, int len, unsigned long *val)
867 -+{
868 -+ const unsigned char *p;
869 -+ unsigned long value;
870 -+ int ret;
871 -+ if (len <= 0)
872 -+ return 0;
873 -+ p = str;
874 -+
875 -+ /* Check syntax and work out the encoded value (if correct) */
876 -+ if ((*p & 0x80) == 0) {
877 -+ value = *p++ & 0x7f;
878 -+ ret = 1;
879 -+ } else if ((*p & 0xe0) == 0xc0) {
880 -+ if (len < 2)
881 -+ return -1;
882 -+ if ((p[1] & 0xc0) != 0x80)
883 -+ return -3;
884 -+ value = (*p++ & 0x1f) << 6;
885 -+ value |= *p++ & 0x3f;
886 -+ if (value < 0x80)
887 -+ return -4;
888 -+ ret = 2;
889 -+ } else if ((*p & 0xf0) == 0xe0) {
890 -+ if (len < 3)
891 -+ return -1;
892 -+ if (((p[1] & 0xc0) != 0x80)
893 -+ || ((p[2] & 0xc0) != 0x80))
894 -+ return -3;
895 -+ value = (*p++ & 0xf) << 12;
896 -+ value |= (*p++ & 0x3f) << 6;
897 -+ value |= *p++ & 0x3f;
898 -+ if (value < 0x800)
899 -+ return -4;
900 -+ ret = 3;
901 -+ } else if ((*p & 0xf8) == 0xf0) {
902 -+ if (len < 4)
903 -+ return -1;
904 -+ if (((p[1] & 0xc0) != 0x80)
905 -+ || ((p[2] & 0xc0) != 0x80)
906 -+ || ((p[3] & 0xc0) != 0x80))
907 -+ return -3;
908 -+ value = ((unsigned long)(*p++ & 0x7)) << 18;
909 -+ value |= (*p++ & 0x3f) << 12;
910 -+ value |= (*p++ & 0x3f) << 6;
911 -+ value |= *p++ & 0x3f;
912 -+ if (value < 0x10000)
913 -+ return -4;
914 -+ ret = 4;
915 -+ } else if ((*p & 0xfc) == 0xf8) {
916 -+ if (len < 5)
917 -+ return -1;
918 -+ if (((p[1] & 0xc0) != 0x80)
919 -+ || ((p[2] & 0xc0) != 0x80)
920 -+ || ((p[3] & 0xc0) != 0x80)
921 -+ || ((p[4] & 0xc0) != 0x80))
922 -+ return -3;
923 -+ value = ((unsigned long)(*p++ & 0x3)) << 24;
924 -+ value |= ((unsigned long)(*p++ & 0x3f)) << 18;
925 -+ value |= ((unsigned long)(*p++ & 0x3f)) << 12;
926 -+ value |= (*p++ & 0x3f) << 6;
927 -+ value |= *p++ & 0x3f;
928 -+ if (value < 0x200000)
929 -+ return -4;
930 -+ ret = 5;
931 -+ } else if ((*p & 0xfe) == 0xfc) {
932 -+ if (len < 6)
933 -+ return -1;
934 -+ if (((p[1] & 0xc0) != 0x80)
935 -+ || ((p[2] & 0xc0) != 0x80)
936 -+ || ((p[3] & 0xc0) != 0x80)
937 -+ || ((p[4] & 0xc0) != 0x80)
938 -+ || ((p[5] & 0xc0) != 0x80))
939 -+ return -3;
940 -+ value = ((unsigned long)(*p++ & 0x1)) << 30;
941 -+ value |= ((unsigned long)(*p++ & 0x3f)) << 24;
942 -+ value |= ((unsigned long)(*p++ & 0x3f)) << 18;
943 -+ value |= ((unsigned long)(*p++ & 0x3f)) << 12;
944 -+ value |= (*p++ & 0x3f) << 6;
945 -+ value |= *p++ & 0x3f;
946 -+ if (value < 0x4000000)
947 -+ return -4;
948 -+ ret = 6;
949 -+ } else
950 -+ return -2;
951 -+ *val = value;
952 -+ return ret;
953 -+}
954 -+
955 -+/*
956 -+ * This takes a character 'value' and writes the UTF8 encoded value in 'str'
957 -+ * where 'str' is a buffer containing 'len' characters. Returns the number of
958 -+ * characters written or -1 if 'len' is too small. 'str' can be set to NULL
959 -+ * in which case it just returns the number of characters. It will need at
960 -+ * most 6 characters.
961 -+ */
962 -+
963 -+int UTF8_putc(unsigned char *str, int len, unsigned long value)
964 -+{
965 -+ if (!str)
966 -+ len = 6; /* Maximum we will need */
967 -+ else if (len <= 0)
968 -+ return -1;
969 -+ if (value < 0x80) {
970 -+ if (str)
971 -+ *str = (unsigned char)value;
972 -+ return 1;
973 -+ }
974 -+ if (value < 0x800) {
975 -+ if (len < 2)
976 -+ return -1;
977 -+ if (str) {
978 -+ *str++ = (unsigned char)(((value >> 6) & 0x1f) | 0xc0);
979 -+ *str = (unsigned char)((value & 0x3f) | 0x80);
980 -+ }
981 -+ return 2;
982 -+ }
983 -+ if (value < 0x10000) {
984 -+ if (len < 3)
985 -+ return -1;
986 -+ if (str) {
987 -+ *str++ = (unsigned char)(((value >> 12) & 0xf) | 0xe0);
988 -+ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
989 -+ *str = (unsigned char)((value & 0x3f) | 0x80);
990 -+ }
991 -+ return 3;
992 -+ }
993 -+ if (value < 0x200000) {
994 -+ if (len < 4)
995 -+ return -1;
996 -+ if (str) {
997 -+ *str++ = (unsigned char)(((value >> 18) & 0x7) | 0xf0);
998 -+ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
999 -+ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
1000 -+ *str = (unsigned char)((value & 0x3f) | 0x80);
1001 -+ }
1002 -+ return 4;
1003 -+ }
1004 -+ if (value < 0x4000000) {
1005 -+ if (len < 5)
1006 -+ return -1;
1007 -+ if (str) {
1008 -+ *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8);
1009 -+ *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
1010 -+ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
1011 -+ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
1012 -+ *str = (unsigned char)((value & 0x3f) | 0x80);
1013 -+ }
1014 -+ return 5;
1015 -+ }
1016 -+ if (len < 6)
1017 -+ return -1;
1018 -+ if (str) {
1019 -+ *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc);
1020 -+ *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80);
1021 -+ *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80);
1022 -+ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80);
1023 -+ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80);
1024 -+ *str = (unsigned char)((value & 0x3f) | 0x80);
1025 -+ }
1026 -+ return 6;
1027 -+}
1028 -diff -urN openssh-7.5p1.orig/Makefile.in openssh-7.5p1/Makefile.in
1029 ---- openssh-7.5p1.orig/Makefile.in 2017-03-30 17:33:30.983830629 +0000
1030 -+++ openssh-7.5p1/Makefile.in 2017-03-30 17:39:28.392905858 +0000
1031 -@@ -74,7 +74,7 @@
1032 - @OCSP_ON@OCSP_OBJS=ssh-ocsp.o
1033 - @OCSP_OFF@OCSP_OBJS=
1034 -
1035 --SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o
1036 -+SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o a_utf8.o
1037 - X509STORE_OBJS=x509store.o $(LDAP_OBJS)
1038 -
1039 - TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
1040
1041 diff --git a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
1042 deleted file mode 100644
1043 index 2840652..0000000
1044 --- a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
1045 +++ /dev/null
1046 @@ -1,351 +0,0 @@
1047 -https://bugs.gentoo.org/165444
1048 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008
1049 -
1050 ---- a/auth.c
1051 -+++ b/auth.c
1052 -@@ -728,120 +728,6 @@ fakepw(void)
1053 - return (&fake);
1054 - }
1055 -
1056 --/*
1057 -- * Returns the remote DNS hostname as a string. The returned string must not
1058 -- * be freed. NB. this will usually trigger a DNS query the first time it is
1059 -- * called.
1060 -- * This function does additional checks on the hostname to mitigate some
1061 -- * attacks on legacy rhosts-style authentication.
1062 -- * XXX is RhostsRSAAuthentication vulnerable to these?
1063 -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
1064 -- */
1065 --
1066 --static char *
1067 --remote_hostname(struct ssh *ssh)
1068 --{
1069 -- struct sockaddr_storage from;
1070 -- socklen_t fromlen;
1071 -- struct addrinfo hints, *ai, *aitop;
1072 -- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
1073 -- const char *ntop = ssh_remote_ipaddr(ssh);
1074 --
1075 -- /* Get IP address of client. */
1076 -- fromlen = sizeof(from);
1077 -- memset(&from, 0, sizeof(from));
1078 -- if (getpeername(ssh_packet_get_connection_in(ssh),
1079 -- (struct sockaddr *)&from, &fromlen) < 0) {
1080 -- debug("getpeername failed: %.100s", strerror(errno));
1081 -- return strdup(ntop);
1082 -- }
1083 --
1084 -- ipv64_normalise_mapped(&from, &fromlen);
1085 -- if (from.ss_family == AF_INET6)
1086 -- fromlen = sizeof(struct sockaddr_in6);
1087 --
1088 -- debug3("Trying to reverse map address %.100s.", ntop);
1089 -- /* Map the IP address to a host name. */
1090 -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
1091 -- NULL, 0, NI_NAMEREQD) != 0) {
1092 -- /* Host name not found. Use ip address. */
1093 -- return strdup(ntop);
1094 -- }
1095 --
1096 -- /*
1097 -- * if reverse lookup result looks like a numeric hostname,
1098 -- * someone is trying to trick us by PTR record like following:
1099 -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
1100 -- */
1101 -- memset(&hints, 0, sizeof(hints));
1102 -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
1103 -- hints.ai_flags = AI_NUMERICHOST;
1104 -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
1105 -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
1106 -- name, ntop);
1107 -- freeaddrinfo(ai);
1108 -- return strdup(ntop);
1109 -- }
1110 --
1111 -- /* Names are stored in lowercase. */
1112 -- lowercase(name);
1113 --
1114 -- /*
1115 -- * Map it back to an IP address and check that the given
1116 -- * address actually is an address of this host. This is
1117 -- * necessary because anyone with access to a name server can
1118 -- * define arbitrary names for an IP address. Mapping from
1119 -- * name to IP address can be trusted better (but can still be
1120 -- * fooled if the intruder has access to the name server of
1121 -- * the domain).
1122 -- */
1123 -- memset(&hints, 0, sizeof(hints));
1124 -- hints.ai_family = from.ss_family;
1125 -- hints.ai_socktype = SOCK_STREAM;
1126 -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
1127 -- logit("reverse mapping checking getaddrinfo for %.700s "
1128 -- "[%s] failed.", name, ntop);
1129 -- return strdup(ntop);
1130 -- }
1131 -- /* Look for the address from the list of addresses. */
1132 -- for (ai = aitop; ai; ai = ai->ai_next) {
1133 -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
1134 -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
1135 -- (strcmp(ntop, ntop2) == 0))
1136 -- break;
1137 -- }
1138 -- freeaddrinfo(aitop);
1139 -- /* If we reached the end of the list, the address was not there. */
1140 -- if (ai == NULL) {
1141 -- /* Address not found for the host name. */
1142 -- logit("Address %.100s maps to %.600s, but this does not "
1143 -- "map back to the address.", ntop, name);
1144 -- return strdup(ntop);
1145 -- }
1146 -- return strdup(name);
1147 --}
1148 --
1149 --/*
1150 -- * Return the canonical name of the host in the other side of the current
1151 -- * connection. The host name is cached, so it is efficient to call this
1152 -- * several times.
1153 -- */
1154 --
1155 --const char *
1156 --auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
1157 --{
1158 -- static char *dnsname;
1159 --
1160 -- if (!use_dns)
1161 -- return ssh_remote_ipaddr(ssh);
1162 -- else if (dnsname != NULL)
1163 -- return dnsname;
1164 -- else {
1165 -- dnsname = remote_hostname(ssh);
1166 -- return dnsname;
1167 -- }
1168 --}
1169 --
1170 - /*
1171 - * Runs command in a subprocess wuth a minimal environment.
1172 - * Returns pid on success, 0 on failure.
1173 ---- a/canohost.c
1174 -+++ b/canohost.c
1175 -@@ -202,3 +202,117 @@ get_local_port(int sock)
1176 - {
1177 - return get_sock_port(sock, 1);
1178 - }
1179 -+
1180 -+/*
1181 -+ * Returns the remote DNS hostname as a string. The returned string must not
1182 -+ * be freed. NB. this will usually trigger a DNS query the first time it is
1183 -+ * called.
1184 -+ * This function does additional checks on the hostname to mitigate some
1185 -+ * attacks on legacy rhosts-style authentication.
1186 -+ * XXX is RhostsRSAAuthentication vulnerable to these?
1187 -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
1188 -+ */
1189 -+
1190 -+static char *
1191 -+remote_hostname(struct ssh *ssh)
1192 -+{
1193 -+ struct sockaddr_storage from;
1194 -+ socklen_t fromlen;
1195 -+ struct addrinfo hints, *ai, *aitop;
1196 -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
1197 -+ const char *ntop = ssh_remote_ipaddr(ssh);
1198 -+
1199 -+ /* Get IP address of client. */
1200 -+ fromlen = sizeof(from);
1201 -+ memset(&from, 0, sizeof(from));
1202 -+ if (getpeername(ssh_packet_get_connection_in(ssh),
1203 -+ (struct sockaddr *)&from, &fromlen) < 0) {
1204 -+ debug("getpeername failed: %.100s", strerror(errno));
1205 -+ return strdup(ntop);
1206 -+ }
1207 -+
1208 -+ ipv64_normalise_mapped(&from, &fromlen);
1209 -+ if (from.ss_family == AF_INET6)
1210 -+ fromlen = sizeof(struct sockaddr_in6);
1211 -+
1212 -+ debug3("Trying to reverse map address %.100s.", ntop);
1213 -+ /* Map the IP address to a host name. */
1214 -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
1215 -+ NULL, 0, NI_NAMEREQD) != 0) {
1216 -+ /* Host name not found. Use ip address. */
1217 -+ return strdup(ntop);
1218 -+ }
1219 -+
1220 -+ /*
1221 -+ * if reverse lookup result looks like a numeric hostname,
1222 -+ * someone is trying to trick us by PTR record like following:
1223 -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
1224 -+ */
1225 -+ memset(&hints, 0, sizeof(hints));
1226 -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
1227 -+ hints.ai_flags = AI_NUMERICHOST;
1228 -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
1229 -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
1230 -+ name, ntop);
1231 -+ freeaddrinfo(ai);
1232 -+ return strdup(ntop);
1233 -+ }
1234 -+
1235 -+ /* Names are stored in lowercase. */
1236 -+ lowercase(name);
1237 -+
1238 -+ /*
1239 -+ * Map it back to an IP address and check that the given
1240 -+ * address actually is an address of this host. This is
1241 -+ * necessary because anyone with access to a name server can
1242 -+ * define arbitrary names for an IP address. Mapping from
1243 -+ * name to IP address can be trusted better (but can still be
1244 -+ * fooled if the intruder has access to the name server of
1245 -+ * the domain).
1246 -+ */
1247 -+ memset(&hints, 0, sizeof(hints));
1248 -+ hints.ai_family = from.ss_family;
1249 -+ hints.ai_socktype = SOCK_STREAM;
1250 -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
1251 -+ logit("reverse mapping checking getaddrinfo for %.700s "
1252 -+ "[%s] failed.", name, ntop);
1253 -+ return strdup(ntop);
1254 -+ }
1255 -+ /* Look for the address from the list of addresses. */
1256 -+ for (ai = aitop; ai; ai = ai->ai_next) {
1257 -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
1258 -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
1259 -+ (strcmp(ntop, ntop2) == 0))
1260 -+ break;
1261 -+ }
1262 -+ freeaddrinfo(aitop);
1263 -+ /* If we reached the end of the list, the address was not there. */
1264 -+ if (ai == NULL) {
1265 -+ /* Address not found for the host name. */
1266 -+ logit("Address %.100s maps to %.600s, but this does not "
1267 -+ "map back to the address.", ntop, name);
1268 -+ return strdup(ntop);
1269 -+ }
1270 -+ return strdup(name);
1271 -+}
1272 -+
1273 -+/*
1274 -+ * Return the canonical name of the host in the other side of the current
1275 -+ * connection. The host name is cached, so it is efficient to call this
1276 -+ * several times.
1277 -+ */
1278 -+
1279 -+const char *
1280 -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
1281 -+{
1282 -+ static char *dnsname;
1283 -+
1284 -+ if (!use_dns)
1285 -+ return ssh_remote_ipaddr(ssh);
1286 -+ else if (dnsname != NULL)
1287 -+ return dnsname;
1288 -+ else {
1289 -+ dnsname = remote_hostname(ssh);
1290 -+ return dnsname;
1291 -+ }
1292 -+}
1293 ---- a/readconf.c
1294 -+++ b/readconf.c
1295 -@@ -160,6 +160,7 @@ typedef enum {
1296 - oClearAllForwardings, oNoHostAuthenticationForLocalhost,
1297 - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
1298 - oAddressFamily, oGssAuthentication, oGssDelegateCreds,
1299 -+ oGssTrustDns,
1300 - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
1301 - oSendEnv, oControlPath, oControlMaster, oControlPersist,
1302 - oHashKnownHosts,
1303 -@@ -200,9 +201,11 @@ static struct {
1304 - #if defined(GSSAPI)
1305 - { "gssapiauthentication", oGssAuthentication },
1306 - { "gssapidelegatecredentials", oGssDelegateCreds },
1307 -+ { "gssapitrustdns", oGssTrustDns },
1308 - # else
1309 - { "gssapiauthentication", oUnsupported },
1310 - { "gssapidelegatecredentials", oUnsupported },
1311 -+ { "gssapitrustdns", oUnsupported },
1312 - #endif
1313 - #ifdef ENABLE_PKCS11
1314 - { "smartcarddevice", oPKCS11Provider },
1315 -@@ -954,6 +957,10 @@ parse_time:
1316 - intptr = &options->gss_deleg_creds;
1317 - goto parse_flag;
1318 -
1319 -+ case oGssTrustDns:
1320 -+ intptr = &options->gss_trust_dns;
1321 -+ goto parse_flag;
1322 -+
1323 - case oBatchMode:
1324 - intptr = &options->batch_mode;
1325 - goto parse_flag;
1326 -@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
1327 - options->challenge_response_authentication = -1;
1328 - options->gss_authentication = -1;
1329 - options->gss_deleg_creds = -1;
1330 -+ options->gss_trust_dns = -1;
1331 - options->password_authentication = -1;
1332 - options->kbd_interactive_authentication = -1;
1333 - options->kbd_interactive_devices = NULL;
1334 -@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
1335 - options->gss_authentication = 0;
1336 - if (options->gss_deleg_creds == -1)
1337 - options->gss_deleg_creds = 0;
1338 -+ if (options->gss_trust_dns == -1)
1339 -+ options->gss_trust_dns = 0;
1340 - if (options->password_authentication == -1)
1341 - options->password_authentication = 1;
1342 - if (options->kbd_interactive_authentication == -1)
1343 ---- a/readconf.h
1344 -+++ b/readconf.h
1345 -@@ -43,6 +43,7 @@ typedef struct {
1346 - /* Try S/Key or TIS, authentication. */
1347 - int gss_authentication; /* Try GSS authentication */
1348 - int gss_deleg_creds; /* Delegate GSS credentials */
1349 -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
1350 - int password_authentication; /* Try password
1351 - * authentication. */
1352 - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
1353 ---- a/ssh_config.5
1354 -+++ b/ssh_config.5
1355 -@@ -731,6 +731,16 @@ The default is
1356 - Forward (delegate) credentials to the server.
1357 - The default is
1358 - .Cm no .
1359 -+Note that this option applies to protocol version 2 connections using GSSAPI.
1360 -+.It Cm GSSAPITrustDns
1361 -+Set to
1362 -+.Dq yes to indicate that the DNS is trusted to securely canonicalize
1363 -+the name of the host being connected to. If
1364 -+.Dq no, the hostname entered on the
1365 -+command line will be passed untouched to the GSSAPI library.
1366 -+The default is
1367 -+.Dq no .
1368 -+This option only applies to protocol version 2 connections using GSSAPI.
1369 - .It Cm HashKnownHosts
1370 - Indicates that
1371 - .Xr ssh 1
1372 ---- a/sshconnect2.c
1373 -+++ b/sshconnect2.c
1374 -@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
1375 - static u_int mech = 0;
1376 - OM_uint32 min;
1377 - int ok = 0;
1378 -+ const char *gss_host;
1379 -+
1380 -+ if (options.gss_trust_dns) {
1381 -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
1382 -+ gss_host = auth_get_canonical_hostname(active_state, 1);
1383 -+ } else
1384 -+ gss_host = authctxt->host;
1385 -
1386 - /* Try one GSSAPI method at a time, rather than sending them all at
1387 - * once. */
1388 -@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
1389 - /* My DER encoding requires length<128 */
1390 - if (gss_supported->elements[mech].length < 128 &&
1391 - ssh_gssapi_check_mechanism(&gssctxt,
1392 -- &gss_supported->elements[mech], authctxt->host)) {
1393 -+ &gss_supported->elements[mech], gss_host)) {
1394 - ok = 1; /* Mechanism works */
1395 - } else {
1396 - mech++;
1397 ---
1398
1399 diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd
1400 deleted file mode 100644
1401 index cf43037..0000000
1402 --- a/net-misc/openssh/files/sshd-r1.confd
1403 +++ /dev/null
1404 @@ -1,33 +0,0 @@
1405 -# /etc/conf.d/sshd: config file for /etc/init.d/sshd
1406 -
1407 -# Where is your sshd_config file stored?
1408 -
1409 -SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
1410 -
1411 -
1412 -# Any random options you want to pass to sshd.
1413 -# See the sshd(8) manpage for more info.
1414 -
1415 -SSHD_OPTS=""
1416 -
1417 -
1418 -# Wait one second (length chosen arbitrarily) to see if sshd actually
1419 -# creates a PID file, or if it crashes for some reason like not being
1420 -# able to bind to the address in ListenAddress.
1421 -
1422 -#SSHD_SSD_OPTS="--wait 1000"
1423 -
1424 -
1425 -# Pid file to use (needs to be absolute path).
1426 -
1427 -#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
1428 -
1429 -
1430 -# Path to the sshd binary (needs to be absolute path).
1431 -
1432 -#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
1433 -
1434 -
1435 -# Path to the ssh-keygen binary (needs to be absolute path).
1436 -
1437 -#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
1438
1439 diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
1440 deleted file mode 100644
1441 index 28952b4..0000000
1442 --- a/net-misc/openssh/files/sshd.confd
1443 +++ /dev/null
1444 @@ -1,21 +0,0 @@
1445 -# /etc/conf.d/sshd: config file for /etc/init.d/sshd
1446 -
1447 -# Where is your sshd_config file stored?
1448 -
1449 -SSHD_CONFDIR="/etc/ssh"
1450 -
1451 -
1452 -# Any random options you want to pass to sshd.
1453 -# See the sshd(8) manpage for more info.
1454 -
1455 -SSHD_OPTS=""
1456 -
1457 -
1458 -# Pid file to use (needs to be absolute path).
1459 -
1460 -#SSHD_PIDFILE="/var/run/sshd.pid"
1461 -
1462 -
1463 -# Path to the sshd binary (needs to be absolute path).
1464 -
1465 -#SSHD_BINARY="/usr/sbin/sshd"
1466
1467 diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
1468 deleted file mode 100644
1469 index b801aaa..0000000
1470 --- a/net-misc/openssh/files/sshd.pam_include.2
1471 +++ /dev/null
1472 @@ -1,4 +0,0 @@
1473 -auth include system-remote-login
1474 -account include system-remote-login
1475 -password include system-remote-login
1476 -session include system-remote-login
1477
1478 diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
1479 deleted file mode 100644
1480 index 5e30142..0000000
1481 --- a/net-misc/openssh/files/sshd.rc6.4
1482 +++ /dev/null
1483 @@ -1,84 +0,0 @@
1484 -#!/sbin/openrc-run
1485 -# Copyright 1999-2015 Gentoo Foundation
1486 -# Distributed under the terms of the GNU General Public License v2
1487 -
1488 -extra_commands="checkconfig"
1489 -extra_started_commands="reload"
1490 -
1491 -: ${SSHD_CONFDIR:=/etc/ssh}
1492 -: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
1493 -: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
1494 -: ${SSHD_BINARY:=/usr/sbin/sshd}
1495 -
1496 -depend() {
1497 - use logger dns
1498 - if [ "${rc_need+set}" = "set" ] ; then
1499 - : # Do nothing, the user has explicitly set rc_need
1500 - else
1501 - local x warn_addr
1502 - for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
1503 - case "${x}" in
1504 - 0.0.0.0|0.0.0.0:*) ;;
1505 - ::|\[::\]*) ;;
1506 - *) warn_addr="${warn_addr} ${x}" ;;
1507 - esac
1508 - done
1509 - if [ -n "${warn_addr}" ] ; then
1510 - need net
1511 - ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
1512 - ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
1513 - ewarn "where FOO is the interface(s) providing the following address(es):"
1514 - ewarn "${warn_addr}"
1515 - fi
1516 - fi
1517 -}
1518 -
1519 -checkconfig() {
1520 - if [ ! -d /var/empty ] ; then
1521 - mkdir -p /var/empty || return 1
1522 - fi
1523 -
1524 - if [ ! -e "${SSHD_CONFIG}" ] ; then
1525 - eerror "You need an ${SSHD_CONFIG} file to run sshd"
1526 - eerror "There is a sample file in /usr/share/doc/openssh"
1527 - return 1
1528 - fi
1529 -
1530 - ssh-keygen -A || return 1
1531 -
1532 - [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
1533 - && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
1534 - [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
1535 - && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
1536 -
1537 - "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
1538 -}
1539 -
1540 -start() {
1541 - checkconfig || return 1
1542 -
1543 - ebegin "Starting ${SVCNAME}"
1544 - start-stop-daemon --start --exec "${SSHD_BINARY}" \
1545 - --pidfile "${SSHD_PIDFILE}" \
1546 - -- ${SSHD_OPTS}
1547 - eend $?
1548 -}
1549 -
1550 -stop() {
1551 - if [ "${RC_CMD}" = "restart" ] ; then
1552 - checkconfig || return 1
1553 - fi
1554 -
1555 - ebegin "Stopping ${SVCNAME}"
1556 - start-stop-daemon --stop --exec "${SSHD_BINARY}" \
1557 - --pidfile "${SSHD_PIDFILE}" --quiet
1558 - eend $?
1559 -}
1560 -
1561 -reload() {
1562 - checkconfig || return 1
1563 - ebegin "Reloading ${SVCNAME}"
1564 - start-stop-daemon --signal HUP \
1565 - --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
1566 - eend $?
1567 -}
1568
1569 diff --git a/net-misc/openssh/files/sshd.rc6.5 b/net-misc/openssh/files/sshd.rc6.5
1570 deleted file mode 100644
1571 index 044cbe7..0000000
1572 --- a/net-misc/openssh/files/sshd.rc6.5
1573 +++ /dev/null
1574 @@ -1,89 +0,0 @@
1575 -#!/sbin/openrc-run
1576 -# Copyright 1999-2018 Gentoo Foundation
1577 -# Distributed under the terms of the GNU General Public License v2
1578 -
1579 -extra_commands="checkconfig"
1580 -extra_started_commands="reload"
1581 -
1582 -: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
1583 -: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
1584 -: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
1585 -: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
1586 -: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
1587 -
1588 -command="${SSHD_BINARY}"
1589 -pidfile="${SSHD_PIDFILE}"
1590 -command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
1591 -
1592 -# Wait one second (length chosen arbitrarily) to see if sshd actually
1593 -# creates a PID file, or if it crashes for some reason like not being
1594 -# able to bind to the address in ListenAddress (bug 617596).
1595 -: ${SSHD_SSD_OPTS:=--wait 1000}
1596 -start_stop_daemon_args="${SSHD_SSD_OPTS}"
1597 -
1598 -depend() {
1599 - # Entropy can be used by ssh-keygen, among other things, but
1600 - # is not strictly required (bug 470020).
1601 - use logger dns entropy
1602 - if [ "${rc_need+set}" = "set" ] ; then
1603 - : # Do nothing, the user has explicitly set rc_need
1604 - else
1605 - local x warn_addr
1606 - for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
1607 - case "${x}" in
1608 - 0.0.0.0|0.0.0.0:*) ;;
1609 - ::|\[::\]*) ;;
1610 - *) warn_addr="${warn_addr} ${x}" ;;
1611 - esac
1612 - done
1613 - if [ -n "${warn_addr}" ] ; then
1614 - need net
1615 - ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
1616 - ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
1617 - ewarn "where FOO is the interface(s) providing the following address(es):"
1618 - ewarn "${warn_addr}"
1619 - fi
1620 - fi
1621 -}
1622 -
1623 -checkconfig() {
1624 - checkpath --directory "${RC_PREFIX%/}/var/empty"
1625 -
1626 - if [ ! -e "${SSHD_CONFIG}" ] ; then
1627 - eerror "You need an ${SSHD_CONFIG} file to run sshd"
1628 - eerror "There is a sample file in /usr/share/doc/openssh"
1629 - return 1
1630 - fi
1631 -
1632 - ${SSHD_KEYGEN_BINARY} -A || return 2
1633 -
1634 - "${command}" -t ${command_args} || return 3
1635 -}
1636 -
1637 -start_pre() {
1638 - # If this isn't a restart, make sure that the user's config isn't
1639 - # busted before we try to start the daemon (this will produce
1640 - # better error messages than if we just try to start it blindly).
1641 - #
1642 - # If, on the other hand, this *is* a restart, then the stop_pre
1643 - # action will have ensured that the config is usable and we don't
1644 - # need to do that again.
1645 - if [ "${RC_CMD}" != "restart" ] ; then
1646 - checkconfig || return $?
1647 - fi
1648 -}
1649 -
1650 -stop_pre() {
1651 - # If this is a restart, check to make sure the user's config
1652 - # isn't busted before we stop the running daemon.
1653 - if [ "${RC_CMD}" = "restart" ] ; then
1654 - checkconfig || return $?
1655 - fi
1656 -}
1657 -
1658 -reload() {
1659 - checkconfig || return $?
1660 - ebegin "Reloading ${SVCNAME}"
1661 - start-stop-daemon --signal HUP --pidfile "${pidfile}"
1662 - eend $?
1663 -}
1664
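diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
deleted file mode 100644
index b5e96b3..0000000
--- a/net-misc/openssh/files/sshd.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
-
-[Service]
-ExecStartPre=/usr/bin/ssh-keygen -A
-ExecStart=/usr/sbin/sshd -D -e
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target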
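diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
deleted file mode 100644
index 94b9533..0000000
--- a/net-misc/openssh/files/sshd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=OpenSSH Server Socket
-Conflicts=sshd.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target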
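diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
deleted file mode 100644
index 2645ad0..0000000
--- a/net-misc/openssh/files/sshd_at.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=OpenSSH per-connection server daemon
-After=syslog.target auditd.service
-
-[Service]
-ExecStart=-/usr/sbin/sshd -i -e
-StandardInput=socket
-StandardError=syslog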
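diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
deleted file mode 100644
index 29134fc..0000000
--- a/net-misc/openssh/metadata.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
- <maintainer type="project">
- <email>base-system@g.o</email>
- <name>Gentoo Base System</name>
- </maintainer>
- <maintainer type="person">
- <email>robbat2@g.o</email>
- <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
- </maintainer>
- <longdescription>
-OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
-increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
-rlogin, ftp, and other such programs might not realize that their password is transmitted
-across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
-to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
-Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
-of authentication methods.
-
-The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
-replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
-the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
-ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
-</longdescription>
- <use>
- <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
- <flag name="hpn">Enable high performance ssh</flag>
- <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
- <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
- <flag name="livecd">Enable root password logins for live-cd environment.</flag>
- <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
- <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
- <flag name="X509">Adds support for X.509 certificate authentication</flag>
- </use>
- <upstream>
- <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
- <remote-id type="sourceforge">hpnssh</remote-id>
- </upstream>
-</pkgmetadata>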
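diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r4.ebuild
deleted file mode 100644
index b5a28c5..0000000
--- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild
+++ /dev/null
@@ -1,335 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
-SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
-X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
- ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap !sctp ssl )
- test? ( ssl )"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- !libressl? (
- >=dev-libs/openssl-1.0.1:0=[bindist=]
- dev-libs/openssl:0=[static-libs(+)]
- )
- libressl? ( dev-libs/libressl:0=[static-libs(+)] )
- )
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- if use X509 ; then
- if use hpn ; then
- pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
- epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
- popd >/dev/null
- fi
- save_version X509
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- fi
-
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
-
- use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-libressl_arc4random.patch
- epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
- epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
- epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
- use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252
- use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
- use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
- use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
- if use hpn ; then
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use X509 || use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
- elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
- fi
- if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-}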
2104 diff --git a/net-misc/openssh/openssh-7.7_p1-r5.ebuild b/net-misc/openssh/openssh-7.7_p1-r5.ebuild
2105 deleted file mode 100644
2106 index d29c032..0000000
2107 --- a/net-misc/openssh/openssh-7.7_p1-r5.ebuild
2108 +++ /dev/null
2109 @@ -1,434 +0,0 @@
2110 -# Copyright 1999-2018 Gentoo Foundation
2111 -# Distributed under the terms of the GNU General Public License v2
2112 -
2113 -EAPI=6
2114 -
2115 -inherit user flag-o-matic multilib autotools pam systemd versionator
2116 -
2117 -# Make it more portable between straight releases
2118 -# and _p? releases.
2119 -PARCH=${P/_}
2120 -
2121 -HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
2122 -SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
2123 -X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
2124 -
2125 -# Disable LDAP support until someone will rewrite the patch,
2126 -# upstream removed auth_parse_options() via commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
2127 -#LDAP_VER="0.3.14" LDAP_PATCH="${PN}-lpk-7.7p1-${LDAP_VER}.patch.xz"
2128 -
2129 -PATCH_SET="openssh-7.7p1-patches-1.1"
2130 -
2131 -DESCRIPTION="Port of OpenBSD's free SSH release"
2132 -HOMEPAGE="https://www.openssh.com/"
2133 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2134 - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
2135 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
2136 - ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
2137 - ${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~whissi/dist/openssh/${LDAP_PATCH} )}
2138 - ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
2139 - "
2140 -
2141 -LICENSE="BSD GPL-2"
2142 -SLOT="0"
2143 -KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2144 -# Probably want to drop ssl defaulting to on in a future version.
2145 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
2146 -REQUIRED_USE="ldns? ( ssl )
2147 - pie? ( !static )
2148 - static? ( !kerberos !pam )
2149 - X509? ( !ldap !sctp ssl )
2150 - test? ( ssl )"
2151 -
2152 -LIB_DEPEND="
2153 - audit? ( sys-process/audit[static-libs(+)] )
2154 - ldns? (
2155 - net-libs/ldns[static-libs(+)]
2156 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
2157 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
2158 - )
2159 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
2160 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2161 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2162 - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
2163 - ssl? (
2164 - !libressl? (
2165 - >=dev-libs/openssl-1.0.1:0=[bindist=]
2166 - dev-libs/openssl:0=[static-libs(+)]
2167 - )
2168 - libressl? ( dev-libs/libressl:0=[static-libs(+)] )
2169 - )
2170 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
2171 -RDEPEND="
2172 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2173 - pam? ( virtual/pam )
2174 - kerberos? ( virtual/krb5 )
2175 - ldap? ( net-nds/openldap )"
2176 -DEPEND="${RDEPEND}
2177 - static? ( ${LIB_DEPEND} )
2178 - virtual/pkgconfig
2179 - virtual/os-headers
2180 - sys-devel/autoconf"
2181 -RDEPEND="${RDEPEND}
2182 - pam? ( >=sys-auth/pambase-20081028 )
2183 - userland_GNU? ( virtual/shadow )
2184 - X? ( x11-apps/xauth )"
2185 -
2186 -S="${WORKDIR}/${PARCH}"
2187 -
2188 -pkg_pretend() {
2189 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
2190 - # than not be able to log in to their server any more
2191 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2192 - local fail="
2193 - $(use hpn && maybe_fail hpn HPN_PATCH)
2194 - $(use ldap && maybe_fail ldap LDAP_PATCH)
2195 - $(use sctp && maybe_fail sctp SCTP_PATCH)
2196 - $(use X509 && maybe_fail X509 X509_PATCH)
2197 - "
2198 - fail=$(echo ${fail})
2199 - if [[ -n ${fail} ]] ; then
2200 - eerror "Sorry, but this version does not yet support features"
2201 - eerror "that you requested: ${fail}"
2202 - eerror "Please mask ${PF} for now and check back later:"
2203 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2204 - die "booooo"
2205 - fi
2206 -
2207 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
2208 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
2209 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2210 - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
2211 - fi
2212 -}
2213 -
2214 -src_prepare() {
2215 - sed -i \
2216 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
2217 - pathnames.h || die
2218 -
2219 - # don't break .ssh/authorized_keys2 for fun
2220 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2221 -
2222 - eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2223 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2224 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
2225 -
2226 - local PATCHSET_VERSION_MACROS=()
2227 -
2228 - if use X509 ; then
2229 - eapply "${WORKDIR}"/${X509_PATCH%.*}
2230 -
2231 - # We need to patch package version or any X.509 sshd will reject our ssh client
2232 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
2233 - # error
2234 - einfo "Patching package version for X.509 patch set ..."
2235 - sed -i \
2236 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
2237 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
2238 -
2239 - einfo "Patching version.h to expose X.509 patch set ..."
2240 - sed -i \
2241 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
2242 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
2243 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
2244 -
2245 - einfo "Disabling broken X.509 agent test ..."
2246 - sed -i \
2247 - -e "/^ agent$/d" \
2248 - "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
2249 -
2250 - # The following patches don't apply on top of X509 patch
2251 - rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
2252 - rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
2253 - rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
2254 - rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
2255 - else
2256 - rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
2257 - rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
2258 - fi
2259 -
2260 - if use ldap ; then
2261 - eapply "${WORKDIR}"/${LDAP_PATCH%.*}
2262 -
2263 - einfo "Patching version.h to expose LDAP patch set ..."
2264 - sed -i \
2265 - -e "/^#define SSH_PORTABLE.*/a #define SSH_LDAP \"-ldap-${LDAP_VER}\"" \
2266 - "${S}"/version.h || die "Failed to sed-in LDAP patch version"
2267 - PATCHSET_VERSION_MACROS+=( 'SSH_LDAP' )
2268 - fi
2269 -
2270 - if use sctp ; then
2271 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
2272 -
2273 - einfo "Patching version.h to expose SCTP patch set ..."
2274 - sed -i \
2275 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
2276 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
2277 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
2278 -
2279 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
2280 - sed -i \
2281 - -e "/\t\tcfgparse \\\/d" \
2282 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
2283 - fi
2284 -
2285 - if use hpn ; then
2286 - eapply "${WORKDIR}"/${HPN_PATCH%.*}
2287 -
2288 - einfo "Patching Makefile.in for HPN patch set ..."
2289 - sed -i \
2290 - -e "/^LIBS=/ s/\$/ -lpthread/" \
2291 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
2292 -
2293 - einfo "Patching version.h to expose HPN patch set ..."
2294 - sed -i \
2295 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
2296 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
2297 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
2298 -
2299 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2300 - einfo "Disabling known non-working MT AES cipher per default ..."
2301 -
2302 - cat > "${T}"/disable_mtaes.conf <<- EOF
2303 -
2304 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
2305 - # and therefore disabled per default.
2306 - DisableMTAES yes
2307 - EOF
2308 - sed -i \
2309 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
2310 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
2311 -
2312 - sed -i \
2313 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
2314 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
2315 - fi
2316 - fi
2317 -
2318 - if use X509 || use hpn ; then
2319 - einfo "Patching packet.c for X509 and/or HPN patch set ..."
2320 - sed -i \
2321 - -e "s/const struct sshcipher/struct sshcipher/" \
2322 - "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
2323 - fi
2324 -
2325 - if use X509 || use sctp || use ldap || use hpn ; then
2326 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
2327 - sed -i \
2328 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2329 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
2330 -
2331 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
2332 - sed -i \
2333 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2334 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
2335 -
2336 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
2337 - sed -i \
2338 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
2339 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
2340 - fi
2341 -
2342 - sed -i \
2343 - -e "/#UseLogin no/d" \
2344 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
2345 -
2346 - eapply "${WORKDIR}"/patch/*.patch
2347 -
2348 - use X509 || eapply "${FILESDIR}"/${PN}-7.5_p1-libressl_arc4random.patch
2349 - eapply_user #473004
2350 -
2351 - tc-export PKG_CONFIG
2352 - local sed_args=(
2353 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
2354 - # Disable PATH reset, trust what portage gives us #254615
2355 - -e 's:^PATH=/:#PATH=/:'
2356 - # Disable fortify flags ... our gcc does this for us
2357 - -e 's:-D_FORTIFY_SOURCE=2::'
2358 - )
2359 -
2360 - # The -ftrapv flag ICEs on hppa #505182
2361 - use hppa && sed_args+=(
2362 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
2363 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
2364 - )
2365 - # _XOPEN_SOURCE causes header conflicts on Solaris
2366 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
2367 - -e 's/-D_XOPEN_SOURCE//'
2368 - )
2369 - sed -i "${sed_args[@]}" configure{.ac,} || die
2370 -
2371 - eautoreconf
2372 -}
2373 -
2374 -src_configure() {
2375 - addwrite /dev/ptmx
2376 -
2377 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
2378 - use static && append-ldflags -static
2379 -
2380 - local myconf=(
2381 - --with-ldflags="${LDFLAGS}"
2382 - --disable-strip
2383 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
2384 - --sysconfdir="${EPREFIX%/}"/etc/ssh
2385 - --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
2386 - --datadir="${EPREFIX%/}"/usr/share/openssh
2387 - --with-privsep-path="${EPREFIX%/}"/var/empty
2388 - --with-privsep-user=sshd
2389 - $(use_with audit audit linux)
2390 - $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
2391 - # We apply the ldap and sctp patch conditionally, so can't pass --without-{ldap,sctp}
2392 - # unconditionally else we get unknown flag warnings.
2393 - $(use ldap && use_with ldap)
2394 - $(use sctp && use_with sctp)
2395 - $(use_with ldns)
2396 - $(use_with libedit)
2397 - $(use_with pam)
2398 - $(use_with pie)
2399 - $(use_with selinux)
2400 - $(use_with skey)
2401 - $(use_with ssl openssl)
2402 - $(use_with ssl md5-passwords)
2403 - $(use_with ssl ssl-engine)
2404 - )
2405 -
2406 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2407 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2408 -
2409 - econf "${myconf[@]}"
2410 -}
2411 -
2412 -src_test() {
2413 - local t skipped=() failed=() passed=()
2414 - local tests=( interop-tests compat-tests )
2415 -
2416 - local shell=$(egetshell "${UID}")
2417 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2418 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2419 - elog "user, so we will run a subset only."
2420 - skipped+=( tests )
2421 - else
2422 - tests+=( tests )
2423 - fi
2424 -
2425 - # It will also attempt to write to the homedir .ssh.
2426 - local sshhome=${T}/homedir
2427 - mkdir -p "${sshhome}"/.ssh
2428 - for t in "${tests[@]}" ; do
2429 - # Some tests read from stdin ...
2430 - HOMEDIR="${sshhome}" HOME="${sshhome}" \
2431 - emake -k -j1 ${t} </dev/null \
2432 - && passed+=( "${t}" ) \
2433 - || failed+=( "${t}" )
2434 - done
2435 -
2436 - einfo "Passed tests: ${passed[*]}"
2437 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2438 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2439 -}
2440 -
2441 -src_install() {
2442 - emake install-nokeys DESTDIR="${D}"
2443 - fperms 600 /etc/ssh/sshd_config
2444 - dobin contrib/ssh-copy-id
2445 - newinitd "${FILESDIR}"/sshd.rc6.5 sshd
2446 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
2447 -
2448 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
2449 - if use pam ; then
2450 - sed -i \
2451 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
2452 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
2453 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
2454 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
2455 - "${ED%/}"/etc/ssh/sshd_config || die
2456 - fi
2457 -
2458 - # Gentoo tweaks to default config files
2459 - cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
2460 -
2461 - # Allow client to pass locale environment variables #367017
2462 - AcceptEnv LANG LC_*
2463 - EOF
2464 - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
2465 -
2466 - # Send locale environment variables #367017
2467 - SendEnv LANG LC_*
2468 - EOF
2469 -
2470 - if use livecd ; then
2471 - sed -i \
2472 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
2473 - "${ED%/}"/etc/ssh/sshd_config || die
2474 - fi
2475 -
2476 - if use ldap && [[ -n ${LDAP_PATCH} ]] ; then
2477 - insinto /etc/openldap/schema/
2478 - newins openssh-lpk_openldap.schema openssh-lpk.schema
2479 - fi
2480 -
2481 - doman contrib/ssh-copy-id.1
2482 - dodoc CREDITS OVERVIEW README* TODO sshd_config
2483 - use hpn && dodoc HPN-README
2484 - use X509 || dodoc ChangeLog
2485 -
2486 - diropts -m 0700
2487 - dodir /etc/skel/.ssh
2488 -
2489 - keepdir /var/empty
2490 -
2491 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
2492 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
2493 -}
2494 -
2495 -pkg_preinst() {
2496 - enewgroup sshd 22
2497 - enewuser sshd 22 -1 /var/empty sshd
2498 -}
2499 -
2500 -pkg_postinst() {
2501 - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
2502 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
2503 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2504 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2505 - fi
2506 - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
2507 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
2508 - elog "Make sure to update any configs that you might have. Note that xinetd might"
2509 - elog "be an alternative for you as it supports USE=tcpd."
2510 - fi
2511 - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
2512 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
2513 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
2514 - elog "adding to your sshd_config or ~/.ssh/config files:"
2515 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
2516 - elog "You should however generate new keys using rsa or ed25519."
2517 -
2518 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
2519 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
2520 - elog "out of the box. If you need this, please update your sshd_config explicitly."
2521 - fi
2522 - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
2523 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
2524 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
2525 - fi
2526 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
2527 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
2528 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
2529 - elog "and update all clients/servers that utilize them."
2530 - fi
2531 -
2532 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2533 - elog ""
2534 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
2535 - elog "and therefore disabled at runtime per default."
2536 - elog "Make sure your sshd_config is up to date and contains"
2537 - elog ""
2538 - elog " DisableMTAES yes"
2539 - elog ""
2540 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
2541 - elog ""
2542 - fi
2543 -}
2544
2545 diff --git a/net-misc/openssh/openssh-7.7_p1-r6.ebuild b/net-misc/openssh/openssh-7.7_p1-r6.ebuild
2546 deleted file mode 100644
2547 index 3744cc2..0000000
2548 --- a/net-misc/openssh/openssh-7.7_p1-r6.ebuild
2549 +++ /dev/null
2550 @@ -1,458 +0,0 @@
2551 -# Copyright 1999-2018 Gentoo Foundation
2552 -# Distributed under the terms of the GNU General Public License v2
2553 -
2554 -EAPI=6
2555 -
2556 -inherit user flag-o-matic multilib autotools pam systemd versionator
2557 -
2558 -# Make it more portable between straight releases
2559 -# and _p? releases.
2560 -PARCH=${P/_}
2561 -
2562 -HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
2563 -SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
2564 -X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
2565 -
2566 -# Disable LDAP support until someone will rewrite the patch,
2567 -# upstream removed auth_parse_options() via commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
2568 -#LDAP_VER="0.3.14" LDAP_PATCH="${PN}-lpk-7.7p1-${LDAP_VER}.patch.xz"
2569 -
2570 -PATCH_SET="openssh-7.7p1-patches-1.1"
2571 -
2572 -DESCRIPTION="Port of OpenBSD's free SSH release"
2573 -HOMEPAGE="https://www.openssh.com/"
2574 -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
2575 - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
2576 - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
2577 - ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
2578 - ${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~whissi/dist/openssh/${LDAP_PATCH} )}
2579 - ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
2580 - "
2581 -
2582 -LICENSE="BSD GPL-2"
2583 -SLOT="0"
2584 -KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
2585 -# Probably want to drop ssl defaulting to on in a future version.
2586 -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
2587 -REQUIRED_USE="ldns? ( ssl )
2588 - pie? ( !static )
2589 - static? ( !kerberos !pam )
2590 - X509? ( !ldap !sctp ssl )
2591 - test? ( ssl )"
2592 -
2593 -LIB_DEPEND="
2594 - audit? ( sys-process/audit[static-libs(+)] )
2595 - ldns? (
2596 - net-libs/ldns[static-libs(+)]
2597 - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
2598 - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
2599 - )
2600 - libedit? ( dev-libs/libedit:=[static-libs(+)] )
2601 - sctp? ( net-misc/lksctp-tools[static-libs(+)] )
2602 - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
2603 - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
2604 - ssl? (
2605 - !libressl? (
2606 - >=dev-libs/openssl-1.0.1:0=[bindist=]
2607 - dev-libs/openssl:0=[static-libs(+)]
2608 - )
2609 - libressl? ( dev-libs/libressl:0=[static-libs(+)] )
2610 - )
2611 - >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
2612 -RDEPEND="
2613 - !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
2614 - pam? ( virtual/pam )
2615 - kerberos? ( virtual/krb5 )
2616 - ldap? ( net-nds/openldap )"
2617 -DEPEND="${RDEPEND}
2618 - static? ( ${LIB_DEPEND} )
2619 - virtual/pkgconfig
2620 - virtual/os-headers
2621 - sys-devel/autoconf"
2622 -RDEPEND="${RDEPEND}
2623 - pam? ( >=sys-auth/pambase-20081028 )
2624 - userland_GNU? ( virtual/shadow )
2625 - X? ( x11-apps/xauth )"
2626 -
2627 -S="${WORKDIR}/${PARCH}"
2628 -
2629 -pkg_pretend() {
2630 - # this sucks, but i'd rather have people unable to `emerge -u openssh`
2631 - # than not be able to log in to their server any more
2632 - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
2633 - local fail="
2634 - $(use hpn && maybe_fail hpn HPN_PATCH)
2635 - $(use ldap && maybe_fail ldap LDAP_PATCH)
2636 - $(use sctp && maybe_fail sctp SCTP_PATCH)
2637 - $(use X509 && maybe_fail X509 X509_PATCH)
2638 - "
2639 - fail=$(echo ${fail})
2640 - if [[ -n ${fail} ]] ; then
2641 - eerror "Sorry, but this version does not yet support features"
2642 - eerror "that you requested: ${fail}"
2643 - eerror "Please mask ${PF} for now and check back later:"
2644 - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
2645 - die "booooo"
2646 - fi
2647 -
2648 - # Make sure people who are using tcp wrappers are notified of its removal. #531156
2649 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
2650 - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
2651 - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
2652 - fi
2653 -}
2654 -
2655 -src_prepare() {
2656 - sed -i \
2657 - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
2658 - pathnames.h || die
2659 -
2660 - # don't break .ssh/authorized_keys2 for fun
2661 - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
2662 -
2663 - eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
2664 - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
2665 - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
2666 -
2667 - local PATCHSET_VERSION_MACROS=()
2668 -
2669 - if use X509 ; then
2670 - eapply "${WORKDIR}"/${X509_PATCH%.*}
2671 -
2672 - # We need to patch package version or any X.509 sshd will reject our ssh client
2673 - # with "userauth_pubkey: could not parse key: string is too large [preauth]"
2674 - # error
2675 - einfo "Patching package version for X.509 patch set ..."
2676 - sed -i \
2677 - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
2678 - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
2679 -
2680 - einfo "Patching version.h to expose X.509 patch set ..."
2681 - sed -i \
2682 - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
2683 - "${S}"/version.h || die "Failed to sed-in X.509 patch version"
2684 - PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
2685 -
2686 - einfo "Disabling broken X.509 agent test ..."
2687 - sed -i \
2688 - -e "/^ agent$/d" \
2689 - "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
2690 -
2691 - # The following patches don't apply on top of X509 patch
2692 - rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
2693 - rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
2694 - rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
2695 - rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
2696 - else
2697 - rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
2698 - rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
2699 - fi
2700 -
2701 - if use ldap ; then
2702 - eapply "${WORKDIR}"/${LDAP_PATCH%.*}
2703 -
2704 - einfo "Patching version.h to expose LDAP patch set ..."
2705 - sed -i \
2706 - -e "/^#define SSH_PORTABLE.*/a #define SSH_LDAP \"-ldap-${LDAP_VER}\"" \
2707 - "${S}"/version.h || die "Failed to sed-in LDAP patch version"
2708 - PATCHSET_VERSION_MACROS+=( 'SSH_LDAP' )
2709 - fi
2710 -
2711 - if use sctp ; then
2712 - eapply "${WORKDIR}"/${SCTP_PATCH%.*}
2713 -
2714 - einfo "Patching version.h to expose SCTP patch set ..."
2715 - sed -i \
2716 - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
2717 - "${S}"/version.h || die "Failed to sed-in SCTP patch version"
2718 - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
2719 -
2720 - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
2721 - sed -i \
2722 - -e "/\t\tcfgparse \\\/d" \
2723 - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
2724 - fi
2725 -
2726 - if use hpn ; then
2727 - eapply "${WORKDIR}"/${HPN_PATCH%.*}
2728 -
2729 - einfo "Patching Makefile.in for HPN patch set ..."
2730 - sed -i \
2731 - -e "/^LIBS=/ s/\$/ -lpthread/" \
2732 - "${S}"/Makefile.in || die "Failed to patch Makefile.in"
2733 -
2734 - einfo "Patching version.h to expose HPN patch set ..."
2735 - sed -i \
2736 - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
2737 - "${S}"/version.h || die "Failed to sed-in HPN patch version"
2738 - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
2739 -
2740 - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2741 - einfo "Disabling known non-working MT AES cipher per default ..."
2742 -
2743 - cat > "${T}"/disable_mtaes.conf <<- EOF
2744 -
2745 - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
2746 - # and therefore disabled per default.
2747 - DisableMTAES yes
2748 - EOF
2749 - sed -i \
2750 - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
2751 - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
2752 -
2753 - sed -i \
2754 - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
2755 - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
2756 - fi
2757 - fi
2758 -
2759 - if use X509 || use hpn ; then
2760 - einfo "Patching packet.c for X509 and/or HPN patch set ..."
2761 - sed -i \
2762 - -e "s/const struct sshcipher/struct sshcipher/" \
2763 - "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
2764 - fi
2765 -
2766 - if use X509 || use sctp || use ldap || use hpn ; then
2767 - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
2768 - sed -i \
2769 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2770 - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
2771 -
2772 - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
2773 - sed -i \
2774 - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
2775 - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
2776 -
2777 - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
2778 - sed -i \
2779 - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
2780 - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
2781 - fi
2782 -
2783 - sed -i \
2784 - -e "/#UseLogin no/d" \
2785 - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
2786 -
2787 - eapply "${WORKDIR}"/patch/*.patch
2788 -
2789 - use X509 || eapply "${FILESDIR}"/${PN}-7.5_p1-libressl_arc4random.patch
2790 - eapply_user #473004
2791 -
2792 - tc-export PKG_CONFIG
2793 - local sed_args=(
2794 - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
2795 - # Disable PATH reset, trust what portage gives us #254615
2796 - -e 's:^PATH=/:#PATH=/:'
2797 - # Disable fortify flags ... our gcc does this for us
2798 - -e 's:-D_FORTIFY_SOURCE=2::'
2799 - )
2800 -
2801 - # The -ftrapv flag ICEs on hppa #505182
2802 - use hppa && sed_args+=(
2803 - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
2804 - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
2805 - )
2806 - # _XOPEN_SOURCE causes header conflicts on Solaris
2807 - [[ ${CHOST} == *-solaris* ]] && sed_args+=(
2808 - -e 's/-D_XOPEN_SOURCE//'
2809 - )
2810 - sed -i "${sed_args[@]}" configure{.ac,} || die
2811 -
2812 - eautoreconf
2813 -}
2814 -
2815 -src_configure() {
2816 - addwrite /dev/ptmx
2817 -
2818 - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
2819 - use static && append-ldflags -static
2820 -
2821 - local myconf=(
2822 - --with-ldflags="${LDFLAGS}"
2823 - --disable-strip
2824 - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
2825 - --sysconfdir="${EPREFIX%/}"/etc/ssh
2826 - --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
2827 - --datadir="${EPREFIX%/}"/usr/share/openssh
2828 - --with-privsep-path="${EPREFIX%/}"/var/empty
2829 - --with-privsep-user=sshd
2830 - $(use_with audit audit linux)
2831 - $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
2832 - # We apply the ldap and sctp patch conditionally, so can't pass --without-{ldap,sctp}
2833 - # unconditionally else we get unknown flag warnings.
2834 - $(use ldap && use_with ldap)
2835 - $(use sctp && use_with sctp)
2836 - $(use_with ldns)
2837 - $(use_with libedit)
2838 - $(use_with pam)
2839 - $(use_with pie)
2840 - $(use_with selinux)
2841 - $(use_with skey)
2842 - $(use_with ssl openssl)
2843 - $(use_with ssl md5-passwords)
2844 - $(use_with ssl ssl-engine)
2845 - )
2846 -
2847 - # The seccomp sandbox is broken on x32, so use the older method for now. #553748
2848 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
2849 -
2850 - econf "${myconf[@]}"
2851 -}
2852 -
2853 -src_test() {
2854 - local t skipped=() failed=() passed=()
2855 - local tests=( interop-tests compat-tests )
2856 -
2857 - local shell=$(egetshell "${UID}")
2858 - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
2859 - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
2860 - elog "user, so we will run a subset only."
2861 - skipped+=( tests )
2862 - else
2863 - tests+=( tests )
2864 - fi
2865 -
2866 - # It will also attempt to write to the homedir .ssh.
2867 - local sshhome=${T}/homedir
2868 - mkdir -p "${sshhome}"/.ssh
2869 - for t in "${tests[@]}" ; do
2870 - # Some tests read from stdin ...
2871 - HOMEDIR="${sshhome}" HOME="${sshhome}" \
2872 - emake -k -j1 ${t} </dev/null \
2873 - && passed+=( "${t}" ) \
2874 - || failed+=( "${t}" )
2875 - done
2876 -
2877 - einfo "Passed tests: ${passed[*]}"
2878 - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
2879 - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
2880 -}
2881 -
2882 -# Gentoo tweaks to default config files.
2883 -tweak_ssh_configs() {
2884 - local locale_vars=(
2885 - # These are language variables that POSIX defines.
2886 - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
2887 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
2888 -
2889 - # These are the GNU extensions.
2890 - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
2891 - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
2892 - )
2893 -
2894 - # First the server config.
2895 - cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
2896 -
2897 - # Allow client to pass locale environment variables. #367017
2898 - AcceptEnv ${locale_vars[*]}
2899 -
2900 - # Allow client to pass COLORTERM to match TERM. #658540
2901 - AcceptEnv COLORTERM
2902 - EOF
2903 -
2904 - # Then the client config.
2905 - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
2906 -
2907 - # Send locale environment variables. #367017
2908 - SendEnv ${locale_vars[*]}
2909 -
2910 - # Send COLORTERM to match TERM. #658540
2911 - SendEnv COLORTERM
2912 - EOF
2913 -
2914 - if use pam ; then
2915 - sed -i \
2916 - -e "/^#UsePAM /s:.*:UsePAM yes:" \
2917 - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
2918 - -e "/^#PrintMotd /s:.*:PrintMotd no:" \
2919 - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
2920 - "${ED%/}"/etc/ssh/sshd_config || die
2921 - fi
2922 -
2923 - if use livecd ; then
2924 - sed -i \
2925 - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
2926 - "${ED%/}"/etc/ssh/sshd_config || die
2927 - fi
2928 -}
2929 -
2930 -src_install() {
2931 - emake install-nokeys DESTDIR="${D}"
2932 - fperms 600 /etc/ssh/sshd_config
2933 - dobin contrib/ssh-copy-id
2934 - newinitd "${FILESDIR}"/sshd.rc6.5 sshd
2935 - newconfd "${FILESDIR}"/sshd-r1.confd sshd
2936 -
2937 - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
2938 -
2939 - tweak_ssh_configs
2940 -
2941 - if use ldap && [[ -n ${LDAP_PATCH} ]] ; then
2942 - insinto /etc/openldap/schema/
2943 - newins openssh-lpk_openldap.schema openssh-lpk.schema
2944 - fi
2945 -
2946 - doman contrib/ssh-copy-id.1
2947 - dodoc CREDITS OVERVIEW README* TODO sshd_config
2948 - use hpn && dodoc HPN-README
2949 - use X509 || dodoc ChangeLog
2950 -
2951 - diropts -m 0700
2952 - dodir /etc/skel/.ssh
2953 -
2954 - keepdir /var/empty
2955 -
2956 - systemd_dounit "${FILESDIR}"/sshd.{service,socket}
2957 - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
2958 -}
2959 -
2960 -pkg_preinst() {
2961 - enewgroup sshd 22
2962 - enewuser sshd 22 -1 /var/empty sshd
2963 -}
2964 -
2965 -pkg_postinst() {
2966 - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
2967 - elog "Starting with openssh-5.8p1, the server will default to a newer key"
2968 - elog "algorithm (ECDSA). You are encouraged to manually update your stored"
2969 - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
2970 - fi
2971 - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
2972 - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
2973 - elog "Make sure to update any configs that you might have. Note that xinetd might"
2974 - elog "be an alternative for you as it supports USE=tcpd."
2975 - fi
2976 - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
2977 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
2978 - elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
2979 - elog "adding to your sshd_config or ~/.ssh/config files:"
2980 - elog " PubkeyAcceptedKeyTypes=+ssh-dss"
2981 - elog "You should however generate new keys using rsa or ed25519."
2982 -
2983 - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
2984 - elog "to 'prohibit-password'. That means password auth for root users no longer works"
2985 - elog "out of the box. If you need this, please update your sshd_config explicitly."
2986 - fi
2987 - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
2988 - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
2989 - elog "Furthermore, rsa keys with less than 1024 bits will be refused."
2990 - fi
2991 - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
2992 - elog "Be aware that by disabling openssl support in openssh, the server and clients"
2993 - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
2994 - elog "and update all clients/servers that utilize them."
2995 - fi
2996 -
2997 - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
2998 - elog ""
2999 - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
3000 - elog "and therefore disabled at runtime per default."
3001 - elog "Make sure your sshd_config is up to date and contains"
3002 - elog ""
3003 - elog " DisableMTAES yes"
3004 - elog ""
3005 - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
3006 - elog ""
3007 - fi
3008 -}