commit: 771040f0b9111b4125ec068b6fd1fe7d70fb319e |
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
AuthorDate: Fri Sep 2 20:49:43 2016 +0000 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
CommitDate: Fri Sep 2 20:49:58 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=771040f0 |
|
net-misc/openssh: Revision bump, re-enable the hpn USE flag |
|
This is hard masked for now for further testing, see bug #577768, All |
the tests pass on all of my machines with USE="hpn" and USE="hpn X509". |
|
Since there does not appear to be a tarball for the upstream hpn for |
openssh-7.2+, this ebuild downloads the kitchensink diff, then patches |
it to apply against openssh-7.3p1 and remove the server logging stuff |
that get dropped from other hpn patchsets. |
|
We can unmask this once more people test it and sign off that it looks good. |
|
Package-Manager: portage-2.3.0 |
|
net-misc/openssh/Manifest | 1 + |
.../openssh/files/openssh-7.3_p1-hpn-update.patch | 277 +++++++++++++++++ |
.../files/openssh-7.3_p1-hpn-x509-glue.patch | 33 ++ |
net-misc/openssh/openssh-7.3_p1-r3.ebuild | 343 +++++++++++++++++++++ |
4 files changed, 654 insertions(+) |
|
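diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 7e2535f..c6667a5 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -9,6 +9,7 @@ DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee
 DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
 DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e
 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
+DIST openssh-7_2_P2-hpn-14.10.diff 78587 SHA256 f083d4c4a2054808386e974accda385542ce150f0c0f079ec1a0d4fa78888b17 SHA512 49d772c6a071fe1883d5d2844aba1d327c40938af368ba349b44c643e10f4e2d02e5c889810f8914c61324fbf90e53547aa346fdbd47b22b2f8da6afc174692c WHIRLPOOL 516621cdbccae3ecc900fde1b1edd2bac807b628d631289e3002747901d7663f5a2545f6b0396415a850f9695dd57e2ab5dbc548584f2c973726b38ca4d57bac
 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
 DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
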
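diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
new file mode 100644
index 00000000..2c4cc50
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
@@ -0,0 +1,277 @@
+--- openssh-7_2_P2-hpn-14.10.diff.orig 2016-09-01 10:34:05.905112131 -0700
++++ openssh-7_2_P2-hpn-14.10.diff 2016-09-01 11:33:19.106664802 -0700
+@@ -156,145 +156,6 @@
+ compat.o crc32.o deattack.o fatal.o hostfile.o \
+ log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
+ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
+-diff --git a/auth2.c b/auth2.c
+-index 7177962..4af53f0 100644
+---- a/auth2.c
+-+++ b/auth2.c
+-@@ -50,6 +50,7 @@
+- #include "dispatch.h"
+- #include "pathnames.h"
+- #include "buffer.h"
+-+#include "canohost.h"
+-
+- #ifdef GSSAPI
+- #include "ssh-gss.h"
+-@@ -73,6 +74,8 @@ extern Authmethod method_hostbased;
+- extern Authmethod method_gssapi;
+- #endif
+-
+-+static int log_flag = 0;
+-+
+- Authmethod *authmethods[] = {
+- &method_none,
+- &method_pubkey,
+-@@ -224,6 +227,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+- service = packet_get_cstring(NULL);
+- method = packet_get_cstring(NULL);
+- debug("userauth-request for user %s service %s method %s", user, service, method);
+-+ if (!log_flag) {
+-+ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
+-+ get_remote_ipaddr(), get_remote_port(), user);
+-+ log_flag = 1;
+-+ }
+- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+-
+- if ((style = strchr(user, ':')) != NULL)
+-diff --git a/canohost.c b/canohost.c
+-index 223964e..db35f73 100644
+---- a/canohost.c
+-+++ b/canohost.c
+-@@ -338,13 +338,13 @@ clear_cached_addr(void)
+- */
+-
+- const char *
+--get_remote_ipaddr(void)
+-+ssh_get_remote_ipaddr(struct ssh *ssh)
+- {
+- /* Check whether we have cached the ipaddr. */
+- if (canonical_host_ip == NULL) {
+-- if (packet_connection_is_on_socket()) {
+-+ if (ssh_packet_connection_is_on_socket(ssh)) {
+- canonical_host_ip =
+-- get_peer_ipaddr(packet_get_connection_in());
+-+ get_peer_ipaddr(ssh_packet_get_connection_in(ssh));
+- if (canonical_host_ip == NULL)
+- cleanup_exit(255);
+- } else {
+-@@ -356,6 +356,12 @@ get_remote_ipaddr(void)
+- }
+-
+- const char *
+-+get_remote_ipaddr(void)
+-+{
+-+ return ssh_get_remote_ipaddr(active_state);
+-+}
+-+
+-+const char *
+- get_remote_name_or_ip(u_int utmp_len, int use_dns)
+- {
+- static const char *remote = "";
+-@@ -410,17 +416,17 @@ get_sock_port(int sock, int local)
+- /* Returns remote/local port number for the current connection. */
+-
+- static int
+--get_port(int local)
+-+get_port(struct ssh *ssh, int local)
+- {
+- /*
+- * If the connection is not a socket, return 65535. This is
+- * intentionally chosen to be an unprivileged port number.
+- */
+-- if (!packet_connection_is_on_socket())
+-+ if (!ssh_packet_connection_is_on_socket(ssh))
+- return 65535;
+-
+- /* Get socket and return the port number. */
+-- return get_sock_port(packet_get_connection_in(), local);
+-+ return get_sock_port(ssh_packet_get_connection_in(ssh), local);
+- }
+-
+- int
+-@@ -430,17 +436,23 @@ get_peer_port(int sock)
+- }
+-
+- int
+--get_remote_port(void)
+-+ssh_get_remote_port(struct ssh *ssh)
+- {
+- /* Cache to avoid getpeername() on a dead connection */
+- if (cached_port == -1)
+-- cached_port = get_port(0);
+-+ cached_port = get_port(ssh, 0);
+-
+- return cached_port;
+- }
+-
+- int
+-+get_remote_port(void)
+-+{
+-+ return ssh_get_remote_port(active_state);
+-+}
+-+
+-+int
+- get_local_port(void)
+- {
+-- return get_port(1);
+-+ return get_port(active_state, 1);
+- }
+-diff --git a/canohost.h b/canohost.h
+-index 4c8636f..4d60b27 100644
+---- a/canohost.h
+-+++ b/canohost.h
+-@@ -12,8 +12,11 @@
+- * called by a name other than "ssh" or "Secure Shell".
+- */
+-
+-+struct ssh;
+-+
+- const char *get_canonical_hostname(int);
+- const char *get_remote_ipaddr(void);
+-+const char *ssh_get_remote_ipaddr(struct ssh *);
+- const char *get_remote_name_or_ip(u_int, int);
+-
+- char *get_peer_ipaddr(int);
+-@@ -22,6 +25,7 @@ char *get_local_ipaddr(int);
+- char *get_local_name(int);
+-
+- int get_remote_port(void);
+-+int ssh_get_remote_port(struct ssh *);
+- int get_local_port(void);
+- int get_sock_port(int, int);
+- void clear_cached_addr(void);
+ diff --git a/channels.c b/channels.c
+ index c9d2015..13b30a1 100644
+ --- a/channels.c
+@@ -1270,7 +1131,7 @@
+
+ #include "ssherr.h"
+ #include "sshbuf.h"
+-+#include "canohost.h"
+++#include "packet.h"
+ #include "digest.h"
+
+ #if OPENSSL_VERSION_NUMBER >= 0x00907000L
+@@ -1312,8 +1173,8 @@
+ + */
+ + if (ctos && !log_flag) {
+ + logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
+-+ ssh_get_remote_ipaddr(ssh),
+-+ ssh_get_remote_port(ssh),
+++ ssh_remote_ipaddr(ssh),
+++ ssh_remote_port(ssh),
+ + newkeys->enc.name,
+ + authlen == 0 ? newkeys->mac.name : "<implicit>",
+ + newkeys->comp.name);
+@@ -1430,7 +1291,7 @@
+ + rekey_requested = 0;
+ + return 1;
+ + }
+-+
+++
+ /* Time-based rekeying */
+ if (state->rekey_interval != 0 &&
+ state->rekey_time + state->rekey_interval <= monotime())
+@@ -1490,7 +1351,7 @@
+
+ transferred = *counter - (cur_pos ? cur_pos : start_pos);
+ cur_pos = *counter;
+- now = monotime();
++ now = monotime_double();
+ bytes_left = end_pos - cur_pos;
+
+ + delta_pos = cur_pos - last_pos;
+@@ -1564,8 +1425,8 @@
+ { "canonicaldomains", oCanonicalDomains },
+ { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
+ @@ -282,6 +287,11 @@ static struct {
+- { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+ { "ignoreunknown", oIgnoreUnknown },
++ { "proxyjump", oProxyJump },
+
+ + { "tcprcvbufpoll", oTcpRcvBufPoll },
+ + { "tcprcvbuf", oTcpRcvBuf },
+@@ -1736,8 +1597,8 @@
+ off_t size, statbytes;
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
+-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
++- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
+ struct timeval tv[2];
+
+ #define atime tv[0]
+@@ -1956,32 +1817,6 @@
+ }
+
+ /*
+-@@ -820,11 +836,13 @@ void
+- server_loop2(Authctxt *authctxt)
+- {
+- fd_set *readset = NULL, *writeset = NULL;
+-+ double start_time, total_time;
+- int max_fd;
+- u_int nalloc = 0;
+- u_int64_t rekey_timeout_ms = 0;
+-
+- debug("Entering interactive session for SSH2.");
+-+ start_time = get_current_time();
+-
+- mysignal(SIGCHLD, sigchld_handler);
+- child_terminated = 0;
+-@@ -883,6 +901,11 @@ server_loop2(Authctxt *authctxt)
+-
+- /* free remaining sessions, e.g. remove wtmp entries */
+- session_destroy_all(NULL);
+-+ total_time = get_current_time() - start_time;
+-+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
+-+ get_remote_ipaddr(), get_remote_port(),
+-+ stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
+-+ fdout_bytes / total_time);
+- }
+-
+- static int
+ @@ -1041,8 +1064,12 @@ server_request_tun(void)
+ sock = tun_open(tun, mode);
+ if (sock < 0)
+@@ -2372,10 +2207,10 @@
+ debug("Client protocol version %d.%d; client software version %.100s",
+ remote_major, remote_minor, remote_version);
+ + logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
+-+ get_remote_ipaddr(), get_remote_port(),
+++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ + remote_major, remote_minor, remote_version);
+
+- active_state->compat = compat_datafellows(remote_version);
++ ssh->compat = compat_datafellows(remote_version);
+
+ @@ -1160,6 +1163,8 @@ server_listen(void)
+ int ret, listen_sock, on = 1;
+@@ -2413,7 +2248,7 @@
+ if (options.challenge_response_authentication)
+ options.kbd_interactive_authentication = 1;
+ @@ -2151,6 +2168,9 @@ main(int ac, char **av)
+- remote_ip, remote_port, laddr, get_local_port());
++ remote_ip, remote_port, laddr, ssh_local_port(ssh));
+ free(laddr);
+
+ + /* set the HPN options for the child */
+@@ -2486,11 +2321,10 @@
+ index eb4e948..3692722 100644
+ --- a/version.h
+ +++ b/version.h
+-@@ -3,4 +3,6 @@
+- #define SSH_VERSION "OpenSSH_7.2"
++@@ -3,4 +3,5 @@
++ #define SSH_VERSION "OpenSSH_7.3"
+
+- #define SSH_PORTABLE "p2"
++ #define SSH_PORTABLE "p1"
+ -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+ +#define SSH_HPN "-hpn14v11"
+ +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+-+
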
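Review bot: The new patch file carries no header describing what it does, which matters for a patch that rewrites another patch: nothing in it records that it re-bases `openssh-7_2_P2-hpn-14.10.diff` onto 7.3p1 and deletes the auth2.c/canohost.c and server_loop2 logging hunks, so the next HPN bump has to be reverse-engineered from the hunks. Note also that the server-side `logit("SSH: Server;Ltype: Kex;…")` and `logit("SSH: Server;Ltype: Version;…")` calls are kept (the latter rewritten to `ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)`), so the commit message's "remove the server logging stuff" is only partial and every connection still writes lines with the peer address, negotiated cipher/MAC and client version; that residual logging and its log-volume impact should be stated somewhere operators will read it. A few free-text lines before the first `---` (patch ignores leading text) naming the source diff, the target release and the dropped hunks would cover both.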
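diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch
new file mode 100644
index 00000000..4433925
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch
@@ -0,0 +1,33 @@
+--- openssh-7_2_P2-hpn-14.10.diff.clean 2016-09-01 12:11:41.120750207 -0700
++++ openssh-7_2_P2-hpn-14.10.diff 2016-09-01 14:00:44.311487904 -0700
+@@ -141,7 +141,7 @@
+ @@ -44,7 +44,7 @@ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+ K5LIBS=@K5LIBS@
+@@ -2098,7 +2098,7 @@
+ @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
+ - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ } else {
+@@ -2196,9 +2196,9 @@
+ @@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+ }
+
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-- major, minor, SSH_VERSION,
+-+ major, minor, SSH_RELEASE,
++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++- major, minor, SSH_VERSION, comment,
+++ major, minor, SSH_RELEASE, comment,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
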
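Review bot: The re-based `send_client_banner` and `sshd_exchange_identification` hunks at the bottom of this file carry over the HPN diff's switch from `SSH_VERSION` to `SSH_RELEASE` in both identification strings, and the X509 context adds a literal ` PKIX` to the client banner, so with USE="hpn X509" both sides advertise the patch suffixes (e.g. the `-hpn14v11` tag from version.h) to any unauthenticated peer. That is a fingerprinting exposure and changes what users of `options.version_addendum` will see alongside their own string, and neither the commit message nor the ebuild mentions it. A short preamble before the first `---` stating the purpose of the glue and this side effect would make it visible, e.g. `Re-base the HPN diff's Makefile, send_client_banner() and sshd_exchange_identification() hunks onto the X509 patch; note that SSH_RELEASE (with the HPN/X509 suffixes) replaces SSH_VERSION in both banners.`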
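diff --git a/net-misc/openssh/openssh-7.3_p1-r3.ebuild b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
new file mode 100644
index 00000000..ddaf458
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
@@ -0,0 +1,343 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="7.2_p2"
+HPN_VER="14.10"
+
+HPN_DIR_PV="${HPN_PV/_}"
+HPN_PV="${HPN_PV/./_}"
+
+HPN_PATCH="${PN}-${HPN_PV/p/P}-hpn-14.10.diff"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+ ${HPN_PATCH:+hpn? (
+ mirror://gentoo/${HPN_PATCH}
+ mirror://sourceforge/project/hpnssh/HPN-SSH%20${HPN_VER/./v}%20${HPN_DIR_PV}/${HPN_PATCH}
+ )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+ pie? ( !static )
+ ssh1? ( ssl )
+ static? ( !kerberos !pam )
+ X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+ ldns? (
+ net-libs/ldns[static-libs(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ ssl? (
+ !libressl? (
+ >=dev-libs/openssl-0.9.8f:0[bindist=]
+ dev-libs/openssl:0[static-libs(+)]
+ )
+ libressl? ( dev-libs/libressl[static-libs(+)] )
+ )
+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+
+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
+ if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ use hpn && cp -L "${DISTDIR}"/${HPN_PATCH} "${WORKDIR}"/${HPN_PATCH}
+
+ if use X509 ; then
+ pushd .. >/dev/null
+ if use hpn ; then
+ pushd "${WORKDIR}" >/dev/null
+ epatch "${FILESDIR}"/${P}-hpn-x509-glue.patch
+ popd >/dev/null
+ fi
+ epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+ popd >/dev/null
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
+ #save_version X509
+ fi
+ if use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+ epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+ epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+ if use hpn ; then
+ #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+ # EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+ # epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+ pushd "${WORKDIR}" >/dev/null
+ epatch "${FILESDIR}"/${P}-hpn-update.patch
+ popd >/dev/null
+ epatch "${WORKDIR}"/${HPN_PATCH}
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+src_configure() {
+ addwrite /dev/ptmx
+
+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+ use static && append-ldflags -static
+
+ local myconf=(
+ --with-ldflags="${LDFLAGS}"
+ --disable-strip
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+ --sysconfdir="${EPREFIX}"/etc/ssh
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX}"/var/empty
+ --with-privsep-user=sshd
+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+ # We apply the ldap patch conditionally, so can't pass --without-ldap
+ # unconditionally else we get unknown flag warnings.
+ $(use ldap && use_with ldap)
+ $(use_with ldns)
+ $(use_with libedit)
+ $(use_with pam)
+ $(use_with pie)
+ $(use_with sctp)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with ssh1)
+ $(use_with ssl openssl)
+ $(use_with ssl md5-passwords)
+ $(use_with ssl ssl-engine)
+ )
+
+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+ econf "${myconf[@]}"
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+ keepdir /var/empty
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ if use livecd ; then
+ sed -i \
+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc CREDITS OVERVIEW README* TODO sshd_config
+ use X509 || dodoc ChangeLog
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t tests skipped failed passed shell
+ tests="interop-tests compat-tests"
+ skipped=""
+ shell=$(egetshell ${UID})
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite"
+ elog "requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped="${skipped} tests"
+ else
+ tests="${tests} tests"
+ fi
+ # It will also attempt to write to the homedir .ssh
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in ${tests} ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" HOME="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed="${passed}${t} " \
+ || failed="${failed}${t} "
+ done
+ einfo "Passed tests: ${passed}"
+ ewarn "Skipped tests: ${skipped}"
+ if [[ -n ${failed} ]] ; then
+ ewarn "Failed tests: ${failed}"
+ die "Some tests failed: ${failed}"
+ else
+ einfo "Failed tests: ${failed}"
+ return 0
+ fi
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+ elog "Make sure to update any configs that you might have. Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or ed25519."
+
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
+ elog "out of the box. If you need this, please update your sshd_config explicitly."
+ fi
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
+ elog "and update all clients/servers that utilize them."
+ fi
+}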
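Review bot: In the merged version.h generation at the end of src_prepare, `printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"` expands only the first array element, so with USE="hpn ldap" (a combination REQUIRED_USE allows) only SSH_HPN lands in SSH_RELEASE and SSH_LPK is silently dropped; `"${macros[*]}"` emits the whole list. The X509 branch also leaves `save_version X509` commented out, so version.h.X509 never exists and the loop can never add SSH_X509 even if the X509 patch defines one — a one-line comment saying whether that is intentional would save the next reader from re-deriving it. Separately, IUSE turns the flag on by default via `${HPN_PATCH:++}hpn` while the commit message says the flag is masked elsewhere; a comment next to IUSE pointing at that mask and bug #577768 would keep the default from taking effect unnoticed once the mask is lifted.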