
From: Patrick McLean <chutzpah@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date: Fri, 02 Sep 2016 20:50:41
Message-Id: 1472849398.771040f0b9111b4125ec068b6fd1fe7d70fb319e.chutzpah@gentoo
1 commit: 771040f0b9111b4125ec068b6fd1fe7d70fb319e
2 Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
3 AuthorDate: Fri Sep 2 20:49:43 2016 +0000
4 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5 CommitDate: Fri Sep 2 20:49:58 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=771040f0
7
8 net-misc/openssh: Revision bump, re-enable the hpn USE flag
9
10 This is hard masked for now for further testing (see bug #577768). All
11 the tests pass on all of my machines with USE="hpn" and USE="hpn X509".
12
13 Since there does not appear to be a tarball for the upstream hpn for
14 openssh-7.2+, this ebuild downloads the kitchensink diff, then patches
15 it to apply against openssh-7.3p1 and remove the server logging stuff
16 that gets dropped from other hpn patchsets.
17
18 We can unmask this once more people test it and sign off that it looks good.
19
20 Package-Manager: portage-2.3.0
21
22 net-misc/openssh/Manifest | 1 +
23 .../openssh/files/openssh-7.3_p1-hpn-update.patch | 277 +++++++++++++++++
24 .../files/openssh-7.3_p1-hpn-x509-glue.patch | 33 ++
25 net-misc/openssh/openssh-7.3_p1-r3.ebuild | 343 +++++++++++++++++++++
26 4 files changed, 654 insertions(+)
27
28 diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
29 index 7e2535f..c6667a5 100644
30 --- a/net-misc/openssh/Manifest
31 +++ b/net-misc/openssh/Manifest
32 @@ -9,6 +9,7 @@ DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee
33 DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
34 DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e
35 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
36 +DIST openssh-7_2_P2-hpn-14.10.diff 78587 SHA256 f083d4c4a2054808386e974accda385542ce150f0c0f079ec1a0d4fa78888b17 SHA512 49d772c6a071fe1883d5d2844aba1d327c40938af368ba349b44c643e10f4e2d02e5c889810f8914c61324fbf90e53547aa346fdbd47b22b2f8da6afc174692c WHIRLPOOL 516621cdbccae3ecc900fde1b1edd2bac807b628d631289e3002747901d7663f5a2545f6b0396415a850f9695dd57e2ab5dbc548584f2c973726b38ca4d57bac
37 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
38 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
39 DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
40
41 diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
42 new file mode 100644
43 index 00000000..2c4cc50
44 --- /dev/null
45 +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-update.patch
46 @@ -0,0 +1,277 @@
47 +--- openssh-7_2_P2-hpn-14.10.diff.orig 2016-09-01 10:34:05.905112131 -0700
48 ++++ openssh-7_2_P2-hpn-14.10.diff 2016-09-01 11:33:19.106664802 -0700
49 +@@ -156,145 +156,6 @@
50 + compat.o crc32.o deattack.o fatal.o hostfile.o \
51 + log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
52 + readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
53 +-diff --git a/auth2.c b/auth2.c
54 +-index 7177962..4af53f0 100644
55 +---- a/auth2.c
56 +-+++ b/auth2.c
57 +-@@ -50,6 +50,7 @@
58 +- #include "dispatch.h"
59 +- #include "pathnames.h"
60 +- #include "buffer.h"
61 +-+#include "canohost.h"
62 +-
63 +- #ifdef GSSAPI
64 +- #include "ssh-gss.h"
65 +-@@ -73,6 +74,8 @@ extern Authmethod method_hostbased;
66 +- extern Authmethod method_gssapi;
67 +- #endif
68 +-
69 +-+static int log_flag = 0;
70 +-+
71 +- Authmethod *authmethods[] = {
72 +- &method_none,
73 +- &method_pubkey,
74 +-@@ -224,6 +227,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
75 +- service = packet_get_cstring(NULL);
76 +- method = packet_get_cstring(NULL);
77 +- debug("userauth-request for user %s service %s method %s", user, service, method);
78 +-+ if (!log_flag) {
79 +-+ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
80 +-+ get_remote_ipaddr(), get_remote_port(), user);
81 +-+ log_flag = 1;
82 +-+ }
83 +- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
84 +-
85 +- if ((style = strchr(user, ':')) != NULL)
86 +-diff --git a/canohost.c b/canohost.c
87 +-index 223964e..db35f73 100644
88 +---- a/canohost.c
89 +-+++ b/canohost.c
90 +-@@ -338,13 +338,13 @@ clear_cached_addr(void)
91 +- */
92 +-
93 +- const char *
94 +--get_remote_ipaddr(void)
95 +-+ssh_get_remote_ipaddr(struct ssh *ssh)
96 +- {
97 +- /* Check whether we have cached the ipaddr. */
98 +- if (canonical_host_ip == NULL) {
99 +-- if (packet_connection_is_on_socket()) {
100 +-+ if (ssh_packet_connection_is_on_socket(ssh)) {
101 +- canonical_host_ip =
102 +-- get_peer_ipaddr(packet_get_connection_in());
103 +-+ get_peer_ipaddr(ssh_packet_get_connection_in(ssh));
104 +- if (canonical_host_ip == NULL)
105 +- cleanup_exit(255);
106 +- } else {
107 +-@@ -356,6 +356,12 @@ get_remote_ipaddr(void)
108 +- }
109 +-
110 +- const char *
111 +-+get_remote_ipaddr(void)
112 +-+{
113 +-+ return ssh_get_remote_ipaddr(active_state);
114 +-+}
115 +-+
116 +-+const char *
117 +- get_remote_name_or_ip(u_int utmp_len, int use_dns)
118 +- {
119 +- static const char *remote = "";
120 +-@@ -410,17 +416,17 @@ get_sock_port(int sock, int local)
121 +- /* Returns remote/local port number for the current connection. */
122 +-
123 +- static int
124 +--get_port(int local)
125 +-+get_port(struct ssh *ssh, int local)
126 +- {
127 +- /*
128 +- * If the connection is not a socket, return 65535. This is
129 +- * intentionally chosen to be an unprivileged port number.
130 +- */
131 +-- if (!packet_connection_is_on_socket())
132 +-+ if (!ssh_packet_connection_is_on_socket(ssh))
133 +- return 65535;
134 +-
135 +- /* Get socket and return the port number. */
136 +-- return get_sock_port(packet_get_connection_in(), local);
137 +-+ return get_sock_port(ssh_packet_get_connection_in(ssh), local);
138 +- }
139 +-
140 +- int
141 +-@@ -430,17 +436,23 @@ get_peer_port(int sock)
142 +- }
143 +-
144 +- int
145 +--get_remote_port(void)
146 +-+ssh_get_remote_port(struct ssh *ssh)
147 +- {
148 +- /* Cache to avoid getpeername() on a dead connection */
149 +- if (cached_port == -1)
150 +-- cached_port = get_port(0);
151 +-+ cached_port = get_port(ssh, 0);
152 +-
153 +- return cached_port;
154 +- }
155 +-
156 +- int
157 +-+get_remote_port(void)
158 +-+{
159 +-+ return ssh_get_remote_port(active_state);
160 +-+}
161 +-+
162 +-+int
163 +- get_local_port(void)
164 +- {
165 +-- return get_port(1);
166 +-+ return get_port(active_state, 1);
167 +- }
168 +-diff --git a/canohost.h b/canohost.h
169 +-index 4c8636f..4d60b27 100644
170 +---- a/canohost.h
171 +-+++ b/canohost.h
172 +-@@ -12,8 +12,11 @@
173 +- * called by a name other than "ssh" or "Secure Shell".
174 +- */
175 +-
176 +-+struct ssh;
177 +-+
178 +- const char *get_canonical_hostname(int);
179 +- const char *get_remote_ipaddr(void);
180 +-+const char *ssh_get_remote_ipaddr(struct ssh *);
181 +- const char *get_remote_name_or_ip(u_int, int);
182 +-
183 +- char *get_peer_ipaddr(int);
184 +-@@ -22,6 +25,7 @@ char *get_local_ipaddr(int);
185 +- char *get_local_name(int);
186 +-
187 +- int get_remote_port(void);
188 +-+int ssh_get_remote_port(struct ssh *);
189 +- int get_local_port(void);
190 +- int get_sock_port(int, int);
191 +- void clear_cached_addr(void);
192 + diff --git a/channels.c b/channels.c
193 + index c9d2015..13b30a1 100644
194 + --- a/channels.c
195 +@@ -1270,7 +1131,7 @@
196 +
197 + #include "ssherr.h"
198 + #include "sshbuf.h"
199 +-+#include "canohost.h"
200 +++#include "packet.h"
201 + #include "digest.h"
202 +
203 + #if OPENSSL_VERSION_NUMBER >= 0x00907000L
204 +@@ -1312,8 +1173,8 @@
205 + + */
206 + + if (ctos && !log_flag) {
207 + + logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
208 +-+ ssh_get_remote_ipaddr(ssh),
209 +-+ ssh_get_remote_port(ssh),
210 +++ ssh_remote_ipaddr(ssh),
211 +++ ssh_remote_port(ssh),
212 + + newkeys->enc.name,
213 + + authlen == 0 ? newkeys->mac.name : "<implicit>",
214 + + newkeys->comp.name);
215 +@@ -1430,7 +1291,7 @@
216 + + rekey_requested = 0;
217 + + return 1;
218 + + }
219 +-+
220 +++
221 + /* Time-based rekeying */
222 + if (state->rekey_interval != 0 &&
223 + state->rekey_time + state->rekey_interval <= monotime())
224 +@@ -1490,7 +1351,7 @@
225 +
226 + transferred = *counter - (cur_pos ? cur_pos : start_pos);
227 + cur_pos = *counter;
228 +- now = monotime();
229 ++ now = monotime_double();
230 + bytes_left = end_pos - cur_pos;
231 +
232 + + delta_pos = cur_pos - last_pos;
233 +@@ -1564,8 +1425,8 @@
234 + { "canonicaldomains", oCanonicalDomains },
235 + { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
236 + @@ -282,6 +287,11 @@ static struct {
237 +- { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
238 + { "ignoreunknown", oIgnoreUnknown },
239 ++ { "proxyjump", oProxyJump },
240 +
241 + + { "tcprcvbufpoll", oTcpRcvBufPoll },
242 + + { "tcprcvbuf", oTcpRcvBuf },
243 +@@ -1736,8 +1597,8 @@
244 + off_t size, statbytes;
245 + unsigned long long ull;
246 + int setimes, targisdir, wrerrno = 0;
247 +-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
248 +-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
249 ++- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
250 +++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
251 + struct timeval tv[2];
252 +
253 + #define atime tv[0]
254 +@@ -1956,32 +1817,6 @@
255 + }
256 +
257 + /*
258 +-@@ -820,11 +836,13 @@ void
259 +- server_loop2(Authctxt *authctxt)
260 +- {
261 +- fd_set *readset = NULL, *writeset = NULL;
262 +-+ double start_time, total_time;
263 +- int max_fd;
264 +- u_int nalloc = 0;
265 +- u_int64_t rekey_timeout_ms = 0;
266 +-
267 +- debug("Entering interactive session for SSH2.");
268 +-+ start_time = get_current_time();
269 +-
270 +- mysignal(SIGCHLD, sigchld_handler);
271 +- child_terminated = 0;
272 +-@@ -883,6 +901,11 @@ server_loop2(Authctxt *authctxt)
273 +-
274 +- /* free remaining sessions, e.g. remove wtmp entries */
275 +- session_destroy_all(NULL);
276 +-+ total_time = get_current_time() - start_time;
277 +-+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
278 +-+ get_remote_ipaddr(), get_remote_port(),
279 +-+ stdin_bytes, fdout_bytes, total_time, stdin_bytes / total_time,
280 +-+ fdout_bytes / total_time);
281 +- }
282 +-
283 +- static int
284 + @@ -1041,8 +1064,12 @@ server_request_tun(void)
285 + sock = tun_open(tun, mode);
286 + if (sock < 0)
287 +@@ -2372,10 +2207,10 @@
288 + debug("Client protocol version %d.%d; client software version %.100s",
289 + remote_major, remote_minor, remote_version);
290 + + logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
291 +-+ get_remote_ipaddr(), get_remote_port(),
292 +++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
293 + + remote_major, remote_minor, remote_version);
294 +
295 +- active_state->compat = compat_datafellows(remote_version);
296 ++ ssh->compat = compat_datafellows(remote_version);
297 +
298 + @@ -1160,6 +1163,8 @@ server_listen(void)
299 + int ret, listen_sock, on = 1;
300 +@@ -2413,7 +2248,7 @@
301 + if (options.challenge_response_authentication)
302 + options.kbd_interactive_authentication = 1;
303 + @@ -2151,6 +2168,9 @@ main(int ac, char **av)
304 +- remote_ip, remote_port, laddr, get_local_port());
305 ++ remote_ip, remote_port, laddr, ssh_local_port(ssh));
306 + free(laddr);
307 +
308 + + /* set the HPN options for the child */
309 +@@ -2486,11 +2321,10 @@
310 + index eb4e948..3692722 100644
311 + --- a/version.h
312 + +++ b/version.h
313 +-@@ -3,4 +3,6 @@
314 +- #define SSH_VERSION "OpenSSH_7.2"
315 ++@@ -3,4 +3,5 @@
316 ++ #define SSH_VERSION "OpenSSH_7.3"
317 +
318 +- #define SSH_PORTABLE "p2"
319 ++ #define SSH_PORTABLE "p1"
320 + -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
321 + +#define SSH_HPN "-hpn14v11"
322 + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
323 +-+
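Review bot: Only part of the HPN server logging is removed here: the Authname (auth2.c), canohost.c and Throughput (serverloop.c) hunks are dropped, but the Kex `logit()` in the `@@ -1312` hunk and the Version `logit()` in the `@@ -2372` hunk are kept and merely rebased onto the 7.3 `ssh_remote_ipaddr(ssh)`/`ssh_remote_port(ssh)` accessors (consistent with the `canohost.h` → `packet.h` include swap), so the commit description's "remove the server logging stuff" overstates what the patch does. A header line before the first `---` of this file would make that explicit, e.g. `# Drops the HPN Authname/Throughput logit() calls; the Kex and Version ones remain, rebased to the 7.3 packet.h accessors.` The surviving Version line logs the client-supplied banner at INFO for every connection; OpenSSH's logger vis-encodes messages before they reach syslog, so this looks like log noise rather than an injection surface, but that is worth confirming with USE=hpn on. The kept kex.c hunk still tests `log_flag`, whose auth2.c definition this patch deletes; presumably kex.c carries its own `static int log_flag` in the upstream diff, which a build would confirm.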
324
325 diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch
326 new file mode 100644
327 index 00000000..4433925
328 --- /dev/null
329 +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch
330 @@ -0,0 +1,33 @@
331 +--- openssh-7_2_P2-hpn-14.10.diff.clean 2016-09-01 12:11:41.120750207 -0700
332 ++++ openssh-7_2_P2-hpn-14.10.diff 2016-09-01 14:00:44.311487904 -0700
333 +@@ -141,7 +141,7 @@
334 + @@ -44,7 +44,7 @@ CC=@CC@
335 + LD=@LD@
336 + CFLAGS=@CFLAGS@
337 +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
338 ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
339 + -LIBS=@LIBS@
340 + +LIBS=@LIBS@ -lpthread
341 + K5LIBS=@K5LIBS@
342 +@@ -2098,7 +2098,7 @@
343 + @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
344 + /* Send our own protocol version identification. */
345 + if (compat20) {
346 +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
347 ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
348 + - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
349 + + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
350 + } else {
351 +@@ -2196,9 +2196,9 @@
352 + @@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
353 + }
354 +
355 +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
356 +-- major, minor, SSH_VERSION,
357 +-+ major, minor, SSH_RELEASE,
358 ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
359 ++- major, minor, SSH_VERSION, comment,
360 +++ major, minor, SSH_RELEASE, comment,
361 + *options.version_addendum == '\0' ? "" : " ",
362 + options.version_addendum, newline);
363 +
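Review bot: After this glue both sides send `SSH_RELEASE` rather than `SSH_VERSION` in the protocol banner (client in the `@@ -527` hunk, server in the `@@ -431` hunk), so the advertised string becomes `OpenSSH_7.3p1-hpn14v11 PKIX` plus any `VersionAddendum`, disclosed before authentication. That is the same thing the X509 patch already does for its own marker, and the compat_datafellows patterns are prefix wildcards, so a trailing suffix should not break peer detection, but it does fingerprint the patched build for anyone scanning port 22. A one-line header comment in this file would save the next maintainer from rediscovering it: `# Both banners now carry SSH_RELEASE (OpenSSH_7.3p1-hpn14v11 PKIX), matching the X509 patch's own banner change.` The enclosing functions, `send_client_banner` and `sshd_exchange_identification`, start and end outside the hunk.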
364
365 diff --git a/net-misc/openssh/openssh-7.3_p1-r3.ebuild b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
366 new file mode 100644
367 index 00000000..ddaf458
368 --- /dev/null
369 +++ b/net-misc/openssh/openssh-7.3_p1-r3.ebuild
370 @@ -0,0 +1,343 @@
371 +# Copyright 1999-2016 Gentoo Foundation
372 +# Distributed under the terms of the GNU General Public License v2
373 +# $Id$
374 +
375 +EAPI="5"
376 +
377 +inherit eutils user flag-o-matic multilib autotools pam systemd versionator
378 +
379 +# Make it more portable between straight releases
380 +# and _p? releases.
381 +PARCH=${P/_}
382 +HPN_PV="7.2_p2"
383 +HPN_VER="14.10"
384 +
385 +HPN_DIR_PV="${HPN_PV/_}"
386 +HPN_PV="${HPN_PV/./_}"
387 +
388 +HPN_PATCH="${PN}-${HPN_PV/p/P}-hpn-14.10.diff"
389 +SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
390 +LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
391 +X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
392 +
393 +DESCRIPTION="Port of OpenBSD's free SSH release"
394 +HOMEPAGE="http://www.openssh.org/"
395 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
396 + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
397 + ${HPN_PATCH:+hpn? (
398 + mirror://gentoo/${HPN_PATCH}
399 + mirror://sourceforge/project/hpnssh/HPN-SSH%20${HPN_VER/./v}%20${HPN_DIR_PV}/${HPN_PATCH}
400 + )}
401 + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
402 + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
403 + "
404 +
405 +LICENSE="BSD GPL-2"
406 +SLOT="0"
407 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
408 +# Probably want to drop ssl defaulting to on in a future version.
409 +IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
410 +REQUIRED_USE="ldns? ( ssl )
411 + pie? ( !static )
412 + ssh1? ( ssl )
413 + static? ( !kerberos !pam )
414 + X509? ( !ldap ssl )"
415 +
416 +LIB_DEPEND="
417 + ldns? (
418 + net-libs/ldns[static-libs(+)]
419 + !bindist? ( net-libs/ldns[ecdsa,ssl] )
420 + bindist? ( net-libs/ldns[-ecdsa,ssl] )
421 + )
422 + libedit? ( dev-libs/libedit[static-libs(+)] )
423 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
424 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
425 + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
426 + ssl? (
427 + !libressl? (
428 + >=dev-libs/openssl-0.9.8f:0[bindist=]
429 + dev-libs/openssl:0[static-libs(+)]
430 + )
431 + libressl? ( dev-libs/libressl[static-libs(+)] )
432 + )
433 + >=sys-libs/zlib-1.2.3[static-libs(+)]"
434 +RDEPEND="
435 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
436 + pam? ( virtual/pam )
437 + kerberos? ( virtual/krb5 )
438 + ldap? ( net-nds/openldap )"
439 +DEPEND="${RDEPEND}
440 + static? ( ${LIB_DEPEND} )
441 + virtual/pkgconfig
442 + virtual/os-headers
443 + sys-devel/autoconf"
444 +RDEPEND="${RDEPEND}
445 + pam? ( >=sys-auth/pambase-20081028 )
446 + userland_GNU? ( virtual/shadow )
447 + X? ( x11-apps/xauth )"
448 +
449 +S=${WORKDIR}/${PARCH}
450 +
451 +pkg_setup() {
452 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
453 + # than not be able to log in to their server any more
454 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
455 + local fail="
456 + $(use X509 && maybe_fail X509 X509_PATCH)
457 + $(use ldap && maybe_fail ldap LDAP_PATCH)
458 + $(use hpn && maybe_fail hpn HPN_PATCH)
459 + "
460 + fail=$(echo ${fail})
461 + if [[ -n ${fail} ]] ; then
462 + eerror "Sorry, but this version does not yet support features"
463 + eerror "that you requested: ${fail}"
464 + eerror "Please mask ${PF} for now and check back later:"
465 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
466 + die "booooo"
467 + fi
468 +
469 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
470 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
471 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
472 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
473 + fi
474 +}
475 +
476 +save_version() {
477 + # version.h patch conflict avoidence
478 + mv version.h version.h.$1
479 + cp -f version.h.pristine version.h
480 +}
481 +
482 +src_prepare() {
483 + sed -i \
484 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
485 + pathnames.h || die
486 + # keep this as we need it to avoid the conflict between LPK and HPN changing
487 + # this file.
488 + cp version.h version.h.pristine
489 +
490 + # don't break .ssh/authorized_keys2 for fun
491 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
492 +
493 + use hpn && cp -L "${DISTDIR}"/${HPN_PATCH} "${WORKDIR}"/${HPN_PATCH}
494 +
495 + if use X509 ; then
496 + pushd .. >/dev/null
497 + if use hpn ; then
498 + pushd "${WORKDIR}" >/dev/null
499 + epatch "${FILESDIR}"/${P}-hpn-x509-glue.patch
500 + popd >/dev/null
501 + fi
502 + epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
503 + popd >/dev/null
504 + epatch "${WORKDIR}"/${X509_PATCH%.*}
505 + #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
506 + #save_version X509
507 + fi
508 + if use ldap ; then
509 + epatch "${WORKDIR}"/${LDAP_PATCH%.*}
510 + save_version LPK
511 + fi
512 + epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
513 + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
514 + epatch "${WORKDIR}"/${SCTP_PATCH%.*}
515 + if use hpn ; then
516 + #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
517 + # EPATCH_MULTI_MSG="Applying HPN patchset ..." \
518 + # epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
519 + pushd "${WORKDIR}" >/dev/null
520 + epatch "${FILESDIR}"/${P}-hpn-update.patch
521 + popd >/dev/null
522 + epatch "${WORKDIR}"/${HPN_PATCH}
523 + save_version HPN
524 + fi
525 +
526 + tc-export PKG_CONFIG
527 + local sed_args=(
528 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
529 + # Disable PATH reset, trust what portage gives us #254615
530 + -e 's:^PATH=/:#PATH=/:'
531 + # Disable fortify flags ... our gcc does this for us
532 + -e 's:-D_FORTIFY_SOURCE=2::'
533 + )
534 + # The -ftrapv flag ICEs on hppa #505182
535 + use hppa && sed_args+=(
536 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
537 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
538 + )
539 + sed -i "${sed_args[@]}" configure{.ac,} || die
540 +
541 + epatch_user #473004
542 +
543 + # Now we can build a sane merged version.h
544 + (
545 + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
546 + macros=()
547 + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
548 + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
549 + ) > version.h
550 +
551 + eautoreconf
552 +}
553 +
554 +src_configure() {
555 + addwrite /dev/ptmx
556 +
557 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
558 + use static && append-ldflags -static
559 +
560 + local myconf=(
561 + --with-ldflags="${LDFLAGS}"
562 + --disable-strip
563 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
564 + --sysconfdir="${EPREFIX}"/etc/ssh
565 + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
566 + --datadir="${EPREFIX}"/usr/share/openssh
567 + --with-privsep-path="${EPREFIX}"/var/empty
568 + --with-privsep-user=sshd
569 + $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
570 + # We apply the ldap patch conditionally, so can't pass --without-ldap
571 + # unconditionally else we get unknown flag warnings.
572 + $(use ldap && use_with ldap)
573 + $(use_with ldns)
574 + $(use_with libedit)
575 + $(use_with pam)
576 + $(use_with pie)
577 + $(use_with sctp)
578 + $(use_with selinux)
579 + $(use_with skey)
580 + $(use_with ssh1)
581 + $(use_with ssl openssl)
582 + $(use_with ssl md5-passwords)
583 + $(use_with ssl ssl-engine)
584 + )
585 +
586 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
587 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
588 +
589 + econf "${myconf[@]}"
590 +}
591 +
592 +src_install() {
593 + emake install-nokeys DESTDIR="${D}"
594 + fperms 600 /etc/ssh/sshd_config
595 + dobin contrib/ssh-copy-id
596 + newinitd "${FILESDIR}"/sshd.rc6.4 sshd
597 + newconfd "${FILESDIR}"/sshd.confd sshd
598 + keepdir /var/empty
599 +
600 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
601 + if use pam ; then
602 + sed -i \
603 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
604 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
605 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
606 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
607 + "${ED}"/etc/ssh/sshd_config || die
608 + fi
609 +
610 + # Gentoo tweaks to default config files
611 + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
612 +
613 + # Allow client to pass locale environment variables #367017
614 + AcceptEnv LANG LC_*
615 + EOF
616 + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
617 +
618 + # Send locale environment variables #367017
619 + SendEnv LANG LC_*
620 + EOF
621 +
622 + if use livecd ; then
623 + sed -i \
624 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
625 + "${ED}"/etc/ssh/sshd_config || die
626 + fi
627 +
628 + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
629 + insinto /etc/openldap/schema/
630 + newins openssh-lpk_openldap.schema openssh-lpk.schema
631 + fi
632 +
633 + doman contrib/ssh-copy-id.1
634 + dodoc CREDITS OVERVIEW README* TODO sshd_config
635 + use X509 || dodoc ChangeLog
636 +
637 + diropts -m 0700
638 + dodir /etc/skel/.ssh
639 +
640 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
641 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
642 +}
643 +
644 +src_test() {
645 + local t tests skipped failed passed shell
646 + tests="interop-tests compat-tests"
647 + skipped=""
648 + shell=$(egetshell ${UID})
649 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
650 + elog "Running the full OpenSSH testsuite"
651 + elog "requires a usable shell for the 'portage'"
652 + elog "user, so we will run a subset only."
653 + skipped="${skipped} tests"
654 + else
655 + tests="${tests} tests"
656 + fi
657 + # It will also attempt to write to the homedir .ssh
658 + local sshhome=${T}/homedir
659 + mkdir -p "${sshhome}"/.ssh
660 + for t in ${tests} ; do
661 + # Some tests read from stdin ...
662 + HOMEDIR="${sshhome}" HOME="${sshhome}" \
663 + emake -k -j1 ${t} </dev/null \
664 + && passed="${passed}${t} " \
665 + || failed="${failed}${t} "
666 + done
667 + einfo "Passed tests: ${passed}"
668 + ewarn "Skipped tests: ${skipped}"
669 + if [[ -n ${failed} ]] ; then
670 + ewarn "Failed tests: ${failed}"
671 + die "Some tests failed: ${failed}"
672 + else
673 + einfo "Failed tests: ${failed}"
674 + return 0
675 + fi
676 +}
677 +
678 +pkg_preinst() {
679 + enewgroup sshd 22
680 + enewuser sshd 22 -1 /var/empty sshd
681 +}
682 +
683 +pkg_postinst() {
684 + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
685 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
686 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
687 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
688 + fi
689 + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
690 + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
691 + fi
692 + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
693 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
694 + elog "Make sure to update any configs that you might have. Note that xinetd might"
695 + elog "be an alternative for you as it supports USE=tcpd."
696 + fi
697 + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
698 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
699 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
700 + elog "adding to your sshd_config or ~/.ssh/config files:"
701 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
702 + elog "You should however generate new keys using rsa or ed25519."
703 +
704 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
705 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
706 + elog "out of the box. If you need this, please update your sshd_config explicitly."
707 + fi
708 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
709 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
710 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
711 + elog "and update all clients/servers that utilize them."
712 + fi
713 +}