Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Patrick McLean <chutzpah@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
Date: Mon, 29 Apr 2019 23:35:57
Message-Id: 1556580926.7351114de5d681350557fe029ce34159749d75a0.chutzpah@gentoo
1 commit: 7351114de5d681350557fe029ce34159749d75a0
2 Author: Patrick McLean <patrick.mclean <AT> sony <DOT> com>
3 AuthorDate: Mon Apr 29 23:29:30 2019 +0000
4 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5 CommitDate: Mon Apr 29 23:35:26 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7351114d
7
8 net-misc/openssh: Revbump to 8.0_p1-r1, pick up 12.0.1 X509 bugfix
9
10 Copyright: Sony Interactive Entertainment Inc.
11 Package-Manager: Portage-2.3.65, Repoman-2.3.12
12 Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
13
14 net-misc/openssh/Manifest | 1 +
15 ...enssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch | 16 +
16 .../files/openssh-8.0_p1-X509-glue-12.0.1.patch | 19 +
17 net-misc/openssh/openssh-8.0_p1-r1.ebuild | 461 +++++++++++++++++++++
18 4 files changed, 497 insertions(+)
19
20 diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
21 index c37252ba192..8e4d889a09e 100644
22 --- a/net-misc/openssh/Manifest
23 +++ b/net-misc/openssh/Manifest
24 @@ -13,6 +13,7 @@ DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4
25 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
26 DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
27 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
28 +DIST openssh-8.0p1+x509-12.0.1.diff.gz 629849 BLAKE2B 9366244434c525ddf8f19a476b8b49d13f8c54374986bda8585db1288e7b61c60e26e2a315bec71b52f5e0f5bf4131f0f325039909b91874baab401272418fab SHA512 c6ea243f49674bba64ee372e0532eb9fe6f109d0d5e70f10995d97b5ad5e340275b1b84c3c3bfc7eda1865619dea1370e06e34bbcc3d76af6aa7a00feccaea06
29 DIST openssh-8.0p1+x509-12.0.diff.gz 623765 BLAKE2B b1c0d533a58c55b0f8451ce5aa8ee9b462afdc1eee44018f30962d3427c73b12a57c2c88bc8656c09c2b39a2ac72755539eeb29e7060ced5d3e8470647f88c0a SHA512 5f678fd303e39df7a2fb23af682c5a02b33f7fdcafe6171b9db2067098a2048677c415c3bee75225eb9fbaf308cfac7f37b0865951cdb6dda0577908499a8295
30 DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f
31 DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
32
33 diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch
34 new file mode 100644
35 index 00000000000..e4aca305e00
36 --- /dev/null
37 +++ b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.1.patch
38 @@ -0,0 +1,16 @@
39 +--- a/openssh-8.0p1+x509-12.0.1.diff 2019-04-29 14:11:55.210175168 -0700
40 ++++ b/openssh-8.0p1+x509-12.0.1.diff 2019-04-29 14:12:55.603761971 -0700
41 +@@ -34176,12 +34176,11 @@
42 +
43 + install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
44 + install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
45 +-@@ -334,6 +352,8 @@
46 ++@@ -334,6 +352,7 @@
47 + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
48 + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
49 + $(MKDIR_P) $(DESTDIR)$(libexecdir)
50 + + $(MKDIR_P) $(DESTDIR)$(sshcadir)
51 +-+ $(MKDIR_P) $(DESTDIR)$(piddir)
52 + $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
53 + $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
54 + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
55
56 diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.1.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.1.patch
57 new file mode 100644
58 index 00000000000..244aef4c399
59 --- /dev/null
60 +++ b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.1.patch
61 @@ -0,0 +1,19 @@
62 +--- a/openssh-8.0p1+x509-12.0.1.diff 2019-04-29 14:07:39.687923384 -0700
63 ++++ b/openssh-8.0p1+x509-12.0.1.diff 2019-04-29 14:08:11.330706892 -0700
64 +@@ -76610,16 +76610,6 @@
65 + + return mbtowc(NULL, s, n);
66 + +}
67 + +#endif
68 +-diff -ruN openssh-8.0p1/version.h openssh-8.0p1+x509-12.0.1/version.h
69 +---- openssh-8.0p1/version.h 2019-04-18 01:52:57.000000000 +0300
70 +-+++ openssh-8.0p1+x509-12.0.1/version.h 2019-04-29 19:07:00.000000000 +0300
71 +-@@ -2,5 +2,4 @@
72 +-
73 +- #define SSH_VERSION "OpenSSH_8.0"
74 +-
75 +--#define SSH_PORTABLE "p1"
76 +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
77 +-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
78 + diff -ruN openssh-8.0p1/version.m4 openssh-8.0p1+x509-12.0.1/version.m4
79 + --- openssh-8.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200
80 + +++ openssh-8.0p1+x509-12.0.1/version.m4 2019-04-29 19:07:00.000000000 +0300
81
82 diff --git a/net-misc/openssh/openssh-8.0_p1-r1.ebuild b/net-misc/openssh/openssh-8.0_p1-r1.ebuild
83 new file mode 100644
84 index 00000000000..333774349e2
85 --- /dev/null
86 +++ b/net-misc/openssh/openssh-8.0_p1-r1.ebuild
87 @@ -0,0 +1,461 @@
88 +# Copyright 1999-2019 Gentoo Authors
89 +# Distributed under the terms of the GNU General Public License v2
90 +
91 +EAPI=6
92 +
93 +inherit user eapi7-ver flag-o-matic multilib autotools pam systemd
94 +
95 +# Make it more portable between straight releases
96 +# and _p? releases.
97 +PARCH=${P/_}
98 +#HPN_PV="${PV^^}"
99 +HPN_PV="7.8_P1"
100 +
101 +HPN_VER="14.16"
102 +HPN_PATCHES=(
103 + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
104 + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
105 +)
106 +
107 +SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
108 +X509_VER="12.0.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
109 +
110 +PATCH_SET="openssh-7.9p1-patches-1.0"
111 +
112 +DESCRIPTION="Port of OpenBSD's free SSH release"
113 +HOMEPAGE="https://www.openssh.com/"
114 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
115 + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
116 + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
117 + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
118 + "
119 +
120 +LICENSE="BSD GPL-2"
121 +SLOT="0"
122 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
123 +# Probably want to drop ssl defaulting to on in a future version.
124 +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
125 +RESTRICT="!test? ( test )"
126 +REQUIRED_USE="ldns? ( ssl )
127 + pie? ( !static )
128 + static? ( !kerberos !pam )
129 + X509? ( !sctp ssl )
130 + test? ( ssl )"
131 +
132 +LIB_DEPEND="
133 + audit? ( sys-process/audit[static-libs(+)] )
134 + ldns? (
135 + net-libs/ldns[static-libs(+)]
136 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
137 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
138 + )
139 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
140 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
141 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
142 + ssl? (
143 + !libressl? (
144 + || (
145 + (
146 + >=dev-libs/openssl-1.0.1:0[bindist=]
147 + <dev-libs/openssl-1.1.0:0[bindist=]
148 + )
149 + >=dev-libs/openssl-1.1.0g:0[bindist=]
150 + )
151 + dev-libs/openssl:0=[static-libs(+)]
152 + )
153 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
154 + )
155 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
156 +RDEPEND="
157 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
158 + pam? ( virtual/pam )
159 + kerberos? ( virtual/krb5 )"
160 +DEPEND="${RDEPEND}
161 + static? ( ${LIB_DEPEND} )
162 + virtual/pkgconfig
163 + virtual/os-headers
164 + sys-devel/autoconf"
165 +RDEPEND="${RDEPEND}
166 + pam? ( >=sys-auth/pambase-20081028 )
167 + userland_GNU? ( virtual/shadow )
168 + X? ( x11-apps/xauth )"
169 +
170 +S="${WORKDIR}/${PARCH}"
171 +
172 +pkg_pretend() {
173 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
174 + # than not be able to log in to their server any more
175 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
176 + local fail="
177 + $(use hpn && maybe_fail hpn HPN_VER)
178 + $(use sctp && maybe_fail sctp SCTP_PATCH)
179 + $(use X509 && maybe_fail X509 X509_PATCH)
180 + "
181 + fail=$(echo ${fail})
182 + if [[ -n ${fail} ]] ; then
183 + eerror "Sorry, but this version does not yet support features"
184 + eerror "that you requested: ${fail}"
185 + eerror "Please mask ${PF} for now and check back later:"
186 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
187 + die "booooo"
188 + fi
189 +
190 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
191 + if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
192 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
193 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
194 + fi
195 +}
196 +
197 +src_prepare() {
198 + sed -i \
199 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
200 + pathnames.h || die
201 +
202 + # don't break .ssh/authorized_keys2 for fun
203 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
204 +
205 + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
206 + eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex
207 + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
208 + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
209 + eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch
210 +
211 + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
212 +
213 + local PATCHSET_VERSION_MACROS=()
214 +
215 + if use X509 ; then
216 + pushd "${WORKDIR}" || die
217 + eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
218 + eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch"
219 + popd || die
220 +
221 + eapply "${WORKDIR}"/${X509_PATCH%.*}
222 + eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch
223 +
224 + # We need to patch package version or any X.509 sshd will reject our ssh client
225 + # with "userauth_pubkey: could not parse key: string is too large [preauth]"
226 + # error
227 + einfo "Patching package version for X.509 patch set ..."
228 + sed -i \
229 + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
230 + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
231 +
232 + einfo "Patching version.h to expose X.509 patch set ..."
233 + sed -i \
234 + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
235 + "${S}"/version.h || die "Failed to sed-in X.509 patch version"
236 + PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
237 + fi
238 +
239 + if use sctp ; then
240 + eapply "${WORKDIR}"/${SCTP_PATCH%.*}
241 +
242 + einfo "Patching version.h to expose SCTP patch set ..."
243 + sed -i \
244 + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
245 + "${S}"/version.h || die "Failed to sed-in SCTP patch version"
246 + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
247 +
248 + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
249 + sed -i \
250 + -e "/\t\tcfgparse \\\/d" \
251 + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
252 + fi
253 +
254 + if use hpn ; then
255 + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
256 + mkdir "${hpn_patchdir}"
257 + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
258 + pushd "${hpn_patchdir}"
259 + eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch
260 + if use X509; then
261 + einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
262 + # X509 and AES-CTR-MT don't get along, let's just drop it
263 + rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
264 + eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch
265 + fi
266 + use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch
267 + popd
268 +
269 + eapply "${hpn_patchdir}"
270 +
271 + if ! use X509; then
272 + eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
273 + eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
274 + fi
275 +
276 + einfo "Patching Makefile.in for HPN patch set ..."
277 + sed -i \
278 + -e "/^LIBS=/ s/\$/ -lpthread/" \
279 + "${S}"/Makefile.in || die "Failed to patch Makefile.in"
280 +
281 + einfo "Patching version.h to expose HPN patch set ..."
282 + sed -i \
283 + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
284 + "${S}"/version.h || die "Failed to sed-in HPN patch version"
285 + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
286 +
287 + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
288 + einfo "Disabling known non-working MT AES cipher per default ..."
289 +
290 + cat > "${T}"/disable_mtaes.conf <<- EOF
291 +
292 + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
293 + # and therefore disabled per default.
294 + DisableMTAES yes
295 + EOF
296 + sed -i \
297 + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
298 + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
299 +
300 + sed -i \
301 + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
302 + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
303 + fi
304 + fi
305 +
306 + if use X509 || use sctp || use hpn ; then
307 + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
308 + sed -i \
309 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
310 + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
311 +
312 + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
313 + sed -i \
314 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
315 + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
316 +
317 + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
318 + sed -i \
319 + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
320 + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
321 + fi
322 +
323 + sed -i \
324 + -e "/#UseLogin no/d" \
325 + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
326 +
327 + eapply_user #473004
328 +
329 + tc-export PKG_CONFIG
330 + local sed_args=(
331 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
332 + # Disable PATH reset, trust what portage gives us #254615
333 + -e 's:^PATH=/:#PATH=/:'
334 + # Disable fortify flags ... our gcc does this for us
335 + -e 's:-D_FORTIFY_SOURCE=2::'
336 + )
337 +
338 + # The -ftrapv flag ICEs on hppa #505182
339 + use hppa && sed_args+=(
340 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
341 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
342 + )
343 + # _XOPEN_SOURCE causes header conflicts on Solaris
344 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
345 + -e 's/-D_XOPEN_SOURCE//'
346 + )
347 + sed -i "${sed_args[@]}" configure{.ac,} || die
348 +
349 + eautoreconf
350 +}
351 +
352 +src_configure() {
353 + addwrite /dev/ptmx
354 +
355 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
356 + use static && append-ldflags -static
357 +
358 + local myconf=(
359 + --with-ldflags="${LDFLAGS}"
360 + --disable-strip
361 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
362 + --sysconfdir="${EPREFIX%/}"/etc/ssh
363 + --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
364 + --datadir="${EPREFIX%/}"/usr/share/openssh
365 + --with-privsep-path="${EPREFIX%/}"/var/empty
366 + --with-privsep-user=sshd
367 + $(use_with audit audit linux)
368 + $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
369 + # We apply the sctp patch conditionally, so can't pass --without-sctp
370 + # unconditionally else we get unknown flag warnings.
371 + $(use sctp && use_with sctp)
372 + $(use_with ldns ldns "${EPREFIX%/}"/usr)
373 + $(use_with libedit)
374 + $(use_with pam)
375 + $(use_with pie)
376 + $(use_with selinux)
377 + $(use_with ssl openssl)
378 + $(use_with ssl md5-passwords)
379 + $(use_with ssl ssl-engine)
380 + $(use_with !elibc_Cygwin hardening) #659210
381 + )
382 +
383 + # stackprotect is broken on musl x86
384 + use elibc_musl && use x86 && myconf+=( --without-stackprotect )
385 +
386 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
387 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
388 +
389 + econf "${myconf[@]}"
390 +}
391 +
392 +src_test() {
393 + local t skipped=() failed=() passed=()
394 + local tests=( interop-tests compat-tests )
395 +
396 + local shell=$(egetshell "${UID}")
397 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
398 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
399 + elog "user, so we will run a subset only."
400 + skipped+=( tests )
401 + else
402 + tests+=( tests )
403 + fi
404 +
405 + # It will also attempt to write to the homedir .ssh.
406 + local sshhome=${T}/homedir
407 + mkdir -p "${sshhome}"/.ssh
408 + for t in "${tests[@]}" ; do
409 + # Some tests read from stdin ...
410 + HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
411 + emake -k -j1 ${t} </dev/null \
412 + && passed+=( "${t}" ) \
413 + || failed+=( "${t}" )
414 + done
415 +
416 + einfo "Passed tests: ${passed[*]}"
417 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
418 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
419 +}
420 +
421 +# Gentoo tweaks to default config files.
422 +tweak_ssh_configs() {
423 + local locale_vars=(
424 + # These are language variables that POSIX defines.
425 + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
426 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
427 +
428 + # These are the GNU extensions.
429 + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
430 + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
431 + )
432 +
433 + # First the server config.
434 + cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
435 +
436 + # Allow client to pass locale environment variables. #367017
437 + AcceptEnv ${locale_vars[*]}
438 +
439 + # Allow client to pass COLORTERM to match TERM. #658540
440 + AcceptEnv COLORTERM
441 + EOF
442 +
443 + # Then the client config.
444 + cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
445 +
446 + # Send locale environment variables. #367017
447 + SendEnv ${locale_vars[*]}
448 +
449 + # Send COLORTERM to match TERM. #658540
450 + SendEnv COLORTERM
451 + EOF
452 +
453 + if use pam ; then
454 + sed -i \
455 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
456 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
457 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
458 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
459 + "${ED%/}"/etc/ssh/sshd_config || die
460 + fi
461 +
462 + if use livecd ; then
463 + sed -i \
464 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
465 + "${ED%/}"/etc/ssh/sshd_config || die
466 + fi
467 +}
468 +
469 +src_install() {
470 + emake install-nokeys DESTDIR="${D}"
471 + fperms 600 /etc/ssh/sshd_config
472 + dobin contrib/ssh-copy-id
473 + newinitd "${FILESDIR}"/sshd-r1.initd sshd
474 + newconfd "${FILESDIR}"/sshd-r1.confd sshd
475 +
476 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
477 +
478 + tweak_ssh_configs
479 +
480 + doman contrib/ssh-copy-id.1
481 + dodoc CREDITS OVERVIEW README* TODO sshd_config
482 + use hpn && dodoc HPN-README
483 + use X509 || dodoc ChangeLog
484 +
485 + diropts -m 0700
486 + dodir /etc/skel/.ssh
487 +
488 + keepdir /var/empty
489 +
490 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
491 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
492 +}
493 +
494 +pkg_preinst() {
495 + enewgroup sshd 22
496 + enewuser sshd 22 -1 /var/empty sshd
497 +}
498 +
499 +pkg_postinst() {
500 + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
501 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
502 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
503 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
504 + fi
505 + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
506 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
507 + elog "Make sure to update any configs that you might have. Note that xinetd might"
508 + elog "be an alternative for you as it supports USE=tcpd."
509 + fi
510 + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
511 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
512 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
513 + elog "adding to your sshd_config or ~/.ssh/config files:"
514 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
515 + elog "You should however generate new keys using rsa or ed25519."
516 +
517 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
518 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
519 + elog "out of the box. If you need this, please update your sshd_config explicitly."
520 + fi
521 + if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
522 + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
523 + elog "Furthermore, rsa keys with less than 1024 bits will be refused."
524 + fi
525 + if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
526 + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
527 + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
528 + elog "if you need to authenticate against LDAP."
529 + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
530 + fi
531 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
532 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
533 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
534 + elog "and update all clients/servers that utilize them."
535 + fi
536 +
537 + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
538 + elog ""
539 + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
540 + elog "and therefore disabled at runtime per default."
541 + elog "Make sure your sshd_config is up to date and contains"
542 + elog ""
543 + elog " DisableMTAES yes"
544 + elog ""
545 + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
546 + elog ""
547 + fi
548 +}
Report Message
Find on MARC Find on Google Groups