[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/ - gentoo-commits

From:	Patrick McLean <chutzpah@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
Date:	Sat, 27 Aug 2016 18:34:32
Message-Id:	`1472322857.540dbda686e517a25e75fbd576a993a040dfb1c8.chutzpah@gentoo`

1

commit:     540dbda686e517a25e75fbd576a993a040dfb1c8

2

Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>

3

AuthorDate: Sat Aug 27 18:33:16 2016 +0000

4

Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>

5

CommitDate: Sat Aug 27 18:34:17 2016 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=540dbda6

7

8

net-misc/openssh: Revision bump to update X509 patch to version 9.1

9

10

Package-Manager: portage-2.3.0

11

12

 net-misc/openssh/Manifest                 |   1 +

13

 net-misc/openssh/openssh-7.3_p1-r2.ebuild | 332 ++++++++++++++++++++++++++++++

14

 2 files changed, 333 insertions(+)

15

16

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest

17

index 958961b..7e2535f 100644

18

--- a/net-misc/openssh/Manifest

19

+++ b/net-misc/openssh/Manifest

20

@@ -7,6 +7,7 @@ DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe

21

 DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386

22

 DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99

23

 DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4

24

+DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e

25

 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c

26

 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518

27

 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d

28

29

diff --git a/net-misc/openssh/openssh-7.3_p1-r2.ebuild b/net-misc/openssh/openssh-7.3_p1-r2.ebuild

30

new file mode 100644

31

index 00000000..753d73e

32

--- /dev/null

33

+++ b/net-misc/openssh/openssh-7.3_p1-r2.ebuild

34

@@ -0,0 +1,332 @@

35

+# Copyright 1999-2016 Gentoo Foundation

36

+# Distributed under the terms of the GNU General Public License v2

37

+# $Id$

38

+

39

+EAPI="5"

40

+

41

+inherit eutils user flag-o-matic multilib autotools pam systemd versionator

42

+

43

+# Make it more portable between straight releases

44

+# and _p? releases.

45

+PARCH=${P/_}

46

+

47

+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"

48

+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"

49

+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"

50

+X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"

51

+

52

+DESCRIPTION="Port of OpenBSD's free SSH release"

53

+HOMEPAGE="http://www.openssh.org/"

54

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

55

+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}

56

+	${HPN_PATCH:+hpn? (

57

+		mirror://gentoo/${HPN_PATCH}

58

+		mirror://sourceforge/hpnssh/${HPN_PATCH}

59

+	)}

60

+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}

61

+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

62

+	"

63

+

64

+LICENSE="BSD GPL-2"

65

+SLOT="0"

66

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

67

+# Probably want to drop ssl defaulting to on in a future version.

68

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"

69

+REQUIRED_USE="ldns? ( ssl )

70

+	pie? ( !static )

71

+	ssh1? ( ssl )

72

+	static? ( !kerberos !pam )

73

+	X509? ( !ldap ssl )"

74

+

75

+LIB_DEPEND="

76

+	ldns? (

77

+		net-libs/ldns[static-libs(+)]

78

+		!bindist? ( net-libs/ldns[ecdsa,ssl] )

79

+		bindist? ( net-libs/ldns[-ecdsa,ssl] )

80

+	)

81

+	libedit? ( dev-libs/libedit[static-libs(+)] )

82

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

83

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

84

+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )

85

+	ssl? (

86

+		!libressl? (

87

+			>=dev-libs/openssl-0.9.8f:0[bindist=]

88

+			dev-libs/openssl:0[static-libs(+)]

89

+		)

90

+		libressl? ( dev-libs/libressl[static-libs(+)] )

91

+	)

92

+	>=sys-libs/zlib-1.2.3[static-libs(+)]"

93

+RDEPEND="

94

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

95

+	pam? ( virtual/pam )

96

+	kerberos? ( virtual/krb5 )

97

+	ldap? ( net-nds/openldap )"

98

+DEPEND="${RDEPEND}

99

+	static? ( ${LIB_DEPEND} )

100

+	virtual/pkgconfig

101

+	virtual/os-headers

102

+	sys-devel/autoconf"

103

+RDEPEND="${RDEPEND}

104

+	pam? ( >=sys-auth/pambase-20081028 )

105

+	userland_GNU? ( virtual/shadow )

106

+	X? ( x11-apps/xauth )"

107

+

108

+S=${WORKDIR}/${PARCH}

109

+

110

+pkg_setup() {

111

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

112

+	# than not be able to log in to their server any more

113

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

114

+	local fail="

115

+		$(use X509 && maybe_fail X509 X509_PATCH)

116

+		$(use ldap && maybe_fail ldap LDAP_PATCH)

117

+		$(use hpn && maybe_fail hpn HPN_PATCH)

118

+	"

119

+	fail=$(echo ${fail})

120

+	if [[ -n ${fail} ]] ; then

121

+		eerror "Sorry, but this version does not yet support features"

122

+		eerror "that you requested:	 ${fail}"

123

+		eerror "Please mask ${PF} for now and check back later:"

124

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

125

+		die "booooo"

126

+	fi

127

+

128

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

129

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

130

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

131

+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

132

+	fi

133

+}

134

+

135

+save_version() {

136

+	# version.h patch conflict avoidence

137

+	mv version.h version.h.$1

138

+	cp -f version.h.pristine version.h

139

+}

140

+

141

+src_prepare() {

142

+	sed -i \

143

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

144

+		pathnames.h || die

145

+	# keep this as we need it to avoid the conflict between LPK and HPN changing

146

+	# this file.

147

+	cp version.h version.h.pristine

148

+

149

+	# don't break .ssh/authorized_keys2 for fun

150

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

151

+

152

+	if use X509 ; then

153

+		pushd .. >/dev/null

154

+		if use hpn ; then

155

+			pushd ${HPN_PATCH%.*.*} >/dev/null

156

+			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch

157

+			popd >/dev/null

158

+		fi

159

+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch

160

+		popd >/dev/null

161

+		epatch "${WORKDIR}"/${X509_PATCH%.*}

162

+		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch

163

+		#save_version X509

164

+	fi

165

+	if use ldap ; then

166

+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}

167

+		save_version LPK

168

+	fi

169

+	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex

170

+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

171

+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}

172

+	if use hpn ; then

173

+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \

174

+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \

175

+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}

176

+		save_version HPN

177

+	fi

178

+

179

+	tc-export PKG_CONFIG

180

+	local sed_args=(

181

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

182

+		# Disable PATH reset, trust what portage gives us #254615

183

+		-e 's:^PATH=/:#PATH=/:'

184

+		# Disable fortify flags ... our gcc does this for us

185

+		-e 's:-D_FORTIFY_SOURCE=2::'

186

+	)

187

+	# The -ftrapv flag ICEs on hppa #505182

188

+	use hppa && sed_args+=(

189

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

190

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

191

+	)

192

+	sed -i "${sed_args[@]}" configure{.ac,} || die

193

+

194

+	epatch_user #473004

195

+

196

+	# Now we can build a sane merged version.h

197

+	(

198

+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u

199

+		macros=()

200

+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done

201

+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

202

+	) > version.h

203

+

204

+	eautoreconf

205

+}

206

+

207

+src_configure() {

208

+	addwrite /dev/ptmx

209

+

210

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

211

+	use static && append-ldflags -static

212

+

213

+	local myconf=(

214

+		--with-ldflags="${LDFLAGS}"

215

+		--disable-strip

216

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

217

+		--sysconfdir="${EPREFIX}"/etc/ssh

218

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

219

+		--datadir="${EPREFIX}"/usr/share/openssh

220

+		--with-privsep-path="${EPREFIX}"/var/empty

221

+		--with-privsep-user=sshd

222

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

223

+		# We apply the ldap patch conditionally, so can't pass --without-ldap

224

+		# unconditionally else we get unknown flag warnings.

225

+		$(use ldap && use_with ldap)

226

+		$(use_with ldns)

227

+		$(use_with libedit)

228

+		$(use_with pam)

229

+		$(use_with pie)

230

+		$(use_with sctp)

231

+		$(use_with selinux)

232

+		$(use_with skey)

233

+		$(use_with ssh1)

234

+		$(use_with ssl openssl)

235

+		$(use_with ssl md5-passwords)

236

+		$(use_with ssl ssl-engine)

237

+	)

238

+

239

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

240

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

241

+

242

+	econf "${myconf[@]}"

243

+}

244

+

245

+src_install() {

246

+	emake install-nokeys DESTDIR="${D}"

247

+	fperms 600 /etc/ssh/sshd_config

248

+	dobin contrib/ssh-copy-id

249

+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd

250

+	newconfd "${FILESDIR}"/sshd.confd sshd

251

+	keepdir /var/empty

252

+

253

+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

254

+	if use pam ; then

255

+		sed -i \

256

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

257

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

258

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

259

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

260

+			"${ED}"/etc/ssh/sshd_config || die

261

+	fi

262

+

263

+	# Gentoo tweaks to default config files

264

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

265

+

266

+	# Allow client to pass locale environment variables #367017

267

+	AcceptEnv LANG LC_*

268

+	EOF

269

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

270

+

271

+	# Send locale environment variables #367017

272

+	SendEnv LANG LC_*

273

+	EOF

274

+

275

+	if use livecd ; then

276

+		sed -i \

277

+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \

278

+			"${ED}"/etc/ssh/sshd_config || die

279

+	fi

280

+

281

+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then

282

+		insinto /etc/openldap/schema/

283

+		newins openssh-lpk_openldap.schema openssh-lpk.schema

284

+	fi

285

+

286

+	doman contrib/ssh-copy-id.1

287

+	dodoc CREDITS OVERVIEW README* TODO sshd_config

288

+	use X509 || dodoc ChangeLog

289

+

290

+	diropts -m 0700

291

+	dodir /etc/skel/.ssh

292

+

293

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

294

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

295

+}

296

+

297

+src_test() {

298

+	local t tests skipped failed passed shell

299

+	tests="interop-tests compat-tests"

300

+	skipped=""

301

+	shell=$(egetshell ${UID})

302

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

303

+		elog "Running the full OpenSSH testsuite"

304

+		elog "requires a usable shell for the 'portage'"

305

+		elog "user, so we will run a subset only."

306

+		skipped="${skipped} tests"

307

+	else

308

+		tests="${tests} tests"

309

+	fi

310

+	# It will also attempt to write to the homedir .ssh

311

+	local sshhome=${T}/homedir

312

+	mkdir -p "${sshhome}"/.ssh

313

+	for t in ${tests} ; do

314

+		# Some tests read from stdin ...

315

+		HOMEDIR="${sshhome}" \

316

+		emake -k -j1 ${t} </dev/null \

317

+			&& passed="${passed}${t} " \

318

+			|| failed="${failed}${t} "

319

+	done

320

+	einfo "Passed tests: ${passed}"

321

+	ewarn "Skipped tests: ${skipped}"

322

+	if [[ -n ${failed} ]] ; then

323

+		ewarn "Failed tests: ${failed}"

324

+		die "Some tests failed: ${failed}"

325

+	else

326

+		einfo "Failed tests: ${failed}"

327

+		return 0

328

+	fi

329

+}

330

+

331

+pkg_preinst() {

332

+	enewgroup sshd 22

333

+	enewuser sshd 22 -1 /var/empty sshd

334

+}

335

+

336

+pkg_postinst() {

337

+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then

338

+		elog "Starting with openssh-5.8p1, the server will default to a newer key"

339

+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

340

+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

341

+	fi

342

+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then

343

+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."

344

+	fi

345

+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then

346

+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

347

+		elog "Make sure to update any configs that you might have.  Note that xinetd might"

348

+		elog "be an alternative for you as it supports USE=tcpd."

349

+	fi

350

+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518

351

+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

352

+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

353

+		elog "adding to your sshd_config or ~/.ssh/config files:"

354

+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

355

+		elog "You should however generate new keys using rsa or ed25519."

356

+

357

+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"

358

+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"

359

+		elog "out of the box.  If you need this, please update your sshd_config explicitly."

360

+	fi

361

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then

362

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

363

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

364

+		elog "and update all clients/servers that utilize them."

365

+	fi

366

+}

1	commit: 540dbda686e517a25e75fbd576a993a040dfb1c8
2	Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
3	AuthorDate: Sat Aug 27 18:33:16 2016 +0000
4	Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5	CommitDate: Sat Aug 27 18:34:17 2016 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=540dbda6
7
8	net-misc/openssh: Revision bump to update X509 patch to version 9.1
9
10	Package-Manager: portage-2.3.0
11
12	net-misc/openssh/Manifest \| 1 +
13	net-misc/openssh/openssh-7.3_p1-r2.ebuild \| 332 ++++++++++++++++++++++++++++++
14	2 files changed, 333 insertions(+)
15
16	diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
17	index 958961b..7e2535f 100644
18	--- a/net-misc/openssh/Manifest
19	+++ b/net-misc/openssh/Manifest
20	@@ -7,6 +7,7 @@ DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe
21	DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386
22	DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
23	DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
24	+DIST openssh-7.3p1+x509-9.1.diff.gz 584945 SHA256 1ce361813d585fb543f632d19f73a583e257a404c013587a2ee7a1c57710ae95 SHA512 11165544513eaff2b2e1f6dd11b9fb2870e59eb7e16377cf8fc1bf7e459cf8d09a91cf52f0d252df1bf618423ea8fb93099b96670cebc42aa2523dd439e59a89 WHIRLPOOL 8732cc52ef851a35c0dc8b35e8b6666d347f40ee60792aa23bae8e193ec6fa24928b67e6d8ebfc2c52090e78c525e908596020071495452965fa6244df1e459e
25	DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
26	DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
27	DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
28
29	diff --git a/net-misc/openssh/openssh-7.3_p1-r2.ebuild b/net-misc/openssh/openssh-7.3_p1-r2.ebuild
30	new file mode 100644
31	index 00000000..753d73e
32	--- /dev/null
33	+++ b/net-misc/openssh/openssh-7.3_p1-r2.ebuild
34	@@ -0,0 +1,332 @@
35	+# Copyright 1999-2016 Gentoo Foundation
36	+# Distributed under the terms of the GNU General Public License v2
37	+# $Id$
38	+
39	+EAPI="5"
40	+
41	+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
42	+
43	+# Make it more portable between straight releases
44	+# and _p? releases.
45	+PARCH=${P/_}
46	+
47	+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
48	+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
49	+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
50	+X509_VER="9.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
51	+
52	+DESCRIPTION="Port of OpenBSD's free SSH release"
53	+HOMEPAGE="http://www.openssh.org/"
54	+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
55	+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
56	+ ${HPN_PATCH:+hpn? (
57	+ mirror://gentoo/${HPN_PATCH}
58	+ mirror://sourceforge/hpnssh/${HPN_PATCH}
59	+ )}
60	+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
61	+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
62	+ "
63	+
64	+LICENSE="BSD GPL-2"
65	+SLOT="0"
66	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
67	+# Probably want to drop ssl defaulting to on in a future version.
68	+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
69	+REQUIRED_USE="ldns? ( ssl )
70	+ pie? ( !static )
71	+ ssh1? ( ssl )
72	+ static? ( !kerberos !pam )
73	+ X509? ( !ldap ssl )"
74	+
75	+LIB_DEPEND="
76	+ ldns? (
77	+ net-libs/ldns[static-libs(+)]
78	+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
79	+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
80	+ )
81	+ libedit? ( dev-libs/libedit[static-libs(+)] )
82	+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
83	+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
84	+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
85	+ ssl? (
86	+ !libressl? (
87	+ >=dev-libs/openssl-0.9.8f:0[bindist=]
88	+ dev-libs/openssl:0[static-libs(+)]
89	+ )
90	+ libressl? ( dev-libs/libressl[static-libs(+)] )
91	+ )
92	+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
93	+RDEPEND="
94	+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
95	+ pam? ( virtual/pam )
96	+ kerberos? ( virtual/krb5 )
97	+ ldap? ( net-nds/openldap )"
98	+DEPEND="${RDEPEND}
99	+ static? ( ${LIB_DEPEND} )
100	+ virtual/pkgconfig
101	+ virtual/os-headers
102	+ sys-devel/autoconf"
103	+RDEPEND="${RDEPEND}
104	+ pam? ( >=sys-auth/pambase-20081028 )
105	+ userland_GNU? ( virtual/shadow )
106	+ X? ( x11-apps/xauth )"
107	+
108	+S=${WORKDIR}/${PARCH}
109	+
110	+pkg_setup() {
111	+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
112	+ # than not be able to log in to their server any more
113	+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
114	+ local fail="
115	+ $(use X509 && maybe_fail X509 X509_PATCH)
116	+ $(use ldap && maybe_fail ldap LDAP_PATCH)
117	+ $(use hpn && maybe_fail hpn HPN_PATCH)
118	+ "
119	+ fail=$(echo ${fail})
120	+ if [[ -n ${fail} ]] ; then
121	+ eerror "Sorry, but this version does not yet support features"
122	+ eerror "that you requested: ${fail}"
123	+ eerror "Please mask ${PF} for now and check back later:"
124	+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
125	+ die "booooo"
126	+ fi
127	+
128	+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
129	+ if grep -qs '^ sshd :' "${EROOT}"/etc/hosts.{allow,deny} ; then
130	+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
131	+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
132	+ fi
133	+}
134	+
135	+save_version() {
136	+ # version.h patch conflict avoidence
137	+ mv version.h version.h.$1
138	+ cp -f version.h.pristine version.h
139	+}
140	+
141	+src_prepare() {
142	+ sed -i \
143	+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
144	+ pathnames.h \|\| die
145	+ # keep this as we need it to avoid the conflict between LPK and HPN changing
146	+ # this file.
147	+ cp version.h version.h.pristine
148	+
149	+ # don't break .ssh/authorized_keys2 for fun
150	+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
151	+
152	+ if use X509 ; then
153	+ pushd .. >/dev/null
154	+ if use hpn ; then
155	+ pushd ${HPN_PATCH%..} >/dev/null
156	+ epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
157	+ popd >/dev/null
158	+ fi
159	+ epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
160	+ popd >/dev/null
161	+ epatch "${WORKDIR}"/${X509_PATCH%.*}
162	+ #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
163	+ #save_version X509
164	+ fi
165	+ if use ldap ; then
166	+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
167	+ save_version LPK
168	+ fi
169	+ epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
170	+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
171	+ epatch "${WORKDIR}"/${SCTP_PATCH%.*}
172	+ if use hpn ; then
173	+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
174	+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
175	+ epatch "${WORKDIR}"/${HPN_PATCH%..}
176	+ save_version HPN
177	+ fi
178	+
179	+ tc-export PKG_CONFIG
180	+ local sed_args=(
181	+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
182	+ # Disable PATH reset, trust what portage gives us #254615
183	+ -e 's:^PATH=/:#PATH=/:'
184	+ # Disable fortify flags ... our gcc does this for us
185	+ -e 's:-D_FORTIFY_SOURCE=2::'
186	+ )
187	+ # The -ftrapv flag ICEs on hppa #505182
188	+ use hppa && sed_args+=(
189	+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
190	+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
191	+ )
192	+ sed -i "${sed_args[@]}" configure{.ac,} \|\| die
193	+
194	+ epatch_user #473004
195	+
196	+ # Now we can build a sane merged version.h
197	+ (
198	+ sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
199	+ macros=()
200	+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
201	+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
202	+ ) > version.h
203	+
204	+ eautoreconf
205	+}
206	+
207	+src_configure() {
208	+ addwrite /dev/ptmx
209	+
210	+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
211	+ use static && append-ldflags -static
212	+
213	+ local myconf=(
214	+ --with-ldflags="${LDFLAGS}"
215	+ --disable-strip
216	+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
217	+ --sysconfdir="${EPREFIX}"/etc/ssh
218	+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
219	+ --datadir="${EPREFIX}"/usr/share/openssh
220	+ --with-privsep-path="${EPREFIX}"/var/empty
221	+ --with-privsep-user=sshd
222	+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
223	+ # We apply the ldap patch conditionally, so can't pass --without-ldap
224	+ # unconditionally else we get unknown flag warnings.
225	+ $(use ldap && use_with ldap)
226	+ $(use_with ldns)
227	+ $(use_with libedit)
228	+ $(use_with pam)
229	+ $(use_with pie)
230	+ $(use_with sctp)
231	+ $(use_with selinux)
232	+ $(use_with skey)
233	+ $(use_with ssh1)
234	+ $(use_with ssl openssl)
235	+ $(use_with ssl md5-passwords)
236	+ $(use_with ssl ssl-engine)
237	+ )
238	+
239	+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
240	+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
241	+
242	+ econf "${myconf[@]}"
243	+}
244	+
245	+src_install() {
246	+ emake install-nokeys DESTDIR="${D}"
247	+ fperms 600 /etc/ssh/sshd_config
248	+ dobin contrib/ssh-copy-id
249	+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
250	+ newconfd "${FILESDIR}"/sshd.confd sshd
251	+ keepdir /var/empty
252	+
253	+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
254	+ if use pam ; then
255	+ sed -i \
256	+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
257	+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
258	+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
259	+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
260	+ "${ED}"/etc/ssh/sshd_config \|\| die
261	+ fi
262	+
263	+ # Gentoo tweaks to default config files
264	+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
265	+
266	+ # Allow client to pass locale environment variables #367017
267	+ AcceptEnv LANG LC_*
268	+ EOF
269	+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
270	+
271	+ # Send locale environment variables #367017
272	+ SendEnv LANG LC_*
273	+ EOF
274	+
275	+ if use livecd ; then
276	+ sed -i \
277	+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
278	+ "${ED}"/etc/ssh/sshd_config \|\| die
279	+ fi
280	+
281	+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
282	+ insinto /etc/openldap/schema/
283	+ newins openssh-lpk_openldap.schema openssh-lpk.schema
284	+ fi
285	+
286	+ doman contrib/ssh-copy-id.1
287	+ dodoc CREDITS OVERVIEW README* TODO sshd_config
288	+ use X509 \|\| dodoc ChangeLog
289	+
290	+ diropts -m 0700
291	+ dodir /etc/skel/.ssh
292	+
293	+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
294	+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
295	+}
296	+
297	+src_test() {
298	+ local t tests skipped failed passed shell
299	+ tests="interop-tests compat-tests"
300	+ skipped=""
301	+ shell=$(egetshell ${UID})
302	+ if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
303	+ elog "Running the full OpenSSH testsuite"
304	+ elog "requires a usable shell for the 'portage'"
305	+ elog "user, so we will run a subset only."
306	+ skipped="${skipped} tests"
307	+ else
308	+ tests="${tests} tests"
309	+ fi
310	+ # It will also attempt to write to the homedir .ssh
311	+ local sshhome=${T}/homedir
312	+ mkdir -p "${sshhome}"/.ssh
313	+ for t in ${tests} ; do
314	+ # Some tests read from stdin ...
315	+ HOMEDIR="${sshhome}" \
316	+ emake -k -j1 ${t} </dev/null \
317	+ && passed="${passed}${t} " \
318	+ \|\| failed="${failed}${t} "
319	+ done
320	+ einfo "Passed tests: ${passed}"
321	+ ewarn "Skipped tests: ${skipped}"
322	+ if [[ -n ${failed} ]] ; then
323	+ ewarn "Failed tests: ${failed}"
324	+ die "Some tests failed: ${failed}"
325	+ else
326	+ einfo "Failed tests: ${failed}"
327	+ return 0
328	+ fi
329	+}
330	+
331	+pkg_preinst() {
332	+ enewgroup sshd 22
333	+ enewuser sshd 22 -1 /var/empty sshd
334	+}
335	+
336	+pkg_postinst() {
337	+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
338	+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
339	+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
340	+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
341	+ fi
342	+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
343	+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
344	+ fi
345	+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
346	+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
347	+ elog "Make sure to update any configs that you might have. Note that xinetd might"
348	+ elog "be an alternative for you as it supports USE=tcpd."
349	+ fi
350	+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
351	+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
352	+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
353	+ elog "adding to your sshd_config or ~/.ssh/config files:"
354	+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
355	+ elog "You should however generate new keys using rsa or ed25519."
356	+
357	+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
358	+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
359	+ elog "out of the box. If you need this, please update your sshd_config explicitly."
360	+ fi
361	+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
362	+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
363	+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
364	+ elog "and update all clients/servers that utilize them."
365	+ fi
366	+}

Gentoo Archives: gentoo-commits