[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/ - gentoo-commits

From:	Mike Frysinger <vapier@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
Date:	Tue, 02 Aug 2016 14:57:56
Message-Id:	`1470149818.efb18910010dbddfe868628999922c205ed43634.vapier@gentoo`

1

commit:     efb18910010dbddfe868628999922c205ed43634

2

Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

3

AuthorDate: Tue Aug  2 09:33:22 2016 +0000

4

Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

5

CommitDate: Tue Aug  2 14:56:58 2016 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efb18910

7

8

net-misc/openssh: version bump to 7.3_p1

9

10

 net-misc/openssh/Manifest              |   3 +

11

 net-misc/openssh/openssh-7.3_p1.ebuild | 330 +++++++++++++++++++++++++++++++++

12

 2 files changed, 333 insertions(+)

13

14

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest

15

index ea15d13..f3b4f04 100644

16

--- a/net-misc/openssh/Manifest

17

+++ b/net-misc/openssh/Manifest

18

@@ -5,5 +5,8 @@ DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6

19

 DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306

20

 DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f

21

 DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386

22

+DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99

23

+DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c

24

 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518

25

 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d

26

+DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c

27

28

diff --git a/net-misc/openssh/openssh-7.3_p1.ebuild b/net-misc/openssh/openssh-7.3_p1.ebuild

29

new file mode 100644

30

index 0000000..09e100e

31

--- /dev/null

32

+++ b/net-misc/openssh/openssh-7.3_p1.ebuild

33

@@ -0,0 +1,330 @@

34

+# Copyright 1999-2016 Gentoo Foundation

35

+# Distributed under the terms of the GNU General Public License v2

36

+

37

+EAPI="5"

38

+

39

+inherit eutils user flag-o-matic multilib autotools pam systemd versionator

40

+

41

+# Make it more portable between straight releases

42

+# and _p? releases.

43

+PARCH=${P/_}

44

+

45

+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"

46

+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"

47

+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"

48

+#X509_VER="8.9" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"

49

+

50

+DESCRIPTION="Port of OpenBSD's free SSH release"

51

+HOMEPAGE="http://www.openssh.org/"

52

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

53

+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}

54

+	${HPN_PATCH:+hpn? (

55

+		mirror://gentoo/${HPN_PATCH}

56

+		mirror://sourceforge/hpnssh/${HPN_PATCH}

57

+	)}

58

+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}

59

+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

60

+	"

61

+

62

+LICENSE="BSD GPL-2"

63

+SLOT="0"

64

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

65

+# Probably want to drop ssl defaulting to on in a future version.

66

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"

67

+REQUIRED_USE="ldns? ( ssl )

68

+	pie? ( !static )

69

+	ssh1? ( ssl )

70

+	static? ( !kerberos !pam )

71

+	X509? ( !ldap ssl )"

72

+

73

+LIB_DEPEND="

74

+	ldns? (

75

+		net-libs/ldns[static-libs(+)]

76

+		!bindist? ( net-libs/ldns[ecdsa,ssl] )

77

+		bindist? ( net-libs/ldns[-ecdsa,ssl] )

78

+	)

79

+	libedit? ( dev-libs/libedit[static-libs(+)] )

80

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

81

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

82

+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )

83

+	ssl? (

84

+		!libressl? (

85

+			>=dev-libs/openssl-0.9.8f:0[bindist=]

86

+			dev-libs/openssl:0[static-libs(+)]

87

+		)

88

+		libressl? ( dev-libs/libressl[static-libs(+)] )

89

+	)

90

+	>=sys-libs/zlib-1.2.3[static-libs(+)]"

91

+RDEPEND="

92

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

93

+	pam? ( virtual/pam )

94

+	kerberos? ( virtual/krb5 )

95

+	ldap? ( net-nds/openldap )"

96

+DEPEND="${RDEPEND}

97

+	static? ( ${LIB_DEPEND} )

98

+	virtual/pkgconfig

99

+	virtual/os-headers

100

+	sys-devel/autoconf"

101

+RDEPEND="${RDEPEND}

102

+	pam? ( >=sys-auth/pambase-20081028 )

103

+	userland_GNU? ( virtual/shadow )

104

+	X? ( x11-apps/xauth )"

105

+

106

+S=${WORKDIR}/${PARCH}

107

+

108

+pkg_setup() {

109

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

110

+	# than not be able to log in to their server any more

111

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

112

+	local fail="

113

+		$(use X509 && maybe_fail X509 X509_PATCH)

114

+		$(use ldap && maybe_fail ldap LDAP_PATCH)

115

+		$(use hpn && maybe_fail hpn HPN_PATCH)

116

+	"

117

+	fail=$(echo ${fail})

118

+	if [[ -n ${fail} ]] ; then

119

+		eerror "Sorry, but this version does not yet support features"

120

+		eerror "that you requested:	 ${fail}"

121

+		eerror "Please mask ${PF} for now and check back later:"

122

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

123

+		die "booooo"

124

+	fi

125

+

126

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

127

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

128

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

129

+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

130

+	fi

131

+}

132

+

133

+save_version() {

134

+	# version.h patch conflict avoidence

135

+	mv version.h version.h.$1

136

+	cp -f version.h.pristine version.h

137

+}

138

+

139

+src_prepare() {

140

+	sed -i \

141

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

142

+		pathnames.h || die

143

+	# keep this as we need it to avoid the conflict between LPK and HPN changing

144

+	# this file.

145

+	cp version.h version.h.pristine

146

+

147

+	# don't break .ssh/authorized_keys2 for fun

148

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

149

+

150

+	if use X509 ; then

151

+		pushd .. >/dev/null

152

+		if use hpn ; then

153

+			pushd ${HPN_PATCH%.*.*} >/dev/null

154

+			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch

155

+			popd >/dev/null

156

+		fi

157

+		epatch "${FILESDIR}"/${PN}-7.2_p1-sctp-x509-glue.patch

158

+		popd >/dev/null

159

+		epatch "${WORKDIR}"/${X509_PATCH%.*}

160

+		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch

161

+		#save_version X509

162

+	fi

163

+	if use ldap ; then

164

+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}

165

+		save_version LPK

166

+	fi

167

+	epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex

168

+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

169

+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}

170

+	if use hpn ; then

171

+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \

172

+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \

173

+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}

174

+		save_version HPN

175

+	fi

176

+

177

+	tc-export PKG_CONFIG

178

+	local sed_args=(

179

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

180

+		# Disable PATH reset, trust what portage gives us #254615

181

+		-e 's:^PATH=/:#PATH=/:'

182

+		# Disable fortify flags ... our gcc does this for us

183

+		-e 's:-D_FORTIFY_SOURCE=2::'

184

+	)

185

+	# The -ftrapv flag ICEs on hppa #505182

186

+	use hppa && sed_args+=(

187

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

188

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

189

+	)

190

+	sed -i "${sed_args[@]}" configure{.ac,} || die

191

+

192

+	epatch_user #473004

193

+

194

+	# Now we can build a sane merged version.h

195

+	(

196

+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u

197

+		macros=()

198

+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done

199

+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

200

+	) > version.h

201

+

202

+	eautoreconf

203

+}

204

+

205

+src_configure() {

206

+	addwrite /dev/ptmx

207

+

208

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

209

+	use static && append-ldflags -static

210

+

211

+	local myconf=(

212

+		--with-ldflags="${LDFLAGS}"

213

+		--disable-strip

214

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

215

+		--sysconfdir="${EPREFIX}"/etc/ssh

216

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

217

+		--datadir="${EPREFIX}"/usr/share/openssh

218

+		--with-privsep-path="${EPREFIX}"/var/empty

219

+		--with-privsep-user=sshd

220

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

221

+		# We apply the ldap patch conditionally, so can't pass --without-ldap

222

+		# unconditionally else we get unknown flag warnings.

223

+		$(use ldap && use_with ldap)

224

+		$(use_with ldns)

225

+		$(use_with libedit)

226

+		$(use_with pam)

227

+		$(use_with pie)

228

+		$(use_with sctp)

229

+		$(use_with selinux)

230

+		$(use_with skey)

231

+		$(use_with ssh1)

232

+		$(use_with ssl openssl)

233

+		$(use_with ssl md5-passwords)

234

+		$(use_with ssl ssl-engine)

235

+	)

236

+

237

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

238

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

239

+

240

+	econf "${myconf[@]}"

241

+}

242

+

243

+src_install() {

244

+	emake install-nokeys DESTDIR="${D}"

245

+	fperms 600 /etc/ssh/sshd_config

246

+	dobin contrib/ssh-copy-id

247

+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd

248

+	newconfd "${FILESDIR}"/sshd.confd sshd

249

+	keepdir /var/empty

250

+

251

+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

252

+	if use pam ; then

253

+		sed -i \

254

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

255

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

256

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

257

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

258

+			"${ED}"/etc/ssh/sshd_config || die

259

+	fi

260

+

261

+	# Gentoo tweaks to default config files

262

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

263

+

264

+	# Allow client to pass locale environment variables #367017

265

+	AcceptEnv LANG LC_*

266

+	EOF

267

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

268

+

269

+	# Send locale environment variables #367017

270

+	SendEnv LANG LC_*

271

+	EOF

272

+

273

+	if use livecd ; then

274

+		sed -i \

275

+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \

276

+			"${ED}"/etc/ssh/sshd_config || die

277

+	fi

278

+

279

+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then

280

+		insinto /etc/openldap/schema/

281

+		newins openssh-lpk_openldap.schema openssh-lpk.schema

282

+	fi

283

+

284

+	doman contrib/ssh-copy-id.1

285

+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config

286

+

287

+	diropts -m 0700

288

+	dodir /etc/skel/.ssh

289

+

290

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

291

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

292

+}

293

+

294

+src_test() {

295

+	local t tests skipped failed passed shell

296

+	tests="interop-tests compat-tests"

297

+	skipped=""

298

+	shell=$(egetshell ${UID})

299

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

300

+		elog "Running the full OpenSSH testsuite"

301

+		elog "requires a usable shell for the 'portage'"

302

+		elog "user, so we will run a subset only."

303

+		skipped="${skipped} tests"

304

+	else

305

+		tests="${tests} tests"

306

+	fi

307

+	# It will also attempt to write to the homedir .ssh

308

+	local sshhome=${T}/homedir

309

+	mkdir -p "${sshhome}"/.ssh

310

+	for t in ${tests} ; do

311

+		# Some tests read from stdin ...

312

+		HOMEDIR="${sshhome}" \

313

+		emake -k -j1 ${t} </dev/null \

314

+			&& passed="${passed}${t} " \

315

+			|| failed="${failed}${t} "

316

+	done

317

+	einfo "Passed tests: ${passed}"

318

+	ewarn "Skipped tests: ${skipped}"

319

+	if [[ -n ${failed} ]] ; then

320

+		ewarn "Failed tests: ${failed}"

321

+		die "Some tests failed: ${failed}"

322

+	else

323

+		einfo "Failed tests: ${failed}"

324

+		return 0

325

+	fi

326

+}

327

+

328

+pkg_preinst() {

329

+	enewgroup sshd 22

330

+	enewuser sshd 22 -1 /var/empty sshd

331

+}

332

+

333

+pkg_postinst() {

334

+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then

335

+		elog "Starting with openssh-5.8p1, the server will default to a newer key"

336

+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

337

+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

338

+	fi

339

+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then

340

+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."

341

+	fi

342

+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then

343

+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

344

+		elog "Make sure to update any configs that you might have.  Note that xinetd might"

345

+		elog "be an alternative for you as it supports USE=tcpd."

346

+	fi

347

+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518

348

+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

349

+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

350

+		elog "adding to your sshd_config or ~/.ssh/config files:"

351

+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

352

+		elog "You should however generate new keys using rsa or ed25519."

353

+

354

+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"

355

+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"

356

+		elog "out of the box.  If you need this, please update your sshd_config explicitly."

357

+	fi

358

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then

359

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

360

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

361

+		elog "and update all clients/servers that utilize them."

362

+	fi

363

+}

1	commit: efb18910010dbddfe868628999922c205ed43634
2	Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
3	AuthorDate: Tue Aug 2 09:33:22 2016 +0000
4	Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
5	CommitDate: Tue Aug 2 14:56:58 2016 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efb18910
7
8	net-misc/openssh: version bump to 7.3_p1
9
10	net-misc/openssh/Manifest \| 3 +
11	net-misc/openssh/openssh-7.3_p1.ebuild \| 330 +++++++++++++++++++++++++++++++++
12	2 files changed, 333 insertions(+)
13
14	diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
15	index ea15d13..f3b4f04 100644
16	--- a/net-misc/openssh/Manifest
17	+++ b/net-misc/openssh/Manifest
18	@@ -5,5 +5,8 @@ DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6
19	DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306
20	DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f
21	DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386
22	+DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
23	+DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
24	DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
25	DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
26	+DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
27
28	diff --git a/net-misc/openssh/openssh-7.3_p1.ebuild b/net-misc/openssh/openssh-7.3_p1.ebuild
29	new file mode 100644
30	index 0000000..09e100e
31	--- /dev/null
32	+++ b/net-misc/openssh/openssh-7.3_p1.ebuild
33	@@ -0,0 +1,330 @@
34	+# Copyright 1999-2016 Gentoo Foundation
35	+# Distributed under the terms of the GNU General Public License v2
36	+
37	+EAPI="5"
38	+
39	+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
40	+
41	+# Make it more portable between straight releases
42	+# and _p? releases.
43	+PARCH=${P/_}
44	+
45	+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
46	+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
47	+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
48	+#X509_VER="8.9" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
49	+
50	+DESCRIPTION="Port of OpenBSD's free SSH release"
51	+HOMEPAGE="http://www.openssh.org/"
52	+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
53	+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
54	+ ${HPN_PATCH:+hpn? (
55	+ mirror://gentoo/${HPN_PATCH}
56	+ mirror://sourceforge/hpnssh/${HPN_PATCH}
57	+ )}
58	+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
59	+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
60	+ "
61	+
62	+LICENSE="BSD GPL-2"
63	+SLOT="0"
64	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
65	+# Probably want to drop ssl defaulting to on in a future version.
66	+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
67	+REQUIRED_USE="ldns? ( ssl )
68	+ pie? ( !static )
69	+ ssh1? ( ssl )
70	+ static? ( !kerberos !pam )
71	+ X509? ( !ldap ssl )"
72	+
73	+LIB_DEPEND="
74	+ ldns? (
75	+ net-libs/ldns[static-libs(+)]
76	+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
77	+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
78	+ )
79	+ libedit? ( dev-libs/libedit[static-libs(+)] )
80	+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
81	+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
82	+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
83	+ ssl? (
84	+ !libressl? (
85	+ >=dev-libs/openssl-0.9.8f:0[bindist=]
86	+ dev-libs/openssl:0[static-libs(+)]
87	+ )
88	+ libressl? ( dev-libs/libressl[static-libs(+)] )
89	+ )
90	+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
91	+RDEPEND="
92	+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
93	+ pam? ( virtual/pam )
94	+ kerberos? ( virtual/krb5 )
95	+ ldap? ( net-nds/openldap )"
96	+DEPEND="${RDEPEND}
97	+ static? ( ${LIB_DEPEND} )
98	+ virtual/pkgconfig
99	+ virtual/os-headers
100	+ sys-devel/autoconf"
101	+RDEPEND="${RDEPEND}
102	+ pam? ( >=sys-auth/pambase-20081028 )
103	+ userland_GNU? ( virtual/shadow )
104	+ X? ( x11-apps/xauth )"
105	+
106	+S=${WORKDIR}/${PARCH}
107	+
108	+pkg_setup() {
109	+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
110	+ # than not be able to log in to their server any more
111	+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
112	+ local fail="
113	+ $(use X509 && maybe_fail X509 X509_PATCH)
114	+ $(use ldap && maybe_fail ldap LDAP_PATCH)
115	+ $(use hpn && maybe_fail hpn HPN_PATCH)
116	+ "
117	+ fail=$(echo ${fail})
118	+ if [[ -n ${fail} ]] ; then
119	+ eerror "Sorry, but this version does not yet support features"
120	+ eerror "that you requested: ${fail}"
121	+ eerror "Please mask ${PF} for now and check back later:"
122	+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
123	+ die "booooo"
124	+ fi
125	+
126	+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
127	+ if grep -qs '^ sshd :' "${EROOT}"/etc/hosts.{allow,deny} ; then
128	+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
129	+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
130	+ fi
131	+}
132	+
133	+save_version() {
134	+ # version.h patch conflict avoidence
135	+ mv version.h version.h.$1
136	+ cp -f version.h.pristine version.h
137	+}
138	+
139	+src_prepare() {
140	+ sed -i \
141	+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
142	+ pathnames.h \|\| die
143	+ # keep this as we need it to avoid the conflict between LPK and HPN changing
144	+ # this file.
145	+ cp version.h version.h.pristine
146	+
147	+ # don't break .ssh/authorized_keys2 for fun
148	+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
149	+
150	+ if use X509 ; then
151	+ pushd .. >/dev/null
152	+ if use hpn ; then
153	+ pushd ${HPN_PATCH%..} >/dev/null
154	+ epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
155	+ popd >/dev/null
156	+ fi
157	+ epatch "${FILESDIR}"/${PN}-7.2_p1-sctp-x509-glue.patch
158	+ popd >/dev/null
159	+ epatch "${WORKDIR}"/${X509_PATCH%.*}
160	+ #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
161	+ #save_version X509
162	+ fi
163	+ if use ldap ; then
164	+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
165	+ save_version LPK
166	+ fi
167	+ epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
168	+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
169	+ epatch "${WORKDIR}"/${SCTP_PATCH%.*}
170	+ if use hpn ; then
171	+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
172	+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
173	+ epatch "${WORKDIR}"/${HPN_PATCH%..}
174	+ save_version HPN
175	+ fi
176	+
177	+ tc-export PKG_CONFIG
178	+ local sed_args=(
179	+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
180	+ # Disable PATH reset, trust what portage gives us #254615
181	+ -e 's:^PATH=/:#PATH=/:'
182	+ # Disable fortify flags ... our gcc does this for us
183	+ -e 's:-D_FORTIFY_SOURCE=2::'
184	+ )
185	+ # The -ftrapv flag ICEs on hppa #505182
186	+ use hppa && sed_args+=(
187	+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
188	+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
189	+ )
190	+ sed -i "${sed_args[@]}" configure{.ac,} \|\| die
191	+
192	+ epatch_user #473004
193	+
194	+ # Now we can build a sane merged version.h
195	+ (
196	+ sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
197	+ macros=()
198	+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
199	+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
200	+ ) > version.h
201	+
202	+ eautoreconf
203	+}
204	+
205	+src_configure() {
206	+ addwrite /dev/ptmx
207	+
208	+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
209	+ use static && append-ldflags -static
210	+
211	+ local myconf=(
212	+ --with-ldflags="${LDFLAGS}"
213	+ --disable-strip
214	+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
215	+ --sysconfdir="${EPREFIX}"/etc/ssh
216	+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
217	+ --datadir="${EPREFIX}"/usr/share/openssh
218	+ --with-privsep-path="${EPREFIX}"/var/empty
219	+ --with-privsep-user=sshd
220	+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
221	+ # We apply the ldap patch conditionally, so can't pass --without-ldap
222	+ # unconditionally else we get unknown flag warnings.
223	+ $(use ldap && use_with ldap)
224	+ $(use_with ldns)
225	+ $(use_with libedit)
226	+ $(use_with pam)
227	+ $(use_with pie)
228	+ $(use_with sctp)
229	+ $(use_with selinux)
230	+ $(use_with skey)
231	+ $(use_with ssh1)
232	+ $(use_with ssl openssl)
233	+ $(use_with ssl md5-passwords)
234	+ $(use_with ssl ssl-engine)
235	+ )
236	+
237	+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
238	+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
239	+
240	+ econf "${myconf[@]}"
241	+}
242	+
243	+src_install() {
244	+ emake install-nokeys DESTDIR="${D}"
245	+ fperms 600 /etc/ssh/sshd_config
246	+ dobin contrib/ssh-copy-id
247	+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
248	+ newconfd "${FILESDIR}"/sshd.confd sshd
249	+ keepdir /var/empty
250	+
251	+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
252	+ if use pam ; then
253	+ sed -i \
254	+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
255	+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
256	+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
257	+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
258	+ "${ED}"/etc/ssh/sshd_config \|\| die
259	+ fi
260	+
261	+ # Gentoo tweaks to default config files
262	+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
263	+
264	+ # Allow client to pass locale environment variables #367017
265	+ AcceptEnv LANG LC_*
266	+ EOF
267	+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
268	+
269	+ # Send locale environment variables #367017
270	+ SendEnv LANG LC_*
271	+ EOF
272	+
273	+ if use livecd ; then
274	+ sed -i \
275	+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
276	+ "${ED}"/etc/ssh/sshd_config \|\| die
277	+ fi
278	+
279	+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
280	+ insinto /etc/openldap/schema/
281	+ newins openssh-lpk_openldap.schema openssh-lpk.schema
282	+ fi
283	+
284	+ doman contrib/ssh-copy-id.1
285	+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
286	+
287	+ diropts -m 0700
288	+ dodir /etc/skel/.ssh
289	+
290	+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
291	+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
292	+}
293	+
294	+src_test() {
295	+ local t tests skipped failed passed shell
296	+ tests="interop-tests compat-tests"
297	+ skipped=""
298	+ shell=$(egetshell ${UID})
299	+ if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
300	+ elog "Running the full OpenSSH testsuite"
301	+ elog "requires a usable shell for the 'portage'"
302	+ elog "user, so we will run a subset only."
303	+ skipped="${skipped} tests"
304	+ else
305	+ tests="${tests} tests"
306	+ fi
307	+ # It will also attempt to write to the homedir .ssh
308	+ local sshhome=${T}/homedir
309	+ mkdir -p "${sshhome}"/.ssh
310	+ for t in ${tests} ; do
311	+ # Some tests read from stdin ...
312	+ HOMEDIR="${sshhome}" \
313	+ emake -k -j1 ${t} </dev/null \
314	+ && passed="${passed}${t} " \
315	+ \|\| failed="${failed}${t} "
316	+ done
317	+ einfo "Passed tests: ${passed}"
318	+ ewarn "Skipped tests: ${skipped}"
319	+ if [[ -n ${failed} ]] ; then
320	+ ewarn "Failed tests: ${failed}"
321	+ die "Some tests failed: ${failed}"
322	+ else
323	+ einfo "Failed tests: ${failed}"
324	+ return 0
325	+ fi
326	+}
327	+
328	+pkg_preinst() {
329	+ enewgroup sshd 22
330	+ enewuser sshd 22 -1 /var/empty sshd
331	+}
332	+
333	+pkg_postinst() {
334	+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
335	+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
336	+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
337	+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
338	+ fi
339	+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
340	+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
341	+ fi
342	+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
343	+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
344	+ elog "Make sure to update any configs that you might have. Note that xinetd might"
345	+ elog "be an alternative for you as it supports USE=tcpd."
346	+ fi
347	+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
348	+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
349	+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
350	+ elog "adding to your sshd_config or ~/.ssh/config files:"
351	+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
352	+ elog "You should however generate new keys using rsa or ed25519."
353	+
354	+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
355	+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
356	+ elog "out of the box. If you need this, please update your sshd_config explicitly."
357	+ fi
358	+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
359	+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
360	+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
361	+ elog "and update all clients/servers that utilize them."
362	+ fi
363	+}

Gentoo Archives: gentoo-commits