[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/ - gentoo-commits

From:	Patrick McLean <chutzpah@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
Date:	Wed, 03 Aug 2016 21:06:24
Message-Id:	`1470258369.0b7038ba6edab3a037851c87160c2338314358ca.chutzpah@gentoo`

1

commit:     0b7038ba6edab3a037851c87160c2338314358ca

2

Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>

3

AuthorDate: Wed Aug  3 21:03:18 2016 +0000

4

Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>

5

CommitDate: Wed Aug  3 21:06:09 2016 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b7038ba

7

8

net-misc/openssh: Revision bump, enable the X509 patch

9

10

Package-Manager: portage-2.3.0

11

12

 net-misc/openssh/Manifest                          |   1 +

13

 .../files/openssh-7.3_p1-sctp-x509-glue.patch      |  67 +++++

14

 net-misc/openssh/openssh-7.3_p1-r1.ebuild          | 332 +++++++++++++++++++++

15

 3 files changed, 400 insertions(+)

16

17

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest

18

index f3b4f04..958961b 100644

19

--- a/net-misc/openssh/Manifest

20

+++ b/net-misc/openssh/Manifest

21

@@ -6,6 +6,7 @@ DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac8

22

 DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f

23

 DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386

24

 DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99

25

+DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4

26

 DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c

27

 DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518

28

 DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d

29

30

diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch

31

new file mode 100644

32

index 0000000..2def699

33

--- /dev/null

34

+++ b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch

35

@@ -0,0 +1,67 @@

36

+--- a/openssh-7.3_p1-sctp.patch	2016-08-03 13:10:15.733228732 -0700

37

++++ b/openssh-7.3_p1-sctp.patch	2016-08-03 13:25:53.274630002 -0700

38

+@@ -226,14 +226,6 @@

39

+  .Op Fl c Ar cipher

40

+  .Op Fl F Ar ssh_config

41

+  .Op Fl i Ar identity_file

42

+-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see

43

+- .It ServerAliveCountMax

44

+- .It StrictHostKeyChecking

45

+- .It TCPKeepAlive

46

+-+.It Transport

47

+- .It UpdateHostKeys

48

+- .It UsePrivilegedPort

49

+- .It User

50

+ @@ -224,6 +225,8 @@ and

51

+  to print debugging messages about their progress.

52

+  This is helpful in

53

+@@ -493,19 +485,11 @@

54

+  .Sh SYNOPSIS

55

+  .Nm ssh

56

+  .Bk -words

57

+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy

58

+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz

59

++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy

60

+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz

61

+  .Op Fl b Ar bind_address

62

+  .Op Fl c Ar cipher_spec

63

+  .Op Fl D Oo Ar bind_address : Oc Ns Ar port

64

+-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see

65

+- .It StreamLocalBindUnlink

66

+- .It StrictHostKeyChecking

67

+- .It TCPKeepAlive

68

+-+.It Transport

69

+- .It Tunnel

70

+- .It TunnelDevice

71

+- .It UpdateHostKeys

72

+ @@ -795,6 +796,8 @@ controls.

73

+  .Pp

74

+  .It Fl y

75

+@@ -533,18 +517,18 @@

76

+  usage(void)

77

+  {

78

+  	fprintf(stderr,

79

+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"

80

+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"

81

++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"

82

+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"

83

+  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"

84

+- "           [-F configfile] [-I pkcs11] [-i identity_file]\n"

85

+- "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"

86

++ "           [-F configfile]\n"

87

++ #ifdef USE_OPENSSL_ENGINE

88

+ @@ -608,7 +613,7 @@ main(int ac, char **av)

89

+- 	argv0 = av[0];

90

++ #  define ENGCONFIG ""

91

++ #endif

92

+

93

+-  again:

94

+--	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"

95

+-+	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT

96

+- 	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {

97

++-	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"

98

+++	while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT

99

++ 	    "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {

100

+  		switch (opt) {

101

+  		case '1':

102

+ @@ -857,6 +862,11 @@ main(int ac, char **av)

103

104

diff --git a/net-misc/openssh/openssh-7.3_p1-r1.ebuild b/net-misc/openssh/openssh-7.3_p1-r1.ebuild

105

new file mode 100644

106

index 0000000..4a4a2e0

107

--- /dev/null

108

+++ b/net-misc/openssh/openssh-7.3_p1-r1.ebuild

109

@@ -0,0 +1,332 @@

110

+# Copyright 1999-2016 Gentoo Foundation

111

+# Distributed under the terms of the GNU General Public License v2

112

+# $Id$

113

+

114

+EAPI="5"

115

+

116

+inherit eutils user flag-o-matic multilib autotools pam systemd versionator

117

+

118

+# Make it more portable between straight releases

119

+# and _p? releases.

120

+PARCH=${P/_}

121

+

122

+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"

123

+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"

124

+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"

125

+X509_VER="9.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"

126

+

127

+DESCRIPTION="Port of OpenBSD's free SSH release"

128

+HOMEPAGE="http://www.openssh.org/"

129

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

130

+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}

131

+	${HPN_PATCH:+hpn? (

132

+		mirror://gentoo/${HPN_PATCH}

133

+		mirror://sourceforge/hpnssh/${HPN_PATCH}

134

+	)}

135

+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}

136

+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

137

+	"

138

+

139

+LICENSE="BSD GPL-2"

140

+SLOT="0"

141

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

142

+# Probably want to drop ssl defaulting to on in a future version.

143

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"

144

+REQUIRED_USE="ldns? ( ssl )

145

+	pie? ( !static )

146

+	ssh1? ( ssl )

147

+	static? ( !kerberos !pam )

148

+	X509? ( !ldap ssl )"

149

+

150

+LIB_DEPEND="

151

+	ldns? (

152

+		net-libs/ldns[static-libs(+)]

153

+		!bindist? ( net-libs/ldns[ecdsa,ssl] )

154

+		bindist? ( net-libs/ldns[-ecdsa,ssl] )

155

+	)

156

+	libedit? ( dev-libs/libedit[static-libs(+)] )

157

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

158

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

159

+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )

160

+	ssl? (

161

+		!libressl? (

162

+			>=dev-libs/openssl-0.9.8f:0[bindist=]

163

+			dev-libs/openssl:0[static-libs(+)]

164

+		)

165

+		libressl? ( dev-libs/libressl[static-libs(+)] )

166

+	)

167

+	>=sys-libs/zlib-1.2.3[static-libs(+)]"

168

+RDEPEND="

169

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

170

+	pam? ( virtual/pam )

171

+	kerberos? ( virtual/krb5 )

172

+	ldap? ( net-nds/openldap )"

173

+DEPEND="${RDEPEND}

174

+	static? ( ${LIB_DEPEND} )

175

+	virtual/pkgconfig

176

+	virtual/os-headers

177

+	sys-devel/autoconf"

178

+RDEPEND="${RDEPEND}

179

+	pam? ( >=sys-auth/pambase-20081028 )

180

+	userland_GNU? ( virtual/shadow )

181

+	X? ( x11-apps/xauth )"

182

+

183

+S=${WORKDIR}/${PARCH}

184

+

185

+pkg_setup() {

186

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

187

+	# than not be able to log in to their server any more

188

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

189

+	local fail="

190

+		$(use X509 && maybe_fail X509 X509_PATCH)

191

+		$(use ldap && maybe_fail ldap LDAP_PATCH)

192

+		$(use hpn && maybe_fail hpn HPN_PATCH)

193

+	"

194

+	fail=$(echo ${fail})

195

+	if [[ -n ${fail} ]] ; then

196

+		eerror "Sorry, but this version does not yet support features"

197

+		eerror "that you requested:	 ${fail}"

198

+		eerror "Please mask ${PF} for now and check back later:"

199

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

200

+		die "booooo"

201

+	fi

202

+

203

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

204

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

205

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

206

+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

207

+	fi

208

+}

209

+

210

+save_version() {

211

+	# version.h patch conflict avoidence

212

+	mv version.h version.h.$1

213

+	cp -f version.h.pristine version.h

214

+}

215

+

216

+src_prepare() {

217

+	sed -i \

218

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

219

+		pathnames.h || die

220

+	# keep this as we need it to avoid the conflict between LPK and HPN changing

221

+	# this file.

222

+	cp version.h version.h.pristine

223

+

224

+	# don't break .ssh/authorized_keys2 for fun

225

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

226

+

227

+	if use X509 ; then

228

+		pushd .. >/dev/null

229

+		if use hpn ; then

230

+			pushd ${HPN_PATCH%.*.*} >/dev/null

231

+			epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch

232

+			popd >/dev/null

233

+		fi

234

+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch

235

+		popd >/dev/null

236

+		epatch "${WORKDIR}"/${X509_PATCH%.*}

237

+		#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch

238

+		#save_version X509

239

+	fi

240

+	if use ldap ; then

241

+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}

242

+		save_version LPK

243

+	fi

244

+	epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex

245

+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

246

+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}

247

+	if use hpn ; then

248

+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \

249

+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \

250

+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}

251

+		save_version HPN

252

+	fi

253

+

254

+	tc-export PKG_CONFIG

255

+	local sed_args=(

256

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

257

+		# Disable PATH reset, trust what portage gives us #254615

258

+		-e 's:^PATH=/:#PATH=/:'

259

+		# Disable fortify flags ... our gcc does this for us

260

+		-e 's:-D_FORTIFY_SOURCE=2::'

261

+	)

262

+	# The -ftrapv flag ICEs on hppa #505182

263

+	use hppa && sed_args+=(

264

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

265

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

266

+	)

267

+	sed -i "${sed_args[@]}" configure{.ac,} || die

268

+

269

+	epatch_user #473004

270

+

271

+	# Now we can build a sane merged version.h

272

+	(

273

+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u

274

+		macros=()

275

+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done

276

+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

277

+	) > version.h

278

+

279

+	eautoreconf

280

+}

281

+

282

+src_configure() {

283

+	addwrite /dev/ptmx

284

+

285

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

286

+	use static && append-ldflags -static

287

+

288

+	local myconf=(

289

+		--with-ldflags="${LDFLAGS}"

290

+		--disable-strip

291

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

292

+		--sysconfdir="${EPREFIX}"/etc/ssh

293

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

294

+		--datadir="${EPREFIX}"/usr/share/openssh

295

+		--with-privsep-path="${EPREFIX}"/var/empty

296

+		--with-privsep-user=sshd

297

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

298

+		# We apply the ldap patch conditionally, so can't pass --without-ldap

299

+		# unconditionally else we get unknown flag warnings.

300

+		$(use ldap && use_with ldap)

301

+		$(use_with ldns)

302

+		$(use_with libedit)

303

+		$(use_with pam)

304

+		$(use_with pie)

305

+		$(use_with sctp)

306

+		$(use_with selinux)

307

+		$(use_with skey)

308

+		$(use_with ssh1)

309

+		$(use_with ssl openssl)

310

+		$(use_with ssl md5-passwords)

311

+		$(use_with ssl ssl-engine)

312

+	)

313

+

314

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

315

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

316

+

317

+	econf "${myconf[@]}"

318

+}

319

+

320

+src_install() {

321

+	emake install-nokeys DESTDIR="${D}"

322

+	fperms 600 /etc/ssh/sshd_config

323

+	dobin contrib/ssh-copy-id

324

+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd

325

+	newconfd "${FILESDIR}"/sshd.confd sshd

326

+	keepdir /var/empty

327

+

328

+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

329

+	if use pam ; then

330

+		sed -i \

331

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

332

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

333

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

334

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

335

+			"${ED}"/etc/ssh/sshd_config || die

336

+	fi

337

+

338

+	# Gentoo tweaks to default config files

339

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

340

+

341

+	# Allow client to pass locale environment variables #367017

342

+	AcceptEnv LANG LC_*

343

+	EOF

344

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

345

+

346

+	# Send locale environment variables #367017

347

+	SendEnv LANG LC_*

348

+	EOF

349

+

350

+	if use livecd ; then

351

+		sed -i \

352

+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \

353

+			"${ED}"/etc/ssh/sshd_config || die

354

+	fi

355

+

356

+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then

357

+		insinto /etc/openldap/schema/

358

+		newins openssh-lpk_openldap.schema openssh-lpk.schema

359

+	fi

360

+

361

+	doman contrib/ssh-copy-id.1

362

+	dodoc CREDITS OVERVIEW README* TODO sshd_config

363

+	use X509 || dodoc ChangeLog

364

+

365

+	diropts -m 0700

366

+	dodir /etc/skel/.ssh

367

+

368

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

369

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

370

+}

371

+

372

+src_test() {

373

+	local t tests skipped failed passed shell

374

+	tests="interop-tests compat-tests"

375

+	skipped=""

376

+	shell=$(egetshell ${UID})

377

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

378

+		elog "Running the full OpenSSH testsuite"

379

+		elog "requires a usable shell for the 'portage'"

380

+		elog "user, so we will run a subset only."

381

+		skipped="${skipped} tests"

382

+	else

383

+		tests="${tests} tests"

384

+	fi

385

+	# It will also attempt to write to the homedir .ssh

386

+	local sshhome=${T}/homedir

387

+	mkdir -p "${sshhome}"/.ssh

388

+	for t in ${tests} ; do

389

+		# Some tests read from stdin ...

390

+		HOMEDIR="${sshhome}" \

391

+		emake -k -j1 ${t} </dev/null \

392

+			&& passed="${passed}${t} " \

393

+			|| failed="${failed}${t} "

394

+	done

395

+	einfo "Passed tests: ${passed}"

396

+	ewarn "Skipped tests: ${skipped}"

397

+	if [[ -n ${failed} ]] ; then

398

+		ewarn "Failed tests: ${failed}"

399

+		die "Some tests failed: ${failed}"

400

+	else

401

+		einfo "Failed tests: ${failed}"

402

+		return 0

403

+	fi

404

+}

405

+

406

+pkg_preinst() {

407

+	enewgroup sshd 22

408

+	enewuser sshd 22 -1 /var/empty sshd

409

+}

410

+

411

+pkg_postinst() {

412

+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then

413

+		elog "Starting with openssh-5.8p1, the server will default to a newer key"

414

+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

415

+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

416

+	fi

417

+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then

418

+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."

419

+	fi

420

+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then

421

+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

422

+		elog "Make sure to update any configs that you might have.  Note that xinetd might"

423

+		elog "be an alternative for you as it supports USE=tcpd."

424

+	fi

425

+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518

426

+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

427

+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

428

+		elog "adding to your sshd_config or ~/.ssh/config files:"

429

+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

430

+		elog "You should however generate new keys using rsa or ed25519."

431

+

432

+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"

433

+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"

434

+		elog "out of the box.  If you need this, please update your sshd_config explicitly."

435

+	fi

436

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then

437

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

438

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

439

+		elog "and update all clients/servers that utilize them."

440

+	fi

441

+}

1	commit: 0b7038ba6edab3a037851c87160c2338314358ca
2	Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
3	AuthorDate: Wed Aug 3 21:03:18 2016 +0000
4	Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5	CommitDate: Wed Aug 3 21:06:09 2016 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b7038ba
7
8	net-misc/openssh: Revision bump, enable the X509 patch
9
10	Package-Manager: portage-2.3.0
11
12	net-misc/openssh/Manifest \| 1 +
13	.../files/openssh-7.3_p1-sctp-x509-glue.patch \| 67 +++++
14	net-misc/openssh/openssh-7.3_p1-r1.ebuild \| 332 +++++++++++++++++++++
15	3 files changed, 400 insertions(+)
16
17	diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
18	index f3b4f04..958961b 100644
19	--- a/net-misc/openssh/Manifest
20	+++ b/net-misc/openssh/Manifest
21	@@ -6,6 +6,7 @@ DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac8
22	DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f
23	DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386
24	DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
25	+DIST openssh-7.3p1+x509-9.0.diff.gz 571918 SHA256 ed468fe2e6220065b2bf3e2ed9eb0c7c8183f32f50fa50d64505d5feaef2d900 SHA512 b6183f4441eb036a6e70e35290454faa67da411b60315f6d51779c187abdef377895d5ecfc4fbebac08d5a7a49ce16378b2ed208aee701337f256fd66f779dcd WHIRLPOOL 91107f0040a7d9e09340a1c67547df34c9ed2e7a61d0ca59161574d9e9db90d2a99b1f2a7fa1edf0f820db5712695287c5731cc46cc9264297b5d348d4ce53c4
26	DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
27	DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
28	DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
29
30	diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
31	new file mode 100644
32	index 0000000..2def699
33	--- /dev/null
34	+++ b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
35	@@ -0,0 +1,67 @@
36	+--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700
37	++++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700
38	+@@ -226,14 +226,6 @@
39	+ .Op Fl c Ar cipher
40	+ .Op Fl F Ar ssh_config
41	+ .Op Fl i Ar identity_file
42	+-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
43	+- .It ServerAliveCountMax
44	+- .It StrictHostKeyChecking
45	+- .It TCPKeepAlive
46	+-+.It Transport
47	+- .It UpdateHostKeys
48	+- .It UsePrivilegedPort
49	+- .It User
50	+ @@ -224,6 +225,8 @@ and
51	+ to print debugging messages about their progress.
52	+ This is helpful in
53	+@@ -493,19 +485,11 @@
54	+ .Sh SYNOPSIS
55	+ .Nm ssh
56	+ .Bk -words
57	+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
58	+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
59	++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
60	+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
61	+ .Op Fl b Ar bind_address
62	+ .Op Fl c Ar cipher_spec
63	+ .Op Fl D Oo Ar bind_address : Oc Ns Ar port
64	+-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
65	+- .It StreamLocalBindUnlink
66	+- .It StrictHostKeyChecking
67	+- .It TCPKeepAlive
68	+-+.It Transport
69	+- .It Tunnel
70	+- .It TunnelDevice
71	+- .It UpdateHostKeys
72	+ @@ -795,6 +796,8 @@ controls.
73	+ .Pp
74	+ .It Fl y
75	+@@ -533,18 +517,18 @@
76	+ usage(void)
77	+ {
78	+ fprintf(stderr,
79	+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
80	+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
81	++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
82	+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
83	+ " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
84	+- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
85	+- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
86	++ " [-F configfile]\n"
87	++ #ifdef USE_OPENSSL_ENGINE
88	+ @@ -608,7 +613,7 @@ main(int ac, char **av)
89	+- argv0 = av[0];
90	++ # define ENGCONFIG ""
91	++ #endif
92	+
93	+- again:
94	+-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
95	+-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
96	+- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
97	++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
98	+++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
99	++ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
100	+ switch (opt) {
101	+ case '1':
102	+ @@ -857,6 +862,11 @@ main(int ac, char **av)
103
104	diff --git a/net-misc/openssh/openssh-7.3_p1-r1.ebuild b/net-misc/openssh/openssh-7.3_p1-r1.ebuild
105	new file mode 100644
106	index 0000000..4a4a2e0
107	--- /dev/null
108	+++ b/net-misc/openssh/openssh-7.3_p1-r1.ebuild
109	@@ -0,0 +1,332 @@
110	+# Copyright 1999-2016 Gentoo Foundation
111	+# Distributed under the terms of the GNU General Public License v2
112	+# $Id$
113	+
114	+EAPI="5"
115	+
116	+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
117	+
118	+# Make it more portable between straight releases
119	+# and _p? releases.
120	+PARCH=${P/_}
121	+
122	+#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
123	+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
124	+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
125	+X509_VER="9.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
126	+
127	+DESCRIPTION="Port of OpenBSD's free SSH release"
128	+HOMEPAGE="http://www.openssh.org/"
129	+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
130	+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
131	+ ${HPN_PATCH:+hpn? (
132	+ mirror://gentoo/${HPN_PATCH}
133	+ mirror://sourceforge/hpnssh/${HPN_PATCH}
134	+ )}
135	+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
136	+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
137	+ "
138	+
139	+LICENSE="BSD GPL-2"
140	+SLOT="0"
141	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
142	+# Probably want to drop ssl defaulting to on in a future version.
143	+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static X X509"
144	+REQUIRED_USE="ldns? ( ssl )
145	+ pie? ( !static )
146	+ ssh1? ( ssl )
147	+ static? ( !kerberos !pam )
148	+ X509? ( !ldap ssl )"
149	+
150	+LIB_DEPEND="
151	+ ldns? (
152	+ net-libs/ldns[static-libs(+)]
153	+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
154	+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
155	+ )
156	+ libedit? ( dev-libs/libedit[static-libs(+)] )
157	+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
158	+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
159	+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
160	+ ssl? (
161	+ !libressl? (
162	+ >=dev-libs/openssl-0.9.8f:0[bindist=]
163	+ dev-libs/openssl:0[static-libs(+)]
164	+ )
165	+ libressl? ( dev-libs/libressl[static-libs(+)] )
166	+ )
167	+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
168	+RDEPEND="
169	+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
170	+ pam? ( virtual/pam )
171	+ kerberos? ( virtual/krb5 )
172	+ ldap? ( net-nds/openldap )"
173	+DEPEND="${RDEPEND}
174	+ static? ( ${LIB_DEPEND} )
175	+ virtual/pkgconfig
176	+ virtual/os-headers
177	+ sys-devel/autoconf"
178	+RDEPEND="${RDEPEND}
179	+ pam? ( >=sys-auth/pambase-20081028 )
180	+ userland_GNU? ( virtual/shadow )
181	+ X? ( x11-apps/xauth )"
182	+
183	+S=${WORKDIR}/${PARCH}
184	+
185	+pkg_setup() {
186	+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
187	+ # than not be able to log in to their server any more
188	+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
189	+ local fail="
190	+ $(use X509 && maybe_fail X509 X509_PATCH)
191	+ $(use ldap && maybe_fail ldap LDAP_PATCH)
192	+ $(use hpn && maybe_fail hpn HPN_PATCH)
193	+ "
194	+ fail=$(echo ${fail})
195	+ if [[ -n ${fail} ]] ; then
196	+ eerror "Sorry, but this version does not yet support features"
197	+ eerror "that you requested: ${fail}"
198	+ eerror "Please mask ${PF} for now and check back later:"
199	+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
200	+ die "booooo"
201	+ fi
202	+
203	+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
204	+ if grep -qs '^ sshd :' "${EROOT}"/etc/hosts.{allow,deny} ; then
205	+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
206	+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
207	+ fi
208	+}
209	+
210	+save_version() {
211	+ # version.h patch conflict avoidence
212	+ mv version.h version.h.$1
213	+ cp -f version.h.pristine version.h
214	+}
215	+
216	+src_prepare() {
217	+ sed -i \
218	+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
219	+ pathnames.h \|\| die
220	+ # keep this as we need it to avoid the conflict between LPK and HPN changing
221	+ # this file.
222	+ cp version.h version.h.pristine
223	+
224	+ # don't break .ssh/authorized_keys2 for fun
225	+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
226	+
227	+ if use X509 ; then
228	+ pushd .. >/dev/null
229	+ if use hpn ; then
230	+ pushd ${HPN_PATCH%..} >/dev/null
231	+ epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
232	+ popd >/dev/null
233	+ fi
234	+ epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
235	+ popd >/dev/null
236	+ epatch "${WORKDIR}"/${X509_PATCH%.*}
237	+ #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
238	+ #save_version X509
239	+ fi
240	+ if use ldap ; then
241	+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
242	+ save_version LPK
243	+ fi
244	+ epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
245	+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
246	+ epatch "${WORKDIR}"/${SCTP_PATCH%.*}
247	+ if use hpn ; then
248	+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
249	+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
250	+ epatch "${WORKDIR}"/${HPN_PATCH%..}
251	+ save_version HPN
252	+ fi
253	+
254	+ tc-export PKG_CONFIG
255	+ local sed_args=(
256	+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
257	+ # Disable PATH reset, trust what portage gives us #254615
258	+ -e 's:^PATH=/:#PATH=/:'
259	+ # Disable fortify flags ... our gcc does this for us
260	+ -e 's:-D_FORTIFY_SOURCE=2::'
261	+ )
262	+ # The -ftrapv flag ICEs on hppa #505182
263	+ use hppa && sed_args+=(
264	+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
265	+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
266	+ )
267	+ sed -i "${sed_args[@]}" configure{.ac,} \|\| die
268	+
269	+ epatch_user #473004
270	+
271	+ # Now we can build a sane merged version.h
272	+ (
273	+ sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
274	+ macros=()
275	+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
276	+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
277	+ ) > version.h
278	+
279	+ eautoreconf
280	+}
281	+
282	+src_configure() {
283	+ addwrite /dev/ptmx
284	+
285	+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
286	+ use static && append-ldflags -static
287	+
288	+ local myconf=(
289	+ --with-ldflags="${LDFLAGS}"
290	+ --disable-strip
291	+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
292	+ --sysconfdir="${EPREFIX}"/etc/ssh
293	+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
294	+ --datadir="${EPREFIX}"/usr/share/openssh
295	+ --with-privsep-path="${EPREFIX}"/var/empty
296	+ --with-privsep-user=sshd
297	+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
298	+ # We apply the ldap patch conditionally, so can't pass --without-ldap
299	+ # unconditionally else we get unknown flag warnings.
300	+ $(use ldap && use_with ldap)
301	+ $(use_with ldns)
302	+ $(use_with libedit)
303	+ $(use_with pam)
304	+ $(use_with pie)
305	+ $(use_with sctp)
306	+ $(use_with selinux)
307	+ $(use_with skey)
308	+ $(use_with ssh1)
309	+ $(use_with ssl openssl)
310	+ $(use_with ssl md5-passwords)
311	+ $(use_with ssl ssl-engine)
312	+ )
313	+
314	+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
315	+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
316	+
317	+ econf "${myconf[@]}"
318	+}
319	+
320	+src_install() {
321	+ emake install-nokeys DESTDIR="${D}"
322	+ fperms 600 /etc/ssh/sshd_config
323	+ dobin contrib/ssh-copy-id
324	+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
325	+ newconfd "${FILESDIR}"/sshd.confd sshd
326	+ keepdir /var/empty
327	+
328	+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
329	+ if use pam ; then
330	+ sed -i \
331	+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
332	+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
333	+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
334	+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
335	+ "${ED}"/etc/ssh/sshd_config \|\| die
336	+ fi
337	+
338	+ # Gentoo tweaks to default config files
339	+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
340	+
341	+ # Allow client to pass locale environment variables #367017
342	+ AcceptEnv LANG LC_*
343	+ EOF
344	+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
345	+
346	+ # Send locale environment variables #367017
347	+ SendEnv LANG LC_*
348	+ EOF
349	+
350	+ if use livecd ; then
351	+ sed -i \
352	+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
353	+ "${ED}"/etc/ssh/sshd_config \|\| die
354	+ fi
355	+
356	+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
357	+ insinto /etc/openldap/schema/
358	+ newins openssh-lpk_openldap.schema openssh-lpk.schema
359	+ fi
360	+
361	+ doman contrib/ssh-copy-id.1
362	+ dodoc CREDITS OVERVIEW README* TODO sshd_config
363	+ use X509 \|\| dodoc ChangeLog
364	+
365	+ diropts -m 0700
366	+ dodir /etc/skel/.ssh
367	+
368	+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
369	+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
370	+}
371	+
372	+src_test() {
373	+ local t tests skipped failed passed shell
374	+ tests="interop-tests compat-tests"
375	+ skipped=""
376	+ shell=$(egetshell ${UID})
377	+ if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
378	+ elog "Running the full OpenSSH testsuite"
379	+ elog "requires a usable shell for the 'portage'"
380	+ elog "user, so we will run a subset only."
381	+ skipped="${skipped} tests"
382	+ else
383	+ tests="${tests} tests"
384	+ fi
385	+ # It will also attempt to write to the homedir .ssh
386	+ local sshhome=${T}/homedir
387	+ mkdir -p "${sshhome}"/.ssh
388	+ for t in ${tests} ; do
389	+ # Some tests read from stdin ...
390	+ HOMEDIR="${sshhome}" \
391	+ emake -k -j1 ${t} </dev/null \
392	+ && passed="${passed}${t} " \
393	+ \|\| failed="${failed}${t} "
394	+ done
395	+ einfo "Passed tests: ${passed}"
396	+ ewarn "Skipped tests: ${skipped}"
397	+ if [[ -n ${failed} ]] ; then
398	+ ewarn "Failed tests: ${failed}"
399	+ die "Some tests failed: ${failed}"
400	+ else
401	+ einfo "Failed tests: ${failed}"
402	+ return 0
403	+ fi
404	+}
405	+
406	+pkg_preinst() {
407	+ enewgroup sshd 22
408	+ enewuser sshd 22 -1 /var/empty sshd
409	+}
410	+
411	+pkg_postinst() {
412	+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
413	+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
414	+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
415	+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
416	+ fi
417	+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
418	+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
419	+ fi
420	+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
421	+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
422	+ elog "Make sure to update any configs that you might have. Note that xinetd might"
423	+ elog "be an alternative for you as it supports USE=tcpd."
424	+ fi
425	+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
426	+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
427	+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
428	+ elog "adding to your sshd_config or ~/.ssh/config files:"
429	+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
430	+ elog "You should however generate new keys using rsa or ed25519."
431	+
432	+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
433	+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
434	+ elog "out of the box. If you need this, please update your sshd_config explicitly."
435	+ fi
436	+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
437	+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
438	+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
439	+ elog "and update all clients/servers that utilize them."
440	+ fi
441	+}

Gentoo Archives: gentoo-commits