From 186fd9b27ea1a0937877781b489aec6b31ddf541 Mon Sep 17 00:00:00 2001 From: Patrik Gornicz Date: Tue, 22 May 2012 21:41:03 -0400 Subject: [PATCH] added openssh-5.9_p1-r4 ebuild --- .../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch | 127 ++++++++++ .../openssh/files/openssh-5.2p1-ldap-stdargs.diff | 10 + .../files/openssh-5.6_p1-hpn-progressmeter.patch | 15 ++ .../files/openssh-5.8_p1-x509-hpn-glue.patch | 61 +++++ .../files/openssh-5.9_p1-drop-openssl-check.patch | 25 ++ .../openssh-5.9_p1-sshd-gssapi-multihomed.patch | 184 ++++++++++++++ .../openssh/files/openssh-5.9_p1-x509-glue.patch | 15 ++ net-misc/openssh/files/sshd.confd | 21 ++ net-misc/openssh/files/sshd.pam_include.2 | 4 + net-misc/openssh/files/sshd.rc6.3 | 85 +++++++ net-misc/openssh/files/sshd.service | 10 + net-misc/openssh/files/sshd.socket | 10 + net-misc/openssh/files/sshd_at.service | 8 + net-misc/openssh/metadata.xml | 29 +++ net-misc/openssh/openssh-5.9_p1-r4.ebuild | 279 +++++++++++++++++++++ 15 files changed, 883 insertions(+) create mode 100644 net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch create mode 100644 net-misc/openssh/files/openssh-5.2p1-ldap-stdargs.diff create mode 100644 net-misc/openssh/files/openssh-5.6_p1-hpn-progressmeter.patch create mode 100644 net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch create mode 100644 net-misc/openssh/files/openssh-5.9_p1-drop-openssl-check.patch create mode 100644 net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch create mode 100644 net-misc/openssh/files/openssh-5.9_p1-x509-glue.patch create mode 100644 net-misc/openssh/files/sshd.confd create mode 100644 net-misc/openssh/files/sshd.pam_include.2 create mode 100755 net-misc/openssh/files/sshd.rc6.3 create mode 100644 net-misc/openssh/files/sshd.service create mode 100644 net-misc/openssh/files/sshd.socket create mode 100644 net-misc/openssh/files/sshd_at.service create mode 100644 net-misc/openssh/metadata.xml create mode 100644 net-misc/openssh/openssh-5.9_p1-r4.ebuild diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch new file mode 100644 index 0000000..c81ae5c --- /dev/null +++ b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch @@ -0,0 +1,127 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +Index: readconf.c +=================================================================== +RCS file: /cvs/openssh/readconf.c,v +retrieving revision 1.135 +diff -u -r1.135 readconf.c +--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 ++++ readconf.c 19 Aug 2006 11:59:52 -0000 +@@ -126,6 +126,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, +@@ -163,9 +164,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -444,6 +447,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1010,6 +1017,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1100,6 +1108,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +Index: readconf.h +=================================================================== +RCS file: /cvs/openssh/readconf.h,v +retrieving revision 1.63 +diff -u -r1.63 readconf.h +--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63 ++++ readconf.h 19 Aug 2006 11:59:52 -0000 +@@ -45,6 +45,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +Index: ssh_config.5 +=================================================================== +RCS file: /cvs/openssh/ssh_config.5,v +retrieving revision 1.97 +diff -u -r1.97 ssh_config.5 +--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97 ++++ ssh_config.5 19 Aug 2006 11:59:53 -0000 +@@ -483,7 +483,16 @@ + Forward (delegate) credentials to the server. + The default is + .Dq no . +-Note that this option applies to protocol version 2 only. ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +Index: sshconnect2.c +=================================================================== +RCS file: /cvs/openssh/sshconnect2.c,v +retrieving revision 1.151 +diff -u -r1.151 sshconnect2.c +--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 ++++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 +@@ -499,6 +499,12 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) ++ gss_host = get_canonical_hostname(1); ++ else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -511,7 +517,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; diff --git a/net-misc/openssh/files/openssh-5.2p1-ldap-stdargs.diff b/net-misc/openssh/files/openssh-5.2p1-ldap-stdargs.diff new file mode 100644 index 0000000..346d527 --- /dev/null +++ b/net-misc/openssh/files/openssh-5.2p1-ldap-stdargs.diff @@ -0,0 +1,10 @@ +--- ldapauth.c.orig 2009-04-18 18:06:38.000000000 +0200 ++++ ldapauth.c 2009-04-18 18:06:11.000000000 +0200 +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include "ldapauth.h" + #include "log.h" diff --git a/net-misc/openssh/files/openssh-5.6_p1-hpn-progressmeter.patch b/net-misc/openssh/files/openssh-5.6_p1-hpn-progressmeter.patch new file mode 100644 index 0000000..5fe18df --- /dev/null +++ b/net-misc/openssh/files/openssh-5.6_p1-hpn-progressmeter.patch @@ -0,0 +1,15 @@ +don't go reading random stack values + +already e-mailed to upstream hpn devs + +--- progressmeter.c ++++ progressmeter.c +@@ -183,7 +183,7 @@ + else + percent = 100; + +- snprintf(buf + strlen(buf), win_size - strlen(buf-8), ++ snprintf(buf + strlen(buf), win_size - strlen(buf) - 8, + " %3d%% ", percent); + + /* amount transferred */ diff --git a/net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch b/net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch new file mode 100644 index 0000000..74d06c7 --- /dev/null +++ b/net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch @@ -0,0 +1,61 @@ +Move things around so hpn applies cleanly when using X509. + +--- a/Makefile.in ++++ b/Makefile.in +@@ -46,12 +46,13 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + SSHLIBS=@SSHLIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- a/servconf.c ++++ b/servconf.c +@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options) + options->zero_knowledge_password_authentication = -1; + options->revoked_keys_file = NULL; + options->trusted_user_ca_keys = NULL; +- options->authorized_principals_file = NULL; +- options->ip_qos_interactive = -1; +- options->ip_qos_bulk = -1; + + options->hostbased_algorithms = NULL; + options->pubkey_algorithms = NULL; +@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options) + options->va.certificate_file = NULL; + options->va.responder_url = NULL; + #endif /*def SSH_OCSP_ENABLED*/ ++ options->authorized_principals_file = NULL; ++ options->ip_qos_interactive = -1; ++ options->ip_qos_bulk = -1; + } + + void +@@ -367,9 +367,6 @@ typedef enum { + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, +- sZeroKnowledgePasswordAuthentication, sHostCertificate, +- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +- sKexAlgorithms, sIPQoS, + sHostbasedAlgorithms, + sPubkeyAlgorithms, + sX509KeyAlgorithm, +@@ -380,6 +377,9 @@ typedef enum { + sCAldapVersion, sCAldapURL, + sVAType, sVACertificateFile, + sVAOCSPResponderURL, ++ sZeroKnowledgePasswordAuthentication, sHostCertificate, ++ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, ++ sKexAlgorithms, sIPQoS, + sDeprecated, sUnsupported + } ServerOpCodes; + diff --git a/net-misc/openssh/files/openssh-5.9_p1-drop-openssl-check.patch b/net-misc/openssh/files/openssh-5.9_p1-drop-openssl-check.patch new file mode 100644 index 0000000..eb621ab --- /dev/null +++ b/net-misc/openssh/files/openssh-5.9_p1-drop-openssl-check.patch @@ -0,0 +1,25 @@ +newer versions of openssl have started to be compatible across minor versions +too, so this sanity check fails. since we already handle compatibility with +openssl via SONAME checks, we don't need this openssh check at all. + +http://marc.info/?l=openssl-dev&m=133176786215023&w=2 + +--- a/entropy.c ++++ b/entropy.c +@@ -208,16 +208,7 @@ seed_rng(void) + { + #ifndef OPENSSL_PRNG_ONLY + unsigned char buf[RANDOM_SEED_SIZE]; +-#endif +- /* +- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status +- * We match major, minor, fix and status (not patch) +- */ +- if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) +- fatal("OpenSSL version mismatch. Built against %lx, you " +- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); + +-#ifndef OPENSSL_PRNG_ONLY + if (RAND_status() == 1) { + debug3("RNG is ready, skipping seeding"); + return; diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch new file mode 100644 index 0000000..6377d03 --- /dev/null +++ b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch @@ -0,0 +1,184 @@ +Index: gss-serv.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v +retrieving revision 1.22 +diff -u -p -r1.22 gss-serv.c +--- gss-serv.c 8 May 2008 12:02:23 -0000 1.22 ++++ gss-serv.c 11 Jan 2010 05:38:29 -0000 +@@ -41,9 +41,12 @@ + #include "channels.h" + #include "session.h" + #include "misc.h" ++#include "servconf.h" + + #include "ssh-gss.h" + ++extern ServerOptions options; ++ + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; +@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + char lname[MAXHOSTNAMELEN]; + gss_OID_set oidset; + +- gss_create_empty_oid_set(&status, &oidset); +- gss_add_oid_set_member(&status, ctx->oid, &oidset); +- +- if (gethostname(lname, MAXHOSTNAMELEN)) { +- gss_release_oid_set(&status, &oidset); +- return (-1); +- } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ ++ if (gethostname(lname, MAXHOSTNAMELEN)) { ++ gss_release_oid_set(&status, &oidset); ++ return (-1); ++ } ++ ++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { ++ gss_release_oid_set(&status, &oidset); ++ return (ctx->major); ++ } ++ ++ if ((ctx->major = gss_acquire_cred(&ctx->minor, ++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, ++ NULL, NULL))) ++ ssh_gssapi_error(ctx); + +- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); ++ } else { ++ ctx->name = GSS_C_NO_NAME; ++ ctx->creds = GSS_C_NO_CREDENTIAL; + } +- +- if ((ctx->major = gss_acquire_cred(&ctx->minor, +- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) +- ssh_gssapi_error(ctx); +- +- gss_release_oid_set(&status, &oidset); +- return (ctx->major); ++ return GSS_S_COMPLETE; + } + + /* Privileged */ +Index: servconf.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/servconf.c,v +retrieving revision 1.201 +diff -u -p -r1.201 servconf.c +--- servconf.c 10 Jan 2010 03:51:17 -0000 1.201 ++++ servconf.c 11 Jan 2010 05:34:56 -0000 +@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; ++ options->gss_strict_acceptor = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; ++ if (options->gss_strict_acceptor == -1) ++ options->gss_strict_acceptor = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -277,7 +280,8 @@ typedef enum { + sBanner, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, +- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sZeroKnowledgePasswordAuthentication, sHostCertificate, +@@ -327,9 +331,11 @@ static struct { + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + #endif + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, +@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions + + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; ++ goto parse_flag; ++ ++ case sGssStrictAcceptor: ++ intptr = &options->gss_strict_acceptor; + goto parse_flag; + + case sPasswordAuthentication: +Index: servconf.h +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/servconf.h,v +retrieving revision 1.89 +diff -u -p -r1.89 servconf.h +--- servconf.h 9 Jan 2010 23:04:13 -0000 1.89 ++++ servconf.h 11 Jan 2010 05:32:28 -0000 +@@ -92,6 +92,7 @@ typedef struct { + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ ++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +Index: sshd_config +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/sshd_config,v +retrieving revision 1.81 +diff -u -p -r1.81 sshd_config +--- sshd_config 8 Oct 2009 14:03:41 -0000 1.81 ++++ sshd_config 11 Jan 2010 05:32:28 -0000 +@@ -69,6 +69,7 @@ + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +Index: sshd_config.5 +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v +retrieving revision 1.116 +diff -u -p -r1.116 sshd_config.5 +--- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116 ++++ sshd_config.5 11 Jan 2010 05:37:20 -0000 +@@ -386,6 +386,21 @@ on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful public key client host authentication is allowed diff --git a/net-misc/openssh/files/openssh-5.9_p1-x509-glue.patch b/net-misc/openssh/files/openssh-5.9_p1-x509-glue.patch new file mode 100644 index 0000000..6fbb88b --- /dev/null +++ b/net-misc/openssh/files/openssh-5.9_p1-x509-glue.patch @@ -0,0 +1,15 @@ +make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch + +--- openssh-5.9p1+x509-7.0.diff ++++ openssh-5.9p1+x509-7.0.diff +@@ -11995,9 +11995,9 @@ + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or though authentication styles supported in + @@ -430,6 +507,16 @@ ++ This facility is provided to assist with operation on multi homed machines. + The default is + .Dq yes . +- Note that this option applies to protocol version 2 only. + +.It Cm HostbasedAlgorithms + +Specifies the protocol version 2 algorithms used in + +.Dq hostbased diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd new file mode 100644 index 0000000..28952b4 --- /dev/null +++ b/net-misc/openssh/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2 new file mode 100644 index 0000000..b801aaa --- /dev/null +++ b/net-misc/openssh/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh/files/sshd.rc6.3 b/net-misc/openssh/files/sshd.rc6.3 new file mode 100755 index 0000000..c55116e --- /dev/null +++ b/net-misc/openssh/files/sshd.rc6.3 @@ -0,0 +1,85 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.3,v 1.2 2011/09/14 21:46:19 polynomial-c Exp $ + +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +gen_key() { + local type=$1 key ks + [ $# -eq 1 ] && ks="${type}_" + key="${SSHD_CONFDIR}/ssh_host_${ks}key" + if [ ! -e "${key}" ] ; then + ebegin "Generating ${type} host key" + ssh-keygen -t ${type} -f "${key}" -N '' + eend $? || return $? + fi +} + +gen_keys() { + if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then + gen_key rsa1 "" || return 1 + fi + gen_key dsa && gen_key rsa && gen_key ecdsa + return $? +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service new file mode 100644 index 0000000..45f823a --- /dev/null +++ b/net-misc/openssh/files/sshd.service @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH server daemon +After=syslog.target network.target auditd.service + +[Service] +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket new file mode 100644 index 0000000..94b9533 --- /dev/null +++ b/net-misc/openssh/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service new file mode 100644 index 0000000..2645ad0 --- /dev/null +++ b/net-misc/openssh/files/sshd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=syslog.target auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=syslog diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml new file mode 100644 index 0000000..6bf483a --- /dev/null +++ b/net-misc/openssh/metadata.xml @@ -0,0 +1,29 @@ + + + + base-system + + robbat2@gentoo.org + LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else. + + +OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that +increasing numbers of people on the Internet are coming to rely on. Many users of telnet, +rlogin, ftp, and other such programs might not realize that their password is transmitted +across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) +to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. +Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety +of authentication methods. + +The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which +replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of +the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, +ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. + + + Enable high performance ssh + Add support for storing SSH public keys in LDAP + Enable PKCS#11 smartcard support + Adds support for X.509 certificate authentication + + diff --git a/net-misc/openssh/openssh-5.9_p1-r4.ebuild b/net-misc/openssh/openssh-5.9_p1-r4.ebuild new file mode 100644 index 0000000..1bba1af --- /dev/null +++ b/net-misc/openssh/openssh-5.9_p1-r4.ebuild @@ -0,0 +1,279 @@ +# Copyright 1999-2012 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-5.9_p1-r4.ebuild,v 1.8 2012/05/08 15:39:19 ranger Exp $ + +EAPI="2" +inherit eutils flag-o-matic multilib autotools pam systemd + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PARCH}-hpn13v11.diff.gz" +LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz" +X509_VER="7.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="as-is" +SLOT="0" +KEYWORDS="~alpha amd64 arm hppa ~ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh ~sparc x86 ~sparc-fbsd ~x86-fbsd" +IUSE="${HPN_PATCH:++}hpn kerberos ldap libedit pam selinux skey static tcpd X X509" + +RDEPEND="pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + selinux? ( >=sys-libs/libselinux-1.28 ) + skey? ( >=sys-auth/skey-1.1.5-r1 ) + ldap? ( net-nds/openldap ) + libedit? ( dev-libs/libedit ) + >=dev-libs/openssl-0.9.6d + >=sys-libs/zlib-1.2.3 + tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) + X? ( x11-apps/xauth ) + userland_GNU? ( virtual/shadow )" +DEPEND="${RDEPEND} + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi +} + +src_prepare() { + sed -i \ + -e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + epatch "${FILESDIR}"/${PN}-5.9_p1-drop-openssl-check.patch + epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361 + if use X509 ; then + pushd .. >/dev/null + epatch "${FILESDIR}"/${PN}-5.9_p1-x509-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-5.8_p1-x509-hpn-glue.patch + fi + if ! use X509 ; then + if [[ -n ${LDAP_PATCH} ]] && use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + #epatch "${FILESDIR}"/${PN}-5.2p1-ldap-stdargs.diff #266654 - merged + # version.h patch conflict avoidence + mv version.h version.h.lpk + cp -f version.h.pristine version.h + fi + else + use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP" + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + if [[ -n ${HPN_PATCH} ]] && use hpn; then + epatch "${WORKDIR}"/${HPN_PATCH%.*} + epatch "${FILESDIR}"/${PN}-5.6_p1-hpn-progressmeter.patch + # version.h patch conflict avoidence + mv version.h version.h.hpn + cp -f version.h.pristine version.h + # The AES-CTR multithreaded variant is broken, and causes random hangs + # when combined background threading and control sockets. To avoid + # this, we change the internal table to use the non-multithread version + # for the meantime. Do NOT remove this in new versions. See bug #354113 + # comment #6 for testcase. + # Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/ + ## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode + ## cipher. Be aware that if the client process is forked using the -f command line + ## option the process will hang as the parent thread gets 'divorced' from the key + ## generation threads. This issue will be resolved as soon as possible + sed -i \ + -e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \ + cipher.c || die + fi + + sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die + + # Disable PATH reset, trust what portage gives us. bug 254615 + sed -i -e 's:^PATH=/:#PATH=/:' configure || die + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s %s\n' \ + "$([ -e version.h.hpn ] && echo SSH_HPN)" \ + "$([ -e version.h.lpk ] && echo SSH_LPK)" + ) > version.h + + eautoreconf +} + +static_use_with() { + local flag=$1 + if use static && use ${flag} ; then + ewarn "Disabling '${flag}' support because of USE='static'" + # rebuild args so that we invert the first one (USE flag) + # but otherwise leave everything else working so we can + # just leverage use_with + shift + [[ -z $1 ]] && flag="${flag} ${flag}" + set -- !${flag} "$@" + fi + use_with "$@" +} + +src_configure() { + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys #skey configure code triggers this + + use static && append-ldflags -static + + econf \ + --with-ldflags="${LDFLAGS}" \ + --disable-strip \ + --sysconfdir=/etc/ssh \ + --libexecdir=/usr/$(get_libdir)/misc \ + --datadir=/usr/share/openssh \ + --with-privsep-path=/var/empty \ + --with-privsep-user=sshd \ + --with-md5-passwords \ + --with-ssl-engine \ + $(static_use_with pam) \ + $(static_use_with kerberos kerberos5 /usr) \ + ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \ + $(use_with libedit) \ + $(use_with selinux) \ + $(use_with skey) \ + $(use_with tcpd tcp-wrappers) +} + +src_install() { + emake install-nokeys DESTDIR="${D}" || die + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id || die + newinitd "${FILESDIR}"/sshd.rc6.3 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + # not all openssl installs support ecc, or are functional #352645 + if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then + elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support" + dosed 's:&& gen_key ecdsa::' /etc/init.d/sshd || die + fi + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${D}"/etc/ssh/sshd_config || die "sed of configuration file failed" + fi + + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + keepdir /var/empty/dev + fi + + if use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} || die + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' || die +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t}