mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-10-02 19:11:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1251 from kinvolk/dongsu/openssh-8.7

Browse Source 
net-misc/openssh: update to 8.7_p1-r1
This commit is contained in:
Dongsu Park 2021-09-03 15:09:00 +02:00 committed by GitHub
commit 0e27b92071
26 changed files with 339 additions and 3483 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest vendored
View File

@ -1,19 +1,6 @@
DIST openssh-8.4p1+x509-12.6.diff.gz 857479 BLAKE2B ac8c3e8c1087ca571e5459c9826903410ff2d45de60151d9bd8e59da15805b75752f8f3ffc231c9f8aaa8f2b2c07a97a8296684f885e0d14b54ff5d7bc585588 SHA512 e56516b376ecc3e5464895744ce0616cf4446a891fbd3cbcb090d5f61ebc349d74f9c01e855ccd22e574dbfeec0cb2ba7daf582983010ff991243a6371cc5fe3
DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380
DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
DIST openssh-8.5p1+x509-13.0.1.diff.gz 997005 BLAKE2B b6cdc9ba12dc642c7073463fb8b153a32019e8bc4c1778c2371d89cdc8d9b43e86523d0c03ebeeafa7004a16ad46dfbc18b338bf95f46101d8865709d45aa6b0 SHA512 b0247885d3a0718eb4df123c552f9e95ad9ffd55f96189aca35006c23d76ec76b28420cac4d7b2167c07f2e0a0652edfa20c2ce60aea3f7607a1e747f836ff91
DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c
DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b
DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be
DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd
DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb
DIST openssh-8_4_P1-hpn-AES-CTR-15.1.diff 29966 BLAKE2B 79dea4e16ffdda329131eb48a3c3dd40e167e5c6fa4dd2beb6c67e7e4f17a45c6645e84dcdc97baae90215a802cd1d723dfd88c981b1db826f61fca0a4e92ae1 SHA512 cdb7aa5737a1527d83ffa747d17ae997a64b7bc16e198d0721b690e5932446d30ba4129c122be2a457f261be7a11d944ef49ba2450ce90f552daab508b0c980b
DIST openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 51327 BLAKE2B 6879df5bfb4c07c44b41620bd49433591711edb08ad6b5c09af8a5f754ca09f3ff6a066ffac3210fdad6dee47710221dca0a3dc47b919498ec6939b42a073418 SHA512 1e6471e88783acf764186577a767ea7c2071bcab1b803c18288f70166d87471703b332dae3bdcaf4318039089caebfba46e5b6da218912eff1103bd03d736a60
DIST openssh-8_4_P1-hpn-PeakTput-15.1.diff 2429 BLAKE2B fc2140f4036ef57b7093696680b6e157c78bb431af9bc9e75f223c2b13693f0ec2ad214fbf6b2ba0059cbf3690a93235559f07b46dabd056d65ae1fc9d7418f0 SHA512 99801a743da8f108dcf883bc216f2abd3fc3071617566b83eb07b6627ed657cccf0ea93ea2a70eff1050a34a0e635e732665c5583e8aa35968fdeb839f837b63
DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540
DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914

13
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch vendored
View File

@ -1,13 +0,0 @@
diff --git a/kex.c b/kex.c
index 34808b5c..88d7ccac 100644
--- a/kex.c
+++ b/kex.c
@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));

359
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch vendored
View File

@ -1,359 +0,0 @@
diff --git a/auth.c b/auth.c
index 086b8ebb..a267353c 100644
--- a/auth.c
+++ b/auth.c
@@ -724,120 +724,6 @@ fakepw(void)
return (&fake);
}
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-
-static char *
-remote_hostname(struct ssh *ssh)
-{
- struct sockaddr_storage from;
- socklen_t fromlen;
- struct addrinfo hints, *ai, *aitop;
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
- const char *ntop = ssh_remote_ipaddr(ssh);
-
- /* Get IP address of client. */
- fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) == -1) {
- debug("getpeername failed: %.100s", strerror(errno));
- return xstrdup(ntop);
- }
-
- ipv64_normalise_mapped(&from, &fromlen);
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
-
- debug3("Trying to reverse map address %.100s.", ntop);
- /* Map the IP address to a host name. */
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
- return xstrdup(ntop);
- }
-
- /*
- * if reverse lookup result looks like a numeric hostname,
- * someone is trying to trick us by PTR record like following:
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
- name, ntop);
- freeaddrinfo(ai);
- return xstrdup(ntop);
- }
-
- /* Names are stored in lowercase. */
- lowercase(name);
-
- /*
- * Map it back to an IP address and check that the given
- * address actually is an address of this host. This is
- * necessary because anyone with access to a name server can
- * define arbitrary names for an IP address. Mapping from
- * name to IP address can be trusted better (but can still be
- * fooled if the intruder has access to the name server of
- * the domain).
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = from.ss_family;
- hints.ai_socktype = SOCK_STREAM;
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
- logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed.", name, ntop);
- return xstrdup(ntop);
- }
- /* Look for the address from the list of addresses. */
- for (ai = aitop; ai; ai = ai->ai_next) {
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
- (strcmp(ntop, ntop2) == 0))
- break;
- }
- freeaddrinfo(aitop);
- /* If we reached the end of the list, the address was not there. */
- if (ai == NULL) {
- /* Address not found for the host name. */
- logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address.", ntop, name);
- return xstrdup(ntop);
- }
- return xstrdup(name);
-}
-
-/*
- * Return the canonical name of the host in the other side of the current
- * connection. The host name is cached, so it is efficient to call this
- * several times.
- */
-
-const char *
-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-{
- static char *dnsname;
-
- if (!use_dns)
- return ssh_remote_ipaddr(ssh);
- else if (dnsname != NULL)
- return dnsname;
- else {
- dnsname = remote_hostname(ssh);
- return dnsname;
- }
-}
-
/*
* Runs command in a subprocess with a minimal environment.
* Returns pid on success, 0 on failure.
diff --git a/canohost.c b/canohost.c
index abea9c6e..4f4524d2 100644
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
}
+
+/*
+ * Returns the remote DNS hostname as a string. The returned string must not
+ * be freed. NB. this will usually trigger a DNS query the first time it is
+ * called.
+ * This function does additional checks on the hostname to mitigate some
+ * attacks on legacy rhosts-style authentication.
+ * XXX is RhostsRSAAuthentication vulnerable to these?
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+ */
+
+static char *
+remote_hostname(struct ssh *ssh)
+{
+ struct sockaddr_storage from;
+ socklen_t fromlen;
+ struct addrinfo hints, *ai, *aitop;
+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+ const char *ntop = ssh_remote_ipaddr(ssh);
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) < 0) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
+ if (from.ss_family == AF_INET6)
+ fromlen = sizeof(struct sockaddr_in6);
+
+ debug3("Trying to reverse map address %.100s.", ntop);
+ /* Map the IP address to a host name. */
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
+ return strdup(ntop);
+ }
+
+ /*
+ * if reverse lookup result looks like a numeric hostname,
+ * someone is trying to trick us by PTR record like following:
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return strdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
+ lowercase(name);
+
+ /*
+ * Map it back to an IP address and check that the given
+ * address actually is an address of this host. This is
+ * necessary because anyone with access to a name server can
+ * define arbitrary names for an IP address. Mapping from
+ * name to IP address can be trusted better (but can still be
+ * fooled if the intruder has access to the name server of
+ * the domain).
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = from.ss_family;
+ hints.ai_socktype = SOCK_STREAM;
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
+ return strdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+ (strcmp(ntop, ntop2) == 0))
+ break;
+ }
+ freeaddrinfo(aitop);
+ /* If we reached the end of the list, the address was not there. */
+ if (ai == NULL) {
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
+ return strdup(ntop);
+ }
+ return strdup(name);
+}
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection. The host name is cached, so it is efficient to call this
+ * several times.
+ */
+
+const char *
+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+{
+ static char *dnsname;
+
+ if (!use_dns)
+ return ssh_remote_ipaddr(ssh);
+ else if (dnsname != NULL)
+ return dnsname;
+ else {
+ dnsname = remote_hostname(ssh);
+ return dnsname;
+ }
+}
diff --git a/readconf.c b/readconf.c
index f3cac6b3..adfd7a4e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -205,9 +206,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
# else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
@@ -1033,6 +1036,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1912,6 +1919,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -2061,6 +2069,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index feedb3d2..c7139c1b 100644
--- a/readconf.h
+++ b/readconf.h
@@ -42,6 +42,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
index 06a32d31..6871ff36 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -770,6 +770,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
index af00fb30..652463c5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(ssh, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
- mech, authctxt->host)) {
+ mech, gss_host)) {
ok = 1; /* Mechanism works */
} else {
authctxt->mech_tried++;

13
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch vendored
View File

@ -1,13 +0,0 @@
diff --git a/Makefile.in b/Makefile.in
index c9e4294d..2dbfac24 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -44,7 +44,7 @@ CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
CFLAGS_NOPIE=@CFLAGS_NOPIE@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@
PICFLAG=@PICFLAG@
LIBS=@LIBS@
K5LIBS=@K5LIBS@

34
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch vendored
View File

@ -1,34 +0,0 @@
diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff
--- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700
+++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700
@@ -39348,12 +39348,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -384,6 +365,8 @@
+@@ -384,6 +365,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -103950,16 +103949,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h
---- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300
-+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.4"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4
--- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300

30
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch vendored
View File

@ -1,30 +0,0 @@
From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
From: Oleg <Fallmay@users.noreply.github.com>
Date: Thu, 1 Oct 2020 12:09:08 +0300
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
---
contrib/ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f94..a76907717 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
# the cat adds the keys we're getting via STDIN
# and if available restorecon is used to restore the SELinux context
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
@@ -258,6 +258,7 @@ installkeys_sh() {
restorecon -F .ssh ${AUTH_KEY_FILE};
fi
EOF
+ )
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"

129
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch vendored
View File

@ -1,129 +0,0 @@
diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff
--- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700
+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,7 +803,7 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
+ struct sshcipher *none = cipher_by_name("none");
int r;
@@ -901,17 +901,18 @@
}
/*
-@@ -2203,6 +2210,10 @@ fill_default_options(Options * options)
+@@ -2203,5 +2210,10 @@ fill_default_options(Options * options)
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
-
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
++
+ /* expand KEX and etc. name lists */
+ { char *all;
+ #define ASSEMBLE(what, defaults, all) \
diff --git a/readconf.h b/readconf.h
index e143a108..1383a3cd 100644
--- a/readconf.h
@@ -950,9 +951,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -679,6 +683,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700
+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700
@@ -382,7 +382,7 @@
@@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -1193,14 +1193,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index a2eca3ec..ff654fc3 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.3"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v22"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff
--- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700
+++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ buf[1] = '\0';
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+- if (win_size > 36) {
+- int file_len = win_size - 36;
++ if (win_size > 45) {
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);

94
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch vendored
View File

@ -1,94 +0,0 @@
diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700
+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700
@@ -409,18 +409,10 @@
index e7abb341..c23276d4 100644
--- a/packet.c
+++ b/packet.c
-@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -434,20 +426,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index c2544bd9..ebd85c88 100644
--- a/packet.h
@@ -481,9 +459,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -294,6 +297,8 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -114,7 +118,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -700,9 +678,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -519,6 +565,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -1081,11 +1059,11 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ }
+ }
+ #endif
- if (!authctxt.success)
- fatal("Authentication failed.");
-+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands

18
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch vendored
View File

@ -1,18 +0,0 @@
diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700
+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700
@@ -1171,14 +1171,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index a2eca3ec..ff654fc3 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.3"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v22"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN

72
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch vendored
View File

@ -1,72 +0,0 @@
--- a/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:05:14.876485231 -0700
+++ b/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:06:05.389154451 -0700
@@ -46675,12 +46675,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -380,6 +364,8 @@
+@@ -380,6 +364,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -63967,7 +63966,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
@@ -63982,7 +63981,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
verbose "$tid: kex $k"
@@ -63997,7 +63996,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
@@ -64129,9 +64128,9 @@
+# cross-project configuration
+if test "$sshd_type" = "pkix" ; then
-+ unset_arg=''
++ unset_arg=
+else
-+ unset_arg=none
++ unset_arg=
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -122247,16 +122246,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h
---- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
-+++ openssh-8.5p1+x509-13.0.1/version.h 2021-03-15 20:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.5"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4
--- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.5p1+x509-13.0.1/version.m4 2021-03-15 20:07:00.000000000 +0200

73
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch vendored
View File

@ -1,73 +0,0 @@
diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff
--- a/openssh-8.5p1+x509-13.0.diff 2021-03-03 12:26:21.021212996 -0800
+++ b/openssh-8.5p1+x509-13.0.diff 2021-03-03 18:20:06.476490271 -0800
@@ -46675,12 +46675,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -380,6 +364,8 @@
+@@ -380,6 +364,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -63967,7 +63966,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
@@ -63982,7 +63981,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
verbose "$tid: kex $k"
@@ -63997,7 +63996,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
@@ -64129,9 +64128,9 @@
+# cross-project configuration
+if test "$sshd_type" = "pkix" ; then
-+ unset_arg=''
++ unset_arg=
+else
-+ unset_arg=none
++ unset_arg=
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -122238,16 +122237,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h
---- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
-+++ openssh-8.5p1+x509-13.0/version.h 2021-03-03 19:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.5"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4
--- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.5p1+x509-13.0/version.m4 2021-03-03 19:07:00.000000000 +0200

325
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch vendored
View File

@ -1,325 +0,0 @@
diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 12:57:01.975827879 -0800
+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 18:25:21.929305944 -0800
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -894,24 +894,24 @@
intptr = &options->compression;
multistate_ptr = multistate_compression;
@@ -2062,6 +2068,7 @@ initialize_options(Options * options)
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
+ options->revoked_host_keys = NULL;
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
+ options->disable_multithreaded = -1;
}
/*
@@ -2247,6 +2254,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
index d6a15550..d2d20548 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -672,6 +676,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 19:05:28.942903961 -0800
+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 20:36:34.702362020 -0800
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c 2021-03-03 20:34:51.312051369 -0800
++++ b/auth2.c 2021-03-03 20:35:15.797888115 -0800
+@@ -229,16 +229,17 @@
+ double delay;
+
+ digest_alg = ssh_digest_maxbytes();
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
+- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++ freezero(hash, len);
++ }
+ debug3_f("user specific delay %0.3lfms", delay/1000);
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
index e4917f3c..e0db582e 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- ((c->local_window_max - c->local_window >
- c->local_maxpacket*3) ||
-+ ((ssh_packet_is_interactive(ssh) &&
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++ ((ssh_packet_is_interactive(ssh) &&
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
@@ -234,10 +264,12 @@
SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+- (r = sshpkt_send(ssh)) != 0)
+- fatal_fr(r, "channel %d", c->self);
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
++ (r = sshpkt_send(ssh)) != 0) {
++ fatal_fr(r, "channel %i", c->self);
++ }
debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -384,20 +416,38 @@
index dec8e7e9..3c11558e 100644
--- a/compat.c
+++ b/compat.c
-@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@
+ static u_int
+ compat_datafellows(const char *version)
+ {
+- int i;
++ int i, bugs = 0;
+ static struct {
+ char *pat;
+ int bugs;
+@@ -147,11 +147,19 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
-+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ if (strstr(version, "OpenSSH") != NULL) {
-+ if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
-+ debug("Remote is NON-HPN aware");
-+ }
-+ }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
}
}
+- debug("no match: %s", version);
+- return 0;
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version, "OpenSSH") != NULL) {
++ if (strstr(version, "hpn") == NULL) {
++ bugs |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++ }
++ if (bugs == 0)
++ debug("no match: %s", version);
++ return bugs;
+ }
+
+ char *
diff --git a/compat.h b/compat.h
index 66db42cc..d4e811e4 100644
--- a/compat.h
@@ -456,7 +506,7 @@
@@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -1033,19 +1083,6 @@
/* File to read commands from */
FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a12b79a5..8b839219 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error("Unable to load resident keys: %s", ssh_err(r));
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
index f34ca0d7..d7d134f7 100644
--- a/ssh.c
@@ -1091,7 +1128,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1331,6 +1368,26 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
+@@ -1625,12 +1625,13 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
+- if (ssh_digest_final(ctx, hash, len) != 0)
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
++ }
+ ssh_digest_free(ctx);
+ ctx = NULL;
+ return;
@@ -1746,6 +1753,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1401,14 +1458,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index c2f9c55b..f2e7fa80 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.4"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v1"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff
--- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 12:57:01.975827879 -0800
+++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 18:25:21.930305937 -0800
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -33,12 +33,12 @@
@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+ if (win_size > 36) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
@@ -63,15 +63,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a12b79a5..76b22338 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
--
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- if (!quiet) {
- printf("You may need to touch your authenticator "

242
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch vendored
View File

@ -1,242 +0,0 @@
diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
@@ -894,9 +894,9 @@
intptr = &options->compression;
multistate_ptr = multistate_compression;
@@ -2062,6 +2068,7 @@ initialize_options(Options * options)
- options->update_hostkeys = -1;
- options->hostbased_key_types = NULL;
- options->pubkey_key_types = NULL;
+ options->hostbased_accepted_algos = NULL;
+ options->pubkey_accepted_algos = NULL;
+ options->known_hosts_command = NULL;
+ options->disable_multithreaded = -1;
}
diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
@@ -209,7 +209,7 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
@@ -229,22 +229,19 @@
+ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+ }
if (!c->have_remote_id)
- fatal(":%s: channel %d: no remote id",
- __func__, c->self);
+ fatal_f("channel %d: no remote id", c->self);
if ((r = sshpkt_start(ssh,
SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
- fatal("%s: channel %i: %s", __func__,
- c->self, ssh_err(r));
+ fatal_fr(r, "channel %i", c->self);
}
- debug2("channel %d: window %d sent adjust %d",
- c->self, c->local_window,
-- c->local_consumed);
+ debug2("channel %d: window %d sent adjust %d", c->self,
+- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
-+ c->local_consumed + addition);
++ c->local_window, c->local_consumed + addition);
+ c->local_window += c->local_consumed + addition;
c->local_consumed = 0;
}
@@ -387,18 +384,18 @@
index dec8e7e9..3c11558e 100644
--- a/compat.c
+++ b/compat.c
-@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
- debug("match: %s pat %s compat 0x%08x",
+@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
+ debug_f("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- datafellows = check[i].bugs; /* XXX for now */
+ ssh->compat = check[i].bugs;
+ /* Check to see if the remote side is OpenSSH and not HPN */
+ if (strstr(version, "OpenSSH") != NULL) {
+ if (strstr(version, "hpn") == NULL) {
-+ datafellows |= SSH_BUG_LARGEWINDOW;
++ ssh->compat |= SSH_BUG_LARGEWINDOW;
+ debug("Remote is NON-HPN aware");
+ }
+ }
- return check[i].bugs;
+ return;
}
}
diff --git a/compat.h b/compat.h
@@ -431,9 +428,9 @@
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
{ SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
+ { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
{ -1, NULL, 0, NULL },
};
@@ -536,18 +533,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -561,20 +550,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
@@ -622,9 +597,9 @@
/* Format of the configuration file:
@@ -165,6 +166,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
oVisualHostKey,
@@ -778,9 +753,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -115,7 +119,11 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -888,9 +863,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -511,6 +564,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -1091,7 +1066,7 @@
}
+static void
-+hpn_options_init(void)
++hpn_options_init(struct ssh *ssh)
+{
+ /*
+ * We need to check to see if what they want to do about buffer
@@ -1116,7 +1091,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1186,7 +1161,7 @@
+ c->dynamic_window = 1;
+ debug("Enabled Dynamic Window Scaling");
+ }
- debug3("%s: channel_new: %d", __func__, c->self);
+ debug3_f("channel_new: %d", c->self);
channel_send_open(ssh, c->self);
@@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
@@ -1198,7 +1173,7 @@
+ * might open channels that use the hpn buffer sizes. We can't send a
+ * window of -1 (the default) to the server as it breaks things.
+ */
-+ hpn_options_init();
++ hpn_options_init(ssh);
+
/* XXX should be pre-session */
if (!options.control_persist)
@@ -1297,11 +1272,10 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
+@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1329,9 +1303,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 8aa7f3df..d0e3f1b0 100644
--- a/sshd.c
@@ -1397,9 +1371,9 @@
+ if (options.nonemac_enabled == 1)
+ debug("WARNING: None MAC enabled");
+
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
options.kex_algorithms);
- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
diff --git a/sshd_config b/sshd_config
index 19b7c91a..cdd889b2 100644
--- a/sshd_config

18
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch vendored
View File

@ -1,18 +0,0 @@
diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:29.211246123 -0800
+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:53.607089097 -0800
@@ -1401,14 +1401,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index c2f9c55b..f2e7fa80 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.4"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v1"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN

328
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch vendored
View File

@ -1,328 +0,0 @@
diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -898,20 +898,20 @@
options->fingerprint_hash = -1;
options->update_hostkeys = -1;
+ options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
+ }
+
+ /*
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
index 2fba866e..7f8f0227 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ double delay;
+
+ digest_alg = ssh_digest_maxbytes();
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
+- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++ freezero(hash, len);
++ }
+ debug3_f("user specific delay %0.3lfms", delay/1000);
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
index b60d56c4..0e363c15 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- ((c->local_window_max - c->local_window >
- c->local_maxpacket*3) ||
-+ ((ssh_packet_is_interactive(ssh) &&
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++ ((ssh_packet_is_interactive(ssh) &&
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
@@ -235,9 +265,8 @@
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
+ (r = sshpkt_send(ssh)) != 0)
+ fatal_fr(r, "channel %d", c->self);
- debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -386,21 +415,45 @@
index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
+- int i;
++ int i, bugs = 0;
+ static struct {
+ char *pat;
+ int bugs;
+@@ -147,11 +147,26 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ /* TODO: need to use new method to test for this */
+ if (strstr(version, "OpenSSH") != NULL) {
+ if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
++ bugs |= SSH_BUG_LARGEWINDOW;
+ debug("Remote is NON-HPN aware");
+ }
+ }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
}
}
+- debug("no match: %s", version);
+- return 0;
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version, "OpenSSH") != NULL) {
++ if (strstr(version, "hpn") == NULL) {
++ bugs |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++ }
++ if (bugs == 0)
++ debug("no match: %s", version);
++ return bugs;
+ }
+
+ char *
diff --git a/compat.h b/compat.h
index c197fafc..ea2e17a7 100644
--- a/compat.h
@@ -459,7 +512,7 @@
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -1035,19 +1088,6 @@
/* File to read commands from */
FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1093,7 +1133,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1335,6 +1375,28 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
+@@ -1625,13 +1625,14 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
+- if (ssh_digest_final(ctx, hash, len) != 0)
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
+- ssh_digest_free(ctx);
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
++ ssh_digest_free(ctx);
++ }
+ ctx = NULL;
+ return;
+ }
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1405,14 +1467,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ buf[1] = '\0';
+
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+- if (win_size > 36) {
++ if (win_size > 45) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
@@ -63,15 +65,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
--
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- if (!quiet) {
- printf("You may need to touch your authenticator "

104
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch vendored
View File

@ -1,104 +0,0 @@
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-15 15:10:45.680967455 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:25:14.710431930 -0700
@@ -536,18 +536,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -561,20 +553,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
@@ -598,12 +576,11 @@
};
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
int ssh_packet_set_maxsize(struct ssh *, u_int);
u_int ssh_packet_get_maxsize(struct ssh *);
+/* for forced packet rekeying post auth */
-+void packet_request_rekeying(void);
+int packet_authentication_state(const struct ssh *);
+
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +604,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -297,6 +300,9 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -778,9 +755,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -120,7 +124,11 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -842,9 +819,9 @@
/* Portable-specific options */
if (options->use_pam == -1)
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->nonemac_enabled == -1)
@@ -1330,9 +1307,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index 6277e6d6..d66fa41a 100644
--- a/sshd.c

49
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch vendored
View File

@ -1,6 +1,8 @@
--- a/auth.c 2021-03-02 04:31:47.000000000 -0600
+++ b/auth.c 2021-03-04 11:22:44.590041696 -0600
@@ -727,119 +727,6 @@ fakepw(void)
diff --git a/auth.c b/auth.c
index 00b168b4..8ee93581 100644
--- a/auth.c
+++ b/auth.c
@@ -729,118 +729,6 @@ fakepw(void)
return (&fake);
}
@ -9,9 +11,7 @@
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- * attacks on based on conflation of hostnames and IP addresses.
- */
-
-static char *
@ -117,11 +117,14 @@
- return dnsname;
- }
-}
-
/* These functions link key/cert options to the auth framework */
--- a/canohost.c 2021-03-02 04:31:47.000000000 -0600
+++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600
/* Log sshauthopt options locally and (optionally) for remote transmission */
diff --git a/canohost.c b/canohost.c
index a810da0e..18e9d8d4 100644
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
@ -241,7 +244,7 @@
+ }
+}
diff --git a/readconf.c b/readconf.c
index 724974b7..97a1ffd8 100644
index 03369a08..b45898ce 100644
--- a/readconf.c
+++ b/readconf.c
@@ -161,6 +161,7 @@ typedef enum {
@ -252,7 +255,7 @@ index 724974b7..97a1ffd8 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -206,9 +207,11 @@ static struct {
@@ -207,9 +208,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@ -264,7 +267,7 @@ index 724974b7..97a1ffd8 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
@@ -1083,6 +1086,10 @@ parse_time:
@@ -1117,6 +1120,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@ -275,15 +278,15 @@ index 724974b7..97a1ffd8 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@ -293,11 +296,11 @@ index 724974b7..97a1ffd8 100644
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index 2fba866e..da3ce87a 100644
index f7d53b06..c3a91898 100644
--- a/readconf.h
+++ b/readconf.h
@@ -42,6 +42,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
@@ -40,6 +40,7 @@ typedef struct {
int hostbased_authentication; /* ssh2's rhosts_rsa */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
@ -305,10 +308,10 @@ index 2fba866e..da3ce87a 100644
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
index f8119189..e0fd0d76 100644
index cd0eea86..27101943 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -783,6 +783,16 @@ The default is
@@ -832,6 +832,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
@ -326,10 +329,10 @@ index f8119189..e0fd0d76 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
index 059c9480..ab6f6832 100644
index fea50fab..aeff639b 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@ -343,7 +346,7 @@ index 059c9480..ab6f6832 100644
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,

35
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch vendored
View File

@ -1,11 +1,12 @@
--- a/openssh-8.6p1+x509-13.1.diff 2021-04-23 14:46:58.184683047 -0700
+++ b/openssh-8.6p1+x509-13.1.diff 2021-04-23 15:00:08.455087549 -0700
@@ -47728,12 +47728,11 @@
diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff
--- a/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:47:40.415668320 -0700
+++ b/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:49:14.916114987 -0700
@@ -51082,12 +51082,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -389,6 +366,8 @@
+@@ -389,6 +366,7 @@
-@@ -391,6 +368,8 @@
+@@ -391,6 +368,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
@ -14,7 +15,7 @@
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -65001,7 +65000,7 @@
@@ -69793,7 +69792,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
@ -23,7 +24,7 @@
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
@@ -65016,7 +65015,7 @@
@@ -69808,7 +69807,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
@ -32,7 +33,7 @@
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
verbose "$tid: kex $k"
@@ -65031,7 +65030,7 @@
@@ -69823,7 +69822,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
@ -41,7 +42,7 @@
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
@@ -65163,9 +65162,9 @@
@@ -70130,9 +70129,9 @@
+# cross-project configuration
+if test "$sshd_type" = "pkix" ; then
@ -53,20 +54,20 @@
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -124084,16 +124083,6 @@
@@ -131673,16 +131672,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h
---- openssh-8.6p1/version.h 2021-04-16 06:55:25.000000000 +0300
-+++ openssh-8.6p1+x509-13.1/version.h 2021-04-21 21:07:00.000000000 +0300
-diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h
---- openssh-8.7p1/version.h 2021-08-20 07:03:49.000000000 +0300
-+++ openssh-8.7p1+x509-13.2/version.h 2021-08-30 20:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.6"
- #define SSH_VERSION "OpenSSH_8.7"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4
--- openssh-8.6p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.6p1+x509-13.1/version.m4 2021-04-21 21:07:00.000000000 +0300
diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4
--- openssh-8.7p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.7p1+x509-13.2/version.m4 2021-08-30 20:07:00.000000000 +0300

138
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch vendored
View File

@ -1,6 +1,6 @@
diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@ -25,9 +25,14 @@ diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.
int r;
if (none == NULL) {
@@ -898,20 +898,20 @@
@@ -894,24 +894,24 @@
intptr = &options->compression;
multistate_ptr = multistate_compression;
@@ -2272,6 +2278,7 @@ initialize_options(Options * options)
- options->revoked_host_keys = NULL;
options->fingerprint_hash = -1;
options->update_hostkeys = -1;
+ options->known_hosts_command = NULL;
+ options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
@ -65,9 +70,9 @@ diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.
@@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
@ -135,7 +140,75 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
- debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -386,21 +415,45 @@
@@ -337,70 +366,92 @@
index 70f492f8..5503af1d 100644
--- a/clientloop.c
+++ b/clientloop.c
-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
- c = channel_new(ssh, "x11",
- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+ c = channel_new(ssh, "x11",
-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-+ /* again is this really necessary for X11? */
-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
+- CHANNEL_NONBLOCK_SET);
++ c = channel_new(ssh, "x11",
++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
++ /* again is this really necessary for X11? */
++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
c->force_drain = 1;
return c;
}
-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
return NULL;
}
c = channel_new(ssh, "authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-- "authentication agent connection", 1);
-+ SSH_CHANNEL_OPEN, sock, sock, -1,
-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
-+ CHAN_TCP_PACKET_DEFAULT, 0,
-+ "authentication agent connection", 1);
+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
++ SSH_CHANNEL_OPEN, sock, sock, -1,
++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
++ CHAN_TCP_PACKET_DEFAULT, 0,
++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
c->force_drain = 1;
return c;
}
-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
+- CHANNEL_NONBLOCK_SET);
++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
c->datagram = 1;
-+
-+
#if defined(SSH_TUN_FILTER)
- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
- channel_register_filter(ssh, c->self, sys_tun_infilter,
diff --git a/compat.c b/compat.c
index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
@ -187,7 +260,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
diff --git a/compat.h b/compat.h
index c197fafc..ea2e17a7 100644
--- a/compat.h
@@ -459,7 +512,7 @@
@@ -459,7 +510,7 @@
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
@ -196,7 +269,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -553,7 +606,7 @@
@@ -553,7 +604,7 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
@ -205,7 +278,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
struct session_state *state = ssh->state;
int len, r, ms_remain;
fd_set *setp;
@@ -1035,19 +1088,6 @@
@@ -1035,19 +1086,6 @@
/* Minimum amount of data to read at a time */
#define MIN_READ_SIZE 512
@ -225,7 +298,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1093,7 +1133,7 @@
@@ -1093,7 +1131,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
@ -234,7 +307,24 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1335,7 +1375,29 @@
@@ -1157,14 +1195,14 @@
}
@@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ "client-session", CHANNEL_NONBLOCK_STDIO);
+ if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
+ c->dynamic_window = 1;
+ debug("Enabled Dynamic Window Scaling");
+ }
+
- debug3_f("channel_new: %d", c->self);
+ debug2_f("channel %d", c->self);
channel_send_open(ssh, c->self);
@@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
@@ -1335,7 +1373,29 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
@ -262,19 +352,19 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
+ return;
+ }
+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
fatal("AuthorizedPrincipalsCommand set without "
"AuthorizedPrincipalsCommandUser");
@@ -1355,7 +1417,7 @@
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
@@ -1355,7 +1415,7 @@
/*
* Check whether there is any path through configured auth methods.
* Unfortunately it is not possible to verify this generally before
-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);
@@ -1365,7 +1427,7 @@
@@ -1365,7 +1425,7 @@
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
@ -283,7 +373,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
struct kex *kex;
int r;
@@ -1405,14 +1467,3 @@
@@ -1405,14 +1465,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
@ -298,9 +388,9 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */

72
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch vendored
View File

@ -1,6 +1,22 @@
diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:36:51.659996653 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:42:23.302377465 -0700
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700
@@ -1026,9 +1026,9 @@
+ }
+#endif
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
diff --git a/sshd.c b/sshd.c
index 6277e6d6..bf3d6e4a 100644
--- a/sshd.c
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700
@@ -536,18 +536,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
@ -67,6 +83,32 @@ diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/op
@@ -297,6 +300,9 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -637,9 +614,9 @@
+ { "noneenabled", oNoneEnabled },
+ { "nonemacenabled", oNoneMacEnabled },
+ { "noneswitch", oNoneSwitch },
- { "proxyusefdpass", oProxyUseFdpass },
- { "canonicaldomains", oCanonicalDomains },
- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
+ { "sessiontype", oSessionType },
+ { "stdinnull", oStdinNull },
+ { "forkafterauthentication", oForkAfterAuthentication },
@@ -317,6 +323,11 @@ static struct {
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
@@ -717,9 +694,9 @@
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->tcp_rcv_buf = -1;
- options->proxy_use_fdpass = -1;
- options->ignored_unknown = NULL;
- options->num_canonical_domains = 0;
+ options->session_type = -1;
+ options->stdin_null = -1;
+ options->fork_after_authentication = -1;
@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
@@ -778,9 +755,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@ -130,3 +172,27 @@ diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/op
diff --git a/sshd.c b/sshd.c
index 6277e6d6..d66fa41a 100644
--- a/sshd.c
@@ -1359,8 +1336,8 @@
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+ if (options.none_enabled == 1) {
+ char *old_ciphers = options.ciphers;
@@ -1375,9 +1352,9 @@
+ }
+ }
+
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
@@ -2166,6 +2186,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);

100
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r2.initd vendored Normal file
View File

@ -0,0 +1,100 @@
#!/sbin/openrc-run
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
extra_started_commands="reload"
: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
command="${SSHD_BINARY}"
pidfile="${SSHD_PIDFILE}"
command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress (bug 617596).
: ${SSHD_SSD_OPTS:=--wait 1000}
start_stop_daemon_args="${SSHD_SSD_OPTS}"
depend() {
# Entropy can be used by ssh-keygen, among other things, but
# is not strictly required (bug 470020).
use logger dns entropy
if [ "${rc_need+set}" = "set" ] ; then
: # Do nothing, the user has explicitly set rc_need
else
local x warn_addr
for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
case "${x}" in
0.0.0.0|0.0.0.0:*) ;;
::|\[::\]*) ;;
*) warn_addr="${warn_addr} ${x}" ;;
esac
done
if [ -n "${warn_addr}" ] ; then
need net
ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
ewarn "where FOO is the interface(s) providing the following address(es):"
ewarn "${warn_addr}"
fi
fi
}
checkconfig() {
checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
if [ ! -e "${SSHD_CONFIG}" ] ; then
eerror "You need an ${SSHD_CONFIG} file to run sshd"
eerror "There is a sample file in /usr/share/doc/openssh"
return 1
fi
${SSHD_KEYGEN_BINARY} -A || return 2
"${command}" -t ${command_args} || return 3
}
start_pre() {
# Make sure that the user's config isn't busted before we try
# to start the daemon (this will produce better error messages
# than if we just try to start it blindly).
#
# We always need to call checkconfig because this function will
# also generate any missing host key and you can start a
# non-running service with "restart" argument.
checkconfig || return $?
}
stop_pre() {
if [ "${RC_CMD}" = "restart" ] ; then
# If this is a restart, check to make sure the user's config
# isn't busted before we stop the running daemon.
checkconfig || return $?
elif yesno "${RC_GOINGDOWN}" && [ -s "${pidfile}" ] && hash pgrep 2>/dev/null ; then
# Disconnect any clients before killing the master process
local pid=$(cat "${pidfile}" 2>/dev/null)
if [ -n "${pid}" ] ; then
local ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
IFS="${IFS}@"
local daemon pid pty user
pgrep -a -P ${pid} -f "$ssh_session_pattern" | while read pid daemon user pty ; do
ewarn "Found ${daemon%:} session ${pid} on ${pty}; sending SIGTERM ..."
kill "${pid}" || true
done
fi
fi
}
reload() {
checkconfig || return $?
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP --pidfile "${pidfile}"
eend $?
}

515
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.4_p1-r3.ebuild vendored
View File

@ -1,515 +0,0 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
HPN_PV="8.3_P1"
HPN_VER="14.22"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="12.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( ssl )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( !prefix? ( sys-apps/shadow ) )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
# https://bugs.gentoo.org/749026
use X509 || eapply "${FILESDIR}"/${PN}-8.4_p1-fix-ssh-copy-id.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
if use elibc_musl; then
# stackprotect is broken on musl x86 and ppc
if use x86 || use ppc; then
myconf+=( --without-stackprotect )
fi
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
# https://bugs.gentoo.org/733802
if ! use scp; then
rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}

510
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1-r1.ebuild vendored
View File

@ -1,510 +0,0 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
# PV to USE for HPN patches
HPN_PV="${PV^^}"
HPN_VER="15.2"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="13.0.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( ssl )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)] !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( !prefix? ( sys-apps/shadow ) )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
use X509 && eapply "${FILESDIR}/${PN}-8.5_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
use sctp && eapply "${FILESDIR}/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch"
popd &>/dev/null || die
eapply "${hpn_patchdir}"
use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
if use elibc_musl; then
# stackprotect is broken on musl x86 and ppc
if use x86 || use ppc; then
myconf+=( --without-stackprotect )
fi
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
# https://bugs.gentoo.org/733802
if ! use scp; then
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}

512
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1.ebuild vendored
View File

@ -1,512 +0,0 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
HPN_PV="8.4_P1"
HPN_VER="15.1"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="13.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( ssl )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( !prefix? ( sys-apps/shadow ) )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
if use elibc_musl; then
# stackprotect is broken on musl x86 and ppc
if use x86 || use ppc; then
myconf+=( --without-stackprotect )
fi
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
# https://bugs.gentoo.org/733802
if ! use scp; then
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}

18
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.6_p1-r1.ebuild → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.7_p1-r1.ebuild vendored
View File

@ -1,5 +1,5 @@
# Difference to upstream from ./update_ebuilds:
# - Ported changes from 529e323aad6b43a9a0c06520c1e4f6ae69b9bafa
# - Ported changes from 11d6f23704e7ab84191e28e034816bfdb151d406
#
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
@ -24,7 +24,7 @@ HPN_PATCHES=(
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
@ -44,6 +44,7 @@ IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit li
RESTRICT="!test? ( test )"
REQUIRED_USE="
hpn? ( ssl )
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
@ -69,10 +70,10 @@ LIB_DEPEND="
ssl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
>=dev-libs/openssl-1.0.1:0[bindist(-)=]
<dev-libs/openssl-1.1.0:0[bindist(-)=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
>=dev-libs/openssl-1.1.0g:0[bindist(-)=]
)
dev-libs/openssl:0=[static-libs(+)]
)
@ -135,15 +136,12 @@ src_prepare() {
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
@ -191,7 +189,7 @@ src_prepare() {
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die

2
sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords vendored
View File

@ -76,7 +76,7 @@ dev-util/checkbashisms
=sec-policy/selinux-unconfined-2.20200818-r2 **
=sec-policy/selinux-virt-2.20200818-r2 **
=net-misc/openssh-8.6_p1-r1 ~amd64 ~arm64
=net-misc/openssh-8.7_p1-r1 ~amd64 ~arm64
=sys-firmware/sgabios-0.1_pre8-r1 ~amd64 ~arm64