net-misc/openssh: Sync with Gentoo's latest stable

This commit is contained in:
Kai Lüke 2020-08-05 19:54:15 +00:00
parent b3c4c2f834
commit 406ad6140a
23 changed files with 2239 additions and 154 deletions

View File

@ -2,6 +2,12 @@ DIST openssh-8.1_p1-glibc-2.31-patches.tar.xz 1752 BLAKE2B ccab53069c0058be7ba78
DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab490e11c97f9bcbaf8f527e46ae7fd5bade19feb3d8853079870b5c08b70a55e289cf4bf7981c11983973fa588841aeb21e650 SHA512 8d7c321423940f5a78a51a25ad5373f5db17a4a8ca7e85041e503998e0823ad22068bc652e907e9f5787858d45ce438a4bba18240fa72e088eb10b903e96b192
DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566
DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
DIST openssh-8.2p1+x509-12.4.3.diff.gz 806905 BLAKE2B 8e0f0f3eeb2aafd9fc9e6eca80c0b51ffedbed9dfc46ff73bb1becd28f6ac013407d03107b59da05d9d56edbf283eef20891086867b79efd8aab81c3e9a4a32f SHA512 51117d7e4df2ff78c4fdfd08c2bb8f1739b1db064df65bab3872e1a956c277a4736c511794aa399061058fea666a76ee07bb50d83a0d077b7fa572d02c030b91
DIST openssh-8.2p1-sctp-1.2.patch.xz 7668 BLAKE2B 717487cffd235a5dfa2d9d3f2c1983f410d400b0d23f71a9b74406ac3d2f448d76381a3b7a3244942bff4e6bdc3bc78d148b9949c78dc297d99c7330179f8176 SHA512 a5fbd827e62e91b762062a29c7bc3bf569a202bdc8c91da7d77566ff8bb958b5b9fb6f8d45df586e0d7ac07a83de6e82996e9c5cdd6b3bf43336c420d3099305
DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf47161071aa81d0763f81b12fe4bc3d409c260783d995307d4e4ed2d16080fd74b15e4dc6dcc5648d7e66720c3ed SHA512 c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
DIST openssh-8.3p1+x509-12.5.1.diff.gz 803054 BLAKE2B ec88959b4e3328e70d6f136f3d5bebced2e555de3ea40f55c535ca8a30a0eed84d177ad966e5bda46e1fc61d42141b13e96d068f5abfd069ae81b131dfb5a66c SHA512 28166a1a1aeff0c65f36263c0009e82cda81fc8f4efe3d11fabd0312d199a4f935476cf7074fbce68787d2fec0fd42f00fef383bf856a5767ce9d0ca6bbc8ef0
DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014
DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d

View File

@ -0,0 +1,111 @@
diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:15.746095444 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:54.181853707 -0800
@@ -4,8 +4,8 @@
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
LD=@LD@
- CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -948,9 +948,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -643,6 +647,7 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:41:42.512910357 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:56:40.323299499 -0800
@@ -382,7 +382,7 @@
@@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -391,8 +391,8 @@
debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
@@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
- peer[ncomp] = NULL;
- goto out;
+ else
+ fatal("Pre-authentication none cipher requests are not allowed.");
}
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
@@ -1169,15 +1169,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b3fadf8..ec1d2e27 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_8.1"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v20"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+
diff -ur a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
--- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 15:41:42.512910357 -0800
+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 16:02:42.203023609 -0800
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -33,12 +33,12 @@
@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+ if (win_size > 36) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);

View File

@ -1,114 +0,0 @@
--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 17:07:59.413376785 -0700
+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 20:05:12.622588051 -0700
@@ -382,7 +382,7 @@
@@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -441,6 +441,39 @@
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
int ssh_packet_set_state(struct ssh *, struct sshbuf *);
+diff --git a/packet.c b/packet.c
+index dcf35e6..9433f08 100644
+--- a/packet.c
++++ b/packet.c
+@@ -920,6 +920,14 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+
++/* this supports the forced rekeying required for the NONE cipher */
++int rekey_requested = 0;
++void
++packet_request_rekeying(void)
++{
++ rekey_requested = 1;
++}
++
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+@@ -946,6 +954,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+ if (state->p_send.packets == 0 && state->p_read.packets == 0)
+ return 0;
+
++ /* used to force rekeying when called for by the none
++ * cipher switch and aes-mt-ctr methods -cjr */
++ if (rekey_requested == 1) {
++ rekey_requested = 0;
++ return 1;
++ }
++
+ /* Time-based rekeying */
+ if (state->rekey_interval != 0 &&
+ (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/readconf.c b/readconf.c
index db5f2d5..33f18c9 100644
--- a/readconf.c
@@ -453,10 +486,9 @@
/* Format of the configuration file:
-@@ -166,6 +167,8 @@ typedef enum {
+@@ -166,5 +167,7 @@ typedef enum {
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
oVisualHostKey,
@@ -592,10 +624,9 @@
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
-@@ -111,7 +115,10 @@ typedef struct {
+@@ -111,6 +115,9 @@ typedef struct {
int enable_ssh_keysign;
int64_t rekey_limit;
- int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -650,10 +681,8 @@
/* Portable-specific options */
if (options->use_pam == -1)
-@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
+@@ -391,4 +400,41 @@ fill_default_server_options(ServerOptions *options)
options->permit_tun = SSH_TUNMODE_NO;
- if (options->disable_multithreaded == -1)
- options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->hpn_disabled == -1)
@@ -1095,9 +1124,9 @@
+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+ }
+ }
+ debug("Authentication succeeded (%s).", authctxt.method->name);
+ }
- #ifdef WITH_OPENSSL
- if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index a738c3a..b32dbe0 100644
--- a/sshd.c
@@ -1181,14 +1210,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index f1bbf00..21a70c2 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_7.8"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+

View File

@ -0,0 +1,11 @@
--- a/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:01.210601434 -0700
+++ b/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:18.753485852 -0700
@@ -7,7 +7,7 @@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
EXEEXT=@EXEEXT@
LIBCOMPAT=../libopenbsd-compat.a
LIBS=@LIBS@

View File

@ -0,0 +1,35 @@
Only in b: .openssh-8.1p1+x509-12.3.diff.un~
diff -ur a/openssh-8.1p1+x509-12.3.diff b/openssh-8.1p1+x509-12.3.diff
--- a/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:33:45.796485604 -0700
+++ b/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:39:44.960312587 -0700
@@ -35343,12 +35343,11 @@
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-@@ -339,6 +360,8 @@
+@@ -339,6 +360,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -83536,16 +83535,6 @@
+ return mbtowc(NULL, s, n);
+}
+#endif
-diff -ruN openssh-8.1p1/version.h openssh-8.1p1+x509-12.3/version.h
---- openssh-8.1p1/version.h 2019-10-09 03:31:03.000000000 +0300
-+++ openssh-8.1p1+x509-12.3/version.h 2019-10-13 09:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.1"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.1p1/version.m4 openssh-8.1p1+x509-12.3/version.m4
--- openssh-8.1p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.1p1+x509-12.3/version.m4 2019-10-13 09:07:00.000000000 +0300

View File

@ -0,0 +1,359 @@
diff --git a/auth.c b/auth.c
index 086b8ebb..a267353c 100644
--- a/auth.c
+++ b/auth.c
@@ -724,120 +724,6 @@ fakepw(void)
return (&fake);
}
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-
-static char *
-remote_hostname(struct ssh *ssh)
-{
- struct sockaddr_storage from;
- socklen_t fromlen;
- struct addrinfo hints, *ai, *aitop;
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
- const char *ntop = ssh_remote_ipaddr(ssh);
-
- /* Get IP address of client. */
- fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) == -1) {
- debug("getpeername failed: %.100s", strerror(errno));
- return xstrdup(ntop);
- }
-
- ipv64_normalise_mapped(&from, &fromlen);
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
-
- debug3("Trying to reverse map address %.100s.", ntop);
- /* Map the IP address to a host name. */
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
- return xstrdup(ntop);
- }
-
- /*
- * if reverse lookup result looks like a numeric hostname,
- * someone is trying to trick us by PTR record like following:
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
- name, ntop);
- freeaddrinfo(ai);
- return xstrdup(ntop);
- }
-
- /* Names are stored in lowercase. */
- lowercase(name);
-
- /*
- * Map it back to an IP address and check that the given
- * address actually is an address of this host. This is
- * necessary because anyone with access to a name server can
- * define arbitrary names for an IP address. Mapping from
- * name to IP address can be trusted better (but can still be
- * fooled if the intruder has access to the name server of
- * the domain).
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = from.ss_family;
- hints.ai_socktype = SOCK_STREAM;
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
- logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed.", name, ntop);
- return xstrdup(ntop);
- }
- /* Look for the address from the list of addresses. */
- for (ai = aitop; ai; ai = ai->ai_next) {
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
- (strcmp(ntop, ntop2) == 0))
- break;
- }
- freeaddrinfo(aitop);
- /* If we reached the end of the list, the address was not there. */
- if (ai == NULL) {
- /* Address not found for the host name. */
- logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address.", ntop, name);
- return xstrdup(ntop);
- }
- return xstrdup(name);
-}
-
-/*
- * Return the canonical name of the host in the other side of the current
- * connection. The host name is cached, so it is efficient to call this
- * several times.
- */
-
-const char *
-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-{
- static char *dnsname;
-
- if (!use_dns)
- return ssh_remote_ipaddr(ssh);
- else if (dnsname != NULL)
- return dnsname;
- else {
- dnsname = remote_hostname(ssh);
- return dnsname;
- }
-}
-
/*
* Runs command in a subprocess with a minimal environment.
* Returns pid on success, 0 on failure.
diff --git a/canohost.c b/canohost.c
index abea9c6e..4f4524d2 100644
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
}
+
+/*
+ * Returns the remote DNS hostname as a string. The returned string must not
+ * be freed. NB. this will usually trigger a DNS query the first time it is
+ * called.
+ * This function does additional checks on the hostname to mitigate some
+ * attacks on legacy rhosts-style authentication.
+ * XXX is RhostsRSAAuthentication vulnerable to these?
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+ */
+
+static char *
+remote_hostname(struct ssh *ssh)
+{
+ struct sockaddr_storage from;
+ socklen_t fromlen;
+ struct addrinfo hints, *ai, *aitop;
+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+ const char *ntop = ssh_remote_ipaddr(ssh);
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) < 0) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
+ if (from.ss_family == AF_INET6)
+ fromlen = sizeof(struct sockaddr_in6);
+
+ debug3("Trying to reverse map address %.100s.", ntop);
+ /* Map the IP address to a host name. */
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
+ return strdup(ntop);
+ }
+
+ /*
+ * if reverse lookup result looks like a numeric hostname,
+ * someone is trying to trick us by PTR record like following:
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return strdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
+ lowercase(name);
+
+ /*
+ * Map it back to an IP address and check that the given
+ * address actually is an address of this host. This is
+ * necessary because anyone with access to a name server can
+ * define arbitrary names for an IP address. Mapping from
+ * name to IP address can be trusted better (but can still be
+ * fooled if the intruder has access to the name server of
+ * the domain).
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = from.ss_family;
+ hints.ai_socktype = SOCK_STREAM;
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
+ return strdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+ (strcmp(ntop, ntop2) == 0))
+ break;
+ }
+ freeaddrinfo(aitop);
+ /* If we reached the end of the list, the address was not there. */
+ if (ai == NULL) {
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
+ return strdup(ntop);
+ }
+ return strdup(name);
+}
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection. The host name is cached, so it is efficient to call this
+ * several times.
+ */
+
+const char *
+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+{
+ static char *dnsname;
+
+ if (!use_dns)
+ return ssh_remote_ipaddr(ssh);
+ else if (dnsname != NULL)
+ return dnsname;
+ else {
+ dnsname = remote_hostname(ssh);
+ return dnsname;
+ }
+}
diff --git a/readconf.c b/readconf.c
index f3cac6b3..adfd7a4e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -205,9 +206,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
# else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
@@ -1033,6 +1036,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1912,6 +1919,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -2061,6 +2069,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index feedb3d2..c7139c1b 100644
--- a/readconf.h
+++ b/readconf.h
@@ -42,6 +42,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
index 06a32d31..6871ff36 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -770,6 +770,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
index af00fb30..652463c5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(ssh, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
- mech, authctxt->host)) {
+ mech, gss_host)) {
ok = 1; /* Mechanism works */
} else {
authctxt->mech_tried++;

View File

@ -0,0 +1,11 @@
--- a/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:01.210601434 -0700
+++ b/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:18.753485852 -0700
@@ -7,7 +7,7 @@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
EXEEXT=@EXEEXT@
LIBCOMPAT=../libopenbsd-compat.a
LIBS=@LIBS@

View File

@ -0,0 +1,128 @@
--- a/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:15:05.939809371 -0700
+++ b/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:23:15.424752355 -0700
@@ -39298,16 +39298,15 @@
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-@@ -378,6 +379,8 @@
+@@ -378,6 +379,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -386,11 +389,14 @@
+@@ -386,11 +388,14 @@
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
@@ -39326,7 +39325,7 @@
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -400,12 +406,12 @@
+@@ -400,12 +405,12 @@
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
@@ -39340,7 +39339,7 @@
install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -463,10 +469,9 @@
+@@ -463,10 +468,9 @@
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
@@ -39354,7 +39353,7 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -478,7 +483,6 @@
+@@ -478,7 +482,6 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -39362,7 +39361,7 @@
regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper
-@@ -491,11 +495,11 @@
+@@ -491,11 +494,11 @@
$(MKDIR_P) `pwd`/regress/unittests/match
$(MKDIR_P) `pwd`/regress/unittests/utf8
$(MKDIR_P) `pwd`/regress/misc/kexfuzz
@@ -39376,7 +39375,7 @@
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
-@@ -546,8 +550,7 @@
+@@ -546,8 +549,7 @@
regress/unittests/sshkey/tests.o \
regress/unittests/sshkey/common.o \
regress/unittests/sshkey/test_file.o \
@@ -39406,7 +39405,7 @@
regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
${UNITTESTS_TEST_HOSTKEYS_OBJS} \
-@@ -618,35 +619,18 @@
+@@ -618,35 +618,18 @@
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
MISC_KEX_FUZZ_OBJS=\
@@ -39444,7 +39443,7 @@
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
regress/unittests/bitmap/test_bitmap$(EXEEXT) \
-@@ -657,36 +641,29 @@
+@@ -657,36 +640,29 @@
regress/unittests/utf8/test_utf8$(EXEEXT) \
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
@@ -39501,7 +39500,7 @@
TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
-@@ -708,8 +685,6 @@
+@@ -708,8 +684,6 @@
TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
@@ -39510,7 +39509,7 @@
TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
-@@ -717,17 +692,35 @@
+@@ -717,17 +691,35 @@
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
@@ -39549,7 +39548,7 @@
survey: survey.sh ssh
@$(SHELL) ./survey.sh > survey
-@@ -743,4 +736,8 @@
+@@ -743,4 +735,8 @@
sh buildpkg.sh; \
fi
@@ -98215,16 +98214,6 @@
+ return mbtowc(NULL, s, n);
+}
+#endif
-diff -ruN openssh-8.2p1/version.h openssh-8.2p1+x509-12.4.3/version.h
---- openssh-8.2p1/version.h 2020-02-14 02:40:54.000000000 +0200
-+++ openssh-8.2p1+x509-12.4.3/version.h 2020-03-21 19:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.2"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.2p1/version.m4 openssh-8.2p1+x509-12.4.3/version.m4
--- openssh-8.2p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.2p1+x509-12.4.3/version.m4 2020-03-21 19:07:00.000000000 +0200

View File

@ -0,0 +1,133 @@
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:41:56.143193830 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:46:40.060133610 -0800
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -902,14 +902,14 @@
/*
@@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
- options->canonicalize_hostname = SSH_CANONICALISE_NO;
- if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- #ifdef ENABLE_SK_INTERNAL
if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("internal");
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c803eca7 100644
--- a/readconf.h
@@ -948,9 +948,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -643,6 +647,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
Only in b: openssh-8_1_P1-hpn-AES-CTR-14.20.diff.orig
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:41:56.144193830 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:45:36.665147504 -0800
@@ -382,7 +382,7 @@
@@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -391,8 +391,8 @@
debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
@@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
- peer[ncomp] = NULL;
- goto out;
+ else
+ fatal("Pre-authentication none cipher requests are not allowed.");
}
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
@@ -1169,15 +1169,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b3fadf8..ec1d2e27 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_8.1"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v20"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
--- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:41:43.834196317 -0800
+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:45:36.665147504 -0800
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -33,12 +33,12 @@
@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+ if (win_size > 36) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);

View File

@ -0,0 +1,151 @@
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:53:06.190742744 -0800
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ PICFLAG=@PICFLAG@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -902,14 +902,14 @@
/*
@@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
+ if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- if (options->update_hostkeys == -1)
- options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
-
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ #ifdef ENABLE_SK_INTERNAL
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("internal");
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c803eca7 100644
--- a/readconf.h
@@ -952,9 +952,9 @@
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -643,6 +647,7 @@ static struct {
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "include", sInclude, SSHCFG_ALL },
+ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:51:19.541768656 -0800
@@ -409,18 +409,10 @@
index 817da43b..b2bcf78f 100644
--- a/packet.c
+++ b/packet.c
-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -434,20 +426,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index 8ccfd2e0..1ad9bc06 100644
--- a/packet.h
@@ -476,9 +454,9 @@
/* Format of the configuration file:
@@ -167,6 +168,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
oVisualHostKey,
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -112,7 +116,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -700,9 +678,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -486,6 +532,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -1079,11 +1057,11 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1105,9 +1083,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 11571c01..23a06022 100644
--- a/sshd.c

View File

@ -0,0 +1,20 @@
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:31:37.392120799 -0700
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:32:46.143684424 -0700
@@ -672,7 +672,7 @@
+const EVP_CIPHER *
+evp_aes_ctr_mt(void)
+{
-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
+ static EVP_CIPHER *aes_ctr;
+ aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
+ EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
@@ -701,7 +701,7 @@
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+# endif /*SSH_OLD_EVP*/
+ return &aes_ctr;
-+# endif /*OPENSSH_VERSION_NUMBER*/
++# endif /*OPENSSL_VERSION_NUMBER*/
+}
+
+#endif /* defined(WITH_OPENSSL) */

View File

@ -0,0 +1,19 @@
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:00.321998279 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:21.759980508 -0800
@@ -1169,15 +1169,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b3fadf8..ec1d2e27 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_8.1"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v20"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+

View File

@ -0,0 +1,35 @@
Only in b: .openssh-8.3p1+x509-12.5.1.diff.un~
diff -u a/openssh-8.3p1+x509-12.5.1.diff b/openssh-8.3p1+x509-12.5.1.diff
--- a/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:13:08.937543708 -0700
+++ b/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:16:33.417271984 -0700
@@ -35541,12 +35541,11 @@
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-@@ -382,6 +363,8 @@
+@@ -382,6 +363,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -97028,16 +97027,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.3p1/version.h openssh-8.3p1+x509-12.5.1/version.h
---- openssh-8.3p1/version.h 2020-05-27 03:38:00.000000000 +0300
-+++ openssh-8.3p1+x509-12.5.1/version.h 2020-06-07 11:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.3"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.3p1/version.m4 openssh-8.3p1+x509-12.5.1/version.m4
--- openssh-8.3p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.3p1+x509-12.5.1/version.m4 2020-06-07 11:07:00.000000000 +0300

View File

@ -0,0 +1,177 @@
Only in b: .openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff.un~
diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:27.704108928 -0700
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:49.803967500 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ PICFLAG=@PICFLAG@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -902,14 +902,14 @@
/*
@@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
+ if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- if (options->update_hostkeys == -1)
- options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
-
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ #ifdef ENABLE_SK_INTERNAL
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("internal");
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c803eca7 100644
--- a/readconf.h
@@ -952,9 +952,9 @@
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -643,6 +647,7 @@ static struct {
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "include", sInclude, SSHCFG_ALL },
+ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 13:52:27.705108921 -0700
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 14:03:57.888683100 -0700
@@ -409,18 +409,10 @@
index 817da43b..b2bcf78f 100644
--- a/packet.c
+++ b/packet.c
-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -434,20 +426,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index 8ccfd2e0..1ad9bc06 100644
--- a/packet.h
@@ -476,9 +454,9 @@
/* Format of the configuration file:
@@ -167,6 +168,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
oVisualHostKey,
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -112,7 +116,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -700,9 +678,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -486,6 +532,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -731,11 +709,10 @@
*flags = keywords[i].flags;
return keywords[i].opcode;
}
-@@ -1424,10 +1477,27 @@ process_server_config_line(ServerOptions *options, char *line,
- multistate_ptr = multistate_flag;
+@@ -1424,12 +1477,28 @@ process_server_config_line(ServerOptions *options, char *line,
+ multistate_ptr = multistate_ignore_rhosts;
goto parse_multistate;
-+
+ case sTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
+ goto parse_flag;
@@ -750,7 +727,9 @@
+
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
- goto parse_flag;
+ parse_flag:
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
+ case sNoneEnabled:
+ intptr = &options->none_enabled;
@@ -1079,11 +1058,11 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1105,9 +1084,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 11571c01..23a06022 100644
--- a/sshd.c

View File

@ -0,0 +1,13 @@
diff --git a/Makefile.in b/Makefile.in
index c9e4294d..2dbfac24 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -44,7 +44,7 @@ CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
CFLAGS_NOPIE=@CFLAGS_NOPIE@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@
PICFLAG=@PICFLAG@
LIBS=@LIBS@
K5LIBS=@K5LIBS@

View File

@ -0,0 +1,33 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress.
#SSHD_SSD_OPTS="--wait 1000"
# Pid file to use (needs to be absolute path).
#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
# Path to the sshd binary (needs to be absolute path).
#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
# Path to the ssh-keygen binary (needs to be absolute path).
#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"

View File

@ -1,5 +1,5 @@
#!/sbin/openrc-run
# Copyright 1999-2018 Gentoo Foundation
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
@ -61,16 +61,14 @@ checkconfig() {
}
start_pre() {
# If this isn't a restart, make sure that the user's config isn't
# busted before we try to start the daemon (this will produce
# better error messages than if we just try to start it blindly).
# Make sure that the user's config isn't busted before we try
# to start the daemon (this will produce better error messages
# than if we just try to start it blindly).
#
# If, on the other hand, this *is* a restart, then the stop_pre
# action will have ensured that the config is usable and we don't
# need to do that again.
if [ "${RC_CMD}" != "restart" ] ; then
checkconfig || return $?
fi
# We always need to call checkconfig because this function will
# also generate any missing host key and you can start a
# non-running service with "restart" argument.
checkconfig || return $?
}
stop_pre() {

View File

@ -1,21 +0,0 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="/etc/ssh"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Pid file to use (needs to be absolute path).
#SSHD_PIDFILE="/var/run/sshd.pid"
# Path to the sshd binary (needs to be absolute path).
#SSHD_BINARY="/usr/sbin/sshd"

View File

@ -5,7 +5,6 @@ Conflicts=sshd.service
[Socket]
ListenStream=22
Accept=yes
TriggerLimitBurst=0
[Install]
WantedBy=sockets.target

View File

@ -5,10 +5,6 @@
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<maintainer type="person">
<email>robbat2@gentoo.org</email>
<description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
</maintainer>
<longdescription>
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
@ -25,18 +21,17 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
</longdescription>
<use>
<flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
<flag name="security-key">Include builtin U2F/FIDO support</flag>
<flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
<flag name="X509">Adds support for X.509 certificate authentication</flag>
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
<remote-id type="sourceforge">hpnssh</remote-id>
</upstream>
</pkgmetadata>

View File

@ -34,7 +34,7 @@ S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss"
@ -395,6 +395,8 @@ src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

View File

@ -0,0 +1,483 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
HPN_PV="8.1_P1"
HPN_VER="14.20"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="12.4.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( || ( ssl libressl ) )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( dev-libs/libfido2:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
!libressl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/os-headers
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( !prefix? ( sys-apps/shadow ) )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-libressl.patch
if use X509; then
# einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
# # X509 and AES-CTR-MT don't get along, let's just drop it
# rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-X509-glue.patch
fi
use sctp && eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply_user #473004
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(use_with security-key security-key-builtin)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
# stackprotect is broken on musl x86 and ppc
use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
keepdir /var/empty
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}

View File

@ -0,0 +1,501 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
HPN_PV="8.1_P1"
HPN_VER="14.20"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( || ( ssl libressl ) )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.4.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
!libressl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/os-headers
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( !prefix? ( sys-apps/shadow ) )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-libressl.patch
if use X509; then
# einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
# # X509 and AES-CTR-MT don't get along, let's just drop it
# rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch
fi
use sctp && eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
# stackprotect is broken on musl x86 and ppc
use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
# https://bugs.gentoo.org/733802
if ! use scp; then
rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
keepdir /var/empty
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}