mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2026-05-05 12:16:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

net-misc/openssh: Sync with Gentoo

Browse Source 
It's from Gentoo commit aed2f54db7d13229bf80a8b728a7ae62d601ff4f.
This commit is contained in:
Flatcar Buildbot 2024-11-11 07:08:21 +00:00 committed by Krzesimir Nowak
parent 7af8f0a27f
commit 908060b400
16 changed files with 878 additions and 545 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest vendored
View File

@ -1,6 +1,6 @@
DIST openssh-9.6p1.tar.gz 1857862 BLAKE2B dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd SHA512 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509
DIST openssh-9.6p1.tar.gz.asc 833 BLAKE2B 9363d02f85457aa90069020827306a2f49d8406e32f5ee1d231844648dd2ffa02fa9b7325b8677a11e46a0ba0d9ffc86d9c989435d691a02f5354a956c49f9f9 SHA512 aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d
DIST openssh-9.7p1.tar.gz 1848766 BLAKE2B 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b SHA512 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55
DIST openssh-9.7p1.tar.gz.asc 833 BLAKE2B a95e952be48bd55a07d0a95a49dc06c326816c67b8b5d40bd3f64c28aa43122253817b8a088e7a3b8a190375ea39f9fc3400b22d035561f9643c1d32b5caef27 SHA512 e028978e4266de9ad513626b13d70249e4166923fc15f38751178e2b3522ff6ebb9a7ca7dc32d1bb42d42fb92adf9903dba1b734bec083010ed7323aadad8baf
DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
DIST openssh-9.9p1.tar.gz 1964864 BLAKE2B 817d267e42b8be74a13e0cfd7999bdb4dab6355c7f62c1a4dd89adad310c5fb7fe3f17109ce1a36cd269a3639c1b8f1d18330c615ab3b419253ec027cfa20997 SHA512 3cc0ed97f3e29ecbd882eca79239f02eb5a1606fce4f3119ddc3c5e86128aa3ff12dc85000879fccc87b60e7d651cfe37376607ac66075fede2118deaa685d6d
DIST openssh-9.9p1.tar.gz.asc 833 BLAKE2B 0e19668eb5cadea0e7b06caf2bc2f4cee7e7656a780a128090dcdf2acc25c6e0e0fc7c4c83c95ffcd567cd03941ec772b0f5b273e6f79ff4e440e1d9f22bcdb7 SHA512 916e975c54eb68c0b2f0b0006522b241cbe54c4caa88d31537a6278490c93d9d732c2ab3a080ac084bf75cbdd5402901ec68583cbe7c7cde4a8e40e7a8b78c28

39
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch vendored Normal file
View File

@ -0,0 +1,39 @@
From 27996b32a8b0fe908effc469e5c7d496e40c6671 Mon Sep 17 00:00:00 2001
Message-ID: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Christoph Ostarek <christoph@zededa.com>
Date: Wed, 3 Jul 2024 12:46:59 +0200
Subject: [PATCH 1/8] fix utmpx ifdef
02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
utmpx, but forgot to change the ifdef appropriately
(cherry picked from commit c7fda601186ff28128cfe3eab9c9c0622de096e1)
---
loginrec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loginrec.c b/loginrec.c
index 7460bb2c0..45f13dee8 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
void
construct_utmpx(struct logininfo *li, struct utmpx *utx)
{
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
struct sockaddr_in6 *sa6;
# endif
memset(utx, '\0', sizeof(*utx));
@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
if (li->hostaddr.sa.sa_family == AF_INET)
utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
/* this is just a 128-bit IPv6 address */
if (li->hostaddr.sa.sa_family == AF_INET6) {
sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
--
2.47.0

40
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch vendored Normal file
View File

@ -0,0 +1,40 @@
From c606840894ca805472ddbd4ebad4b0a6f231ccb5 Mon Sep 17 00:00:00 2001
Message-ID: <c606840894ca805472ddbd4ebad4b0a6f231ccb5.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 25 Sep 2024 11:13:05 +1000
Subject: [PATCH 2/8] build construct_utmp() when USE_BTMP is set
Fixes compile error on Void Linux/Musl
(cherry picked from commit 2c12ae8cf9b0b7549ae097c4123abeda0ee63e5b)
---
loginrec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loginrec.c b/loginrec.c
index 45f13dee8..7b1818b86 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -614,7 +614,7 @@ line_abbrevname(char *dst, const char *src, int dstsize)
** into account.
**/
-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
/* build the utmp structure */
void
@@ -698,7 +698,7 @@ construct_utmp(struct logininfo *li,
}
# endif
}
-#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
+#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */
/**
** utmpx utility functions
--
2.47.0

30
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch vendored Normal file
View File

@ -0,0 +1,30 @@
From d1e0cfefc3a0f2d371f280d270e9ebc2188950c6 Mon Sep 17 00:00:00 2001
Message-ID: <d1e0cfefc3a0f2d371f280d270e9ebc2188950c6.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 25 Sep 2024 11:15:45 +1000
Subject: [PATCH 3/8] gss-serv.c needs sys/param.h
From Void Linux
(cherry picked from commit ff2cd1dd5711ff88efdf26662d6189d980439a1f)
---
gss-serv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/gss-serv.c b/gss-serv.c
index 00e3d118b..025a118f8 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -29,6 +29,7 @@
#ifdef GSSAPI
#include <sys/types.h>
+#include <sys/param.h>
#include <stdarg.h>
#include <string.h>
--
2.47.0

296
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch vendored Normal file
View File

@ -0,0 +1,296 @@
From dda58ae078f4cba21c3b874e81f1d28121636985 Mon Sep 17 00:00:00 2001
Message-ID: <dda58ae078f4cba21c3b874e81f1d28121636985.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 25 Sep 2024 01:24:04 +0000
Subject: [PATCH 4/8] upstream: fix regression introduced when I switched the
"Match"
criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
(cherry picked from commit 66878e12a207fa9746dee3e2bdcca29b704cf035)
---
misc.c | 23 +++++++++++++++++++++-
misc.h | 3 ++-
readconf.c | 28 ++++++++++++++++++++++-----
servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++--------------
4 files changed, 89 insertions(+), 22 deletions(-)
diff --git a/misc.c b/misc.c
index afdf5142e..1b4b55c50 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -107,6 +107,27 @@ rtrim(char *s)
}
}
+/*
+ * returns pointer to character after 'prefix' in 's' or otherwise NULL
+ * if the prefix is not present.
+ */
+const char *
+strprefix(const char *s, const char *prefix, int ignorecase)
+{
+ size_t prefixlen;
+
+ if ((prefixlen = strlen(prefix)) == 0)
+ return s;
+ if (ignorecase) {
+ if (strncasecmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ } else {
+ if (strncmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ }
+ return s + prefixlen;
+}
+
/* set/unset filedescriptor to non-blocking */
int
set_nonblock(int fd)
diff --git a/misc.h b/misc.h
index 113403896..efecdf1ad 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -56,6 +56,7 @@ struct ForwardOptions {
char *chop(char *);
void rtrim(char *);
void skip_space(char **);
+const char *strprefix(const char *, const char *, int);
char *strdelim(char **);
char *strdelimw(char **);
int set_nonblock(int);
diff --git a/readconf.c b/readconf.c
index 3d9cc6dbb..de42fb6ff 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
+ char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
this_result ? "" : "not ", oattrib);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "originalhost=", 1) != NULL ||
+ strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "localuser=", 1) != NULL ||
+ strprefix(attrib, "localnetwork=", 1) != NULL ||
+ strprefix(attrib, "tagged=", 1) != NULL ||
+ strprefix(attrib, "exec=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
result = -1;
goto out;
@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
+ free(attrib);
free(host);
return result;
}
diff --git a/servconf.c b/servconf.c
index 89b8413e8..dd774f468 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
int line, struct connection_info *ci)
{
int result = 1, attributes = 0, port;
- char *arg, *attrib;
+ char *arg, *attrib = NULL, *oattrib;
if (ci == NULL)
debug3("checking syntax for 'Match %s'", full_line);
@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
ci->laddress ? ci->laddress : "(null)", ci->lport);
}
- while ((attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp); /* mark all arguments consumed */
@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
*arg != '\0' && *arg != '#')) {
error("'all' cannot be combined with other "
"Match attributes");
- return -1;
+ result = -1;
+ goto out;
}
if (arg != NULL && *arg == '#')
argv_consume(acp); /* consume remaining args */
- return 1;
+ result = 1;
+ goto out;
}
/* Criterion "invalid-user" also has no argument */
if (strcasecmp(attrib, "invalid-user") == 0) {
@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("matched invalid-user at line %d", line);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "group=", 1) != NULL ||
+ strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "address=", 1) != NULL ||
+ strprefix(attrib, "localaddress=", 1) != NULL ||
+ strprefix(attrib, "localport=", 1) != NULL ||
+ strprefix(attrib, "rdomain=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
- return -1;
+ result = -1;
+ goto out;
}
if (strcasecmp(attrib, "user") == 0) {
if (ci == NULL || (ci->test && ci->user == NULL)) {
@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
match_test_missing_fatal("Group", "user");
switch (match_cfg_line_group(arg, line, ci->user)) {
case -1:
- return -1;
+ result = -1;
+ goto out;
case 0:
result = 0;
}
@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localaddress") == 0){
if (ci == NULL || (ci->test && ci->laddress == NULL)) {
@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localport") == 0) {
if ((port = a2port(arg)) == -1) {
error("Invalid LocalPort '%s' on Match line",
arg);
- return -1;
+ result = -1;
+ goto out;
}
if (ci == NULL || (ci->test && ci->lport == -1)) {
result = 0;
@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("user %.100s matched 'RDomain %.100s' at "
"line %d", ci->rdomain, arg, line);
} else {
- error("Unsupported Match attribute %s", attrib);
- return -1;
+ error("Unsupported Match attribute %s", oattrib);
+ result = -1;
+ goto out;
}
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
return -1;
}
- if (ci != NULL)
+ out:
+ if (ci != NULL && result != -1)
debug3("match %sfound", result ? "" : "not ");
+ free(attrib);
return result;
}
--
2.47.0

70
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch vendored Normal file
View File

@ -0,0 +1,70 @@
From 3e95023995e1d0249febab2b804f51b7673e07de Mon Sep 17 00:00:00 2001
Message-ID: <3e95023995e1d0249febab2b804f51b7673e07de.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 26 Sep 2024 23:55:08 +0000
Subject: [PATCH 5/8] upstream: fix previous change to ssh_config Match, which
broken on
negated Matches; spotted by phessler@ ok deraadt@
OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
(cherry picked from commit 19bcb2d90c6caf14abf386b644fb24eb7afab889)
---
readconf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/readconf.c b/readconf.c
index de42fb6ff..9f5592698 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
+ char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = argv_next(acp, avp)) != NULL) {
- attrib = xstrdup(oattrib);
+ while ((attrib = argv_next(acp, avp)) != NULL) {
+ attrib = oattrib = xstrdup(attrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
- free(attrib);
- attrib = NULL;
+ free(oattrib);
+ oattrib = attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
- free(attrib);
+ free(oattrib);
free(host);
return result;
}
--
2.47.0

99
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch vendored Normal file
View File

@ -0,0 +1,99 @@
From 3c10bf179b0029e0412e4b0fecf2e31d53b4ef08 Mon Sep 17 00:00:00 2001
Message-ID: <3c10bf179b0029e0412e4b0fecf2e31d53b4ef08.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 27 Oct 2024 02:06:01 +0000
Subject: [PATCH 6/8] upstream: fix ML-KEM768x25519 KEX on big-endian systems;
spotted by
jsg@ feedback/ok deraadt@
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
(cherry picked from commit 11f348196b3fb51c3d8d1f4f36db9d73f03149ed)
---
libcrux_mlkem768_sha3.h | 8 +++++---
mlkem768.sh | 17 ++++++++++++-----
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
index a82d60e83..b8ac1436f 100644
--- a/libcrux_mlkem768_sha3.h
+++ b/libcrux_mlkem768_sha3.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
+
/* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
/*
@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
// CORE STUFF (conversions, endianness, ...)
static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
+ v = htole64(v);
memcpy(buf, &v, sizeof(v));
}
static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
uint64_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le64toh(v);
}
static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
uint32_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le32toh(v);
}
static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
diff --git a/mlkem768.sh b/mlkem768.sh
index 2fdc28312..3d12b2ed8 100644
--- a/mlkem768.sh
+++ b/mlkem768.sh
@@ -1,9 +1,10 @@
#!/bin/sh
-# $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
+# $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
# Placed in the Public Domain.
#
-WANT_LIBCRUX_REVISION="origin/main"
+#WANT_LIBCRUX_REVISION="origin/main"
+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
FILES="
libcrux/libcrux-ml-kem/cg/eurydice_glue.h
@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
echo '#define KRML_HOST_EPRINTF(...)'
echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
echo
+
for i in $FILES; do
echo "/* from $i */"
# Changes to all files:
@@ -56,11 +58,16 @@ for i in $FILES; do
-e 's/[ ]*$//' \
$i | \
case "$i" in
- # XXX per-file handling goes here.
+ */libcrux-ml-kem/cg/eurydice_glue.h)
+ # Replace endian functions with versions that work.
+ perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' |
+ perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
+ ;;
# Default: pass through.
*)
- cat
- ;;
+ cat
+ ;;
esac
echo
done
--
2.47.0

37
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch vendored Normal file
View File

@ -0,0 +1,37 @@
From f87403aba3e7926ab47f4c9a821300a705b070f2 Mon Sep 17 00:00:00 2001
Message-ID: <f87403aba3e7926ab47f4c9a821300a705b070f2.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 27 Oct 2024 02:06:59 +0000
Subject: [PATCH 7/8] upstream: explicitly include endian.h
OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
(cherry picked from commit fe8d28a7ebbaa35cfc04a21263627f05c237e460)
---
kexmlkem768x25519.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kexmlkem768x25519.c b/kexmlkem768x25519.c
index 679446e97..2b5d39608 100644
--- a/kexmlkem768x25519.c
+++ b/kexmlkem768x25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexmlkem768x25519.c,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */
/*
* Copyright (c) 2023 Markus Friedl. All rights reserved.
*
@@ -34,6 +34,9 @@
#include <stdbool.h>
#include <string.h>
#include <signal.h>
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
#include "sshkey.h"
#include "kex.h"
--
2.47.0

66
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch vendored Normal file
View File

@ -0,0 +1,66 @@
From 88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c Mon Sep 17 00:00:00 2001
Message-ID: <88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Sun, 27 Oct 2024 13:28:11 +1100
Subject: [PATCH 8/8] htole64() etc for systems without endian.h
(cherry picked from commit 33c5f384ae03a5d1a0bd46ca0fac3c62e4eaf784)
---
configure.ac | 1 -
defines.h | 26 ++++++++++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 591d5a388..9053a9a2b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2013,7 +2013,6 @@ AC_CHECK_FUNCS([ \
strtoll \
strtoul \
strtoull \
- swap32 \
sysconf \
tcgetpgrp \
timegm \
diff --git a/defines.h b/defines.h
index ed860e78b..b02f2942a 100644
--- a/defines.h
+++ b/defines.h
@@ -646,6 +646,32 @@ struct winsize {
# endif /* WORDS_BIGENDIAN */
#endif /* BYTE_ORDER */
+#ifndef HAVE_ENDIAN_H
+# define openssh_swap32(v) \
+ (uint32_t)(((uint32_t)(v) & 0xff) << 24 | \
+ ((uint32_t)(v) & 0xff00) << 8 | \
+ ((uint32_t)(v) & 0xff0000) >> 8 | \
+ ((uint32_t)(v) & 0xff000000) >> 24)
+# define openssh_swap64(v) \
+ (__uint64_t)((((__uint64_t)(v) & 0xff) << 56) | \
+ ((__uint64_t)(v) & 0xff00ULL) << 40 | \
+ ((__uint64_t)(v) & 0xff0000ULL) << 24 | \
+ ((__uint64_t)(v) & 0xff000000ULL) << 8 | \
+ ((__uint64_t)(v) & 0xff00000000ULL) >> 8 | \
+ ((__uint64_t)(v) & 0xff0000000000ULL) >> 24 | \
+ ((__uint64_t)(v) & 0xff000000000000ULL) >> 40 | \
+ ((__uint64_t)(v) & 0xff00000000000000ULL) >> 56)
+# ifdef WORDS_BIGENDIAN
+# define le32toh(v) (openssh_swap32(v))
+# define le64toh(v) (openssh_swap64(v))
+# define htole64(v) (openssh_swap64(v))
+# else
+# define le32toh(v) ((uint32_t)v)
+# define le64toh(v) ((uint64_t)v)
+# define htole64(v) ((uint64_t)v)
+# endif
+#endif
+
/* Function replacement / compatibility hacks */
#if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
--
2.47.0

20
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.3_p1-disable-conch-interop-tests.patch vendored
View File

@ -1,20 +0,0 @@
Disable conch interop tests which are failing when called
via portage for yet unknown reason and because using conch
seems to be flaky (test is failing when using Python2 but
passing when using Python3).
Bug: https://bugs.gentoo.org/605446
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -3,6 +3,10 @@
tid="conch ciphers"
+# https://bugs.gentoo.org/605446
+echo "conch interop tests skipped due to Gentoo bug #605446"
+exit 0
+
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
echo "conch interop tests not enabled"
exit 0

57
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch vendored
View File

@ -1,57 +0,0 @@
Make sure that host keys are already accepted before
running tests.
https://bugs.gentoo.org/493866
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -16,11 +16,17 @@
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
+ rm -f ${COPY}
cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/cipher_$c
echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
- rm -f ${COPY}
+ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
+ -i ${OBJ}/putty.rsa2 "exit"
+ if [ $? -ne 0 ]; then
+ fail "failed to pre-cache host key"
+ fi
+
env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -20,6 +20,12 @@
${OBJ}/.putty/sessions/kex_$k
echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
+ -i ${OBJ}/putty.rsa2 "exit"
+ if [ $? -ne 0 ]; then
+ fail "failed to pre-cache host key"
+ fi
+
env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
if [ $? -ne 0 ]; then
fail "KEX $k failed"
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -26,6 +26,13 @@
cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/compression_$c
echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
+
+ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
+ -i ${OBJ}/putty.rsa2 "exit"
+ if [ $? -ne 0 ]; then
+ fail "failed to pre-cache host key"
+ fi
+
env HOME=$PWD ${PLINK} -load compression_$c -batch \
-i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then

66
sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.9_p1-x-forwarding-slow.patch vendored Normal file
View File

@ -0,0 +1,66 @@
https://bugzilla.mindrot.org/show_bug.cgi?id=3655
https://github.com/openssh/openssh-portable/commit/fe6c6330c1a94c7a537efe9069853ce7a275c50a
https://bugs.gentoo.org/929191
From fe6c6330c1a94c7a537efe9069853ce7a275c50a Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 13 Oct 2024 22:20:06 +0000
Subject: [PATCH] upstream: don't start the ObscureKeystrokeTiming mitigations
if
there has been traffic on a X11 forwarding channel recently.
Should fix X11 forwarding performance problems when this setting is
enabled. Patch from Antonio Larrosa via bz3655
OpenBSD-Commit-ID: 820284a92eb4592fcd3d181a62c1b86b08a4a7ab
--- a/channels.c
+++ b/channels.c
@@ -5336,3 +5336,22 @@ x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
fatal_fr(r, "send x11-req");
free(new_data);
}
+
+/*
+ * Returns whether an x11 channel was used recently (less than a second ago)
+ */
+int
+x11_channel_used_recently(struct ssh *ssh) {
+ u_int i;
+ Channel *c;
+ time_t lastused = 0;
+
+ for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
+ c = ssh->chanctxt->channels[i];
+ if (c == NULL || c->ctype == NULL || c->lastused == 0 ||
+ strcmp(c->ctype, "x11-connection") != 0)
+ continue;
+ lastused = c->lastused;
+ }
+ return lastused != 0 && monotime() > lastused + 1;
+}
--- a/channels.h
+++ b/channels.h
@@ -382,6 +382,7 @@ int x11_connect_display(struct ssh *);
int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
void x11_request_forwarding_with_spoofing(struct ssh *, int,
const char *, const char *, const char *, int);
+int x11_channel_used_recently(struct ssh *ssh);
/* channel close */
--- a/clientloop.c
+++ b/clientloop.c
@@ -659,9 +659,10 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (just_started)
return 1;
- /* Don't arm output fd for poll until the timing interval has elapsed */
+ /* Don't arm output fd for poll until the timing interval has elapsed... */
if (timespeccmp(&now, &next_interval, <))
- return 0;
+ /* ...unless there's x11 communicattion happening */
+ return x11_channel_used_recently(ssh);
/* Calculate number of intervals missed since the last check */
n = (now.tv_sec - next_interval.tv_sec) * 1000LL * 1000 * 1000;

5
sdk_container/src/third_party/portage-stable/net-misc/openssh/metadata.xml vendored
View File

@ -21,6 +21,11 @@
</longdescription>
<use>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
<flag name="legacy-ciphers">
Enable support for deprecated, soon-to-be-dropped DSA keys.
See https://marc.info/?l=openssh-unix-dev&gt;m=170494903207436&gt;w=2.
</flag>
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
<flag name="security-key">Include builtin U2F/FIDO support</flag>
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>

389
sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.6_p1-r3.ebuild vendored
View File

@ -1,389 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
xmss? ( ssl )
test? ( ssl )
"
# tests currently fail with XMSS
REQUIRED_USE+="test? ( !xmss )"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="
${RDEPEND}
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="
${RDEPEND}
!net-misc/openssh-contrib
pam? ( >=sys-auth/pambase-20081028 )
!prefix? ( sys-apps/shadow )
"
BDEPEND="
dev-build/autoconf
virtual/pkgconfig
verify-sig? ( sec-keys/openpgp-keys-openssh )
"
PATCHES=(
"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
)
pkg_pretend() {
local i enabled_eol_flags disabled_eol_flags
for i in hpn sctp X509; do
if has_version "net-misc/openssh[${i}]"; then
enabled_eol_flags+="${i},"
disabled_eol_flags+="-${i},"
fi
done
if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
# Skip for binary packages entirely because of environment saving, bug #907892
[[ ${MERGE_TYPE} == binary ]] && return
ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
ewarn "since these USE flags required third-party patches that often trigger bugs"
ewarn "and are of questionable provenance."
ewarn
ewarn "If you must continue relying on this functionality, switch to"
ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
ewarn "world file first: 'emerge --deselect net-misc/openssh'"
ewarn
ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
ewarn "variant, when re-emerging you will have to set"
ewarn
ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
[[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
default
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
# optional at runtime; guarantee a known path
--with-xauth="${EPREFIX}"/usr/bin/xauth
# --with-hardening adds the following in addition to flags we
# already set in our toolchain:
# * -ftrapv (which is broken with GCC anyway),
# * -ftrivial-auto-var-init=zero (which is nice, but not the end of
# the world to not have)
# * -fzero-call-used-regs=used (history of miscompilations with
# Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
# gcc PR104820, gcc PR104817, gcc PR110934)).
#
# Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK,
# so we cannot just disable -fzero-call-used-regs=used.
#
# Therefore, just pass --without-hardening, given it doesn't negate
# our already hardened toolchain defaults, and avoids adding flags
# which are known-broken in both Clang and GCC and haven't been
# proven reliable.
--without-hardening
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(use_with security-key security-key-builtin)
$(use_with ssl openssl)
$(use_with ssl ssl-engine)
)
if use elibc_musl; then
# musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230)
myconf+=( --disable-utmp --disable-wtmp )
fi
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
tc-is-clang && myconf+=( --without-hardening )
econf "${myconf[@]}"
}
src_test() {
local tests=( compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
ewarn "user, so we will run a subset only."
tests+=( interop-tests )
else
tests+=( tests )
fi
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
mkdir -p "${HOME}"/.ssh || die
emake -j1 "${tests[@]}" </dev/null
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
# Send locale environment variables (bug #367017)
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM (bug #658540)
SendEnv COLORTERM
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM (bug #658540)
AcceptEnv COLORTERM
EOF
if use pam ; then
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
UsePAM yes
# This interferes with PAM.
PasswordAuthentication no
# PAM can do its own handling of MOTD.
PrintMotd no
PrintLastLog no
EOF
fi
if use livecd ; then
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
# Allow root login with password on livecds.
PermitRootLogin Yes
EOF
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
diropts -m 0700
dodir /etc/skel/.ssh
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.socket
systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
# bug #139235
optfeature "x11 forwarding" x11-apps/xauth
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
ewarn "set 'Restart=no' in your sshd unit file."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
}

5
sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r3.ebuild vendored
View File

@ -20,9 +20,9 @@ S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss"
IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss"
RESTRICT="!test? ( test )"
@ -199,6 +199,7 @@ src_configure() {
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
$(use_with ldns)
$(use_enable legacy-ciphers dsa-keys)
$(use_with libedit)
$(use_with pam)
$(use_with pie)

200
sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.6_p1-r5.ebuild → sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p1.ebuild vendored
View File

@ -3,6 +3,9 @@
EAPI=8
# Remember to check the upstream release/stable branches for patches
# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2.
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig
@ -20,9 +23,9 @@ S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss"
IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss"
RESTRICT="!test? ( test )"
@ -76,12 +79,13 @@ BDEPEND="
"
PATCHES=(
"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
"${FILESDIR}/${PN}-9.6_p1-CVE-2024-6387.patch"
"${FILESDIR}/${PN}-9.6_p1-chaff-logic.patch"
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
# Backports from upstream release branch
"${FILESDIR}/${PV}"
# Our own backports
"${FILESDIR}/${P}-x-forwarding-slow.patch"
)
pkg_pretend() {
@ -200,6 +204,7 @@ src_configure() {
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
$(use_with ldns)
$(use_enable legacy-ciphers dsa-keys)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
@ -221,6 +226,73 @@ src_configure() {
econf "${myconf[@]}"
}
create_config_dropins() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
# Send locale environment variables (bug #367017)
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM (bug #658540)
SendEnv COLORTERM
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM (bug #658540)
AcceptEnv COLORTERM
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
# override default of no subsystems
Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server
EOF
if use pam ; then
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
UsePAM yes
# This interferes with PAM.
PasswordAuthentication no
# PAM can do its own handling of MOTD.
PrintMotd no
PrintLastLog no
EOF
fi
if use livecd ; then
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
# Allow root login with password on livecds.
PermitRootLogin Yes
EOF
fi
}
src_compile() {
default
create_config_dropins
}
src_test() {
local tests=( compat-tests )
local shell=$(egetshell "${UID}")
@ -237,70 +309,6 @@ src_test() {
emake -j1 "${tests[@]}" </dev/null
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
# Send locale environment variables (bug #367017)
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM (bug #658540)
SendEnv COLORTERM
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM (bug #658540)
AcceptEnv COLORTERM
EOF
if use pam ; then
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
UsePAM yes
# This interferes with PAM.
PasswordAuthentication no
# PAM can do its own handling of MOTD.
PrintMotd no
PrintLastLog no
EOF
fi
if use livecd ; then
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
# Allow root login with password on livecds.
PermitRootLogin Yes
EOF
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
@ -312,18 +320,24 @@ src_install() {
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
diropts -m 0700
dodir /etc/skel/.ssh
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.socket
systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service
systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
# Install dropins with explicit mode, bug 906638, 915840
diropts -m0755
insopts -m0644
insinto /etc/ssh
doins -r "${WORKDIR}"/etc/ssh/ssh_config.d
doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts
diropts -m0700
insopts -m0600
doins -r "${WORKDIR}"/etc/ssh/sshd_config.d
}
pkg_preinst() {
@ -389,4 +403,40 @@ pkg_postinst() {
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
openssh_maybe_restart
}
openssh_maybe_restart() {
local ver
declare -a versions
read -ra versions <<<"${REPLACING_VERSIONS}"
for ver in "${versions[@]}"; do
# Exclude 9.8_p1 because it didn't have the safety check
[[ ${ver} == 9.8_p1 ]] && break
if [[ ${ver%_*} == "${PV%_*}" ]]; then
# No major version change has occurred
return
fi
done
if [[ ${ROOT} ]]; then
return
elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
ewarn "bricking the running instance. See bug #709748."
ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'"
systemctl try-restart sshd
eend $?
elif [[ -d /run/openrc ]]; then
# We don't check for sshd -t here because the OpenRC init script
# has a stop_pre() which does checkconfig, i.e. we defer to it
# to give nicer output for a failed sanity check.
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
ewarn "bricking the running instance. See bug #709748."
ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
rc-service -q --ifstarted --nodeps sshd restart
eend $?
fi
}