mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-22 22:21:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

net-misc/openssh: Sync with Gentoo

Browse Source 
It's from Gentoo commit 912850f59174a65693859c4a171ef5e98fbdab6b.
This commit is contained in:
Krzesimir Nowak 2023-07-05 16:12:00 +02:00
parent 263bf49b16
commit eefd9ffbb0
17 changed files with 225 additions and 375 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest vendored
View File

@ -1,10 +1,2 @@
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4

48
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch vendored
View File

@ -1,48 +0,0 @@
diff --git a/auth-options.c b/auth-options.c
index b05d6d6f..d1f42f04 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -26,6 +26,7 @@
#include <stdarg.h>
#include <ctype.h>
#include <limits.h>
+#include <stdlib.h>
#include "openbsd-compat/sys-queue.h"
diff --git a/hmac.c b/hmac.c
index 1c879640..a29f32c5 100644
--- a/hmac.c
+++ b/hmac.c
@@ -19,6 +19,7 @@
#include <sys/types.h>
#include <string.h>
+#include <stdlib.h>
#include "sshbuf.h"
#include "digest.h"
diff --git a/krl.c b/krl.c
index 8e2d5d5d..c32e147a 100644
--- a/krl.c
+++ b/krl.c
@@ -28,6 +28,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <stdlib.h>
#include "sshbuf.h"
#include "ssherr.h"
diff --git a/mac.c b/mac.c
index 51dc11d7..3d11eba6 100644
--- a/mac.c
+++ b/mac.c
@@ -29,6 +29,7 @@
#include <string.h>
#include <stdio.h>
+#include <stdlib.h>
#include "digest.h"
#include "hmac.h"

18
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch vendored
View File

@ -1,18 +0,0 @@
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
@@ -1414,14 +1414,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN

13
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch vendored
View File

@ -1,13 +0,0 @@
diff --git a/kex.c b/kex.c
index 34808b5c..88d7ccac 100644
--- a/kex.c
+++ b/kex.c
@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;

14
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch vendored
View File

@ -1,14 +0,0 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e065ba3..4ce80cb2 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_ppoll
SC_ALLOW(__NR_ppoll),
#endif
+#ifdef __NR_ppoll_time64
+ SC_ALLOW(__NR_ppoll_time64),
+#endif
#ifdef __NR_poll
SC_ALLOW(__NR_poll),
#endif

12
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch vendored
View File

@ -1,12 +0,0 @@
diff -ur a/auth2.c b/auth2.c
--- a/auth2.c 2022-05-19 15:59:32.875160028 -0700
+++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700
@@ -226,7 +226,7 @@
int digest_alg;
size_t len;
u_char *hash;
- double delay;
+ double delay = 0;
digest_alg = ssh_digest_maxbytes();
if (len = ssh_digest_bytes(digest_alg) > 0) {

34
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-GSSAPI-dns.patch vendored
View File

@ -1,8 +1,6 @@
diff --git a/auth.c b/auth.c
index 00b168b4..8ee93581 100644
--- a/auth.c
+++ b/auth.c
@@ -729,118 +729,6 @@ fakepw(void)
@@ -637,118 +637,6 @@
return (&fake);
}
@ -121,11 +119,9 @@ index 00b168b4..8ee93581 100644
/* These functions link key/cert options to the auth framework */
/* Log sshauthopt options locally and (optionally) for remote transmission */
diff --git a/canohost.c b/canohost.c
index a810da0e..18e9d8d4 100644
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
@@ -205,3 +205,117 @@
{
return get_sock_port(sock, 1);
}
@ -243,11 +239,9 @@ index a810da0e..18e9d8d4 100644
+ return dnsname;
+ }
+}
diff --git a/readconf.c b/readconf.c
index 03369a08..b45898ce 100644
--- a/readconf.c
+++ b/readconf.c
@@ -161,6 +161,7 @@ typedef enum {
@@ -160,6 +160,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -255,7 +249,7 @@ index 03369a08..b45898ce 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -207,9 +208,11 @@ static struct {
@@ -207,9 +208,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@ -267,7 +261,7 @@ index 03369a08..b45898ce 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
@@ -1117,6 +1120,10 @@ parse_time:
@@ -1125,6 +1128,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
@ -278,7 +272,7 @@ index 03369a08..b45898ce 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
@@ -2341,6 +2348,7 @@
options->pubkey_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
@ -286,7 +280,7 @@ index 03369a08..b45898ce 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
@@ -2501,6 +2509,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@ -295,11 +289,9 @@ index 03369a08..b45898ce 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index f7d53b06..c3a91898 100644
--- a/readconf.h
+++ b/readconf.h
@@ -40,6 +40,7 @@ typedef struct {
@@ -41,6 +41,7 @@
int hostbased_authentication; /* ssh2's rhosts_rsa */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
@ -307,11 +299,9 @@ index f7d53b06..c3a91898 100644
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
index cd0eea86..27101943 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -832,6 +832,16 @@ The default is
@@ -843,6 +843,16 @@
Forward (delegate) credentials to the server.
The default is
.Cm no .
@ -328,11 +318,9 @@ index cd0eea86..27101943 100644
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
index fea50fab..aeff639b 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
@@ -764,6 +764,13 @@
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@ -346,7 +334,7 @@ index fea50fab..aeff639b 100644
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
@@ -778,7 +785,7 @@
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,

2
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch vendored
View File

@ -1,5 +1,3 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 23b40b643..d93a357c6 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {

0
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-disable-conch-interop-tests.patch vendored
View File

8
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch vendored
View File

@ -5,9 +5,9 @@ https://bugs.gentoo.org/493866
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -10,11 +10,17 @@ fi
@@ -16,11 +16,17 @@
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
+ rm -f ${COPY}
cp ${OBJ}/.putty/sessions/localhost_proxy \
@ -26,7 +26,7 @@ https://bugs.gentoo.org/493866
if [ $? -ne 0 ]; then
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
@@ -20,6 +20,12 @@
${OBJ}/.putty/sessions/kex_$k
echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
@ -41,7 +41,7 @@ https://bugs.gentoo.org/493866
fail "KEX $k failed"
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -14,6 +14,13 @@ for c in 0 1 ; do
@@ -26,6 +26,13 @@
cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/compression_$c
echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k

2
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch vendored
View File

@ -1,5 +1,3 @@
diff --git a/gss-serv.c b/gss-serv.c
index b5d4bb2d..00e3d118 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)

0
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-ignore-status.patch vendored
View File

33
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd vendored Normal file
View File

@ -0,0 +1,33 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress.
#SSHD_SSD_OPTS="--wait 1000"
# Pid file to use (needs to be absolute path).
#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
# Path to the sshd binary (needs to be absolute path).
#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
# Path to the ssh-keygen binary (needs to be absolute path).
#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"

87
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd vendored Normal file
View File

@ -0,0 +1,87 @@
#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
extra_started_commands="reload"
: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
command="${SSHD_BINARY}"
pidfile="${SSHD_PIDFILE}"
command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress (bug 617596).
: ${SSHD_SSD_OPTS:=--wait 1000}
start_stop_daemon_args="${SSHD_SSD_OPTS}"
depend() {
# Entropy can be used by ssh-keygen, among other things, but
# is not strictly required (bug 470020).
use logger dns entropy
if [ "${rc_need+set}" = "set" ] ; then
: # Do nothing, the user has explicitly set rc_need
else
local x warn_addr
for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
case "${x}" in
0.0.0.0|0.0.0.0:*) ;;
::|\[::\]*) ;;
*) warn_addr="${warn_addr} ${x}" ;;
esac
done
if [ -n "${warn_addr}" ] ; then
need net
ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
ewarn "where FOO is the interface(s) providing the following address(es):"
ewarn "${warn_addr}"
fi
fi
}
checkconfig() {
checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
if [ ! -e "${SSHD_CONFIG}" ] ; then
eerror "You need an ${SSHD_CONFIG} file to run sshd"
eerror "There is a sample file in /usr/share/doc/openssh"
return 1
fi
${SSHD_KEYGEN_BINARY} -A || return 2
"${command}" -t ${command_args} || return 3
}
start_pre() {
# Make sure that the user's config isn't busted before we try
# to start the daemon (this will produce better error messages
# than if we just try to start it blindly).
#
# We always need to call checkconfig because this function will
# also generate any missing host key and you can start a
# non-running service with "restart" argument.
checkconfig || return $?
}
stop_pre() {
# If this is a restart, check to make sure the user's config
# isn't busted before we stop the running daemon.
if [ "${RC_CMD}" = "restart" ] ; then
checkconfig || return $?
fi
}
reload() {
checkconfig || return $?
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP --pidfile "${pidfile}"
eend $?
}

1
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket vendored
View File

@ -5,7 +5,6 @@ Conflicts=sshd.service
[Socket]
ListenStream=22
Accept=yes
TriggerLimitBurst=0
[Install]
WantedBy=sockets.target

25
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml vendored
View File

@ -6,31 +6,28 @@
<name>Gentoo Base System</name>
</maintainer>
<longdescription>
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
rlogin, ftp, and other such programs might not realize that their password is transmitted
across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
of authentication methods.
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
rlogin, ftp, and other such programs might not realize that their password is transmitted
across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
of authentication methods.
The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
</longdescription>
<use>
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
<flag name="security-key">Include builtin U2F/FIDO support</flag>
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
<flag name="X509">Adds support for X.509 certificate authentication</flag>
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
<remote-id type="github">openssh/openssh-portable</remote-id>
<remote-id type="sourceforge">hpnssh</remote-id>
</upstream>
</pkgmetadata>

295
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1.ebuild → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1-r1.ebuild vendored
View File

@ -9,59 +9,26 @@ inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
# and _p? releases.
PARCH=${P/_}
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
HPN_PV="8.5_P1"
HPN_VER="15.2"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch"
HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
SCTP_VER="1.2"
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="14.1.1"
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? (
$(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}")
https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
)}
${X509_VER:+X509? (
https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
)}
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
SRC_URI="
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )"
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
hpn? ( ssl )
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp ssl !xmss )
xmss? ( ssl )
test? ( ssl )
"
@ -69,16 +36,13 @@ REQUIRED_USE="
# tests currently fail with XMSS
REQUIRED_USE+="test? ( !xmss )"
# Blocker on older gcc-config for bug #872416
LIB_DEPEND="
!<sys-devel/gcc-config-2.6
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
@ -98,6 +62,7 @@ DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
!net-misc/openssh-contrib
pam? ( >=sys-auth/pambase-20081028 )
!prefix? ( sys-apps/shadow )
X? ( x11-apps/xauth )
@ -116,31 +81,41 @@ BDEPEND="
"
PATCHES=(
"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
"${FILESDIR}/${PN}-9.3_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
"${FILESDIR}/${PN}-9.3_p1-openssl-ignore-status.patch"
"${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch"
"${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch"
"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
"${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044
"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
)
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
local missing=()
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
check_feature hpn HPN_VER
check_feature sctp SCTP_PATCH
check_feature X509 X509_PATCH
if [[ ${#missing[@]} -ne 0 ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${missing[*]}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "Missing requested third party patch."
local i enabled_eol_flags disabled_eol_flags
for i in hpn sctp X509; do
if has_version "net-misc/openssh[${i}]"; then
enabled_eol_flags+="${i},"
disabled_eol_flags+="-${i},"
fi
done
if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
ewarn "since these USE flags required third-party patches that often trigger bugs"
ewarn "and are of questionable provenance."
ewarn
ewarn "If you must continue relying on this functionality, switch to"
ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
ewarn "world file first: 'emerge --deselect net-misc/openssh'"
ewarn
ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
ewarn "variant, when re-emerging you will have to set"
ewarn
ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
@ -150,13 +125,6 @@ pkg_pretend() {
fi
}
src_unpack() {
default
# We don't have signatures for HPN, X509, so we have to write this ourselves
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
@ -169,107 +137,6 @@ src_prepare() {
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${WORKDIR}/${X509_GLUE_PATCH}"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
@ -283,11 +150,6 @@ src_prepare() {
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
@ -323,20 +185,17 @@ src_configure() {
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
--with-hardening
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with security-key security-key-builtin)
$(use_with ssl openssl)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
if use elibc_musl; then
@ -380,39 +239,55 @@ tweak_ssh_configs() {
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
EOF
# Then the client config.
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
# Send locale environment variables (bug #367017)
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
# Send COLORTERM to match TERM (bug #658540)
SendEnv COLORTERM
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM (bug #658540)
AcceptEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
UsePAM yes
# This interferes with PAM.
PasswordAuthentication no
# PAM can do its own handling of MOTD.
PrintMotd no
PrintLastLog no
EOF
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
# Allow root login with password on livecds.
PermitRootLogin Yes
EOF
fi
}
@ -420,6 +295,8 @@ src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
@ -428,9 +305,7 @@ src_install() {
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
diropts -m 0700
dodir /etc/skel/.ssh
@ -501,16 +376,4 @@ pkg_postinst() {
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}