From eefd9ffbb0300a7867c7d3c6e2f6b1987c2e14b5 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Wed, 5 Jul 2023 16:12:00 +0200 Subject: [PATCH] net-misc/openssh: Sync with Gentoo It's from Gentoo commit 912850f59174a65693859c4a171ef5e98fbdab6b. --- .../coreos-overlay/net-misc/openssh/Manifest | 8 - .../files/openssh-7.9_p1-include-stdlib.patch | 48 --- .../openssh-8.5_p1-hpn-15.2-sctp-glue.patch | 18 -- .../files/openssh-8.6_p1-hpn-version.patch | 13 - .../openssh-8.9_p1-allow-ppoll_time64.patch | 14 - ...nssh-9.0_p1-X509-uninitialized-delay.patch | 12 - ....patch => openssh-9.3_p1-GSSAPI-dns.patch} | 34 +- ...shmat-shmdt-in-preauth-privsep-child.patch | 2 - ...-9.3_p1-disable-conch-interop-tests.patch} | 0 ...h => openssh-9.3_p1-fix-putty-tests.patch} | 8 +- ...penssh-9.3_p1-gss-use-HOST_NAME_MAX.patch} | 2 - ...penssh-9.3_p1-openssl-ignore-status.patch} | 0 .../net-misc/openssh/files/sshd-r1.confd | 33 ++ .../net-misc/openssh/files/sshd-r1.initd | 87 ++++++ .../net-misc/openssh/files/sshd.socket | 1 - .../net-misc/openssh/metadata.xml | 25 +- ...9.3_p1.ebuild => openssh-9.3_p1-r1.ebuild} | 295 +++++------------- 17 files changed, 225 insertions(+), 375 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/{openssh-8.7_p1-GSSAPI-dns.patch => openssh-9.3_p1-GSSAPI-dns.patch} (92%) rename 
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/{openssh-7.5_p1-disable-conch-interop-tests.patch => openssh-9.3_p1-disable-conch-interop-tests.patch} (100%) rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/{openssh-8.0_p1-fix-putty-tests.patch => openssh-9.3_p1-fix-putty-tests.patch} (89%) rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/{openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch => openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch} (83%) rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/{openssh-6.7_p1-openssl-ignore-status.patch => openssh-9.3_p1-openssl-ignore-status.patch} (100%) create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/{openssh-9.3_p1.ebuild => openssh-9.3_p1-r1.ebuild} (53%) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index 680eb4cd06..6f31cfab6a 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest 
@@ -1,10 +1,2 @@
-DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
-DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
-DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
-DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
-DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
-DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
-DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
-DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
 DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
 DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
deleted file mode 100644
index c5697c2b8b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -diff --git a/auth-options.c b/auth-options.c -index b05d6d6f..d1f42f04 100644 ---- a/auth-options.c -+++ b/auth-options.c -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - - #include "openbsd-compat/sys-queue.h" - -diff --git a/hmac.c b/hmac.c -index 1c879640..a29f32c5 100644 ---- a/hmac.c -+++ b/hmac.c -@@ -19,6 +19,7 @@ - - #include - #include -+#include - - #include "sshbuf.h" - #include "digest.h" -diff --git a/krl.c b/krl.c -index 8e2d5d5d..c32e147a 100644 ---- a/krl.c -+++ b/krl.c -@@ -28,6 +28,7 @@ - #include - #include - #include -+#include - - #include "sshbuf.h" - #include "ssherr.h" -diff --git a/mac.c b/mac.c -index 51dc11d7..3d11eba6 100644 ---- a/mac.c -+++ b/mac.c -@@ -29,6 +29,7 @@ - - #include - #include -+#include - - #include "digest.h" - #include "hmac.h" diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch deleted file mode 100644 index 7199227589..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700 -@@ -1414,14 +1414,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch deleted file mode 100644 index 6dc290d673..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/kex.c b/kex.c -index 34808b5c..88d7ccac 100644 ---- a/kex.c -+++ b/kex.c -@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, - if (version_addendum != NULL && *version_addendum == '\0') - version_addendum = NULL; - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, - version_addendum == NULL ? "" : " ", - version_addendum == NULL ? "" : version_addendum)) != 0) { - oerrno = errno; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch deleted file mode 100644 index 8c46625aa2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 2e065ba3..4ce80cb2 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_ppoll - SC_ALLOW(__NR_ppoll), - #endif -+#ifdef __NR_ppoll_time64 -+ SC_ALLOW(__NR_ppoll_time64), -+#endif - #ifdef __NR_poll - SC_ALLOW(__NR_poll), - #endif 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch deleted file mode 100644 index 2a83ed37d1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur a/auth2.c b/auth2.c ---- a/auth2.c 2022-05-19 15:59:32.875160028 -0700 -+++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700 -@@ -226,7 +226,7 @@ - int digest_alg; - size_t len; - u_char *hash; -- double delay; -+ double delay = 0; - - digest_alg = ssh_digest_maxbytes(); - if (len = ssh_digest_bytes(digest_alg) > 0) { diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-GSSAPI-dns.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-GSSAPI-dns.patch index ffc40b70ae..cbc0ec2d9c 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-GSSAPI-dns.patch @@ -1,8 +1,6 @@ -diff --git a/auth.c b/auth.c -index 00b168b4..8ee93581 100644 --- a/auth.c +++ b/auth.c -@@ -729,118 +729,6 @@ fakepw(void) +@@ -637,118 +637,6 @@ return (&fake); } @@ -121,11 +119,9 @@ index 00b168b4..8ee93581 100644 /* These functions link key/cert options to the auth framework */ /* Log sshauthopt options locally and (optionally) for remote transmission */ -diff --git a/canohost.c b/canohost.c -index a810da0e..18e9d8d4 100644 --- a/canohost.c 
+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) +@@ -205,3 +205,117 @@ { return get_sock_port(sock, 1); } @@ -243,11 +239,9 @@ index a810da0e..18e9d8d4 100644 + return dnsname; + } +} -diff --git a/readconf.c b/readconf.c -index 03369a08..b45898ce 100644 --- a/readconf.c +++ b/readconf.c -@@ -161,6 +161,7 @@ typedef enum { +@@ -160,6 +160,7 @@ oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -255,7 +249,7 @@ index 03369a08..b45898ce 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -207,9 +208,11 @@ static struct { +@@ -207,9 +208,11 @@ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, @@ -267,7 +261,7 @@ index 03369a08..b45898ce 100644 #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -1117,6 +1120,10 @@ parse_time: +@@ -1125,6 +1128,10 @@ intptr = &options->gss_deleg_creds; goto parse_flag; @@ -278,7 +272,7 @@ index 03369a08..b45898ce 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -2307,6 +2314,7 @@ initialize_options(Options * options) +@@ -2341,6 +2348,7 @@ options->pubkey_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; @@ -286,7 +280,7 @@ index 03369a08..b45898ce 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2465,6 +2473,8 @@ fill_default_options(Options * options) +@@ -2501,6 +2509,8 @@ options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; 
@@ -295,11 +289,9 @@ index 03369a08..b45898ce 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff --git a/readconf.h b/readconf.h -index f7d53b06..c3a91898 100644 --- a/readconf.h +++ b/readconf.h -@@ -40,6 +40,7 @@ typedef struct { +@@ -41,6 +41,7 @@ int hostbased_authentication; /* ssh2's rhosts_rsa */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ @@ -307,11 +299,9 @@ index f7d53b06..c3a91898 100644 int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/ssh_config.5 b/ssh_config.5 -index cd0eea86..27101943 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -832,6 +832,16 @@ The default is +@@ -843,6 +843,16 @@ Forward (delegate) credentials to the server. The default is .Cm no . @@ -328,11 +318,9 @@ index cd0eea86..27101943 100644 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index fea50fab..aeff639b 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh) +@@ -764,6 +764,13 @@ OM_uint32 min; int r, ok = 0; gss_OID mech = NULL; @@ -346,7 +334,7 @@ index fea50fab..aeff639b 100644 /* Try one GSSAPI method at a time, rather than sending them all at * once. */ -@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh) +@@ -778,7 +785,7 @@ elements[authctxt->mech_tried]; /* My DER encoding requires length<128 */ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch index 4d098b2231..7e9334a781 100644 
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch @@ -1,5 +1,3 @@ -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 23b40b643..d93a357c6 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = { diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-disable-conch-interop-tests.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-disable-conch-interop-tests.patch diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch index 4310aa123f..9ac02c1880 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-fix-putty-tests.patch @@ -5,9 +5,9 @@ https://bugs.gentoo.org/493866 --- a/regress/putty-ciphers.sh 
+++ b/regress/putty-ciphers.sh -@@ -10,11 +10,17 @@ fi +@@ -16,11 +16,17 @@ - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do + for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do verbose "$tid: cipher $c" + rm -f ${COPY} cp ${OBJ}/.putty/sessions/localhost_proxy \ @@ -26,7 +26,7 @@ https://bugs.gentoo.org/493866 if [ $? -ne 0 ]; then --- a/regress/putty-kex.sh +++ b/regress/putty-kex.sh -@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do +@@ -20,6 +20,12 @@ ${OBJ}/.putty/sessions/kex_$k echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k @@ -41,7 +41,7 @@ https://bugs.gentoo.org/493866 fail "KEX $k failed" --- a/regress/putty-transfer.sh +++ b/regress/putty-transfer.sh -@@ -14,6 +14,13 @@ for c in 0 1 ; do +@@ -26,6 +26,13 @@ cp ${OBJ}/.putty/sessions/localhost_proxy \ ${OBJ}/.putty/sessions/compression_$c echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch similarity index 83% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch index 9e08b2a553..b50ac7c001 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch @@ -1,5 +1,3 @@ -diff --git a/gss-serv.c b/gss-serv.c -index b5d4bb2d..00e3d118 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-ignore-status.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-ignore-status.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd
new file mode 100644
index 0000000000..cf430371bf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd
@@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd
new file mode 100644
index 0000000000..e91cd0116c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd
@@ -0,0 +1,87 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+ # Entropy can be used by ssh-keygen, among other things, but
+ # is not strictly required (bug 470020).
+ use logger dns entropy
+ if [ "${rc_need+set}" = "set" ] ; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_addr
+ for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+ case "${x}" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="${warn_addr} ${x}" ;;
+ esac
+ done
+ if [ -n "${warn_addr}" ] ; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "${warn_addr}"
+ fi
+ fi
+}
+
+checkconfig() {
+ checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+ if [ ! -e "${SSHD_CONFIG}" ] ; then
+ eerror "You need an ${SSHD_CONFIG} file to run sshd"
+ eerror "There is a sample file in /usr/share/doc/openssh"
+ return 1
+ fi
+
+ ${SSHD_KEYGEN_BINARY} -A || return 2
+
+ "${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+ # Make sure that the user's config isn't busted before we try
+ # to start the daemon (this will produce better error messages
+ # than if we just try to start it blindly).
+ #
+ # We always need to call checkconfig because this function will
+ # also generate any missing host key and you can start a
+ # non-running service with "restart" argument.
+ checkconfig || return $?
+}
+
+stop_pre() {
+ # If this is a restart, check to make sure the user's config
+ # isn't busted before we stop the running daemon.
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return $?
+ fi
+}
+
+reload() {
+ checkconfig || return $?
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${pidfile}"
+ eend $?
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
index d19f34be86..94b9533180 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
@@ -5,7 +5,6 @@ Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
-TriggerLimitBurst=0
 
 [Install]
 WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml
index 9f064cdd11..da1b4330c4 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml
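Review bot: Dropping `TriggerLimitBurst=0` from sshd.socket re-enables systemd's default activation rate limit on an `Accept=yes` socket, where every incoming connection counts as a trigger; as I read systemd's rate-limit handling a burst of 0 disables the limit, so after this change a short flood of connection attempts can make systemd stop the socket unit and leave sshd unreachable until it is restarted. The diff does not show why the line was present in the overlay, so if it was a deliberate local hardening it should survive the sync rather than be removed as part of it. If the intent is to keep some limit, a comment next to the chosen setting explaining the trade-off would help the next sync, e.g. `# Keep socket activation alive under connection bursts; the default burst limit stops the unit.`.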
@@ -6,31 +6,28 @@ Gentoo Base System -OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that -increasing numbers of people on the Internet are coming to rely on. Many users of telnet, -rlogin, ftp, and other such programs might not realize that their password is transmitted -across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) -to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. -Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety -of authentication methods. + OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that + increasing numbers of people on the Internet are coming to rely on. Many users of telnet, + rlogin, ftp, and other such programs might not realize that their password is transmitted + across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) + to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. + Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety + of authentication methods. -The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which -replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of -the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, -ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. + The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which + replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of + the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, + ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. 
- Enable high performance ssh Use LDNS for DNSSEC/SSHFP validation. Enable root password logins for live-cd environment. Include builtin U2F/FIDO support Enable additional crypto algorithms via OpenSSL - Adds support for X.509 certificate authentication Enable XMSS post-quantum authentication algorithm cpe:/a:openbsd:openssh openssh/openssh-portable - hpnssh diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1-r1.ebuild similarity index 53% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1-r1.ebuild index 278c62cfab..e3184f35c2 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1-r1.ebuild 
@@ -9,59 +9,26 @@ inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig # and _p? releases. PARCH=${P/_} -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) -HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch" -HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" - -SCTP_VER="1.2" -SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" - -X509_VER="14.1.1" -X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" -X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch" -X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" - DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( - $(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") - https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz - )} - ${X509_VER:+X509? ( - https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} - https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz - ${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )} - )} - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? 
( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )" VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss" +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss" RESTRICT="!test? ( test )" REQUIRED_USE=" - hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) " @@ -69,16 +36,13 @@ REQUIRED_USE=" # tests currently fail with XMSS REQUIRED_USE+="test? ( !xmss )" -# Blocker on older gcc-config for bug #872416 LIB_DEPEND=" - !=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) @@ -98,6 +62,7 @@ DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) " RDEPEND="${RDEPEND} + !net-misc/openssh-contrib pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow ) X? ( x11-apps/xauth ) 
@@ -116,31 +81,41 @@ BDEPEND=" " PATCHES=( - "${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch" - "${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex - "${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch" - "${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch" - "${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch" + "${FILESDIR}/${PN}-9.3_p1-GSSAPI-dns.patch" #165444 integrated into gsskex + "${FILESDIR}/${PN}-9.3_p1-openssl-ignore-status.patch" + "${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch" + "${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch" "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019 - "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044 + "${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044 "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch" ) pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - local missing=() - check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } - check_feature hpn HPN_VER - check_feature sctp SCTP_PATCH - check_feature X509 X509_PATCH - if [[ ${#missing[@]} -ne 0 ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${missing[*]}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." 
+ ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." + ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" fi # Make sure people who are using tcp wrappers are notified of its removal. #531156 @@ -150,13 +125,6 @@ pkg_pretend() { fi } -src_unpack() { - default - - # We don't have signatures for HPN, X509, so we have to write this ourselves - use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} -} - src_prepare() { sed -i \ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ 
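Review bot: When `OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes` is set, the new `if` in pkg_pretend falls through silently, so a build that drops hpn/sctp/X509 from an installed sshd leaves no trace in the build log even though the warning text itself ties those flags to losing remote login access. An `elif [[ -n ${enabled_eol_flags} ]]; then ewarn "Dropping USE='${enabled_eol_flags%,}' from net-misc/openssh as requested via OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes."` before the `fi` would record the override path. Note also that `has_version "net-misc/openssh[${i}]"` inspects the currently installed package rather than the flags configured for this build, so a fresh install presumably never triggers the check; that looks intentional now that the flags are gone from IUSE, but deserves a comment such as `# Keyed off the installed package: this is only a loss-of-access guard for upgrades.` pkg_pretend continues outside the hunk.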
@@ -169,107 +137,6 @@ src_prepare() { [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${WORKDIR}/${X509_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch" - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." 
- sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${WORKDIR}/${HPN_GLUE_PATCH}" - use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." 
- sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - eapply_user #473004 # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox @@ -283,11 +150,6 @@ src_prepare() { -e 's:-D_FORTIFY_SOURCE=2::' ) - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) # _XOPEN_SOURCE causes header conflicts on Solaris [[ ${CHOST} == *-solaris* ]] && sed_args+=( -e 's/-D_XOPEN_SOURCE//' @@ -323,20 +185,17 @@ src_configure() { --datadir="${EPREFIX}"/usr/share/openssh --with-privsep-path="${EPREFIX}"/var/empty --with-privsep-user=sshd + --with-hardening $(use_with audit audit linux) $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) $(use_with ldns) $(use_with libedit) $(use_with pam) $(use_with pie) $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") + $(use_with security-key security-key-builtin) $(use_with ssl openssl) $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 ) if use elibc_musl; then 
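Review bot: `--with-hardening` is now passed unconditionally, replacing the `$(use_with !elibc_Cygwin hardening)` guard that carried the bug #659210 reference, and the hunk gives no reason for the change; the only justification visible in this commit is the removal of `~x64-cygwin` from KEYWORDS in an earlier hunk. A one-line comment keeps that link from being lost the next time someone asks why Cygwin is not special-cased, e.g. `--with-hardening # unconditional: the Cygwin keyword was dropped (was conditional for bug #659210)`. The configure argument array starts before this hunk.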
@@ -380,39 +239,55 @@ tweak_ssh_configs() { LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE ) - # First the server config. - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM + dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" EOF - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) SendEnv ${locale_vars[*]} - # Send COLORTERM to match TERM. #658540 + # Send COLORTERM to match TERM (bug #658540) SendEnv COLORTERM EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + if use pam ; then - sed -i \ - -e "/^#UsePAM 
/s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF fi if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF fi } @@ -420,6 +295,8 @@ src_install() { emake install-nokeys DESTDIR="${D}" fperms 600 /etc/ssh/sshd_config dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd if use pam; then newpamd "${FILESDIR}"/sshd.pam_include.2 sshd @@ -428,9 +305,7 @@ src_install() { tweak_ssh_configs doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config diropts -m 0700 dodir /etc/skel/.ssh @@ -501,16 +376,4 @@ pkg_postinst() { elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" elog "and update all clients/servers that utilize them." fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi }
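Review bot: The `Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"` line is appended at the end of sshd_config, and per sshd_config(5) the first value obtained for a keyword wins, so `PasswordAuthentication no`, `UsePAM yes` and the livecd `PermitRootLogin Yes` in the new drop-ins only take effect when the main file (and any lower-sorting user drop-in, given the `9999999gentoo-*` prefix) leaves those keywords unset, whereas the removed `sed` edited the keyword in place. That is presumably the intended "main file wins" semantics, but it is a behaviour change on upgrade, and a user who merges the new Include below an existing `Match` block would, per sshd_config(5), pull the drop-ins into that Match scope. A comment above the append, e.g. `# Appended last on purpose: sshd keeps the first value seen, so sshd_config and earlier-sorting drop-ins override these defaults.`, would document that. Separately, `fperms 600 /etc/ssh/sshd_config` in src_install is not extended to the new `sshd_config.d` files, so they land with default permissions; they hold no secrets, but the asymmetry is worth a note. tweak_ssh_configs starts before this hunk.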