net-misc/openssh: Sync with the latest stable from Gentoo

This fixes CVE-2018-15473.
David Michael 2018-10-07 18:24:33 +00:00
parent 6c15c04528
commit f6927a3de4
13 changed files with 704 additions and 545 deletions


@ -1,4 +1,5 @@
DIST openssh-7.6_p1-sctp.patch.xz 6996 SHA256 ca61f0b015d2f7131620a2a4901800b70026755a52a7b882d437cd9813c2652d SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151 WHIRLPOOL 27125d4a7d45f0bc67f424598542cf97e123824bce7911732891531b6a0aa37b7598f636e1643a6114626c2ccc622a50928ffcdb4357c7dc3d9c3d8c161d9626 DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
DIST openssh-7.6p1+x509-11.0.diff.gz 440219 SHA256 bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a WHIRLPOOL 1b324f72a6cb0c895b3994d59f3505ff2a4a0529829cea07344a33a68ee4d43c22ba534a55454792618cd9f766cd40fa5af73cc054ee3a08bccdb6e8d0073b29 DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b
DIST openssh-7.6p1.tar.gz 1489788 SHA256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 WHIRLPOOL 537b94555c7b36b2f7ef2ecd89e6671028f7cff9be758e631690ecd068510d59d6518077bf951e779e3c8a39706adb1682c6d5305edd6fc611ec19ce7953c751 DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 SHA256 fd877cf084d4eb682c503b6e5f363b0564da2b50561367558a50ab239adf4017 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974 WHIRLPOOL 8410dc9dad24d8b3065ba85e7a7a66322b4d37eac0ef68e72143afa3aba2706e91c324798236b9d3e320e6903d27a7e426621bde92ded89ce26a16535e8c3d3c DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261


@ -1,2 +0,0 @@
If sshd.pam_include.2 changes make sure to apply the change to sys-auth/google-oslogin
Those files must be kept in sync.


@ -1,21 +0,0 @@
https://bugs.gentoo.org/591392
https://bugzilla.mindrot.org/show_bug.cgi?id=2590
7.3 added seccomp support to MIPS, but failed to handled the N32
case. This patch is temporary until upstream fixes.
--- openssh-7.3p1/configure.ac
+++ openssh-7.3p1/configure.ac
@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
seccomp_audit_arch=AUDIT_ARCH_MIPSEL
;;
mips64-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPS64
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
;;
mips64el-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
;;
esac
if test "x$seccomp_audit_arch" != "x" ; then


@ -0,0 +1,20 @@
Disable conch interop tests which are failing when called
via portage for yet unknown reason and because using conch
seems to be flaky (test is failing when using Python2 but
passing when using Python3).
Bug: https://bugs.gentoo.org/605446
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -3,6 +3,10 @@
tid="conch ciphers"
+# https://bugs.gentoo.org/605446
+echo "conch interop tests skipped due to Gentoo bug #605446"
+exit 0
+
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
echo "conch interop tests not enabled"
exit 0
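Review bot: The added `exit 0` sits before the existing `REGRESS_INTEROP_CONCH` test, so that branch becomes dead code and the conch interop tests can no longer be turned on even by someone who sets the variable deliberately. If the intent is only to skip them under portage, gating the early exit on an environment variable the ebuild exports would keep the tests reachable for upstream-style runs, e.g. `if [ -n "${GENTOO_SKIP_CONCH}" ]; then` around the echo/exit (name is a constructed placeholder). The rest of the script continues outside the hunk.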


@ -1,50 +0,0 @@
--- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:02:11.850912525 -0700
+++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:35:06.223424844 -0700
@@ -907,9 +907,9 @@
@@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
if (atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
fatal("write: %.100s", strerror(errno));
@@ -918,11 +918,11 @@
--- a/sshd.c
+++ b/sshd.c
@@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
+ }
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum);
@@ -982,13 +982,14 @@
index e093f623..83f0932d 100644
--- a/version.h
+++ b/version.h
-@@ -3,4 +3,5 @@
+@@ -3,3 +3,6 @@
#define SSH_VERSION "OpenSSH_7.6"
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
++#define SSH_PORTABLE "p1"
+#define SSH_HPN "-hpn14v12"
++#define SSH_X509 "-PKIXSSH-11.0"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
++#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN
--
2.14.2


@ -1,12 +0,0 @@
diff --git a/openbsd-compat/freezero.c b/openbsd-compat/freezero.c
index 3af8f4a7..7f6bc7fa 100644
--- a/openbsd-compat/freezero.c
+++ b/openbsd-compat/freezero.c
@@ -14,6 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <string.h>
#include "includes.h"
#ifndef HAVE_FREEZERO


@ -1,11 +0,0 @@
--- a/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:28.334140140 -0800
+++ b/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:55.338223563 -0800
@@ -54732,7 +54732,7 @@
+int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations);
+
+typedef char SSHXSTOREPATH;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+DECLARE_STACK_OF(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_new_null() SKM_sk_new_null(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_num(st) SKM_sk_num(SSHXSTOREPATH, (st))


@ -1,121 +1,12 @@
http://bugs.gentoo.org/165444 https://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008 https://bugzilla.mindrot.org/show_bug.cgi?id=1008
--- a/readconf.c
+++ b/readconf.c
@@ -148,6 +148,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -194,9 +195,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
# else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
#ifdef ENABLE_PKCS11
{ "smartcarddevice", oPKCS11Provider },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1649,6 +1656,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- a/readconf.h
+++ b/readconf.h
@@ -46,6 +46,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -830,6 +830,16 @@
Forward (delegate) credentials to the server.
The default is
.Cm no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -656,6 +656,13 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(active_state, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -668,7 +674,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
need to move these two funcs back to canohost so they're available to clients
and the server. auth.c is only used in the server.
--- a/auth.c --- a/auth.c
+++ b/auth.c +++ b/auth.c
@@ -784,117 +784,3 @@ fakepw(void) @@ -728,120 +728,6 @@ fakepw(void)
return (&fake); return (&fake);
} }
-
-/* -/*
- * Returns the remote DNS hostname as a string. The returned string must not - * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is - * be freed. NB. this will usually trigger a DNS query the first time it is
@ -229,6 +120,10 @@ and the server. auth.c is only used in the server.
- return dnsname; - return dnsname;
- } - }
-} -}
-
/*
* Runs command in a subprocess wuth a minimal environment.
* Returns pid on success, 0 on failure.
--- a/canohost.c --- a/canohost.c
+++ b/canohost.c +++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock) @@ -202,3 +202,117 @@ get_local_port(int sock)
@ -349,3 +244,108 @@ and the server. auth.c is only used in the server.
+ return dnsname; + return dnsname;
+ } + }
+} +}
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -200,9 +201,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
# else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
#ifdef ENABLE_PKCS11
{ "smartcarddevice", oPKCS11Provider },
@@ -954,6 +957,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- a/readconf.h
+++ b/readconf.h
@@ -43,6 +43,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -731,6 +731,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(active_state, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
--
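Review bot: In the sshconnect2.c hunk, `auth_get_canonical_hostname` is introduced with a block-scope `extern` declaration inside userauth_gssapi rather than through a header; since this same patch moves the function from auth.c to canohost.c, the prototype belongs next to the other canohost declarations (`const char *auth_get_canonical_hostname(struct ssh *, int);`) so every caller is checked against one declaration. The ssh_config.5 hunk has a mdoc defect: `.Dq yes to indicate that the DNS is trusted to securely canonicalize` quotes the entire remainder of the line, because `.Dq` encloses all of its arguments, and `.Dq no, the hostname entered on the` does the same; putting `.Dq yes` and `.Dq no ,` on their own lines with the prose following fixes the rendering. Given that the option hands a DNS-derived name to the GSSAPI library, the manual entry would also benefit from stating explicitly that the target principal then depends on the integrity of the resolver. The enclosing userauth_gssapi body starts and ends outside the hunk.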


@ -0,0 +1,33 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress.
#SSHD_SSD_OPTS="--wait 1000"
# Pid file to use (needs to be absolute path).
#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
# Path to the sshd binary (needs to be absolute path).
#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
# Path to the ssh-keygen binary (needs to be absolute path).
#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"


@ -0,0 +1,89 @@
#!/sbin/openrc-run
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
extra_started_commands="reload"
: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
command="${SSHD_BINARY}"
pidfile="${SSHD_PIDFILE}"
command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress (bug 617596).
: ${SSHD_SSD_OPTS:=--wait 1000}
start_stop_daemon_args="${SSHD_SSD_OPTS}"
depend() {
# Entropy can be used by ssh-keygen, among other things, but
# is not strictly required (bug 470020).
use logger dns entropy
if [ "${rc_need+set}" = "set" ] ; then
: # Do nothing, the user has explicitly set rc_need
else
local x warn_addr
for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
case "${x}" in
0.0.0.0|0.0.0.0:*) ;;
::|\[::\]*) ;;
*) warn_addr="${warn_addr} ${x}" ;;
esac
done
if [ -n "${warn_addr}" ] ; then
need net
ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
ewarn "where FOO is the interface(s) providing the following address(es):"
ewarn "${warn_addr}"
fi
fi
}
checkconfig() {
checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
if [ ! -e "${SSHD_CONFIG}" ] ; then
eerror "You need an ${SSHD_CONFIG} file to run sshd"
eerror "There is a sample file in /usr/share/doc/openssh"
return 1
fi
${SSHD_KEYGEN_BINARY} -A || return 2
"${command}" -t ${command_args} || return 3
}
start_pre() {
# If this isn't a restart, make sure that the user's config isn't
# busted before we try to start the daemon (this will produce
# better error messages than if we just try to start it blindly).
#
# If, on the other hand, this *is* a restart, then the stop_pre
# action will have ensured that the config is usable and we don't
# need to do that again.
if [ "${RC_CMD}" != "restart" ] ; then
checkconfig || return $?
fi
}
stop_pre() {
# If this is a restart, check to make sure the user's config
# isn't busted before we stop the running daemon.
if [ "${RC_CMD}" = "restart" ] ; then
checkconfig || return $?
fi
}
reload() {
checkconfig || return $?
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP --pidfile "${pidfile}"
eend $?
}
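Review bot: In checkconfig, `${SSHD_KEYGEN_BINARY} -A || return 2` leaves the binary path unquoted while `"${command}"` on the next line is quoted; `"${SSHD_KEYGEN_BINARY}" -A || return 2` keeps the two consistent and survives an RC_PREFIX containing whitespace. checkconfig also generates any missing host keys as a side effect of what is named a config check, and it runs on every start, on stop before a restart, and on reload, so a comment such as `# -A creates any missing host keys, so this does more than validate` would make that visible to the next editor. The awk in depend() matches `ListenAddress` only at column 0, so an indented directive (which sshd accepts) is not picked up by the rc_need warning; `'/^[[:space:]]*ListenAddress/{ print $2 }'` covers that case.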


@ -5,7 +5,6 @@ Conflicts=sshd.service
[Socket] [Socket]
ListenStream=22 ListenStream=22
Accept=yes Accept=yes
TriggerLimitBurst=0
[Install] [Install]
WantedBy=sockets.target WantedBy=sockets.target


@ -1,332 +0,0 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
#HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
X509_VER="11.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}}
${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )}
${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !ldap !sctp ssl )
test? ( ssl )"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[ecdsa,ssl,static-libs(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
ssl? (
!libressl? (
>=dev-libs/openssl-1.0.1:0=[-bindist(-)]
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
RDEPEND="
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( virtual/pam )
kerberos? ( virtual/krb5 )
ldap? ( net-nds/openldap )"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/pkgconfig
virtual/os-headers
sys-devel/autoconf"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( virtual/shadow )
X? ( x11-apps/xauth )"
S="${WORKDIR}/${PARCH}"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use X509 && maybe_fail X509 X509_PATCH)
$(use ldap && maybe_fail ldap LDAP_PATCH)
$(use hpn && maybe_fail hpn HPN_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
fi
}
save_version() {
# version.h patch conflict avoidence
mv version.h version.h.$1
cp -f version.h.pristine version.h
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# keep this as we need it to avoid the conflict between LPK and HPN changing
# this file.
cp version.h version.h.pristine
eapply "${FILESDIR}/${P}-warnings.patch"
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
if use X509 ; then
if use hpn ; then
pushd "${WORKDIR}" >/dev/null
eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
popd >/dev/null
fi
save_version X509
eapply "${WORKDIR}"/${X509_PATCH%.*}
fi
if use ldap ; then
eapply "${WORKDIR}"/${LDAP_PATCH%.*}
save_version LPK
fi
eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*}
use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
if use hpn ; then
elog "Applying HPN patchset ..."
eapply "${WORKDIR}"/${HPN_PATCH%.*.*}
save_version HPN
fi
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eapply_user #473004
# Now we can build a sane merged version.h
(
sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
macros=()
for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
) > version.h
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the ldap patch conditionally, so can't pass --without-ldap
# unconditionally else we get unknown flag warnings.
$(use ldap && use_with ldap)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use X509 || use_with sctp)
$(use_with selinux)
$(use_with skey)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
)
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
# Gentoo tweaks to default config files
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables #367017
SendEnv LANG LC_*
EOF
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
insinto /etc/openldap/schema/
newins openssh-lpk_openldap.schema openssh-lpk.schema
fi
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
pkg_preinst() {
enewgroup sshd 22
enewuser sshd 22 -1 /var/empty sshd
}
pkg_postinst() {
if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
# remove this if aes-ctr-mt gets fixed
if use hpn; then
elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
elog "set since it does not (yet) work with >=openssh-7.6p1."
fi
}


@ -0,0 +1,445 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit user flag-o-matic multilib autotools pam systemd
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
PATCH_SET="openssh-7.7p1-patches-1.2"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
RESTRICT="!test? ( test )"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp ssl )
test? ( ssl )"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
ssl? (
!libressl? (
>=dev-libs/openssl-1.0.1:0=[bindist=]
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
RDEPEND="
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( virtual/pam )
kerberos? ( virtual/krb5 )"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/pkgconfig
virtual/os-headers
sys-devel/autoconf"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( virtual/shadow )
X? ( x11-apps/xauth )"
S="${WORKDIR}/${PARCH}"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_PATCH)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
eapply "${WORKDIR}"/${X509_PATCH%.*}
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
einfo "Disabling broken X.509 agent test ..."
sed -i \
-e "/^ agent$/d" \
"${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
# The following patches don't apply on top of X509 patch
rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
else
rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
eapply "${WORKDIR}"/${HPN_PATCH%.*}
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use hpn ; then
einfo "Patching packet.c for X509 and/or HPN patch set ..."
sed -i \
-e "s/const struct sshcipher/struct sshcipher/" \
"${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply "${WORKDIR}"/patch/*.patch
eapply_user #473004
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX%/}"/etc/ssh
--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX%/}"/usr/share/openssh
--with-privsep-path="${EPREFIX%/}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(use_with skey)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
# stackprotect is broken on musl x86
use elibc_musl && use x86 && myconf+=( --without-stackprotect )
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED%/}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED%/}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
keepdir /var/empty
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
enewgroup sshd 22
enewuser sshd 22 -1 /var/empty sshd
}
pkg_postinst() {
if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}
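Review bot: `HPN_DISABLE_MTAES` is tested in src_prepare's hpn branch and again in pkg_postinst, but no visible line of this ebuild assigns it, so unless the rendering dropped that assignment the MT-AES disable block and its postinst notice never run and a USE=hpn build ships with the cipher the heredoc itself calls broken. Assigning it next to the other HPN variables, `HPN_DISABLE_MTAES=1 # unset to re-enable the multi-threaded aes-ctr cipher`, makes both conditionals effective while keeping the opt-in path. Separately, the commit message says this revision fixes CVE-2018-15473, yet nothing in the ebuild records which patch in `${PATCH_SET}` carries that fix, while the X509 branch deletes four patches from the same directory before `eapply "${WORKDIR}"/patch/*.patch`; a one-line comment beside that eapply naming the CVE patch would let the next bump confirm the fix still reaches X509 builds. The section header reports 445 added lines against fewer shown here, so some lines were dropped by the rendering and the points above should be checked against the full file.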