mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-31 19:31:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3430 from dm0-/openssh

Browse Source 
Bump OpenSSH to fix CVE-2018-15473
This commit is contained in:
David Michael 2018-10-08 13:11:50 -04:00 committed by GitHub
commit f8f23ac697
16 changed files with 606 additions and 569 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-emulation/acbuild-0.2.2-r1 → sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-emulation/acbuild-0.4.0 vendored
View File

@ -10,4 +10,4 @@ RDEPEND=sys-apps/kmod app-crypt/gnupg sys-apps/systemd
REQUIRED_USE=go_version_go1_11
SLOT=0
_eclasses_=coreos-go 6ac9cfd14732c366af8df9447772fa8c coreos-go-depend c1ef355151971b96934101203331f30c coreos-go-utils c34072f13165bb85e5106cc6e082a4e1 cros-workon 4ad6e6491a1010ad7c875302b3be18ba desktop 1b286a7e7143d8c4ec89cd0d2743a097 epatch 9a5f039771f143195164a15a4faa41a1 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 5b8ce72259e08104b337fe28c6de5dbc flag-o-matic 5128c4729303400bd8d4b0b966530955 git-r3 8f6de46b0aa318aea0e8cac62ece098b ltprune 607e058da37aa6dabfa408b7d61da72e multilib 97f470f374f2e94ccab04a2fb21d811e multiprocessing cac3169468f893670dac3e7cb940e045 preserve-libs ef207dc62baddfddfd39a164d9797648 toolchain-funcs 1e35303c63cd707f6c3422b4493d5607 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=d19b7cf74a34bcb5e60b8c68f6e9187e
_md5_=a2d16c15d941041288005d1f9afceb02

2
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-emulation/acbuild-9999 vendored
View File

@ -10,4 +10,4 @@ RDEPEND=sys-apps/kmod app-crypt/gnupg sys-apps/systemd
REQUIRED_USE=go_version_go1_11
SLOT=0
_eclasses_=coreos-go 6ac9cfd14732c366af8df9447772fa8c coreos-go-depend c1ef355151971b96934101203331f30c coreos-go-utils c34072f13165bb85e5106cc6e082a4e1 cros-workon 4ad6e6491a1010ad7c875302b3be18ba desktop 1b286a7e7143d8c4ec89cd0d2743a097 epatch 9a5f039771f143195164a15a4faa41a1 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 5b8ce72259e08104b337fe28c6de5dbc flag-o-matic 5128c4729303400bd8d4b0b966530955 git-r3 8f6de46b0aa318aea0e8cac62ece098b ltprune 607e058da37aa6dabfa408b7d61da72e multilib 97f470f374f2e94ccab04a2fb21d811e multiprocessing cac3169468f893670dac3e7cb940e045 preserve-libs ef207dc62baddfddfd39a164d9797648 toolchain-funcs 1e35303c63cd707f6c3422b4493d5607 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=d19b7cf74a34bcb5e60b8c68f6e9187e
_md5_=a2d16c15d941041288005d1f9afceb02

2
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-emulation/actool-0.5.1-r1 → sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-emulation/actool-0.8.11 vendored
View File

@ -9,4 +9,4 @@ LICENSE=Apache-2.0
REQUIRED_USE=go_version_go1_11
SLOT=0
_eclasses_=coreos-go 6ac9cfd14732c366af8df9447772fa8c coreos-go-depend c1ef355151971b96934101203331f30c coreos-go-utils c34072f13165bb85e5106cc6e082a4e1 cros-workon 4ad6e6491a1010ad7c875302b3be18ba desktop 1b286a7e7143d8c4ec89cd0d2743a097 epatch 9a5f039771f143195164a15a4faa41a1 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 5b8ce72259e08104b337fe28c6de5dbc flag-o-matic 5128c4729303400bd8d4b0b966530955 git-r3 8f6de46b0aa318aea0e8cac62ece098b ltprune 607e058da37aa6dabfa408b7d61da72e multilib 97f470f374f2e94ccab04a2fb21d811e multiprocessing cac3169468f893670dac3e7cb940e045 preserve-libs ef207dc62baddfddfd39a164d9797648 toolchain-funcs 1e35303c63cd707f6c3422b4493d5607 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=f0f83c5041dace50483122a72038374a
_md5_=453420db911bdfd2e42309589b4dd789

2
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-emulation/actool-9999 vendored
View File

@ -9,4 +9,4 @@ LICENSE=Apache-2.0
REQUIRED_USE=go_version_go1_11
SLOT=0
_eclasses_=coreos-go 6ac9cfd14732c366af8df9447772fa8c coreos-go-depend c1ef355151971b96934101203331f30c coreos-go-utils c34072f13165bb85e5106cc6e082a4e1 cros-workon 4ad6e6491a1010ad7c875302b3be18ba desktop 1b286a7e7143d8c4ec89cd0d2743a097 epatch 9a5f039771f143195164a15a4faa41a1 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 5b8ce72259e08104b337fe28c6de5dbc flag-o-matic 5128c4729303400bd8d4b0b966530955 git-r3 8f6de46b0aa318aea0e8cac62ece098b ltprune 607e058da37aa6dabfa408b7d61da72e multilib 97f470f374f2e94ccab04a2fb21d811e multiprocessing cac3169468f893670dac3e7cb940e045 preserve-libs ef207dc62baddfddfd39a164d9797648 toolchain-funcs 1e35303c63cd707f6c3422b4493d5607 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=f0f83c5041dace50483122a72038374a
_md5_=453420db911bdfd2e42309589b4dd789

14
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/net-misc/openssh-7.6_p1-r1 vendored
View File

@ -1,14 +0,0 @@
DEFINED_PHASES=configure install postinst preinst prepare pretend test
DEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) ldap? ( net-nds/openldap ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0=[static-libs(+)] ) libressl? ( dev-libs/libressl:0=[static-libs(+)] ) ) >=sys-libs/zlib-1.2.3:=[static-libs(+)] ) virtual/pkgconfig virtual/os-headers sys-devel/autoconf >=app-portage/elt-patches-20170422 !<sys-devel/gettext-0.18.1.1-r3 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4 virtual/pkgconfig
DESCRIPTION=Port of OpenBSD's free SSH release
EAPI=6
HOMEPAGE=http://www.openssh.org/
IUSE=abi_mips_n32 audit debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509
KEYWORDS=~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
LICENSE=BSD GPL-2
RDEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) ldap? ( net-nds/openldap ) pam? ( >=sys-auth/pambase-20081028 ) userland_GNU? ( virtual/shadow ) X? ( x11-apps/xauth )
REQUIRED_USE=ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !ldap !sctp ssl ) test? ( ssl )
SLOT=0
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-7.6p1.tar.gz https://dev.gentoo.org/~polynomial-c/openssh-7.6_p1-sctp.patch.xz ldap? ( https://dev.gentoo.org/~polynomial-c/openssh-lpk-7.6p1-0.3.14.patch.xz ) X509? ( http://roumenpetrov.info/openssh/x509-11.0/openssh-7.6p1+x509-11.0.diff.gz )
_eclasses_=autotools d0e5375d47f4c809f406eb892e531513 desktop 1b286a7e7143d8c4ec89cd0d2743a097 epatch 9a5f039771f143195164a15a4faa41a1 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 5b8ce72259e08104b337fe28c6de5dbc flag-o-matic 5128c4729303400bd8d4b0b966530955 libtool 0081a71a261724730ec4c248494f044d ltprune 607e058da37aa6dabfa408b7d61da72e multilib 97f470f374f2e94ccab04a2fb21d811e pam 3e788d86170dfcd5b06824d898315e18 preserve-libs ef207dc62baddfddfd39a164d9797648 systemd 04e50685fbf3d89e5c67ac6a385dd595 toolchain-funcs 1e35303c63cd707f6c3422b4493d5607 user 8bc2845510e2109af75e3eeac607ec81 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf versionator 26ca8a8bd95d6a74122c08ba98a4ee72
_md5_=338097d10bf2670379f922493b32f25a

15
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/net-misc/openssh-7.7_p1-r9 vendored Normal file
View File

@ -0,0 +1,15 @@
DEFINED_PHASES=configure install postinst preinst prepare pretend test
DEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns[ecdsa,ssl(+),static-libs(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[ecdsa,ssl(+),static-libs(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0=[static-libs(+)] ) libressl? ( dev-libs/libressl:0=[static-libs(+)] ) ) >=sys-libs/zlib-1.2.3:=[static-libs(+)] ) virtual/pkgconfig virtual/os-headers sys-devel/autoconf >=app-portage/elt-patches-20170422 !<sys-devel/gettext-0.18.1.1-r3 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4 virtual/pkgconfig
DESCRIPTION=Port of OpenBSD's free SSH release
EAPI=6
HOMEPAGE=https://www.openssh.com/
IUSE=abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509
KEYWORDS=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
LICENSE=BSD GPL-2
RDEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns[ecdsa,ssl(+),static-libs(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) userland_GNU? ( virtual/shadow ) X? ( x11-apps/xauth )
REQUIRED_USE=ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl ) test? ( ssl )
RESTRICT=!test? ( test )
SLOT=0
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-7.7p1.tar.gz https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-patches-1.2.tar.xz sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-sctp-1.1.patch.xz ) hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz ) X509? ( https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-x509-11.3.1.patch.xz )
_eclasses_=autotools d0e5375d47f4c809f406eb892e531513 desktop 1b286a7e7143d8c4ec89cd0d2743a097 epatch 9a5f039771f143195164a15a4faa41a1 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 5b8ce72259e08104b337fe28c6de5dbc flag-o-matic 5128c4729303400bd8d4b0b966530955 libtool 0081a71a261724730ec4c248494f044d ltprune 607e058da37aa6dabfa408b7d61da72e multilib 97f470f374f2e94ccab04a2fb21d811e pam 3e788d86170dfcd5b06824d898315e18 preserve-libs ef207dc62baddfddfd39a164d9797648 systemd 04e50685fbf3d89e5c67ac6a385dd595 toolchain-funcs 1e35303c63cd707f6c3422b4493d5607 user 8bc2845510e2109af75e3eeac607ec81 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=08499a610fc3ccb2d6e5ca779fbae997

18
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/sys-libs/glibc-2.25-r11 → sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/sys-libs/glibc-2.26-r7 vendored
View File

@ -1,15 +1,15 @@
DEFINED_PHASES=compile configure install postinst preinst prepare pretend setup test unpack
DEPEND=nscd? ( selinux? ( audit? ( sys-process/audit ) caps? ( sys-libs/libcap ) ) ) suid? ( caps? ( sys-libs/libcap ) ) selinux? ( sys-libs/libselinux ) systemtap? ( dev-util/systemtap ) >=app-misc/pax-utils-0.1.10 !<sys-apps/sandbox-1.6 !<sys-apps/portage-2.1.2 >=sys-devel/binutils-2.24 >=sys-devel/gcc-4.7 virtual/os-headers sys-devel/gnuconfig virtual/pkgconfig
DESCRIPTION=GNU libc6 (also called glibc2) C library
EAPI=5
HOMEPAGE=https://www.gnu.org/software/libc/libc.html
IUSE=audit caps debug gd hardened multilib nscd +rpc selinux systemtap profile suid vanilla headers-only
KEYWORDS=alpha amd64 ~arm arm64 ~hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86
DEFINED_PHASES=compile configure install postinst preinst prepare pretend test unpack
DEPEND=nscd? ( selinux? ( audit? ( sys-process/audit ) caps? ( sys-libs/libcap ) ) ) suid? ( caps? ( sys-libs/libcap ) ) selinux? ( sys-libs/libselinux ) systemtap? ( dev-util/systemtap ) >=app-misc/pax-utils-0.1.10 !<sys-apps/sandbox-1.6 !<sys-apps/portage-2.1.2 doc? ( sys-apps/texinfo ) >=sys-devel/binutils-2.24 >=sys-devel/gcc-4.9 virtual/os-headers sys-devel/gnuconfig virtual/pkgconfig
DESCRIPTION=GNU libc C library
EAPI=6
HOMEPAGE=https://www.gnu.org/software/libc/
IUSE=audit caps debug doc gd hardened multilib nscd selinux systemtap profile suid vanilla headers-only
KEYWORDS=alpha amd64 arm arm64 ~hppa ia64 m68k ~mips ~ppc ~ppc64 s390 sh sparc x86
LICENSE=LGPL-2.1+ BSD HPND ISC inner-net rc PCRE
PDEPEND=!vanilla? ( sys-libs/timezone-data )
RDEPEND=nscd? ( selinux? ( audit? ( sys-process/audit ) caps? ( sys-libs/libcap ) ) ) suid? ( caps? ( sys-libs/libcap ) ) selinux? ( sys-libs/libselinux ) systemtap? ( dev-util/systemtap ) !sys-kernel/ps3-sources sys-apps/gentoo-functions !sys-libs/nss-db vanilla? ( !sys-libs/timezone-data )
RESTRICT=strip
SLOT=2.2
SRC_URI=mirror://gnu/glibc/glibc-2.25.tar.xz ftp://sourceware.org/pub/glibc/releases/glibc-2.25.tar.xz ftp://sourceware.org/pub/glibc/snapshots/glibc-2.25.tar.xz mirror://gentoo/glibc-2.25.tar.xz mirror://gentoo/glibc-2.25-patches-15.tar.bz2 https://dev.gentoo.org/~vapier/dist/glibc-2.25-patches-15.tar.bz2 https://dev.gentoo.org/~dilfridge/distfiles/glibc-2.25-patches-15.tar.bz2 https://dev.gentoo.org/~tamiko/distfiles/glibc-2.25-patches-15.tar.bz2 https://dev.gentoo.org/~slyfox/distfiles/glibc-2.25-patches-15.tar.bz2 multilib? ( mirror://gentoo/gcc-4.7.3-r1-multilib-bootstrap.tar.bz2 https://dev.gentoo.org/~vapier/dist/gcc-4.7.3-r1-multilib-bootstrap.tar.bz2 https://dev.gentoo.org/~dilfridge/distfiles/gcc-4.7.3-r1-multilib-bootstrap.tar.bz2 https://dev.gentoo.org/~tamiko/distfiles/gcc-4.7.3-r1-multilib-bootstrap.tar.bz2 https://dev.gentoo.org/~slyfox/distfiles/gcc-4.7.3-r1-multilib-bootstrap.tar.bz2 )
SRC_URI=mirror://gnu/glibc/glibc-2.26.tar.xz https://dev.gentoo.org/~dilfridge/distfiles/glibc-2.26-patches-7.tar.bz2 multilib? ( https://dev.gentoo.org/~dilfridge/distfiles/gcc-multilib-bootstrap-20180511.tar.xz )
_eclasses_=desktop 1b286a7e7143d8c4ec89cd0d2743a097 epatch 9a5f039771f143195164a15a4faa41a1 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 5b8ce72259e08104b337fe28c6de5dbc flag-o-matic 5128c4729303400bd8d4b0b966530955 gnuconfig b8ec1c34be4ff9dac7ad4034d277936b ltprune 607e058da37aa6dabfa408b7d61da72e multilib 97f470f374f2e94ccab04a2fb21d811e multiprocessing cac3169468f893670dac3e7cb940e045 prefix e51c7882b7b721e54e684f7eb143cbfe preserve-libs ef207dc62baddfddfd39a164d9797648 systemd 04e50685fbf3d89e5c67ac6a385dd595 toolchain-funcs 1e35303c63cd707f6c3422b4493d5607 toolchain-glibc 2c8bd4294e48b6d4e6cd4568d318bb5e unpacker f40f7b4bd5aa88c2a4ba7b0d1e0ded70 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf versionator 26ca8a8bd95d6a74122c08ba98a4ee72
_md5_=1bd7e585ac93d28c6806e114f09e0c08
_md5_=a21a7a670a9be09f4dcf8a50a19431d7

9
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest vendored
View File

@ -1,4 +1,5 @@
DIST openssh-7.6_p1-sctp.patch.xz 6996 SHA256 ca61f0b015d2f7131620a2a4901800b70026755a52a7b882d437cd9813c2652d SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151 WHIRLPOOL 27125d4a7d45f0bc67f424598542cf97e123824bce7911732891531b6a0aa37b7598f636e1643a6114626c2ccc622a50928ffcdb4357c7dc3d9c3d8c161d9626
DIST openssh-7.6p1+x509-11.0.diff.gz 440219 SHA256 bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a WHIRLPOOL 1b324f72a6cb0c895b3994d59f3505ff2a4a0529829cea07344a33a68ee4d43c22ba534a55454792618cd9f766cd40fa5af73cc054ee3a08bccdb6e8d0073b29
DIST openssh-7.6p1.tar.gz 1489788 SHA256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 WHIRLPOOL 537b94555c7b36b2f7ef2ecd89e6671028f7cff9be758e631690ecd068510d59d6518077bf951e779e3c8a39706adb1682c6d5305edd6fc611ec19ce7953c751
DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 SHA256 fd877cf084d4eb682c503b6e5f363b0564da2b50561367558a50ab239adf4017 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974 WHIRLPOOL 8410dc9dad24d8b3065ba85e7a7a66322b4d37eac0ef68e72143afa3aba2706e91c324798236b9d3e320e6903d27a7e426621bde92ded89ce26a16535e8c3d3c
DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b
DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261

21
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch vendored
View File

@ -1,21 +0,0 @@
https://bugs.gentoo.org/591392
https://bugzilla.mindrot.org/show_bug.cgi?id=2590
7.3 added seccomp support to MIPS, but failed to handled the N32
case. This patch is temporary until upstream fixes.
--- openssh-7.3p1/configure.ac
+++ openssh-7.3p1/configure.ac
@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
seccomp_audit_arch=AUDIT_ARCH_MIPSEL
;;
mips64-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPS64
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
;;
mips64el-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
;;
esac
if test "x$seccomp_audit_arch" != "x" ; then

20
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch vendored Normal file
View File

@ -0,0 +1,20 @@
Disable conch interop tests which are failing when called
via portage for yet unknown reason and because using conch
seems to be flaky (test is failing when using Python2 but
passing when using Python3).
Bug: https://bugs.gentoo.org/605446
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -3,6 +3,10 @@
tid="conch ciphers"
+# https://bugs.gentoo.org/605446
+echo "conch interop tests skipped due to Gentoo bug #605446"
+exit 0
+
if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
echo "conch interop tests not enabled"
exit 0

50
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch vendored
View File

@ -1,50 +0,0 @@
--- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:02:11.850912525 -0700
+++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:35:06.223424844 -0700
@@ -907,9 +907,9 @@
@@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
if (atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
fatal("write: %.100s", strerror(errno));
@@ -918,11 +918,11 @@
--- a/sshd.c
+++ b/sshd.c
@@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
+ }
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum);
@@ -982,13 +982,14 @@
index e093f623..83f0932d 100644
--- a/version.h
+++ b/version.h
-@@ -3,4 +3,5 @@
+@@ -3,3 +3,6 @@
#define SSH_VERSION "OpenSSH_7.6"
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
++#define SSH_PORTABLE "p1"
+#define SSH_HPN "-hpn14v12"
++#define SSH_X509 "-PKIXSSH-11.0"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
++#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN
--
2.14.2

12
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-warnings.patch vendored
View File

@ -1,12 +0,0 @@
diff --git a/openbsd-compat/freezero.c b/openbsd-compat/freezero.c
index 3af8f4a7..7f6bc7fa 100644
--- a/openbsd-compat/freezero.c
+++ b/openbsd-compat/freezero.c
@@ -14,6 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <string.h>
#include "includes.h"
#ifndef HAVE_FREEZERO

11
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch vendored
View File

@ -1,11 +0,0 @@
--- a/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:28.334140140 -0800
+++ b/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:55.338223563 -0800
@@ -54732,7 +54732,7 @@
+int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations);
+
+typedef char SSHXSTOREPATH;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+DECLARE_STACK_OF(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_new_null() SKM_sk_new_null(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_num(st) SKM_sk_num(SSHXSTOREPATH, (st))

224
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch vendored
View File

@ -1,121 +1,12 @@
http://bugs.gentoo.org/165444
https://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
--- a/readconf.c
+++ b/readconf.c
@@ -148,6 +148,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -194,9 +195,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
# else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
#ifdef ENABLE_PKCS11
{ "smartcarddevice", oPKCS11Provider },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1649,6 +1656,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- a/readconf.h
+++ b/readconf.h
@@ -46,6 +46,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -830,6 +830,16 @@
Forward (delegate) credentials to the server.
The default is
.Cm no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -656,6 +656,13 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(active_state, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -668,7 +674,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
need to move these two funcs back to canohost so they're available to clients
and the server. auth.c is only used in the server.
--- a/auth.c
+++ b/auth.c
@@ -784,117 +784,3 @@ fakepw(void)
@@ -728,120 +728,6 @@ fakepw(void)
return (&fake);
}
-
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
@ -229,6 +120,10 @@ and the server. auth.c is only used in the server.
- return dnsname;
- }
-}
-
/*
* Runs command in a subprocess wuth a minimal environment.
* Returns pid on success, 0 on failure.
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
@ -349,3 +244,108 @@ and the server. auth.c is only used in the server.
+ return dnsname;
+ }
+}
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -200,9 +201,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
# else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
#ifdef ENABLE_PKCS11
{ "smartcarddevice", oPKCS11Provider },
@@ -954,6 +957,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- a/readconf.h
+++ b/readconf.h
@@ -43,6 +43,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -731,6 +731,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(active_state, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
--

332
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.6_p1-r1.ebuild vendored
View File

@ -1,332 +0,0 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
inherit user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
#HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
X509_VER="11.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}}
${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )}
${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !ldap !sctp ssl )
test? ( ssl )"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[ecdsa,ssl,static-libs(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
ssl? (
!libressl? (
>=dev-libs/openssl-1.0.1:0=[-bindist(-)]
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
RDEPEND="
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( virtual/pam )
kerberos? ( virtual/krb5 )
ldap? ( net-nds/openldap )"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/pkgconfig
virtual/os-headers
sys-devel/autoconf"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( virtual/shadow )
X? ( x11-apps/xauth )"
S="${WORKDIR}/${PARCH}"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use X509 && maybe_fail X509 X509_PATCH)
$(use ldap && maybe_fail ldap LDAP_PATCH)
$(use hpn && maybe_fail hpn HPN_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
fi
}
save_version() {
# version.h patch conflict avoidence
mv version.h version.h.$1
cp -f version.h.pristine version.h
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# keep this as we need it to avoid the conflict between LPK and HPN changing
# this file.
cp version.h version.h.pristine
eapply "${FILESDIR}/${P}-warnings.patch"
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
if use X509 ; then
if use hpn ; then
pushd "${WORKDIR}" >/dev/null
eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
popd >/dev/null
fi
save_version X509
eapply "${WORKDIR}"/${X509_PATCH%.*}
fi
if use ldap ; then
eapply "${WORKDIR}"/${LDAP_PATCH%.*}
save_version LPK
fi
eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*}
use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
if use hpn ; then
elog "Applying HPN patchset ..."
eapply "${WORKDIR}"/${HPN_PATCH%.*.*}
save_version HPN
fi
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eapply_user #473004
# Now we can build a sane merged version.h
(
sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
macros=()
for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
) > version.h
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the ldap patch conditionally, so can't pass --without-ldap
# unconditionally else we get unknown flag warnings.
$(use ldap && use_with ldap)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use X509 || use_with sctp)
$(use_with selinux)
$(use_with skey)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
)
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
# Gentoo tweaks to default config files
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*
EOF
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables #367017
SendEnv LANG LC_*
EOF
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
insinto /etc/openldap/schema/
newins openssh-lpk_openldap.schema openssh-lpk.schema
fi
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
pkg_preinst() {
enewgroup sshd 22
enewuser sshd 22 -1 /var/empty sshd
}
pkg_postinst() {
if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
# remove this if aes-ctr-mt gets fixed
if use hpn; then
elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
elog "set since it does not (yet) work with >=openssh-7.6p1."
fi
}

441
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.7_p1-r9.ebuild vendored Normal file
View File

@ -0,0 +1,441 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit user flag-o-matic multilib autotools pam systemd
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
PATCH_SET="openssh-7.7p1-patches-1.2"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
RESTRICT="!test? ( test )"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp ssl )
test? ( ssl )"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[ecdsa,ssl(+),static-libs(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
ssl? (
!libressl? (
>=dev-libs/openssl-1.0.1:0=[-bindist(-)]
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
RDEPEND="
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( virtual/pam )
kerberos? ( virtual/krb5 )"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/pkgconfig
virtual/os-headers
sys-devel/autoconf"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( virtual/shadow )
X? ( x11-apps/xauth )"
S="${WORKDIR}/${PARCH}"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_PATCH)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
eapply "${WORKDIR}"/${X509_PATCH%.*}
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
einfo "Disabling broken X.509 agent test ..."
sed -i \
-e "/^ agent$/d" \
"${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
# The following patches don't apply on top of X509 patch
rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
else
rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
eapply "${WORKDIR}"/${HPN_PATCH%.*}
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use hpn ; then
einfo "Patching packet.c for X509 and/or HPN patch set ..."
sed -i \
-e "s/const struct sshcipher/struct sshcipher/" \
"${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply "${WORKDIR}"/patch/*.patch
eapply_user #473004
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX%/}"/etc/ssh
--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX%/}"/usr/share/openssh
--with-privsep-path="${EPREFIX%/}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(use_with skey)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
# stackprotect is broken on musl x86
use elibc_musl && use x86 && myconf+=( --without-stackprotect )
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED%/}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED%/}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
keepdir /var/empty
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
enewgroup sshd 22
enewuser sshd 22 -1 /var/empty sshd
}
pkg_postinst() {
if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}