* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2015-09-04 6:37 Anthony G. Basile
0 siblings, 0 replies; 6+ messages in thread
From: Anthony G. Basile @ 2015-09-04 6:37 UTC (permalink / raw
To: gentoo-commits
commit: 99b805179536586a517d225966a7f026e27c2e29
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Sep 4 06:41:20 2015 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Sep 4 06:41:20 2015 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=99b80517
net-misc/openssh: remove stack-protector checks
Package-Manager: portage-2.2.20.1
RepoMan-Options: --force
Manifest-Sign-Key: 0x9384FA6EF52D4BBA
net-misc/openssh/Manifest | 3 +-
.../openssh-6.9_p1-remove-stackprotector.patch | 51 ++++++++++++++++++++++
net-misc/openssh/openssh-6.9_p1-r99.ebuild | 6 +--
3 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 93e1dc2..5d2f675 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -2,6 +2,7 @@ AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 SHA256 88a08f349258d4be5b2faa838a89fe1a
AUX openssh-6.3_p1-x509-hpn14v2-glue.patch 1451 SHA256 d7179b3c16edd065977aaf56a410e2b9b237206fb619474f312972b430b73c8d SHA512 02577e3f718ff994bb4e962189f17048b4c03104d0a1981683f3c6a1d6d30701db368e132102c8396da2c0f5eb2f6602b26f32f74d19382af34bd9a93fc508f3 WHIRLPOOL b7d224d71634f380bd31b3a1dd3e588a29582255f717a6a308738ad58b485b693d827a53704479995ec2ebca53c9dc9b2113d8de52a1336b67ce83943f946b77
AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 WHIRLPOOL c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
AUX openssh-6.8_p1-ssl-engine-configure.patch 936 SHA256 cb3f34ef031aa5360b082468b4afb8b7fd2c778c990c2f20fda250167725ff88 SHA512 4b7840f719ad58c1f196327a52534f0a21264ce47e8df4a335e9f58d9d5eae33dbb9a75a2a714c3bdae6bee04728e66020ed57eb521fc1164521c4c5aa4a9a93 WHIRLPOOL 662d6eedb091021d5da4cdbd6d623e3678e54fb75cb52d8afdc4ef9c31f98d95f8445c2fde834d622b0aabf8b9593244847da574201ed176c350747526a28fe5
+AUX openssh-6.9_p1-remove-stackprotector.patch 1574 SHA256 a8d96a7f273f8920a96c87ad258fd88d939ae51dd05893869f4b0ab4ffe7563b SHA512 4e720add3384031173ed86d147d062a2f3b6cb3f87bd9d47a0369d2634c1beaf791c613d1498031e9b476d47a1c8682bb0297fd2c97724a6a09a769c2182de0e WHIRLPOOL 1bd560bb1befcafea2fe3e60f9a20a9e214c38516cca763b99e188a5ffafba7590b7ee7f370688c4d50476505e9b8412349fe37f69d51263eb4461d016c53a23
AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
AUX sshd.rc6.4 2313 SHA256 97221a017d8ee9de996277c5a794d973a0b5e8180c29c97b3652bd1984a7b5d0 SHA512 88826bc9923299ac4c1502e7076483d6c197fd5a0e693bc2e1690f82bcd7d1bbd144aae2ffd92acb28d6fe912233aa93346e00c72917de65c22811ce9cd5bff7 WHIRLPOOL a77bad5891eb74770ae12e79131a99e5645a83841d14f1d60e39581a23b9d86e66b2e5fb7d0c989afac410eb5c6a627b83389d54085d1b78c89fc07852f8eb66
@@ -13,5 +14,5 @@ DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3
DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
-EBUILD openssh-6.9_p1-r99.ebuild 9784 SHA256 41579ef5715c5a7a6b96b290830cf52189d26ddd73c932763e5078a9b27286e1 SHA512 3c6885e8f6ff5b43dfcf99c8dfc303fb01c31d383c51439a9bfd731a7111d4c79393f1df8567c028e6bd553958d381d6d0d2585b3f88273083e20a3e05fc941a WHIRLPOOL b669a92baf88cc26c024db804240a7f5bca2feef1bb634674837d6c83d78436e01008072e6d18682e2526e4b1427a753e46821495b768df2c49adef28addfd28
+EBUILD openssh-6.9_p1-r99.ebuild 9806 SHA256 2360ba25d6c04203dc83316981212858358412aba721a950a149fe90de06a3a7 SHA512 c3e3a9ead1e3b9d7416d942ea1b9a9ab908efca3d09ecf52ff5d2987e90ec4362c73597bc5b4dd42725559abc2a835f37b49ae96b8371120e1a70e6abf07e0a0 WHIRLPOOL 602cd12b21ed055fa5c83e08c903fa790a476302a69df9b23442e507e54fa627dea325e6c4fd0c244e8bc3c366f70302b1398d603d31dfbe87ebe87a6e5c1fdc
MISC metadata.xml 1912 SHA256 7b838285f09ad395f237a0d0b9963eee86d0e85b58e6e5b4d5edb093fa888a0a SHA512 e55c10ffd12488720c3da19e55942cfedec63fe767fc1608439b5a3932eeb5488086ad7ef4e1f858c89381e737426f035845ea5e8bede4ed8a0ccabdc656d9b5 WHIRLPOOL 5c07b3dd4a4002cff5df62133ecf570bf79f58e9477d0ad25d60f185ee029183d11118147e3adfec373542659d921e99e787054cfe9284031c974d694de6e9ed
diff --git a/net-misc/openssh/files/openssh-6.9_p1-remove-stackprotector.patch b/net-misc/openssh/files/openssh-6.9_p1-remove-stackprotector.patch
new file mode 100644
index 0000000..98e867f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.9_p1-remove-stackprotector.patch
@@ -0,0 +1,51 @@
+diff -Naur openssh-6.9p1.orig/configure.ac openssh-6.9p1/configure.ac
+--- openssh-6.9p1.orig/configure.ac 2015-06-30 22:35:31.000000000 -0400
++++ openssh-6.9p1/configure.ac 2015-09-04 02:29:02.746836099 -0400
+@@ -234,47 +234,6 @@
+ CFLAGS="$saved_CFLAGS" ]
+ )
+
+- # -fstack-protector-all doesn't always work for some GCC versions
+- # and/or platforms, so we test if we can. If it's not supported
+- # on a given platform gcc will emit a warning so we use -Werror.
+- if test "x$use_stack_protector" = "x1"; then
+- for t in -fstack-protector-strong -fstack-protector-all \
+- -fstack-protector; do
+- AC_MSG_CHECKING([if $CC supports $t])
+- saved_CFLAGS="$CFLAGS"
+- saved_LDFLAGS="$LDFLAGS"
+- CFLAGS="$CFLAGS $t -Werror"
+- LDFLAGS="$LDFLAGS $t -Werror"
+- AC_LINK_IFELSE(
+- [AC_LANG_PROGRAM([[ #include <stdio.h> ]],
+- [[
+- char x[256];
+- snprintf(x, sizeof(x), "XXX");
+- ]])],
+- [ AC_MSG_RESULT([yes])
+- CFLAGS="$saved_CFLAGS $t"
+- LDFLAGS="$saved_LDFLAGS $t"
+- AC_MSG_CHECKING([if $t works])
+- AC_RUN_IFELSE(
+- [AC_LANG_PROGRAM([[ #include <stdio.h> ]],
+- [[
+- char x[256];
+- snprintf(x, sizeof(x), "XXX");
+- ]])],
+- [ AC_MSG_RESULT([yes])
+- break ],
+- [ AC_MSG_RESULT([no]) ],
+- [ AC_MSG_WARN([cross compiling: cannot test])
+- break ]
+- )
+- ],
+- [ AC_MSG_RESULT([no]) ]
+- )
+- CFLAGS="$saved_CFLAGS"
+- LDFLAGS="$saved_LDFLAGS"
+- done
+- fi
+-
+ if test -z "$have_llong_max"; then
+ # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
+ unset ac_cv_have_decl_LLONG_MAX
diff --git a/net-misc/openssh/openssh-6.9_p1-r99.ebuild b/net-misc/openssh/openssh-6.9_p1-r99.ebuild
index d763f9b..0ab549d 100644
--- a/net-misc/openssh/openssh-6.9_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.9_p1-r99.ebuild
@@ -152,6 +152,9 @@ src_prepare() {
)
sed -i "${sed_args[@]}" configure{.ac,} || die
+ # ppc musl lacks __stack_chk_fail_local()
+ epatch "${FILESDIR}"/${P}-remove-stackprotector.patch
+
epatch_user #473004
# Now we can build a sane merged version.h
@@ -202,9 +205,6 @@ src_configure() {
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
- # ppc musl lacks __stack_chk_fail_local()
- myconf+=( --without-hardening )
-
# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2015-11-25 0:59 Anthony G. Basile
0 siblings, 0 replies; 6+ messages in thread
From: Anthony G. Basile @ 2015-11-25 0:59 UTC (permalink / raw
To: gentoo-commits
commit: f2e20d1658c7955020ef48cfde79717ac5af4a97
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 25 01:06:16 2015 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Nov 25 01:06:16 2015 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=f2e20d16
net-misc/openssh: in tree version works.
net-misc/openssh/Manifest | 18 --
.../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch | 127 ---------
.../files/openssh-6.3_p1-x509-hpn14v2-glue.patch | 51 ----
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 --
.../openssh-6.8_p1-ssl-engine-configure.patch | 33 ---
.../openssh-6.9_p1-remove-stackprotector.patch | 51 ----
net-misc/openssh/files/sshd.confd | 21 --
net-misc/openssh/files/sshd.pam_include.2 | 4 -
net-misc/openssh/files/sshd.rc6.4 | 87 ------
net-misc/openssh/files/sshd.service | 11 -
net-misc/openssh/files/sshd.socket | 10 -
net-misc/openssh/files/sshd_at.service | 8 -
net-misc/openssh/metadata.xml | 34 ---
net-misc/openssh/openssh-6.9_p1-r99.ebuild | 314 ---------------------
14 files changed, 786 deletions(-)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
deleted file mode 100644
index 5d2f675..0000000
--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,18 +0,0 @@
-AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 SHA256 88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7 SHA512 4d00a9ed79f66b92502c3e5ee580523f63d7b3643fe1bd330ff97994acce527d4d285d38199cef66eddc0ef68afabf7b268abc60cba871bac5d2e99045d4ac11 WHIRLPOOL 2f118fd2f016c529dbc31e8f2b6b418931e6770ab02c28b7feeaba93e84e7fcd1c742f4420a43a9fec0bdfaa4d4bc7cf14fb860c0a56c68a30e7b136fb60bcdb
-AUX openssh-6.3_p1-x509-hpn14v2-glue.patch 1451 SHA256 d7179b3c16edd065977aaf56a410e2b9b237206fb619474f312972b430b73c8d SHA512 02577e3f718ff994bb4e962189f17048b4c03104d0a1981683f3c6a1d6d30701db368e132102c8396da2c0f5eb2f6602b26f32f74d19382af34bd9a93fc508f3 WHIRLPOOL b7d224d71634f380bd31b3a1dd3e588a29582255f717a6a308738ad58b485b693d827a53704479995ec2ebca53c9dc9b2113d8de52a1336b67ce83943f946b77
-AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 WHIRLPOOL c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
-AUX openssh-6.8_p1-ssl-engine-configure.patch 936 SHA256 cb3f34ef031aa5360b082468b4afb8b7fd2c778c990c2f20fda250167725ff88 SHA512 4b7840f719ad58c1f196327a52534f0a21264ce47e8df4a335e9f58d9d5eae33dbb9a75a2a714c3bdae6bee04728e66020ed57eb521fc1164521c4c5aa4a9a93 WHIRLPOOL 662d6eedb091021d5da4cdbd6d623e3678e54fb75cb52d8afdc4ef9c31f98d95f8445c2fde834d622b0aabf8b9593244847da574201ed176c350747526a28fe5
-AUX openssh-6.9_p1-remove-stackprotector.patch 1574 SHA256 a8d96a7f273f8920a96c87ad258fd88d939ae51dd05893869f4b0ab4ffe7563b SHA512 4e720add3384031173ed86d147d062a2f3b6cb3f87bd9d47a0369d2634c1beaf791c613d1498031e9b476d47a1c8682bb0297fd2c97724a6a09a769c2182de0e WHIRLPOOL 1bd560bb1befcafea2fe3e60f9a20a9e214c38516cca763b99e188a5ffafba7590b7ee7f370688c4d50476505e9b8412349fe37f69d51263eb4461d016c53a23
-AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
-AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
-AUX sshd.rc6.4 2313 SHA256 97221a017d8ee9de996277c5a794d973a0b5e8180c29c97b3652bd1984a7b5d0 SHA512 88826bc9923299ac4c1502e7076483d6c197fd5a0e693bc2e1690f82bcd7d1bbd144aae2ffd92acb28d6fe912233aa93346e00c72917de65c22811ce9cd5bff7 WHIRLPOOL a77bad5891eb74770ae12e79131a99e5645a83841d14f1d60e39581a23b9d86e66b2e5fb7d0c989afac410eb5c6a627b83389d54085d1b78c89fc07852f8eb66
-AUX sshd.service 242 SHA256 1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c WHIRLPOOL 0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989
-AUX sshd.socket 136 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 WHIRLPOOL 102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
-AUX sshd_at.service 176 SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a WHIRLPOOL aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
-DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
-DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2
-DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
-DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
-DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
-EBUILD openssh-6.9_p1-r99.ebuild 9806 SHA256 2360ba25d6c04203dc83316981212858358412aba721a950a149fe90de06a3a7 SHA512 c3e3a9ead1e3b9d7416d942ea1b9a9ab908efca3d09ecf52ff5d2987e90ec4362c73597bc5b4dd42725559abc2a835f37b49ae96b8371120e1a70e6abf07e0a0 WHIRLPOOL 602cd12b21ed055fa5c83e08c903fa790a476302a69df9b23442e507e54fa627dea325e6c4fd0c244e8bc3c366f70302b1398d603d31dfbe87ebe87a6e5c1fdc
-MISC metadata.xml 1912 SHA256 7b838285f09ad395f237a0d0b9963eee86d0e85b58e6e5b4d5edb093fa888a0a SHA512 e55c10ffd12488720c3da19e55942cfedec63fe767fc1608439b5a3932eeb5488086ad7ef4e1f858c89381e737426f035845ea5e8bede4ed8a0ccabdc656d9b5 WHIRLPOOL 5c07b3dd4a4002cff5df62133ecf570bf79f58e9477d0ad25d60f185ee029183d11118147e3adfec373542659d921e99e787054cfe9284031c974d694de6e9ed
diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index c81ae5c..0000000
--- a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
-Index: readconf.c
-===================================================================
-RCS file: /cvs/openssh/readconf.c,v
-retrieving revision 1.135
-diff -u -r1.135 readconf.c
---- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
-+++ readconf.c 19 Aug 2006 11:59:52 -0000
-@@ -126,6 +126,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -163,9 +164,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- #else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- { "fallbacktorsh", oDeprecated },
- { "usersh", oDeprecated },
-@@ -444,6 +447,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1010,6 +1017,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1100,6 +1108,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-Index: readconf.h
-===================================================================
-RCS file: /cvs/openssh/readconf.h,v
-retrieving revision 1.63
-diff -u -r1.63 readconf.h
---- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
-+++ readconf.h 19 Aug 2006 11:59:52 -0000
-@@ -45,6 +45,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: ssh_config.5
-===================================================================
-RCS file: /cvs/openssh/ssh_config.5,v
-retrieving revision 1.97
-diff -u -r1.97 ssh_config.5
---- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
-+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
-@@ -483,7 +483,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
--Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-Index: sshconnect2.c
-===================================================================
-RCS file: /cvs/openssh/sshconnect2.c,v
-retrieving revision 1.151
-diff -u -r1.151 sshconnect2.c
---- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
-+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
-@@ -499,6 +499,12 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns)
-+ gss_host = get_canonical_hostname(1);
-+ else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -511,7 +517,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
deleted file mode 100644
index c3647d5..0000000
--- a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
+++ /dev/null
@@ -1,51 +0,0 @@
---- openssh-6.3p1/Makefile.in
-+++ openssh-6.3p1/Makefile.in
-@@ -45,7 +45,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@
- GSSLIBS=@GSSLIBS@
-@@ -53,6 +53,7 @@
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
-+CPPFLAGS+=@LDAP_CPPFLAGS@
- AR=@AR@
- AWK=@AWK@
- RANLIB=@RANLIB@
---- openssh-6.3p1/sshconnect.c
-+++ openssh-6.3p1/sshconnect.c
-@@ -465,7 +465,7 @@
- {
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
---- openssh-6.3p1/sshd.c
-+++ openssh-6.3p1/sshd.c
-@@ -472,8 +472,8 @@
- comment = "";
- }
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-- major, minor, SSH_VERSION, comment,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+ major, minor, SSH_VERSION,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
-
---- openssh-6.3p1/version.h
-+++ openssh-6.3p1/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_6.3"
-
- #define SSH_PORTABLE "p1"
-+#define SSH_X509 " PKIX"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
deleted file mode 100644
index fa33af3..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
- */
-- mask = 0xfff0000fL; /* major,minor,status */
-+ mask = 0xfff00000L; /* major,minor,status */
- hfix = (headerver & 0x000ff000) >> 12;
- lfix = (libver & 0x000ff000) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
deleted file mode 100644
index a355e2c..0000000
--- a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-https://github.com/openssh/openssh-portable/pull/29
-
-From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Wed, 18 Mar 2015 12:37:24 -0400
-Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
- set
-
----
- configure.ac | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b4d6598..7806d20 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2276,10 +2276,10 @@ openssl_engine=no
- AC_ARG_WITH([ssl-engine],
- [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
- [
-- if test "x$openssl" = "xno" ; then
-- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-- fi
- if test "x$withval" != "xno" ; then
-+ if test "x$openssl" = "xno" ; then
-+ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-+ fi
- openssl_engine=yes
- fi
- ]
---
-2.3.2
-
diff --git a/net-misc/openssh/files/openssh-6.9_p1-remove-stackprotector.patch b/net-misc/openssh/files/openssh-6.9_p1-remove-stackprotector.patch
deleted file mode 100644
index 98e867f..0000000
--- a/net-misc/openssh/files/openssh-6.9_p1-remove-stackprotector.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff -Naur openssh-6.9p1.orig/configure.ac openssh-6.9p1/configure.ac
---- openssh-6.9p1.orig/configure.ac 2015-06-30 22:35:31.000000000 -0400
-+++ openssh-6.9p1/configure.ac 2015-09-04 02:29:02.746836099 -0400
-@@ -234,47 +234,6 @@
- CFLAGS="$saved_CFLAGS" ]
- )
-
-- # -fstack-protector-all doesn't always work for some GCC versions
-- # and/or platforms, so we test if we can. If it's not supported
-- # on a given platform gcc will emit a warning so we use -Werror.
-- if test "x$use_stack_protector" = "x1"; then
-- for t in -fstack-protector-strong -fstack-protector-all \
-- -fstack-protector; do
-- AC_MSG_CHECKING([if $CC supports $t])
-- saved_CFLAGS="$CFLAGS"
-- saved_LDFLAGS="$LDFLAGS"
-- CFLAGS="$CFLAGS $t -Werror"
-- LDFLAGS="$LDFLAGS $t -Werror"
-- AC_LINK_IFELSE(
-- [AC_LANG_PROGRAM([[ #include <stdio.h> ]],
-- [[
-- char x[256];
-- snprintf(x, sizeof(x), "XXX");
-- ]])],
-- [ AC_MSG_RESULT([yes])
-- CFLAGS="$saved_CFLAGS $t"
-- LDFLAGS="$saved_LDFLAGS $t"
-- AC_MSG_CHECKING([if $t works])
-- AC_RUN_IFELSE(
-- [AC_LANG_PROGRAM([[ #include <stdio.h> ]],
-- [[
-- char x[256];
-- snprintf(x, sizeof(x), "XXX");
-- ]])],
-- [ AC_MSG_RESULT([yes])
-- break ],
-- [ AC_MSG_RESULT([no]) ],
-- [ AC_MSG_WARN([cross compiling: cannot test])
-- break ]
-- )
-- ],
-- [ AC_MSG_RESULT([no]) ]
-- )
-- CFLAGS="$saved_CFLAGS"
-- LDFLAGS="$saved_LDFLAGS"
-- done
-- fi
--
- if test -z "$have_llong_max"; then
- # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
- unset ac_cv_have_decl_LLONG_MAX
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
deleted file mode 100644
index 28952b4..0000000
--- a/net-misc/openssh/files/sshd.confd
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd
-
-# Where is your sshd_config file stored?
-
-SSHD_CONFDIR="/etc/ssh"
-
-
-# Any random options you want to pass to sshd.
-# See the sshd(8) manpage for more info.
-
-SSHD_OPTS=""
-
-
-# Pid file to use (needs to be absolute path).
-
-#SSHD_PIDFILE="/var/run/sshd.pid"
-
-
-# Path to the sshd binary (needs to be absolute path).
-
-#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
deleted file mode 100644
index b801aaa..0000000
--- a/net-misc/openssh/files/sshd.pam_include.2
+++ /dev/null
@@ -1,4 +0,0 @@
-auth include system-remote-login
-account include system-remote-login
-password include system-remote-login
-session include system-remote-login
diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
deleted file mode 100755
index 1b872bc..0000000
--- a/net-misc/openssh/files/sshd.rc6.4
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.4,v 1.3 2013/04/24 03:13:03 vapier Exp $
-
-extra_commands="checkconfig"
-extra_started_commands="reload"
-
-SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
-SSHD_CONFIG=${SSHD_CONFIG:-${SSHD_CONFDIR}/sshd_config}
-SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
-SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
-
-depend() {
- use logger dns
- if [ "${rc_need+set}" = "set" ]; then
- : # Do nothing, the user has explicitly set rc_need
- else
- warn_addr=''
- for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
- case "$x" in
- 0.0.0.0|0.0.0.0:*) ;;
- ::|\[::\]*) ;;
- *) warn_addr="${warn_addr} $x" ;;
- esac
- done
- unset x
- if [ "${warn_addr:+set}" = "set" ]; then
- need net
- ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
- ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
- ewarn "where FOO is the interface(s) providing the following address(es):"
- ewarn "${warn_addr}"
- fi
- unset warn_addr
- fi
-}
-
-checkconfig() {
- if [ ! -d /var/empty ] ; then
- mkdir -p /var/empty || return 1
- fi
-
- if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
- eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- ssh-keygen -A || return 1
-
- [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
- && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
- [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
- && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config"
-
- "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
-}
-
-start() {
- checkconfig || return 1
-
- ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" \
- -- ${SSHD_OPTS}
- eend $?
-}
-
-stop() {
- if [ "${RC_CMD}" = "restart" ] ; then
- checkconfig || return 1
- fi
-
- ebegin "Stopping ${SVCNAME}"
- start-stop-daemon --stop --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" --quiet
- eend $?
-}
-
-reload() {
- checkconfig || return 1
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP \
- --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
- eend $?
-}
diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
deleted file mode 100644
index b5e96b3..0000000
--- a/net-misc/openssh/files/sshd.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
-
-[Service]
-ExecStartPre=/usr/bin/ssh-keygen -A
-ExecStart=/usr/sbin/sshd -D -e
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
deleted file mode 100644
index 94b9533..0000000
--- a/net-misc/openssh/files/sshd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=OpenSSH Server Socket
-Conflicts=sshd.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
deleted file mode 100644
index 2645ad0..0000000
--- a/net-misc/openssh/files/sshd_at.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=OpenSSH per-connection server daemon
-After=syslog.target auditd.service
-
-[Service]
-ExecStart=-/usr/sbin/sshd -i -e
-StandardInput=socket
-StandardError=syslog
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
deleted file mode 100644
index 885648b..0000000
--- a/net-misc/openssh/metadata.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
- <herd>base-system</herd>
- <maintainer restrict="net-misc/openssh[ldap]">
- <email>robbat2@gentoo.org</email>
- <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
- </maintainer>
- <longdescription>
-OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
-increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
-rlogin, ftp, and other such programs might not realize that their password is transmitted
-across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
-to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
-Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
-of authentication methods.
-
-The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
-replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
-the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
-ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
-</longdescription>
- <use>
- <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
- <flag name="hpn">Enable high performance ssh</flag>
- <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
- <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
- <flag name="sctp">Support for Stream Control Transmission Protocol</flag>
- <flag name="X509">Adds support for X.509 certificate authentication</flag>
- </use>
- <upstream>
- <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
- </upstream>
-</pkgmetadata>
diff --git a/net-misc/openssh/openssh-6.9_p1-r99.ebuild b/net-misc/openssh/openssh-6.9_p1-r99.ebuild
deleted file mode 100644
index 0ab549d..0000000
--- a/net-misc/openssh/openssh-6.9_p1-r99.ebuild
+++ /dev/null
@@ -1,314 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.9p1-r1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="ppc"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )"
-
-LIB_DEPEND="
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- >=dev-libs/openssl-0.9.6d:0[bindist=]
- dev-libs/openssl[static-libs(+)]
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- if use X509 ; then
- pushd .. >/dev/null
- #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
- epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
- save_version X509
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- # The X509 patchset fixes this independently.
- use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
- if use hpn ; then
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- # ppc musl lacks __stack_chk_fail_local()
- epatch "${FILESDIR}"/${P}-remove-stackprotector.patch
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys # skey configure code triggers this
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- # The X509 patch deletes this option entirely.
- $(use X509 || use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
- if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
- append-ldflags -lutil
- fi
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
- elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
- fi
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "reload sshd: '/etc/init.d/sshd reload'."
- elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
- elog " dropped it. Make sure to update any configs that you might have."
-}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2016-02-13 17:18 Anthony G. Basile
0 siblings, 0 replies; 6+ messages in thread
From: Anthony G. Basile @ 2016-02-13 17:18 UTC (permalink / raw
To: gentoo-commits
commit: 6eef306b2fd5638411819065d30a1710f6a4e966
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 13 17:17:32 2016 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Feb 13 17:17:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=6eef306b
net-misc/openssh: turn off hardening on x86
net-misc/openssh/Manifest | 19 ++
.../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch | 127 ++++++++
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 ++
.../openssh-6.8_p1-ssl-engine-configure.patch | 33 +++
.../files/openssh-7.0_p1-sctp-x509-glue.patch | 74 +++++
.../files/openssh-7.1_p1-hpn-x509-glue.patch | 11 +
.../files/openssh-7.1_p2-x509-hpn14v10-glue.patch | 51 ++++
net-misc/openssh/files/sshd.confd | 21 ++
net-misc/openssh/files/sshd.pam_include.2 | 4 +
net-misc/openssh/files/sshd.rc6.4 | 85 ++++++
net-misc/openssh/files/sshd.service | 11 +
net-misc/openssh/files/sshd.socket | 10 +
net-misc/openssh/files/sshd_at.service | 8 +
net-misc/openssh/metadata.xml | 40 +++
net-misc/openssh/openssh-7.1_p2-r99.ebuild | 327 +++++++++++++++++++++
15 files changed, 838 insertions(+)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
new file mode 100644
index 0000000..4a0e718
--- /dev/null
+++ b/net-misc/openssh/Manifest
@@ -0,0 +1,19 @@
+AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 SHA256 88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7 SHA512 4d00a9ed79f66b92502c3e5ee580523f63d7b3643fe1bd330ff97994acce527d4d285d38199cef66eddc0ef68afabf7b268abc60cba871bac5d2e99045d4ac11 WHIRLPOOL 2f118fd2f016c529dbc31e8f2b6b418931e6770ab02c28b7feeaba93e84e7fcd1c742f4420a43a9fec0bdfaa4d4bc7cf14fb860c0a56c68a30e7b136fb60bcdb
+AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 WHIRLPOOL c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
+AUX openssh-6.8_p1-ssl-engine-configure.patch 936 SHA256 cb3f34ef031aa5360b082468b4afb8b7fd2c778c990c2f20fda250167725ff88 SHA512 4b7840f719ad58c1f196327a52534f0a21264ce47e8df4a335e9f58d9d5eae33dbb9a75a2a714c3bdae6bee04728e66020ed57eb521fc1164521c4c5aa4a9a93 WHIRLPOOL 662d6eedb091021d5da4cdbd6d623e3678e54fb75cb52d8afdc4ef9c31f98d95f8445c2fde834d622b0aabf8b9593244847da574201ed176c350747526a28fe5
+AUX openssh-7.0_p1-sctp-x509-glue.patch 2655 SHA256 f01218be5cc344797d6a1db034e6916b0383ea7188d0341ec1e4a3281c5917a6 SHA512 b53aaca05e671be9d8456e7d1aea3ed32afd333922f39c58aa3f9c2539a2d40bdf02ec23c438602e9a590702bcdf96901fb09dfaad93f4ab3fc735d7d189752d WHIRLPOOL 1d6a1947accb77fbd5b578d9e57a51f6ffc9d0d30c806beabea9b2a672ce1af17a283422fb58c835edd8370a5dbe4500ef515ec59af8a3948af5fc15a58a6da0
+AUX openssh-7.1_p1-hpn-x509-glue.patch 535 SHA256 28fabcb503632c57f4f4dfdbdd3e5f2eea97a1f1f216e19125d382820db484b5 SHA512 7f81586e8f755a2451bee962da6a76285fa1609cf761e1ed335e14b07dc28dd0dd9741654a26039d1029e34a45950cdf869132a137461118d9fd1ca142675010 WHIRLPOOL 4e55dd712f7e24f03d7a72017e7238c7bbda53aa54e4068a37a7dadc0f73f4777f9a8c58fefe4d671755ab24c747108dc57af6a08918f70e3425abe7faadc96a
+AUX openssh-7.1_p2-x509-hpn14v10-glue.patch 1451 SHA256 13eb0540a6cd951f2a1c59ea979201fd15ea22ed1c73d153b329f0c8eb9e306e SHA512 e649981c553275baafb34b4d7d05c733cf9a3a829b68dbee206bfde969fb827c54244e67650626915d3403f9d6df9d633eec9a4eebe67face492fa2b16dcb392 WHIRLPOOL 701f4ded357ac8497e60c39d78ef64cb7052f90a0c66748e3fb85713605acd00843f607993b6dc9ccec3af12623cfc9365eeddc274b5eadaaaca9db56a2cfa90
+AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
+AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
+AUX sshd.rc6.4 2114 SHA256 b577e0ac07558205e2229b32bf52ab52d050acda3748708d9a36dc4365a3a725 SHA512 8bde7a1acf3a743982f0d1c951319adf9a401839a17c0bc55e5541940440187e08d46e0def650bcc758669841bcabb9d80afe81f37efee39bb451f131a58f0eb WHIRLPOOL fa4372c2673762bb5f2a9a67e0fea130b45ba7b76244c972fd14845b3689d9f841ffcd5ca21dcbaa58d547eea385936e65ef4a48279c95bc795c6b4cc90b2ddb
+AUX sshd.service 242 SHA256 1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c WHIRLPOOL 0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989
+AUX sshd.socket 136 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 WHIRLPOOL 102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
+AUX sshd_at.service 176 SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a WHIRLPOOL aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
+DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
+DIST openssh-7.1p2+x509-8.7.diff.gz 438584 SHA256 23030dff924a78718686fad6442b1083293b0c2a057714291bd0af9ed8ef5868 SHA512 d9aa43f5fc06b88b442285a9f9a15d01b52796c36f0cb228c756edca473a89eadb296c45503a14514fdb156d3bc9d90ff33271ccfa9461a9bb2b798a581cc007 WHIRLPOOL ef3f4486fff0addad1a6bdcde3ba606d55d6e3ea5d2cd6e79bfe2494d660c38f0e9f1c157af72c3b6ad5e6eb3731168f975b26c94f8357154e54c08e5d876652
+DIST openssh-7.1p2-hpnssh14v10.tar.xz 22388 SHA256 729e20a2627ca403da6cfff8ef251c03421022123a21c68003181b4e5409bcc5 SHA512 b8e88ac5891ed632416db8da6377512614f19f5f7a7c093b55ecfe3e3f50979c61c0674e9381c316632d8daed90f8cce958c9b77bd00084a4ee1b0297cf321ba WHIRLPOOL c466cc33dc4a40e9466148beb154c539e095ac1b9cdcc5b3d235cbcf12ca10255d63da2f0e1da10d1afa1a0d2ebd436ca0d9e542c732df6ef67fb8f4d2d0192c
+DIST openssh-7.1p2.tar.gz 1475829 SHA256 dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd SHA512 d5be60f3645ec238b21e1f2dfd801b2136146674bbc086ebdb14be516c613819bc87c84b5089f3a45fe6e137a7458404f79f42572c69d91571e45ebed9d5e3af WHIRLPOOL 9f48952b82db3983c20e84bcff5b6761f5b284174072c828698dced3a53ca8bbc2e1f89d2e82b62a68f4606b52c980fcf097250f86c1a67ad343d20e3ec9d1f4
+DIST openssh-lpk-7.1p2-0.3.14.patch.xz 17704 SHA256 fbf2e1560cac707f819a539999c758a444ba6bfe140ef80d1af7ef1c9a95f0df SHA512 95851baa699da16720358249d54d2f6a3c57b0ae082375bef228b97697c501c626ab860916c5b17e3c649b44f14f4009ff369962597438dfd60480a0e4882471 WHIRLPOOL 4629b3a7d1f373a678935e889a6cd0d66d70b420e93e40ae0ad19aa7f91be7dcf2169fb797d89df93005a885d54ebaa0d46c2e5418bd2d0a77ad64e65897b518
+EBUILD openssh-7.1_p2-r99.ebuild 10393 SHA256 0eaa7e1064de2d0f0bdc563779fce1dfcfb91c0d1b296e81b43c5c60a3a53f19 SHA512 304f182148f27a7cca36e5ebab0b0db16f814b5c11b0458cd26ba51c1778f5a4f1b5b0650b4a353935cfb023172444b493428c2b0f2bee957e5301934e7b64ca WHIRLPOOL c071539112865fb4d5a965630bafbe3bbd8062aac0b8d76bf3c77bb0cbced3fbddbfdc40aaf76f0e9f7b408fb55408479c3b8d08c017b32210ba089c5d50621d
+MISC metadata.xml 2240 SHA256 1a1ca86748452626c89e6089a0de75155a2919878d8238212f3d460345341ce5 SHA512 1baaf891e3a6922d5b3d130b2330613b45089b921e66f8a03abad069e1b19b5a6b66d013d77a67ca91e53646bb200cf5a3ee4186e614b0393f2e5c41ebe75269 WHIRLPOOL 20652dff4c961f82dc9f3c26dc89ae84121afe185b1a96d24dcad029ae119eb145a15847befdd2a09214d3d1ac311f137258d2a12a57596ebee94cbf17765523
diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000..c81ae5c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,127 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+Index: readconf.c
+===================================================================
+RCS file: /cvs/openssh/readconf.c,v
+retrieving revision 1.135
+diff -u -r1.135 readconf.c
+--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
++++ readconf.c 19 Aug 2006 11:59:52 -0000
+@@ -126,6 +126,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -163,9 +164,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ #else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ { "fallbacktorsh", oDeprecated },
+ { "usersh", oDeprecated },
+@@ -444,6 +447,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1010,6 +1017,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1100,6 +1108,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+Index: readconf.h
+===================================================================
+RCS file: /cvs/openssh/readconf.h,v
+retrieving revision 1.63
+diff -u -r1.63 readconf.h
+--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
++++ readconf.h 19 Aug 2006 11:59:52 -0000
+@@ -45,6 +45,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+Index: ssh_config.5
+===================================================================
+RCS file: /cvs/openssh/ssh_config.5,v
+retrieving revision 1.97
+diff -u -r1.97 ssh_config.5
+--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
++++ ssh_config.5 19 Aug 2006 11:59:53 -0000
+@@ -483,7 +483,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
+-Note that this option applies to protocol version 2 only.
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+Index: sshconnect2.c
+===================================================================
+RCS file: /cvs/openssh/sshconnect2.c,v
+retrieving revision 1.151
+diff -u -r1.151 sshconnect2.c
+--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
++++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
+@@ -499,6 +499,12 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns)
++ gss_host = get_canonical_hostname(1);
++ else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -511,7 +517,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 0000000..fa33af3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status. that is,
+whether it is a beta or release. when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+ * For versions >= 1.0.0, major,minor,status must match and library
+ * fix version must be equal to or newer than the header.
+ */
+- mask = 0xfff0000fL; /* major,minor,status */
++ mask = 0xfff00000L; /* major,minor,status */
+ hfix = (headerver & 0x000ff000) >> 12;
+ lfix = (libver & 0x000ff000) >> 12;
+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
new file mode 100644
index 0000000..a355e2c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
@@ -0,0 +1,33 @@
+https://github.com/openssh/openssh-portable/pull/29
+
+From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 18 Mar 2015 12:37:24 -0400
+Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
+ set
+
+---
+ configure.ac | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b4d6598..7806d20 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2276,10 +2276,10 @@ openssl_engine=no
+ AC_ARG_WITH([ssl-engine],
+ [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
+ [
+- if test "x$openssl" = "xno" ; then
+- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
+- fi
+ if test "x$withval" != "xno" ; then
++ if test "x$openssl" = "xno" ; then
++ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
++ fi
+ openssl_engine=yes
+ fi
+ ]
+--
+2.3.2
+
diff --git a/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch
new file mode 100644
index 0000000..d793f90
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch
@@ -0,0 +1,74 @@
+--- openssh-6.8_p1-sctp.patch.1 2015-08-12 16:01:13.854769013 -0700
++++ openssh-6.8_p1-sctp.patch 2015-08-12 16:00:38.208488789 -0700
+@@ -195,14 +195,6 @@
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+-@@ -178,6 +178,7 @@ For full details of the options listed b
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UpdateHostKeys
+- .It UsePrivilegedPort
+- .It User
+ @@ -218,6 +219,8 @@ and
+ to print debugging messages about their progress.
+ This is helpful in
+@@ -477,19 +469,11 @@
+ .Sh SYNOPSIS
+ .Nm ssh
+ .Bk -words
+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
+ .Op Fl b Ar bind_address
+ .Op Fl c Ar cipher_spec
+ .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -473,6 +473,7 @@ For full details of the options listed b
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UsePrivilegedPort
+ @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
+ controls.
+ .It Fl y
+@@ -501,7 +485,7 @@
+ By default this information is sent to stderr.
+ --- a/ssh.c
+ +++ b/ssh.c
+-@@ -194,12 +194,17 @@ extern int muxserver_sock;
++@@ -194,11 +194,16 @@ extern int muxserver_sock;
+ extern u_int muxclient_command;
+
+ /* Prints a help message to the user. This function never returns. */
+@@ -515,18 +499,17 @@
+ usage(void)
+ {
+ fprintf(stderr,
+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+ " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+ " [-F configfile] [-I pkcs11] [-i identity_file]\n"
+- " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
+ @@ -506,7 +512,7 @@ main(int ac, char **av)
+- argv0 = av[0];
++ # define ENGCONFIG ""
++ #endif
+
+- again:
+-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
+++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
++ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+ switch (opt) {
+ case '1':
+ @@ -732,6 +738,11 @@ main(int ac, char **av)
diff --git a/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch b/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch
new file mode 100644
index 0000000..393ea99
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch
@@ -0,0 +1,11 @@
+--- openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch.orig 2015-08-24 11:17:05.379280954 -0700
++++ openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch 2015-08-24 11:19:30.788424050 -0700
+@@ -80,7 +80,7 @@
+ + else
+ + fatal("Pre-authentication none cipher requests are not allowed.");
+ + }
+- debug("kex: %s %s %s %s",
++ debug("kex: %s cipher: %s MAC: %s compression: %s",
+ ctos ? "client->server" : "server->client",
+ newkeys->enc.name,
+ diff --git a/myproposal.h b/myproposal.h
diff --git a/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch b/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch
new file mode 100644
index 0000000..5124569
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch
@@ -0,0 +1,51 @@
+--- openssh-7.1p2/Makefile.in
++++ openssh-7.1p2/Makefile.in
+@@ -45,7 +45,7 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ K5LIBS=@K5LIBS@
+ GSSLIBS=@GSSLIBS@
+@@ -53,6 +53,7 @@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- openssh-7.1p2/sshconnect.c
++++ openssh-7.1p2/sshconnect.c
+@@ -465,7 +465,7 @@
+ {
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ } else {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+--- openssh-7.1p2/sshd.c
++++ openssh-7.1p2/sshd.c
+@@ -472,8 +472,8 @@
+ comment = "";
+ }
+
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
++ major, minor, SSH_VERSION,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
+--- openssh-7.1p2/version.h
++++ openssh-7.1p2/version.h
+@@ -3,4 +3,5 @@
+ #define SSH_VERSION "OpenSSH_7.1"
+
+ #define SSH_PORTABLE "p2"
++#define SSH_X509 " PKIX"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
new file mode 100644
index 0000000..28952b4
--- /dev/null
+++ b/net-misc/openssh/files/sshd.confd
@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
new file mode 100644
index 0000000..b801aaa
--- /dev/null
+++ b/net-misc/openssh/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
new file mode 100644
index 0000000..34e1970
--- /dev/null
+++ b/net-misc/openssh/files/sshd.rc6.4
@@ -0,0 +1,85 @@
+#!/sbin/runscript
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=/usr/sbin/sshd}
+
+depend() {
+ use logger dns
+ if [ "${rc_need+set}" = "set" ] ; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_addr
+ for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+ case "${x}" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="${warn_addr} ${x}" ;;
+ esac
+ done
+ if [ -n "${warn_addr}" ] ; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "${warn_addr}"
+ fi
+ fi
+}
+
+checkconfig() {
+ if [ ! -d /var/empty ] ; then
+ mkdir -p /var/empty || return 1
+ fi
+
+ if [ ! -e "${SSHD_CONFIG}" ] ; then
+ eerror "You need an ${SSHD_CONFIG} file to run sshd"
+ eerror "There is a sample file in /usr/share/doc/openssh"
+ return 1
+ fi
+
+ ssh-keygen -A || return 1
+
+ [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+ && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+ [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
+ && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
+
+ "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --exec "${SSHD_BINARY}" \
+ --pidfile "${SSHD_PIDFILE}" \
+ -- ${SSHD_OPTS}
+ eend $?
+}
+
+stop() {
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return 1
+ fi
+
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+ --pidfile "${SSHD_PIDFILE}" --quiet
+ eend $?
+}
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+ eend $?
+}
diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
new file mode 100644
index 0000000..b5e96b3
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH server daemon
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
new file mode 100644
index 0000000..94b9533
--- /dev/null
+++ b/net-misc/openssh/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
new file mode 100644
index 0000000..2645ad0
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=syslog
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
new file mode 100644
index 0000000..1d275bd
--- /dev/null
+++ b/net-misc/openssh/metadata.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer restrict="net-misc/openssh[ldap]" type="person">
+ <email>robbat2@gentoo.org</email>
+ <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
+ </maintainer>
+ <maintainer type="project">
+ <email>base-system@gentoo.org</email>
+ <name>Gentoo Base System</name>
+ </maintainer>
+ <longdescription>
+OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
+increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
+rlogin, ftp, and other such programs might not realize that their password is transmitted
+across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
+to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
+Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
+of authentication methods.
+
+The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
+replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
+the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
+ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
+</longdescription>
+ <use>
+ <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
+ <flag name="hpn">Enable high performance ssh</flag>
+ <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
+ <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+ <flag name="sctp">Support for Stream Control Transmission Protocol</flag>
+ <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
+ <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
+ <flag name="X509">Adds support for X.509 certificate authentication</flag>
+ </use>
+ <upstream>
+ <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
+ <remote-id type="sourceforge">hpnssh</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-misc/openssh/openssh-7.1_p2-r99.ebuild b/net-misc/openssh/openssh-7.1_p2-r99.ebuild
new file mode 100644
index 0000000..f53e827
--- /dev/null
+++ b/net-misc/openssh/openssh-7.1_p2-r99.ebuild
@@ -0,0 +1,327 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
+LDAP_PATCH="${PN}-lpk-7.1p2-0.3.14.patch.xz"
+X509_VER="8.7" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
+ ${HPN_PATCH:+hpn? (
+ mirror://gentoo/${HPN_PATCH}
+ mirror://sourceforge/hpnssh/${HPN_PATCH}
+ )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~x86"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
+REQUIRED_USE="ldns? ( ssl )
+ pie? ( !static )
+ ssh1? ( ssl )
+ static? ( !kerberos !pam )
+ X509? ( !ldap ssl )"
+
+LIB_DEPEND="
+ ldns? (
+ net-libs/ldns[static-libs(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ ssl? (
+ !libressl? (
+ >=dev-libs/openssl-0.9.8f:0[bindist=]
+ dev-libs/openssl:0[static-libs(+)]
+ )
+ libressl? ( dev-libs/libressl[static-libs(+)] )
+ )
+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+
+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
+ if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ if use X509 ; then
+ pushd .. >/dev/null
+ if use hpn ; then
+ pushd ${HPN_PATCH%.*.*} >/dev/null
+ epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
+ popd >/dev/null
+ fi
+ epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
+ popd >/dev/null
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
+ save_version X509
+ fi
+ if use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+ epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+ # The X509 patchset fixes this independently.
+ use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
+ epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
+ if use hpn ; then
+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+ epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+src_configure() {
+ addwrite /dev/ptmx
+
+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+ use static && append-ldflags -static
+
+ local myconf=(
+ --without-hardening
+ --with-ldflags="${LDFLAGS}"
+ --disable-strip
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+ --sysconfdir="${EPREFIX}"/etc/ssh
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX}"/var/empty
+ --with-privsep-user=sshd
+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+ # We apply the ldap patch conditionally, so can't pass --without-ldap
+ # unconditionally else we get unknown flag warnings.
+ $(use ldap && use_with ldap)
+ $(use_with ldns)
+ $(use_with libedit)
+ $(use_with pam)
+ $(use_with pie)
+ $(use_with sctp)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with ssh1)
+ $(use_with ssl openssl)
+ $(use_with ssl md5-passwords)
+ $(use_with ssl ssl-engine)
+ )
+
+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+ econf "${myconf[@]}"
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+ keepdir /var/empty
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t tests skipped failed passed shell
+ tests="interop-tests compat-tests"
+ skipped=""
+ shell=$(egetshell ${UID})
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite"
+ elog "requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped="${skipped} tests"
+ else
+ tests="${tests} tests"
+ fi
+ # It will also attempt to write to the homedir .ssh
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in ${tests} ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed="${passed}${t} " \
+ || failed="${failed}${t} "
+ done
+ einfo "Passed tests: ${passed}"
+ ewarn "Skipped tests: ${skipped}"
+ if [[ -n ${failed} ]] ; then
+ ewarn "Failed tests: ${failed}"
+ die "Some tests failed: ${failed}"
+ else
+ einfo "Failed tests: ${failed}"
+ return 0
+ fi
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+ elog "Make sure to update any configs that you might have. Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or ed25519."
+
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
+ elog "out of the box. If you need this, please update your sshd_config explicitly."
+ fi
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
+ elog "and update all clients/servers that utilize them."
+ fi
+}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2017-06-16 13:29 Anthony G. Basile
0 siblings, 0 replies; 6+ messages in thread
From: Anthony G. Basile @ 2017-06-16 13:29 UTC (permalink / raw
To: gentoo-commits
commit: 0d711a943ca5c3290d8c08db1368f152de2c2f8b
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 16 12:15:59 2017 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Jun 16 12:15:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=0d711a94
net-misc/openssh: restrict --without-stackprotector to just i686
Package-Manager: Portage-2.3.5, Repoman-2.3.1
net-misc/openssh/Manifest | 9 +
.../openssh/files/openssh-7.5_p1-GSSAPI-dns.patch | 351 +++++++++++++++++++++
.../openssh/files/openssh-7.5_p1-cross-cache.patch | 39 +++
.../openssh/files/openssh-7.5_p1-x32-typo.patch | 25 ++
net-misc/openssh/openssh-7.5_p1-r1.ebuild | 336 ++++++++++++++++++++
5 files changed, 760 insertions(+)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 858bae0..eb543f6 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -9,6 +9,9 @@ AUX openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch 7005 SHA256 44ae73966a98
AUX openssh-7.3_p1-hpn-x509-9.2-glue.patch 1611 SHA256 7d04d19e62e688c9c12c25fd479933dd2c707f838ac810263dd1dc79a5ff55f1 SHA512 3604f0f1ea6c74b8418ac158df47910dfb2d54c7ce77f78f1a6c072acd20dc5751e24156acd9dda02aecaac250f43c8d968382f2f4b15b4706e4c4bde8ebde9a WHIRLPOOL b327a94c5b37da296caaa925bf13adf81ab3a53dffe691b33010b89b07366445613e553b4f486bacab658e2dcec143971001b4158f493e9b7e5bd427f0e072fb
AUX openssh-7.3_p1-sctp-x509-glue.patch 2447 SHA256 a6758b9bff99022b1aa1bc729fcdcc8e4e91d0a617c903d72964cc1fca1ea061 SHA512 f48c2bba7707542741e52f5d794aaafe4468d088e28bc02878c0eb9aa76d31b57dca69b85705f7a9a2d745272df3fdc39a1d13ba337cab34dd0e9d545cee7d41 WHIRLPOOL 77e2574065a78a0f7014213f5e5d64651d41f24c7652542589f1106a6a114cf27d9922ef2cddee9e62c0f0f118691d91ebe9dc4a0ae04654843f18bdd20e2cef
AUX openssh-7.3_p1-x509-9.2-warnings.patch 3060 SHA256 e7963f4946db01390831ee07a49c3a2291518b06144e95cfc47326c7209fa2e3 SHA512 f029d6f922e1632b32ac6e7b627378854f78c9d9b828dde37273b1b1a09167273fc6934bcb0653209b9e5ffd06c95d564d1bf5f1ea745993e19b062a4532f1c0 WHIRLPOOL cd4eb68bf861a50e9452c453c903946b8d067fd00171d39c6bad797d20c07631cda2379d9e41246bc93b22252a8d1bd55186e13ba492c7b8cf94048910f3a8a9
+AUX openssh-7.5_p1-GSSAPI-dns.patch 11137 SHA256 e0b256646651edd7a4bf60ebe4cf2021d85a5f8f3d30393bd499655c0b0c64c1 SHA512 f84e1d3fdda7a534d9351884caaefc136be7599e735200f0393db0acad03a57abe6585f9402018b50e3454e6842c3281d630120d479ff819f591c4693252dd0e WHIRLPOOL 000276fe1e0cc9ac33da8974cc6e24803a69b3d63c20096a92d6d10206c6e27110bdcaa26c0dbd2e0d0feb501681a738d5adb9d57ae21c7c55f67396f8b26c0e
+AUX openssh-7.5_p1-cross-cache.patch 1220 SHA256 693c6e28d4c1da71c67b64ef25d286f0d5128f9aebb3450283fa9ce6887186a7 SHA512 03cf3b5556fcf43c7053d1550c8aa35189759a0a2274a67427b28176ba7938b8d0019992de25fb614dc556c5f45a67649bb5d2d82889ac2c37edd986fc632550 WHIRLPOOL f7a04e19816cadce138a0beec4f1ad5f975773a1802fd1db245846ce8d5d6ec5ddfdcfa099e391172457a29eedb30c416dfa7bf4a56e99cfe507be00d2e1e718
+AUX openssh-7.5_p1-x32-typo.patch 772 SHA256 17f2baad36e5b6d270d7377db4ebdf157f2eb3bc99d596c32a47d584a1040307 SHA512 20d19301873d4b8e908527f462f40c2f4a513d0bb89d4c7b885f9fc7eb5d483eea544eb108d87ff6aaa3d988d360c2029910c18f7125c96e8367485553f59a5e WHIRLPOOL 5141fd3a19575593f84890aaa84123373ffb81aa3e860cda2468c7578754acf0a5d8ce0ea9c5ab25a83574ad5b272b9240cdcb29724c3b7cbdc059518da8c609
AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
AUX sshd.rc6.4 2108 SHA256 43a483014bf177f9238e54a7b8210d5a76830beb67c18999409e543fd744c9e4 SHA512 fe58e950514743a72467233ff2f2a63112c50e5db843d61e141a5ca3dd8ef8f42a616cd9de7748ae582054c47c2cc38ce48b638e2d88be39c1387f77e79c83e1 WHIRLPOOL ef30b1e3a118b40617e3c1de6b4ebb360f466e90e18157a08d0ed50a4acb488eb7f6159120525e2b7e85393cd19b062c97188460ea51959467eb6ab52632d064
@@ -19,6 +22,12 @@ DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 0bbbfeb1f9f975ad591ed4ec7
DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
+DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
+DIST openssh-7.5p1+x509-10.1.diff.gz 460721 SHA256 e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2 SHA512 d3b5a8f5e3a88eda7989b002236811867b7e2c39bf7cd29a6dbbce277fca3fbedbfdbeaf1fba7d8c19f3dea32a17790e90604765f18576bcc5627a9c1d39109c WHIRLPOOL 2d4f96b47bcde9eabd19cad2fdc4da01a3d207f6ad5f4f1ea5a7dbd708d61783ae6a53e4cb622feed838106f57dbe6a7ecd1b41426325870378caf44803ff9ef
+DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 SHA256 8a1ed99c121a4ad21d7a26cd32627a8dd51595fd3ee9f95dc70e6b50fe779ce2 SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9 WHIRLPOOL 6089ad8ae16c112a6f15d168c092e7f057b9e6d815724346b5a6a1cd0de932f779d5f410d48c904d935fcb3bad3f597fa4de075ab1f49cadc9842ce7bd8fdf42
+DIST openssh-7.5p1.tar.gz 1510857 SHA256 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81 WHIRLPOOL 1a42c68d8e350bc4790dd4c1a98dd6571bfa353ad6871b1462c53b6412f752719daabd1a13bb4434d294de966a00428ac66334bab45f371420029b5e34a6914c
DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
+DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 SHA256 11060be996b291b8d78de698c68a92428430e4ff440553f5045c6de5c0e1dab3 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b WHIRLPOOL 58526777475786bb5efa193f3a3ec0500c4d48b18fef67698f8b1999cb07f04fbca7b7d3ece469f3a1e1ceca5152cdd08d3dbe7cfa4e7494740dc2c233101b93
EBUILD openssh-7.3_p1-r7.ebuild 11605 SHA256 9e0c2be8c1053141a64150e7254bec720d5100435ef56bcb6408346d80881285 SHA512 24719eaadbe2089cd7c58e878a5a8b4e3da2468ff4282d7278021408676cb549dcf993aa0f770076d1144adacc3d98e8264699680a3ab637e02cbc40057da6bd WHIRLPOOL 06e438e61d120e3274212a594881843866d32b8b5b2410d58557116eaed0f8be1b3d6dcfda9ad63fab4950427c8213e94a340e641693cc889b5d3e14027eba54
+EBUILD openssh-7.5_p1-r1.ebuild 11110 SHA256 c0d2f65e5c84dedc85fd3fb7380d2c7ca58956739a70b53d1610da570d5aab54 SHA512 36762d3840473ac618b33c3e3448f8ea9542c461141f2f3e09aff53696e2382ded01c84bcb149d16f3d819a35acb19bb4e0d6e22f204d2f92d6ec25414a923af WHIRLPOOL 65e08f3165655bd719d301efc3f9e901e4d409815d7631d9eb6110114a0f4b9028cdc2e5339de6fc452b698d5c34c191b4acebe4c3222d67a2d0022eb8b34d26
MISC metadata.xml 2212 SHA256 50f6e3651c8aeb86cfe90d92cef6a2b55640c400584f5fdbb6418cef7ac16f25 SHA512 958845fbdfb4f1d267fdbc3a005c6338da54c6a0715180a1982416a841ab4865c536de5f10bb8493d07830e182786d0c3f2ac710c9168434b3d077a59ed2ddd5 WHIRLPOOL 6d1080bc5c3b10a63836b5286d0d66b925a9d27d35e9855c9f966445458c1d6a752854d019c1740420ea78aef6f60105bef4c771fe61a95aae898034cf100705
diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000..6b1e6dd
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
@@ -0,0 +1,351 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/readconf.c
++++ b/readconf.c
+@@ -148,6 +148,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ # else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ { "smartcarddevice", oPKCS11Provider },
+@@ -930,6 +933,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1649,6 +1656,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -46,6 +46,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -656,6 +656,13 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns) {
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++ gss_host = auth_get_canonical_hostname(active_state, 1);
++ } else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -668,7 +674,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
+
+need to move these two funcs back to canohost so they're available to clients
+and the server. auth.c is only used in the server.
+
+--- a/auth.c
++++ b/auth.c
+@@ -784,117 +784,3 @@ fakepw(void)
+
+ return (&fake);
+ }
+-
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+- struct sockaddr_storage from;
+- socklen_t fromlen;
+- struct addrinfo hints, *ai, *aitop;
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+- const char *ntop = ssh_remote_ipaddr(ssh);
+-
+- /* Get IP address of client. */
+- fromlen = sizeof(from);
+- memset(&from, 0, sizeof(from));
+- if (getpeername(ssh_packet_get_connection_in(ssh),
+- (struct sockaddr *)&from, &fromlen) < 0) {
+- debug("getpeername failed: %.100s", strerror(errno));
+- return strdup(ntop);
+- }
+-
+- ipv64_normalise_mapped(&from, &fromlen);
+- if (from.ss_family == AF_INET6)
+- fromlen = sizeof(struct sockaddr_in6);
+-
+- debug3("Trying to reverse map address %.100s.", ntop);
+- /* Map the IP address to a host name. */
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+- NULL, 0, NI_NAMEREQD) != 0) {
+- /* Host name not found. Use ip address. */
+- return strdup(ntop);
+- }
+-
+- /*
+- * if reverse lookup result looks like a numeric hostname,
+- * someone is trying to trick us by PTR record like following:
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+- hints.ai_flags = AI_NUMERICHOST;
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+- name, ntop);
+- freeaddrinfo(ai);
+- return strdup(ntop);
+- }
+-
+- /* Names are stored in lowercase. */
+- lowercase(name);
+-
+- /*
+- * Map it back to an IP address and check that the given
+- * address actually is an address of this host. This is
+- * necessary because anyone with access to a name server can
+- * define arbitrary names for an IP address. Mapping from
+- * name to IP address can be trusted better (but can still be
+- * fooled if the intruder has access to the name server of
+- * the domain).
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = from.ss_family;
+- hints.ai_socktype = SOCK_STREAM;
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+- logit("reverse mapping checking getaddrinfo for %.700s "
+- "[%s] failed.", name, ntop);
+- return strdup(ntop);
+- }
+- /* Look for the address from the list of addresses. */
+- for (ai = aitop; ai; ai = ai->ai_next) {
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+- (strcmp(ntop, ntop2) == 0))
+- break;
+- }
+- freeaddrinfo(aitop);
+- /* If we reached the end of the list, the address was not there. */
+- if (ai == NULL) {
+- /* Address not found for the host name. */
+- logit("Address %.100s maps to %.600s, but this does not "
+- "map back to the address.", ntop, name);
+- return strdup(ntop);
+- }
+- return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection. The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+- static char *dnsname;
+-
+- if (!use_dns)
+- return ssh_remote_ipaddr(ssh);
+- else if (dnsname != NULL)
+- return dnsname;
+- else {
+- dnsname = remote_hostname(ssh);
+- return dnsname;
+- }
+-}
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++ struct sockaddr_storage from;
++ socklen_t fromlen;
++ struct addrinfo hints, *ai, *aitop;
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++ const char *ntop = ssh_remote_ipaddr(ssh);
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getpeername(ssh_packet_get_connection_in(ssh),
++ (struct sockaddr *)&from, &fromlen) < 0) {
++ debug("getpeername failed: %.100s", strerror(errno));
++ return strdup(ntop);
++ }
++
++ ipv64_normalise_mapped(&from, &fromlen);
++ if (from.ss_family == AF_INET6)
++ fromlen = sizeof(struct sockaddr_in6);
++
++ debug3("Trying to reverse map address %.100s.", ntop);
++ /* Map the IP address to a host name. */
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++ NULL, 0, NI_NAMEREQD) != 0) {
++ /* Host name not found. Use ip address. */
++ return strdup(ntop);
++ }
++
++ /*
++ * if reverse lookup result looks like a numeric hostname,
++ * someone is trying to trick us by PTR record like following:
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++ name, ntop);
++ freeaddrinfo(ai);
++ return strdup(ntop);
++ }
++
++ /* Names are stored in lowercase. */
++ lowercase(name);
++
++ /*
++ * Map it back to an IP address and check that the given
++ * address actually is an address of this host. This is
++ * necessary because anyone with access to a name server can
++ * define arbitrary names for an IP address. Mapping from
++ * name to IP address can be trusted better (but can still be
++ * fooled if the intruder has access to the name server of
++ * the domain).
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = from.ss_family;
++ hints.ai_socktype = SOCK_STREAM;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++ logit("reverse mapping checking getaddrinfo for %.700s "
++ "[%s] failed.", name, ntop);
++ return strdup(ntop);
++ }
++ /* Look for the address from the list of addresses. */
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++ (strcmp(ntop, ntop2) == 0))
++ break;
++ }
++ freeaddrinfo(aitop);
++ /* If we reached the end of the list, the address was not there. */
++ if (ai == NULL) {
++ /* Address not found for the host name. */
++ logit("Address %.100s maps to %.600s, but this does not "
++ "map back to the address.", ntop, name);
++ return strdup(ntop);
++ }
++ return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection. The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++ static char *dnsname;
++
++ if (!use_dns)
++ return ssh_remote_ipaddr(ssh);
++ else if (dnsname != NULL)
++ return dnsname;
++ else {
++ dnsname = remote_hostname(ssh);
++ return dnsname;
++ }
++}
diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
new file mode 100644
index 0000000..1c2b7b8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
@@ -0,0 +1,39 @@
+From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@chromium.org>
+Date: Wed, 24 May 2017 23:18:41 -0400
+Subject: [PATCH] configure: actually set cache vars when cross-compiling
+
+The cross-compiling fallback message says it's assuming the test
+passed, but it didn't actually set the cache var which causes
+later tests to fail.
+---
+ configure.ac | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 5cfea38c0a6c..895c5211ea93 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
+ select_works_with_rlimit=yes],
+ [AC_MSG_RESULT([no])
+ select_works_with_rlimit=no],
+- [AC_MSG_WARN([cross compiling: assuming yes])]
++ [AC_MSG_WARN([cross compiling: assuming yes])
++ select_works_with_rlimit=yes]
+ )
+
+ AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
+@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
+ rlimit_nofile_zero_works=yes],
+ [AC_MSG_RESULT([no])
+ rlimit_nofile_zero_works=no],
+- [AC_MSG_WARN([cross compiling: assuming yes])]
++ [AC_MSG_WARN([cross compiling: assuming yes])
++ rlimit_nofile_zero_works=yes]
+ )
+
+ AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
+--
+2.12.0
+
diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
new file mode 100644
index 0000000..5dca1b0
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
@@ -0,0 +1,25 @@
+From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 20 Mar 2017 14:57:40 -0400
+Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
+
+---
+ sandbox-seccomp-filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3a1aedce72c2..a8d472a63ccb 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
+ * x86-64 syscall under some circumstances, e.g.
+ * https://bugs.debian.org/849923
+ */
+- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
++ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
+ #endif
+
+ /* Default deny */
+--
+2.12.0
+
diff --git a/net-misc/openssh/openssh-7.5_p1-r1.ebuild b/net-misc/openssh/openssh-7.5_p1-r1.ebuild
new file mode 100644
index 0000000..f1194dc
--- /dev/null
+++ b/net-misc/openssh/openssh-7.5_p1-r1.ebuild
@@ -0,0 +1,336 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
+SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
+X509_VER="10.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+ ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+ pie? ( !static )
+ ssh1? ( ssl )
+ static? ( !kerberos !pam )
+ X509? ( !ldap !sctp ssl )
+ test? ( ssl )"
+
+LIB_DEPEND="
+ audit? ( sys-process/audit[static-libs(+)] )
+ ldns? (
+ net-libs/ldns[static-libs(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ libedit? ( dev-libs/libedit:=[static-libs(+)] )
+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ ssl? (
+ !libressl? (
+ >=dev-libs/openssl-1.0.1:0=[bindist=]
+ dev-libs/openssl:0=[static-libs(+)]
+ )
+ libressl? ( dev-libs/libressl:0=[static-libs(+)] )
+ )
+ >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+RDEPEND="
+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_pretend() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+
+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
+ if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ if use X509 ; then
+ if use hpn ; then
+ pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
+ epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
+ popd >/dev/null
+ fi
+ save_version X509
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ use libressl && epatch "${FILESDIR}"/${PN}-7.5p1-x509-libressl.patch
+ fi
+
+ if use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+
+ epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+ epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
+ use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+ use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
+ use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+ if use hpn ; then
+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+ epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ # _XOPEN_SOURCE causes header conflicts on Solaris
+ [[ ${CHOST} == *-solaris* ]] && sed_args+=(
+ -e 's/-D_XOPEN_SOURCE//'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+src_configure() {
+ addwrite /dev/ptmx
+
+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+ use static && append-ldflags -static
+
+ local myconf=(
+ --with-ldflags="${LDFLAGS}"
+ --disable-strip
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+ --sysconfdir="${EPREFIX}"/etc/ssh
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX}"/var/empty
+ --with-privsep-user=sshd
+ $(use_with audit audit linux)
+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+ # We apply the ldap patch conditionally, so can't pass --without-ldap
+ # unconditionally else we get unknown flag warnings.
+ $(use ldap && use_with ldap)
+ $(use_with ldns)
+ $(use_with libedit)
+ $(use_with pam)
+ $(use_with pie)
+ $(use X509 || use_with sctp)
+ $(use_with selinux)
+ $(use_with skey)
+ $(use_with ssh1)
+ $(use_with ssl openssl)
+ $(use_with ssl md5-passwords)
+ $(use_with ssl ssl-engine)
+ )
+
+ if [[ $(tc-arch) == x86 ]]; then
+ myconf+=( --without-stackprotect)
+ fi
+
+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+ econf "${myconf[@]}"
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ if use livecd ; then
+ sed -i \
+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+ "${ED}"/etc/ssh/sshd_config || die
+ fi
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc CREDITS OVERVIEW README* TODO sshd_config
+ use X509 || dodoc ChangeLog
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t skipped=() failed=() passed=()
+ local tests=( interop-tests compat-tests )
+
+ local shell=$(egetshell "${UID}")
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped+=( tests )
+ else
+ tests+=( tests )
+ fi
+
+ # It will also attempt to write to the homedir .ssh.
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in "${tests[@]}" ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" HOME="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed+=( "${t}" ) \
+ || failed+=( "${t}" )
+ done
+
+ einfo "Passed tests: ${passed[*]}"
+ [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+ [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+ elog "Make sure to update any configs that you might have. Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or ed25519."
+
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
+ elog "out of the box. If you need this, please update your sshd_config explicitly."
+ fi
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
+ elog "and update all clients/servers that utilize them."
+ fi
+}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-06-15 9:04 Anthony G. Basile
0 siblings, 0 replies; 6+ messages in thread
From: Anthony G. Basile @ 2018-06-15 9:04 UTC (permalink / raw
To: gentoo-commits
commit: 71699a51c170e05dd92e6b79f7dedb2f8b50f0fb
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 15 09:03:59 2018 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Jun 15 09:03:59 2018 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=71699a51
net-misc/openssh: sync with tree
Package-Manager: Portage-2.3.40, Repoman-2.3.9
RepoMan-Options: --force
net-misc/openssh/Manifest | 10 +-
.../files/openssh-7.3-mips-seccomp-n32.patch | 21 --
.../openssh/files/openssh-7.3_p1-GSSAPI-dns.patch | 351 ---------------------
.../files/openssh-7.3_p1-NEWKEYS_null_deref.patch | 29 --
...egister-the-KEXINIT-handler-after-receive.patch | 32 --
...ssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch | 34 --
.../openssh-7.3_p1-hpn-12-x509-9.2-glue.patch | 39 ---
...ssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch | 245 --------------
.../files/openssh-7.3_p1-hpn-x509-9.2-glue.patch | 41 ---
.../files/openssh-7.3_p1-sctp-x509-glue.patch | 67 ----
.../files/openssh-7.3_p1-x509-9.2-warnings.patch | 109 -------
.../files/openssh-7.5_p1-CVE-2017-15906.patch | 31 --
.../openssh/files/openssh-7.5_p1-cross-cache.patch | 39 ---
...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 ++
.../openssh/files/openssh-7.5_p1-x32-typo.patch | 25 --
...I-dns.patch => openssh-7.7_p1-GSSAPI-dns.patch} | 224 ++++++-------
net-misc/openssh/files/sshd-r1.confd | 33 ++
net-misc/openssh/files/sshd.confd | 21 --
net-misc/openssh/files/sshd.rc6.4 | 84 -----
net-misc/openssh/files/sshd.rc6.5 | 89 ++++++
...h-7.5_p1-r4.ebuild => openssh-7.7_p1-r4.ebuild} | 309 ++++++++++++------
21 files changed, 464 insertions(+), 1389 deletions(-)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index bda2277..8ec1580 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,5 +1,5 @@
-DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
-DIST openssh-7.5p1+x509-10.2.diff.gz 467040 SHA256 24d5c1949d245b432abf2db6c28554a09bcffdcb4f4247826c0a33bdbee8b92c SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a WHIRLPOOL 3291a3e39b1a47efe149cdf805de11217fd55c4260477f2a6c6cc0bfa376b98a5dc7f56a49ae184fb57bae6226c73d1794db7b2285e3ea26a8fea4bc9304655b
-DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 SHA256 8a1ed99c121a4ad21d7a26cd32627a8dd51595fd3ee9f95dc70e6b50fe779ce2 SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9 WHIRLPOOL 6089ad8ae16c112a6f15d168c092e7f057b9e6d815724346b5a6a1cd0de932f779d5f410d48c904d935fcb3bad3f597fa4de075ab1f49cadc9842ce7bd8fdf42
-DIST openssh-7.5p1.tar.gz 1510857 SHA256 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81 WHIRLPOOL 1a42c68d8e350bc4790dd4c1a98dd6571bfa353ad6871b1462c53b6412f752719daabd1a13bb4434d294de966a00428ac66334bab45f371420029b5e34a6914c
-DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 SHA256 11060be996b291b8d78de698c68a92428430e4ff440553f5045c6de5c0e1dab3 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b WHIRLPOOL 58526777475786bb5efa193f3a3ec0500c4d48b18fef67698f8b1999cb07f04fbca7b7d3ece469f3a1e1ceca5152cdd08d3dbe7cfa4e7494740dc2c233101b93
+DIST openssh-7.7p1-hpnssh14v15-gentoo1.patch.xz 22060 BLAKE2B 81a7f3d1346718c154b39920c126eb0b00ae43f1369d882b8a1bd0b885668805639d869581fb49a8e7c67b61d72a904fde45841e4396af426b136d6d2f0a0dc3 SHA512 7b437bc061677aeabe561ad74bb19bc6f85369119ad8a92fb430fb5c1394c2bb3afd472ee66b285362b2041f871c56633dc94fec33cb062c6b1817d63c1d4a78
+DIST openssh-7.7p1-patches-1.1.tar.xz 16476 BLAKE2B fca2885a9e29faec40700ece37a995ba83e40bd2a6875129a5327770d8ee43663a7c063de33b4653994ed7332adb03730f613c047550d874190b95c66e2e9efa SHA512 aa5e33ce4bb4be16abf27ac1bade1dc85c51d82002be546402e0b8b0685de3ec7029f0f56bf1295ec346eb3960a6bed7cfc882722e57957a19a732f3174b3039
+DIST openssh-7.7p1-sctp-1.0.patch.xz 7380 BLAKE2B 6ad40972ece131ff148ede6ba94d63bffc606e0bcabb959d4c9056196cb6f4fddc285f97d7b49b73fde7ee84e3c981c07bddb058ad88eb7c7c2fe716e657c630 SHA512 bc5f50805ba25415f93f61b6654e5bcbaef673b0af48d339116ca9c94b6152afae294c5a9144adeb40190da97c2fc73b43e3ac7ac34feb4a647628327a7cac0a
+DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
+DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
deleted file mode 100644
index 7eaadaf..0000000
--- a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/591392
-https://bugzilla.mindrot.org/show_bug.cgi?id=2590
-
-7.3 added seccomp support to MIPS, but failed to handled the N32
-case. This patch is temporary until upstream fixes.
-
---- openssh-7.3p1/configure.ac
-+++ openssh-7.3p1/configure.ac
-@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL
- ;;
- mips64-*)
-- seccomp_audit_arch=AUDIT_ARCH_MIPS64
-+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
- ;;
- mips64el-*)
-- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
-+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
- ;;
- esac
- if test "x$seccomp_audit_arch" != "x" ; then
diff --git a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
deleted file mode 100644
index 806b36d..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- #else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- { "fallbacktorsh", oDeprecated },
- { "usersh", oDeprecated },
-@@ -930,6 +933,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1649,6 +1656,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(active_state, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -668,7 +674,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server. auth.c is only used in the server.
-
---- a/auth.c
-+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
-
- return (&fake);
- }
--
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) < 0) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return strdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return strdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return strdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return strdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return strdup(ntop);
-- }
-- return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) < 0) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return strdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return strdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return strdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return strdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return strdup(ntop);
-+ }
-+ return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}
diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
deleted file mode 100644
index 784cd2a..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-https://bugs.gentoo.org/595342
-
-Backport of
-https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
-
---- openssh-7.3p1/kex.c
-+++ openssh-7.3p1/kex.c
-@@ -419,6 +419,8 @@
- ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
- if ((r = sshpkt_get_end(ssh)) != 0)
- return r;
-+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
-+ return r;
- kex->done = 1;
- sshbuf_reset(kex->peer);
- /* sshbuf_reset(kex->my); */
---- openssh-7.3p1/packet.c
-+++ openssh-7.3p1/packet.c
-@@ -1919,9 +1919,7 @@
- return r;
- return SSH_ERR_PROTOCOL_ERROR;
- }
-- if (*typep == SSH2_MSG_NEWKEYS)
-- r = ssh_set_newkeys(ssh, MODE_IN);
-- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
-+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
- r = ssh_packet_enable_delayed_compress(ssh);
- else
- r = 0;
diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
deleted file mode 100644
index 8603601..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-https://bugs.gentoo.org/597360
-
-From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
-From: "markus@openbsd.org" <markus@openbsd.org>
-Date: Mon, 10 Oct 2016 19:28:48 +0000
-Subject: [PATCH] upstream commit
-
-Unregister the KEXINIT handler after message has been
-received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
-allocation of up to 128MB -- until the connection is closed. Reported by
-shilei-c at 360.cn
-
-Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
----
- kex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/kex.c b/kex.c
-index 3f97f8c00919..6a94bc535bd7 100644
---- a/kex.c
-+++ b/kex.c
-@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
- if (kex == NULL)
- return SSH_ERR_INVALID_ARGUMENT;
-
-+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
- ptr = sshpkt_ptr(ssh, &dlen);
- if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
- return r;
---
-2.11.0.rc2
-
diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
deleted file mode 100644
index 7fb0d80..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://bugs.gentoo.org/592122
-
-From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
-From: "dtucker@openbsd.org" <dtucker@openbsd.org>
-Date: Wed, 3 Aug 2016 04:23:55 +0000
-Subject: [PATCH] upstream commit
-
-Fix bug introduced in rev 1.467 which causes
-"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
-and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
-2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
-ok deraadt@
-
-Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
----
- sshd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sshd.c b/sshd.c
-index 799c7711f49c..9fc829a91bc8 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- } else
- #endif
-- if ((r = sshbuf_put_u32(m, 1)) != 0)
-+ if ((r = sshbuf_put_u32(m, 0)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-
- #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
---
-2.11.0.rc2
-
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
deleted file mode 100644
index 0602307..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
-+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
-@@ -1155,7 +1155,7 @@
- @@ -44,7 +44,7 @@
- LD=@LD@
- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
---- a/0004-support-dynamically-sized-receive-buffers.patch
-+++ b/0004-support-dynamically-sized-receive-buffers.patch
-@@ -2144,9 +2144,9 @@
- @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
-++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -2163,9 +2163,9 @@
- @@ -432,7 +432,7 @@
- }
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
--- major, minor, SSH_VERSION,
--+ major, minor, SSH_RELEASE,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+- major, minor, SSH_VERSION, comment,
-++ major, minor, SSH_RELEASE, comment,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
-
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
deleted file mode 100644
index 9cc7b61..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
-index fdc9b2f..300cd90 100644
---- a/cipher-ctr-mt.c
-+++ b/cipher-ctr-mt.c
-@@ -127,7 +127,7 @@ struct kq {
- u_char keys[KQLEN][AES_BLOCK_SIZE];
- u_char ctr[AES_BLOCK_SIZE];
- u_char pad0[CACHELINE_LEN];
-- volatile int qstate;
-+ int qstate;
- pthread_mutex_t lock;
- pthread_cond_t cond;
- u_char pad1[CACHELINE_LEN];
-@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
- STATS_STRUCT(stats);
- u_char aes_counter[AES_BLOCK_SIZE];
- pthread_t tid[CIPHER_THREADS];
-+ pthread_rwlock_t tid_lock;
-+#ifdef __APPLE__
-+ pthread_rwlock_t stop_lock;
-+ int exit_flag;
-+#endif /* __APPLE__ */
- int state;
- int qidx;
- int ridx;
-@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
- pthread_mutex_unlock((pthread_mutex_t *)x);
- }
-
-+#ifdef __APPLE__
-+/* Check if we should exit, we are doing both cancel and exit condition
-+ * since on OSX threads seem to occasionally fail to notice when they have
-+ * been cancelled. We want to have a backup to make sure that we won't hang
-+ * when the main process join()-s the cancelled thread.
-+ */
-+static void
-+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
-+{
-+ int exit_flag;
-+
-+ pthread_rwlock_rdlock(&c->stop_lock);
-+ exit_flag = c->exit_flag;
-+ pthread_rwlock_unlock(&c->stop_lock);
-+
-+ if (exit_flag)
-+ pthread_exit(NULL);
-+}
-+#else
-+# define thread_loop_check_exit(s)
-+#endif /* __APPLE__ */
-+
-+/*
-+ * Helper function to terminate the helper threads
-+ */
-+static void
-+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
-+{
-+ int i;
-+
-+#ifdef __APPLE__
-+ /* notify threads that they should exit */
-+ pthread_rwlock_wrlock(&c->stop_lock);
-+ c->exit_flag = TRUE;
-+ pthread_rwlock_unlock(&c->stop_lock);
-+#endif /* __APPLE__ */
-+
-+ /* Cancel pregen threads */
-+ for (i = 0; i < CIPHER_THREADS; i++) {
-+ pthread_cancel(c->tid[i]);
-+ }
-+ for (i = 0; i < NUMKQ; i++) {
-+ pthread_mutex_lock(&c->q[i].lock);
-+ pthread_cond_broadcast(&c->q[i].cond);
-+ pthread_mutex_unlock(&c->q[i].lock);
-+ }
-+ for (i = 0; i < CIPHER_THREADS; i++) {
-+ pthread_join(c->tid[i], NULL);
-+ }
-+}
-+
- /*
- * The life of a pregen thread:
- * Find empty keystream queues and fill them using their counter.
-@@ -201,6 +257,7 @@ thread_loop(void *x)
- struct kq *q;
- int i;
- int qidx;
-+ pthread_t first_tid;
-
- /* Threads stats on cancellation */
- STATS_INIT(stats);
-@@ -211,11 +268,15 @@ thread_loop(void *x)
- /* Thread local copy of AES key */
- memcpy(&key, &c->aes_ctx, sizeof(key));
-
-+ pthread_rwlock_rdlock(&c->tid_lock);
-+ first_tid = c->tid[0];
-+ pthread_rwlock_unlock(&c->tid_lock);
-+
- /*
- * Handle the special case of startup, one thread must fill
- * the first KQ then mark it as draining. Lock held throughout.
- */
-- if (pthread_equal(pthread_self(), c->tid[0])) {
-+ if (pthread_equal(pthread_self(), first_tid)) {
- q = &c->q[0];
- pthread_mutex_lock(&q->lock);
- if (q->qstate == KQINIT) {
-@@ -245,12 +306,16 @@ thread_loop(void *x)
- /* Check if I was cancelled, also checked in cond_wait */
- pthread_testcancel();
-
-+ /* Check if we should exit as well */
-+ thread_loop_check_exit(c);
-+
- /* Lock queue and block if its draining */
- q = &c->q[qidx];
- pthread_mutex_lock(&q->lock);
- pthread_cleanup_push(thread_loop_cleanup, &q->lock);
- while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
- STATS_WAIT(stats);
-+ thread_loop_check_exit(c);
- pthread_cond_wait(&q->cond, &q->lock);
- }
- pthread_cleanup_pop(0);
-@@ -268,6 +333,7 @@ thread_loop(void *x)
- * can see that it's being filled.
- */
- q->qstate = KQFILLING;
-+ pthread_cond_broadcast(&q->cond);
- pthread_mutex_unlock(&q->lock);
- for (i = 0; i < KQLEN; i++) {
- AES_encrypt(q->ctr, q->keys[i], &key);
-@@ -279,7 +345,7 @@ thread_loop(void *x)
- ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
- q->qstate = KQFULL;
- STATS_FILL(stats);
-- pthread_cond_signal(&q->cond);
-+ pthread_cond_broadcast(&q->cond);
- pthread_mutex_unlock(&q->lock);
- }
-
-@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- pthread_cond_wait(&q->cond, &q->lock);
- }
- q->qstate = KQDRAINING;
-+ pthread_cond_broadcast(&q->cond);
- pthread_mutex_unlock(&q->lock);
-
- /* Mark consumed queue empty and signal producers */
-@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-
- if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
- c = xmalloc(sizeof(*c));
-+ pthread_rwlock_init(&c->tid_lock, NULL);
-+#ifdef __APPLE__
-+ pthread_rwlock_init(&c->stop_lock, NULL);
-+ c->exit_flag = FALSE;
-+#endif /* __APPLE__ */
-
- c->state = HAVE_NONE;
- for (i = 0; i < NUMKQ; i++) {
-@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- }
-
- if (c->state == (HAVE_KEY | HAVE_IV)) {
-- /* Cancel pregen threads */
-- for (i = 0; i < CIPHER_THREADS; i++)
-- pthread_cancel(c->tid[i]);
-- for (i = 0; i < CIPHER_THREADS; i++)
-- pthread_join(c->tid[i], NULL);
-+ /* tell the pregen threads to exit */
-+ stop_and_join_pregen_threads(c);
-+
-+#ifdef __APPLE__
-+ /* reset the exit flag */
-+ c->exit_flag = FALSE;
-+#endif /* __APPLE__ */
-+
- /* Start over getting key & iv */
- c->state = HAVE_NONE;
- }
-@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
- /* Start threads */
- for (i = 0; i < CIPHER_THREADS; i++) {
- debug("spawned a thread");
-+ pthread_rwlock_wrlock(&c->tid_lock);
- pthread_create(&c->tid[i], NULL, thread_loop, c);
-+ pthread_rwlock_unlock(&c->tid_lock);
- }
- pthread_mutex_lock(&c->q[0].lock);
-- while (c->q[0].qstate != KQDRAINING)
-+ while (c->q[0].qstate == KQINIT)
- pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
- pthread_mutex_unlock(&c->q[0].lock);
- }
-@@ -461,15 +538,10 @@ void
- ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
- {
- struct ssh_aes_ctr_ctx *c;
-- int i;
-+
- c = EVP_CIPHER_CTX_get_app_data(ctx);
-- /* destroy threads */
-- for (i = 0; i < CIPHER_THREADS; i++) {
-- pthread_cancel(c->tid[i]);
-- }
-- for (i = 0; i < CIPHER_THREADS; i++) {
-- pthread_join(c->tid[i], NULL);
-- }
-+
-+ stop_and_join_pregen_threads(c);
- }
-
- void
-@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
- /* reconstruct threads */
- for (i = 0; i < CIPHER_THREADS; i++) {
- debug("spawned a thread");
-+ pthread_rwlock_wrlock(&c->tid_lock);
- pthread_create(&c->tid[i], NULL, thread_loop, c);
-+ pthread_rwlock_unlock(&c->tid_lock);
- }
- }
-
-@@ -489,18 +563,13 @@ static int
- ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
- {
- struct ssh_aes_ctr_ctx *c;
-- int i;
-
- if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
- #ifdef CIPHER_THREAD_STATS
- debug("main thread: %u drains, %u waits", c->stats.drains,
- c->stats.waits);
- #endif
-- /* Cancel pregen threads */
-- for (i = 0; i < CIPHER_THREADS; i++)
-- pthread_cancel(c->tid[i]);
-- for (i = 0; i < CIPHER_THREADS; i++)
-- pthread_join(c->tid[i], NULL);
-+ stop_and_join_pregen_threads(c);
-
- memset(c, 0, sizeof(*c));
- free(c);
diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
deleted file mode 100644
index f077c05..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
+++ /dev/null
@@ -1,41 +0,0 @@
---- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700
-+++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700
-@@ -1155,7 +1155,7 @@
- @@ -44,7 +44,7 @@
- LD=@LD@
- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -2144,12 +2144,12 @@
- /* Bind the socket to an alternative local IP address */
- if (options.bind_address == NULL && !privileged)
- return sock;
--@@ -527,10 +555,10 @@
-+@@ -555,10 +583,10 @@
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
--+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
-+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
-++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- - PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
-@@ -2163,9 +2163,9 @@
- @@ -432,7 +432,7 @@
- }
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
--- major, minor, SSH_VERSION,
--+ major, minor, SSH_RELEASE,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-+- major, minor, SSH_VERSION, comment,
-++ major, minor, SSH_RELEASE, comment,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
-
diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
deleted file mode 100644
index 2def699..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,67 +0,0 @@
---- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700
-+++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700
-@@ -226,14 +226,6 @@
- .Op Fl c Ar cipher
- .Op Fl F Ar ssh_config
- .Op Fl i Ar identity_file
--@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UpdateHostKeys
-- .It UsePrivilegedPort
-- .It User
- @@ -224,6 +225,8 @@ and
- to print debugging messages about their progress.
- This is helpful in
-@@ -493,19 +485,11 @@
- .Sh SYNOPSIS
- .Nm ssh
- .Bk -words
---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
--+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
-+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
-++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
- .Op Fl b Ar bind_address
- .Op Fl c Ar cipher_spec
- .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UpdateHostKeys
- @@ -795,6 +796,8 @@ controls.
- .Pp
- .It Fl y
-@@ -533,18 +517,18 @@
- usage(void)
- {
- fprintf(stderr,
---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
--+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
-+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
- " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
-- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
-- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
-+ " [-F configfile]\n"
-+ #ifdef USE_OPENSSL_ENGINE
- @@ -608,7 +613,7 @@ main(int ac, char **av)
-- argv0 = av[0];
-+ # define ENGCONFIG ""
-+ #endif
-
-- again:
--- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
--+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
-++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
-+ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
- switch (opt) {
- case '1':
- @@ -857,6 +862,11 @@ main(int ac, char **av)
diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
deleted file mode 100644
index 528dc6f..0000000
--- a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 143227a..c9b84c2 100644
---- a/kex.c
-+++ b/kex.c
-@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
- static int
- kex_send_ext_info(struct ssh *ssh)
- {
-+#ifdef EXPERIMENTAL_RSA_SHA2_256
- int r;
-
--#ifdef EXPERIMENTAL_RSA_SHA2_256
- /* IMPORTANT NOTE:
- * Do not offer rsa-sha2-* until is resolved misconfiguration issue
- * with allowed public key algorithms!
-diff --git a/key-eng.c b/key-eng.c
-index 9bc50fd..bc0d03d 100644
---- a/key-eng.c
-+++ b/key-eng.c
-@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
- while (buffer_len(&eng_list) > 0) {
- u_int k = 0;
- char *s;
-- ENGINE *e;
-
- s = buffer_get_cstring_ret(&eng_list, &k);
- ssh_engine_reset(s);
-diff --git a/monitor.c b/monitor.c
-index 345d3df..0de30ad 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
- (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
- (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
-- if (keyid > INT_MAX)
-+ if (keyid32 > INT_MAX)
- fatal("%s: invalid key ID", __func__);
-
- keyid = keyid32; /*save cast*/
-diff --git a/readconf.c b/readconf.c
-index beb38a0..1cbda7e 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -1459,7 +1459,9 @@ parse_int:
-
- case oHostKeyAlgorithms:
- charptr = &options->hostkeyalgorithms;
-+# if 0
- parse_keytypes:
-+# endif
- arg = strdelim(&s);
- if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.",
-diff --git a/servconf.c b/servconf.c
-index a540138..e77a344 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -1574,7 +1573,9 @@ parse_string:
-
- case sHostKeyAlgorithms:
- charptr = &options->hostkeyalgorithms;
-+# if 0
- parse_keytypes:
-+#endif
- arg = strdelim(&cp);
- if (!arg || *arg == '\0')
- fatal("%s line %d: Missing argument.",
-diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
-index 50f04b7..3f9a7bf 100644
---- a/ssh-pkcs11.c
-+++ b/ssh-pkcs11.c
-@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
- }
-
- #ifdef OPENSSL_HAS_ECC
-+#ifdef HAVE_EC_KEY_METHOD_NEW
- /* openssl callback for freeing an EC key */
- static void
- pkcs11_ec_finish(EC_KEY *ec)
- {
- struct pkcs11_key *k11;
-
--#ifdef HAVE_EC_KEY_METHOD_NEW
- k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
- EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
--#else
-- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
-- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
--#endif
- pkcs11_key_free(k11);
- }
-+#endif /*def HAVE_EC_KEY_METHOD_NEW*/
- #endif /*def OPENSSL_HAS_ECC*/
-
-
-diff --git a/sshconnect.c b/sshconnect.c
-index fd2a70e..0960be1 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
- {
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
deleted file mode 100644
index b97ceb4..0000000
--- a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
-From: djm <djm@openbsd.org>
-Date: Tue, 4 Apr 2017 00:24:56 +0000
-Subject: [PATCH] disallow creation (of empty files) in read-only mode;
- reported by Michal Zalewski, feedback & ok deraadt@
-
----
- usr.bin/ssh/sftp-server.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
-index 2510d234a3a..42249ebd60d 100644
---- a/usr.bin/ssh/sftp-server.c
-+++ b/usr.bin/ssh/sftp-server.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
-+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
- /*
- * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
- *
-@@ -683,8 +683,8 @@ process_open(u_int32_t id)
- logit("open \"%s\" flags %s mode 0%o",
- name, string_from_portable(pflags), mode);
- if (readonly &&
-- ((flags & O_ACCMODE) == O_WRONLY ||
-- (flags & O_ACCMODE) == O_RDWR)) {
-+ ((flags & O_ACCMODE) != O_RDONLY ||
-+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
- verbose("Refusing open request in read-only mode");
- status = SSH2_FX_PERMISSION_DENIED;
- } else {
diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
deleted file mode 100644
index 1c2b7b8..0000000
--- a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@chromium.org>
-Date: Wed, 24 May 2017 23:18:41 -0400
-Subject: [PATCH] configure: actually set cache vars when cross-compiling
-
-The cross-compiling fallback message says it's assuming the test
-passed, but it didn't actually set the cache var which causes
-later tests to fail.
----
- configure.ac | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5cfea38c0a6c..895c5211ea93 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE(
- select_works_with_rlimit=yes],
- [AC_MSG_RESULT([no])
- select_works_with_rlimit=no],
-- [AC_MSG_WARN([cross compiling: assuming yes])]
-+ [AC_MSG_WARN([cross compiling: assuming yes])
-+ select_works_with_rlimit=yes]
- )
-
- AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
-@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE(
- rlimit_nofile_zero_works=yes],
- [AC_MSG_RESULT([no])
- rlimit_nofile_zero_works=no],
-- [AC_MSG_WARN([cross compiling: assuming yes])]
-+ [AC_MSG_WARN([cross compiling: assuming yes])
-+ rlimit_nofile_zero_works=yes]
- )
-
- AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
---
-2.12.0
-
diff --git a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
new file mode 100644
index 0000000..a5647ce
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
@@ -0,0 +1,20 @@
+Disable conch interop tests which are failing when called
+via portage for yet unknown reason and because using conch
+seems to be flaky (test is failing when using Python2 but
+passing when using Python3).
+
+Bug: https://bugs.gentoo.org/605446
+
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -3,6 +3,10 @@
+
+ tid="conch ciphers"
+
++# https://bugs.gentoo.org/605446
++echo "conch interop tests skipped due to Gentoo bug #605446"
++exit 0
++
+ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+ echo "conch interop tests not enabled"
+ exit 0
diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
deleted file mode 100644
index 5dca1b0..0000000
--- a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 20 Mar 2017 14:57:40 -0400
-Subject: [PATCH] seccomp sandbox: fix typo w/x32 check
-
----
- sandbox-seccomp-filter.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 3a1aedce72c2..a8d472a63ccb 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
- * x86-64 syscall under some circumstances, e.g.
- * https://bugs.debian.org/849923
- */
-- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
-+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
- #endif
-
- /* Default deny */
---
-2.12.0
-
diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
similarity index 94%
rename from net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
rename to net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
index 6b1e6dd..2840652 100644
--- a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch
+++ b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
@@ -1,121 +1,12 @@
-http://bugs.gentoo.org/165444
+https://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
---- a/readconf.c
-+++ b/readconf.c
-@@ -148,6 +148,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -194,9 +195,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "smartcarddevice", oPKCS11Provider },
-@@ -930,6 +933,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1649,6 +1656,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1779,6 +1787,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -46,6 +46,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -830,6 +830,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -656,6 +656,13 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(active_state, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -668,7 +674,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
-
-need to move these two funcs back to canohost so they're available to clients
-and the server. auth.c is only used in the server.
-
--- a/auth.c
+++ b/auth.c
-@@ -784,117 +784,3 @@ fakepw(void)
-
+@@ -728,120 +728,6 @@ fakepw(void)
return (&fake);
}
--
+
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
@@ -229,6 +120,10 @@ and the server. auth.c is only used in the server.
- return dnsname;
- }
-}
+-
+ /*
+ * Runs command in a subprocess wuth a minimal environment.
+ * Returns pid on success, 0 on failure.
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
@@ -349,3 +244,108 @@ and the server. auth.c is only used in the server.
+ return dnsname;
+ }
+}
+--- a/readconf.c
++++ b/readconf.c
+@@ -160,6 +160,7 @@ typedef enum {
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -200,9 +201,11 @@ static struct {
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ # else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ { "smartcarddevice", oPKCS11Provider },
+@@ -954,6 +957,10 @@ parse_time:
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -43,6 +43,7 @@ typedef struct {
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -731,6 +731,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns) {
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++ gss_host = auth_get_canonical_hostname(active_state, 1);
++ } else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
+--
diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd
new file mode 100644
index 0000000..cf43037
--- /dev/null
+++ b/net-misc/openssh/files/sshd-r1.confd
@@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
deleted file mode 100644
index 28952b4..0000000
--- a/net-misc/openssh/files/sshd.confd
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd
-
-# Where is your sshd_config file stored?
-
-SSHD_CONFDIR="/etc/ssh"
-
-
-# Any random options you want to pass to sshd.
-# See the sshd(8) manpage for more info.
-
-SSHD_OPTS=""
-
-
-# Pid file to use (needs to be absolute path).
-
-#SSHD_PIDFILE="/var/run/sshd.pid"
-
-
-# Path to the sshd binary (needs to be absolute path).
-
-#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
deleted file mode 100644
index 5e30142..0000000
--- a/net-misc/openssh/files/sshd.rc6.4
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_commands="checkconfig"
-extra_started_commands="reload"
-
-: ${SSHD_CONFDIR:=/etc/ssh}
-: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
-: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
-: ${SSHD_BINARY:=/usr/sbin/sshd}
-
-depend() {
- use logger dns
- if [ "${rc_need+set}" = "set" ] ; then
- : # Do nothing, the user has explicitly set rc_need
- else
- local x warn_addr
- for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
- case "${x}" in
- 0.0.0.0|0.0.0.0:*) ;;
- ::|\[::\]*) ;;
- *) warn_addr="${warn_addr} ${x}" ;;
- esac
- done
- if [ -n "${warn_addr}" ] ; then
- need net
- ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
- ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
- ewarn "where FOO is the interface(s) providing the following address(es):"
- ewarn "${warn_addr}"
- fi
- fi
-}
-
-checkconfig() {
- if [ ! -d /var/empty ] ; then
- mkdir -p /var/empty || return 1
- fi
-
- if [ ! -e "${SSHD_CONFIG}" ] ; then
- eerror "You need an ${SSHD_CONFIG} file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- ssh-keygen -A || return 1
-
- [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
- && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
- [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
- && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
-
- "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
-}
-
-start() {
- checkconfig || return 1
-
- ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" \
- -- ${SSHD_OPTS}
- eend $?
-}
-
-stop() {
- if [ "${RC_CMD}" = "restart" ] ; then
- checkconfig || return 1
- fi
-
- ebegin "Stopping ${SVCNAME}"
- start-stop-daemon --stop --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" --quiet
- eend $?
-}
-
-reload() {
- checkconfig || return 1
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP \
- --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
- eend $?
-}
diff --git a/net-misc/openssh/files/sshd.rc6.5 b/net-misc/openssh/files/sshd.rc6.5
new file mode 100644
index 0000000..044cbe7
--- /dev/null
+++ b/net-misc/openssh/files/sshd.rc6.5
@@ -0,0 +1,89 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+ # Entropy can be used by ssh-keygen, among other things, but
+ # is not strictly required (bug 470020).
+ use logger dns entropy
+ if [ "${rc_need+set}" = "set" ] ; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_addr
+ for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+ case "${x}" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="${warn_addr} ${x}" ;;
+ esac
+ done
+ if [ -n "${warn_addr}" ] ; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "${warn_addr}"
+ fi
+ fi
+}
+
+checkconfig() {
+ checkpath --directory "${RC_PREFIX%/}/var/empty"
+
+ if [ ! -e "${SSHD_CONFIG}" ] ; then
+ eerror "You need an ${SSHD_CONFIG} file to run sshd"
+ eerror "There is a sample file in /usr/share/doc/openssh"
+ return 1
+ fi
+
+ ${SSHD_KEYGEN_BINARY} -A || return 2
+
+ "${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+ # If this isn't a restart, make sure that the user's config isn't
+ # busted before we try to start the daemon (this will produce
+ # better error messages than if we just try to start it blindly).
+ #
+ # If, on the other hand, this *is* a restart, then the stop_pre
+ # action will have ensured that the config is usable and we don't
+ # need to do that again.
+ if [ "${RC_CMD}" != "restart" ] ; then
+ checkconfig || return $?
+ fi
+}
+
+stop_pre() {
+ # If this is a restart, check to make sure the user's config
+ # isn't busted before we stop the running daemon.
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return $?
+ fi
+}
+
+reload() {
+ checkconfig || return $?
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${pidfile}"
+ eend $?
+}
diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.7_p1-r4.ebuild
similarity index 50%
rename from net-misc/openssh/openssh-7.5_p1-r4.ebuild
rename to net-misc/openssh/openssh-7.7_p1-r4.ebuild
index 291e377..e91ac97 100644
--- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-7.7_p1-r4.ebuild
@@ -1,36 +1,41 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-EAPI="5"
+EAPI=6
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+inherit user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
-HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
-SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
-X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+HPN_VER="14v15-gentoo1" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
+SCTP_VER="1.0" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
+
+# Disable LDAP support until someone will rewrite the patch,
+# upstream removed auth_parse_options() via commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
+#LDAP_VER="0.3.14" LDAP_PATCH="${PN}-lpk-7.7p1-${LDAP_VER}.patch.xz"
+
+PATCH_SET="openssh-7.7p1-patches-1.1"
DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
+HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
- ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
+ ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
+ ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
+ ${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~whissi/dist/openssh/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="amd64 arm ~mips ppc x86"
# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
- ssh1? ( ssl )
static? ( !kerberos !pam )
X509? ( !ldap !sctp ssl )
test? ( ssl )"
@@ -69,16 +74,17 @@ RDEPEND="${RDEPEND}
userland_GNU? ( virtual/shadow )
X? ( x11-apps/xauth )"
-S=${WORKDIR}/${PARCH}
+S="${WORKDIR}/${PARCH}"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
$(use hpn && maybe_fail hpn HPN_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use sctp && maybe_fail sctp SCTP_PATCH)
+ $(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
@@ -90,59 +96,148 @@ pkg_pretend() {
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
fi
}
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
src_prepare() {
sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+ eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+ eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
+
+ local PATCHSET_VERSION_MACROS=()
+
if use X509 ; then
- if use hpn ; then
- pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
- epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
- popd >/dev/null
- fi
- save_version X509
- epatch "${WORKDIR}"/${X509_PATCH%.*}
+ eapply "${WORKDIR}"/${X509_PATCH%.*}
+
+ # We need to patch package version or any X.509 sshd will reject our ssh client
+ # with "userauth_pubkey: could not parse key: string is too large [preauth]"
+ # error
+ einfo "Patching package version for X.509 patch set ..."
+ sed -i \
+ -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
+ "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
+
+ einfo "Patching version.h to expose X.509 patch set ..."
+ sed -i \
+ -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
+ "${S}"/version.h || die "Failed to sed-in X.509 patch version"
+ PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
+
+ einfo "Disabling broken X.509 agent test ..."
+ sed -i \
+ -e "/^ agent$/d" \
+ "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
+
+ # The following patches don't apply on top of X509 patch
+ rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
+ rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
+ rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
+ rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
+ else
+ rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
+ rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
fi
if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
+ eapply "${WORKDIR}"/${LDAP_PATCH%.*}
+
+ einfo "Patching version.h to expose LDAP patch set ..."
+ sed -i \
+ -e "/^#define SSH_PORTABLE.*/a #define SSH_LDAP \"-ldap-${LDAP_VER}\"" \
+ "${S}"/version.h || die "Failed to sed-in LDAP patch version"
+ PATCHSET_VERSION_MACROS+=( 'SSH_LDAP' )
fi
- epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
- epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
- use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
- use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
- use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+ if use sctp ; then
+ eapply "${WORKDIR}"/${SCTP_PATCH%.*}
+
+ einfo "Patching version.h to expose SCTP patch set ..."
+ sed -i \
+ -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
+ "${S}"/version.h || die "Failed to sed-in SCTP patch version"
+ PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
+
+ einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+ sed -i \
+ -e "/\t\tcfgparse \\\/d" \
+ "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
+ fi
if use hpn ; then
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
+ eapply "${WORKDIR}"/${HPN_PATCH%.*}
+
+ einfo "Patching Makefile.in for HPN patch set ..."
+ sed -i \
+ -e "/^LIBS=/ s/\$/ -lpthread/" \
+ "${S}"/Makefile.in || die "Failed to patch Makefile.in"
+
+ einfo "Patching version.h to expose HPN patch set ..."
+ sed -i \
+ -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
+ "${S}"/version.h || die "Failed to sed-in HPN patch version"
+ PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
+
+ if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+ einfo "Disabling known non-working MT AES cipher per default ..."
+
+ cat > "${T}"/disable_mtaes.conf <<- EOF
+
+ # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
+ # and therefore disabled per default.
+ DisableMTAES yes
+ EOF
+ sed -i \
+ -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
+ "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
+
+ sed -i \
+ -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
+ "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
+ fi
+ fi
+
+ if use X509 || use hpn ; then
+ einfo "Patching packet.c for X509 and/or HPN patch set ..."
+ sed -i \
+ -e "s/const struct sshcipher/struct sshcipher/" \
+ "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
+ fi
+
+ if use X509 || use sctp || use ldap || use hpn ; then
+ einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
+ sed -i \
+ -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+ "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
+
+ einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
+ sed -i \
+ -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
+ "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
+
+ einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
+ sed -i \
+ -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
+ "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
+ sed -i \
+ -e "/#UseLogin no/d" \
+ "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
+
+ eapply "${WORKDIR}"/patch/*.patch
+
+ eapply_user #473004
+
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
@@ -151,6 +246,7 @@ src_prepare() {
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
+
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
@@ -162,16 +258,6 @@ src_prepare() {
)
sed -i "${sed_args[@]}" configure{.ac,} || die
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
- ) > version.h
-
eautoreconf
}
@@ -185,24 +271,23 @@ src_configure() {
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
+ --sysconfdir="${EPREFIX%/}"/etc/ssh
+ --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX%/}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX%/}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap
+ $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+ # We apply the ldap and sctp patch conditionally, so can't pass --without-{ldap,sctp}
# unconditionally else we get unknown flag warnings.
$(use ldap && use_with ldap)
+ $(use sctp && use_with sctp)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
- $(use X509 || use_with sctp)
$(use_with selinux)
$(use_with skey)
- $(use_with ssh1)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
@@ -218,12 +303,41 @@ src_configure() {
econf "${myconf[@]}"
}
+src_test() {
+ local t skipped=() failed=() passed=()
+ local tests=( interop-tests compat-tests )
+
+ local shell=$(egetshell "${UID}")
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped+=( tests )
+ else
+ tests+=( tests )
+ fi
+
+ # It will also attempt to write to the homedir .ssh.
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in "${tests[@]}" ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" HOME="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed+=( "${t}" ) \
+ || failed+=( "${t}" )
+ done
+
+ einfo "Passed tests: ${passed[*]}"
+ [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
+ [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
+}
+
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
+ newinitd "${FILESDIR}"/sshd.rc6.5 sshd
+ newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam ; then
@@ -232,16 +346,16 @@ src_install() {
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
+ "${ED%/}"/etc/ssh/sshd_config || die
fi
# Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+ cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*
EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+ cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
# Send locale environment variables #367017
SendEnv LANG LC_*
@@ -250,54 +364,28 @@ src_install() {
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
+ "${ED%/}"/etc/ssh/sshd_config || die
fi
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ if use ldap && [[ -n ${LDAP_PATCH} ]] ; then
insinto /etc/openldap/schema/
newins openssh-lpk_openldap.schema openssh-lpk.schema
fi
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
+ use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
+ keepdir /var/empty
+
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
pkg_preinst() {
enewgroup sshd 22
enewuser sshd 22 -1 /var/empty sshd
@@ -309,9 +397,6 @@ pkg_postinst() {
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
- if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
- elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
- fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
@@ -328,9 +413,25 @@ pkg_postinst() {
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
+ if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+ elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+ elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+ fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
+
+ if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+ elog ""
+ elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
+ elog "and therefore disabled at runtime per default."
+ elog "Make sure your sshd_config is up to date and contains"
+ elog ""
+ elog " DisableMTAES yes"
+ elog ""
+ elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
+ elog ""
+ fi
}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] proj/musl:master commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2018-06-28 20:08 Anthony G. Basile
0 siblings, 0 replies; 6+ messages in thread
From: Anthony G. Basile @ 2018-06-28 20:08 UTC (permalink / raw
To: gentoo-commits
commit: 60461ca1385809bacf6a114a7f1ecfe22f6da47f
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Jun 28 20:08:07 2018 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Jun 28 20:08:07 2018 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=60461ca1
net-misc/openssh: fix is now in the tree
net-misc/openssh/Manifest | 5 -
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 -
...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 -
.../openssh/files/openssh-7.7_p1-GSSAPI-dns.patch | 351 ----------------
net-misc/openssh/files/sshd-r1.confd | 33 --
net-misc/openssh/files/sshd.pam_include.2 | 4 -
net-misc/openssh/files/sshd.rc6.5 | 89 ----
net-misc/openssh/files/sshd.service | 11 -
net-misc/openssh/files/sshd.socket | 10 -
net-misc/openssh/files/sshd_at.service | 8 -
net-misc/openssh/metadata.xml | 39 --
net-misc/openssh/openssh-7.7_p1-r5.ebuild | 437 --------------------
net-misc/openssh/openssh-7.7_p1-r6.ebuild | 460 ---------------------
13 files changed, 1484 deletions(-)
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
deleted file mode 100644
index e720a87..0000000
--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,5 +0,0 @@
-DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
-DIST openssh-7.7p1-patches-1.1.tar.xz 16476 BLAKE2B fca2885a9e29faec40700ece37a995ba83e40bd2a6875129a5327770d8ee43663a7c063de33b4653994ed7332adb03730f613c047550d874190b95c66e2e9efa SHA512 aa5e33ce4bb4be16abf27ac1bade1dc85c51d82002be546402e0b8b0685de3ec7029f0f56bf1295ec346eb3960a6bed7cfc882722e57957a19a732f3174b3039
-DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
-DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
-DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
deleted file mode 100644
index fa33af3..0000000
--- a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
- */
-- mask = 0xfff0000fL; /* major,minor,status */
-+ mask = 0xfff00000L; /* major,minor,status */
- hfix = (headerver & 0x000ff000) >> 12;
- lfix = (libver & 0x000ff000) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
deleted file mode 100644
index a5647ce..0000000
--- a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Disable conch interop tests which are failing when called
-via portage for yet unknown reason and because using conch
-seems to be flaky (test is failing when using Python2 but
-passing when using Python3).
-
-Bug: https://bugs.gentoo.org/605446
-
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -3,6 +3,10 @@
-
- tid="conch ciphers"
-
-+# https://bugs.gentoo.org/605446
-+echo "conch interop tests skipped due to Gentoo bug #605446"
-+exit 0
-+
- if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
- echo "conch interop tests not enabled"
- exit 0
diff --git a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index 2840652..0000000
--- a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-https://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
---- a/auth.c
-+++ b/auth.c
-@@ -728,120 +728,6 @@ fakepw(void)
- return (&fake);
- }
-
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on legacy rhosts-style authentication.
-- * XXX is RhostsRSAAuthentication vulnerable to these?
-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) < 0) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return strdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return strdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return strdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return strdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return strdup(ntop);
-- }
-- return strdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
--
- /*
- * Runs command in a subprocess wuth a minimal environment.
- * Returns pid on success, 0 on failure.
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) < 0) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return strdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return strdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return strdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return strdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return strdup(ntop);
-+ }
-+ return strdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}
---- a/readconf.c
-+++ b/readconf.c
-@@ -160,6 +160,7 @@ typedef enum {
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -200,9 +201,11 @@ static struct {
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "smartcarddevice", oPKCS11Provider },
-@@ -954,6 +957,10 @@ parse_time:
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
---- a/readconf.h
-+++ b/readconf.h
-@@ -43,6 +43,7 @@ typedef struct {
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -731,6 +731,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(active_state, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
---
diff --git a/net-misc/openssh/files/sshd-r1.confd b/net-misc/openssh/files/sshd-r1.confd
deleted file mode 100644
index cf43037..0000000
--- a/net-misc/openssh/files/sshd-r1.confd
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd
-
-# Where is your sshd_config file stored?
-
-SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
-
-
-# Any random options you want to pass to sshd.
-# See the sshd(8) manpage for more info.
-
-SSHD_OPTS=""
-
-
-# Wait one second (length chosen arbitrarily) to see if sshd actually
-# creates a PID file, or if it crashes for some reason like not being
-# able to bind to the address in ListenAddress.
-
-#SSHD_SSD_OPTS="--wait 1000"
-
-
-# Pid file to use (needs to be absolute path).
-
-#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
-
-
-# Path to the sshd binary (needs to be absolute path).
-
-#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
-
-
-# Path to the ssh-keygen binary (needs to be absolute path).
-
-#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
deleted file mode 100644
index b801aaa..0000000
--- a/net-misc/openssh/files/sshd.pam_include.2
+++ /dev/null
@@ -1,4 +0,0 @@
-auth include system-remote-login
-account include system-remote-login
-password include system-remote-login
-session include system-remote-login
diff --git a/net-misc/openssh/files/sshd.rc6.5 b/net-misc/openssh/files/sshd.rc6.5
deleted file mode 100644
index 044cbe7..0000000
--- a/net-misc/openssh/files/sshd.rc6.5
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_commands="checkconfig"
-extra_started_commands="reload"
-
-: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
-: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
-: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
-: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
-: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
-
-command="${SSHD_BINARY}"
-pidfile="${SSHD_PIDFILE}"
-command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
-
-# Wait one second (length chosen arbitrarily) to see if sshd actually
-# creates a PID file, or if it crashes for some reason like not being
-# able to bind to the address in ListenAddress (bug 617596).
-: ${SSHD_SSD_OPTS:=--wait 1000}
-start_stop_daemon_args="${SSHD_SSD_OPTS}"
-
-depend() {
- # Entropy can be used by ssh-keygen, among other things, but
- # is not strictly required (bug 470020).
- use logger dns entropy
- if [ "${rc_need+set}" = "set" ] ; then
- : # Do nothing, the user has explicitly set rc_need
- else
- local x warn_addr
- for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
- case "${x}" in
- 0.0.0.0|0.0.0.0:*) ;;
- ::|\[::\]*) ;;
- *) warn_addr="${warn_addr} ${x}" ;;
- esac
- done
- if [ -n "${warn_addr}" ] ; then
- need net
- ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
- ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
- ewarn "where FOO is the interface(s) providing the following address(es):"
- ewarn "${warn_addr}"
- fi
- fi
-}
-
-checkconfig() {
- checkpath --directory "${RC_PREFIX%/}/var/empty"
-
- if [ ! -e "${SSHD_CONFIG}" ] ; then
- eerror "You need an ${SSHD_CONFIG} file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- ${SSHD_KEYGEN_BINARY} -A || return 2
-
- "${command}" -t ${command_args} || return 3
-}
-
-start_pre() {
- # If this isn't a restart, make sure that the user's config isn't
- # busted before we try to start the daemon (this will produce
- # better error messages than if we just try to start it blindly).
- #
- # If, on the other hand, this *is* a restart, then the stop_pre
- # action will have ensured that the config is usable and we don't
- # need to do that again.
- if [ "${RC_CMD}" != "restart" ] ; then
- checkconfig || return $?
- fi
-}
-
-stop_pre() {
- # If this is a restart, check to make sure the user's config
- # isn't busted before we stop the running daemon.
- if [ "${RC_CMD}" = "restart" ] ; then
- checkconfig || return $?
- fi
-}
-
-reload() {
- checkconfig || return $?
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP --pidfile "${pidfile}"
- eend $?
-}
diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
deleted file mode 100644
index b5e96b3..0000000
--- a/net-misc/openssh/files/sshd.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
-
-[Service]
-ExecStartPre=/usr/bin/ssh-keygen -A
-ExecStart=/usr/sbin/sshd -D -e
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
deleted file mode 100644
index 94b9533..0000000
--- a/net-misc/openssh/files/sshd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=OpenSSH Server Socket
-Conflicts=sshd.service
-
-[Socket]
-ListenStream=22
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
deleted file mode 100644
index 2645ad0..0000000
--- a/net-misc/openssh/files/sshd_at.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=OpenSSH per-connection server daemon
-After=syslog.target auditd.service
-
-[Service]
-ExecStart=-/usr/sbin/sshd -i -e
-StandardInput=socket
-StandardError=syslog
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
deleted file mode 100644
index 03b12f0..0000000
--- a/net-misc/openssh/metadata.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
- <maintainer type="project">
- <email>base-system@gentoo.org</email>
- <name>Gentoo Base System</name>
- </maintainer>
- <maintainer type="person">
- <email>robbat2@gentoo.org</email>
- <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
- </maintainer>
- <longdescription>
-OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
-increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
-rlogin, ftp, and other such programs might not realize that their password is transmitted
-across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
-to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
-Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
-of authentication methods.
-
-The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
-replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
-the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
-ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
-</longdescription>
- <use>
- <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
- <flag name="hpn">Enable high performance ssh</flag>
- <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
- <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
- <flag name="livecd">Enable root password logins for live-cd environment.</flag>
- <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
- <flag name="X509">Adds support for X.509 certificate authentication</flag>
- </use>
- <upstream>
- <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
- <remote-id type="sourceforge">hpnssh</remote-id>
- </upstream>
-</pkgmetadata>
diff --git a/net-misc/openssh/openssh-7.7_p1-r5.ebuild b/net-misc/openssh/openssh-7.7_p1-r5.ebuild
deleted file mode 100644
index 2425ed8..0000000
--- a/net-misc/openssh/openssh-7.7_p1-r5.ebuild
+++ /dev/null
@@ -1,437 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
-SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
-
-# Disable LDAP support until someone will rewrite the patch,
-# upstream removed auth_parse_options() via commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
-#LDAP_VER="0.3.14" LDAP_PATCH="${PN}-lpk-7.7p1-${LDAP_VER}.patch.xz"
-
-PATCH_SET="openssh-7.7p1-patches-1.1"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
- ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~whissi/dist/openssh/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !ldap !sctp ssl )
- test? ( ssl )"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- !libressl? (
- >=dev-libs/openssl-1.0.1:0=[bindist=]
- dev-libs/openssl:0=[static-libs(+)]
- )
- libressl? ( dev-libs/libressl:0=[static-libs(+)] )
- )
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- eapply "${WORKDIR}"/${X509_PATCH%.*}
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-
- einfo "Disabling broken X.509 agent test ..."
- sed -i \
- -e "/^ agent$/d" \
- "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
-
- # The following patches don't apply on top of X509 patch
- rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
- rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
- rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
- rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
- else
- rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
- rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
- fi
-
- if use ldap ; then
- eapply "${WORKDIR}"/${LDAP_PATCH%.*}
-
- einfo "Patching version.h to expose LDAP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_LDAP \"-ldap-${LDAP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in LDAP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_LDAP' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- eapply "${WORKDIR}"/${HPN_PATCH%.*}
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use hpn ; then
- einfo "Patching packet.c for X509 and/or HPN patch set ..."
- sed -i \
- -e "s/const struct sshcipher/struct sshcipher/" \
- "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
- fi
-
- if use X509 || use sctp || use ldap || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply "${WORKDIR}"/patch/*.patch
-
- eapply_user #473004
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX%/}"/etc/ssh
- --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX%/}"/usr/share/openssh
- --with-privsep-path="${EPREFIX%/}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
- # We apply the ldap and sctp patch conditionally, so can't pass --without-{ldap,sctp}
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use sctp && use_with sctp)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- if [[ $(tc-arch) == x86 ]]; then
- myconf+=( --without-stackprotect)
- fi
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.5 sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED%/}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED%/}"/etc/ssh/sshd_config || die
- fi
-
- if use ldap && [[ -n ${LDAP_PATCH} ]] ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- keepdir /var/empty
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}
diff --git a/net-misc/openssh/openssh-7.7_p1-r6.ebuild b/net-misc/openssh/openssh-7.7_p1-r6.ebuild
deleted file mode 100644
index 9eeea10..0000000
--- a/net-misc/openssh/openssh-7.7_p1-r6.ebuild
+++ /dev/null
@@ -1,460 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
-SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
-
-# Disable LDAP support until someone will rewrite the patch,
-# upstream removed auth_parse_options() via commit 7c856857607112a3dfe6414696bf4c7ab7fb0cb3
-#LDAP_VER="0.3.14" LDAP_PATCH="${PN}-lpk-7.7p1-${LDAP_VER}.patch.xz"
-
-PATCH_SET="openssh-7.7p1-patches-1.1"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
- ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~whissi/dist/openssh/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
-REQUIRED_USE="ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !ldap !sctp ssl )
- test? ( ssl )"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- ssl? (
- !libressl? (
- >=dev-libs/openssl-1.0.1:0=[bindist=]
- dev-libs/openssl:0=[static-libs(+)]
- )
- libressl? ( dev-libs/libressl:0=[static-libs(+)] )
- )
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S="${WORKDIR}/${PARCH}"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use hpn && maybe_fail hpn HPN_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use sctp && maybe_fail sctp SCTP_PATCH)
- $(use X509 && maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- fi
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- eapply "${WORKDIR}"/${X509_PATCH%.*}
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
-
- einfo "Disabling broken X.509 agent test ..."
- sed -i \
- -e "/^ agent$/d" \
- "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
-
- # The following patches don't apply on top of X509 patch
- rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
- rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
- rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
- rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
- else
- rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
- rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
- fi
-
- if use ldap ; then
- eapply "${WORKDIR}"/${LDAP_PATCH%.*}
-
- einfo "Patching version.h to expose LDAP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_LDAP \"-ldap-${LDAP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in LDAP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_LDAP' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- eapply "${WORKDIR}"/${HPN_PATCH%.*}
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use hpn ; then
- einfo "Patching packet.c for X509 and/or HPN patch set ..."
- sed -i \
- -e "s/const struct sshcipher/struct sshcipher/" \
- "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
- fi
-
- if use X509 || use sctp || use ldap || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply "${WORKDIR}"/patch/*.patch
-
- eapply_user #473004
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX%/}"/etc/ssh
- --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX%/}"/usr/share/openssh
- --with-privsep-path="${EPREFIX%/}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
- # We apply the ldap and sctp patch conditionally, so can't pass --without-{ldap,sctp}
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use sctp && use_with sctp)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # stackprotect is broken on musl x86
- use elibc_musl && use x86 && myconf+=( --without-stackprotect )
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local t skipped=() failed=() passed=()
- local tests=( interop-tests compat-tests )
-
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped+=( tests )
- else
- tests+=( tests )
- fi
-
- # It will also attempt to write to the homedir .ssh.
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in "${tests[@]}" ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" HOME="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed+=( "${t}" ) \
- || failed+=( "${t}" )
- done
-
- einfo "Passed tests: ${passed[*]}"
- [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
- [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
- local locale_vars=(
- # These are language variables that POSIX defines.
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
- # These are the GNU extensions.
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
- )
-
- # First the server config.
- cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
-
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
- EOF
-
- # Then the client config.
- cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
-
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
-
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
- EOF
-
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED%/}"/etc/ssh/sshd_config || die
- fi
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED%/}"/etc/ssh/sshd_config || die
- fi
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.5 sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
-
- tweak_ssh_configs
-
- if use ldap && [[ -n ${LDAP_PATCH} ]] ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- keepdir /var/empty
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-06-28 20:08 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-15 9:04 [gentoo-commits] proj/musl:master commit in: net-misc/openssh/files/, net-misc/openssh/ Anthony G. Basile
-- strict thread matches above, loose matches on Subject: below --
2018-06-28 20:08 Anthony G. Basile
2017-06-16 13:29 Anthony G. Basile
2016-02-13 17:18 Anthony G. Basile
2015-11-25 0:59 Anthony G. Basile
2015-09-04 6:37 Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox