From 02930d1eb5af78d32b1597af6af24163895d9e0f Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Thu, 11 May 2023 23:47:37 +0100 Subject: gentoo auto-resync : 11:05:2023 - 23:47:37 --- net-misc/Manifest.gz | Bin 53771 -> 53962 bytes net-misc/autossh/Manifest | 2 +- net-misc/autossh/autossh-1.4g-r1.ebuild | 20 + net-misc/autossh/autossh-1.4g.ebuild | 20 - net-misc/electrum/Manifest | 2 + net-misc/electrum/electrum-4.4.3.ebuild | 112 +++++ net-misc/openssh-contrib/Manifest | 30 ++ .../openssh-6.7_p1-openssl-ignore-status.patch | 17 + ...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 + .../files/openssh-7.9_p1-include-stdlib.patch | 48 ++ .../files/openssh-8.0_p1-fix-putty-tests.patch | 57 +++ .../files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch | 18 + .../files/openssh-8.6_p1-hpn-version.patch | 13 + .../files/openssh-8.7_p1-GSSAPI-dns.patch | 357 ++++++++++++++ .../files/openssh-8.9_p1-allow-ppoll_time64.patch | 14 + .../openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch | 13 + .../openssh-9.0_p1-X509-uninitialized-delay.patch | 12 + ...mget-shmat-shmdt-in-preauth-privsep-child.patch | 20 + ...enssh-9.3_p1-openssl-version-compat-check.patch | 58 +++ net-misc/openssh-contrib/files/sshd-r1.confd | 33 ++ net-misc/openssh-contrib/files/sshd-r1.initd | 87 ++++ net-misc/openssh-contrib/files/sshd.pam_include.2 | 4 + net-misc/openssh-contrib/files/sshd.service.1 | 15 + net-misc/openssh-contrib/files/sshd.socket | 10 + net-misc/openssh-contrib/files/sshd_at.service.1 | 8 + net-misc/openssh-contrib/metadata.xml | 59 +++ .../openssh-contrib/openssh-contrib-9.3_p1.ebuild | 531 +++++++++++++++++++++ net-misc/openssh/Manifest | 15 +- .../files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch | 18 - .../openssh/files/openssh-8.6_p1-hpn-version.patch | 13 - .../openssh-9.0_p1-X509-uninitialized-delay.patch | 12 - net-misc/openssh/metadata.xml | 3 - net-misc/openssh/openssh-9.3_p1-r1.ebuild | 381 +++++++++++++++ net-misc/openssh/openssh-9.3_p1.ebuild | 518 -------------------- net-misc/pssh/Manifest | 2 +- net-misc/pssh/pssh-2.3.4-r2.ebuild | 31 -- net-misc/pssh/pssh-2.3.4-r3.ebuild | 31 ++ net-misc/scponly/Manifest | 2 +- net-misc/scponly/scponly-4.8-r7.ebuild | 245 ---------- net-misc/scponly/scponly-4.8-r8.ebuild | 245 ++++++++++ net-misc/sshpass/Manifest | 2 +- net-misc/sshpass/sshpass-1.09-r1.ebuild | 14 + net-misc/sshpass/sshpass-1.09.ebuild | 14 - net-misc/x2goserver/Manifest | 2 +- net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild | 104 ---- net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild | 104 ++++ net-misc/zssh/Manifest | 2 +- net-misc/zssh/zssh-1.5c-r1.ebuild | 45 -- net-misc/zssh/zssh-1.5c-r2.ebuild | 45 ++ 49 files changed, 2386 insertions(+), 1042 deletions(-) create mode 100644 net-misc/autossh/autossh-1.4g-r1.ebuild delete mode 100644 net-misc/autossh/autossh-1.4g.ebuild create mode 100644 net-misc/electrum/electrum-4.4.3.ebuild create mode 100644 net-misc/openssh-contrib/Manifest create mode 100644 net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch create mode 100644 net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch create mode 100644 net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch create mode 100644 net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch create mode 100644 net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch create mode 100644 net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch create mode 100644 net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch create mode 100644 net-misc/openssh-contrib/files/sshd-r1.confd create mode 100644 net-misc/openssh-contrib/files/sshd-r1.initd create mode 100644 net-misc/openssh-contrib/files/sshd.pam_include.2 create mode 100644 net-misc/openssh-contrib/files/sshd.service.1 create mode 100644 net-misc/openssh-contrib/files/sshd.socket create mode 100644 net-misc/openssh-contrib/files/sshd_at.service.1 create mode 100644 net-misc/openssh-contrib/metadata.xml create mode 100644 net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild delete mode 100644 net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch delete mode 100644 net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch delete mode 100644 net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch create mode 100644 net-misc/openssh/openssh-9.3_p1-r1.ebuild delete mode 100644 net-misc/openssh/openssh-9.3_p1.ebuild delete mode 100644 net-misc/pssh/pssh-2.3.4-r2.ebuild create mode 100644 net-misc/pssh/pssh-2.3.4-r3.ebuild delete mode 100644 net-misc/scponly/scponly-4.8-r7.ebuild create mode 100644 net-misc/scponly/scponly-4.8-r8.ebuild create mode 100644 net-misc/sshpass/sshpass-1.09-r1.ebuild delete mode 100644 net-misc/sshpass/sshpass-1.09.ebuild delete mode 100644 net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild create mode 100644 net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild delete mode 100644 net-misc/zssh/zssh-1.5c-r1.ebuild create mode 100644 net-misc/zssh/zssh-1.5c-r2.ebuild (limited to 'net-misc') diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz index 821c401ea31f..a112a58552a9 100644 Binary files a/net-misc/Manifest.gz and b/net-misc/Manifest.gz differ diff --git a/net-misc/autossh/Manifest b/net-misc/autossh/Manifest index 288c2ddf9efd..227c3360dfd2 100644 --- a/net-misc/autossh/Manifest +++ b/net-misc/autossh/Manifest @@ -1,3 +1,3 @@ DIST autossh-1.4g.tgz 67599 BLAKE2B 179af97ee6f3b9c1c4fcbad1593118aa5d69dbd2b6215efd4a16ab7641f6f0194faaca3c3101b3a918d652988a06b5fa8ce6e52f85f81edd95b3d71d49aad076 SHA512 499b560d978736f4e764d5d828282fdaba1cbf94811ae6be0be5434d9c1cdc6ca5513d728b6372aa243843cb1b91e61cfc5fdeb77ddb0b6a7ce027218ba67466 -EBUILD autossh-1.4g.ebuild 509 BLAKE2B 509bbbe439478b442f003cd85f2269ade39eb08fd2ff689244fcb8e11114e66535961efa1d4d41ead706d2df2eddd6778b0fb0eb7aa4ce67be25ca01ab357fb7 SHA512 e7141ea8802a88c8147436819e084d12b8a60580c72e68c7efb0dae2c75ce83930e125cd5fee7e2d04d53d697e0f4a6325085bf98a8754b7fbad3476b676fa6d +EBUILD autossh-1.4g-r1.ebuild 508 BLAKE2B 415ec316b485e2931effc4bf25ebf48a9dad4e0a4b72fc44d54a1bb40744504e56f82b12196812c878aae4ab9b1d0d18fd613acd03776071f67d39f3e01a3a28 SHA512 77ddc6fdd1c13d890b504fb91bb9716941705ef157d6677c7be8ebef3ca5e3b81132c89457d4df0c0ef443fc4de308a4ea010655994ae0a5bf55a3b9ca6a9cb6 MISC metadata.xml 247 BLAKE2B 6536db65878d9128a555200c64e8ff6a6992576c1563139308514c6da0908880f96f957d38b795f6e8de20c6318ddcdd40fd6d1b426bc54f823d9c5cf8e56e89 SHA512 74fe62941d0c26582e1cd28ca71bf6664c52361293c1150c3544c48f2bc812b6be88b13e92468f1e896e986a0369d7320453542653113735cca75fd0ceb20009 diff --git a/net-misc/autossh/autossh-1.4g-r1.ebuild b/net-misc/autossh/autossh-1.4g-r1.ebuild new file mode 100644 index 000000000000..4a227c8620c6 --- /dev/null +++ b/net-misc/autossh/autossh-1.4g-r1.ebuild @@ -0,0 +1,20 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +DESCRIPTION="Automatically restart SSH sessions and tunnels" +HOMEPAGE="https://www.harding.motd.ca/autossh/" +SRC_URI="https://www.harding.motd.ca/${PN}/${P}.tgz" + +LICENSE="BSD" +KEYWORDS="amd64 ~arm ~arm64 ~hppa ppc ~ppc64 ~riscv ~sparc x86 ~amd64-linux ~x86-linux" +SLOT="0" + +RDEPEND="virtual/openssh" + +src_install() { + dobin autossh + dodoc CHANGES README autossh.host rscreen + doman autossh.1 +} diff --git a/net-misc/autossh/autossh-1.4g.ebuild b/net-misc/autossh/autossh-1.4g.ebuild deleted file mode 100644 index 57c7452cb478..000000000000 --- a/net-misc/autossh/autossh-1.4g.ebuild +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -DESCRIPTION="Automatically restart SSH sessions and tunnels" -HOMEPAGE="https://www.harding.motd.ca/autossh/" -SRC_URI="https://www.harding.motd.ca/${PN}/${P}.tgz" - -LICENSE="BSD" -KEYWORDS="amd64 ~arm ~arm64 ~hppa ppc ~ppc64 ~riscv ~sparc x86 ~amd64-linux ~x86-linux" -SLOT="0" - -RDEPEND="net-misc/openssh" - -src_install() { - dobin autossh - dodoc CHANGES README autossh.host rscreen - doman autossh.1 -} diff --git a/net-misc/electrum/Manifest b/net-misc/electrum/Manifest index 8890f12f1b6a..ef9765c4ffbc 100644 --- a/net-misc/electrum/Manifest +++ b/net-misc/electrum/Manifest @@ -2,8 +2,10 @@ DIST electrum-4.3.4.gh.tar.gz 5512701 BLAKE2B a57e3ffddacfd5c63dc7f5cb59bbfe0632 DIST electrum-4.4.0.gh.tar.gz 5627801 BLAKE2B 27ed9fff7586f9efe18a76f3cfa6d0cc4df4d5bc542b68ce9cd78ac5d6b033114b9caea23edbbd2a531d6f877a8891a02fc321741d8ecf4eb473894f1d9c94a6 SHA512 dfa5020a2609b8faa21c1ae97e152b89cd235151c18bb2b6a0bb4b9cd5217697e3c6515d832c8f04291fb10e062c3a4d9a92c48874687ef99adfd7cf04f363f8 DIST electrum-4.4.1.gh.tar.gz 5631256 BLAKE2B cefa27c7b770429004a221143f4291285f2ad6f3ca6f1f58c5c98ce6b6efbc316ea6b857a6abf8ed899cf5feac1f3505fd83189849aab72f144af9e7ce4d546d SHA512 075253fc89063d8fa6adcdc9d3e4c7cbd5caa27efe9f5dca8ddf5ef3863ca25690f2a4280a4999d6d3da7d32ece10dd9faf2ba560d2b13a0c9887237daa6382e DIST electrum-4.4.2.gh.tar.gz 5635869 BLAKE2B 7ba1941a59e5db7578d2b7fe26997c9bda92467362422fc3b3741eefc5c52b872cbb0c9c5caf7454ae4b6136a37b498ba2afd1b0f19ace0f566de68a9e40b3bb SHA512 50509a7890a9697dfb59ec6d8cb3f2d5243b37acbff2c322cb7a6f4b350dd18fc5a963a30af6cd4e918ea02306df4da7252158ddf268fc87762ff598e2eb33e8 +DIST electrum-4.4.3.gh.tar.gz 5629690 BLAKE2B 56f1bf2500500eb9fcd3b0397adee2f46865ab628004c62b2ffc36b7a019b1bd94b7c84576b35afda70116fb290476432fb1363eeb511d8cd4e6342c3a920975 SHA512 077742c404cce57fbf330b28a36c277dc22c10027c8f412ea192a7f7b917b37b22bbb85dc6cdc654daaacc28f98659dac406879a183448b20b0377a86697f486 EBUILD electrum-4.3.4-r1.ebuild 2896 BLAKE2B c5d42f5a55aab16022835b66633d77a156fe7c69b8ee3ee889a9609be5e824eebfafee27114776af6cfd03ac887fcb52c29f4cd44cd70faaeb58bbe33653a4c7 SHA512 11a88ece051a5107df2916717b7c0f5b08792a88d43f5d4d512ea91ad9683b01236fd9caa75d267a52888a01fccec63dffed51f1b66685749685b355dff262d3 EBUILD electrum-4.4.0.ebuild 2898 BLAKE2B a8ef6fc4fffef8e44732cd7e3f523357738db98da2907e361644df6c5da236f8e6989d3b9f2047a65538fb045d509cadb21af22a600ae99ec23f1a8e36e4d362 SHA512 1785c57717ec7cbb733cb3585d7a7f80a9c57a0e6427416b56a20a28d672f01fda7561a8df25305c886c3ba2b0b92c42c04c7aeb079054bc23c895d1c135714a EBUILD electrum-4.4.1.ebuild 2898 BLAKE2B a8ef6fc4fffef8e44732cd7e3f523357738db98da2907e361644df6c5da236f8e6989d3b9f2047a65538fb045d509cadb21af22a600ae99ec23f1a8e36e4d362 SHA512 1785c57717ec7cbb733cb3585d7a7f80a9c57a0e6427416b56a20a28d672f01fda7561a8df25305c886c3ba2b0b92c42c04c7aeb079054bc23c895d1c135714a EBUILD electrum-4.4.2-r1.ebuild 2898 BLAKE2B add50631480377c0e949a09c6177cdb01ab5fe5bba55c863c49bce88e929268985f8bdcdb82f1d7611c17ad72010712e4f6a551b63b47d9cdfebcfc360da5129 SHA512 e858b342327d8be65e74654287c360c65708e0d046f498c3ac1626db4af5ffa910eb33f8c6ae21063ba95b9755aa4728f65f156b5f06d9856252016dd7c0e4aa +EBUILD electrum-4.4.3.ebuild 2898 BLAKE2B add50631480377c0e949a09c6177cdb01ab5fe5bba55c863c49bce88e929268985f8bdcdb82f1d7611c17ad72010712e4f6a551b63b47d9cdfebcfc360da5129 SHA512 e858b342327d8be65e74654287c360c65708e0d046f498c3ac1626db4af5ffa910eb33f8c6ae21063ba95b9755aa4728f65f156b5f06d9856252016dd7c0e4aa MISC metadata.xml 637 BLAKE2B ec4a0e57a1a11fa3a430c40b317e9a857b4128c7815fcd9fabe44adf85c47985325f4df3da9476b19f687026a145c7abf16a6a1ef6c8e25dd217732cdf77a076 SHA512 599ade68d31da44232ab7f520f0b9c054e7a26757aa7eed4f06350487d6c7c1dfc12bf2ba3dbddeb8ef8e8f0b67d093b91999cec422b3a5ea6dfadc9acf2fbc1 diff --git a/net-misc/electrum/electrum-4.4.3.ebuild b/net-misc/electrum/electrum-4.4.3.ebuild new file mode 100644 index 000000000000..151ffd5e2cfe --- /dev/null +++ b/net-misc/electrum/electrum-4.4.3.ebuild @@ -0,0 +1,112 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DISTUTILS_USE_PEP517=setuptools +PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_REQ_USE="ncurses?" + +inherit distutils-r1 xdg-utils + +DESCRIPTION="User friendly Bitcoin client" +HOMEPAGE=" + https://electrum.org/ + https://github.com/spesmilo/electrum/ +" +SRC_URI=" + https://github.com/spesmilo/electrum/archive/${PV}.tar.gz + -> ${P}.gh.tar.gz +" + +LICENSE="MIT" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="cli ncurses qrcode +qt5" +REQUIRED_USE="|| ( cli ncurses qt5 )" + +RDEPEND=" + ${PYTHON_DEPS} + =dev-python/aiohttp-socks-0.3[${PYTHON_USEDEP}] + =dev-python/aiorpcX-0.22*[${PYTHON_USEDEP}] + >=dev-python/attrs-19.2.0[${PYTHON_USEDEP}] + dev-python/bitstring[${PYTHON_USEDEP}] + dev-python/cryptography[${PYTHON_USEDEP}] + >=dev-python/dnspython-2[${PYTHON_USEDEP}] + dev-python/pbkdf2[${PYTHON_USEDEP}] + dev-python/PySocks[${PYTHON_USEDEP}] + dev-python/qrcode[${PYTHON_USEDEP}] + dev-python/requests[${PYTHON_USEDEP}] + dev-python/setuptools[${PYTHON_USEDEP}] + dev-python/six[${PYTHON_USEDEP}] + >=dev-python/protobuf-python-3.20[${PYTHON_USEDEP}] + qrcode? ( media-gfx/zbar[v4l] ) + qt5? ( + dev-python/PyQt5[gui,widgets,${PYTHON_USEDEP}] + ) + ncurses? ( $(python_gen_impl_dep 'ncurses') ) +" +BDEPEND=" + test? ( + dev-python/pyaes[${PYTHON_USEDEP}] + dev-python/pycryptodome[${PYTHON_USEDEP}] + ) +" + +distutils_enable_tests pytest + +src_prepare() { + # use backwards-compatible cryptodome API + sed -i -e 's:Cryptodome:Crypto:' electrum/crypto.py || die + + # make qdarkstyle dep optional + sed -i -e '/qdarkstyle/d' contrib/requirements/requirements.txt || die + + # remove upper bounds from deps + sed -i -e 's:,<[0-9.]*::' contrib/requirements/requirements.txt || die + + local bestgui + if use qt5; then + bestgui=qt + elif use ncurses; then + bestgui=text + else + bestgui=stdio + fi + sed -i 's/^\([[:space:]]*\)\(config_options\['\''cwd'\''\] = .*\)$/\1\2\n\1config_options.setdefault("gui", "'"${bestgui}"'")\n/' ${PN}/${PN} || die + + eapply_user + + xdg_environment_reset + distutils-r1_src_prepare +} + +src_install() { + dodoc RELEASE-NOTES + distutils-r1_src_install +} + +pkg_postinst() { + xdg_icon_cache_update + xdg_desktop_database_update + + local v + for v in ${REPLACING_VERSIONS}; do + ver_test "${v}" -ge 4.3.4 && return + done + + ewarn "If you are new to BitCoin, please be aware that:" + ewarn "1. Cryptocurrencies are volatile. BTC has been subject to rapid" + ewarn " changes of value in the past." + ewarn "2. Cryptocurrency ownership is determined solely by the access to" + ewarn " the private key. If the key is lost or stolen, BTC are unrevocably" + ewarn " lost." + ewarn "3. Proof-of-work based cryptocurrencies have negative environmental" + ewarn " impact. BTC mining is consuming huge amounts of electricity." +} + +pkg_postrm() { + xdg_icon_cache_update + xdg_desktop_database_update +} diff --git a/net-misc/openssh-contrib/Manifest b/net-misc/openssh-contrib/Manifest new file mode 100644 index 000000000000..04a027091998 --- /dev/null +++ b/net-misc/openssh-contrib/Manifest @@ -0,0 +1,30 @@ +AUX openssh-6.7_p1-openssl-ignore-status.patch 765 BLAKE2B 6ddc498cef115a38054eb8f1fddac34048b94592e54f8e31dc11717fe872f3d66a7e6877d2449102fbe18a0ee2a35732991abe946b1fe10abfa48bbec6871b26 SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 +AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1f783669c3447ea3c80c5c0f9b971b86ca1e79e99e906a90a519abb6b14db462f5766572e9759180719ea44f048ef5aa8efc37efb61d2b6ef7 SHA512 f35b15f1e8d0eb276d748ee14c71004c6599ddb124c33e2f84623bc9eb02bb4fd4680d25d0ba0289d6a723a526c95c9a56b30496bdaa565bae853bf3d1bab61f +AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70 +AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 +AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd +AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02 +AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd +AUX openssh-8.9_p1-allow-ppoll_time64.patch 396 BLAKE2B b5bb202f79699d9037f12155044328f89ee0573efa43da7cdf8511555e706b6bf66cae069ac95cca900779c6ce293eedec48450f786fd033375e9be17bfb2872 SHA512 9b88024e6a898fc85205fbc038274a3271f787276962150965ab8f599fa355ee73cb48e7e12e3f090034293f9dca94a1ce41dfce2aaeb140693545ff3bc391f0 +AUX openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch 419 BLAKE2B c5ef82ed92da96213c84d954541dc3d99040f95a3ce6d81ea585360200128154daaa7717a553a91e693ee11044f11b4a2c3f9f0137c4b92cb1aee01514ec7763 SHA512 cdc0894728e01b132346bf1358b2193d5349f281a086a784a4bbdf1a6ad736632cf4c4fbb900c4ebb6b31a13313ed8660dae95968f4e906d40b2aa0b7a7c2303 +AUX openssh-9.0_p1-X509-uninitialized-delay.patch 321 BLAKE2B 19bff0fc7ecdc6350f8e6bd30f36f30b455c65b7455fe8b1d481d8fa7cdfa7cc76719931857fe2c9730b05ae8fe3e7e05c538e743e055d6594dd2fc7c3f250ee SHA512 57798621a51a60abf6985391ec73dcafdb46de75c93579e23b786aa095d8eea29ebd9ab5987b951a136b15e60896332c9717c82b42e1c22b345444aedf17a9f5 +AUX openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 514 BLAKE2B d0dadfc57736cd4d2b04e46f5c0f6d5a1db1cfc7ee70d32afaa0f65269b82e66a72c46d33c9cbf7237f541a0485b25669cd2f4b34393e3a3ef0c9b4334092fe5 SHA512 f8badde54501340bde275951bc1cf653919bec02c760bf771308f10697b9ad2a483e30ae74ad124a737341f5c64657ab193a4d7fdf2baf24029b9447099da04b +AUX openssh-9.3_p1-openssl-version-compat-check.patch 2588 BLAKE2B 635e9d4e0ca515d4da190075371b85b5c1885fd7d9b621d6f21399be0faf0be96e5e31875611392386b897f74087d75a00203a74c9f9ecf0be447bf354fcf4a2 SHA512 a27afa1b07a47f0ecf74d30ca85e7b4f8c79857c8019d274aeaed88b81149ce6241fd16f1023f14dbdc701e8c9d8671f6aadda2e21d620a47af8778b8531b991 +AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe +AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27 +AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391af5769798e0b0185f0a588bc089d229c76138fd2db39fbe6bd33924f0d53e0513074d9c2d7abf88dcb78 SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c +AUX sshd.service.1 298 BLAKE2B 7a4f2e2656096b09a8b435d393ea9b0a7bd10a2a9f0e9d9cf49b9ae9600cccfb19a64e09f4cf718e8054fc997f21656f609eb3af15ee2e3576531a88b5709842 SHA512 efc936ca412999e3b1acabe6cf4e87c033fe468cede1c3c499499e252cf7cdeca0841e5e1862ebe316ff3f4bf758fba674f08d081b403713e154b6bbc37da365 +AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 +AUX sshd_at.service.1 163 BLAKE2B b5c77d69e3860d365ba96a5b2fe14514bda9425e170fc7f324dcaf95fb02756ef9c5c2658904e812232f40fac9a3c2f4abf61b9129038bde66bb7d3a992d2606 SHA512 fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f +DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f +DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a +DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 +DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d +DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387 +DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909 +DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d +DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71 +DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19 +DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4 +EBUILD openssh-contrib-9.3_p1.ebuild 19020 BLAKE2B 65b72abbf8db1fd00dd8baf7e8695ab366e020e8509076fe02a587f499d5d997c470ed90c73104fa565eb00754cd9fd54cd85f06d0a11b639d251b66b634a7a1 SHA512 204a8c4e3ad06dcf6470b024372d4b84f4ed3c75fdb33a4124803fa8b3dfea1b75bb9fd8ff5a40a09fd626c455523d84d946c9cca5769533421e1670639569b2 +MISC metadata.xml 2975 BLAKE2B 068d52ba2e5de0b696e7fe995e4c2a041206a59258f24704ca3a72fe1d85323c2aad7899f055b48a4045d6303491822c59f2b86b85fc428a26f8259ea583796a SHA512 83fef701188c00af53382b5099fc2ebf83c903c3edefc3d2cf6deb0a667c0d0d9531c18728eef9b5b703903d31fbdb55a68e5b76890ea090bc1d79fef3ae6b89 diff --git a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch new file mode 100644 index 000000000000..fa33af39b6f8 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch @@ -0,0 +1,17 @@ +the last nibble of the openssl version represents the status. that is, +whether it is a beta or release. when it comes to version checks in +openssh, this component does not matter, so ignore it. + +https://bugzilla.mindrot.org/show_bug.cgi?id=2212 + +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ +- mask = 0xfff0000fL; /* major,minor,status */ ++ mask = 0xfff00000L; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch new file mode 100644 index 000000000000..a5647ce9d8d3 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch @@ -0,0 +1,20 @@ +Disable conch interop tests which are failing when called +via portage for yet unknown reason and because using conch +seems to be flaky (test is failing when using Python2 but +passing when using Python3). + +Bug: https://bugs.gentoo.org/605446 + +--- a/regress/conch-ciphers.sh ++++ b/regress/conch-ciphers.sh +@@ -3,6 +3,10 @@ + + tid="conch ciphers" + ++# https://bugs.gentoo.org/605446 ++echo "conch interop tests skipped due to Gentoo bug #605446" ++exit 0 ++ + if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then + echo "conch interop tests not enabled" + exit 0 diff --git a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch new file mode 100644 index 000000000000..c5697c2b8bd1 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch @@ -0,0 +1,48 @@ +diff --git a/auth-options.c b/auth-options.c +index b05d6d6f..d1f42f04 100644 +--- a/auth-options.c ++++ b/auth-options.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #include "openbsd-compat/sys-queue.h" + +diff --git a/hmac.c b/hmac.c +index 1c879640..a29f32c5 100644 +--- a/hmac.c ++++ b/hmac.c +@@ -19,6 +19,7 @@ + + #include + #include ++#include + + #include "sshbuf.h" + #include "digest.h" +diff --git a/krl.c b/krl.c +index 8e2d5d5d..c32e147a 100644 +--- a/krl.c ++++ b/krl.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "sshbuf.h" + #include "ssherr.h" +diff --git a/mac.c b/mac.c +index 51dc11d7..3d11eba6 100644 +--- a/mac.c ++++ b/mac.c +@@ -29,6 +29,7 @@ + + #include + #include ++#include + + #include "digest.h" + #include "hmac.h" diff --git a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch new file mode 100644 index 000000000000..4310aa123fc8 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch @@ -0,0 +1,57 @@ +Make sure that host keys are already accepted before +running tests. + +https://bugs.gentoo.org/493866 + +--- a/regress/putty-ciphers.sh ++++ b/regress/putty-ciphers.sh +@@ -10,11 +10,17 @@ fi + + for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do + verbose "$tid: cipher $c" ++ rm -f ${COPY} + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/cipher_$c + echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c + +- rm -f ${COPY} ++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \ + cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then +--- a/regress/putty-kex.sh ++++ b/regress/putty-kex.sh +@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do + ${OBJ}/.putty/sessions/kex_$k + echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k + ++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true + if [ $? -ne 0 ]; then + fail "KEX $k failed" +--- a/regress/putty-transfer.sh ++++ b/regress/putty-transfer.sh +@@ -14,6 +14,13 @@ for c in 0 1 ; do + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/compression_$c + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k ++ ++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load compression_$c -batch \ + -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then diff --git a/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch new file mode 100644 index 000000000000..7199227589c6 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch @@ -0,0 +1,18 @@ +diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff +--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700 ++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700 +@@ -1414,14 +1414,3 @@ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +-diff --git a/version.h b/version.h +-index 6b4fa372..332fb486 100644 +---- a/version.h +-+++ b/version.h +-@@ -3,4 +3,5 @@ +- #define SSH_VERSION "OpenSSH_8.5" +- +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_HPN "-hpn15v2" +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff --git a/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch new file mode 100644 index 000000000000..6dc290d6737b --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch @@ -0,0 +1,13 @@ +diff --git a/kex.c b/kex.c +index 34808b5c..88d7ccac 100644 +--- a/kex.c ++++ b/kex.c +@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, + if (version_addendum != NULL && *version_addendum == '\0') + version_addendum = NULL; + if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, + version_addendum == NULL ? "" : " ", + version_addendum == NULL ? "" : version_addendum)) != 0) { + oerrno = errno; diff --git a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..ffc40b70ae3d --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch @@ -0,0 +1,357 @@ +diff --git a/auth.c b/auth.c +index 00b168b4..8ee93581 100644 +--- a/auth.c ++++ b/auth.c +@@ -729,118 +729,6 @@ fakepw(void) + return (&fake); + } + +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on based on conflation of hostnames and IP addresses. +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) == -1) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return xstrdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return xstrdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return xstrdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return xstrdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return xstrdup(ntop); +- } +- return xstrdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +- + /* These functions link key/cert options to the auth framework */ + + /* Log sshauthopt options locally and (optionally) for remote transmission */ +diff --git a/canohost.c b/canohost.c +index a810da0e..18e9d8d4 100644 +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) == -1) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return xstrdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return xstrdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return xstrdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return xstrdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return xstrdup(ntop); ++ } ++ return xstrdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} +diff --git a/readconf.c b/readconf.c +index 03369a08..b45898ce 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -161,6 +161,7 @@ typedef enum { + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -207,9 +208,11 @@ static struct { + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + # else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + #ifdef ENABLE_PKCS11 + { "pkcs11provider", oPKCS11Provider }, +@@ -1117,6 +1120,10 @@ parse_time: + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -2307,6 +2314,7 @@ initialize_options(Options * options) + options->pubkey_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -2465,6 +2473,8 @@ fill_default_options(Options * options) + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +diff --git a/readconf.h b/readconf.h +index f7d53b06..c3a91898 100644 +--- a/readconf.h ++++ b/readconf.h +@@ -40,6 +40,7 @@ typedef struct { + int hostbased_authentication; /* ssh2's rhosts_rsa */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +diff --git a/ssh_config.5 b/ssh_config.5 +index cd0eea86..27101943 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -832,6 +832,16 @@ The default is + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +diff --git a/sshconnect2.c b/sshconnect2.c +index fea50fab..aeff639b 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh) + OM_uint32 min; + int r, ok = 0; + gss_OID mech = NULL; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(ssh, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh) + elements[authctxt->mech_tried]; + /* My DER encoding requires length<128 */ + if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, +- mech, authctxt->host)) { ++ mech, gss_host)) { + ok = 1; /* Mechanism works */ + } else { + authctxt->mech_tried++; diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch new file mode 100644 index 000000000000..8c46625aa29c --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch @@ -0,0 +1,14 @@ +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 2e065ba3..4ce80cb2 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_ppoll + SC_ALLOW(__NR_ppoll), + #endif ++#ifdef __NR_ppoll_time64 ++ SC_ALLOW(__NR_ppoll_time64), ++#endif + #ifdef __NR_poll + SC_ALLOW(__NR_poll), + #endif diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch new file mode 100644 index 000000000000..9e08b2a553c2 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch @@ -0,0 +1,13 @@ +diff --git a/gss-serv.c b/gss-serv.c +index b5d4bb2d..00e3d118 100644 +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + gss_create_empty_oid_set(&status, &oidset); + gss_add_oid_set_member(&status, ctx->oid, &oidset); + +- if (gethostname(lname, MAXHOSTNAMELEN)) { ++ if (gethostname(lname, HOST_NAME_MAX)) { + gss_release_oid_set(&status, &oidset); + return (-1); + } diff --git a/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch new file mode 100644 index 000000000000..2a83ed37d138 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch @@ -0,0 +1,12 @@ +diff -ur a/auth2.c b/auth2.c +--- a/auth2.c 2022-05-19 15:59:32.875160028 -0700 ++++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700 +@@ -226,7 +226,7 @@ + int digest_alg; + size_t len; + u_char *hash; +- double delay; ++ double delay = 0; + + digest_alg = ssh_digest_maxbytes(); + if (len = ssh_digest_bytes(digest_alg) > 0) { diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch new file mode 100644 index 000000000000..4d098b2231c7 --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch @@ -0,0 +1,20 @@ +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 23b40b643..d93a357c6 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_statx + SC_DENY(__NR_statx, EACCES), + #endif ++#ifdef __NR_shmget ++ SC_DENY(__NR_shmget, EACCES), ++#endif ++#ifdef __NR_shmat ++ SC_DENY(__NR_shmat, EACCES), ++#endif ++#ifdef __NR_shmdt ++ SC_DENY(__NR_shmdt, EACCES), ++#endif + + /* Syscalls to permit */ + #ifdef __NR_brk diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch new file mode 100644 index 000000000000..b571ae253fff --- /dev/null +++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch @@ -0,0 +1,58 @@ +https://bugzilla.mindrot.org/show_bug.cgi?id=3548 +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver) + if (headerver == libver) + return 1; + +- /* for versions < 1.0.0, major,minor,fix,status must match */ +- if (headerver < 0x1000000f) { +- mask = 0xfffff00fL; /* major,minor,fix,status */ +- return (headerver & mask) == (libver & mask); ++ /* ++ * For versions < 3.0.0, major,minor,status must match and library ++ * fix version must be equal to or newer than the header. ++ */ ++ if (headerver < 0x3000000f) { ++ mask = 0xfff0000fL; /* major,minor,status */ ++ hfix = (headerver & 0x000ff000) >> 12; ++ lfix = (libver & 0x000ff000) >> 12; ++ if ( (headerver & mask) == (libver & mask) && lfix >= hfix) ++ return 1; + } + + /* +- * For versions >= 1.0.0, major,minor,status must match and library +- * fix version must be equal to or newer than the header. ++ * For versions >= 3.0.0, major must match and minor,status must be ++ * equal to or greater than the header. + */ +- mask = 0xfff00000L; /* major,minor,status */ +- hfix = (headerver & 0x000ff000) >> 12; +- lfix = (libver & 0x000ff000) >> 12; ++ mask = 0xf000000fL; /* major, status */ ++ hfix = (headerver & 0x0ffffff0L) >> 12; ++ lfix = (libver & 0x0ffffff0L) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) + return 1; + return 0; +--- a/openbsd-compat/regress/opensslvertest.c ++++ b/openbsd-compat/regress/opensslvertest.c +@@ -31,7 +31,7 @@ struct version_test { + { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ + { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ + { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ +- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ ++ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */ + { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ + { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ + +@@ -41,7 +41,7 @@ struct version_test { + { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ + { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ + { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ +- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ ++ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */ + { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ + { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ + }; diff --git a/net-misc/openssh-contrib/files/sshd-r1.confd b/net-misc/openssh-contrib/files/sshd-r1.confd new file mode 100644 index 000000000000..cf430371bf0f --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd-r1.confd @@ -0,0 +1,33 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress. + +#SSHD_SSD_OPTS="--wait 1000" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd" + + +# Path to the ssh-keygen binary (needs to be absolute path). + +#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen" diff --git a/net-misc/openssh-contrib/files/sshd-r1.initd b/net-misc/openssh-contrib/files/sshd-r1.initd new file mode 100644 index 000000000000..e91cd0116cd4 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd-r1.initd @@ -0,0 +1,87 @@ +#!/sbin/openrc-run +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} +: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} + +command="${SSHD_BINARY}" +pidfile="${SSHD_PIDFILE}" +command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress (bug 617596). +: ${SSHD_SSD_OPTS:=--wait 1000} +start_stop_daemon_args="${SSHD_SSD_OPTS}" + +depend() { + # Entropy can be used by ssh-keygen, among other things, but + # is not strictly required (bug 470020). + use logger dns entropy + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ${SSHD_KEYGEN_BINARY} -A || return 2 + + "${command}" -t ${command_args} || return 3 +} + +start_pre() { + # Make sure that the user's config isn't busted before we try + # to start the daemon (this will produce better error messages + # than if we just try to start it blindly). + # + # We always need to call checkconfig because this function will + # also generate any missing host key and you can start a + # non-running service with "restart" argument. + checkconfig || return $? +} + +stop_pre() { + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return $? + fi +} + +reload() { + checkconfig || return $? + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} diff --git a/net-misc/openssh-contrib/files/sshd.pam_include.2 b/net-misc/openssh-contrib/files/sshd.pam_include.2 new file mode 100644 index 000000000000..b801aaafa0f9 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh-contrib/files/sshd.service.1 b/net-misc/openssh-contrib/files/sshd.service.1 new file mode 100644 index 000000000000..a541164cd7f2 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd.service.1 @@ -0,0 +1,15 @@ +[Unit] +Description=OpenSSH server daemon +After=network.target auditd.service + +[Service] +ExecStartPre=/usr/bin/ssh-keygen -A +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +OOMPolicy=continue +Restart=on-failure +RestartSec=42s + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh-contrib/files/sshd.socket b/net-misc/openssh-contrib/files/sshd.socket new file mode 100644 index 000000000000..94b9533180da --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh-contrib/files/sshd_at.service.1 b/net-misc/openssh-contrib/files/sshd_at.service.1 new file mode 100644 index 000000000000..e43a457994f4 --- /dev/null +++ b/net-misc/openssh-contrib/files/sshd_at.service.1 @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=journal diff --git a/net-misc/openssh-contrib/metadata.xml b/net-misc/openssh-contrib/metadata.xml new file mode 100644 index 000000000000..2982a0304511 --- /dev/null +++ b/net-misc/openssh-contrib/metadata.xml @@ -0,0 +1,59 @@ + + + + + chutzpah@gentoo.org + Patrick McLean + + + robbat2@gentoo.org + Robin H. Johnson + + + OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that + increasing numbers of people on the Internet are coming to rely on. Many users of telnet, + rlogin, ftp, and other such programs might not realize that their password is transmitted + across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) + to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. + Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety + of authentication methods. + + The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which + replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of + the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, + ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. + + This package represents an effort to extend upstream OpenSSH with three big patchsets. + + WARNING: These patches are of lower quality than vanilla upstream OpenSSH and often have + correctness issues. + + The patches are: + + * HPN (High performance SSH/SCP) adds custom ciphers that allow for more aggressive + buffering and/or multithreading, leading to better network throughput. Many of these + optimizations are not relevant anymore due to AEAD ciphers changing MAC nesting or + because more CPU performant ciphers are being used in this day and age (ChaCha20). + + WARNING: HPN's multi-threaded AES CTR cipher is known to be broken and should not be relied upon. + + * SCTP patches by Patrick McLean. These enable SSH over SCTP. + + * X509 patches by Roumen Petrov. OpenSSH upstream will never support standard PKIs for + authenticating users. This patch series adds support for X509 certificates. + + + Enable high performance ssh + Use LDNS for DNSSEC/SSHFP validation. + Enable root password logins for live-cd environment. + Include builtin U2F/FIDO support + Enable additional crypto algorithms via OpenSSL + Adds support for X.509 certificate authentication + Enable XMSS post-quantum authentication algorithm + + + cpe:/a:openbsd:openssh + openssh/openssh-portable + hpnssh + + diff --git a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild new file mode 100644 index 000000000000..8fa1eabcaa5c --- /dev/null +++ b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild @@ -0,0 +1,531 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig + +# Make it more portable between straight releases +# and _p? releases. +MY_P=${P/-contrib/} +PARCH=${MY_P/_} + +# PV to USE for HPN patches +#HPN_PV="${PV^^}" +HPN_PV="8.5_P1" + +HPN_VER="15.2" +HPN_PATCHES=( + openssh-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff + openssh-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff + openssh-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff +) +HPN_GLUE_PATCH="openssh-9.3_p1-hpn-${HPN_VER}-glue.patch" +HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" + +SCTP_VER="1.2" +SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" + +X509_VER="14.1.1" +X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +X509_GLUE_PATCH="openssh-${PV}-X509-glue-${X509_VER}.patch" +X509_HPN_GLUE_PATCH="openssh-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" + +DESCRIPTION="Port of OpenBSD's free SSH release with HPN/SCTP/X509 patches" +HOMEPAGE="https://www.openssh.com/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} + ${HPN_VER:+hpn? ( + $(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") + https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz + )} + ${X509_VER:+X509? ( + https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} + https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz + ${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )} + )} + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~amd64" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + hpn? ( ssl ) + ldns? ( ssl ) + pie? ( !static ) + static? ( !kerberos !pam ) + X509? ( !sctp ssl !xmss ) + xmss? ( ssl ) + test? ( ssl ) +" + +# tests currently fail with XMSS +REQUIRED_USE+="test? ( !xmss )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + !net-misc/openssh + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND="${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) + X? ( x11-apps/xauth ) +" +# Weird dep construct for newer gcc-config for bug #872416 +BDEPEND=" + sys-devel/autoconf + virtual/pkgconfig + || ( + >=sys-devel/gcc-config-2.6 + >=sys-devel/clang-toolchain-symlinks-14-r1:14 + >=sys-devel/clang-toolchain-symlinks-15-r1:15 + >=sys-devel/clang-toolchain-symlinks-16-r1:* + ) + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/openssh-7.9_p1-include-stdlib.patch" + "${FILESDIR}/openssh-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex + "${FILESDIR}/openssh-6.7_p1-openssl-ignore-status.patch" + "${FILESDIR}/openssh-7.5_p1-disable-conch-interop-tests.patch" + "${FILESDIR}/openssh-8.0_p1-fix-putty-tests.patch" + "${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" + "${FILESDIR}/openssh-8.9_p1-allow-ppoll_time64.patch" #834019 + "${FILESDIR}/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044 + "${FILESDIR}/openssh-9.3_p1-openssl-version-compat-check.patch" +) + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + local missing=() + check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } + check_feature hpn HPN_VER + check_feature sctp SCTP_PATCH + check_feature X509 X509_PATCH + if [[ ${#missing[@]} -ne 0 ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${missing[*]}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "Missing requested third party patch." + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_unpack() { + default + + # We don't have signatures for HPN, X509, so we have to write this ourselves + use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + eapply -- "${PATCHES[@]}" + + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches + + local PATCHSET_VERSION_MACROS=() + + if use X509 ; then + pushd "${WORKDIR}" &>/dev/null || die + eapply "${WORKDIR}/${X509_GLUE_PATCH}" + popd &>/dev/null || die + + eapply "${WORKDIR}"/${X509_PATCH%.*} + eapply "${FILESDIR}/openssh-9.0_p1-X509-uninitialized-delay.patch" + + # We need to patch package version or any X.509 sshd will reject our ssh client + # with "userauth_pubkey: could not parse key: string is too large [preauth]" + # error + einfo "Patching package version for X.509 patch set ..." + sed -i \ + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" + + einfo "Patching version.h to expose X.509 patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in X.509 patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) + fi + + if use sctp ; then + eapply "${WORKDIR}"/${SCTP_PATCH%.*} + + einfo "Patching version.h to expose SCTP patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in SCTP patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) + + einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." + sed -i \ + -e "/\t\tcfgparse \\\/d" \ + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" + fi + + if use hpn ; then + local hpn_patchdir="${T}/openssh-${PV}-hpn${HPN_VER}" + mkdir "${hpn_patchdir}" || die + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die + pushd "${hpn_patchdir}" &>/dev/null || die + eapply "${WORKDIR}/${HPN_GLUE_PATCH}" + use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" + use sctp && eapply "${FILESDIR}"/openssh-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch + popd &>/dev/null || die + + eapply "${hpn_patchdir}" + + use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" + + einfo "Patching Makefile.in for HPN patch set ..." + sed -i \ + -e "/^LIBS=/ s/\$/ -lpthread/" \ + "${S}"/Makefile.in || die "Failed to patch Makefile.in" + + einfo "Patching version.h to expose HPN patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ + "${S}"/version.h || die "Failed to sed-in HPN patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) + + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + # Before re-enabling, check https://bugs.gentoo.org/354113#c6 + # and be sure to have tested it. + einfo "Disabling known non-working MT AES cipher per default ..." + + cat > "${T}"/disable_mtaes.conf <<- EOF + + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken + # and therefore disabled per default. + DisableMTAES yes + EOF + sed -i \ + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" + + sed -i \ + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" + fi + fi + + if use X509 || use sctp || use hpn ; then + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" + + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" + + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." + sed -i \ + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" + fi + + eapply_user #473004 + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the sctp patch conditionally, so can't pass --without-sctp + # unconditionally else we get unknown flag warnings. + $(use sctp && use_with sctp) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(usex X509 '' "$(use_with security-key security-key-builtin)") + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + $(use_with !elibc_Cygwin hardening) #659210 + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE + # https://bugs.gentoo.org/753230 + myconf+=( --disable-utmp --disable-wtmp ) + fi + + # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all + # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) + tc-is-clang && myconf+=( --without-hardening ) + + econf "${myconf[@]}" +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" > "${ED}"/etc/ssh/ssh_config || die + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + if use pam ; then + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + + if use pam; then + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + fi + + tweak_ssh_configs + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use hpn && dodoc HPN-README + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + rmdir "${ED}"/var/empty || die + + systemd_dounit "${FILESDIR}"/sshd.socket + systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service + systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service' +} + +pkg_preinst() { + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi +} + +pkg_postinst() { + local old_ver + for old_ver in ${REPLACING_VERSIONS}; do + if ver_test "${old_ver}" -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_test "${old_ver}" -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_test "${old_ver}" -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_test "${old_ver}" -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_test "${old_ver}" -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then + ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" + ewarn "'Restart=on-failure', which causes the service to automatically restart if it" + ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," + ewarn "but it can increase the vulnerability of the system in the event of a future exploit." + ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" + ewarn "set 'Restart=no' in your sshd unit file." + fi + done + + if [[ -n ${show_ssl_warning} ]]; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi + + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + elog "" + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" + elog "and therefore disabled at runtime per default." + elog "Make sure your sshd_config is up to date and contains" + elog "" + elog " DisableMTAES yes" + elog "" + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." + elog "" + fi +} diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 6346e7741780..3472427f1673 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -2,12 +2,9 @@ AUX openssh-6.7_p1-openssl-ignore-status.patch 765 BLAKE2B 6ddc498cef115a38054eb AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1f783669c3447ea3c80c5c0f9b971b86ca1e79e99e906a90a519abb6b14db462f5766572e9759180719ea44f048ef5aa8efc37efb61d2b6ef7 SHA512 f35b15f1e8d0eb276d748ee14c71004c6599ddb124c33e2f84623bc9eb02bb4fd4680d25d0ba0289d6a723a526c95c9a56b30496bdaa565bae853bf3d1bab61f AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70 AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 -AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd -AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02 AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd AUX openssh-8.9_p1-allow-ppoll_time64.patch 396 BLAKE2B b5bb202f79699d9037f12155044328f89ee0573efa43da7cdf8511555e706b6bf66cae069ac95cca900779c6ce293eedec48450f786fd033375e9be17bfb2872 SHA512 9b88024e6a898fc85205fbc038274a3271f787276962150965ab8f599fa355ee73cb48e7e12e3f090034293f9dca94a1ce41dfce2aaeb140693545ff3bc391f0 AUX openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch 419 BLAKE2B c5ef82ed92da96213c84d954541dc3d99040f95a3ce6d81ea585360200128154daaa7717a553a91e693ee11044f11b4a2c3f9f0137c4b92cb1aee01514ec7763 SHA512 cdc0894728e01b132346bf1358b2193d5349f281a086a784a4bbdf1a6ad736632cf4c4fbb900c4ebb6b31a13313ed8660dae95968f4e906d40b2aa0b7a7c2303 -AUX openssh-9.0_p1-X509-uninitialized-delay.patch 321 BLAKE2B 19bff0fc7ecdc6350f8e6bd30f36f30b455c65b7455fe8b1d481d8fa7cdfa7cc76719931857fe2c9730b05ae8fe3e7e05c538e743e055d6594dd2fc7c3f250ee SHA512 57798621a51a60abf6985391ec73dcafdb46de75c93579e23b786aa095d8eea29ebd9ab5987b951a136b15e60896332c9717c82b42e1c22b345444aedf17a9f5 AUX openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 514 BLAKE2B d0dadfc57736cd4d2b04e46f5c0f6d5a1db1cfc7ee70d32afaa0f65269b82e66a72c46d33c9cbf7237f541a0485b25669cd2f4b34393e3a3ef0c9b4334092fe5 SHA512 f8badde54501340bde275951bc1cf653919bec02c760bf771308f10697b9ad2a483e30ae74ad124a737341f5c64657ab193a4d7fdf2baf24029b9447099da04b AUX openssh-9.3_p1-openssl-version-compat-check.patch 2588 BLAKE2B 635e9d4e0ca515d4da190075371b85b5c1885fd7d9b621d6f21399be0faf0be96e5e31875611392386b897f74087d75a00203a74c9f9ecf0be447bf354fcf4a2 SHA512 a27afa1b07a47f0ecf74d30ca85e7b4f8c79857c8019d274aeaed88b81149ce6241fd16f1023f14dbdc701e8c9d8671f6aadda2e21d620a47af8778b8531b991 AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe @@ -16,15 +13,7 @@ AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391a AUX sshd.service.1 298 BLAKE2B 7a4f2e2656096b09a8b435d393ea9b0a7bd10a2a9f0e9d9cf49b9ae9600cccfb19a64e09f4cf718e8054fc997f21656f609eb3af15ee2e3576531a88b5709842 SHA512 efc936ca412999e3b1acabe6cf4e87c033fe468cede1c3c499499e252cf7cdeca0841e5e1862ebe316ff3f4bf758fba674f08d081b403713e154b6bbc37da365 AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 AUX sshd_at.service.1 163 BLAKE2B b5c77d69e3860d365ba96a5b2fe14514bda9425e170fc7f324dcaf95fb02756ef9c5c2658904e812232f40fac9a3c2f4abf61b9129038bde66bb7d3a992d2606 SHA512 fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f -DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f -DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a -DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 -DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d -DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387 -DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909 -DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d -DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71 DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19 DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4 -EBUILD openssh-9.3_p1.ebuild 18303 BLAKE2B 008384b33dd35dbbf604abd51674146edd5a9766c247671d9080324c24a22a696373abfe1a44a1e4f309071b5388b729395d38efb81e38ff64083952ecc32df9 SHA512 0b2a3af3ba5b18bda746142129521ef012d6e3fa378f11f605c02dee4b8bc24c08e8169f4af32f6282456346e5dad997fa7e1c4f84ef54aef184866c2fbf91c6 -MISC metadata.xml 1970 BLAKE2B 3099c31852827b4f7b5dd82643a1388a0c1572bad3266f275b2b0de38e768e22cd2f9ff52982d03b418babca8a4ec2e62bc1fee47fba0a3df187e5a33d4e986a SHA512 1d9b54459c3ae78d0afea2b7632c2e27664d9033b6fa10f31d1a865326f495dce42a053cd77e930ca06467a61a80a096c58abbd10d9a0925d71452d173fe72de +EBUILD openssh-9.3_p1-r1.ebuild 13585 BLAKE2B 10de35ae0eb44b677c7bca48c2282c7576853615086ff347b80b5ae6b50ae701f505e38472ba594fda193ea7f21a62f1f707ac8ae76d421598b9ee266b2dc361 SHA512 ae204df789e501ce619296a6b4aab010c905410a18a941cbf3910134f67369dc5e0d64286ec47069b10efc230bc4850a51adbbe0906b3f07615ccc79dce795bd +MISC metadata.xml 1788 BLAKE2B d04d3030f70f3615522672fa56e684acaa67ddce8d16cce86ba8911fb8fc11ed152be012ecf560427d271868c4841a7422aaa644305947302d3ebab62bdb577d SHA512 bd328e3a33ce04b989149333db5f774f1b52540f12ef83b08b7fcf136ae2a3a9c83bef42c28991d3536249098ca0b9ffd21e583d93599580510d8619e9fd01ca diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch deleted file mode 100644 index 7199227589c6..000000000000 --- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700 -@@ -1414,14 +1414,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch deleted file mode 100644 index 6dc290d6737b..000000000000 --- a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/kex.c b/kex.c -index 34808b5c..88d7ccac 100644 ---- a/kex.c -+++ b/kex.c -@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, - if (version_addendum != NULL && *version_addendum == '\0') - version_addendum = NULL; - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, - version_addendum == NULL ? "" : " ", - version_addendum == NULL ? "" : version_addendum)) != 0) { - oerrno = errno; diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch deleted file mode 100644 index 2a83ed37d138..000000000000 --- a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur a/auth2.c b/auth2.c ---- a/auth2.c 2022-05-19 15:59:32.875160028 -0700 -+++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700 -@@ -226,7 +226,7 @@ - int digest_alg; - size_t len; - u_char *hash; -- double delay; -+ double delay = 0; - - digest_alg = ssh_digest_maxbytes(); - if (len = ssh_digest_bytes(digest_alg) > 0) { diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml index 0ed696c82ad6..da1b4330c4d7 100644 --- a/net-misc/openssh/metadata.xml +++ b/net-misc/openssh/metadata.xml @@ -20,17 +20,14 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. - Enable high performance ssh Use LDNS for DNSSEC/SSHFP validation. Enable root password logins for live-cd environment. Include builtin U2F/FIDO support Enable additional crypto algorithms via OpenSSL - Adds support for X.509 certificate authentication Enable XMSS post-quantum authentication algorithm cpe:/a:openbsd:openssh openssh/openssh-portable - hpnssh diff --git a/net-misc/openssh/openssh-9.3_p1-r1.ebuild b/net-misc/openssh/openssh-9.3_p1-r1.ebuild new file mode 100644 index 000000000000..ea2cc9a83d0c --- /dev/null +++ b/net-misc/openssh/openssh-9.3_p1-r1.ebuild @@ -0,0 +1,381 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )" +VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + pie? ( !static ) + static? ( !kerberos !pam ) + xmss? ( ssl ) + test? ( ssl ) +" + +# tests currently fail with XMSS +REQUIRED_USE+="test? ( !xmss )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND="${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND="${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) + X? ( x11-apps/xauth ) +" +# Weird dep construct for newer gcc-config for bug #872416 +BDEPEND=" + sys-devel/autoconf + virtual/pkgconfig + || ( + >=sys-devel/gcc-config-2.6 + >=sys-devel/clang-toolchain-symlinks-14-r1:14 + >=sys-devel/clang-toolchain-symlinks-15-r1:15 + >=sys-devel/clang-toolchain-symlinks-16-r1:* + ) + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch" + "${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex + "${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch" + "${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch" + "${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch" + "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" + "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019 + "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044 + "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch" +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." + ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + eapply -- "${PATCHES[@]}" + + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches + + eapply_user #473004 + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + $(use_with !elibc_Cygwin hardening) #659210 + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE + # https://bugs.gentoo.org/753230 + myconf+=( --disable-utmp --disable-wtmp ) + fi + + # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all + # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) + tc-is-clang && myconf+=( --without-hardening ) + + econf "${myconf[@]}" +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" > "${ED}"/etc/ssh/ssh_config || die + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + if use pam ; then + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + + if use pam; then + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + fi + + tweak_ssh_configs + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + rmdir "${ED}"/var/empty || die + + systemd_dounit "${FILESDIR}"/sshd.socket + systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service + systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service' +} + +pkg_preinst() { + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi +} + +pkg_postinst() { + local old_ver + for old_ver in ${REPLACING_VERSIONS}; do + if ver_test "${old_ver}" -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_test "${old_ver}" -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_test "${old_ver}" -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_test "${old_ver}" -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_test "${old_ver}" -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then + ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" + ewarn "'Restart=on-failure', which causes the service to automatically restart if it" + ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," + ewarn "but it can increase the vulnerability of the system in the event of a future exploit." + ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" + ewarn "set 'Restart=no' in your sshd unit file." + fi + done + + if [[ -n ${show_ssl_warning} ]]; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} diff --git a/net-misc/openssh/openssh-9.3_p1.ebuild b/net-misc/openssh/openssh-9.3_p1.ebuild deleted file mode 100644 index c3084f573734..000000000000 --- a/net-misc/openssh/openssh-9.3_p1.ebuild +++ /dev/null @@ -1,518 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) -HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch" -HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" - -SCTP_VER="1.2" -SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" - -X509_VER="14.1.1" -X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" -X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch" -X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( - $(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") - https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz - )} - ${X509_VER:+X509? ( - https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} - https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz - ${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )} - )} - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" -VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -# Blocker on older gcc-config for bug #872416 -LIB_DEPEND=" - !=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - !prefix? ( sys-apps/shadow ) - X? ( x11-apps/xauth ) -" -# Weird dep construct for newer gcc-config for bug #872416 -BDEPEND=" - sys-devel/autoconf - virtual/pkgconfig - || ( - >=sys-devel/gcc-config-2.6 - >=sys-devel/clang-toolchain-symlinks-14-r1:14 - >=sys-devel/clang-toolchain-symlinks-15-r1:15 - >=sys-devel/clang-toolchain-symlinks-16-r1:* - ) - verify-sig? ( sec-keys/openpgp-keys-openssh ) -" - -PATCHES=( - "${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch" - "${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex - "${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch" - "${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch" - "${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch" - "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019 - "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044 - "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch" -) - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - local missing=() - check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } - check_feature hpn HPN_VER - check_feature sctp SCTP_PATCH - check_feature X509 X509_PATCH - if [[ ${#missing[@]} -ne 0 ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${missing[*]}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_unpack() { - default - - # We don't have signatures for HPN, X509, so we have to write this ourselves - use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply -- "${PATCHES[@]}" - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${WORKDIR}/${X509_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch" - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${WORKDIR}/${HPN_GLUE_PATCH}" - use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all - # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) - tc-is-clang && myconf+=( --without-hardening ) - - econf "${myconf[@]}" -} - -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi - - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.socket - systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service - systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then - ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" - ewarn "'Restart=on-failure', which causes the service to automatically restart if it" - ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," - ewarn "but it can increase the vulnerability of the system in the event of a future exploit." - ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" - ewarn "set 'Restart=no' in your sshd unit file." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/pssh/Manifest b/net-misc/pssh/Manifest index 2b5621a26ad6..6c67736bf442 100644 --- a/net-misc/pssh/Manifest +++ b/net-misc/pssh/Manifest @@ -1,3 +1,3 @@ DIST pssh-2.3.4.tar.gz 51859 BLAKE2B 788f5239cd35e240cc1961e73b532c60e5221ede9de48878f9636339b18235dc67109948eeb4f64871985bb24e1a7f823b1718da3dbe2ea893af58fd45495c61 SHA512 7abf327ca53dda2402465254e447eb837babdd2b4d865abb5b52a1135bd234694b84c1148cb3e4ed0198271ed29333fc1b5d0d01dc653fcf6d3e5b9f170b9d4e -EBUILD pssh-2.3.4-r2.ebuild 725 BLAKE2B 4f23897773a38711d92ff7f78b099e05c9939786986baf4011e8bef45df30669089308c4b0171098e0181fadd5e1d801447639fff1daf6eb2114f0221ffeeee1 SHA512 e35472cd4a3d1da32c7f4d301e736761789f501c4389c0a9cc57a27fa4f2befa7619e143038d1809cbd580aa57d07a121f5c089a5e49899adebf3ac166bb31b1 +EBUILD pssh-2.3.4-r3.ebuild 724 BLAKE2B f1ce371ccb35bde605fbbffd6c8138680e7818c5d0ce6244c7c49e82b9596ab86e8e8df25a437f3ae33ea6d8302fecc82465128b3cf108e7dcc6b7d72051d674 SHA512 2157c7cfb6cc1a7c1607374b2607855b27ac810e9c01ddf679b72a5c8a30aa9ea0f241f4e5f44fb3025a6ae85064b0d3e9549bfa7fc0189188ebdcaae2016884 MISC metadata.xml 415 BLAKE2B 86f4588a2dc1da92bbe426b844de02c18a87ff1b8f4566c63f48854e8b38ed014530e4d63b96a44feb6d1f41477ff9317a1b434eb74c83dc995f24ef2d7cfab3 SHA512 113cc042c12d46038f0a9f441cb9fd40f91d3c7b668bc9949786eb755754a45f17fcb478948fb21e7f669617a393939566c187ca06342e10017718384873bb04 diff --git a/net-misc/pssh/pssh-2.3.4-r2.ebuild b/net-misc/pssh/pssh-2.3.4-r2.ebuild deleted file mode 100644 index 68c5f74fd4b4..000000000000 --- a/net-misc/pssh/pssh-2.3.4-r2.ebuild +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DISTUTILS_SINGLE_IMPL=1 -DISTUTILS_USE_PEP517=setuptools -PYTHON_COMPAT=( python3_{9..11} ) -inherit distutils-r1 - -DESCRIPTION="PSSH provides parallel versions of OpenSSH and related tools" -HOMEPAGE="https://github.com/lilydjwg/pssh" -SRC_URI="https://github.com/lilydjwg/pssh/archive/v${PV}.tar.gz -> ${P}.tar.gz" - -LICENSE="BSD" -SLOT="0" -KEYWORDS="~amd64 ~ppc ~x86 ~amd64-linux ~x86-linux" - -RDEPEND=" - !net-misc/putty - net-misc/openssh -" -DEPEND="${RDEPEND}" - -# Requires ssh access to run. -RESTRICT="test" - -python_prepare_all() { - sed -i -e "s|man/man1'|share/&|g" setup.py || die - distutils-r1_python_prepare_all -} diff --git a/net-misc/pssh/pssh-2.3.4-r3.ebuild b/net-misc/pssh/pssh-2.3.4-r3.ebuild new file mode 100644 index 000000000000..7992ab01da29 --- /dev/null +++ b/net-misc/pssh/pssh-2.3.4-r3.ebuild @@ -0,0 +1,31 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DISTUTILS_SINGLE_IMPL=1 +DISTUTILS_USE_PEP517=setuptools +PYTHON_COMPAT=( python3_{9..11} ) +inherit distutils-r1 + +DESCRIPTION="PSSH provides parallel versions of OpenSSH and related tools" +HOMEPAGE="https://github.com/lilydjwg/pssh" +SRC_URI="https://github.com/lilydjwg/pssh/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~amd64 ~ppc ~x86 ~amd64-linux ~x86-linux" + +RDEPEND=" + !net-misc/putty + virtual/openssh +" +DEPEND="${RDEPEND}" + +# Requires ssh access to run. +RESTRICT="test" + +python_prepare_all() { + sed -i -e "s|man/man1'|share/&|g" setup.py || die + distutils-r1_python_prepare_all +} diff --git a/net-misc/scponly/Manifest b/net-misc/scponly/Manifest index e34ae3b5918f..61cbd2d16a14 100644 --- a/net-misc/scponly/Manifest +++ b/net-misc/scponly/Manifest @@ -2,5 +2,5 @@ AUX scponly-4.8-gcc4.4.0.patch 555 BLAKE2B 0eff2d5cd94f60540dd1bbb6b6f9f1486abbb AUX scponly-4.8-rsync.patch 7838 BLAKE2B 1d6191aee86b0e3e75e527dbb1f8dbf631940a34da3f29f36b0e55577555dc9ad02e2e787a8cd53aeab5a28d93da7dd528a486f1133fd7a04b91971774b4b2a1 SHA512 37885c9b46422ac034182f9c9f230b4e806ce8c894ebb6c621f0e2b3d5f46c91db902c2dae6aefe5471907025d400320e4eff37cc7c5cc4c6f7d8c88a38e53f8 AUX scponly-4.8-sftp-server-path.patch 2692 BLAKE2B ead282d46cb25a6d8606fa65e538142c15dd0be82956c2c8a48c7d46cc9ec59605a4f1c10fc5235acb584945b00ee4c187391d198571d841b45225c328765b49 SHA512 86171549d894426d12eb2f8d65959d1be2e137327c135be31c762820a55256f5c4ac90a01f989c8bffd2b46b275de408912306209b5aba9a94b81dbc06ff5a24 DIST scponly-4.8.tgz 101687 BLAKE2B aa7250464fa3b51a439d35418c64d49f8595eaac6ffe710137c7c53b96bcf66a5ead38e9520b2cead7a829b57520f988f873eb713d5f52045cba4ef02c8e9b61 SHA512 134c008a7377cef7b8e0be483df8413e162a515967147f561d23b72bdef3dfbe70a8313811dfff6372b88f15c1ac8a4385831fcf329261276993c64d5040f29b -EBUILD scponly-4.8-r7.ebuild 6932 BLAKE2B 547c40d3b53c068fd61181fb50d7282daf9bee37c4807b4db692906a5e2198094c3755d88b1fa7be4cdba60b575d12ada4279407e7899721955f531b1b62b30b SHA512 04fa9b4f54a9827b599346a57587f515af7b427d4d93ce577fb31dfb8275c991a62b26d213b6f09c39eae915aa974f2488bcc719c600350756a8eec8bfbd2068 +EBUILD scponly-4.8-r8.ebuild 6931 BLAKE2B 55f735601eddda7ac58d4469ea01eb250509a9c2d6233bdd0e3edeead397eb03e2596e03664780313c239a5222edc07ab4e0998ba2e9330a096f5b0dea35adef SHA512 178d6bb61c755050bfa80b4332920631b7fbb14bf28287f796f97a8a2e442a66c66ead56105f1a3cc09f2760512c88274d80f8733be7f857c7092b5f37db7b96 MISC metadata.xml 1761 BLAKE2B a2fbdcc0e9b89e85180548a97a12eeb27a5d973673451972c32184dfc932d6634950e0620fa2a1e2962d8a08508c31439f9a3e29a6e2a3e4f76d53933ac425e5 SHA512 bdfe9ab129bc9c939850756b23510c91908c21aa417529501b2ada83a30335ce4446f5bbc6dcb728df09e1b27d4cf7ba4eee4f43b96a1b92c0ea476d05ca7592 diff --git a/net-misc/scponly/scponly-4.8-r7.ebuild b/net-misc/scponly/scponly-4.8-r7.ebuild deleted file mode 100644 index db5e7ae99a4f..000000000000 --- a/net-misc/scponly/scponly-4.8-r7.ebuild +++ /dev/null @@ -1,245 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit readme.gentoo-r1 toolchain-funcs - -DESCRIPTION="A tiny pseudoshell which only permits scp and sftp" -HOMEPAGE="https://github.com/scponly/scponly" -SRC_URI="mirror://sourceforge/scponly/${P}.tgz" - -LICENSE="BSD-2" -SLOT="0" -KEYWORDS="amd64 ~ppc sparc x86" -IUSE="chroot +sftp scp winscp gftp rsync unison subversion wildcards quota passwd logging" -REQUIRED_USE=" - || ( sftp scp winscp rsync unison subversion ) -" - -RDEPEND=" - sys-apps/sed - net-misc/openssh - chroot? ( acct-user/scponly acct-group/scponly ) - quota? ( sys-fs/quota ) - rsync? ( net-misc/rsync ) - subversion? ( dev-vcs/subversion ) - unison? ( net-misc/unison:= ) -" -DEPEND="${RDEPEND}" - -PATCHES=( - "${FILESDIR}/${P}-rsync.patch" - "${FILESDIR}/${P}-gcc4.4.0.patch" - "${FILESDIR}/${P}-sftp-server-path.patch" -) - -src_configure() { - CFLAGS="${CFLAGS} ${LDFLAGS}" econf \ - --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \ - --disable-restrictive-names \ - $(use_enable chroot chrooted-binary) \ - $(use_enable chroot chrooted-checkdir) \ - $(use_enable winscp winscp-compat) \ - $(use_enable gftp gftp-compat) \ - $(use_enable scp scp-compat) \ - $(use_enable sftp sftp) \ - $(use_enable quota quota-compat) \ - $(use_enable passwd passwd-compat) \ - $(use_enable rsync rsync-compat) \ - $(use_enable unison unison-compat) \ - $(use_enable subversion svn-compat) \ - $(use_enable subversion svnserv-compat) \ - $(use_enable logging sftp-logging-compat) \ - $(use_enable wildcards wildcards) -} - -src_compile() { - emake CC="$(tc-getCC)" -} - -src_install() { - emake DESTDIR="${D}" install - - dodoc AUTHOR BUILDING-JAILS.TXT CHANGELOG CONTRIB README SECURITY TODO - - if use chroot ; then - local DOC_CONTENTS="You might want to run\n - emerge --config =${CATEGORY}/${PF}\n - \nto setup the chroot. Otherwise you will have to setup chroot - manually. Please read the docs in /usr/share/doc/${PF} for more - informations, also the SECURITY file." - ( docinto chroot; dodoc setup_chroot.sh config.h ) - # don't compress setup-script, so it is usable if necessary - docompress -x /usr/share/doc/${PF}/chroot - readme.gentoo_create_doc - fi -} - -pkg_config() { - if ! use chroot ; then - einfo "USE=chroot not enabled, nothing to configure." - return - fi - - myuser="scponly" - myhome="/var/chroot/${myuser}" - mysubdir="/pub" - - # pkg_postinst is based on ${S}/setup_chroot.sh. - - einfo "Collecting binaries and libraries..." - - # Binaries launched in sftp compat mode - if has_version "=${CATEGORY}/${PF}[sftp]" ; then - BINARIES="/usr/$(get_libdir)/misc/sftp-server" - fi - - # Binaries launched by vanilla- and WinSCP modes - if has_version "=${CATEGORY}/${PF}[scp]" || \ - has_version "=${CATEGORY}/${PF}[winscp]" ; then - BINARIES="${BINARIES} /usr/bin/scp /bin/ls /bin/rm /bin/ln /bin/mv" - BINARIES="${BINARIES} /bin/chmod /bin/chown /bin/chgrp /bin/mkdir /bin/rmdir" - fi - - # Binaries launched in WinSCP compatibility mode - if has_version "=${CATEGORY}/${PF}[winscp]" ; then - BINARIES="${BINARIES} /bin/pwd /bin/groups /usr/bin/id /bin/echo" - fi - - # Rsync compatability mode - if has_version "=${CATEGORY}/${PF}[rsync]" ; then - BINARIES="${BINARIES} /usr/bin/rsync" - fi - - # Unison compatability mode - if has_version "=${CATEGORY}/${PF}[unison]" ; then - BINARIES="${BINARIES} /usr/bin/unison" - fi - - # subversion cli/svnserv compatibility - if has_version "=${CATEGORY}/${PF}[subversion]" ; then - BINARIES="${BINARIES} /usr/bin/svn /usr/bin/svnserve" - fi - - # passwd compatibility - if has_version "=${CATEGORY}/${PF}[passwd]" ; then - BINARIES="${BINARIES} /usr/bin/passwd" - fi - - # quota compatibility - if has_version "=${CATEGORY}/${PF}[quota]" ; then - BINARIES="${BINARIES} /usr/bin/quota" - fi - - # build lib dependencies - LIB_LIST=$(ldd ${BINARIES} | sed -n 's:.* => \(/[^ ]\+\).*:\1:p' | sort -u) - - # search and add ld*.so - for LIB in /$(get_libdir)/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 \ - /usr/libexec/ld.so /$(get_libdir)/ld-linux*.so.2 /usr/libexec/ld-elf.so.1; do - [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}" - done - - # search and add libnss_*.so - for LIB in /$(get_libdir)/libnss_{compat,files}*.so.*; do - [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}" - done - - # create base dirs - if [ ! -d "${myhome}" ]; then - die "Home '${myhome}' should have been created by acct-user but does not exist." - else - einfo "Setting owner for ${myhome}" - chown 0:0 "${myhome}" - fi - - if [ ! -d "${myhome}/etc" ]; then - einfo "Creating ${myhome}/etc" - install -o0 -g0 -m0755 -d "${myhome}/etc" - fi - - if [ ! -d "${myhome}/$(get_libdir)" ]; then - einfo "Creating ${myhome}/$(get_libdir)" - install -o0 -g0 -m0755 -d "${myhome}/$(get_libdir)" - fi - - if [ ! -e "${myhome}/lib" ]; then - einfo "Creating ${myhome}/lib" - ln -snf $(get_libdir) "${myhome}/lib" - fi - - if [ ! -d "${myhome}/usr/$(get_libdir)" ]; then - einfo "Creating ${myhome}/usr/$(get_libdir)" - install -o0 -g0 -m0755 -d "${myhome}/usr/$(get_libdir)" - fi - - if [ ! -e "${myhome}/usr/lib" ]; then - einfo "Creating ${myhome}/usr/lib" - ln -snf $(get_libdir) "${myhome}/usr/lib" - fi - - if [ ! -d "${myhome}${mysubdir}" ]; then - einfo "Creating ${myhome}${mysubdir} directory for uploading files" - install -o${myuser} -g${myuser} -m0755 -d "${myhome}${mysubdir}" - fi - - # create /dev/null (Bug 135505) - if [ ! -e "${myhome}/dev/null" ]; then - install -o0 -g0 -m0755 -d "${myhome}/dev" - mknod -m0777 "${myhome}/dev/null" c 1 3 - fi - - # install binaries - for BIN in ${BINARIES}; do - einfo "Install ${BIN}" - install -o0 -g0 -m0755 -d "${myhome}$(dirname ${BIN})" - if [ "${BIN}" = "/usr/bin/passwd" ]; then # needs suid - install -p -o0 -g0 -m04711 "${BIN}" "${myhome}/${BIN}" - else - install -p -o0 -g0 -m0755 "${BIN}" "${myhome}/${BIN}" - fi - done - - # install libs - for LIB in ${LIB_LIST}; do - einfo "Install ${LIB}" - install -o0 -g0 -m0755 -d "${myhome}$(dirname ${LIB})" - install -p -o0 -g0 -m0755 "${LIB}" "${myhome}/${LIB}" - done - - # create ld.so.conf - einfo "Creating /etc/ld.so.conf" - for LIB in ${LIB_LIST}; do - dirname ${LIB} - done | sort -u | while read DIR; do - if ! grep 2>/dev/null -q "^${DIR}$" "${myhome}/etc/ld.so.conf"; then - echo "${DIR}" >> "${myhome}/etc/ld.so.conf" - fi - done - ldconfig -r "${myhome}" - - # update shells - einfo "Updating /etc/shells" - grep 2>/dev/null -q "^/usr/bin/scponly$" /etc/shells \ - || echo "/usr/bin/scponly" >> /etc/shells - - grep 2>/dev/null -q "^/usr/sbin/scponlyc$" /etc/shells \ - || echo "/usr/sbin/scponlyc" >> /etc/shells - - # create /etc/passwd - if [ ! -e "${myhome}/etc/passwd" ]; then - ( - echo "root:x:0:0:root:/:/bin/sh" - sed -n "s|^\(${myuser}:[^:]*:[^:]*:[^:]*:[^:]*:\).*|\1${mysubdir}:/bin/sh|p" /etc/passwd - ) > "${myhome}/etc/passwd" - fi - - # create /etc/group - if [ ! -e "${myhome}/etc/group" ]; then - ( - echo "root:x:0:" - sed -n "s|^\(${myuser}:[^:]*:[^:]*:\).*|\1|p" /etc/group - ) > "${myhome}/etc/group" - fi -} diff --git a/net-misc/scponly/scponly-4.8-r8.ebuild b/net-misc/scponly/scponly-4.8-r8.ebuild new file mode 100644 index 000000000000..7a1600c22c27 --- /dev/null +++ b/net-misc/scponly/scponly-4.8-r8.ebuild @@ -0,0 +1,245 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit readme.gentoo-r1 toolchain-funcs + +DESCRIPTION="A tiny pseudoshell which only permits scp and sftp" +HOMEPAGE="https://github.com/scponly/scponly" +SRC_URI="mirror://sourceforge/scponly/${P}.tgz" + +LICENSE="BSD-2" +SLOT="0" +KEYWORDS="amd64 ~ppc sparc x86" +IUSE="chroot +sftp scp winscp gftp rsync unison subversion wildcards quota passwd logging" +REQUIRED_USE=" + || ( sftp scp winscp rsync unison subversion ) +" + +RDEPEND=" + sys-apps/sed + virtual/openssh + chroot? ( acct-user/scponly acct-group/scponly ) + quota? ( sys-fs/quota ) + rsync? ( net-misc/rsync ) + subversion? ( dev-vcs/subversion ) + unison? ( net-misc/unison:= ) +" +DEPEND="${RDEPEND}" + +PATCHES=( + "${FILESDIR}/${P}-rsync.patch" + "${FILESDIR}/${P}-gcc4.4.0.patch" + "${FILESDIR}/${P}-sftp-server-path.patch" +) + +src_configure() { + CFLAGS="${CFLAGS} ${LDFLAGS}" econf \ + --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \ + --disable-restrictive-names \ + $(use_enable chroot chrooted-binary) \ + $(use_enable chroot chrooted-checkdir) \ + $(use_enable winscp winscp-compat) \ + $(use_enable gftp gftp-compat) \ + $(use_enable scp scp-compat) \ + $(use_enable sftp sftp) \ + $(use_enable quota quota-compat) \ + $(use_enable passwd passwd-compat) \ + $(use_enable rsync rsync-compat) \ + $(use_enable unison unison-compat) \ + $(use_enable subversion svn-compat) \ + $(use_enable subversion svnserv-compat) \ + $(use_enable logging sftp-logging-compat) \ + $(use_enable wildcards wildcards) +} + +src_compile() { + emake CC="$(tc-getCC)" +} + +src_install() { + emake DESTDIR="${D}" install + + dodoc AUTHOR BUILDING-JAILS.TXT CHANGELOG CONTRIB README SECURITY TODO + + if use chroot ; then + local DOC_CONTENTS="You might want to run\n + emerge --config =${CATEGORY}/${PF}\n + \nto setup the chroot. Otherwise you will have to setup chroot + manually. Please read the docs in /usr/share/doc/${PF} for more + informations, also the SECURITY file." + ( docinto chroot; dodoc setup_chroot.sh config.h ) + # don't compress setup-script, so it is usable if necessary + docompress -x /usr/share/doc/${PF}/chroot + readme.gentoo_create_doc + fi +} + +pkg_config() { + if ! use chroot ; then + einfo "USE=chroot not enabled, nothing to configure." + return + fi + + myuser="scponly" + myhome="/var/chroot/${myuser}" + mysubdir="/pub" + + # pkg_postinst is based on ${S}/setup_chroot.sh. + + einfo "Collecting binaries and libraries..." + + # Binaries launched in sftp compat mode + if has_version "=${CATEGORY}/${PF}[sftp]" ; then + BINARIES="/usr/$(get_libdir)/misc/sftp-server" + fi + + # Binaries launched by vanilla- and WinSCP modes + if has_version "=${CATEGORY}/${PF}[scp]" || \ + has_version "=${CATEGORY}/${PF}[winscp]" ; then + BINARIES="${BINARIES} /usr/bin/scp /bin/ls /bin/rm /bin/ln /bin/mv" + BINARIES="${BINARIES} /bin/chmod /bin/chown /bin/chgrp /bin/mkdir /bin/rmdir" + fi + + # Binaries launched in WinSCP compatibility mode + if has_version "=${CATEGORY}/${PF}[winscp]" ; then + BINARIES="${BINARIES} /bin/pwd /bin/groups /usr/bin/id /bin/echo" + fi + + # Rsync compatability mode + if has_version "=${CATEGORY}/${PF}[rsync]" ; then + BINARIES="${BINARIES} /usr/bin/rsync" + fi + + # Unison compatability mode + if has_version "=${CATEGORY}/${PF}[unison]" ; then + BINARIES="${BINARIES} /usr/bin/unison" + fi + + # subversion cli/svnserv compatibility + if has_version "=${CATEGORY}/${PF}[subversion]" ; then + BINARIES="${BINARIES} /usr/bin/svn /usr/bin/svnserve" + fi + + # passwd compatibility + if has_version "=${CATEGORY}/${PF}[passwd]" ; then + BINARIES="${BINARIES} /usr/bin/passwd" + fi + + # quota compatibility + if has_version "=${CATEGORY}/${PF}[quota]" ; then + BINARIES="${BINARIES} /usr/bin/quota" + fi + + # build lib dependencies + LIB_LIST=$(ldd ${BINARIES} | sed -n 's:.* => \(/[^ ]\+\).*:\1:p' | sort -u) + + # search and add ld*.so + for LIB in /$(get_libdir)/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 \ + /usr/libexec/ld.so /$(get_libdir)/ld-linux*.so.2 /usr/libexec/ld-elf.so.1; do + [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}" + done + + # search and add libnss_*.so + for LIB in /$(get_libdir)/libnss_{compat,files}*.so.*; do + [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}" + done + + # create base dirs + if [ ! -d "${myhome}" ]; then + die "Home '${myhome}' should have been created by acct-user but does not exist." + else + einfo "Setting owner for ${myhome}" + chown 0:0 "${myhome}" + fi + + if [ ! -d "${myhome}/etc" ]; then + einfo "Creating ${myhome}/etc" + install -o0 -g0 -m0755 -d "${myhome}/etc" + fi + + if [ ! -d "${myhome}/$(get_libdir)" ]; then + einfo "Creating ${myhome}/$(get_libdir)" + install -o0 -g0 -m0755 -d "${myhome}/$(get_libdir)" + fi + + if [ ! -e "${myhome}/lib" ]; then + einfo "Creating ${myhome}/lib" + ln -snf $(get_libdir) "${myhome}/lib" + fi + + if [ ! -d "${myhome}/usr/$(get_libdir)" ]; then + einfo "Creating ${myhome}/usr/$(get_libdir)" + install -o0 -g0 -m0755 -d "${myhome}/usr/$(get_libdir)" + fi + + if [ ! -e "${myhome}/usr/lib" ]; then + einfo "Creating ${myhome}/usr/lib" + ln -snf $(get_libdir) "${myhome}/usr/lib" + fi + + if [ ! -d "${myhome}${mysubdir}" ]; then + einfo "Creating ${myhome}${mysubdir} directory for uploading files" + install -o${myuser} -g${myuser} -m0755 -d "${myhome}${mysubdir}" + fi + + # create /dev/null (Bug 135505) + if [ ! -e "${myhome}/dev/null" ]; then + install -o0 -g0 -m0755 -d "${myhome}/dev" + mknod -m0777 "${myhome}/dev/null" c 1 3 + fi + + # install binaries + for BIN in ${BINARIES}; do + einfo "Install ${BIN}" + install -o0 -g0 -m0755 -d "${myhome}$(dirname ${BIN})" + if [ "${BIN}" = "/usr/bin/passwd" ]; then # needs suid + install -p -o0 -g0 -m04711 "${BIN}" "${myhome}/${BIN}" + else + install -p -o0 -g0 -m0755 "${BIN}" "${myhome}/${BIN}" + fi + done + + # install libs + for LIB in ${LIB_LIST}; do + einfo "Install ${LIB}" + install -o0 -g0 -m0755 -d "${myhome}$(dirname ${LIB})" + install -p -o0 -g0 -m0755 "${LIB}" "${myhome}/${LIB}" + done + + # create ld.so.conf + einfo "Creating /etc/ld.so.conf" + for LIB in ${LIB_LIST}; do + dirname ${LIB} + done | sort -u | while read DIR; do + if ! grep 2>/dev/null -q "^${DIR}$" "${myhome}/etc/ld.so.conf"; then + echo "${DIR}" >> "${myhome}/etc/ld.so.conf" + fi + done + ldconfig -r "${myhome}" + + # update shells + einfo "Updating /etc/shells" + grep 2>/dev/null -q "^/usr/bin/scponly$" /etc/shells \ + || echo "/usr/bin/scponly" >> /etc/shells + + grep 2>/dev/null -q "^/usr/sbin/scponlyc$" /etc/shells \ + || echo "/usr/sbin/scponlyc" >> /etc/shells + + # create /etc/passwd + if [ ! -e "${myhome}/etc/passwd" ]; then + ( + echo "root:x:0:0:root:/:/bin/sh" + sed -n "s|^\(${myuser}:[^:]*:[^:]*:[^:]*:[^:]*:\).*|\1${mysubdir}:/bin/sh|p" /etc/passwd + ) > "${myhome}/etc/passwd" + fi + + # create /etc/group + if [ ! -e "${myhome}/etc/group" ]; then + ( + echo "root:x:0:" + sed -n "s|^\(${myuser}:[^:]*:[^:]*:\).*|\1|p" /etc/group + ) > "${myhome}/etc/group" + fi +} diff --git a/net-misc/sshpass/Manifest b/net-misc/sshpass/Manifest index cc6340517863..1cc04cf11854 100644 --- a/net-misc/sshpass/Manifest +++ b/net-misc/sshpass/Manifest @@ -1,3 +1,3 @@ DIST sshpass-1.09.tar.gz 112857 BLAKE2B b19e1b7d057e286a895312c62453b9aa5369efb3c617bb24fc7b6b0e521d4c65fad091c68b93cda17aef8350c243bdc2c22d5d58590f6359715159d9dca57bae SHA512 9b4ba83ca4d34364e7c43e29f98493dc3d595d24dc68c2fe3c244600d92a0f8bc0a6a7f8f43d64c0b4d714eb196516f297d904fa66035a76dae89a3726c0f2ff -EBUILD sshpass-1.09.ebuild 416 BLAKE2B 7c94d8cab7415a5501d6fd635078844613268a705e68753326416494c4b508298831c34279332930a5ffd6c6db0ac99b44886b70cc0d5d5d88b2692b9841b497 SHA512 8c72ac293b39e6206c24a9a4ff14d3e29729cf9908ae7b483014ed6ec4a1cae10d1fc8081900e1ca2dcca911f50a2bdb78a2c85c93ec9f96859504549e1f23ae +EBUILD sshpass-1.09-r1.ebuild 415 BLAKE2B 5e24c826e093e66f2f86e578b752521d450730b3641bbde7b51c8fea5f5421863bd4489d4ac5269274c667f9eadb9b0ac6506a2ae88b11f67b180e49610ea5a4 SHA512 d9a8d1d7c65a32eeb112bf8b2c2787c983445607dd02d241887a0c99a294c457f9a7c7c8f92c82456194d7345275c7461b2799947ce939b0beba90e042dbcdb1 MISC metadata.xml 245 BLAKE2B 742dd0549c543a09d1713679990f7aed20165c67c2ecca674c272200e3d4f64d7f1b663d4669792dd476eeb7fc8960e87429f702ee1db96563fb816d3ef8ccee SHA512 f88712849405e0e495d0b476eeeb43814f569db2ec6a24b36ef8065f166c2cc977fbc4c64cf3a7fadf145bedbaa25af2ae3a280e6abaa29a7ad4a010c08f19c5 diff --git a/net-misc/sshpass/sshpass-1.09-r1.ebuild b/net-misc/sshpass/sshpass-1.09-r1.ebuild new file mode 100644 index 000000000000..d9bb7d1c42f9 --- /dev/null +++ b/net-misc/sshpass/sshpass-1.09-r1.ebuild @@ -0,0 +1,14 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="Tool for noninteractively performing password authentication with ssh" +HOMEPAGE="https://sourceforge.net/projects/sshpass/" +SRC_URI="mirror://sourceforge/${PN}/${PV}/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv x86 ~x64-macos" + +RDEPEND="virtual/openssh" diff --git a/net-misc/sshpass/sshpass-1.09.ebuild b/net-misc/sshpass/sshpass-1.09.ebuild deleted file mode 100644 index 96550de1476d..000000000000 --- a/net-misc/sshpass/sshpass-1.09.ebuild +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DESCRIPTION="Tool for noninteractively performing password authentication with ssh" -HOMEPAGE="https://sourceforge.net/projects/sshpass/" -SRC_URI="mirror://sourceforge/${PN}/${PV}/${P}.tar.gz" - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv x86 ~x64-macos" - -RDEPEND="net-misc/openssh" diff --git a/net-misc/x2goserver/Manifest b/net-misc/x2goserver/Manifest index de7f4d53e4ec..9ce8dc9e4fc1 100644 --- a/net-misc/x2goserver/Manifest +++ b/net-misc/x2goserver/Manifest @@ -3,5 +3,5 @@ AUX x2goserver-4.1.0.0-Xresources.patch 1139 BLAKE2B f48f329836a86958866836949a4 AUX x2goserver-4.1.0.0-skip_man2html.patch 2936 BLAKE2B 6b18439c5dc994c5a8ec073e2767047dcd94ebb61b0418ba5d55d55d2860530ab818b87192bdc85124be6a9d52d5c19872063555b7bdcd721429ccfa8593cabb SHA512 7b56c725c42f0813ecb88ed7f34feb0cecd1eaedd157c19068f3e6607bd8510fbba177079744f9e93fc83a4bcc65e7df40f8b1bb6acf4124fda847bc4fb86986 AUX x2goserver.init 442 BLAKE2B 11e29bed398d23cae9fccc29d2ccce6ef59422a3d258139f91dd100562bb3029202a0bb0174fcb71dd776b075a708558eeaf8b1d9914c671bd8e59799772be44 SHA512 4e5add80aedbfb732552158b8c2b97b711e333f45740b8e3dd37089e7a512bd145d64812ec651cd7b022065129cced5730e1b28ab3758fcd81bea5b84b46d93c DIST x2goserver-4.1.0.3.tar.gz 141581 BLAKE2B 79401a146e8a18451d6521f4b9556b2f22746bd752f39dc45764bacca085f2bb66a92327aaeb292979ce43ffbde24541e492cec814f1f8a535614cbdc2dc3ebd SHA512 9d7257dd454bfedca9e3ef1b07bc38b540cb833fae4535f2225a1f0bfea93c0f04c638d411b57c50e7170106a5ae1d7f41c19f043832129a7a9460dcfd34c56a -EBUILD x2goserver-4.1.0.3-r1.ebuild 2570 BLAKE2B 1a6a443cc0e99ceb32412fdcf50a1f663a57ce28b7829c46ac59f3fcfda3633c32d61591e94d95193a99d1924cfc340519927e5127905e2de16d900d3e4b51f0 SHA512 b0aaa74b25f77fbe7feb8d0a4c2fb72e7c1d315c02d82591e2215e7607cfa07741a3bee90d7a56f9ac4eb6a78e4a1bd574c36afde37c25425ad20b54cafce2db +EBUILD x2goserver-4.1.0.3-r2.ebuild 2569 BLAKE2B 38c8444f3d247f0336175fe2476fa54ab582745e860f25b7ce854c6577e3ed1274a4a43da5173d043914c7fb698fcc26927698e5e80ca1879b5fa713bc212ede SHA512 b595b0acfff6a71a381b7660ab92c16b08d7688a346be150bad0c14f7c731fa32cdf2897dcf5a12dd0d05fd449231cc62c0a4e8ea6ae695aa5b820562fcd78bb MISC metadata.xml 347 BLAKE2B 0049573365d07c584439ec94fc6e914a7de76325daf1ac951b765f4b2bff0968c1c0ef1320525d0912d2e09e45733ceaaf7d46da3778f7e5833e53a0c29b9588 SHA512 ad22f31dd176be856023516ee7c6c500567dbce33f534b094b60093f293a81a3a0a3c69f5b7d2c65efb671dffa223de3840bc23c47dd63f8deba242e349b1a79 diff --git a/net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild b/net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild deleted file mode 100644 index 78bc8c8e9fb2..000000000000 --- a/net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild +++ /dev/null @@ -1,104 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit systemd tmpfiles toolchain-funcs xdg - -DESCRIPTION="The X2Go server" -HOMEPAGE="http://www.x2go.org" -SRC_URI="http://code.x2go.org/releases/source/${PN}/${P}.tar.gz" - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="amd64 x86" -IUSE="+fuse postgres +sqlite" - -REQUIRED_USE="|| ( postgres sqlite )" - -DEPEND="virtual/perl-ExtUtils-MakeMaker" -RDEPEND="acct-user/x2gouser - acct-user/x2goprint - dev-lang/perl:= - dev-perl/Capture-Tiny - dev-perl/Config-Simple - dev-perl/File-BaseDir - dev-perl/File-ReadBackwards - dev-perl/File-Which - dev-perl/Switch - dev-perl/Try-Tiny - media-fonts/font-cursor-misc - media-fonts/font-misc-misc[nls] - >=net-misc/nx-3.5.99.14 - net-misc/openssh - >=sys-apps/iproute2-4.3.0 - x11-apps/xauth - x11-apps/xhost - x11-apps/xwininfo - fuse? ( net-fs/sshfs ) - postgres? ( dev-perl/DBD-Pg ) - sqlite? ( dev-perl/DBD-SQLite )" - -PATCHES=( - "${FILESDIR}"/${PN}-4.1.0.0-Xresources.patch - "${FILESDIR}"/${PN}-4.1.0.0-skip_man2html.patch -) - -src_prepare() { - default - # Multilib clean - sed -e "s#/lib/#/$(get_libdir)/#" -i x2goserver/bin/x2gopath || die - - # Do not compress man pages by default - sed '/^[[:space:]]*gzip.*man/d' -i */Makefile || die -} - -src_compile() { - emake \ - CC="$(tc-getCC)" \ - LIBDIR="/usr/$(get_libdir)/x2go" \ - PREFIX=/usr -} - -src_install() { - emake \ - DESTDIR="${D}" \ - LIBDIR="/usr/$(get_libdir)/x2go" \ - NXLIBDIR="/usr/$(get_libdir)/nx" \ - PREFIX=/usr \ - install - - fowners root:x2goprint /usr/bin/x2goprint - fperms 2755 /usr/bin/x2goprint - fperms 0750 /etc/sudoers.d - fperms 0440 /etc/sudoers.d/x2goserver - dosym ../../usr/share/applications /etc/x2go/applications - - newinitd "${FILESDIR}"/${PN}.init x2gocleansessions - systemd_dounit "${FILESDIR}"/x2gocleansessions.service -} - -pkg_postinst() { - tmpfiles_process x2goserver.conf - xdg_pkg_postinst - - if use sqlite ; then - if [[ -f "${EROOT}"/var/lib/x2go/x2go_sessions ]] ; then - elog "To use sqlite and update your existing database, run:" - elog " # x2godbadmin --updatedb" - else - elog "To use sqlite and create the initial database, run:" - elog " # x2godbadmin --createdb" - fi - - fi - - if use postgres ; then - elog "To use a PostgreSQL database, more information is availabe here:" - elog "http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-pgsql" - fi - - elog "For password authentication, you need to enable PasswordAuthentication" - elog "in /etc/ssh/sshd_config (disabled by default in Gentoo)" - elog "An init script was installed for x2gocleansessions" -} diff --git a/net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild b/net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild new file mode 100644 index 000000000000..9fefa7ac2dc3 --- /dev/null +++ b/net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild @@ -0,0 +1,104 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit systemd tmpfiles toolchain-funcs xdg + +DESCRIPTION="The X2Go server" +HOMEPAGE="http://www.x2go.org" +SRC_URI="http://code.x2go.org/releases/source/${PN}/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="amd64 x86" +IUSE="+fuse postgres +sqlite" + +REQUIRED_USE="|| ( postgres sqlite )" + +DEPEND="virtual/perl-ExtUtils-MakeMaker" +RDEPEND="acct-user/x2gouser + acct-user/x2goprint + dev-lang/perl:= + dev-perl/Capture-Tiny + dev-perl/Config-Simple + dev-perl/File-BaseDir + dev-perl/File-ReadBackwards + dev-perl/File-Which + dev-perl/Switch + dev-perl/Try-Tiny + media-fonts/font-cursor-misc + media-fonts/font-misc-misc[nls] + >=net-misc/nx-3.5.99.14 + >=sys-apps/iproute2-4.3.0 + virtual/openssh + x11-apps/xauth + x11-apps/xhost + x11-apps/xwininfo + fuse? ( net-fs/sshfs ) + postgres? ( dev-perl/DBD-Pg ) + sqlite? ( dev-perl/DBD-SQLite )" + +PATCHES=( + "${FILESDIR}"/${PN}-4.1.0.0-Xresources.patch + "${FILESDIR}"/${PN}-4.1.0.0-skip_man2html.patch +) + +src_prepare() { + default + # Multilib clean + sed -e "s#/lib/#/$(get_libdir)/#" -i x2goserver/bin/x2gopath || die + + # Do not compress man pages by default + sed '/^[[:space:]]*gzip.*man/d' -i */Makefile || die +} + +src_compile() { + emake \ + CC="$(tc-getCC)" \ + LIBDIR="/usr/$(get_libdir)/x2go" \ + PREFIX=/usr +} + +src_install() { + emake \ + DESTDIR="${D}" \ + LIBDIR="/usr/$(get_libdir)/x2go" \ + NXLIBDIR="/usr/$(get_libdir)/nx" \ + PREFIX=/usr \ + install + + fowners root:x2goprint /usr/bin/x2goprint + fperms 2755 /usr/bin/x2goprint + fperms 0750 /etc/sudoers.d + fperms 0440 /etc/sudoers.d/x2goserver + dosym ../../usr/share/applications /etc/x2go/applications + + newinitd "${FILESDIR}"/${PN}.init x2gocleansessions + systemd_dounit "${FILESDIR}"/x2gocleansessions.service +} + +pkg_postinst() { + tmpfiles_process x2goserver.conf + xdg_pkg_postinst + + if use sqlite ; then + if [[ -f "${EROOT}"/var/lib/x2go/x2go_sessions ]] ; then + elog "To use sqlite and update your existing database, run:" + elog " # x2godbadmin --updatedb" + else + elog "To use sqlite and create the initial database, run:" + elog " # x2godbadmin --createdb" + fi + + fi + + if use postgres ; then + elog "To use a PostgreSQL database, more information is availabe here:" + elog "http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-pgsql" + fi + + elog "For password authentication, you need to enable PasswordAuthentication" + elog "in /etc/ssh/sshd_config (disabled by default in Gentoo)" + elog "An init script was installed for x2gocleansessions" +} diff --git a/net-misc/zssh/Manifest b/net-misc/zssh/Manifest index d13b95e23b0c..99b3f0af5145 100644 --- a/net-misc/zssh/Manifest +++ b/net-misc/zssh/Manifest @@ -1,4 +1,4 @@ AUX zssh-1.5a-gentoo-include.diff 320 BLAKE2B b5ba88091ba1804f22f735ef3d2229a70f24bdddb11a02c128d2c31cccf44a79b532e2455b4f03fc5e273889716e293c3dac2c7a33cf838b8350eed68e752f1d SHA512 447a1aeb095907473ef18a6b2bc6a1a4bfc9baf7ed532382a636ea044667c2f7cbd86c8d0e20ffea7c9751cb9c50249d3085bf65aee7ab7fab5362aae27d8ba5 DIST zssh-1.5c.tgz 344964 BLAKE2B 35b41125ec7a49cae741666516b17e3f0b22b159d0fc2b490565e8eaef366bb4b418895ad028822647a4b946577b2ef9dc588e9dbfe657ce7c1c8300207ca603 SHA512 799ce3bbea5e94a800f61e6c38879746a579992396304861b7584b6bad967214b811b6bf9aecb36d9d60a15857377cb2fee80b495ad69778903fc45593efeebd -EBUILD zssh-1.5c-r1.ebuild 881 BLAKE2B 74bd997e30a849b6f8e796950dbdaf7fe946fb856f3f0b6b5796e4872d38adcecd50f5647528df83991bb1fc7b0c049ff693d4b3e11773af2b58d0209194ba57 SHA512 dd0d715e974142dda5ee086f2745c258d599db794755f273224d5aca24170ab43c8f6a6a845a06ea66ac00772e802ffdcac7708803470bc78dd93b548b19d38d +EBUILD zssh-1.5c-r2.ebuild 880 BLAKE2B bf170ecfd554c989b4c37c8c2b660bc7ebc80d126c7c999727643f28ec9010c4606b1a6f668f6eb31f13db7857c011494b1675c92362880174e543bfe0ca0811 SHA512 cc5f237c5b09fa5e1d0122801f25924504a79349206a60fceb4f21e6d6d3718004f91197ad04552f8c01aa243f64c71dd4dfb372ced0749f1e1a462f57955344 MISC metadata.xml 242 BLAKE2B 0219a28d20cce3e716b2e6737277182560a5b292d94b89a3b57385d14393ab6b28a6aac667aac11ff744c6be8042a411c6aef63b2fddf60c40024d6a35e0f2ab SHA512 1214868537bf0006e32453e2962570693e6e18474c468ebe7bc00bf9fb2e6c60775644ebf02471af8fa8e326332ca51f05a2d47b04f7fdbe1d0ad63400b74211 diff --git a/net-misc/zssh/zssh-1.5c-r1.ebuild b/net-misc/zssh/zssh-1.5c-r1.ebuild deleted file mode 100644 index 8f469edf927c..000000000000 --- a/net-misc/zssh/zssh-1.5c-r1.ebuild +++ /dev/null @@ -1,45 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit toolchain-funcs - -DESCRIPTION="SSH wrapper enabling zmodem up/download in ssh" -HOMEPAGE="https://zssh.sourceforge.net/" -SRC_URI="mirror://sourceforge/${PN}/${P}.tgz" - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="amd64 ~ppc sparc x86" -IUSE="nls readline" - -DEPEND="readline? ( - sys-libs/ncurses:0 - sys-libs/readline:0 - )" -RDEPEND="${DEPEND} - net-misc/openssh - net-dialup/lrzsz" - -src_prepare() { - eapply "${FILESDIR}/${PN}-1.5a-gentoo-include.diff" - - # Fix linking with sys-libs/ncurses[tinfo], bug #527036 - sed -i -e 's/-ltermcap/-ltinfo/g' configure || die - - eapply_user -} - -src_configure() { - tc-export AR CC RANLIB - econf \ - $(use_enable nls) \ - $(use_enable readline) -} - -src_install() { - dobin ${PN} ztelnet - doman ${PN}.1 ztelnet.1 - dodoc CHANGES FAQ README TODO -} diff --git a/net-misc/zssh/zssh-1.5c-r2.ebuild b/net-misc/zssh/zssh-1.5c-r2.ebuild new file mode 100644 index 000000000000..e63204a2c9bb --- /dev/null +++ b/net-misc/zssh/zssh-1.5c-r2.ebuild @@ -0,0 +1,45 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit toolchain-funcs + +DESCRIPTION="SSH wrapper enabling zmodem up/download in ssh" +HOMEPAGE="https://zssh.sourceforge.net/" +SRC_URI="mirror://sourceforge/${PN}/${P}.tgz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="amd64 ~ppc sparc x86" +IUSE="nls readline" + +DEPEND="readline? ( + sys-libs/ncurses:0 + sys-libs/readline:0 + )" +RDEPEND="${DEPEND} + net-dialup/lrzsz + virtual/openssh" + +src_prepare() { + eapply "${FILESDIR}/${PN}-1.5a-gentoo-include.diff" + + # Fix linking with sys-libs/ncurses[tinfo], bug #527036 + sed -i -e 's/-ltermcap/-ltinfo/g' configure || die + + eapply_user +} + +src_configure() { + tc-export AR CC RANLIB + econf \ + $(use_enable nls) \ + $(use_enable readline) +} + +src_install() { + dobin ${PN} ztelnet + doman ${PN}.1 ztelnet.1 + dodoc CHANGES FAQ README TODO +} -- cgit v1.2.3