From 0ebcd2cbf178600b5eb36b2f24cdbb3d2f4a9000 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Thu, 13 Jun 2024 00:08:30 +0100 Subject: gentoo auto-resync : 13:06:2024 - 00:08:29 --- net-misc/Manifest.gz | Bin 54364 -> 54374 bytes net-misc/connman-gtk/Manifest | 2 +- net-misc/connman-gtk/connman-gtk-1.1.1-r2.ebuild | 2 +- net-misc/memcached/Manifest | 4 +- net-misc/memcached/memcached-1.6.26.ebuild | 2 +- net-misc/memcached/memcached-1.6.27.ebuild | 2 +- net-misc/openssh-contrib/Manifest | 2 +- .../openssh-contrib-9.7_p1-r2.ebuild | 524 --------------------- .../openssh-contrib-9.7_p1-r3.ebuild | 524 +++++++++++++++++++++ net-misc/openssh/Manifest | 2 +- net-misc/openssh/openssh-9.7_p1-r4.ebuild | 398 ---------------- net-misc/openssh/openssh-9.7_p1-r5.ebuild | 398 ++++++++++++++++ net-misc/smb4k/Manifest | 2 + net-misc/smb4k/smb4k-3.2.71.ebuild | 76 +++ 14 files changed, 1008 insertions(+), 930 deletions(-) delete mode 100644 net-misc/openssh-contrib/openssh-contrib-9.7_p1-r2.ebuild create mode 100644 net-misc/openssh-contrib/openssh-contrib-9.7_p1-r3.ebuild delete mode 100644 net-misc/openssh/openssh-9.7_p1-r4.ebuild create mode 100644 net-misc/openssh/openssh-9.7_p1-r5.ebuild create mode 100644 net-misc/smb4k/smb4k-3.2.71.ebuild (limited to 'net-misc') diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz index c17ad6d05760..13402a884be6 100644 Binary files a/net-misc/Manifest.gz and b/net-misc/Manifest.gz differ diff --git a/net-misc/connman-gtk/Manifest b/net-misc/connman-gtk/Manifest index 3474a939a72f..976cfb155125 100644 --- a/net-misc/connman-gtk/Manifest +++ b/net-misc/connman-gtk/Manifest @@ -1,5 +1,5 @@ AUX connman-gtk-1.1.1-gtk_typecasts.patch 290 BLAKE2B d56657aa0eabb6523207f5e7c66298b5c3685b9cd4a8cf91f676c290f9447d04c8a1ba372428f7a32f6da24fc06e38cbd3defdcbc4a04b0c544f7102d0e98355 SHA512 3f08a980cdbbde155ab058867e3473edeac2f8fec49940dc7f34b0d2dc87de128970de3ac9c02ba3295270a4e4b8b8f156340afebda5b7b092e191416f0fe246 DIST connman-gtk-1.1.1.tar.gz 61789 BLAKE2B d04d508b5bb03abe78c9b6734df919b6589cea9e7f38c41059210e62795ce79a17b6ba8b3ab1b0c403a43fa2712893bc0d00b1e5f15d9910ca45108b9e760e12 SHA512 78fd41a37370c76f118e3fb8a707b96fd6bf1234a8832d047302d4b0fa350f87316f6e2e749860b2cdf0ff6e6eb76e4d7d398dc7fc084403ca2f8682d2907553 EBUILD connman-gtk-1.1.1-r1.ebuild 987 BLAKE2B 9d8ae2bb547e3a7c182bcac06a31c5242f80efc1dac4519ec3647821afebed4d61150c51ad06a1f3d92708155e668d7b2e84a9017af76f6696821dc1afbb8c42 SHA512 5f9a78571c0511b4cab543c6af9e64eb87554e4446d9a41ba879ca3d4a85add9793855db137b2e5c476595f9cc791dfcce1e4ca90e7a54a484dd219a9e71d970 -EBUILD connman-gtk-1.1.1-r2.ebuild 989 BLAKE2B e9f7fd9f5e79da361a3e481bc3828e64d8fa967466de1d8a6556128f734aef6bf157f2dc1a3bbbcdad11adfd131209deecd9ed60292c04f7db8cb382ef758205 SHA512 95498238132306d6eba7b467641fcc2649802fec64d542b2aedd32d9d093f63b79bb666719dc87ed8b9559e9b2c665e1c197992c900774fbe92a9aa11f44f06b +EBUILD connman-gtk-1.1.1-r2.ebuild 988 BLAKE2B 46f9d7683ad82cc7774b47c1baf0ed434b602900c1b4299d631aad0817ac9c9f8ed38d79a9b68228d0830508235a27892ced062247a0e3ef4aba7138e1051689 SHA512 4044dea495ff680995f69ccfc4144ad2fb35eda7e94742c8c806ed0ae54a1587f2825b97d05f3dfe675ef35e01ab327f79b609f658f73ba22d895916824e79e3 MISC metadata.xml 411 BLAKE2B de0c8db99b67633368f44da8c385ab0cc930d665f2042b31caa4395c41aefed85bdc452037bb96b10c98913ee817906bc0690d0714553243a5763aebe6d56e38 SHA512 092462662e6262788704b608882f8f0b3e546f587de1fe0a1588c654d5b7dafcc4a55ec76d59a28580453e4afec1f8f4b1db879e2d31c53eee975336f04a2cf1 diff --git a/net-misc/connman-gtk/connman-gtk-1.1.1-r2.ebuild b/net-misc/connman-gtk/connman-gtk-1.1.1-r2.ebuild index 89e484d62819..e6d9b62a7bdd 100644 --- a/net-misc/connman-gtk/connman-gtk-1.1.1-r2.ebuild +++ b/net-misc/connman-gtk/connman-gtk-1.1.1-r2.ebuild @@ -11,7 +11,7 @@ SRC_URI="https://github.com/jgke/connman-gtk/archive/v${PV}.tar.gz -> ${P}.tar.g LICENSE="GPL-2+" SLOT="0" -KEYWORDS="~amd64 ~x86" +KEYWORDS="amd64 ~x86" IUSE="openconnect" CDEPEND=" diff --git a/net-misc/memcached/Manifest b/net-misc/memcached/Manifest index de9bd454dd4c..2683fe172e0e 100644 --- a/net-misc/memcached/Manifest +++ b/net-misc/memcached/Manifest @@ -5,6 +5,6 @@ AUX memcached.init2 2200 BLAKE2B 9bc5fe76047b7559aec93030829963111353fb5adc3ba55 AUX memcached.service 273 BLAKE2B bfe217d2ec7fd9aead468f4f5b100843287a49bef163dd106349f3275acbffaca60e09c8b723a566a96065d8208eb52f44f7c3ad24a8aaf3980471e8d0478b77 SHA512 647f06160142c5e38e4009203609bf2152dd1bdd4b94be9e2bf3c5741e631419fc9cf300575a65a905956eec916d736c4e3b3d3e3c80438f1b33cd10fe4dcd95 DIST memcached-1.6.26.tar.gz 1178446 BLAKE2B 95919a83bd46bcddc7d055467954da6d64d42d0b9d1ee8e373e6c2a79cf518b768e0bd5d10f25a0eb27e642dd5fbc825f24c968d12034aa6e885a945a018e761 SHA512 7bd0d0dc0d228cde2fc3841c8973a2dde86bd50a4819f9737a22e12435f61d7459655029da390b63b8e6c3ca555b92a9c4c125a7c0bef5e6b051216414f1d49e DIST memcached-1.6.27.tar.gz 1189608 BLAKE2B 056f9555dda758ebb46f62c7eb65712107b1e50b4e4e9696ad4962abdd584df0e0d398590b0e6bfabad33ca18f2a7596d9410d8b35fe069bce6f812ecedd3c35 SHA512 d9de26887339d456e1cace60bf5b2cc2a78231a52ec6f6f36ed7d3ad373eaf231419601be46e80963a3a0254638d03198141647f81fa530b85dbdc4a6071c4cd -EBUILD memcached-1.6.26.ebuild 2869 BLAKE2B 17f3fd3f6fa7e3734a0a7c9fe7a0f80cc1147002842bf7918cc5c2bd00ae71a41849387436f0fd698198bba383bd35283780c52d29d45954d0f545ec22697b34 SHA512 7a0bc969aa426ff6ee1f693bb94b62755401e1ef8dcf367fb64fae0aac717ec59e8f38027e0697d35a357e311eccedb029a99c04dfc777bee33c1398b16b8434 -EBUILD memcached-1.6.27.ebuild 2869 BLAKE2B 17f3fd3f6fa7e3734a0a7c9fe7a0f80cc1147002842bf7918cc5c2bd00ae71a41849387436f0fd698198bba383bd35283780c52d29d45954d0f545ec22697b34 SHA512 7a0bc969aa426ff6ee1f693bb94b62755401e1ef8dcf367fb64fae0aac717ec59e8f38027e0697d35a357e311eccedb029a99c04dfc777bee33c1398b16b8434 +EBUILD memcached-1.6.26.ebuild 2863 BLAKE2B 26ffd0a5c630ec4678de734fcf0f4504b5822b176c6db1cdf4d172c881000ad83f74d6f591920fbf8bc4cdad16ee62c792ebda307781f693d03a66776f8f2a8a SHA512 5742631d35f85c0dd3d3b5588508711f595c947b3b652014e03d990555b5c765f2911aa7cd66ca92ebde12d75d8475e308aceb6a054f651a6b7b6ab8875c6292 +EBUILD memcached-1.6.27.ebuild 2863 BLAKE2B 26ffd0a5c630ec4678de734fcf0f4504b5822b176c6db1cdf4d172c881000ad83f74d6f591920fbf8bc4cdad16ee62c792ebda307781f693d03a66776f8f2a8a SHA512 5742631d35f85c0dd3d3b5588508711f595c947b3b652014e03d990555b5c765f2911aa7cd66ca92ebde12d75d8475e308aceb6a054f651a6b7b6ab8875c6292 MISC metadata.xml 1135 BLAKE2B d16930abfea735bd634c90e0add475eab661c6309c83f418586f0fb3a23e001888bb9c455d886a074d652da98bdaf99c2292357d6241b06c33bd046aac67b0ce SHA512 7bc61552d088369f7ad0204444371140dbd75aa10e9340bdafd2046c0dbfe1921edf8806ff8f96dde8e1e9a9239e82f1d8019e386b44c1e916aa39157c29b6de diff --git a/net-misc/memcached/memcached-1.6.26.ebuild b/net-misc/memcached/memcached-1.6.26.ebuild index bd837580012f..774569713225 100644 --- a/net-misc/memcached/memcached-1.6.26.ebuild +++ b/net-misc/memcached/memcached-1.6.26.ebuild @@ -15,7 +15,7 @@ SRC_URI="https://www.memcached.org/files/${MY_P}.tar.gz LICENSE="BSD" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux ~ppc-macos" IUSE="debug sasl seccomp selinux slabs-reassign ssl test" # hugetlbfs later RDEPEND=">=dev-libs/libevent-1.4:= diff --git a/net-misc/memcached/memcached-1.6.27.ebuild b/net-misc/memcached/memcached-1.6.27.ebuild index bd837580012f..774569713225 100644 --- a/net-misc/memcached/memcached-1.6.27.ebuild +++ b/net-misc/memcached/memcached-1.6.27.ebuild @@ -15,7 +15,7 @@ SRC_URI="https://www.memcached.org/files/${MY_P}.tar.gz LICENSE="BSD" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 x86 ~amd64-linux ~x86-linux ~ppc-macos" IUSE="debug sasl seccomp selinux slabs-reassign ssl test" # hugetlbfs later RDEPEND=">=dev-libs/libevent-1.4:= diff --git a/net-misc/openssh-contrib/Manifest b/net-misc/openssh-contrib/Manifest index 816e8b6d66b3..c66a2cab577f 100644 --- a/net-misc/openssh-contrib/Manifest +++ b/net-misc/openssh-contrib/Manifest @@ -30,5 +30,5 @@ DIST openssh-9.7p1.tar.gz 1848766 BLAKE2B 520859fcbdf678808fc8515b64585ab9a90a80 DIST openssh-9.7p1.tar.gz.asc 833 BLAKE2B a95e952be48bd55a07d0a95a49dc06c326816c67b8b5d40bd3f64c28aa43122253817b8a088e7a3b8a190375ea39f9fc3400b22d035561f9643c1d32b5caef27 SHA512 e028978e4266de9ad513626b13d70249e4166923fc15f38751178e2b3522ff6ebb9a7ca7dc32d1bb42d42fb92adf9903dba1b734bec083010ed7323aadad8baf EBUILD openssh-contrib-9.6_p1.ebuild 17830 BLAKE2B a99f2b5b8a6ad4557c0b26bd173471dd5091973b3c7d91e2817cfb93e3f4aed48833fbfda5cd83e9d8cd4231d7785c381ee091e10c4f9c4bcb775fcc53fd6a89 SHA512 729cf8d95395836998ac0433c7c43718dd764cb3af8767a1bf5fb5dbb8c119cacb9bfb2db041cfc5e25f12fd389c3dbfaf355b2faadd373387fdabf25ca714be EBUILD openssh-contrib-9.7_p1-r1.ebuild 18480 BLAKE2B bec8883ea8439c99050c3552d7761465f283fc149e6cd39acce517f10c8f616b86f2b3a8dbf96c0c0ae4a97a493df493c1aa45584c7cc603e52c6112f65c19d9 SHA512 b2fb79bd1732936f1fce7c2ee80fa6de309c4e1050aa4985ade5274a04d4495dca2bb489edd3ae7584eae57bfd7ee1ca764c2ca9fad2d7a7e347fed69c74dbb8 -EBUILD openssh-contrib-9.7_p1-r2.ebuild 18477 BLAKE2B 8044b6a1ba1bc632fdca9868c91b418ec34fce38fe5f14af3c45736184cea5923c7eb3bf4ae1f220eff8cec3bff6599730b502c4472604a6b9357bfbb7c7ffd5 SHA512 0c87616a97126a670a4185ff97236841308d85766e3fe4179162b0e99b1c6e4b9d19fdae269522f0914d5c7c3d7a7c95cbfcada86f093e590e705ee9a5db91f2 +EBUILD openssh-contrib-9.7_p1-r3.ebuild 18488 BLAKE2B 48399860bd7f81ffa43abf63f4402da352a6fa84974bf9f8df5256b74175ea895c715f5f3bd885e1a67eac7d8e4a4af08e01d2ea4361df6bb162ce6a769e4815 SHA512 ead3af131a810d1f8dedca35ad3ebb7b89c38058641c380d8ac442f170813fae40a9823b14163ad4772e97618141809ea4289491edf83b66b0d18fa42d609d28 MISC metadata.xml 2975 BLAKE2B 068d52ba2e5de0b696e7fe995e4c2a041206a59258f24704ca3a72fe1d85323c2aad7899f055b48a4045d6303491822c59f2b86b85fc428a26f8259ea583796a SHA512 83fef701188c00af53382b5099fc2ebf83c903c3edefc3d2cf6deb0a667c0d0d9531c18728eef9b5b703903d31fbdb55a68e5b76890ea090bc1d79fef3ae6b89 diff --git a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r2.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r2.ebuild deleted file mode 100644 index 0f9dacf37bf1..000000000000 --- a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r2.ebuild +++ /dev/null @@ -1,524 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit user-info optfeature flag-o-matic autotools pam systemd toolchain-funcs verify-sig - -# Make it more portable between straight releases -# and _p? releases. -MY_P=${P/-contrib/} -PARCH=${MY_P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - openssh-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - openssh-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) -HPN_GLUE_PATCH="openssh-9.6_p1-hpn-${HPN_VER}-glue.patch" -HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" - -X509_VER="15.0" -X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" -X509_PATCH="${X509_PATCH/p2/p1}" -X509_GLUE_PATCH="openssh-${PV}-X509-glue-${X509_VER}.patch" -#X509_HPN_GLUE_PATCH="${MY_P}-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" -X509_HPN_GLUE_PATCH="${MY_P}-hpn-${HPN_VER}-X509-${X509_VER%.1}-glue.patch" - -DESCRIPTION="Port of OpenBSD's free SSH release with HPN/X509 patches" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${HPN_VER:+hpn? ( - $(printf "https://downloads.sourceforge.net/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") - https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz - )} - ${X509_VER:+X509? ( - https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} - https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz - ${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )} - )} - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~amd64" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( ssl !xmss !security-key ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - net-libs/ldns[ecdsa(+),ssl(+)] - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND=" - ${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND=" - ${RDEPEND} - !net-misc/openssh - pam? ( >=sys-auth/pambase-20081028 ) - !prefix? ( sys-apps/shadow ) -" -BDEPEND=" - dev-build/autoconf - virtual/pkgconfig - verify-sig? ( sec-keys/openpgp-keys-openssh ) -" - -PATCHES=( - "${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" - "${FILESDIR}/openssh-9.7_p1-config-tweaks.patch" -) - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - local missing=() - check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } - check_feature hpn HPN_VER - check_feature X509 X509_PATCH - if [[ ${#missing[@]} -ne 0 ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${missing[*]}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_unpack() { - default - - # We don't have signatures for HPN, X509, so we have to write this ourselves - use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) - - eapply -- "${PATCHES[@]}" - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${WORKDIR}/${X509_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}/openssh-9.0_p1-X509-uninitialized-delay.patch" - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use hpn ; then - local hpn_patchdir="${T}/openssh-${PV}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${WORKDIR}/${HPN_GLUE_PATCH}" - use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-9.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - # Before re-enabling, check https://bugs.gentoo.org/354113#c6 - # and be sure to have tested it. - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - # optional at runtime; guarantee a known path - --with-xauth="${EPREFIX}"/usr/bin/xauth - - # --with-hardening adds the following in addition to flags we - # already set in our toolchain: - # * -ftrapv (which is broken with GCC anyway), - # * -ftrivial-auto-var-init=zero (which is nice, but not the end of - # the world to not have) - # * -fzero-call-used-regs=used (history of miscompilations with - # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, - # gcc PR104820, gcc PR104817, gcc PR110934)). - # - # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK, - # so we cannot just disable -fzero-call-used-regs=used. - # - # Therefore, just pass --without-hardening, given it doesn't negate - # our already hardened toolchain defaults, and avoids adding flags - # which are known-broken in both Clang and GCC and haven't been - # proven reliable. - --without-hardening - - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl ssl-engine) - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all - # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) - tc-is-clang && myconf+=( --without-hardening ) - - econf "${myconf[@]}" -} - -create_config_dropins() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die - # Send locale environment variables (bug #367017) - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM (bug #658540) - SendEnv COLORTERM - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die - RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die - # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die - # Allow client to pass locale environment variables (bug #367017) - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM (bug #658540) - AcceptEnv COLORTERM - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die - # override default of no subsystems - Subsystem sftp ${EPREFIX}/usr/libexec/sftp-server - EOF - - if use pam ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die - UsePAM yes - # This interferes with PAM. - PasswordAuthentication no - # PAM can do its own handling of MOTD. - PrintMotd no - PrintLastLog no - EOF - fi - - if use livecd ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die - # Allow root login with password on livecds. - PermitRootLogin Yes - EOF - fi -} - -src_compile() { - default - create_config_dropins -} - -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi - - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 REGRESS_INTEROP_PUTTY=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" > /etc/portage/package.mask" + die "Missing requested third party patch." + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_unpack() { + default + + # We don't have signatures for HPN, X509, so we have to write this ourselves + use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + eapply -- "${PATCHES[@]}" + + local PATCHSET_VERSION_MACROS=() + + if use X509 ; then + pushd "${WORKDIR}" &>/dev/null || die + eapply "${WORKDIR}/${X509_GLUE_PATCH}" + popd &>/dev/null || die + + eapply "${WORKDIR}"/${X509_PATCH%.*} + eapply "${FILESDIR}/openssh-9.0_p1-X509-uninitialized-delay.patch" + + # We need to patch package version or any X.509 sshd will reject our ssh client + # with "userauth_pubkey: could not parse key: string is too large [preauth]" + # error + einfo "Patching package version for X.509 patch set ..." + sed -i \ + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" + + einfo "Patching version.h to expose X.509 patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in X.509 patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) + fi + + if use hpn ; then + local hpn_patchdir="${T}/openssh-${PV}-hpn${HPN_VER}" + mkdir "${hpn_patchdir}" || die + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die + pushd "${hpn_patchdir}" &>/dev/null || die + eapply "${WORKDIR}/${HPN_GLUE_PATCH}" + use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" + popd &>/dev/null || die + + eapply "${hpn_patchdir}" + + use X509 || eapply "${FILESDIR}/openssh-9.6_p1-hpn-version.patch" + + einfo "Patching Makefile.in for HPN patch set ..." + sed -i \ + -e "/^LIBS=/ s/\$/ -lpthread/" \ + "${S}"/Makefile.in || die "Failed to patch Makefile.in" + + einfo "Patching version.h to expose HPN patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ + "${S}"/version.h || die "Failed to sed-in HPN patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) + + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + # Before re-enabling, check https://bugs.gentoo.org/354113#c6 + # and be sure to have tested it. + einfo "Disabling known non-working MT AES cipher per default ..." + + cat > "${T}"/disable_mtaes.conf <<- EOF + + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken + # and therefore disabled per default. + DisableMTAES yes + EOF + sed -i \ + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" + + sed -i \ + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" + fi + fi + + if use X509 || use hpn ; then + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" + + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" + + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." + sed -i \ + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" + fi + + eapply_user #473004 + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK, + # so we cannot just disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. + --without-hardening + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(usex X509 '' "$(use_with security-key security-key-builtin)") + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE + myconf+=( --disable-utmp --disable-wtmp ) + fi + + # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all + # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) + tc-is-clang && myconf+=( --without-hardening ) + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 REGRESS_INTEROP_PUTTY=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die - # Send locale environment variables (bug #367017) - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM (bug #658540) - SendEnv COLORTERM - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die - RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die - # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die - # Allow client to pass locale environment variables (bug #367017) - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM (bug #658540) - AcceptEnv COLORTERM - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die - # override default of no subsystems - Subsystem sftp ${EPREFIX}/usr/libexec/sftp-server - EOF - - if use pam ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die - UsePAM yes - # This interferes with PAM. - PasswordAuthentication no - # PAM can do its own handling of MOTD. - PrintMotd no - PrintLastLog no - EOF - fi - - if use livecd ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die - # Allow root login with password on livecds. - PermitRootLogin Yes - EOF - fi -} - -src_compile() { - default - create_config_dropins -} - -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi - - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}"