diff options
Diffstat (limited to 'net-misc/openssh-x/files')
31 files changed, 1291 insertions, 0 deletions
diff --git a/net-misc/openssh-x/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh-x/files/openssh-4.7_p1-GSSAPI-dns.patch new file mode 100644 index 00000000..c81ae5cb --- /dev/null +++ b/net-misc/openssh-x/files/openssh-4.7_p1-GSSAPI-dns.patch @@ -0,0 +1,127 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +Index: readconf.c +=================================================================== +RCS file: /cvs/openssh/readconf.c,v +retrieving revision 1.135 +diff -u -r1.135 readconf.c +--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135 ++++ readconf.c 19 Aug 2006 11:59:52 -0000 +@@ -126,6 +126,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, +@@ -163,9 +164,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -444,6 +447,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1010,6 +1017,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1100,6 +1108,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +Index: readconf.h +=================================================================== +RCS file: /cvs/openssh/readconf.h,v +retrieving revision 1.63 +diff -u -r1.63 readconf.h +--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63 ++++ readconf.h 19 Aug 2006 11:59:52 -0000 +@@ -45,6 +45,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +Index: ssh_config.5 +=================================================================== +RCS file: /cvs/openssh/ssh_config.5,v +retrieving revision 1.97 +diff -u -r1.97 ssh_config.5 +--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97 ++++ ssh_config.5 19 Aug 2006 11:59:53 -0000 +@@ -483,7 +483,16 @@ + Forward (delegate) credentials to the server. + The default is + .Dq no . +-Note that this option applies to protocol version 2 only. ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +Index: sshconnect2.c +=================================================================== +RCS file: /cvs/openssh/sshconnect2.c,v +retrieving revision 1.151 +diff -u -r1.151 sshconnect2.c +--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151 ++++ sshconnect2.c 19 Aug 2006 11:59:53 -0000 +@@ -499,6 +499,12 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) ++ gss_host = get_canonical_hostname(1); ++ else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -511,7 +517,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; diff --git a/net-misc/openssh-x/files/openssh-5.2_p1-autoconf.patch b/net-misc/openssh-x/files/openssh-5.2_p1-autoconf.patch new file mode 100644 index 00000000..24ad7a9c --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.2_p1-autoconf.patch @@ -0,0 +1,15 @@ +workaround problems with autoconf-2.63 + +http://lists.gnu.org/archive/html/autoconf/2009-04/msg00007.html + +--- a/configure.ac ++++ b/configure.ac +@@ -3603,7 +3603,7 @@ + #include <shadow.h> + struct spwd sp; + ],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ], +- [ sp_expire_available=yes ], [] ++ [ sp_expire_available=yes ], [:] + ) + + if test "x$sp_expire_available" = "xyes" ; then diff --git a/net-misc/openssh-x/files/openssh-5.2_p1-gsskex-fix.patch b/net-misc/openssh-x/files/openssh-5.2_p1-gsskex-fix.patch new file mode 100644 index 00000000..8112d625 --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.2_p1-gsskex-fix.patch @@ -0,0 +1,16 @@ +--- clientloop.c ++++ clientloop.c +@@ -1434,11 +1434,13 @@ + if (!rekeying) { + channel_after_select(readset, writeset); + ++#ifdef GSSAPI + if (options.gss_renewal_rekey && + ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { + debug("credentials updated - forcing rekey"); + need_rekeying = 1; + } ++#endif + + if (need_rekeying || packet_need_rekeying()) { + debug("need rekeying"); diff --git a/net-misc/openssh-x/files/openssh-5.2_p1-x509-hpn-glue.patch b/net-misc/openssh-x/files/openssh-5.2_p1-x509-hpn-glue.patch new file mode 100644 index 00000000..9428b74f --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.2_p1-x509-hpn-glue.patch @@ -0,0 +1,91 @@ +Move things around so hpn applies cleanly when using X509. + +--- openssh-5.2p1+x509/Makefile.in ++++ openssh-5.2p1+x509/Makefile.in +@@ -44,11 +44,12 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS += @LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- openssh-5.2p1+x509/servconf.c ++++ openssh-5.2p1+x509/servconf.c +@@ -108,6 +108,17 @@ + options->log_level = SYSLOG_LEVEL_NOT_SET; + options->rhosts_rsa_authentication = -1; + options->hostbased_authentication = -1; ++ options->hostbased_algorithms = NULL; ++ options->pubkey_algorithms = NULL; ++ ssh_x509flags_initialize(&options->x509flags, 1); ++#ifndef SSH_X509STORE_DISABLED ++ ssh_x509store_initialize(&options->ca); ++#endif /*ndef SSH_X509STORE_DISABLED*/ ++#ifdef SSH_OCSP_ENABLED ++ options->va.type = -1; ++ options->va.certificate_file = NULL; ++ options->va.responder_url = NULL; ++#endif /*def SSH_OCSP_ENABLED*/ + options->hostbased_uses_name_from_packet_only = -1; + options->rsa_authentication = -1; + options->pubkey_authentication = -1; +@@ -152,18 +163,6 @@ + options->adm_forced_command = NULL; + options->chroot_directory = NULL; + options->zero_knowledge_password_authentication = -1; +- +- options->hostbased_algorithms = NULL; +- options->pubkey_algorithms = NULL; +- ssh_x509flags_initialize(&options->x509flags, 1); +-#ifndef SSH_X509STORE_DISABLED +- ssh_x509store_initialize(&options->ca); +-#endif /*ndef SSH_X509STORE_DISABLED*/ +-#ifdef SSH_OCSP_ENABLED +- options->va.type = -1; +- options->va.certificate_file = NULL; +- options->va.responder_url = NULL; +-#endif /*def SSH_OCSP_ENABLED*/ + } + + void +@@ -341,6 +340,16 @@ + /* Portable-specific options */ + sUsePAM, + /* Standard Options */ ++ sHostbasedAlgorithms, ++ sPubkeyAlgorithms, ++ sX509KeyAlgorithm, ++ sAllowedClientCertPurpose, ++ sKeyAllowSelfIssued, sMandatoryCRL, ++ sCACertificateFile, sCACertificatePath, ++ sCARevocationFile, sCARevocationPath, ++ sCAldapVersion, sCAldapURL, ++ sVAType, sVACertificateFile, ++ sVAOCSPResponderURL, + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sLogFacility, sLogLevel, + sRhostsRSAAuthentication, sRSAAuthentication, +@@ -364,16 +373,6 @@ + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sZeroKnowledgePasswordAuthentication, +- sHostbasedAlgorithms, +- sPubkeyAlgorithms, +- sX509KeyAlgorithm, +- sAllowedClientCertPurpose, +- sKeyAllowSelfIssued, sMandatoryCRL, +- sCACertificateFile, sCACertificatePath, +- sCARevocationFile, sCARevocationPath, +- sCAldapVersion, sCAldapURL, +- sVAType, sVACertificateFile, +- sVAOCSPResponderURL, + sDeprecated, sUnsupported + } ServerOpCodes; + diff --git a/net-misc/openssh-x/files/openssh-5.2p1-ldap-stdargs.diff b/net-misc/openssh-x/files/openssh-5.2p1-ldap-stdargs.diff new file mode 100644 index 00000000..346d5271 --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.2p1-ldap-stdargs.diff @@ -0,0 +1,10 @@ +--- ldapauth.c.orig 2009-04-18 18:06:38.000000000 +0200 ++++ ldapauth.c 2009-04-18 18:06:11.000000000 +0200 +@@ -31,6 +31,7 @@ + #include <stdlib.h> + #include <unistd.h> + #include <string.h> ++#include <stdarg.h> + + #include "ldapauth.h" + #include "log.h" diff --git a/net-misc/openssh-x/files/openssh-5.4_p1-openssl.patch b/net-misc/openssh-x/files/openssh-5.4_p1-openssl.patch new file mode 100644 index 00000000..e4cdb63a --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.4_p1-openssl.patch @@ -0,0 +1,12 @@ +pull in openssl/conf.h for OPENSSL_config() prototype + +--- openbsd-compat/openssl-compat.c ++++ openbsd-compat/openssl-compat.c +@@ -59,6 +59,7 @@ + #endif + + #ifdef USE_OPENSSL_ENGINE ++#include <openssl/conf.h> + void + ssh_SSLeay_add_all_algorithms(void) + { diff --git a/net-misc/openssh-x/files/openssh-5.6_p1-hpn-progressmeter.patch b/net-misc/openssh-x/files/openssh-5.6_p1-hpn-progressmeter.patch new file mode 100644 index 00000000..5fe18dfc --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.6_p1-hpn-progressmeter.patch @@ -0,0 +1,15 @@ +don't go reading random stack values + +already e-mailed to upstream hpn devs + +--- progressmeter.c ++++ progressmeter.c +@@ -183,7 +183,7 @@ + else + percent = 100; + +- snprintf(buf + strlen(buf), win_size - strlen(buf-8), ++ snprintf(buf + strlen(buf), win_size - strlen(buf) - 8, + " %3d%% ", percent); + + /* amount transferred */ diff --git a/net-misc/openssh-x/files/openssh-5.6_p1-x509-hpn-glue.patch b/net-misc/openssh-x/files/openssh-5.6_p1-x509-hpn-glue.patch new file mode 100644 index 00000000..e793311f --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.6_p1-x509-hpn-glue.patch @@ -0,0 +1,60 @@ +Move things around so hpn applies cleanly when using X509. + +--- a/Makefile.in ++++ b/Makefile.in +@@ -46,11 +46,12 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- a/servconf.c ++++ b/servconf.c +@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options) + options->adm_forced_command = NULL; + options->chroot_directory = NULL; + options->zero_knowledge_password_authentication = -1; +- options->revoked_keys_file = NULL; +- options->trusted_user_ca_keys = NULL; +- options->authorized_principals_file = NULL; + + options->hostbased_algorithms = NULL; + options->pubkey_algorithms = NULL; +@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options) + options->va.certificate_file = NULL; + options->va.responder_url = NULL; + #endif /*def SSH_OCSP_ENABLED*/ ++ options->revoked_keys_file = NULL; ++ options->trusted_user_ca_keys = NULL; ++ options->authorized_principals_file = NULL; + } + + void +@@ -367,9 +367,6 @@ typedef enum { + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, +- sUsePrivilegeSeparation, sAllowAgentForwarding, +- sZeroKnowledgePasswordAuthentication, sHostCertificate, +- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, + sHostbasedAlgorithms, + sPubkeyAlgorithms, + sX509KeyAlgorithm, +@@ -380,6 +377,9 @@ typedef enum { + sCAldapVersion, sCAldapURL, + sVAType, sVACertificateFile, + sVAOCSPResponderURL, ++ sUsePrivilegeSeparation, sAllowAgentForwarding, ++ sZeroKnowledgePasswordAuthentication, sHostCertificate, ++ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, + sDeprecated, sUnsupported + } ServerOpCodes; + diff --git a/net-misc/openssh-x/files/openssh-5.7_p1-x509-hpn-glue.patch b/net-misc/openssh-x/files/openssh-5.7_p1-x509-hpn-glue.patch new file mode 100644 index 00000000..ee3e7574 --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.7_p1-x509-hpn-glue.patch @@ -0,0 +1,60 @@ +Move things around so hpn applies cleanly when using X509. + +--- a/Makefile.in ++++ b/Makefile.in +@@ -46,11 +46,12 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- a/servconf.c ++++ b/servconf.c +@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options) + options->zero_knowledge_password_authentication = -1; + options->revoked_keys_file = NULL; + options->trusted_user_ca_keys = NULL; +- options->authorized_principals_file = NULL; +- options->ip_qos_interactive = -1; +- options->ip_qos_bulk = -1; + + options->hostbased_algorithms = NULL; + options->pubkey_algorithms = NULL; +@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options) + options->va.certificate_file = NULL; + options->va.responder_url = NULL; + #endif /*def SSH_OCSP_ENABLED*/ ++ options->authorized_principals_file = NULL; ++ options->ip_qos_interactive = -1; ++ options->ip_qos_bulk = -1; + } + + void +@@ -367,9 +367,6 @@ typedef enum { + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, +- sZeroKnowledgePasswordAuthentication, sHostCertificate, +- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +- sKexAlgorithms, sIPQoS, + sHostbasedAlgorithms, + sPubkeyAlgorithms, + sX509KeyAlgorithm, +@@ -380,6 +377,9 @@ typedef enum { + sCAldapVersion, sCAldapURL, + sVAType, sVACertificateFile, + sVAOCSPResponderURL, ++ sZeroKnowledgePasswordAuthentication, sHostCertificate, ++ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, ++ sKexAlgorithms, sIPQoS, + sDeprecated, sUnsupported + } ServerOpCodes; + diff --git a/net-misc/openssh-x/files/openssh-5.8_p1-selinux.patch b/net-misc/openssh-x/files/openssh-5.8_p1-selinux.patch new file mode 100644 index 00000000..7be2879f --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.8_p1-selinux.patch @@ -0,0 +1,18 @@ +http://bugs.gentoo.org/354247 + +[openbsd-compat/port-linux.c] Bug #1851: fix syntax error in + selinux code. Patch from Leonardo Chiquitto. + +/* $Id: openssh-5.8_p1-selinux.patch,v 1.1 2011/02/10 02:44:53 vapier Exp $ */ + +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -213,7 +213,7 @@ + + if (!ssh_selinux_enabled()) + return; +- if (path == NULL) ++ if (path == NULL) { + setfscreatecon(NULL); + return; + } diff --git a/net-misc/openssh-x/files/openssh-5.8_p1-x509-hpn-glue.patch b/net-misc/openssh-x/files/openssh-5.8_p1-x509-hpn-glue.patch new file mode 100644 index 00000000..74d06c79 --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.8_p1-x509-hpn-glue.patch @@ -0,0 +1,61 @@ +Move things around so hpn applies cleanly when using X509. + +--- a/Makefile.in ++++ b/Makefile.in +@@ -46,12 +46,13 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + SSHLIBS=@SSHLIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- a/servconf.c ++++ b/servconf.c +@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options) + options->zero_knowledge_password_authentication = -1; + options->revoked_keys_file = NULL; + options->trusted_user_ca_keys = NULL; +- options->authorized_principals_file = NULL; +- options->ip_qos_interactive = -1; +- options->ip_qos_bulk = -1; + + options->hostbased_algorithms = NULL; + options->pubkey_algorithms = NULL; +@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options) + options->va.certificate_file = NULL; + options->va.responder_url = NULL; + #endif /*def SSH_OCSP_ENABLED*/ ++ options->authorized_principals_file = NULL; ++ options->ip_qos_interactive = -1; ++ options->ip_qos_bulk = -1; + } + + void +@@ -367,9 +367,6 @@ typedef enum { + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, +- sZeroKnowledgePasswordAuthentication, sHostCertificate, +- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +- sKexAlgorithms, sIPQoS, + sHostbasedAlgorithms, + sPubkeyAlgorithms, + sX509KeyAlgorithm, +@@ -380,6 +377,9 @@ typedef enum { + sCAldapVersion, sCAldapURL, + sVAType, sVACertificateFile, + sVAOCSPResponderURL, ++ sZeroKnowledgePasswordAuthentication, sHostCertificate, ++ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, ++ sKexAlgorithms, sIPQoS, + sDeprecated, sUnsupported + } ServerOpCodes; + diff --git a/net-misc/openssh-x/files/openssh-5.9_p1-drop-openssl-check.patch b/net-misc/openssh-x/files/openssh-5.9_p1-drop-openssl-check.patch new file mode 100644 index 00000000..eb621abb --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.9_p1-drop-openssl-check.patch @@ -0,0 +1,25 @@ +newer versions of openssl have started to be compatible across minor versions +too, so this sanity check fails. since we already handle compatibility with +openssl via SONAME checks, we don't need this openssh check at all. + +http://marc.info/?l=openssl-dev&m=133176786215023&w=2 + +--- a/entropy.c ++++ b/entropy.c +@@ -208,16 +208,7 @@ seed_rng(void) + { + #ifndef OPENSSL_PRNG_ONLY + unsigned char buf[RANDOM_SEED_SIZE]; +-#endif +- /* +- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status +- * We match major, minor, fix and status (not patch) +- */ +- if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) +- fatal("OpenSSL version mismatch. Built against %lx, you " +- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); + +-#ifndef OPENSSL_PRNG_ONLY + if (RAND_status() == 1) { + debug3("RNG is ready, skipping seeding"); + return; diff --git a/net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch new file mode 100644 index 00000000..6377d036 --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch @@ -0,0 +1,184 @@ +Index: gss-serv.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v +retrieving revision 1.22 +diff -u -p -r1.22 gss-serv.c +--- gss-serv.c 8 May 2008 12:02:23 -0000 1.22 ++++ gss-serv.c 11 Jan 2010 05:38:29 -0000 +@@ -41,9 +41,12 @@ + #include "channels.h" + #include "session.h" + #include "misc.h" ++#include "servconf.h" + + #include "ssh-gss.h" + ++extern ServerOptions options; ++ + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; +@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + char lname[MAXHOSTNAMELEN]; + gss_OID_set oidset; + +- gss_create_empty_oid_set(&status, &oidset); +- gss_add_oid_set_member(&status, ctx->oid, &oidset); +- +- if (gethostname(lname, MAXHOSTNAMELEN)) { +- gss_release_oid_set(&status, &oidset); +- return (-1); +- } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ ++ if (gethostname(lname, MAXHOSTNAMELEN)) { ++ gss_release_oid_set(&status, &oidset); ++ return (-1); ++ } ++ ++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { ++ gss_release_oid_set(&status, &oidset); ++ return (ctx->major); ++ } ++ ++ if ((ctx->major = gss_acquire_cred(&ctx->minor, ++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, ++ NULL, NULL))) ++ ssh_gssapi_error(ctx); + +- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); ++ } else { ++ ctx->name = GSS_C_NO_NAME; ++ ctx->creds = GSS_C_NO_CREDENTIAL; + } +- +- if ((ctx->major = gss_acquire_cred(&ctx->minor, +- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) +- ssh_gssapi_error(ctx); +- +- gss_release_oid_set(&status, &oidset); +- return (ctx->major); ++ return GSS_S_COMPLETE; + } + + /* Privileged */ +Index: servconf.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/servconf.c,v +retrieving revision 1.201 +diff -u -p -r1.201 servconf.c +--- servconf.c 10 Jan 2010 03:51:17 -0000 1.201 ++++ servconf.c 11 Jan 2010 05:34:56 -0000 +@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; ++ options->gss_strict_acceptor = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; ++ if (options->gss_strict_acceptor == -1) ++ options->gss_strict_acceptor = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -277,7 +280,8 @@ typedef enum { + sBanner, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, +- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sZeroKnowledgePasswordAuthentication, sHostCertificate, +@@ -327,9 +331,11 @@ static struct { + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + #endif + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, +@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions + + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; ++ goto parse_flag; ++ ++ case sGssStrictAcceptor: ++ intptr = &options->gss_strict_acceptor; + goto parse_flag; + + case sPasswordAuthentication: +Index: servconf.h +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/servconf.h,v +retrieving revision 1.89 +diff -u -p -r1.89 servconf.h +--- servconf.h 9 Jan 2010 23:04:13 -0000 1.89 ++++ servconf.h 11 Jan 2010 05:32:28 -0000 +@@ -92,6 +92,7 @@ typedef struct { + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ ++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +Index: sshd_config +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/sshd_config,v +retrieving revision 1.81 +diff -u -p -r1.81 sshd_config +--- sshd_config 8 Oct 2009 14:03:41 -0000 1.81 ++++ sshd_config 11 Jan 2010 05:32:28 -0000 +@@ -69,6 +69,7 @@ + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +Index: sshd_config.5 +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v +retrieving revision 1.116 +diff -u -p -r1.116 sshd_config.5 +--- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116 ++++ sshd_config.5 11 Jan 2010 05:37:20 -0000 +@@ -386,6 +386,21 @@ on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful public key client host authentication is allowed diff --git a/net-misc/openssh-x/files/openssh-5.9_p1-x509-glue.patch b/net-misc/openssh-x/files/openssh-5.9_p1-x509-glue.patch new file mode 100644 index 00000000..6fbb88b6 --- /dev/null +++ b/net-misc/openssh-x/files/openssh-5.9_p1-x509-glue.patch @@ -0,0 +1,15 @@ +make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch + +--- openssh-5.9p1+x509-7.0.diff ++++ openssh-5.9p1+x509-7.0.diff +@@ -11995,9 +11995,9 @@ + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or though authentication styles supported in + @@ -430,6 +507,16 @@ ++ This facility is provided to assist with operation on multi homed machines. + The default is + .Dq yes . +- Note that this option applies to protocol version 2 only. + +.It Cm HostbasedAlgorithms + +Specifies the protocol version 2 algorithms used in + +.Dq hostbased diff --git a/net-misc/openssh-x/files/openssh-6.0_p1-fix-freebsd-compilation.patch b/net-misc/openssh-x/files/openssh-6.0_p1-fix-freebsd-compilation.patch new file mode 100644 index 00000000..3b34cd2e --- /dev/null +++ b/net-misc/openssh-x/files/openssh-6.0_p1-fix-freebsd-compilation.patch @@ -0,0 +1,15 @@ +diff --git a/configure.ac b/configure.ac +index 2b60300..21b6112 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -725,6 +725,10 @@ mips-sony-bsd|mips-sony-newsos4) + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support])) + AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need]) ++ AC_DEFINE([DISABLE_UTMP], [1], ++ [Define if you don't want to use utmp]) ++ AC_DEFINE([DISABLE_WTMP], [1], ++ [Define if you don't want to use wtmp]) + ;; + *-*-bsdi*) + AC_DEFINE([SETEUID_BREAKS_SETUID]) diff --git a/net-misc/openssh-x/files/openssh-6.0_p1-hpn-progressmeter.patch b/net-misc/openssh-x/files/openssh-6.0_p1-hpn-progressmeter.patch new file mode 100644 index 00000000..56805d12 --- /dev/null +++ b/net-misc/openssh-x/files/openssh-6.0_p1-hpn-progressmeter.patch @@ -0,0 +1,15 @@ +don't go reading random stack values + +already e-mailed to upstream hpn devs + +--- progressmeter.c ++++ progressmeter.c +@@ -183,7 +183,7 @@ + percent = ((float)cur_pos / end_pos) * 100; + else + percent = 100; +- snprintf(buf + strlen(buf), win_size - strlen(buf-8), ++ snprintf(buf + strlen(buf), win_size - strlen(buf) - 8, + " %3d%% ", percent); + + /* amount transferred */ diff --git a/net-misc/openssh-x/files/openssh-6.0_p1-test.patch b/net-misc/openssh-x/files/openssh-6.0_p1-test.patch new file mode 100644 index 00000000..8b988aed --- /dev/null +++ b/net-misc/openssh-x/files/openssh-6.0_p1-test.patch @@ -0,0 +1,19 @@ +changeset: 10701:b159befd3104 +tag: tip +user: Mike Frysinger <vapier@gentoo.org> +date: Sun Apr 29 00:26:33 2012 -0400 +summary: use = with `test`, not == + +diff -r d8a3ea854288 -r b159befd3104 configure.ac +--- a/configure.ac Fri Apr 27 00:55:42 2012 +0000 ++++ b/configure.ac Sun Apr 29 00:26:33 2012 -0400 +@@ -2591,7 +2591,7 @@ + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) + elif test "x$sandbox_arg" = "xseccomp_filter" || \ + ( test -z "$sandbox_arg" && \ +- test "x$have_seccomp_filter" == "x1" && \ ++ test "x$have_seccomp_filter" = "x1" && \ + test "x$ac_cv_header_linux_audit_h" = "xyes" && \ + test "x$have_seccomp_audit_arch" = "x1" && \ + test "x$have_linux_no_new_privs" = "x1" && \ + diff --git a/net-misc/openssh-x/files/openssh-6.0_p1-x509-glue.patch b/net-misc/openssh-x/files/openssh-6.0_p1-x509-glue.patch new file mode 100644 index 00000000..3633a2af --- /dev/null +++ b/net-misc/openssh-x/files/openssh-6.0_p1-x509-glue.patch @@ -0,0 +1,15 @@ +make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch + +--- openssh-6.0p1+x509-7.1.diff ++++ openssh-6.0p1+x509-7.1.diff +@@ -13502,9 +13502,9 @@ + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or though authentication styles supported in + @@ -430,6 +507,16 @@ ++ This facility is provided to assist with operation on multi homed machines. + The default is + .Dq yes . +- Note that this option applies to protocol version 2 only. + +.It Cm HostbasedAlgorithms + +Specifies the protocol version 2 algorithms used in + +.Dq hostbased diff --git a/net-misc/openssh-x/files/openssh-6.0_p1-x509-hpn-glue.patch b/net-misc/openssh-x/files/openssh-6.0_p1-x509-hpn-glue.patch new file mode 100644 index 00000000..9e3dfdbe --- /dev/null +++ b/net-misc/openssh-x/files/openssh-6.0_p1-x509-hpn-glue.patch @@ -0,0 +1,57 @@ +diff --git a/Makefile.in b/Makefile.in +index ecb45cd..7834fb1 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -45,12 +45,13 @@ FIPSLD_CC=@FIPSLD_CC@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + SSHLIBS=@SSHLIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +diff --git a/sshconnect.c b/sshconnect.c +index 19a2b06..dd75f78 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -580,7 +580,7 @@ ssh_exchange_identification(int timeout_ms) + snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", + compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, + compat20 ? PROTOCOL_MINOR_2 : minor1, +- SSH_VERSION, compat20 ? " PKIX\r\n" : "\n"); ++ SSH_VERSION, compat20 ? "\r\n" : "\n"); + if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) + != strlen(buf)) + fatal("write: %.100s", strerror(errno)); +diff --git a/sshd.c b/sshd.c +index a5c437d..a1105a0 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -428,8 +428,8 @@ sshd_exchange_identification(int sock_in, int sock_out) + minor = PROTOCOL_MINOR_1; + comment = ""; + } +- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s%s", major, minor, +- SSH_VERSION, comment, newline); ++ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, ++ SSH_VERSION, newline); + server_version_string = xstrdup(buf); + + /* Send our protocol version identification. */ +diff --git a/version.h b/version.h +index 78983d9..ec1746d 100644 +--- a/version.h ++++ b/version.h +@@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_6.0" + + #define SSH_PORTABLE "p1" ++#define SSH_X509 " PKIX" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/net-misc/openssh-x/files/openssh-6.1_p1-x509-glue.patch b/net-misc/openssh-x/files/openssh-6.1_p1-x509-glue.patch new file mode 100644 index 00000000..e6db835d --- /dev/null +++ b/net-misc/openssh-x/files/openssh-6.1_p1-x509-glue.patch @@ -0,0 +1,15 @@ +make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch + +--- openssh-6.1p1+x509-7.2.1.diff ++++ openssh-6.1p1+x509-7.2.1.diff +@@ -13502,9 +13502,9 @@ + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or though authentication styles supported in + @@ -432,6 +509,16 @@ ++ This facility is provided to assist with operation on multi homed machines. + The default is + .Dq yes . +- Note that this option applies to protocol version 2 only. + +.It Cm HostbasedAlgorithms + +Specifies the protocol version 2 algorithms used in + +.Dq hostbased diff --git a/net-misc/openssh-x/files/openssh-6.1_p1-x509-hpn-glue.patch b/net-misc/openssh-x/files/openssh-6.1_p1-x509-hpn-glue.patch new file mode 100644 index 00000000..5d69a50b --- /dev/null +++ b/net-misc/openssh-x/files/openssh-6.1_p1-x509-hpn-glue.patch @@ -0,0 +1,49 @@ +--- a/Makefile.in ++++ b/Makefile.in +@@ -45,12 +45,13 @@ FIPSLD_CC=@FIPSLD_CC@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ ++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + LIBS=@LIBS@ + SSHLIBS=@SSHLIBS@ + SSHDLIBS=@SSHDLIBS@ + LIBEDIT=@LIBEDIT@ + LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ ++CPPFLAGS+=@LDAP_CPPFLAGS@ + AR=@AR@ + AWK=@AWK@ + RANLIB=@RANLIB@ +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -580,7 +580,7 @@ ssh_exchange_identification(int timeout_ms) + snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", + compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, + compat20 ? PROTOCOL_MINOR_2 : minor1, +- SSH_VERSION, compat20 ? " PKIX\r\n" : "\n"); ++ SSH_VERSION, compat20 ? "\r\n" : "\n"); + if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) + != strlen(buf)) + fatal("write: %.100s", strerror(errno)); +--- a/sshd.c ++++ b/sshd.c +@@ -428,8 +428,8 @@ sshd_exchange_identification(int sock_in, int sock_out) + comment = ""; + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +- major, minor, SSH_VERSION, comment, ++ major, minor, SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + +--- a/version.h ++++ b/version.h +@@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_6.0" + + #define SSH_PORTABLE "p1" ++#define SSH_X509 " PKIX" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/net-misc/openssh-x/files/sshd.confd b/net-misc/openssh-x/files/sshd.confd new file mode 100644 index 00000000..28952b4a --- /dev/null +++ b/net-misc/openssh-x/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh-x/files/sshd.pam b/net-misc/openssh-x/files/sshd.pam new file mode 100644 index 00000000..51149402 --- /dev/null +++ b/net-misc/openssh-x/files/sshd.pam @@ -0,0 +1,9 @@ +#%PAM-1.0 + +auth required pam_stack.so service=system-auth +auth required pam_shells.so +auth required pam_nologin.so +account required pam_stack.so service=system-auth +password required pam_stack.so service=system-auth +session required pam_stack.so service=system-auth + diff --git a/net-misc/openssh-x/files/sshd.pam_include.2 b/net-misc/openssh-x/files/sshd.pam_include.2 new file mode 100644 index 00000000..b801aaaf --- /dev/null +++ b/net-misc/openssh-x/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh-x/files/sshd.rc6 b/net-misc/openssh-x/files/sshd.rc6 new file mode 100644 index 00000000..03160686 --- /dev/null +++ b/net-misc/openssh-x/files/sshd.rc6 @@ -0,0 +1,82 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.28 2011/12/04 10:08:19 swegener Exp $ + +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + "${SSHD_BINARY}" -t ${myopts} || return 1 +} + +gen_keys() { + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_key ] ; then + einfo "Generating Hostkey..." + /usr/bin/ssh-keygen -t rsa1 -f "${SSHD_CONFDIR}"/ssh_host_key -N '' || return 1 + fi + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_dsa_key ] ; then + einfo "Generating DSA-Hostkey..." + /usr/bin/ssh-keygen -d -f "${SSHD_CONFDIR}"/ssh_host_dsa_key -N '' || return 1 + fi + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_rsa_key ] ; then + einfo "Generating RSA-Hostkey..." + /usr/bin/ssh-keygen -t rsa -f "${SSHD_CONFDIR}"/ssh_host_rsa_key -N '' || return 1 + fi + return 0 +} + +start() { + local myopts="" + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && myopts="${myopts} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config" + + checkconfig || return 1 + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${myopts} ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --stop --signal HUP --oknodo \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh-x/files/sshd.rc6.1 b/net-misc/openssh-x/files/sshd.rc6.1 new file mode 100644 index 00000000..6524601c --- /dev/null +++ b/net-misc/openssh-x/files/sshd.rc6.1 @@ -0,0 +1,83 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.1,v 1.2 2011/12/04 10:08:19 swegener Exp $ + +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + "${SSHD_BINARY}" -t ${myopts} || return 1 +} + +gen_keys() { + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_key ] && \ + egrep -q '^[ \t]*Protocol[ \t]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then + einfo "Generating RSA1-Hostkey..." + /usr/bin/ssh-keygen -t rsa1 -f "${SSHD_CONFDIR}"/ssh_host_key -N '' || return 1 + fi + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_dsa_key ] ; then + einfo "Generating DSA-Hostkey..." + /usr/bin/ssh-keygen -d -f "${SSHD_CONFDIR}"/ssh_host_dsa_key -N '' || return 1 + fi + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_rsa_key ] ; then + einfo "Generating RSA-Hostkey..." + /usr/bin/ssh-keygen -t rsa -f "${SSHD_CONFDIR}"/ssh_host_rsa_key -N '' || return 1 + fi + return 0 +} + +start() { + local myopts="" + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && myopts="${myopts} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config" + + checkconfig || return 1 + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${myopts} ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --stop --signal HUP --oknodo \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh-x/files/sshd.rc6.2 b/net-misc/openssh-x/files/sshd.rc6.2 new file mode 100644 index 00000000..22aaaad2 --- /dev/null +++ b/net-misc/openssh-x/files/sshd.rc6.2 @@ -0,0 +1,85 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.2,v 1.3 2011/12/04 10:08:19 swegener Exp $ + +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +gen_key() { + local type=$1 key ks + [ $# -eq 1 ] && ks="${type}_" + key="${SSHD_CONFDIR}/ssh_host_${ks}key" + if [ ! -e "${key}" ] ; then + ebegin "Generating ${type} host key" + ssh-keygen -t ${type} -f "${key}" -N '' + eend $? || return $? + fi +} + +gen_keys() { + if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then + gen_key rsa1 "" || return 1 + fi + gen_key dsa && gen_key rsa && gen_key ecdsa + return $? +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --stop --signal HUP --oknodo \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh-x/files/sshd.rc6.3 b/net-misc/openssh-x/files/sshd.rc6.3 new file mode 100755 index 00000000..c55116e9 --- /dev/null +++ b/net-misc/openssh-x/files/sshd.rc6.3 @@ -0,0 +1,85 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.3,v 1.2 2011/09/14 21:46:19 polynomial-c Exp $ + +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +gen_key() { + local type=$1 key ks + [ $# -eq 1 ] && ks="${type}_" + key="${SSHD_CONFDIR}/ssh_host_${ks}key" + if [ ! -e "${key}" ] ; then + ebegin "Generating ${type} host key" + ssh-keygen -t ${type} -f "${key}" -N '' + eend $? || return $? + fi +} + +gen_keys() { + if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then + gen_key rsa1 "" || return 1 + fi + gen_key dsa && gen_key rsa && gen_key ecdsa + return $? +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh-x/files/sshd.service b/net-misc/openssh-x/files/sshd.service new file mode 100644 index 00000000..45f823ac --- /dev/null +++ b/net-misc/openssh-x/files/sshd.service @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH server daemon +After=syslog.target network.target auditd.service + +[Service] +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh-x/files/sshd.socket b/net-misc/openssh-x/files/sshd.socket new file mode 100644 index 00000000..94b95331 --- /dev/null +++ b/net-misc/openssh-x/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh-x/files/sshd_at.service b/net-misc/openssh-x/files/sshd_at.service new file mode 100644 index 00000000..2645ad04 --- /dev/null +++ b/net-misc/openssh-x/files/sshd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=syslog.target auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=syslog |