bump to update selinux patch

(Portage version: 2.1_pre5-r3)
author: Chris PeBenito <pebenito@gentoo.org> 2006-03-05 00:20:01 +0000
committer: Chris PeBenito <pebenito@gentoo.org> 2006-03-05 00:20:01 +0000
commit: 58cc9862acefd8c2f327530fc42fcbc318e13bea (patch)
tree: b81ebb282843830d7cca2da72f7d7f9723b4f014 /net-misc/openssh
parent: Add ~x86 to net-im/kopete. (diff)
download: gentoo-2-58cc9862acefd8c2f327530fc42fcbc318e13bea.tar.gz
gentoo-2-58cc9862acefd8c2f327530fc42fcbc318e13bea.tar.bz2
gentoo-2-58cc9862acefd8c2f327530fc42fcbc318e13bea.zip
4 files changed, 570 insertions, 1 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index 9f528fa42508..e118c3f83123 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for net-misc/openssh
 # Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.157 2006/03/04 01:48:14 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.158 2006/03/05 00:20:01 pebenito Exp $
+
+*openssh-4.3_p2-r1 (05 Mar 2006)
+
+  05 Mar 2006; Chris PeBenito <pebenito@gentoo.org>
+  +files/openssh-4.3_p2-selinux.patch, +openssh-4.3_p2-r1.ebuild:
+  Bump to update SELinux patch.
 
 *openssh-4.3_p2 (04 Mar 2006)
 
diff --git a/net-misc/openssh/files/digest-openssh-4.3_p2-r1 b/net-misc/openssh/files/digest-openssh-4.3_p2-r1
new file mode 100644
index 000000000000..30255f76e935
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-4.3_p2-r1
@@ -0,0 +1,12 @@
+MD5 7dd2a6716b81da33af4ca960185fdd1b openssh-4.3p1-hpn11.diff 11024
+RMD160 c3b807437fd9f40f2ab73c52586de194b84cce6e openssh-4.3p1-hpn11.diff 11024
+SHA256 0a0b0e07bd845fdbf2112769c426a3b47b795076c8459f6dbc3e7c9060abb740 openssh-4.3p1-hpn11.diff 11024
+MD5 3611a21a0098c32416d4b8f75232c796 openssh-4.3p2+SecurID_v1.3.2.patch 47650
+RMD160 90c719e8b7576d06bda5fdfb86287bfa577c5e1a openssh-4.3p2+SecurID_v1.3.2.patch 47650
+SHA256 d6fc92a11c23f3fa0c77f50e6d76cb6c6635ae4907df724a12e460b90c90e988 openssh-4.3p2+SecurID_v1.3.2.patch 47650
+MD5 c60e16b0bdf3a825f2a2b501b34cdef4 openssh-4.3p2+x509-5.3.diff.gz 131147
+RMD160 d42a7e14b72bf850b9898e3707582b4b345ca27b openssh-4.3p2+x509-5.3.diff.gz 131147
+SHA256 768c44ae60b57e7571843996255204c1678736fb16616e965844bda982ebd44d openssh-4.3p2+x509-5.3.diff.gz 131147
+MD5 7e9880ac20a9b9db0d3fea30a9ff3d46 openssh-4.3p2.tar.gz 941455
+RMD160 ccd5967e3296347e6dd2be43c3d6caacde2b6833 openssh-4.3p2.tar.gz 941455
+SHA256 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f openssh-4.3p2.tar.gz 941455
diff --git a/net-misc/openssh/files/openssh-4.3_p2-selinux.patch b/net-misc/openssh/files/openssh-4.3_p2-selinux.patch
new file mode 100644
index 000000000000..90bc2d3d3d37
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.3_p2-selinux.patch
@@ -0,0 +1,381 @@
+diff -urN openssh-4.3p1.orig/Makefile.in openssh-4.3p1/Makefile.in
+--- openssh-4.3p1.orig/Makefile.in	2006-01-01 03:47:05.000000000 -0500
++++ openssh-4.3p1/Makefile.in	2006-02-26 22:43:35.093149679 -0500
+@@ -43,6 +43,7 @@
+ CFLAGS=@CFLAGS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
++LIBSELINUX=@LIBSELINUX@
+ LIBEDIT=@LIBEDIT@
+ LIBPAM=@LIBPAM@
+ LIBWRAP=@LIBWRAP@
+@@ -77,7 +78,7 @@
+ 	sshconnect.o sshconnect1.o sshconnect2.o
+ 
+ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+-	sshpty.o sshlogin.o servconf.o serverloop.o \
++	sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \
+ 	auth.o auth1.o auth2.o auth-options.o session.o \
+ 	auth-chall.o auth2-chall.o groupaccess.o \
+ 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+@@ -136,7 +137,7 @@
+ 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+diff -urN openssh-4.3p1.orig/auth.h openssh-4.3p1/auth.h
+--- openssh-4.3p1.orig/auth.h	2005-07-06 21:50:20.000000000 -0400
++++ openssh-4.3p1/auth.h	2006-02-26 22:43:35.174141912 -0500
+@@ -58,6 +58,7 @@
+ 	char		*service;
+ 	struct passwd	*pw;		/* set if 'valid' */
+ 	char		*style;
++	char		*role;
+ 	void		*kbdintctxt;
+ #ifdef BSD_AUTH
+ 	auth_session_t	*as;
+diff -urN openssh-4.3p1.orig/auth1.c openssh-4.3p1/auth1.c
+--- openssh-4.3p1.orig/auth1.c	2005-07-17 03:26:44.000000000 -0400
++++ openssh-4.3p1/auth1.c	2006-02-26 22:43:35.099149104 -0500
+@@ -370,7 +370,7 @@
+ do_authentication(Authctxt *authctxt)
+ {
+ 	u_int ulen;
+-	char *user, *style = NULL;
++	char *user, *style = NULL, *role=NULL;
+ 
+ 	/* Get the name of the user that we wish to log in as. */
+ 	packet_read_expect(SSH_CMSG_USER);
+@@ -379,11 +379,19 @@
+ 	user = packet_get_string(&ulen);
+ 	packet_check_eom();
+ 
++	if ((role = strchr(user, '/')) != NULL)
++		*role++ = '\0';
++
+ 	if ((style = strchr(user, ':')) != NULL)
+ 		*style++ = '\0';
++	else
++		if (role && (style = strchr(role, ':')) != NULL)
++			*style++ = '\0';
++			
+ 
+ 	authctxt->user = user;
+ 	authctxt->style = style;
++	authctxt->role = role;
+ 
+ 	/* Verify that the user is a valid user. */
+ 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
+diff -urN openssh-4.3p1.orig/auth2.c openssh-4.3p1/auth2.c
+--- openssh-4.3p1.orig/auth2.c	2005-09-23 22:43:51.000000000 -0400
++++ openssh-4.3p1/auth2.c	2006-02-26 22:43:35.096149391 -0500
+@@ -134,7 +134,7 @@
+ {
+ 	Authctxt *authctxt = ctxt;
+ 	Authmethod *m = NULL;
+-	char *user, *service, *method, *style = NULL;
++	char *user, *service, *method, *style = NULL, *role = NULL;
+ 	int authenticated = 0;
+ 
+ 	if (authctxt == NULL)
+@@ -146,6 +146,9 @@
+ 	debug("userauth-request for user %s service %s method %s", user, service, method);
+ 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
++	if ((role = strchr(user, '/')) != NULL)
++		*role++ = 0;
++
+ 	if ((style = strchr(user, ':')) != NULL)
+ 		*style++ = 0;
+ 
+@@ -171,8 +174,11 @@
+ 		    use_privsep ? " [net]" : "");
+ 		authctxt->service = xstrdup(service);
+ 		authctxt->style = style ? xstrdup(style) : NULL;
+-		if (use_privsep)
++		authctxt->role = role ? xstrdup(role) : NULL;
++		if (use_privsep) {
+ 			mm_inform_authserv(service, style);
++			mm_inform_authrole(role);
++		}
+ 	} else if (strcmp(user, authctxt->user) != 0 ||
+ 	    strcmp(service, authctxt->service) != 0) {
+ 		packet_disconnect("Change of username or service not allowed: "
+diff -urN openssh-4.3p1.orig/configure.ac openssh-4.3p1/configure.ac
+--- openssh-4.3p1.orig/configure.ac	2006-01-29 08:22:39.000000000 -0500
++++ openssh-4.3p1/configure.ac	2006-02-26 22:43:35.164142871 -0500
+@@ -2945,6 +2945,20 @@
+ 			[#include <arpa/nameser.h>])
+ 	])
+ 
++# Check whether user wants SELinux support
++SELINUX_MSG="no"
++LIBSELINUX=""
++AC_ARG_WITH(selinux,
++	[  --with-selinux   Enable SELinux support],
++	[ if test "x$withval" != "xno" ; then
++		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
++		SELINUX_MSG="yes"
++		AC_CHECK_HEADERS(selinux.h)
++		LIBSELINUX="-lselinux"
++	fi
++	])
++AC_SUBST(LIBSELINUX)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH(kerberos5,
+@@ -3763,6 +3777,7 @@
+ echo "                    Manpage format: $MANTYPE"
+ echo "                       PAM support: $PAM_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
++echo "                   SELinux support: $SELINUX_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+ echo "              TCP Wrappers support: $TCPW_MSG"
+diff -urN openssh-4.3p1.orig/monitor.c openssh-4.3p1/monitor.c
+--- openssh-4.3p1.orig/monitor.c	2005-11-04 23:07:05.000000000 -0500
++++ openssh-4.3p1/monitor.c	2006-02-26 22:43:35.086150350 -0500
+@@ -111,6 +111,7 @@
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
++int mm_answer_authrole(int, Buffer *);
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -181,6 +182,7 @@
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
++    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -623,6 +625,7 @@
+ 	else {
+ 		/* Allow service/style information on the auth context */
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
++		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+ 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ 	}
+ 
+@@ -671,6 +674,23 @@
+ }
+ 
+ int
++mm_answer_authrole(int sock, Buffer *m)
++{
++	monitor_permit_authentications(1);
++
++	authctxt->role = buffer_get_string(m, NULL);
++	debug3("%s: role=%s",
++	    __func__, authctxt->role);
++
++	if (strlen(authctxt->role) == 0) {
++		xfree(authctxt->role);
++		authctxt->role = NULL;
++	}
++
++	return (0);
++}
++
++int
+ mm_answer_authpassword(int sock, Buffer *m)
+ {
+ 	static int call_count;
+diff -urN openssh-4.3p1.orig/monitor.h openssh-4.3p1/monitor.h
+--- openssh-4.3p1.orig/monitor.h	2005-02-02 08:20:53.000000000 -0500
++++ openssh-4.3p1/monitor.h	2006-02-26 22:43:35.081150830 -0500
+@@ -30,7 +30,7 @@
+ 
+ enum monitor_reqtype {
+ 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
+-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
++	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
+ 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
+ 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+ 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
+diff -urN openssh-4.3p1.orig/monitor_wrap.c openssh-4.3p1/monitor_wrap.c
+--- openssh-4.3p1.orig/monitor_wrap.c	2005-09-29 08:01:10.000000000 -0400
++++ openssh-4.3p1/monitor_wrap.c	2006-02-26 22:43:35.090149967 -0500
+@@ -271,6 +271,23 @@
+ 	buffer_free(&m);
+ }
+ 
++/* Inform the privileged process about role */
++
++void
++mm_inform_authrole(char *role)
++{
++	Buffer m;
++
++	debug3("%s entering", __func__);
++
++	buffer_init(&m);
++	buffer_put_cstring(&m, role ? role : "");
++
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
++
++	buffer_free(&m);
++}
++
+ /* Do the password authentication */
+ int
+ mm_auth_password(Authctxt *authctxt, char *password)
+diff -urN openssh-4.3p1.orig/monitor_wrap.h openssh-4.3p1/monitor_wrap.h
+--- openssh-4.3p1.orig/monitor_wrap.h	2005-02-08 05:52:48.000000000 -0500
++++ openssh-4.3p1/monitor_wrap.h	2006-02-26 22:43:35.444116023 -0500
+@@ -44,6 +44,7 @@
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+ void mm_inform_authserv(char *, char *);
++void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
+diff -urN openssh-4.3p1.orig/selinux.c openssh-4.3p1/selinux.c
+--- openssh-4.3p1.orig/selinux.c	1969-12-31 19:00:00.000000000 -0500
++++ openssh-4.3p1/selinux.c	2006-02-26 22:44:55.287459540 -0500
+@@ -0,0 +1,86 @@
++#include "includes.h"
++#include "auth.h"
++#include "log.h"
++
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/flask.h>
++#include <selinux/context.h>
++#include <selinux/get_context_list.h>
++#include <selinux/get_default_type.h>
++extern Authctxt *the_authctxt;
++
++static const security_context_t selinux_get_user_context(const char *name) {
++	security_context_t user_context=NULL;
++	char *role=NULL;
++	int ret=-1;
++	char *seuser=NULL;
++	char *level=NULL;
++
++	if (the_authctxt) 
++		role=the_authctxt->role;
++
++	if (getseuserbyname(name, &seuser, &level)==0) {
++		if (role != NULL && role[0]) 
++			ret=get_default_context_with_rolelevel(seuser, role, level,NULL,&user_context);
++		else
++			ret=get_default_context_with_level(seuser, level, NULL,&user_context);
++	}
++
++	if ( ret < 0 ) {
++		if (security_getenforce() > 0) 
++			fatal("Failed to get default security context for %s.", name);
++		else 
++			error("Failed to get default security context for %s. Continuing in permissive mode", name);
++	} 
++	return user_context;
++}
++
++void setup_selinux_pty(const char *name, const char *tty) {
++	if (is_selinux_enabled() > 0) {
++		security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; 
++
++		user_context=selinux_get_user_context(name);
++
++		if (getfilecon(tty, &old_tty_context) < 0) {
++			error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno));
++		} else {
++			if (security_compute_relabel(user_context,old_tty_context,
++						     SECCLASS_CHR_FILE,
++						     &new_tty_context) != 0) {
++				error("security_compute_relabel(%.100s) failed: %.100s", tty,
++				      strerror(errno));
++			} else {
++				if (setfilecon (tty, new_tty_context) != 0) 
++					error("setfilecon(%.100s, %s) failed: %.100s",
++					      tty, new_tty_context, 
++					      strerror(errno));
++				freecon(new_tty_context);
++			}
++			freecon(old_tty_context);
++		}
++		if (user_context) {
++			freecon(user_context);
++		}
++	}
++}
++
++void setup_selinux_exec_context(char *name) {
++
++	if (is_selinux_enabled() > 0) {
++		security_context_t user_context=selinux_get_user_context(name);
++		if (setexeccon(user_context)) {
++			if (security_getenforce() > 0) 
++				fatal("Failed to set exec security context %s for %s.", user_context, name);
++			else 
++				error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name);
++		}
++		if (user_context) {
++			freecon(user_context);
++		}
++	}
++}
++#else
++inline void setup_selinux_pty(const char *name, const char *tty) {}
++inline void setup_selinux_exec_context(const char *name) {} 
++#endif /* WITH_SELINUX */
+diff -urN openssh-4.3p1.orig/selinux.h openssh-4.3p1/selinux.h
+--- openssh-4.3p1.orig/selinux.h	1969-12-31 19:00:00.000000000 -0500
++++ openssh-4.3p1/selinux.h	2006-02-26 22:45:09.627084500 -0500
+@@ -0,0 +1,5 @@
++#ifndef __SELINUX_H_
++#define __SELINUX_H_
++extern void setup_selinux_pty(const char *name, const char *tty);
++extern void setup_selinux_exec_context(const char *name);
++#endif /* __SELINUX_H_ */
+diff -urN openssh-4.3p1.orig/session.c openssh-4.3p1/session.c
+--- openssh-4.3p1.orig/session.c	2005-12-23 22:59:12.000000000 -0500
++++ openssh-4.3p1/session.c	2006-02-26 22:43:35.171142200 -0500
+@@ -59,6 +59,8 @@
+ #include "kex.h"
+ #include "monitor_wrap.h"
+ 
++#include "selinux.h"
++
+ #if defined(KRB5) && defined(USE_AFS)
+ #include <kafs.h>
+ #endif
+@@ -1340,6 +1342,8 @@
+ #endif
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+ 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
++
++	setup_selinux_exec_context(pw->pw_name);
+ }
+ 
+ static void
+diff -urN openssh-4.3p1.orig/sshpty.c openssh-4.3p1/sshpty.c
+--- openssh-4.3p1.orig/sshpty.c	2005-05-27 07:13:41.000000000 -0400
++++ openssh-4.3p1/sshpty.c	2006-02-26 22:43:35.155143734 -0500
+@@ -22,6 +22,8 @@
+ #include "log.h"
+ #include "misc.h"
+ 
++#include "selinux.h"
++
+ #ifdef HAVE_PTY_H
+ # include <pty.h>
+ #endif
+@@ -200,6 +202,8 @@
+ 		fatal("stat(%.100s) failed: %.100s", tty,
+ 		    strerror(errno));
+ 
++	setup_selinux_pty(pw->pw_name, tty);
++
+ 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+ 		if (chown(tty, pw->pw_uid, gid) < 0) {
+ 			if (errno == EROFS &&
diff --git a/net-misc/openssh/openssh-4.3_p2-r1.ebuild b/net-misc/openssh/openssh-4.3_p2-r1.ebuild
new file mode 100644
index 000000000000..9e2440177789
--- /dev/null
+++ b/net-misc/openssh/openssh-4.3_p2-r1.ebuild
@@ -0,0 +1,170 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.3_p2-r1.ebuild,v 1.1 2006/03/05 00:20:01 pebenito Exp $
+
+inherit eutils flag-o-matic ccc pam
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH="${PARCH}+x509-5.3.diff.gz"
+SECURID_PATCH="${PARCH}+SecurID_v1.3.2.patch"
+LDAP_PATCH="" #${PARCH/-4.3/-lpk-4.1}-0.3.6.patch"
+HPN_PATCH="${PARCH/p2/p1}-hpn11.diff"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
+	X509? ( http://roumenpetrov.info/openssh/x509-5.3/${X509_PATCH} )
+	smartcard? ( http://www.omniti.com/~jesus/projects/${SECURID_PATCH} )"
+#	ldap? ( http://www.opendarwin.org/en/projects/openssh-lpk/files/${LDAP_PATCH} )
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard sftplogging hpn libedit"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=app-admin/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( dev-libs/libedit )
+	>=dev-libs/openssl-0.9.6d
+	>=sys-libs/zlib-1.2.3
+	smartcard? ( dev-libs/opensc )
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	sys-devel/autoconf"
+PROVIDE="virtual/ssh"
+
+S=${WORKDIR}/${PARCH}
+
+src_unpack() {
+	unpack ${PARCH}.tar.gz
+	cd "${S}"
+
+	if use ldap ; then
+		eerror "Sorry, but this version does not yet support"
+		eerror "ldap.  Please mask 4.3_p2 for"
+		eerror "now and check back later:"
+		eerror " # echo '=net-misc/openssh-4.3_p2' >> /etc/portage/package.mask"
+		die "boooooooooooooo"
+	fi
+
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+
+	epatch "${FILESDIR}"/openssh-4.3_p1-krb5-typos.patch #124494
+	use X509 && epatch "${DISTDIR}"/${X509_PATCH}
+	use sftplogging && epatch "${FILESDIR}"/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2
+	use chroot && epatch "${FILESDIR}"/openssh-3.9_p1-chroot.patch
+	epatch "${FILESDIR}"/openssh-4.3_p2-selinux.patch
+	use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
+	if ! use X509 ; then
+		if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then
+			epatch "${DISTDIR}"/${SECURID_PATCH}
+			use ldap && epatch "${FILESDIR}"/openssh-4.0_p1-smartcard-ldap-happy.patch
+		fi
+		if use ldap ; then
+			use sftplogging \
+				&& ewarn "Sorry, sftplogging and ldap don't get along, disabling ldap" \
+				|| epatch "${DISTDIR}"/${LDAP_PATCH}
+		fi
+	elif [[ -n ${SECURID_PATCH} ]] && use smartcard || use ldap ; then
+		ewarn "Sorry, x509 and smartcard/ldap don't get along"
+	fi
+	[[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
+
+	sed -i '/LD.*ssh-keysign/s:$: '$(bindnow-flags)':' Makefile.in || die "setuid"
+
+	autoconf || die "autoconf failed"
+}
+
+src_compile() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	local myconf
+	# make sure .sbss is large enough
+	use skey && use alpha && append-ldflags -mlarge-data
+	if use ldap ; then
+		filter-flags -funroll-loops
+		myconf="${myconf} --with-ldap"
+	fi
+	use selinux && append-flags -DWITH_SELINUX && append-ldflags -lselinux
+
+	if use static ; then
+		append-ldflags -static
+		use pam && ewarn "Disabling pam support becuse of static flag"
+		myconf="${myconf} --without-pam"
+	else
+		myconf="${myconf} $(use_with pam)"
+	fi
+
+	use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--disable-suid-ssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		$(use_with libedit) \
+		$(use_with kerberos kerberos5 /usr) \
+		$(use_with tcpd tcp-wrappers) \
+		$(use_with skey) \
+		$(use_with smartcard opensc) \
+		${myconf} \
+		|| die "bad configure"
+
+	emake || die "compile problem"
+}
+
+src_install() {
+	make install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include sshd
+	dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
+	use pam \
+		&& dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config \
+		&& dosed "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" /etc/ssh/sshd_config
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+}
+
+pkg_postinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "restart sshd: '/etc/init.d/sshd restart'."
+	ewarn
+	einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+	einfo "functionality, but please ensure that you do not explicitly disable"
+	einfo "this in your configuration as disabling it opens security holes"
+	einfo
+	einfo "This revision has removed your sshd user id and replaced it with a"
+	einfo "new one with UID 22.  If you have any scripts or programs that"
+	einfo "that referenced the old UID directly, you will need to update them."
+	einfo
+	if use pam ; then
+		einfo "Please be aware users need a valid shell in /etc/passwd"
+		einfo "in order to be allowed to login."
+		einfo
+	fi
+}
author	Chris PeBenito <pebenito@gentoo.org>	2006-03-05 00:20:01 +0000
committer	Chris PeBenito <pebenito@gentoo.org>	2006-03-05 00:20:01 +0000
commit	58cc9862acefd8c2f327530fc42fcbc318e13bea (patch)
tree	b81ebb282843830d7cca2da72f7d7f9723b4f014 /net-misc/openssh
parent	Add ~x86 to net-im/kopete. (diff)
download	gentoo-2-58cc9862acefd8c2f327530fc42fcbc318e13bea.tar.gz gentoo-2-58cc9862acefd8c2f327530fc42fcbc318e13bea.tar.bz2 gentoo-2-58cc9862acefd8c2f327530fc42fcbc318e13bea.zip