diff options
| author |   Mike Frysinger <vapier@gentoo.org> | 2015-03-18 20:24:50 +0000 |
|---|---|---|
| committer | Mike Frysinger <vapier@gentoo.org> | 2015-03-18 20:24:50 +0000 |
| commit | 062856cfd0bf621690d4d136d62bc282806825bf (patch) | |
| tree | 214917cb12960461c93eec207177aa59d0352f6b /net-misc | |
| parent | Fix building fix python 3 selected. Thanks for Benjamin Southall for the patc... (diff) | |
| download | historical-062856cfd0bf621690d4d136d62bc282806825bf.tar.gz historical-062856cfd0bf621690d4d136d62bc282806825bf.tar.bz2 historical-062856cfd0bf621690d4d136d62bc282806825bf.zip | |
Version bump #543694 by Jason A. Donenfeld.
Package-Manager: portage-2.2.18/cvs/Linux x86_64
Manifest-Sign-Key: 0xD2E96200
Diffstat (limited to 'net-misc')
| -rw-r--r-- | net-misc/openssh/ChangeLog | 10 | ||||
| -rw-r--r-- | net-misc/openssh/Manifest | 36 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch | 162 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch | 31 | ||||
| -rw-r--r-- | net-misc/openssh/metadata.xml | 2 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-6.8_p1.ebuild | 319 |
6 files changed, 544 insertions, 16 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog index b04934afe1d9..16771cd3b9c3 100644 --- a/net-misc/openssh/ChangeLog +++ b/net-misc/openssh/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-misc/openssh # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.544 2015/02/27 22:06:53 chutzpah Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.545 2015/03/18 20:24:48 vapier Exp $ + +*openssh-6.8_p1 (18 Mar 2015) + + 18 Mar 2015; Mike Frysinger <vapier@gentoo.org> + +files/openssh-6.8_p1-sshd-gssapi-multihomed.patch, + +files/openssh-6.8_p1-ssl-engine-configure.patch, +openssh-6.8_p1.ebuild, + metadata.xml: + Version bump #543694 by Jason A. Donenfeld. *openssh-6.7_p1-r4 (27 Feb 2015) diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 2a7a9ff085ae..431246fd3601 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -10,6 +10,8 @@ AUX openssh-6.7_p1-sctp-x509-glue.patch 1326 SHA256 42eb87eda1685e19add23c1304f1 AUX openssh-6.7_p1-sshd-gssapi-multihomed.patch 5489 SHA256 d2a1735b523709a4b4ceaa57862ecb21a95656678bacc5b7da59dc46187ad997 SHA512 a8b8d2c2ab4520c8c7315f6130ee44fec48935a129ce7c7e51a068a4de2c7528980437246b61e4abc4cff614466f8054c554cdbaad4eb0d1f4afcfb434c30bbc WHIRLPOOL e4b97398c324360576a04792357f66be3ed9f17e4113f75275f8422ee0b7ecf28073c7cde01a63e24fa0901b14db822d22d7d2c5936bbee3bd5874a867066967 AUX openssh-6.7_p1-x509-glue.patch 1633 SHA256 58031e90e0bf220028934ab590af6ccfc45722629b2416df13d84f10c9b94478 SHA512 364ca0280be5cc83d1dedf7727323fd5fc0093c6dbcf9cc8ccaa30ee754b866584be28da1166953f03faf8745d6364e33fad7daad9be9a29681a8674eb9d292b WHIRLPOOL b79a6cff897be78793bbf2ca03154103aa1380647b8c53e104155fd68122568a8e7dea23996213b192e4269f980b1035d3ca395dbd2c318fd81a45f44d110c31 AUX openssh-6.7_p1-xmalloc-include.patch 390 SHA256 ea43a6a211d8cae4a078b748736f43d4a9d11804ace65886dec826b878dec28e SHA512 b51d9149418217828bdc53c234e248f8be1703b480ccf808814d37cd2589bccdbecff0046d2f2d0e4626420d0d4c2e02d25a9cc07ae31b365cd0b848ccc02035 WHIRLPOOL 04b298eb481fef585b055eb3d706cca55ad6efed6168246f0031e5f614085ae5e70cbb77717047d6c70d7d13a6846657e4a0089d4b8cdf5d9d05652ee22f7209 +AUX openssh-6.8_p1-sshd-gssapi-multihomed.patch 5464 SHA256 5f3506f0d45c22de85cf170c7dfeff134a144ec94f9fc1c57c5b3b797ee82756 SHA512 7bfbf720af2728abb55f73b67609967f34da27fea9a9dd6e0293e486a03d7d1167f506623771792d782707bfe58b46c69675bb3c5ad83332b7a50ee748176fbc WHIRLPOOL 81432c4ba7e34d216d73f63945f3c8d52d9113c07fb1f7c3dd5b39ac96223d38d2321a6d6de21b58b29767576c2a779a5703fa2e5727cd3fe4981581e822155d +AUX openssh-6.8_p1-ssl-engine-configure.patch 883 SHA256 c25d219d8baea01bde40dce34378d4f185b83968debded0b2d4e2035f6467530 SHA512 ce8c3362af9dd9d95174b8248b0e9c08463e6fa18d3e83bf01687756c2df77607674a95acd2930ee85994aa186b5229d93e32662e13caae0b45980fddc00e65e WHIRLPOOL d7f285e3317ddd797222a4d584da385a14fa5c7316b8002faa1005ae5129cb580abc9a70189470c0ff5feb0368de4b0b171596d1aa3705556037084c8eff3d34 AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53 AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b AUX sshd.rc6.4 2313 SHA256 97221a017d8ee9de996277c5a794d973a0b5e8180c29c97b3652bd1984a7b5d0 SHA512 88826bc9923299ac4c1502e7076483d6c197fd5a0e693bc2e1690f82bcd7d1bbd144aae2ffd92acb28d6fe912233aa93346e00c72917de65c22811ce9cd5bff7 WHIRLPOOL a77bad5891eb74770ae12e79131a99e5645a83841d14f1d60e39581a23b9d86e66b2e5fb7d0c989afac410eb5c6a627b83389d54085d1b78c89fc07852f8eb66 @@ -20,26 +22,30 @@ DIST openssh-6.7_p1-sctp.patch.xz 7408 SHA256 b33e82309195f2a3f21a9fb14e6da2080b DIST openssh-6.7p1+x509-8.2.diff.gz 241798 SHA256 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f SHA512 d33ece7ddf382235b032875cf961845b308dc5e4cd1888cb68fee11c95066bb90938f9043cb9410f372efb578b61dfd5d50341da95a92fab5a4c209ac54e1f5e WHIRLPOOL b1fe2b88f0e77312099171f5c83dc670abc4c40d215fdff1e43161e44f806de9e0537cfa3a0001e1c7bbc0d0aed555079455f88b8ff313b00d8e9a19dabcb7d8 DIST openssh-6.7p1-hpnssh14v5.tar.xz 25652 SHA256 7284db65548b6b04142930da86972f96b1f5aa8ad3fc125134412f904f369d7e SHA512 21929805f40c79684ee3ecdb2b495d3204dca90b932aa633c4e0f6a093a417259cdeee10b3e49f3dff426febc6792f45ee23cc0688f05bf047630f3016e0926a WHIRLPOOL 5515cd4c745b061a3e92ac03e8121fb3ffc4b2ff116140625ca7ab2c0211c673b6345e5b08134df8b1743e03f9964017e789e1f0b9da99a0fd5970e14665e681 DIST openssh-6.7p1.tar.gz 1351367 SHA256 b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 SHA512 2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d WHIRLPOOL ac8ce86d0f6c78c4cb3624b480f189f951d508db38b22d7a5550b7302d5277c1c7d18eaa713d52139abc0f77edacfdb03ced2603125e3ddf9bc09c69e6b70518 +DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476 +DIST openssh-6.8p1-hpnssh14v5.tar.xz 24660 SHA256 dea2c5cdfd08d09f832a88aaf9d8285e57a67bbc68e6652ca3e0bf8b0213d99e SHA512 0b77e5d7d13ac7e2392d52e18240e5a0233d0a452d6cb7d1a0bf7ea7b640df5edc64cfcbe8c4fcb7c011b0eaa6a7aa3d6585292be753387af369d726345b7f5c WHIRLPOOL 2385c4f8ce5b9a2359991b9ca38362ec19482d3c904b10ceeb77c5044c88edabc2470db2ed156931d1c3ab6f93872809bef66a6848e9b39969f7c59d144c31ba +DIST openssh-6.8p1.tar.gz 1475953 SHA256 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e SHA512 7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede WHIRLPOOL 3ac9cc4fe0b11ca66c0220618d0ef0c5925e5605d4d3d55c9579b708c478cf8613b7575fe213aba57054d97d3290baac4eba26b7a630d22477ec947f22327a5a DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73 EBUILD openssh-6.7_p1-r3.ebuild 10078 SHA256 1a58e95c28b5b938f2f15b3fec5688dc9509bb038805b0348b11ac31ed3c57e0 SHA512 add8eaebb3c91983a7bac78011700c110917dea6409bf46e784d7e17b1891facb3baacaa0bda71eb2c9b6017fbf1a21b5846434fba8d588724da871e7824f498 WHIRLPOOL 47e04a0644a592e29aaa9ac00b03a377e81cdb1d886119c21a77a0a351c0cea34018a24406449faa814c2f06e1c03b43ac16a78983bb4a9f57c36834ad7babcb EBUILD openssh-6.7_p1-r4.ebuild 10138 SHA256 e4f6c4e80485352cc75e62c0212670a0d7f4a19bcf1eed9972bbeaff8b7a2743 SHA512 fdcd7759a85412bdf05be5003d20289a862f13f945e1972e56a36602df426641ef3497399e06ff0da9a51cf2bd54831b6208ac399d42d3ce3e3b1493ffa7655c WHIRLPOOL ae24dbcc182627c356961f4ce290cb1b489e29fa13beaf27212bd4847a36f02af53a8508320cf2a76be88741297ac7533faf53c1d3b15d70299cff536ae8502f EBUILD openssh-6.7_p1.ebuild 10067 SHA256 970be3a06c0293262f6c59d068d290cc71935fe91f4295b1352b6c41c46c3bf7 SHA512 f2b689767c8da075f16e9e5d9fe258e22fb4019034539883d63632c1543d3141787883ec7013f87c23d709a554b4f994c4c2f41b1829e5301b55f7a5da3fbf46 WHIRLPOOL 8d70fd99a1f3307b801999a9c80be4bcc603cbc151170160d78a2fa8a50ceb701657cbb0b0eb9ccfe1287bff9299dcffb36f884b860a5ca88ac4a9936b21a574 -MISC ChangeLog 90520 SHA256 7c454f72794840d7da66364b62442136c3e91daf02055252c4f92b7cd9199c47 SHA512 572532d5c72adeff37a120419dc58e8d56252dafbc5f1bd8cdb8bf0547b81ddc2878a0b1944d9ff6d51fbabbee61f22c0283b38e09a60293c6ea7303cd4f94c2 WHIRLPOOL bc29ceca24b297a1f3cb2739bd0806564f792d1d58c2c781cbec437a75436b775ac2baf8985404a47fdf3129c9157ee35de18e7d8a50de5c66561df58d50e56b -MISC metadata.xml 1912 SHA256 7b838285f09ad395f237a0d0b9963eee86d0e85b58e6e5b4d5edb093fa888a0a SHA512 e55c10ffd12488720c3da19e55942cfedec63fe767fc1608439b5a3932eeb5488086ad7ef4e1f858c89381e737426f035845ea5e8bede4ed8a0ccabdc656d9b5 WHIRLPOOL 5c07b3dd4a4002cff5df62133ecf570bf79f58e9477d0ad25d60f185ee029183d11118147e3adfec373542659d921e99e787054cfe9284031c974d694de6e9ed +EBUILD openssh-6.8_p1.ebuild 10045 SHA256 13378c09cc4ceec7cd1b8c12ad925db87c9d37910edb679eb2404527226ee18d SHA512 daa5ba19f6fbc0ac7104c8c7822b22745736bf864999ade1e205d1b7184e0fd67f997c4635ab2335eafdf2d2917cf677764080d3004b24935f4189fce338010f WHIRLPOOL b8d40e35bf44bf26296c8d87e3b293b31f767920afb288a10deff8a9ceeb1c130b4da2697d7ce970091d0810c5d1e3839640e2ebee2f0d63b8ca5b0f430c0c0c +MISC ChangeLog 90792 SHA256 24fd0ac71712fbd97154f682e20ab011f2200014de7b0e0b7d39317c5ae83058 SHA512 4465871c0bd1fece5b8691f1509e027b536709e2453eeeda8ca6ec287d39f77f040196713fe84e1886687545b5645b670e98c42d4ab222615a2b1a7f71f103ed WHIRLPOOL cb9621b8674f522d8b63861205b7fa5a6a5206425aecae02626a8223d025e617afa9d873e55755bcf7f7af04837f0b8ad3e7199631798a9d2bab37609660e3e4 +MISC metadata.xml 2049 SHA256 db7830f81086b967b8212af7c318bf27d22ac7db58b1a4d9c80cc86453ff03ab SHA512 3641e38203376c78fddc11b9d5861bdb629a1f9faf2768be5dc35f62ef3d37636a2f9f990e3ade1de2cec45d33a5fcdf7bb0dcd5f4376d40753fe29b354da42e WHIRLPOOL 6a7497491a150ede87bf20f5da5ed9003d545c9c376db7b78a6c1db66b1b90213f5f97d9211fb8b1ab204c1814c1a90d7be77a2d83cc045cf0762b4d2708c56a -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 -iQIcBAEBCAAGBQJU8OqIAAoJEHy/RO9cNQiDxxsQAKcwgw0LRAp0fN2tCyitm0sW -EQJfzjXV8bzPW1PRIVsru3SR5gkTaeig139jPDswmcxm3EDj+AEvQZW8UU9YnF4P -o/RXaGkuwquOpvDEoJ4cE1qjIYzUIIsCiaMdBshweD/Gkur+gUOYI892kHuJXPUs -+nTpCMyhcj7mW8Ueu65xvYXxndoJq3z5ULGivex1HEGz2lPLA1TAhIaPoxIjx/dj -9IVLqw8pZiHYY3pgqqdA880xqIXWNmPPGPFFitt3jUrCR6kisiBLdGF1edIH5+4V -3aogwWyvdoziiRN9iPtOetZT/q0KRewHUdYyEeKndtXNzb0naINOcR3IjX1RMg0V -3Qcda+RwOnvG2NfsvkcYK59Ar8thQag3+xLEhTHV7K1Sgl7ndXmRA0e/Obj7TH5M -0Ql7L/kLkNakpZ8GNv0ZjqX2dAsjdUe0eVYKn/I+2PxIR+aw7Hjz1dtfZnXKKQM1 -LMoVvQHJz4qR7fFu67edz3PybtOS+4BRy1Lw88I3eg1ql9hhsqQtneD2xXp8us03 -SbuKR3GLnW1o6Ax5VDMkkW0oY2VB9FQQ3pJybkFUzjejo8hn5PG6OiM6aP15iI/Z -0GG7VGKasywc52HEj0hq3FI/sgJDmrqk0vPBfxdsdp5e0z8uMZCBhLV5I0MVBTbK -Jdi46gtdvo7eCnXY8+Fk -=nfVc +iQIcBAEBCAAGBQJVCd8SAAoJEPGu1DbS6WIAJjEP/jy6QL5Ja5j3ndiXH9jy3FKQ +MtmzCYv/yjLSRCw+n1QyMNjcIDQR3zt4p0HK6NeXbfhDllsMOk1afqN5boTgPwgs +y9Bq++zSlFEDgaOR/PncOhsXnkFnJH8XebAdz5SjLpdtdwF7pY/ZYEuFl11Wy6T+ +6jYJ3SIjjTQoGIkBffMLisKSnFzBIFgN/DoR+d3V2awZ/nHe6KaDscgwe+29vg+h +zKfRfVLQAMBLCETzQNMkKQ07DhZBHhElpqNerF6GMVWygxVIBpCsx1q9aBw0LcgW +SiaOgR8q4xYTjsC2i93Bndioip6h6nVzSqRp/6Qluoq+VK1SCHpwbpj0d2YdwGZr +vQw5RfECIR+bO9h4FOFhu0ccbQXri+fFA7FYJUg0lpUTJVdxMchkIMoAlmq+G9Aq +1UWM6rpwbdkYf2XHz2Dui10EngWXb6V3nxHA37wLOLSaGSmoB8JCQg0Ffwq7gHlv +2dpUC3NNbTQExtYFMedszmv+GXWYZk5KMXjDhZF7eEGRiO/cILNbNpsOut7xNblm +MlIgEd4wrHQikOan7fFx/5iR4lfONZz9gVBRGoByU06305Cc6pVdklCrF77oi8fv +o/tRFnra6/tdLNv9aqBcZPBj6f9Z1LCCvPGXxrj3qU9q+TVaybhGVTjYKwoyhLNX +1qkDg5PwlLcTAiGUcbx5 +=zv6h -----END PGP SIGNATURE----- diff --git a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch new file mode 100644 index 000000000000..48fce1e2c294 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch @@ -0,0 +1,162 @@ +https://bugs.gentoo.org/378361 +https://bugzilla.mindrot.org/show_bug.cgi?id=928 + +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -41,9 +41,12 @@ + #include "channels.h" + #include "session.h" + #include "misc.h" ++#include "servconf.h" + + #include "ssh-gss.h" + ++extern ServerOptions options; ++ + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; +@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + char lname[NI_MAXHOST]; + gss_OID_set oidset; + +- gss_create_empty_oid_set(&status, &oidset); +- gss_add_oid_set_member(&status, ctx->oid, &oidset); +- +- if (gethostname(lname, sizeof(lname))) { +- gss_release_oid_set(&status, &oidset); +- return (-1); +- } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ ++ if (gethostname(lname, MAXHOSTNAMELEN)) { ++ gss_release_oid_set(&status, &oidset); ++ return (-1); ++ } ++ ++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { ++ gss_release_oid_set(&status, &oidset); ++ return (ctx->major); ++ } ++ ++ if ((ctx->major = gss_acquire_cred(&ctx->minor, ++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, ++ NULL, NULL))) ++ ssh_gssapi_error(ctx); + +- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); ++ } else { ++ ctx->name = GSS_C_NO_NAME; ++ ctx->creds = GSS_C_NO_CREDENTIAL; + } +- +- if ((ctx->major = gss_acquire_cred(&ctx->minor, +- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) +- ssh_gssapi_error(ctx); +- +- gss_release_oid_set(&status, &oidset); +- return (ctx->major); ++ return GSS_S_COMPLETE; + } + + /* Privileged */ +--- a/servconf.c ++++ b/servconf.c +@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; ++ options->gss_strict_acceptor = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption + options->gss_authentication = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; ++ if (options->gss_strict_acceptor == -1) ++ options->gss_strict_acceptor = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -277,7 +280,8 @@ typedef enum { + sBanner, sUseDNS, sHostbasedAuthentication, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, +- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, ++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, +@@ -327,9 +331,11 @@ static struct { + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, + #endif + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, +@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions + + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; ++ goto parse_flag; ++ ++ case sGssStrictAcceptor: ++ intptr = &options->gss_strict_acceptor; + goto parse_flag; + + case sPasswordAuthentication: +--- a/servconf.h ++++ b/servconf.h +@@ -92,6 +92,7 @@ typedef struct { + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ ++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +--- a/sshd_config ++++ b/sshd_config +@@ -69,6 +69,7 @@ + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -386,6 +386,21 @@ on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. ++If set to ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. ++If set to ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. ++This facility is provided to assist with operation on multi homed machines. ++The default is ++.Dq yes . + .It Cm HostbasedAcceptedKeyTypes + Specifies the key types that will be accepted for hostbased authentication + as a comma-separated pattern list. diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch new file mode 100644 index 000000000000..9fad386ccb6c --- /dev/null +++ b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch @@ -0,0 +1,31 @@ +From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Wed, 18 Mar 2015 12:37:24 -0400 +Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is + set + +--- + configure.ac | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index b4d6598..7806d20 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2276,10 +2276,10 @@ openssl_engine=no + AC_ARG_WITH([ssl-engine], + [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], + [ +- if test "x$openssl" = "xno" ; then +- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) +- fi + if test "x$withval" != "xno" ; then ++ if test "x$openssl" = "xno" ; then ++ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) ++ fi + openssl_engine=yes + fi + ] +-- +2.3.2 + diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml index 885648b44dd7..cd16a1391834 100644 --- a/net-misc/openssh/metadata.xml +++ b/net-misc/openssh/metadata.xml @@ -26,6 +26,8 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and <flag name="ldap">Add support for storing SSH public keys in LDAP</flag> <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag> <flag name="sctp">Support for Stream Control Transmission Protocol</flag> + <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag> + <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag> <flag name="X509">Adds support for X.509 certificate authentication</flag> </use> <upstream> diff --git a/net-misc/openssh/openssh-6.8_p1.ebuild b/net-misc/openssh/openssh-6.8_p1.ebuild new file mode 100644 index 000000000000..d32402f42271 --- /dev/null +++ b/net-misc/openssh/openssh-6.8_p1.ebuild @@ -0,0 +1,319 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.8_p1.ebuild,v 1.1 2015/03/18 20:24:48 vapier Exp $ + +EAPI="4" +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PN}-6.8p1-hpnssh14v5.tar.xz" +LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz" +#X509_VER="8.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + mirror://gentoo/${P}-sctp.patch.xz + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH} + http://dev.gentoo.org/~vapier/dist/${HPN_PATCH} + mirror://sourceforge/hpnssh/${HPN_PATCH} + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +# Probably want to drop ssh1/ssl defaulting to on in a future version. +IUSE="bindist ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey +ssh1 +ssl static X X509" +REQUIRED_USE="pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam )" + +LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + ssl? ( + >=dev-libs/openssl-0.9.6d:0[bindist=] + dev-libs/openssl[static-libs(+)] + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( + ${LIB_DEPEND//\[static-libs(+)]} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( + ${LIB_DEPEND} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) + bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) + ) + ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.deny ; then + eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + eerror "you're trying to use it. Update your ${EROOT}etc/hosts.deny please." + die "USE=tcpd no longer works" + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + epatch "${FILESDIR}"/${PN}-6.8_p1-sshd-gssapi-multihomed.patch #378361 + if use X509 ; then + pushd .. >/dev/null + epatch "${FILESDIR}"/${P}-x509-glue.patch + epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch + epatch "${FILESDIR}"/${PN}-6.7_p1-xmalloc-include.patch + save_version X509 + fi + if ! use X509 ; then + if [[ -n ${LDAP_PATCH} ]] && use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + else + use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP" + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch + epatch "${WORKDIR}"/${P}-sctp.patch + if [[ -n ${HPN_PATCH} ]] && use hpn; then + epatch "${WORKDIR}"/${HPN_PATCH%.*.*}/* + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + local myconf=() + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys # skey configure code triggers this + + use static && append-ldflags -static + + # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) + if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then + myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx ) + append-ldflags -lutil + fi + + econf \ + --with-ldflags="${LDFLAGS}" \ + --disable-strip \ + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run \ + --sysconfdir="${EPREFIX}"/etc/ssh \ + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \ + --datadir="${EPREFIX}"/usr/share/openssh \ + --with-privsep-path="${EPREFIX}"/var/empty \ + --with-privsep-user=sshd \ + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) \ + ${LDAP_PATCH:+$(use X509 || (use ldap && use_with ldap))} \ + $(use_with ldns) \ + $(use_with libedit) \ + $(use_with pam) \ + $(use_with pie) \ + $(use_with sctp) \ + $(use_with selinux) \ + $(use_with skey) \ + $(use_with ssh1) \ + $(use_with ssl openssl) \ + $(use_with ssl md5-passwords) \ + $(use_with ssl ssl-engine) \ + "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + keepdir /var/empty/dev + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "reload sshd: '/etc/init.d/sshd reload'." + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + einfo "For the HPN server logging patch, you must ensure that" + einfo "your syslog application also listens at /var/empty/dev/log." + fi + elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has" + elog " dropped it. Make sure to update any configs that you might have." +} |