diff options
Diffstat (limited to 'net-misc')
| -rw-r--r-- | net-misc/Manifest.gz | bin | 53475 -> 53474 bytes | |||
| -rw-r--r-- | net-misc/openssh/Manifest | 6 | ||||
| -rw-r--r-- | net-misc/openssh/files/ssh-agent.initd | 7 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-9.7_p1-r6.ebuild | 400 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-9.9_p2-r3.ebuild (renamed from net-misc/openssh/openssh-9.8_p1-r2.ebuild) | 110 |
5 files changed, 67 insertions, 456 deletions
diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz Binary files differindex b3c2d445ed0d..f1146b24ecdc 100644 --- a/net-misc/Manifest.gz +++ b/net-misc/Manifest.gz diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 6dc4410ecfbe..c42ec67d79c8 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -14,6 +14,7 @@ AUX openssh-9.7_p1-config-tweaks.patch 1032 BLAKE2B 52f20d412722b00a452b92c8b45a AUX openssh-9.8_p1-inetd.patch 895 BLAKE2B 4e64abf32c0dd8ff9ad742bc2c230b9330b5994ecbc3f3c559f929e73992ea69d3085954cfa571c9a2ee33921d2eeeba5e7031808a87583003ca914e4927bbda SHA512 7a6f7c035ea0284deca7d5de30580d621b2ae3d6a51386a553f6adf7f6209b000a1da588f0c5b865c1d5e82f79f3d84d3409532d42e367702e99b321b08bf3fe AUX openssh-9.8_p1-musl-connect.patch 478 BLAKE2B da4043516412f5cc443c06c1f1bbd090a29408d774959e7f8cc84cc5fdacbfa927b4f89c53c9320334e7c715b6e9f24a8abff1d44adc5f0bc45b9c0432729cc8 SHA512 1953656561e952659fd38d8be96421945040c4cfb5e144bfccb77dd755adf72b6e1ca7751139bd6b20d1bafacab70c606b9e274aa7e091e437b6f399dc9e2352 AUX openssh-9.9_p1-x-forwarding-slow.patch 2296 BLAKE2B 463f2cfb493e205bf421d5aa9f6cc70ed0e11ecd6debc629dd13bddf11b3c1d771a209ddca1513a221b3cbdca92ca7102dddf56d43d055376a8d329019ee2806 SHA512 c16f8fe16ab2f9eb86960b3b88fd063d85adb76452ad8290855e52270886aef865b385849bc0dfd95567b49e72529b8208493dba6cfd405e18a344a16f96c406 +AUX ssh-agent.initd 246 BLAKE2B cb3ccce0436a12bfa91c65e55162ef8c96f336a5a51234ef74edacb3605e35f24301bac732ff8ea76085296ed47f944def27c9ee186c32d07fcd33c6d4520309 SHA512 2643aeb53f6664e8d3bb75e0a7f2a48e2e80e3747fd234424d59afc477d21085a15309510ad5b0d8e0a0fdf0f1a755e30e8d898d565d0394bddde2292f61cbbd AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27 AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391af5769798e0b0185f0a588bc089d229c76138fd2db39fbe6bd33924f0d53e0513074d9c2d7abf88dcb78 SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c @@ -21,17 +22,14 @@ AUX sshd.service.1 298 BLAKE2B 7a4f2e2656096b09a8b435d393ea9b0a7bd10a2a9f0e9d9cf AUX sshd.service.2 282 BLAKE2B df9efc9bf73c0824bd0e290bf8e5ad442003461013fa30c18beddfa5760f257274aaaf045f845ee8700b780c8b792b02bb9e7d458d77fee48dbfb6da55b34563 SHA512 24c04f0608b478b3aa600a0bdfeb31b196bd9524fdd9c78bcbef5f603a797e17ffbf2ce503af707800b67d789b24fbe1ce15e87df58003752156709d497fca3b AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 AUX sshd_at.service.1 163 BLAKE2B b5c77d69e3860d365ba96a5b2fe14514bda9425e170fc7f324dcaf95fb02756ef9c5c2658904e812232f40fac9a3c2f4abf61b9129038bde66bb7d3a992d2606 SHA512 fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f -DIST openssh-9.7p1.tar.gz 1848766 BLAKE2B 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b SHA512 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55 -DIST openssh-9.7p1.tar.gz.asc 833 BLAKE2B a95e952be48bd55a07d0a95a49dc06c326816c67b8b5d40bd3f64c28aa43122253817b8a088e7a3b8a190375ea39f9fc3400b22d035561f9643c1d32b5caef27 SHA512 e028978e4266de9ad513626b13d70249e4166923fc15f38751178e2b3522ff6ebb9a7ca7dc32d1bb42d42fb92adf9903dba1b734bec083010ed7323aadad8baf DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7 DIST openssh-9.9p1.tar.gz 1964864 BLAKE2B 817d267e42b8be74a13e0cfd7999bdb4dab6355c7f62c1a4dd89adad310c5fb7fe3f17109ce1a36cd269a3639c1b8f1d18330c615ab3b419253ec027cfa20997 SHA512 3cc0ed97f3e29ecbd882eca79239f02eb5a1606fce4f3119ddc3c5e86128aa3ff12dc85000879fccc87b60e7d651cfe37376607ac66075fede2118deaa685d6d DIST openssh-9.9p1.tar.gz.asc 833 BLAKE2B 0e19668eb5cadea0e7b06caf2bc2f4cee7e7656a780a128090dcdf2acc25c6e0e0fc7c4c83c95ffcd567cd03941ec772b0f5b273e6f79ff4e440e1d9f22bcdb7 SHA512 916e975c54eb68c0b2f0b0006522b241cbe54c4caa88d31537a6278490c93d9d732c2ab3a080ac084bf75cbdd5402901ec68583cbe7c7cde4a8e40e7a8b78c28 DIST openssh-9.9p2.tar.gz 1944499 BLAKE2B 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d SHA512 4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278 DIST openssh-9.9p2.tar.gz.asc 833 BLAKE2B 21d9ef3da2b54be47420327f1c724e38eef951ea11d646de81ac3ee2abf3d81f218424432cf5ac7d60cdae72e2190001f923dbdf5bed57f4a105ee1895261c9d SHA512 e7f9bc74d27e5cf8cbf4f5831fddd1d8ad00b03e51e7deb7f95ef17c5017ab7ce0116f4770374aaf6bd3a5f6013dab651a7651b21fa303d05ad6d14b537ab955 -EBUILD openssh-9.7_p1-r6.ebuild 14116 BLAKE2B 423d6ab5e9af91f0996bb74e70984fbdc41f276e3364f35d9e1db39d2cd72582b8ca5192c67d07e57a6322289061e9e1ddcfc2cddcee9137cd7e79486157178a SHA512 fe3ceb2912f342fbd0ac9bd6229ddb4c00c0d7c0c0225763d68dfcd2dc69c128ae2cd5101bdac91a4baa179544b273708770dc63c686b2b9751d3391b2799239 -EBUILD openssh-9.8_p1-r2.ebuild 15271 BLAKE2B d8d4f794f7e9b7f9e9d74acc813bb4860ccdf660c38a629cd4c3553e0ddcc2eabbd1dab7603ae06e4bbe031421083e0a4813c25ca38625989f0a74fb06620e24 SHA512 3b36919fce944984eeb9c21d6df80e3dd9a7c34846165a31e8c48652fb0c3428599b505147092e14aee3e6f5ac6b4ef37aabcb3a7300d3b04da6f32eb47e18a6 EBUILD openssh-9.8_p1-r3.ebuild 15365 BLAKE2B 51da05b6b53b1326871328aa14387f10794de1e643f18a14b9ecc51830d3ebbfa772d1402bd86d3a118d5be1fb0760e7f608ddd7cd93b960617ad86f5a66beb7 SHA512 f3e294a30591621c96acf1ab054b2f84801b8ad9eb0932597a6eeda7b3b0cc01560c21944954dc6d9da6f4eaafa34592def5a2a80c27c113e48fe194a986f83d EBUILD openssh-9.9_p1.ebuild 15405 BLAKE2B bfea4b4b5370bcd9b898624982a9950107163b3a2f1deca4182aaa3f31d02ca6bca89956f93887e503a25db3d5a58a960d4a6b68ec2a742943b5810808d8476d SHA512 ec64e2ef14a82fc94a99c33f5da19f2a3b255841b7ed982a936dc1dfd980fceaa8f3711d47a962e7dea1a6eb2fe8b1692159ad16786bc752c66cfa0749b9fbd9 +EBUILD openssh-9.9_p2-r3.ebuild 15495 BLAKE2B c277036e9d462351c661e57e471497c3beef6204a91f1e73f10b4473929aa76329098a02dd1fc4fda35db81d32fb00d509d3317bdc138f37007bcc01ab0176e9 SHA512 c03866a6a83d20ab5a2683fb5f8a8a6039870adbc3d79bf2c1873fa3510c005f4a578e78121cd44584c1d49776ebca5df9f9c0da01a54587b656d8f3bf7a0759 EBUILD openssh-9.9_p2.ebuild 15415 BLAKE2B 9e45b48d639e71a127de67c4b7cccc69932165835ad102b63f84d452cdbacf4496e35c2419a37619661a8e4f59bd9e028b953eb24448a26173b00d6f34157f02 SHA512 0b941a42b1b93b9bfbff8a87a06c54dc7122e360e9e282ab796fc37feb0cfdb7f71b22c48aa3e7b69d44ae8598e732a304b684e2e5a7d922a3c40a20507f419c MISC metadata.xml 1967 BLAKE2B 9e586a4c515035bc31be950c3872c379e01dae2cc460239cde37b83d6ca8494d36d1e1f858195b34af76074a966278c323ab24ba5e78adfa70be297c1f21336f SHA512 83563c27789a4c12149f037d9318b66d6caf383a82f0f6f7025378bd2a3017d41ff96b5aea3d08e4407d85f3d1a089a51ae6c7fa3970c20b2d8d721962ddbf69 diff --git a/net-misc/openssh/files/ssh-agent.initd b/net-misc/openssh/files/ssh-agent.initd new file mode 100644 index 000000000000..49d3b125b83f --- /dev/null +++ b/net-misc/openssh/files/ssh-agent.initd @@ -0,0 +1,7 @@ +#!/sbin/openrc-run +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License, v2 or later + +supervisor=supervise-daemon +command="/usr/bin/ssh-agent" +command_args="-D -a ${XDG_RUNTIME_DIR}/ssh-agent.sock" diff --git a/net-misc/openssh/openssh-9.7_p1-r6.ebuild b/net-misc/openssh/openssh-9.7_p1-r6.ebuild deleted file mode 100644 index 010b1c7eaaa2..000000000000 --- a/net-misc/openssh/openssh-9.7_p1-r6.ebuild +++ /dev/null @@ -1,400 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc -inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI=" - mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - net-libs/ldns[ecdsa(+),ssl(+)] - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND=" - ${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND=" - ${RDEPEND} - !net-misc/openssh-contrib - pam? ( >=sys-auth/pambase-20081028 ) - !prefix? ( sys-apps/shadow ) -" -BDEPEND=" - dev-build/autoconf - virtual/pkgconfig - verify-sig? ( sec-keys/openpgp-keys-openssh ) -" - -PATCHES=( - "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" - "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" - "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" - "${FILESDIR}/${PN}-9.6_p1-CVE-2024-6387.patch" - "${FILESDIR}/${PN}-9.6_p1-chaff-logic.patch" -) - -pkg_pretend() { - local i enabled_eol_flags disabled_eol_flags - for i in hpn sctp X509; do - if has_version "net-misc/openssh[${i}]"; then - enabled_eol_flags+="${i}," - disabled_eol_flags+="-${i}," - fi - done - - if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then - # Skip for binary packages entirely because of environment saving, bug #907892 - [[ ${MERGE_TYPE} == binary ]] && return - - ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." - ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," - ewarn "since these USE flags required third-party patches that often trigger bugs" - ewarn "and are of questionable provenance." - ewarn - ewarn "If you must continue relying on this functionality, switch to" - ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" - ewarn "world file first: 'emerge --deselect net-misc/openssh'" - ewarn - ewarn "In order to prevent loss of SSH remote login access, we will abort the build." - ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" - ewarn "variant, when re-emerging you will have to set" - ewarn - ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" - - die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) - - default - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - # optional at runtime; guarantee a known path - --with-xauth="${EPREFIX}"/usr/bin/xauth - - # --with-hardening adds the following in addition to flags we - # already set in our toolchain: - # * -ftrapv (which is broken with GCC anyway), - # * -ftrivial-auto-var-init=zero (which is nice, but not the end of - # the world to not have) - # * -fzero-call-used-regs=used (history of miscompilations with - # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, - # gcc PR104820, gcc PR104817, gcc PR110934)). - # - # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK, - # so we cannot just disable -fzero-call-used-regs=used. - # - # Therefore, just pass --without-hardening, given it doesn't negate - # our already hardened toolchain defaults, and avoids adding flags - # which are known-broken in both Clang and GCC and haven't been - # proven reliable. - --without-hardening - - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(use_with security-key security-key-builtin) - $(use_with ssl openssl) - $(use_with ssl ssl-engine) - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all - # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) - tc-is-clang && myconf+=( --without-hardening ) - - econf "${myconf[@]}" -} - -create_config_dropins() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die - # Send locale environment variables (bug #367017) - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM (bug #658540) - SendEnv COLORTERM - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die - RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die - # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die - # Allow client to pass locale environment variables (bug #367017) - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM (bug #658540) - AcceptEnv COLORTERM - EOF - - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die - # override default of no subsystems - Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server - EOF - - if use pam ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die - UsePAM yes - # This interferes with PAM. - PasswordAuthentication no - # PAM can do its own handling of MOTD. - PrintMotd no - PrintLastLog no - EOF - fi - - if use livecd ; then - cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die - # Allow root login with password on livecds. - PermitRootLogin Yes - EOF - fi -} - -src_compile() { - default - create_config_dropins -} - -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi - - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" </dev/null -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - doman contrib/ssh-copy-id.1 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.socket - systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service - systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service' - - # Install dropins with explicit mode, bug 906638, 915840 - diropts -m0755 - insopts -m0644 - insinto /etc/ssh - doins -r "${WORKDIR}"/etc/ssh/ssh_config.d - doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts - diropts -m0700 - insopts -m0600 - doins -r "${WORKDIR}"/etc/ssh/sshd_config.d -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - # bug #139235 - optfeature "x11 forwarding" x11-apps/xauth - - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then - ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" - ewarn "'Restart=on-failure', which causes the service to automatically restart if it" - ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," - ewarn "but it can increase the vulnerability of the system in the event of a future exploit." - ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" - ewarn "set 'Restart=no' in your sshd unit file." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi -} diff --git a/net-misc/openssh/openssh-9.8_p1-r2.ebuild b/net-misc/openssh/openssh-9.9_p2-r3.ebuild index be1dd9e136e5..1b34d10467ef 100644 --- a/net-misc/openssh/openssh-9.8_p1-r2.ebuild +++ b/net-misc/openssh/openssh-9.9_p2-r3.ebuild @@ -1,10 +1,13 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 +# Remember to check the upstream release/stable branches for patches +# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2. + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc -inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver # Make it more portable between straight releases # and _p? releases. @@ -20,9 +23,9 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test xmss" +IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss" RESTRICT="!test? ( test )" @@ -79,7 +82,10 @@ PATCHES=( "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" - "${FILESDIR}/${PN}-9.8_p1-musl-connect.patch" + # Backports from upstream release branch + #"${FILESDIR}/${PV}" + # Our own backports + "${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch" ) pkg_pretend() { @@ -198,6 +204,7 @@ src_configure() { $(use_with audit audit linux) $(use_with kerberos kerberos5 "${EPREFIX}"/usr) $(use_with ldns) + $(use_enable legacy-ciphers dsa-keys) $(use_with libedit) $(use_with pam) $(use_with pie) @@ -308,6 +315,8 @@ src_install() { dobin contrib/ssh-copy-id newinitd "${FILESDIR}"/sshd-r1.initd sshd newconfd "${FILESDIR}"/sshd-r1.confd sshd + exeinto /etc/user/init.d + newexe "${FILESDIR}"/ssh-agent.initd ssh-agent if use pam; then newpamd "${FILESDIR}"/sshd.pam_include.2 sshd @@ -343,53 +352,50 @@ pkg_postinst() { # bug #139235 optfeature "x11 forwarding" x11-apps/xauth - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then - ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" - ewarn "'Restart=on-failure', which causes the service to automatically restart if it" - ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," - ewarn "but it can increase the vulnerability of the system in the event of a future exploit." - ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" - ewarn "set 'Restart=no' in your sshd unit file." - fi - done + if ver_replacing -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_replacing -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_replacing -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_replacing -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_replacing -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_replacing -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then + ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" + ewarn "'Restart=on-failure', which causes the service to automatically restart if it" + ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," + ewarn "but it can increase the vulnerability of the system in the event of a future exploit." + ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" + ewarn "set 'Restart=no' in your sshd unit file." + fi if [[ -n ${show_ssl_warning} ]]; then elog "Be aware that by disabling openssl support in openssh, the server and clients" |