From 4c80e12f474f47f056a610a33c7971e2d2bc31a3 Mon Sep 17 00:00:00 2001 From: Daniel Ahlberg Date: Tue, 24 Feb 2004 21:58:52 +0000 Subject: Version bump --- net-misc/openssh/ChangeLog | 7 +- net-misc/openssh/Manifest | 16 ++- net-misc/openssh/files/digest-openssh-3.8_p1 | 1 + .../openssh/files/openssh-3.7.1_p1-selinux.diff | 14 +- net-misc/openssh/files/openssh-3.8_p1-chroot.patch | 74 ++++++++++ .../openssh/files/openssh-3.8_p1-kerberos.patch | 19 +++ .../files/openssh-3.8_p1-resolv_functions.patch | 12 ++ net-misc/openssh/files/openssh-3.8_p1-skey.patch | 11 ++ net-misc/openssh/openssh-3.8_p1.ebuild | 157 +++++++++++++++++++++ 9 files changed, 298 insertions(+), 13 deletions(-) create mode 100644 net-misc/openssh/files/digest-openssh-3.8_p1 create mode 100644 net-misc/openssh/files/openssh-3.8_p1-chroot.patch create mode 100644 net-misc/openssh/files/openssh-3.8_p1-kerberos.patch create mode 100644 net-misc/openssh/files/openssh-3.8_p1-resolv_functions.patch create mode 100644 net-misc/openssh/files/openssh-3.8_p1-skey.patch create mode 100644 net-misc/openssh/openssh-3.8_p1.ebuild diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog index bd0d2887eafa..012685531deb 100644 --- a/net-misc/openssh/ChangeLog +++ b/net-misc/openssh/ChangeLog @@ -1,6 +1,11 @@ # ChangeLog for net-misc/openssh # Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.64 2004/02/21 20:48:08 aliz Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.65 2004/02/24 21:58:52 aliz Exp $ + +*openssh-3.8_p1 (24 Feb 2004) + + 24 Feb 2004; Daniel Ahlberg openssh-3.8_p1.ebuild: + Version bump. 21 Feb 2004; Daniel Ahlberg openssh-3.7.1_p2-r2.ebuild: Fix openssh to work with multipe kerbers5 libs. Closing #30310. diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 2b7b842dc87f..87e561bbf0a0 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest 
@@ -1,13 +1,19 @@
-MD5 8c8a294d07508e312149700ff621d6ec ChangeLog 10487
 MD5 c630114ddf3ed7bb9ba71d93967f6983 openssh-3.7.1_p2-r1.ebuild 4039
 MD5 067cf4412f81f4793559abab21a9eb5e openssh-3.7.1_p2-r2.ebuild 4561
+MD5 8c8a294d07508e312149700ff621d6ec ChangeLog 10487
 MD5 0feff9b09e482567359625301bddce1c metadata.xml 1329
+MD5 cfb2781ff0bce2c73f71ddc72b390304 openssh-3.8_p1.ebuild 4661
+MD5 f3838696f97d8942b708798fa021c688 files/openssh-3.8_p1-kerberos.patch 745
+MD5 5e42c267d017c8bcf5a68a8b16398736 files/openssh-3.8_p1-skey.patch 326
 MD5 2cb187d8f60994c5e1b5fef2bcb6e85d files/openssh-3.5_p1-gentoo-sshd-gcc3.patch 315
+MD5 43abd80576688f5867520fdcd42f9d91 files/digest-openssh-3.8_p1 65
+MD5 9e179b1c0e3a139a5a9067c6e5bd6595 files/openssh-3.7.1_p1-selinux.diff 3389
+MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.8_p1-chroot.patch 2884
+MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.7.1_p2-chroot.patch 2884
+MD5 b31110303673214476c57e1bed28e1ce files/openssh-skeychallenge-args.diff 925
+MD5 47853493e53ca7d4ac9942d6a76fb855 files/openssh-3.7.1_p2-kerberos.patch 1190
 MD5 b86ae0c43a704c4ee2abd2ce5c955f8f files/sshd.pam 294
 MD5 17b2fa077852f2c2990ec97c51bf198b files/sshd.rc6 1233
-MD5 49cc9062ff27ad7d4e8f94b136ed76a2 files/openssh-3.7.1_p1-selinux.diff 3394
+MD5 319cf9de283116bf886d3aab3d036249 files/openssh-3.8_p1-resolv_functions.patch 422
 MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r1 142
 MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r2 142
-MD5 b31110303673214476c57e1bed28e1ce files/openssh-skeychallenge-args.diff 925
-MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.7.1_p2-chroot.patch 2884
-MD5 47853493e53ca7d4ac9942d6a76fb855 files/openssh-3.7.1_p2-kerberos.patch 1190
diff --git a/net-misc/openssh/files/digest-openssh-3.8_p1 b/net-misc/openssh/files/digest-openssh-3.8_p1
new file mode 100644
index 000000000000..9489824c3e92
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-3.8_p1
@@ -0,0 +1 @@ +MD5 7861a4c0841ab69a6eec5c747daff6fb openssh-3.8p1.tar.gz 826588 diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-selinux.diff b/net-misc/openssh/files/openssh-3.7.1_p1-selinux.diff index 97bcc75f95b1..7a97fe7f877a 100644 --- a/net-misc/openssh/files/openssh-3.7.1_p1-selinux.diff +++ b/net-misc/openssh/files/openssh-3.7.1_p1-selinux.diff @@ -57,19 +57,19 @@ diff -urN openssh-3.7.1p1.orig/session.c openssh-3.7.1p1/session.c diff -urN openssh-3.7.1p1.orig/sshpty.c openssh-3.7.1p1/sshpty.c --- openssh-3.7.1p1.orig/sshpty.c 2003-08-24 20:16:21.000000000 -0500 +++ openssh-3.7.1p1/sshpty.c 2003-09-19 19:08:04.000000000 -0500 -@@ -22,6 +22,12 @@ - #include "log.h" - #include "misc.h" - +@@ -30,6 +30,12 @@ + #define O_NOCTTY 0 + #endif + +#ifdef WITH_SELINUX +#include +#include +#include +#endif + - /* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */ - #if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY) - #undef HAVE_DEV_PTMX + /* + * Allocates and opens a pty. Returns 0 if no pty could be allocated, or + * nonzero if a pty was successfully allocated. On success, open file @@ -386,6 +392,37 @@ * Warn but continue if filesystem is read-only and the uids match/ * tty is owned by root. diff --git a/net-misc/openssh/files/openssh-3.8_p1-chroot.patch b/net-misc/openssh/files/openssh-3.8_p1-chroot.patch new file mode 100644 index 000000000000..13625995a88e --- /dev/null +++ b/net-misc/openssh/files/openssh-3.8_p1-chroot.patch 
@@ -0,0 +1,74 @@
+################################################################################
+################################################################################
+# #
+# Original patch by Ricardo Cerqueira #
+# #
+# Updated by James Dennis for openssh-3.7.1p2 #
+# #
+# A patch to cause sshd to chroot when it encounters the magic token #
+# '/./' in a users home directory. The directory portion before the #
+# token is the directory to chroot() to, the portion after the #
+# token is the user's home directory relative to the new root. #
+# #
+# Patch source using: patch -p0 < /path/to/patch #
+# #
+# Systems with a bad diff (doesn't understand -u or -N) should use gnu diff. #
+# Solaris may store this as gdiff under /opt/sfw/bin. I can't say much about #
+# other systems (unless you email me your experiences!). #
+# #
+################################################################################
+################################################################################
+
+diff -uNr openssh-3.7.1p2/session.c openssh-3.7.1p2-chroot/session.c
+--- openssh-3.7.1p2/session.c Tue Sep 23 04:59:08 2003
++++ openssh-3.7.1p2-chroot/session.c Fri Sep 26 13:42:52 2003
+@@ -58,6 +58,8 @@
+ #include "session.h"
+ #include "monitor_wrap.h"
+ 
++#define CHROOT
++
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+@@ -1231,6 +1233,12 @@
+ void
+ do_setusercontext(struct passwd *pw)
+ {
++
++#ifdef CHROOT
++ char *user_dir;
++ char *new_root;
++#endif /* CHROOT */
++
+ #ifndef HAVE_CYGWIN
+ if (getuid() == 0 || geteuid() == 0)
+ #endif /* HAVE_CYGWIN */
+@@ -1268,6 +1276,27 @@
+ exit(1);
+ }
+ endgrent();
++
++#ifdef CHROOT
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
++
++ while((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
++
++ if(chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory % s", user_dir);
++ pw->pw_dir = new_root;
++ break;
++ }
++ new_root += 2;
++ }
++#endif /* CHROOT */
++
++
+ # ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of supplementary groups.
diff --git a/net-misc/openssh/files/openssh-3.8_p1-kerberos.patch b/net-misc/openssh/files/openssh-3.8_p1-kerberos.patch
new file mode 100644
index 000000000000..2d0694f0cc7e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.8_p1-kerberos.patch
@@ -0,0 +1,19 @@
+--- configure.ac 2004-02-24 21:05:46.781403118 +0000
++++ configure.ac 2004-02-24 21:03:30.717786642 +0000
+@@ -2102,14 +2102,14 @@
+ )
+ else
+ AC_MSG_RESULT(no)
+- CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
++ CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include -I/usr/include/heimdal -I/usr/include/gssapi"
+ LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
+ AC_MSG_CHECKING(whether we are using Heimdal)
+ AC_TRY_COMPILE([ #include ],
+ [ char *tmp = heimdal_version; ],
+ [ AC_MSG_RESULT(yes)
+ AC_DEFINE(HEIMDAL)
+- K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
++ K5LIBS="-lkrb5 -lcom_err -lasn1 -lroken -lresolv"
+ ],
+ [ AC_MSG_RESULT(no)
+ K5LIBS="-lkrb5 -lk5crypto -lcom_err"
diff --git a/net-misc/openssh/files/openssh-3.8_p1-resolv_functions.patch b/net-misc/openssh/files/openssh-3.8_p1-resolv_functions.patch
new file mode 100644
index 000000000000..2de0cca0ed96
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.8_p1-resolv_functions.patch
@@ -0,0 +1,12 @@
+--- configure.ac 2004-02-24 21:03:30.717786642 +0000
++++ configure.ac 2004-02-24 21:33:37.936501897 +0000
+@@ -2055,7 +2055,9 @@
+ [
+ # Needed by our getrrsetbyname()
+ AC_SEARCH_LIBS(res_query, resolv)
++ AC_SEARCH_LIBS(__res_query, resolv)
+ AC_SEARCH_LIBS(dn_expand, resolv)
++ AC_SEARCH_LIBS(__dn_expand, resolv)
+ AC_CHECK_FUNCS(_getshort _getlong)
+ AC_CHECK_MEMBER(HEADER.ad,
+ [AC_DEFINE(HAVE_HEADER_AD)],,
diff --git a/net-misc/openssh/files/openssh-3.8_p1-skey.patch b/net-misc/openssh/files/openssh-3.8_p1-skey.patch
new file mode 100644
index 000000000000..133635574c8d
--- /dev/null
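Review bot: The chroot() added to do_setusercontext jails into whatever precedes the `/./` token in pw_dir without checking that that directory (or any path component above it) is root-owned and not group/world-writable, and nothing in the hunk chdir()s into the new root afterwards; a user who can write to the chroot directory can populate it with a crafted /etc/passwd or loader configuration and defeat the jail, and the cwd still refers to the old tree until something later changes it. The chdir(pw->pw_dir) that session.c performs later is outside this hunk, so whether it covers the cwd case cannot be confirmed from here, and do_setusercontext continues past the hunk. Two smaller points: `new_root = user_dir + 1` indexes past the terminator when pw_dir is the empty string (strchr then reads beyond the copy), and the fatal() format `% s` looks like a typo for `%s` unless it is an artefact of this listing. A minimal hardening of the chroot path, declaring `struct stat st;` beside user_dir and rejecting unsafe directories before chroot(), is sketched below (checking every component as upstream later did would be stronger still).
```c
 	struct stat st;
	/* … unchanged: locate the "/./" token and split user_dir / new_root … */
	if (stat(user_dir, &st) == -1)
		fatal("Couldn't stat chroot directory %s: %s",
		    user_dir, strerror(errno));
	if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
		fatal("Bad ownership or modes for chroot directory %s",
		    user_dir);
	if (chroot(user_dir) != 0)
		fatal("Couldn't chroot to user directory %s", user_dir);
	if (chdir("/") != 0)
		fatal("Couldn't chdir to / after chroot()");
	pw->pw_dir = new_root;
```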
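Review bot: The `-I/usr/include/heimdal -I/usr/include/gssapi` appended to CPPFLAGS sit on the shared path before the Heimdal probe, so they stay in effect for the whole build even when the probe answers "no" and the MIT `K5LIBS` are selected; on a host with both implementations installed, which is exactly the multi-library case this patch targets, any `#include <gssapi.h>` or `<krb5.h>` not satisfied by `${KRB5ROOT}/include` can then resolve to Heimdal headers while the link uses MIT libraries, which is hard to diagnose. A safer shape is to add those directories only inside the `AC_MSG_RESULT(yes)`/`AC_DEFINE(HEIMDAL)` branch, e.g. `CPPFLAGS="$CPPFLAGS -I/usr/include/heimdal -I/usr/include/gssapi"` next to the new Heimdal `K5LIBS`, or to take them from krb5-config where available. Dropping `-ldes` and adding `-lresolv` looks intentional for current Heimdal, but a one-line comment in the patch naming the Heimdal version that needs it would help the next bump.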
+++ b/net-misc/openssh/files/openssh-3.8_p1-skey.patch
@@ -0,0 +1,11 @@
+--- configure.ac 2004-02-24 21:07:25.510177659 +0000
++++ configure.ac 2004-02-24 21:03:30.717786642 +0000
+@@ -721,7 +721,7 @@
+ [
+ #include
+ #include
+-int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
++int main() { char *ff = "true"; ff=""; exit(0); }
+ ],
+ [AC_MSG_RESULT(yes)],
+ [
diff --git a/net-misc/openssh/openssh-3.8_p1.ebuild b/net-misc/openssh/openssh-3.8_p1.ebuild
new file mode 100644
index 000000000000..a09b598e40a0
--- /dev/null
+++ b/net-misc/openssh/openssh-3.8_p1.ebuild
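Review bot: Replacing `skey_keyinfo("")` with a string literal turns the s/key probe into a test that only needs the header to parse; libskey is no longer referenced, so an incomplete or unlinkable libskey now passes configure and the failure moves to the final sshd link. The sandbox violation comes from executing the call, which reads the key database, not from referencing the symbol, so taking the function's address keeps the link check without running it: `int main() { void *ff = (void *)skey_keyinfo; ff = 0; exit(0); }`. The macro wrapping this program (AC_TRY_RUN or AC_TRY_LINK) is outside the hunk; the suggestion assumes it links the test program.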
@@ -0,0 +1,157 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.8_p1.ebuild,v 1.1 2004/02/24 21:58:52 aliz Exp $
+
+inherit eutils flag-o-matic ccc gnuconfig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH="${PARCH}+x509g2.diff.gz"
+SELINUX_PATCH="openssh-3.7.1_p1-selinux.diff"
+
+S=${WORKDIR}/${PARCH}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openssh/${PARCH}.tar.gz"
+# X509? ( http://roumenpetrov.info/openssh/x509g2/${X509_PATCH} )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~amd64 ~ia64 ~ppc64"
+IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509"
+
+# openssh recognizes when openssl has been slightly upgraded and refuses to run.
+# This new rev will use the new openssl.
+RDEPEND="virtual/glibc
+ pam? ( >=sys-libs/pam-0.73
+ >=sys-apps/shadow-4.0.2-r2 )
+ !mips? ( kerberos? ( virtual/krb5 ) )
+ selinux? ( sys-libs/libselinux )
+ !ppc64? ( skey? ( >=app-admin/skey-1.1.5-r1 ) )
+ >=dev-libs/openssl-0.9.6d
+ >=sys-libs/zlib-1.1.4
+ !ppc64? ( tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) )"
+DEPEND="${RDEPEND}
+ dev-lang/perl
+ sys-apps/groff
+ >=sys-apps/sed-4
+ sys-devel/autoconf"
+PROVIDE="virtual/ssh"
+
+src_unpack() {
+ unpack ${PARCH}.tar.gz ; cd ${S}
+
+ epatch ${FILESDIR}/${P}-kerberos.patch
+ epatch ${FILESDIR}/${P}-resolv_functions.patch
+
+ use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}
+ use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch
+# use X509 && epatch ${DISTDIR}/${X509_PATCH}
+
+ use skey && {
+ # prevent the conftest from violating the sandbox
+ epatch ${FILESDIR}/${P}-skey.patch
+
+ # updates to skey implementation.
+ epatch ${FILESDIR}/${PN}-skeychallenge-args.diff
+ }
+
+ # feature request bug #26615
+ use chroot && epatch ${FILESDIR}/${P}-chroot.patch
+}
+
+src_compile() {
+ use ldap && filter-flags -funroll-loops
+
+ autoconf
+
+ local myconf
+
+ # Allow OpenSSH to detect mips systems
+ use mips && gnuconfig_update
+
+ myconf="\
+ $( use_with tcpd tcp-wrappers ) \
+ $( use_with kerberos kerberos5 ) \
+ $( use_with pam ) \
+ $( use_with skey )"
+
+ use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+ # make sure .sbss is large enough
+ use skey && use alpha && append-ldflags -mlarge-data
+
+ use selinux && append-flags "-DWITH_SELINUX"
+
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --mandir=/usr/share/man \
+ --libexecdir=/usr/lib/misc \
+ --datadir=/usr/share/openssh \
+ --disable-suid-ssh \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --host=${CHOST} \
+ ${myconf} \
+ || die "bad configure"
+
+ use static && {
+ # statically link to libcrypto -- good for the boot cd
+ sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" Makefile
+ }
+
+ emake || die "compile problem"
+}
+
+src_install() {
+ make install-files DESTDIR=${D} || die
+ chmod 600 ${D}/etc/ssh/sshd_config
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+ insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd
+ exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd
+ keepdir /var/empty
+ dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
+ use pam && dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config
+}
+
+pkg_postinst() {
+ # empty dir for the new priv separation auth chroot..
+ #install -d -m0755 -o root -g root ${ROOT}/var/empty
+ # install doesn't seem to be doing its job, on amd64 at least
+ # Brad House 01/10/2004
+ if [ ! -d "${ROOT}/var/empty" ]
+ then
+ mkdir -p "${ROOT}/var/empty"
+ chmod 0755 "${ROOT}/var/empty"
+ chown root:root "${ROOT}/var/empty"
+ fi
+
+ enewgroup sshd 22
+ enewuser sshd 22 /bin/false /var/empty sshd
+
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "restart sshd: '/etc/init.d/sshd restart'."
+ ewarn
+ einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+ einfo "functionality, but please ensure that you do not explicitly disable"
+ einfo "this in your configuration as disabling it opens security holes"
+ einfo
+ einfo "This revision has removed your sshd user id and replaced it with a"
+ einfo "new one with UID 22. If you have any scripts or programs that"
+ einfo "that referenced the old UID directly, you will need to update them."
+ einfo
+ use pam >/dev/null 2>&1 && {
+ einfo "Please be aware users need a valid shell in /etc/passwd"
+ einfo "in order to be allowed to login."
+ einfo
+ }
+
+ use X509 >/dev/null 2>&1 && {
+ ewarn "X509 support has been removed until upstream author"
+ ewarn "releases a patch aginst this version."
+ }
+}
-- 
cgit v1.2.3-65-gdbad
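Review bot: pkg_postinst gives no guidance for USE=chroot, although with that flag the sshd built here (via the chroot patch applied in src_unpack) jails every account whose home directory contains `/./`, and the safety of that jail rests entirely on the path before the token being root-owned and not writable by the user; suggest adding `use chroot && ewarn "USE=chroot: accounts whose home contains '/./' are chrooted to the path before the token; that path must be owned by root and not be writable by the user."` beside the other post-install messages. Two of the existing messages are also misleading: the sshd_config keyword is `UsePrivilegeSeparation`, not `UsePrivelegeSeparation`, and the "This revision has removed your sshd user id" text does not describe this function, which only calls enewgroup/enewuser and removes nothing. Separately, `use ldap` in src_compile tests a flag that IUSE does not declare, so that filter-flags line is either dead or an undeclared dependency on the global USE setting; add ldap to IUSE or drop the line.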