author | Ned Ludd <solar@gentoo.org> | 2004-01-08 10:07:50 +0000 |
---|---|---|
committer | Ned Ludd <solar@gentoo.org> | 2004-01-08 10:07:50 +0000 |
commit | c4114846cd6445e59ef7a0b0bdc361aa5c45c7a0 (patch) | |
tree | 304cbaf019dfc5b5e796d147867d9dc35674fa77 /net-misc/openssh | |
parent | slight tweaks to ebuild for reusability (diff) | |
added feature request for chrooting via sshd bug #26615
Diffstat (limited to 'net-misc/openssh')
-rw-r--r-- | net-misc/openssh/ChangeLog | 15 | ||||
-rw-r--r-- | net-misc/openssh/Manifest | 15 | ||||
-rw-r--r-- | net-misc/openssh/files/digest-openssh-3.5_p1-r1 | 1 | ||||
-rw-r--r-- | net-misc/openssh/files/digest-openssh-3.6.1_p2 | 1 | ||||
-rw-r--r-- | net-misc/openssh/files/digest-openssh-3.7.1_p2-r2 | 2 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-3.7.1_p2-chroot.patch | 74 | ||||
-rw-r--r-- | net-misc/openssh/openssh-3.5_p1-r1.ebuild | 123 | ||||
-rw-r--r-- | net-misc/openssh/openssh-3.6.1_p2.ebuild | 123 | ||||
-rw-r--r-- | net-misc/openssh/openssh-3.7.1_p2-r1.ebuild | 8 | ||||
-rw-r--r-- | net-misc/openssh/openssh-3.7.1_p2-r2.ebuild | 139 |
10 files changed, 239 insertions, 262 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index 642acb1a51e9..eed90b2e7f13 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,17 @@
 # ChangeLog for net-misc/openssh
-# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.59 2004/01/04 12:02:17 aliz Exp $
+# Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.60 2004/01/08 10:07:50 solar Exp $
+
+ 08 Jan 2004; <solar@gentoo.org> openssh-3.5_p1-r1.ebuild,
+ openssh-3.6.1_p2.ebuild, openssh-3.7.1_p2-r1.ebuild,
+ openssh-3.7.1_p2-r2.ebuild:
+ ppc64/mips nightmare.. had to remove tcpd and skey support for various arches
+ due to other things not being marked stable on those arches
+
+*openssh-3.7.1_p2-r2 (08 Jan 2004)
+
+ 08 Jan 2004; <solar@gentoo.org> openssh-3.7.1_p2-r2.ebuild:
+ added feature request for chrooting via sshd bug #26615
 
 04 Jan 2004; Daniel Ahlberg <aliz@gentoo.org> openssh-3.7.1_p2-r1.ebuild:
 Changeing sshd user shell. Closing #35063.
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index d6d08434a001..dc7dfe37b77d 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,13 +1,12 @@
-MD5 0bdab2263983cea3dfaa7872d917be1f openssh-3.5_p1-r1.ebuild 3562
-MD5 76d150d377a2b8aaf6a3a9e6b02a0080 openssh-3.7.1_p2-r1.ebuild 4004
-MD5 092b770f6fb3c69d8acf92b42ca717df openssh-3.6.1_p2.ebuild 3586
-MD5 320135796bde07c625d009bf82458083 ChangeLog 9519
+MD5 79436cfabe3756a5ec3c8323c9153a3b openssh-3.7.1_p2-r1.ebuild 4040
+MD5 fb15d39c8cc99c5482c19b433b834edb openssh-3.7.1_p2-r2.ebuild 4147
+MD5 1e9c564103466f2e9ad96f4452987c9f ChangeLog 9965
 MD5 0feff9b09e482567359625301bddce1c metadata.xml 1329
 MD5 2cb187d8f60994c5e1b5fef2bcb6e85d files/openssh-3.5_p1-gentoo-sshd-gcc3.patch 315
-MD5 49cc9062ff27ad7d4e8f94b136ed76a2 files/openssh-3.7.1_p1-selinux.diff 3394
-MD5 31789e51878741d2af4b1312db79fa2f files/digest-openssh-3.6.1_p2 67
-MD5 b31110303673214476c57e1bed28e1ce files/openssh-skeychallenge-args.diff 925
 MD5 b86ae0c43a704c4ee2abd2ce5c955f8f files/sshd.pam 294
 MD5 17b2fa077852f2c2990ec97c51bf198b files/sshd.rc6 1233
-MD5 8f421fd8d19a104dc78150e4b1904a46 files/digest-openssh-3.5_p1-r1 65
+MD5 49cc9062ff27ad7d4e8f94b136ed76a2 files/openssh-3.7.1_p1-selinux.diff 3394
 MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r1 142
+MD5 b31110303673214476c57e1bed28e1ce files/openssh-skeychallenge-args.diff 925
+MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.7.1_p2-chroot.patch 2884
+MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r2 142
diff --git a/net-misc/openssh/files/digest-openssh-3.5_p1-r1 b/net-misc/openssh/files/digest-openssh-3.5_p1-r1
deleted file mode 100644
index e24f781804e4..000000000000
--- a/net-misc/openssh/files/digest-openssh-3.5_p1-r1
+++ /dev/null
@@ -1 +0,0 @@
-MD5 42bd78508d208b55843c84dd54dea848 openssh-3.5p1.tar.gz 851486
diff --git a/net-misc/openssh/files/digest-openssh-3.6.1_p2 b/net-misc/openssh/files/digest-openssh-3.6.1_p2
deleted file mode 100644
index 70f355454a00..000000000000
--- a/net-misc/openssh/files/digest-openssh-3.6.1_p2
+++ /dev/null
@@ -1 +0,0 @@
-MD5 f3879270bffe479e1bd057aa36258696 openssh-3.6.1p2.tar.gz 879629
diff --git a/net-misc/openssh/files/digest-openssh-3.7.1_p2-r2 b/net-misc/openssh/files/digest-openssh-3.7.1_p2-r2
new file mode 100644
index 000000000000..920c333856ca
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-3.7.1_p2-r2
@@ -0,0 +1,2 @@
+MD5 61cf5b059938718308836d00f6764a94 openssh-3.7.1p2.tar.gz 792280
+MD5 83e000a867eba10ef7f18c169d979360 openssh-3.7.1p2+x509g2.diff.gz 125455
diff --git a/net-misc/openssh/files/openssh-3.7.1_p2-chroot.patch b/net-misc/openssh/files/openssh-3.7.1_p2-chroot.patch
new file mode 100644
index 000000000000..13625995a88e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p2-chroot.patch
@@ -0,0 +1,74 @@
+################################################################################
+################################################################################
+# #
+# Original patch by Ricardo Cerqueira <rmcc@clix.pt> #
+# #
+# Updated by James Dennis <james@firstaidmusic.com> for openssh-3.7.1p2 #
+# #
+# A patch to cause sshd to chroot when it encounters the magic token #
+# '/./' in a users home directory. The directory portion before the #
+# token is the directory to chroot() to, the portion after the #
+# token is the user's home directory relative to the new root. #
+# #
+# Patch source using: patch -p0 < /path/to/patch #
+# #
+# Systems with a bad diff (doesn't understand -u or -N) should use gnu diff. #
+# Solaris may store this as gdiff under /opt/sfw/bin. I can't say much about #
+# other systems (unless you email me your experiences!). #
+# #
+################################################################################
+################################################################################
+
+diff -uNr openssh-3.7.1p2/session.c openssh-3.7.1p2-chroot/session.c
+--- openssh-3.7.1p2/session.c Tue Sep 23 04:59:08 2003
++++ openssh-3.7.1p2-chroot/session.c Fri Sep 26 13:42:52 2003
+@@ -58,6 +58,8 @@
+ #include "session.h"
+ #include "monitor_wrap.h"
+
++#define CHROOT
++
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+@@ -1231,6 +1233,12 @@
+ void
+ do_setusercontext(struct passwd *pw)
+ {
++
++#ifdef CHROOT
++ char *user_dir;
++ char *new_root;
++#endif /* CHROOT */
++
+ #ifndef HAVE_CYGWIN
+ if (getuid() == 0 || geteuid() == 0)
+ #endif /* HAVE_CYGWIN */
+@@ -1268,6 +1276,27 @@
+ exit(1);
+ }
+ endgrent();
++
++#ifdef CHROOT
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
++
++ while((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
++
++ if(chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory % s", user_dir);
++ pw->pw_dir = new_root;
++ break;
++ }
++ new_root += 2;
++ }
++#endif /* CHROOT */
++
++
+ # ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of supplementary groups.
diff --git a/net-misc/openssh/openssh-3.5_p1-r1.ebuild b/net-misc/openssh/openssh-3.5_p1-r1.ebuild
deleted file mode 100644
index 47705a5f3f4a..000000000000
--- a/net-misc/openssh/openssh-3.5_p1-r1.ebuild
+++ /dev/null
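Review bot: The chroot() in the third session.c hunk is not paired with a chdir(), so the process keeps its pre-chroot working directory; nothing in this hunk moves it inside the jail, and if whatever later chdir()s to pw->pw_dir fails, the session runs with a cwd outside the new root, which is the textbook chroot escape. Make the two calls one guarded step, `if (chroot(user_dir) != 0 || chdir("/") != 0)` / `fatal("Couldn't chroot to user directory %s", user_dir);`, which also fixes the `% s` in the format string (a space flag is undefined for `%s`) unless that is only a rendering artifact of this page. Two further gaps deserve at least a comment on the `#ifdef CHROOT` block: the chroot target taken from pw_dir is entered with no check that it is root-owned and not user-writable, and the chroot happens before the `USE_PAM` session setup shown in the context lines, so PAM session modules will presumably run inside the jail and need their files there. Note that `#define CHROOT` is unconditional, so every account whose home contains `/./` is affected once the patch is built in; do_setusercontext's body continues outside the hunk.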
@@ -1,123 +0,0 @@ -# Copyright 1999-2003 Gentoo Technologies, Inc. -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.5_p1-r1.ebuild,v 1.20 2003/12/08 07:38:37 vapier Exp $ - -inherit eutils - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_/} -S=${WORKDIR}/${PARCH} -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="http://www.openssh.com/" -SRC_URI="ftp://ftp.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/${PARCH}.tar.gz" - -LICENSE="as-is" -SLOT="0" -KEYWORDS="x86 ppc sparc alpha mips hppa arm" -IUSE="ipv6 static pam tcpd kerberos" - -# openssh recognizes when openssl has been slightly upgraded and refuses to run. -# This new rev will use the new openssl. -RDEPEND="virtual/glibc - pam? ( >=sys-libs/pam-0.73 >=sys-apps/shadow-4.0.2-r2 ) - kerberos? ( app-crypt/mit-krb5 ) - >=dev-libs/openssl-0.9.6d - sys-libs/zlib" - -DEPEND="${RDEPEND} - dev-lang/perl - sys-apps/groff - tcpd? ( >=sys-apps/tcp-wrappers-7.6 )" -PROVIDE="virtual/ssh" - -src_unpack() { - unpack ${A} - cd ${S} - - if [ `use alpha` ]; then - epatch ${FILESDIR}/${P}-gentoo-sshd-gcc3.patch || die - fi -} - -src_compile() { - local myconf - use tcpd || myconf="${myconf} --without-tcp-wrappers" - use tcpd && myconf="${myconf} --with-tcp-wrappers" - use pam || myconf="${myconf} --without-pam" - use pam && myconf="${myconf} --with-pam" - use ipv6 || myconf="${myconf} --with-ipv4-default" - - # app-crypt/mit-krb5 - use kerberos && myconf="${myconf} --with-kerberos5" - - # app-crypt/kth-krb - # KTH's implementation of kerberos IV - # KTH_KRB="yes" emerge openssh-3.5_p1-r1.ebuild - if [ ! 
-z $KTH_KRB ]; then - myconf="${myconf} --with-kerberos4=/usr/athena" - fi - - ./configure \ - --prefix=/usr \ - --sysconfdir=/etc/ssh \ - --mandir=/usr/share/man \ - --libexecdir=/usr/lib/misc \ - --datadir=/usr/share/openssh \ - --disable-suid-ssh \ - --with-privsep-path=/var/empty \ - --with-privsep-user=sshd \ - --with-md5-passwords \ - --host=${CHOST} ${myconf} || die "bad configure" - - if [ "`use static`" ] - then - # statically link to libcrypto -- good for the boot cd - perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile - fi - - emake || die "compile problem" -} - -src_install() { - make install-files DESTDIR=${D} || die - chmod 600 ${D}/etc/ssh/sshd_config - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config - insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd - exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd - keepdir /var/empty -} - -pkg_preinst() { - - userdel sshd 2> /dev/null - if ! groupmod sshd; then - groupadd -g 90 sshd 2> /dev/null || \ - die "Failed to create sshd group" - fi - useradd -u 22 -g sshd -s /dev/null -d /var/empty -c "sshd" sshd || \ - die "Failed to create sshd user" - -} - -pkg_postinst() { - - # empty dir for the new priv separation auth chroot.. - install -d -m0755 -o root -g root ${ROOT}/var/empty - - einfo - einfo "Remember to merge your config files in /etc/ssh!" - einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation" - einfo "functionality, but please ensure that you do not explicitly disable" - einfo "this in your configuration as disabling it opens security holes" - einfo - einfo "This revision has removed your sshd user id and replaced it with a" - einfo "new one with UID 22. If you have any scripts or programs that" - einfo "that referenced the old UID directly, you will need to update them." - einfo - if use pam >/dev/null 2>&1; then - einfo "Please be aware users need a valid shell in /etc/passwd" - einfo "in order to be allowed to login." - einfo - fi -} 
diff --git a/net-misc/openssh/openssh-3.6.1_p2.ebuild b/net-misc/openssh/openssh-3.6.1_p2.ebuild deleted file mode 100644 index 69deab43cccb..000000000000 --- a/net-misc/openssh/openssh-3.6.1_p2.ebuild +++ /dev/null 
@@ -1,123 +0,0 @@ -# Copyright 1999-2003 Gentoo Technologies, Inc. -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.6.1_p2.ebuild,v 1.10 2003/12/08 07:38:37 vapier Exp $ - -inherit eutils - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_/} -S=${WORKDIR}/${PARCH} -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="http://www.openssh.com/" -SRC_URI="ftp://ftp.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/${PARCH}.tar.gz" - -LICENSE="as-is" -SLOT="0" -KEYWORDS="x86 ppc sparc alpha mips hppa arm amd64" -IUSE="ipv6 static pam tcpd kerberos" - -# openssh recognizes when openssl has been slightly upgraded and refuses to run. -# This new rev will use the new openssl. -RDEPEND="virtual/glibc - pam? ( >=sys-libs/pam-0.73 >=sys-apps/shadow-4.0.2-r2 ) - kerberos? ( app-crypt/mit-krb5 ) - >=dev-libs/openssl-0.9.6d - sys-libs/zlib" - -DEPEND="${RDEPEND} - dev-lang/perl - sys-apps/groff - tcpd? ( >=sys-apps/tcp-wrappers-7.6 )" -PROVIDE="virtual/ssh" - -src_unpack() { - unpack ${PARCH}.tar.gz - cd ${S} - - if [ `use alpha` ]; then - epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch || die - fi -} - -src_compile() { - local myconf - use tcpd || myconf="${myconf} --without-tcp-wrappers" - use tcpd && myconf="${myconf} --with-tcp-wrappers" - use pam || myconf="${myconf} --without-pam" - use pam && myconf="${myconf} --with-pam" - use ipv6 || myconf="${myconf} --with-ipv4-default" - - # app-crypt/mit-krb5 - use kerberos && myconf="${myconf} --with-kerberos5" - - # app-crypt/kth-krb - # KTH's implementation of kerberos IV - # KTH_KRB="yes" emerge openssh-3.5_p1-r1.ebuild - if [ ! 
-z $KTH_KRB ]; then - myconf="${myconf} --with-kerberos4=/usr/athena" - fi - - ./configure \ - --prefix=/usr \ - --sysconfdir=/etc/ssh \ - --mandir=/usr/share/man \ - --libexecdir=/usr/lib/misc \ - --datadir=/usr/share/openssh \ - --disable-suid-ssh \ - --with-privsep-path=/var/empty \ - --with-privsep-user=sshd \ - --with-md5-passwords \ - --host=${CHOST} ${myconf} || die "bad configure" - - if [ "`use static`" ] - then - # statically link to libcrypto -- good for the boot cd - perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile - fi - - emake || die "compile problem" -} - -src_install() { - make install-files DESTDIR=${D} || die - chmod 600 ${D}/etc/ssh/sshd_config - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config - insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd - exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd - keepdir /var/empty -} - -pkg_preinst() { - - userdel sshd 2> /dev/null - if ! groupmod sshd; then - groupadd -g 90 sshd 2> /dev/null || \ - die "Failed to create sshd group" - fi - useradd -u 22 -g sshd -s /dev/null -d /var/empty -c "sshd" sshd || \ - die "Failed to create sshd user" - -} - -pkg_postinst() { - - # empty dir for the new priv separation auth chroot.. - install -d -m0755 -o root -g root ${ROOT}/var/empty - - einfo - einfo "Remember to merge your config files in /etc/ssh!" - einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation" - einfo "functionality, but please ensure that you do not explicitly disable" - einfo "this in your configuration as disabling it opens security holes" - einfo - einfo "This revision has removed your sshd user id and replaced it with a" - einfo "new one with UID 22. If you have any scripts or programs that" - einfo "that referenced the old UID directly, you will need to update them." - einfo - if use pam >/dev/null 2>&1; then - einfo "Please be aware users need a valid shell in /etc/passwd" - einfo "in order to be allowed to login." - einfo - fi -} 
diff --git a/net-misc/openssh/openssh-3.7.1_p2-r1.ebuild b/net-misc/openssh/openssh-3.7.1_p2-r1.ebuild index b5ba915ba780..1f8b62c529b7 100644 --- a/net-misc/openssh/openssh-3.7.1_p2-r1.ebuild +++ b/net-misc/openssh/openssh-3.7.1_p2-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2004 Gentoo Technologies, Inc. # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.7.1_p2-r1.ebuild,v 1.7 2004/01/04 12:02:17 aliz Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.7.1_p2-r1.ebuild,v 1.8 2004/01/08 10:07:50 solar Exp $ inherit eutils flag-o-matic ccc gnuconfig [ `use kerberos` ] && append-flags -I/usr/include/gssapi @@ -28,9 +28,9 @@ IUSE="ipv6 static pam tcpd kerberos skey selinux X509" RDEPEND="virtual/glibc pam? ( >=sys-libs/pam-0.73 >=sys-apps/shadow-4.0.2-r2 ) - kerberos? ( app-crypt/mit-krb5 ) + !mips? ( kerberos? ( app-crypt/mit-krb5 ) ) selinux? ( sys-libs/libselinux ) - skey? ( >=app-admin/skey-1.1.5-r1 ) + !ppc64? ( skey? ( >=app-admin/skey-1.1.5-r1 ) ) >=dev-libs/openssl-0.9.6d >=sys-libs/zlib-1.1.4 >=sys-apps/sed-4" @@ -38,7 +38,7 @@ RDEPEND="virtual/glibc DEPEND="${RDEPEND} dev-lang/perl sys-apps/groff - tcpd? ( >=sys-apps/tcp-wrappers-7.6 )" + !ppc64? ( tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) )" PROVIDE="virtual/ssh" src_unpack() { diff --git a/net-misc/openssh/openssh-3.7.1_p2-r2.ebuild b/net-misc/openssh/openssh-3.7.1_p2-r2.ebuild new file mode 100644 index 000000000000..f19fb23db2bd --- /dev/null +++ b/net-misc/openssh/openssh-3.7.1_p2-r2.ebuild 
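Review bot: The new `!mips?` / `!ppc64?` wrappers in the RDEPEND and DEPEND hunks drop the kerberos, skey and tcp-wrappers dependencies on those arches, but nothing masks the USE flags themselves, so a ppc64 user with USE=tcpd still has the flag set when configure runs and the build either fails or links against an untracked libwrap; src_compile is outside these hunks, but the sibling r2 ebuild in this commit passes `$( use_with tcpd tcp-wrappers )` unconditionally, so this ebuild presumably does the same. Either guard the configure options the same way, e.g. `use ppc64 || myconf="${myconf} $( use_with tcpd tcp-wrappers )"`, or mask the flags in the arch profiles, and put a one-line comment above the `!ppc64?` entries saying why the dependency is arch-conditional. The `src_unpack() {` context line at the end of the last hunk continues outside it.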
@@ -0,0 +1,139 @@
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.7.1_p2-r2.ebuild,v 1.1 2004/01/08 10:07:50 solar Exp $
+
+inherit eutils flag-o-matic ccc gnuconfig
+[ `use kerberos` ] && append-flags -I/usr/include/gssapi
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH="${PARCH}+x509g2.diff.gz"
+SELINUX_PATCH="openssh-3.7.1_p1-selinux.diff"
+
+S=${WORKDIR}/${PARCH}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openssh/${PARCH}.tar.gz
+ X509? ( http://roumenpetrov.info/openssh/x509g2/${X509_PATCH} )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~arm ~amd64 ~ia64 ~ppc64"
+IUSE="ipv6 static pam tcpd kerberos skey selinux X509 chroot"
+
+# openssh recognizes when openssl has been slightly upgraded and refuses to run.
+# This new rev will use the new openssl.
+RDEPEND="virtual/glibc
+ pam? ( >=sys-libs/pam-0.73
+ >=sys-apps/shadow-4.0.2-r2 )
+ !mips? ( kerberos? ( app-crypt/mit-krb5 ) )
+ selinux? ( sys-libs/libselinux )
+ !ppc64? ( skey? ( >=app-admin/skey-1.1.5-r1 ) )
+ >=dev-libs/openssl-0.9.6d
+ >=sys-libs/zlib-1.1.4
+ >=sys-apps/sed-4"
+
+DEPEND="${RDEPEND}
+ dev-lang/perl
+ sys-apps/groff
+ !ppc64? ( tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) )"
+PROVIDE="virtual/ssh"
+
+src_unpack() {
+ unpack ${PARCH}.tar.gz ; cd ${S}
+
+ use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}
+ use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch
+ use X509 && epatch ${DISTDIR}/${X509_PATCH}
+
+ # looks like this one was rewriten somewhat.
+ # epatch ${FILESDIR}/${P}-memory-bugs.patch
+
+ use skey && {
+ # prevent the conftest from violating the sandbox
+ sed -i 's#skey_keyinfo("")#"true"#g' configure
+
+ # updates to skey implementation.
+ epatch ${FILESDIR}/${PN}-skeychallenge-args.diff
+ }
+
+ # feature request bug #26615
+ use chroot && epatch ${FILESDIR}/${PN}-${PV}-chroot.patch
+}
+
+src_compile() {
+ local myconf
+
+ # Allow OpenSSH to detect mips systems
+ use mips && gnuconfig_update
+
+ myconf="\
+ $( use_with tcpd tcp-wrappers ) \
+ $( use_with kerberos kerberos5 ) \
+ $( use_with pam ) \
+ $( use_with skey )"
+
+ use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+ use skey && {
+ # make sure .sbss is large enough
+ use alpha && append-ldflags -mlarge-data
+ }
+
+ use selinux && append-flags "-DWITH_SELINUX"
+
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --mandir=/usr/share/man \
+ --libexecdir=/usr/lib/misc \
+ --datadir=/usr/share/openssh \
+ --disable-suid-ssh \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --host=${CHOST} ${myconf} || die "bad configure"
+
+ use static && {
+ # statically link to libcrypto -- good for the boot cd
+ sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" Makefile
+ }
+
+ emake || die "compile problem"
+}
+
+src_install() {
+ make install-files DESTDIR=${D} || die
+ chmod 600 ${D}/etc/ssh/sshd_config
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+ insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd
+ exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd
+ keepdir /var/empty
+}
+
+pkg_postinst() {
+ # empty dir for the new priv separation auth chroot..
+ install -d -m0755 -o root -g root ${ROOT}/var/empty
+
+ enewgroup sshd 22
+ enewuser sshd 22 /bin/false /var/empty sshd
+
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "restart sshd: '/etc/init.d/sshd restart'."
+ ewarn
+ einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+ einfo "functionality, but please ensure that you do not explicitly disable"
+ einfo "this in your configuration as disabling it opens security holes"
+ einfo
+ einfo "This revision has removed your sshd user id and replaced it with a"
+ einfo "new one with UID 22. If you have any scripts or programs that"
+ einfo "that referenced the old UID directly, you will need to update them."
+ einfo
+ use pam >/dev/null 2>&1 && {
+ einfo "Please be aware users need a valid shell in /etc/passwd"
+ einfo "in order to be allowed to login."
+ einfo
+ }
+} |
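Review bot: With USE=chroot, src_unpack applies a patch that builds an unconditional `#define CHROOT` into sshd, so every account whose /etc/passwd home directory contains the `/./` token is silently chrooted, with no sshd_config switch and no ownership check on the jail, yet pkg_postinst says nothing about it. Add next to the existing ewarn block: `use chroot && ewarn "USE=chroot: sshd chroots any user whose home dir contains '/./' (path before the token is the jail, path after is the home inside it); keep the jail root-owned and not user-writable."`. The three `einfo` lines saying "This revision has removed your sshd user id and replaced it with a new one with UID 22" were carried over from the deleted ebuilds, but this one only calls `enewgroup`/`enewuser` and never runs `userdel`, so the message is stale and should go; while there, `UsePrivelegeSeparation` should read `UsePrivilegeSeparation` so admins can grep for the real option name.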