19 files changed, 0 insertions, 1838 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
deleted file mode 100644
index 3d8dbb29..00000000
--- a/net-misc/openssh/Manifest
+++ /dev/null
@@ -1,23 +0,0 @@
-AUX openssh-4.4_p1-ldap-hpn-glue.patch 1538 RMD160 eba0400a328f23b9329429d2da65b80ead546d4d SHA1 7190e861e8be4f03ae42ad43ba1770fdca95d46a SHA256 63e9f729fbb40babdf5cd2b4d87f4d1cb5a9aaed60bf7a8c072c22f9a6fb36ab
-AUX openssh-4.5_p1-padlock.diff 1671 RMD160 39ba64e4395e26f6fa9a32ebd89e7524f3bda2a1 SHA1 ee46ce71be4a0a925a6c01889988bc6b014fc46f SHA256 ce6c2150522de13ba9f044810d80b4076eecced629182b893798d66a7dc68dc5
-AUX openssh-4.7_p1-CVE-2008-1483.patch 338 RMD160 b47fd4d07ae38c42a62c1abc740ff5477ef8fa53 SHA1 a77143c5203ce042d586bf4ecbcb1478016b03a5 SHA256 a9aa1c2ae2eae1b3cc54237aabdb5f2e9e74313d4c0b7151889002fd7950a9dc
-AUX openssh-4.7_p1-ForceCommand.patch 939 RMD160 c1f8481d4f5afdf75f17472f7960e7043df336b7 SHA1 35398fa295ae4075d88ae830d09fbdc380802e26 SHA256 ac90408bf2d5fc9c008f13de560ab0e72428593b198df3bd30f257ee221d0e6a
-AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 RMD160 4e02e0a85c0e33c917ec8c22b4e1c173a9d7d79e SHA1 d8a81eb92a49763106cfa5b319c22c6f188508ef SHA256 88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7
-AUX openssh-4.7_p1-engines.patch 4202 RMD160 33648508fc66d422eaea17ff5ed756ceb641083e SHA1 9b63b26544c13655ee60148f90e86b26085d61fd SHA256 0258978c9093a266d7db96c3203b7ed8b68437d0a5ce3378d6a1144f8a1e36d9
-AUX openssh-4.7_p1-lpk-64bit.patch 1096 RMD160 566e48f34b44add23e3d46456e54d6d3a453cac1 SHA1 83704313a423be33f9ac62499908b5da95c0d8f4 SHA256 442bb358ebeceaead8fd8a84c7c041f2bf7fb11ab623d74a902febeeb582903d
-AUX openssh-4.7_p1-packet-size.patch 1130 RMD160 b604b500747f5b53c9ddc3950adfaca9af54cfff SHA1 ba13a01dceb5aadfa646c23b675b74b14123c68f SHA256 8d0c89ae533366d3f7808274eb4a46c969a51011d7c25e167e22a476d6b2f168
-AUX openssh-4.7p1-selinux.diff 541 RMD160 bcb8f1fef2ae8378e7000732223c6116e06e0d6f SHA1 395b4dcff3eb7b92582a4364e612fff87278e7bc SHA256 ef8d71c46059bdcc8487cad06914639a8237197561cc030d8eed3baf418cc810
-AUX openssh-5.2_p1-BJA-ldap-stdargs.diff 251 RMD160 b4b7fef4db654feb27d3752b3ba229097e663300 SHA1 a60afd12e1832e38d3ea37ee60779bda6dec5da8 SHA256 321a458d02e87d0928d254409c9452295f853f199f2a238a3e1fe0853199f243
-AUX openssh_4.7p1-blacklist.patch 29059 RMD160 0bd01594f8174ebd8e55ffc56cfe9de09137509b SHA1 6057cfa1e4357f7b116149a793824902fa37efa6 SHA256 37d05f2f5957d121d00219f2fb79089d1e4488232e16e0fded9f4403d9b05c2c
-AUX sshd.confd 396 RMD160 029680b2281961130a815ef599750c4fc4e84987 SHA1 23c283d0967944b6125be26ed4628f49abf586b2 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41
-AUX sshd.pam 294 RMD160 1d4499a7de54188e51e87a240ec7a1b3b1af583d SHA1 4cd17fb40793fa9ca77ac93698129f2c8cafd7b8 SHA256 f01cc51c624b21a815fb6c0be35edc590e2e6f8a5ffbdcabc220a9630517972f
-AUX sshd.pam_include 205 RMD160 6b20ea83c69ef613d75daf43515aaec88d4cd815 SHA1 122472d859c24f7c776bb10fbfcb0221146ed056 SHA256 8d59135e96f4eff6b80c143b82cced7beb0bbca19ff91b479f1ba92916243d5e
-AUX sshd.pam_include.1 205 RMD160 3051b92836a496c7c431f41585de688f7c9f51a7 SHA1 b9eca146fcea016b7146f1ac11cf3d072d887b27 SHA256 3185075821bb1f76cdc584c28f690a7338f8db5489d5fce73fe4bcbbfd3dfbfa
-AUX sshd.pam_include.2 156 RMD160 c4f6ba6e3a705eef63e571189e28de71e7d61178 SHA1 1223f7a43a5e124521d48852b2d23bb8ba0a788f SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c
-AUX sshd.rc6 2123 RMD160 e1f655ae93bfed5dfe9ecc49a6adbe860e2f6364 SHA1 2c3117ff61d28d1d9f52ef0d8348c9cfc5b8d55d SHA256 b86a728768a1ce2d47cc5fef01627cb53da6ebb79d827ad4616ae6eb8c0f00f1
-DIST openssh-5.0p1-gsskex-20080404.patch 68272 RMD160 7adfadf11f0fbc8fb5f71848d6fb8c4231e4ebc4 SHA1 41dfe293b3a3c08163cd43926fefabd321f0c37f SHA256 8f8b9910af767ce8e2a5d4854e95c8eb8b089bb250b290d22add38e9ddb1791e
-DIST openssh-5.2p1+x509-6.2.diff.gz 153010 RMD160 a4d7675edc87ee34d4fbc912ca03830936abee5e SHA1 cb5508827185412295b997705711f9f7697ace4e SHA256 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
-DIST openssh-5.2p1.tar.gz 1016612 RMD160 7c53f342034b16e9faa9f5a09ef46390420722eb SHA1 8273a0237db98179fbdc412207ff8eb14ff3d6de SHA256 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae
-DIST openssh-5.2pkcs11-0.26.tar.bz2 18642 RMD160 07093fb2ad47247b2f028fae4fe1b80edf4ddaf8 SHA1 755793398e1b04ee6c15458a69ce4ad68d2abee0 SHA256 9655f118c614f76cfdd3164b5c0e3e430f20a4ce16c65df0dc1b594648cf1c07
-DIST openssh-lpk-5.2p1-0.3.11.patch.gz 18116 RMD160 2ff9bdff19e0854a96063be1e0589fa3f85da0d7 SHA1 33b36cf94f68a80fca497da110529ce69d62fbb0 SHA256 450b56a989767aa65a974213e8f7e9d0ee9d08522247db7b787730e53685bebd
-EBUILD openssh-5.2_p1-r1.ebuild 7024 RMD160 59a191d64bed42fd43af2aab54680bf87dd5db3f SHA1 e46bcd44b689971c599b7a5a8310aeb7edf53151 SHA256 ca385089dd54edcf68687efbd5ce535af6be7bb395e684be06ee55dac152d841
diff --git a/net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch b/net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch
deleted file mode 100644
index 20e796b5..00000000
--- a/net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-allow ldap and hpn patches to play nice
-
---- servconf.c
-+++ servconf.c
-@@ -116,24 +116,6 @@
- options->num_allow_groups = 0;
- options->num_deny_groups = 0;
- options->ciphers = NULL;
-- options->macs = NULL;
-- options->protocol = SSH_PROTO_UNKNOWN;
-- options->gateway_ports = -1;
-- options->num_subsystems = 0;
-- options->max_startups_begin = -1;
-- options->max_startups_rate = -1;
-- options->max_startups = -1;
-- options->max_authtries = -1;
-- options->banner = NULL;
-- options->use_dns = -1;
-- options->client_alive_interval = -1;
-- options->client_alive_count_max = -1;
-- options->authorized_keys_file = NULL;
-- options->authorized_keys_file2 = NULL;
-- options->num_accept_env = 0;
-- options->permit_tun = -1;
-- options->num_permitted_opens = -1;
-- options->adm_forced_command = NULL;
- #ifdef WITH_LDAP_PUBKEY
- /* XXX dirty */
- options->lpk.ld = NULL;
-@@ -152,6 +134,24 @@
- options->lpk.flags = FLAG_EMPTY;
- #endif
-
-+ options->macs = NULL;
-+ options->protocol = SSH_PROTO_UNKNOWN;
-+ options->gateway_ports = -1;
-+ options->num_subsystems = 0;
-+ options->max_startups_begin = -1;
-+ options->max_startups_rate = -1;
-+ options->max_startups = -1;
-+ options->max_authtries = -1;
-+ options->banner = NULL;
-+ options->use_dns = -1;
-+ options->client_alive_interval = -1;
-+ options->client_alive_count_max = -1;
-+ options->authorized_keys_file = NULL;
-+ options->authorized_keys_file2 = NULL;
-+ options->num_accept_env = 0;
-+ options->permit_tun = -1;
-+ options->num_permitted_opens = -1;
-+ options->adm_forced_command = NULL;
- }
-
- void
diff --git a/net-misc/openssh/files/openssh-4.5_p1-padlock.diff b/net-misc/openssh/files/openssh-4.5_p1-padlock.diff
deleted file mode 100644
index 6c56bd87..00000000
--- a/net-misc/openssh/files/openssh-4.5_p1-padlock.diff
+++ /dev/null
@@ -1,35 +0,0 @@
---- openssh-4.5_p1.ebuild 2007-01-08 21:06:30.000000000 +0100
-+++ openssh-4.5_p1-padlock.ebuild 2007-01-20 19:52:40.000000000 +0100
-@@ -15,6 +15,7 @@
- SECURID_PATCH="${PARCH/4.5/4.4}+SecurID_v1.3.2.patch"
- LDAP_PATCH="${PARCH/-4.5p1/-lpk-4.4p1}-0.3.7.patch"
- HPN_PATCH="${PARCH}-hpn12v14.diff.gz"
-+PADLOCK_PATCH="openssh-4.5p1-engines.diff"
-
- DESCRIPTION="Port of OpenBSD's free SSH release"
- HOMEPAGE="http://www.openssh.com/"
-@@ -22,12 +23,13 @@
- X509? ( http://roumenpetrov.info/openssh/x509-5.5.2/${X509_PATCH} )
- ldap? ( http://dev.inversepath.com/openssh-lpk/${LDAP_PATCH} )
- hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
-- smartcard? ( http://omniti.com/~jesus/projects/${SECURID_PATCH} )"
-+ smartcard? ( http://omniti.com/~jesus/projects/${SECURID_PATCH} )
-+ padlock? ( http://www.logix.cz/michal/devel/padlock/contrib/${PADLOCK_PATCH} )"
-
- LICENSE="as-is"
- SLOT="0"
- KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
--IUSE="static pam tcpd kerberos skey selinux chroot X509 ldap smartcard hpn libedit X"
-+IUSE="static pam tcpd kerberos skey selinux chroot X509 ldap smartcard hpn libedit X padlock"
-
- RDEPEND="pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
-@@ -75,6 +77,8 @@
- use X509 && epatch "${DISTDIR}"/${X509_PATCH} "${FILESDIR}"/${PN}-4.4_p1-x509-hpn-glue.patch
- use chroot && epatch "${FILESDIR}"/openssh-4.3_p1-chroot.patch
- use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
-+ use padlock && epatch "${DISTDIR}"/${PADLOCK_PATCH}
-+
- if ! use X509 ; then
- if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then
- epatch "${DISTDIR}"/${SECURID_PATCH} \
diff --git a/net-misc/openssh/files/openssh-4.7_p1-CVE-2008-1483.patch b/net-misc/openssh/files/openssh-4.7_p1-CVE-2008-1483.patch
deleted file mode 100644
index 8282bf1d..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-CVE-2008-1483.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Ripped from Fedora for CVE-2008-1483
-
-http://bugs.gentoo.org/214985
-
---- openssh-3.9p1/channels.c
-+++ openssh-3.9p1/channels.c
-@@ -2653,9 +2653,6 @@
- debug2("bind port %d: %.100s", port, strerror(errno));
- close(sock);
-
-- if (ai->ai_next)
-- continue;
--
- for (n = 0; n < num_socks; n++) {
- close(socks[n]);
- }
diff --git a/net-misc/openssh/files/openssh-4.7_p1-ForceCommand.patch b/net-misc/openssh/files/openssh-4.7_p1-ForceCommand.patch
deleted file mode 100644
index 93072236..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-ForceCommand.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-security fix
-
-http://bugs.gentoo.org/215702
-ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/001_openssh.patch
-
-Index: usr.bin/ssh/session.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/session.c,v
-retrieving revision 1.230
-diff -u -r1.230 session.c
---- usr.bin/ssh/session.c 22 Feb 2008 05:58:56 -0000 1.230
-+++ usr.bin/ssh/session.c 27 Mar 2008 10:54:55 -0000
-@@ -878,8 +878,9 @@
- do_xauth =
- s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
-
-- /* ignore _PATH_SSH_USER_RC for subsystems */
-- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
-+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
-+ if (!s->is_subsystem && options.adm_forced_command == NULL &&
-+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
- snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
- shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
- if (debug_flag)
diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index c81ae5cb..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-http://bugs.gentoo.org/165444
-https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-
-Index: readconf.c
-===================================================================
-RCS file: /cvs/openssh/readconf.c,v
-retrieving revision 1.135
-diff -u -r1.135 readconf.c
---- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
-+++ readconf.c 19 Aug 2006 11:59:52 -0000
-@@ -126,6 +126,7 @@
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -163,9 +164,11 @@
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- #else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- { "fallbacktorsh", oDeprecated },
- { "usersh", oDeprecated },
-@@ -444,6 +447,10 @@
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -1010,6 +1017,7 @@
- options->challenge_response_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -1100,6 +1108,8 @@
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-Index: readconf.h
-===================================================================
-RCS file: /cvs/openssh/readconf.h,v
-retrieving revision 1.63
-diff -u -r1.63 readconf.h
---- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
-+++ readconf.h 19 Aug 2006 11:59:52 -0000
-@@ -45,6 +45,7 @@
- /* Try S/Key or TIS, authentication. */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-Index: ssh_config.5
-===================================================================
-RCS file: /cvs/openssh/ssh_config.5,v
-retrieving revision 1.97
-diff -u -r1.97 ssh_config.5
---- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
-+++ ssh_config.5 19 Aug 2006 11:59:53 -0000
-@@ -483,7 +483,16 @@
- Forward (delegate) credentials to the server.
- The default is
- .Dq no .
--Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-Index: sshconnect2.c
-===================================================================
-RCS file: /cvs/openssh/sshconnect2.c,v
-retrieving revision 1.151
-diff -u -r1.151 sshconnect2.c
---- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
-+++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
-@@ -499,6 +499,12 @@
- static u_int mech = 0;
- OM_uint32 min;
- int ok = 0;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns)
-+ gss_host = get_canonical_hostname(1);
-+ else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -511,7 +517,7 @@
- /* My DER encoding requires length<128 */
- if (gss_supported->elements[mech].length < 128 &&
- ssh_gssapi_check_mechanism(&gssctxt,
-- &gss_supported->elements[mech], authctxt->host)) {
-+ &gss_supported->elements[mech], gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- mech++;
diff --git a/net-misc/openssh/files/openssh-4.7_p1-engines.patch b/net-misc/openssh/files/openssh-4.7_p1-engines.patch
deleted file mode 100644
index 6da355e4..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-engines.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-diff -urN openssh-4.7p1.orig/ssh-add.c openssh-4.7p1/ssh-add.c
---- openssh-4.7p1.orig/ssh-add.c 2006-09-01 07:38:37.000000000 +0200
-+++ openssh-4.7p1/ssh-add.c 2007-05-19 02:52:09.000000000 +0200
-@@ -42,6 +42,7 @@
- #include <sys/param.h>
-
- #include <openssl/evp.h>
-+#include <openssl/engine.h>
-
- #include <fcntl.h>
- #include <pwd.h>
-@@ -343,6 +344,11 @@
-
- SSLeay_add_all_algorithms();
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- /* At first, get a connection to the authentication agent. */
- ac = ssh_get_authentication_connection();
- if (ac == NULL) {
-diff -urN openssh-4.7p1.orig/ssh-agent.c openssh-4.7p1/ssh-agent.c
---- openssh-4.7p1.orig/ssh-agent.c 2007-02-28 11:19:58.000000000 +0100
-+++ openssh-4.7p1/ssh-agent.c 2007-05-19 02:52:09.000000000 +0200
-@@ -51,6 +51,7 @@
-
- #include <openssl/evp.h>
- #include <openssl/md5.h>
-+#include <openssl/engine.h>
-
- #include <errno.h>
- #include <fcntl.h>
-@@ -1043,6 +1044,11 @@
-
- SSLeay_add_all_algorithms();
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- __progname = ssh_get_progname(av[0]);
- init_rng();
- seed_rng();
-diff -urN openssh-4.7p1.orig/ssh-keygen.c openssh-4.7p1/ssh-keygen.c
---- openssh-4.7p1.orig/ssh-keygen.c 2007-02-19 12:10:25.000000000 +0100
-+++ openssh-4.7p1/ssh-keygen.c 2007-05-19 02:52:09.000000000 +0200
-@@ -21,6 +21,7 @@
-
- #include <openssl/evp.h>
- #include <openssl/pem.h>
-+#include <openssl/engine.h>
-
- #include <errno.h>
- #include <fcntl.h>
-@@ -1073,6 +1074,12 @@
- __progname = ssh_get_progname(argv[0]);
-
- SSLeay_add_all_algorithms();
-+
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-
- init_rng();
-diff -urN openssh-4.7p1.orig/ssh-keysign.c openssh-4.7p1/ssh-keysign.c
---- openssh-4.7p1.orig/ssh-keysign.c 2006-09-01 07:38:37.000000000 +0200
-+++ openssh-4.7p1/ssh-keysign.c 2007-05-19 02:52:09.000000000 +0200
-@@ -38,6 +38,7 @@
- #include <openssl/evp.h>
- #include <openssl/rand.h>
- #include <openssl/rsa.h>
-+#include <openssl/engine.h>
-
- #include "xmalloc.h"
- #include "log.h"
-@@ -195,6 +196,12 @@
- fatal("could not open any host key");
-
- SSLeay_add_all_algorithms();
-+
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- for (i = 0; i < 256; i++)
- rnd[i] = arc4random();
- RAND_seed(rnd, sizeof(rnd));
-diff -urN openssh-4.7p1.orig/ssh.c openssh-4.7p1/ssh.c
---- openssh-4.7p1.orig/ssh.c 2007-01-05 06:30:17.000000000 +0100
-+++ openssh-4.7p1/ssh.c 2007-05-19 02:52:09.000000000 +0200
-@@ -72,6 +72,7 @@
-
- #include <openssl/evp.h>
- #include <openssl/err.h>
-+#include <openssl/engine.h>
-
- #include "xmalloc.h"
- #include "ssh.h"
-@@ -556,6 +557,11 @@
- SSLeay_add_all_algorithms();
- ERR_load_crypto_strings();
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- /* Initialize the command to execute on remote host. */
- buffer_init(&command);
-
-diff -urN openssh-4.7p1.orig/sshd.c openssh-4.7p1/sshd.c
---- openssh-4.7p1.orig/sshd.c 2007-02-25 10:37:22.000000000 +0100
-+++ openssh-4.7p1/sshd.c 2007-05-19 02:52:09.000000000 +0200
-@@ -75,6 +75,7 @@
- #include <openssl/bn.h>
- #include <openssl/md5.h>
- #include <openssl/rand.h>
-+#include <openssl/engine.h>
- #ifdef HAVE_SECUREWARE
- #include <sys/security.h>
- #include <prot.h>
-@@ -1027,6 +1028,11 @@
- for (i = 0; i < options.max_startups; i++)
- startup_pipes[i] = -1;
-
-+ /* Init available hardware crypto engines. */
-+ ENGINE_load_builtin_engines();
-+ ENGINE_register_all_complete();
-+ ENGINE_set_default_ciphers(ENGINE_by_id("padlock"));
-+
- /*
- * Stay listening for connections until the system crashes or
- * the daemon is killed with a signal.
diff --git a/net-misc/openssh/files/openssh-4.7_p1-lpk-64bit.patch b/net-misc/openssh/files/openssh-4.7_p1-lpk-64bit.patch
deleted file mode 100644
index 836073f4..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-lpk-64bit.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-http://bugs.gentoo.org/210110
-
---- servconf.c
-+++ servconf.c
-@@ -690,6 +690,7 @@
- {
- char *cp, **charptr, *arg, *p;
- int cmdline = 0, *intptr, value, n;
-+ unsigned long lvalue, *longptr;
- ServerOpCodes opcode;
- u_short port;
- u_int i, flags = 0;
-@@ -704,6 +705,7 @@
- if (!arg || !*arg || *arg == '#')
- return 0;
- intptr = NULL;
-+ longptr = NULL;
- charptr = NULL;
- opcode = parse_token(arg, filename, linenum, &flags);
-
-@@ -1421,11 +1423,20 @@
- *intptr = value;
- break;
- case sBindTimeout:
-- intptr = (int *) &options->lpk.b_timeout.tv_sec;
-- goto parse_int;
-+ longptr = (unsigned long *) &options->lpk.b_timeout.tv_sec;
-+parse_ulong:
-+ arg = strdelim(&cp);
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing integer value.",
-+ filename, linenum);
-+ lvalue = atol(arg);
-+ if (*activep && *longptr == -1)
-+ *longptr = lvalue;
-+ break;
-+
- case sSearchTimeout:
-- intptr = (int *) &options->lpk.s_timeout.tv_sec;
-- goto parse_int;
-+ longptr = (unsigned long *) &options->lpk.s_timeout.tv_sec;
-+ goto parse_ulong;
- break;
- case sLdapConf:
- arg = cp;
diff --git a/net-misc/openssh/files/openssh-4.7_p1-packet-size.patch b/net-misc/openssh/files/openssh-4.7_p1-packet-size.patch
deleted file mode 100644
index 85023b4a..00000000
--- a/net-misc/openssh/files/openssh-4.7_p1-packet-size.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix from upstream
-
-http://bugs.gentoo.org/212433
-https://bugzilla.mindrot.org/show_bug.cgi?id=1360
-
-Index: clientloop.c
-===================================================================
-RCS file: /usr/local/src/security/openssh/cvs/openssh/clientloop.c,v
-retrieving revision 1.170
-diff -u -p -r1.170 clientloop.c
---- clientloop.c 28 Dec 2007 15:45:07 -0000 1.170
-+++ clientloop.c 28 Dec 2007 18:14:10 -0000
-@@ -1745,7 +1745,7 @@ client_request_forwarded_tcpip(const cha
- }
- c = channel_new("forwarded-tcpip",
- SSH_CHANNEL_CONNECTING, sock, sock, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- originator_address, 1);
- xfree(originator_address);
- xfree(listen_address);
-@@ -1803,7 +1803,7 @@ client_request_agent(const char *request
- return NULL;
- c = channel_new("authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
-- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
- "authentication agent connection", 1);
- c->force_drain = 1;
- return c;
diff --git a/net-misc/openssh/files/openssh-4.7p1-selinux.diff b/net-misc/openssh/files/openssh-4.7p1-selinux.diff
deleted file mode 100644
index f1c5c872..00000000
--- a/net-misc/openssh/files/openssh-4.7p1-selinux.diff
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -purN openssh-4.7p1.orig/configure.ac openssh-4.7p1/configure.ac
---- openssh-4.7p1.orig/configure.ac 2007-08-10 00:36:12.000000000 -0400
-+++ openssh-4.7p1/configure.ac 2008-03-31 19:38:54.548935620 -0400
-@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux,
- AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
- AC_MSG_ERROR(SELinux support requires libselinux library))
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
-+ LIBS="$LIBS $LIBSELINUX"
- AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
- LIBS="$save_LIBS"
- fi ]
diff --git a/net-misc/openssh/files/openssh-5.2_p1-BJA-ldap-stdargs.diff b/net-misc/openssh/files/openssh-5.2_p1-BJA-ldap-stdargs.diff
deleted file mode 100644
index edac277a..00000000
--- a/net-misc/openssh/files/openssh-5.2_p1-BJA-ldap-stdargs.diff
+++ /dev/null
@@ -1,10 +0,0 @@
---- ldapauth.c.ori 2009-04-18 18:06:38.000000000 +0200
-+++ ldapauth.c 2009-04-18 18:06:11.000000000 +0200
-@@ -31,6 +31,7 @@
- #include <stdlib.h>
- #include <unistd.h>
- #include <string.h>
-+#include <stdarg.h>
-
- #include "ldapauth.h"
- #include "log.h"
diff --git a/net-misc/openssh/files/openssh_4.7p1-blacklist.patch b/net-misc/openssh/files/openssh_4.7p1-blacklist.patch
deleted file mode 100644
index d4df4b1a..00000000
--- a/net-misc/openssh/files/openssh_4.7p1-blacklist.patch
+++ /dev/null
@@ -1,969 +0,0 @@
-openssh (1:4.7p1-9) unstable; urgency=critical
-
- * Mitigate OpenSSL security vulnerability (CVE-2008-0166):
- - Add key blacklisting support. Keys listed in
- /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
- sshd, unless "PermitBlacklistedKeys yes" is set in
- /etc/ssh/sshd_config.
- - Add a new program, ssh-vulnkey, which can be used to check keys
- against these blacklists.
-
- -- Colin Watson <cjwatson@debian.org> Tue, 13 May 2008 12:33:38 +0100
-
-Index: openssh-4.7p1/sshd_config.5
-===================================================================
---- openssh-4.7p1.orig/sshd_config.5
-+++ openssh-4.7p1/sshd_config.5
-@@ -677,6 +677,20 @@ are refused if the number of unauthentic
- Specifies whether password authentication is allowed.
- The default is
- .Dq yes .
-+.It Cm PermitBlacklistedKeys
-+Specifies whether
-+.Xr sshd 8
-+should allow keys recorded in its blacklist of known-compromised keys (see
-+.Xr ssh-vulnkey 1 ) .
-+If
-+.Dq yes ,
-+then attempts to authenticate with compromised keys will be logged but
-+accepted.
-+If
-+.Dq no ,
-+then attempts to authenticate with compromised keys will be rejected.
-+The default is
-+.Dq no .
- .It Cm PermitEmptyPasswords
- When password authentication is allowed, it specifies whether the
- server allows login to accounts with empty password strings.
-Index: openssh-4.7p1/sshd.c
-===================================================================
---- openssh-4.7p1.orig/sshd.c
-+++ openssh-4.7p1/sshd.c
-@@ -1469,6 +1469,21 @@ main(int ac, char **av)
-
- for (i = 0; i < options.num_host_key_files; i++) {
- key = key_load_private(options.host_key_files[i], "", NULL);
-+ if (key && blacklisted_key(key)) {
-+ char *fp;
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ error("Host key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ error("Host key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ xfree(fp);
-+ if (!options.permit_blacklisted_keys) {
-+ sensitive_data.host_keys[i] = NULL;
-+ continue;
-+ }
-+ }
- sensitive_data.host_keys[i] = key;
- if (key == NULL) {
- error("Could not load host key: %s",
-Index: openssh-4.7p1/servconf.c
-===================================================================
---- openssh-4.7p1.orig/servconf.c
-+++ openssh-4.7p1/servconf.c
-@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-+ options->permit_blacklisted_keys = -1;
- options->permit_empty_passwd = -1;
- options->permit_user_env = -1;
- options->use_login = -1;
-@@ -248,6 +249,8 @@ fill_default_server_options(ServerOption
- options->kbd_interactive_authentication = 0;
- if (options->challenge_response_authentication == -1)
- options->challenge_response_authentication = 1;
-+ if (options->permit_blacklisted_keys == -1)
-+ options->permit_blacklisted_keys = 0;
- if (options->permit_empty_passwd == -1)
- options->permit_empty_passwd = 0;
- if (options->permit_user_env == -1)
-@@ -349,7 +352,7 @@ typedef enum {
- sListenAddress, sAddressFamily,
- sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
-+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
- sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
- sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -439,6 +442,7 @@ static struct {
- { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
- { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
- { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-+ { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
- { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
- { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
- { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1003,6 +1007,10 @@ parse_flag:
- intptr = &options->tcp_keep_alive;
- goto parse_flag;
-
-+ case sPermitBlacklistedKeys:
-+ intptr = &options->permit_blacklisted_keys;
-+ goto parse_flag;
-+
- case sEmptyPasswd:
- intptr = &options->permit_empty_passwd;
- goto parse_flag;
-Index: openssh-4.7p1/servconf.h
-===================================================================
---- openssh-4.7p1.orig/servconf.h
-+++ openssh-4.7p1/servconf.h
-@@ -117,6 +117,7 @@ typedef struct {
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
- int challenge_response_authentication;
-+ int permit_blacklisted_keys; /* If true, permit */
- int permit_empty_passwd; /* If false, do not permit empty
- * passwords. */
- int permit_user_env; /* If true, read ~/.ssh/environment */
-Index: openssh-4.7p1/Makefile.in
-===================================================================
---- openssh-4.7p1.orig/Makefile.in
-+++ openssh-4.7p1/Makefile.in
-@@ -73,7 +73,7 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAN
- SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o
- X509STORE_OBJS=x509store.o $(LDAP_OBJS) $(OCSP_OBJS)
-
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
-
- LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -101,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- audit.o audit-bsm.o platform.o $(X509STORE_OBJS)
-
--MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
--MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
-+MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
-+MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
- MANTYPE = @MANTYPE@
-
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -182,6 +182,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sft
- ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
- $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
-+ $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+
- # test driver for the loginrec code - not built by default
- logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
- $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -284,6 +287,7 @@ install-files: scard-install
- $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
-+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
- $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -299,6 +303,7 @@ install-files: scard-install
- $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
- $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
- $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-+ $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
- -rm -f $(DESTDIR)$(bindir)/slogin
- ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -380,6 +385,7 @@ uninstall:
- -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-+ -rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -392,6 +398,7 @@ uninstall:
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-Index: openssh-4.7p1/auth-rh-rsa.c
-===================================================================
---- openssh-4.7p1.orig/auth-rh-rsa.c
-+++ openssh-4.7p1/auth-rh-rsa.c
-@@ -20,6 +20,7 @@
- #include <pwd.h>
- #include <stdarg.h>
-
-+#include "xmalloc.h"
- #include "packet.h"
- #include "uidswap.h"
- #include "log.h"
-@@ -27,6 +28,7 @@
- #include "servconf.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "pathnames.h"
- #include "auth.h"
- #include "canohost.h"
-@@ -42,8 +44,22 @@ int
- auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
- Key *client_host_key)
- {
-+ char *fp;
- HostStatus host_status;
-
-+ if (blacklisted_key(client_host_key)) {
-+ fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ xfree(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-+
- /* Check if we would accept it using rhosts authentication. */
- if (!auth_rhosts(pw, cuser))
- return 0;
-Index: openssh-4.7p1/authfile.h
-===================================================================
---- openssh-4.7p1.orig/authfile.h
-+++ openssh-4.7p1/authfile.h
-@@ -23,4 +23,7 @@ Key *key_load_private_type(int, const ch
- Key *key_load_private_pem(int, int, const char *, char **);
- int key_perm_ok(int, const char *);
-
-+char *blacklist_filename(const Key *key);
-+int blacklisted_key(const Key *key);
-+
- #endif
-Index: openssh-4.7p1/ssh-vulnkey.1
-===================================================================
---- /dev/null
-+++ openssh-4.7p1/ssh-vulnkey.1
-@@ -0,0 +1,151 @@
-+.\" Copyright (c) 2008 Canonical Ltd. All rights reserved.
-+.\"
-+.\" Redistribution and use in source and binary forms, with or without
-+.\" modification, are permitted provided that the following conditions
-+.\" are met:
-+.\" 1. Redistributions of source code must retain the above copyright
-+.\" notice, this list of conditions and the following disclaimer.
-+.\" 2. Redistributions in binary form must reproduce the above copyright
-+.\" notice, this list of conditions and the following disclaimer in the
-+.\" documentation and/or other materials provided with the distribution.
-+.\"
-+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+.\" -+.Dd $Mdocdate: May 12 2008 $ -+.Dt SSH-VULNKEY 1 -+.Os -+.Sh NAME -+.Nm ssh-vulnkey -+.Nd check blacklist of compromised keys -+.Sh SYNOPSIS -+.Nm -+.Op Fl q -+.Ar file ... -+.Nm -+.Fl a -+.Sh DESCRIPTION -+.Nm -+checks a key against a blacklist of compromised keys. -+.Pp -+A substantial number of keys are known to have been generated using a broken -+version of OpenSSL distributed by Debian which failed to seed its random -+number generator correctly. -+Keys generated using these OpenSSL versions should be assumed to be -+compromised. -+This tool may be useful in checking for such keys. -+.Pp -+Keys that are compromised cannot be repaired; replacements must be generated -+using -+.Xr ssh-keygen 1 . -+Make sure to update -+.Pa authorized_keys -+files on all systems where compromised keys were permitted to authenticate. -+.Pp -+The argument list will be interpreted as a list of paths to public key files -+or -+.Pa authorized_keys -+files. -+If no suitable file is found at a given path, -+.Nm -+will append -+.Pa .pub -+and retry, in case it was given a private key file. -+If no files are given as arguments, -+.Nm -+will check -+.Pa ~/.ssh/id_rsa , -+.Pa ~/.ssh/id_dsa , -+.Pa ~/.ssh/identity , -+.Pa ~/.ssh/authorized_keys -+and -+.Pa ~/.ssh/authorized_keys2 , -+as well as the system's host keys if readable. -+.Pp -+If -+.Dq - -+is given as an argument, -+.Nm -+will read from standard input. 
-+This can be used to process output from -+.Xr ssh-keyscan 1 , -+for example: -+.Pp -+.Dl $ ssh-keyscan -t rsa remote.example.org | ssh-vulnkey - -+.Pp -+.Nm -+will exit zero if any of the given keys were in the compromised list, -+otherwise non-zero. -+.Pp -+Unless the -+.Cm PermitBlacklistedKeys -+option is used, -+.Xr sshd 8 -+will reject attempts to authenticate with keys in the compromised list. -+.Pp -+The options are as follows: -+.Bl -tag -width Ds -+.It Fl a -+Check keys of all users on the system. -+You will typically need to run -+.Nm -+as root to use this option. -+For each user, -+.Nm -+will check -+.Pa ~/.ssh/id_rsa , -+.Pa ~/.ssh/id_dsa , -+.Pa ~/.ssh/identity , -+.Pa ~/.ssh/authorized_keys -+and -+.Pa ~/.ssh/authorized_keys2 . -+It will also check the system's host keys. -+.It Fl q -+Quiet mode. -+Normally, -+.Nm -+outputs the fingerprint of each key scanned, with a description of its -+status. -+This option suppresses that output. -+.El -+.Sh BLACKLIST FILE FORMAT -+The blacklist file may start with comments, on lines starting with -+.Dq # . -+After these initial comments, it must follow a strict format: -+.Pp -+.Bl -bullet -offset indent -compact -+.It -+All the lines must be exactly the same length (20 characters followed by a -+newline) and must be in sorted order. -+.It -+Each line must consist of the lower-case hexadecimal MD5 key fingerprint, -+without colons, and with the first 12 characters removed (that is, the least -+significant 80 bits of the fingerprint). -+.El -+.Pp -+The key fingerprint may be generated using -+.Xr ssh-keygen 1 : -+.Pp -+.Dl $ ssh-keygen -l -f /path/to/key -+.Pp -+This strict format is necessary to allow the blacklist file to be checked -+quickly, using a binary-search algorithm. 
-+.Sh SEE ALSO -+.Xr ssh-keygen 1 , -+.Xr sshd 8 -+.Sh AUTHORS -+.An -nosplit -+.An Colin Watson Aq cjwatson@ubuntu.com -+.Pp -+Florian Weimer suggested the option to check keys of all users, and the idea -+of processing -+.Xr ssh-keyscan 1 -+output. -Index: openssh-4.7p1/auth2-hostbased.c -=================================================================== ---- openssh-4.7p1.orig/auth2-hostbased.c -+++ openssh-4.7p1/auth2-hostbased.c -@@ -40,6 +40,7 @@ - #include "compat.h" - #include "key.h" - #include "hostfile.h" -+#include "authfile.h" - #include "auth.h" - #include "canohost.h" - #ifdef GSSAPI -@@ -170,10 +171,24 @@ int - hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, - Key *key) - { -+ char *fp; - const char *resolvedname, *ipaddr, *lookup; - HostStatus host_status; - int len; - -+ if (blacklisted_key(key)) { -+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ if (options.permit_blacklisted_keys) -+ logit("Public key %s blacklisted (see " -+ "ssh-vulnkey(1)); continuing anyway", fp); -+ else -+ logit("Public key %s blacklisted (see " -+ "ssh-vulnkey(1))", fp); -+ xfree(fp); -+ if (!options.permit_blacklisted_keys) -+ return 0; -+ } -+ - resolvedname = get_canonical_hostname(options.use_dns); - ipaddr = get_remote_ipaddr(); - -Index: openssh-4.7p1/authfile.c -=================================================================== ---- openssh-4.7p1.orig/authfile.c -+++ openssh-4.7p1/authfile.c -@@ -68,6 +68,7 @@ - #include "ssh-x509.h" - #include "misc.h" - #include "atomicio.h" -+#include "pathnames.h" - - /* Version identification string for SSH v1 identity files. */ - static const char authfile_id_string[] = -@@ -696,3 +697,113 @@ key_load_public(const char *filename, ch - key_free(pub); - return NULL; - } -+ -+char * -+blacklist_filename(const Key *key) -+{ -+ char *name; -+ -+ xasprintf(&name, "%s.%s-%u", -+ _PATH_BLACKLIST, key_type(key), key_size(key)); -+ return name; -+} -+ -+/* Scan a blacklist of known-vulnerable keys. 
*/ -+int -+blacklisted_key(const Key *key) -+{ -+ char *blacklist_file; -+ int fd = -1; -+ char *dgst_hex = NULL; -+ char *dgst_packed = NULL, *p; -+ int i; -+ size_t line_len; -+ struct stat st; -+ char buf[256]; -+ off_t start, lower, upper; -+ int ret = 0; -+ -+ blacklist_file = blacklist_filename(key); -+ debug("Checking blacklist file %s", blacklist_file); -+ fd = open(blacklist_file, O_RDONLY); -+ if (fd < 0) -+ goto out; -+ -+ dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ /* Remove all colons */ -+ dgst_packed = xcalloc(1, strlen(dgst_hex) + 1); -+ for (i = 0, p = dgst_packed; dgst_hex[i]; i++) -+ if (dgst_hex[i] != ':') -+ *p++ = dgst_hex[i]; -+ /* Only compare least-significant 80 bits (to keep the blacklist -+ * size down) -+ */ -+ line_len = strlen(dgst_packed + 12); -+ if (line_len > 32) -+ goto out; -+ -+ /* Skip leading comments */ -+ start = 0; -+ for (;;) { -+ ssize_t r; -+ char *newline; -+ -+ r = atomicio(read, fd, buf, 256); -+ if (r <= 0) -+ goto out; -+ if (buf[0] != '#') -+ break; -+ -+ newline = memchr(buf, '\n', 256); -+ if (!newline) -+ goto out; -+ start += newline + 1 - buf; -+ if (lseek(fd, start, SEEK_SET) < 0) -+ goto out; -+ } -+ -+ /* Initialise binary search record numbers */ -+ if (fstat(fd, &st) < 0) -+ goto out; -+ lower = 0; -+ upper = (st.st_size - start) / (line_len + 1); -+ -+ while (lower != upper) { -+ off_t cur; -+ char buf[32]; -+ int cmp; -+ -+ cur = lower + (upper - lower) / 2; -+ -+ /* Read this line and compare to digest; this is -+ * overflow-safe since cur < max(off_t) / (line_len + 1) */ -+ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0) -+ break; -+ if (atomicio(read, fd, buf, line_len) != line_len) -+ break; -+ cmp = memcmp(buf, dgst_packed + 12, line_len); -+ if (cmp < 0) { -+ if (cur == lower) -+ break; -+ lower = cur; -+ } else if (cmp > 0) { -+ if (cur == upper) -+ break; -+ upper = cur; -+ } else { -+ debug("Found %s in blacklist", dgst_hex); -+ ret = 1; -+ break; -+ } -+ } -+ -+out: 
-+ if (dgst_packed) -+ xfree(dgst_packed); -+ if (dgst_hex) -+ xfree(dgst_hex); -+ if (fd >= 0) -+ close(fd); -+ xfree(blacklist_file); -+ return ret; -+} -Index: openssh-4.7p1/ssh-vulnkey.c -=================================================================== ---- /dev/null -+++ openssh-4.7p1/ssh-vulnkey.c -@@ -0,0 +1,311 @@ -+/* -+ * Copyright (c) 2008 Canonical Ltd. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ */ -+ -+#include "includes.h" -+ -+#include <sys/types.h> -+#include <sys/stat.h> -+ -+#include <string.h> -+#include <stdio.h> -+#include <fcntl.h> -+#include <unistd.h> -+ -+#include <openssl/evp.h> -+ -+#include "xmalloc.h" -+#include "ssh.h" -+#include "log.h" -+#include "key.h" -+#include "authfile.h" -+#include "pathnames.h" -+#include "misc.h" -+ -+extern char *__progname; -+ -+/* Default files to check */ -+static char *default_host_files[] = { -+ _PATH_HOST_RSA_KEY_FILE, -+ _PATH_HOST_DSA_KEY_FILE, -+ _PATH_HOST_KEY_FILE, -+ NULL -+}; -+static char *default_files[] = { -+ _PATH_SSH_CLIENT_ID_RSA, -+ _PATH_SSH_CLIENT_ID_DSA, -+ _PATH_SSH_CLIENT_IDENTITY, -+ _PATH_SSH_USER_PERMITTED_KEYS, -+ _PATH_SSH_USER_PERMITTED_KEYS2, -+ NULL -+}; -+ -+static int quiet = 0; -+ -+static void -+usage(void) -+{ -+ fprintf(stderr, "usage: %s [-aq] [file ...]\n", __progname); -+ fprintf(stderr, "Options:\n"); -+ fprintf(stderr, " -a Check keys of all users.\n"); -+ fprintf(stderr, " -q Quiet mode.\n"); -+ exit(1); -+} -+ -+void -+describe_key(const char *msg, const Key *key, const char *comment) -+{ -+ char *fp; -+ -+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ if (!quiet) -+ printf("%s: %u %s %s\n", msg, key_size(key), fp, comment); -+ xfree(fp); -+} -+ -+int -+do_key(const Key *key, const char *comment) -+{ -+ char *blacklist_file; -+ struct stat st; -+ int ret = 1; -+ -+ blacklist_file = blacklist_filename(key); -+ if (stat(blacklist_file, &st) < 0) -+ describe_key("Unknown (no blacklist information)", -+ key, comment); -+ else if (blacklisted_key(key)) { -+ describe_key("COMPROMISED", key, comment); -+ ret = 0; -+ } else -+ describe_key("Not blacklisted", key, comment); -+ xfree(blacklist_file); -+ -+ return ret; -+} -+ -+int -+do_filename(const char *filename, int quiet_open) -+{ -+ FILE *f; -+ char line[SSH_MAX_PUBKEY_BYTES]; -+ char *cp; -+ u_long linenum = 0; -+ Key *key; -+ char *comment = NULL; -+ int found = 0, ret = 1; -+ -+ /* Copy much of 
key_load_public's logic here so that we can read -+ * several keys from a single file (e.g. authorized_keys). -+ */ -+ -+ if (strcmp(filename, "-") != 0) { -+ f = fopen(filename, "r"); -+ if (!f) { -+ char pubfile[MAXPATHLEN]; -+ if (strlcpy(pubfile, filename, sizeof pubfile) < -+ sizeof(pubfile) && -+ strlcat(pubfile, ".pub", sizeof pubfile) < -+ sizeof(pubfile)) -+ f = fopen(pubfile, "r"); -+ } -+ if (!f) { -+ if (!quiet_open) -+ perror(filename); -+ return -1; -+ } -+ } else -+ f = stdin; -+ while (read_keyfile_line(f, filename, line, sizeof(line), -+ &linenum) != -1) { -+ cp = line; -+ switch (*cp) { -+ case '#': -+ case '\n': -+ case '\0': -+ continue; -+ } -+ /* Skip leading whitespace. */ -+ for (; *cp && (*cp == ' ' || *cp == '\t'); cp++) -+ ; -+ /* Cope with ssh-keyscan output. */ -+ comment = NULL; -+ if (*cp) { -+ char *space; -+ int type; -+ -+ space = strchr(cp, ' '); -+ if (!space) -+ continue; -+ *space = '\0'; -+ type = key_type_from_name(cp); -+ if (type == KEY_UNSPEC) { -+ comment = xstrdup(cp); -+ cp = space + 1; -+ } -+ *space = ' '; -+ } -+ if (!comment) -+ comment = xstrdup(filename); -+ if (*cp) { -+ key = key_new(KEY_RSA1); -+ if (key_read(key, &cp) == 1) { -+ if (!do_key(key, comment)) -+ ret = 0; -+ key_free(key); -+ found = 1; -+ } else { -+ key_free(key); -+ key = key_new(KEY_UNSPEC); -+ if (key_read(key, &cp) == 1) { -+ if (!do_key(key, comment)) -+ ret = 0; -+ key_free(key); -+ found = 1; -+ } -+ } -+ } -+ xfree(comment); -+ comment = NULL; -+ } -+ if (f != stdin) -+ fclose(f); -+ -+ if (!found && filename) { -+ key = key_load_public(filename, &comment); -+ if (key) { -+ if (!do_key(key, comment)) -+ ret = 0; -+ found = 1; -+ } -+ if (comment) -+ xfree(comment); -+ } -+ -+ return ret; -+} -+ -+int -+do_host(void) -+{ -+ int i; -+ struct stat st; -+ int ret = 1; -+ -+ for (i = 0; default_host_files[i]; i++) { -+ if (stat(default_host_files[i], &st) < 0) -+ continue; -+ if (!do_filename(default_host_files[i], 1)) -+ ret = 0; -+ } -+ -+ 
return ret; -+} -+ -+int -+do_user(const char *dir) -+{ -+ int i; -+ char buf[MAXPATHLEN]; -+ struct stat st; -+ int ret = 1; -+ -+ for (i = 0; default_files[i]; i++) { -+ snprintf(buf, sizeof(buf), "%s/%s", dir, default_files[i]); -+ if (stat(buf, &st) < 0) -+ continue; -+ if (!do_filename(buf, 0)) -+ ret = 0; -+ } -+ -+ return ret; -+} -+ -+int -+main(int argc, char **argv) -+{ -+ int opt, all_users = 0; -+ int ret = 1; -+ extern int optind; -+ -+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ -+ sanitise_stdfd(); -+ -+ __progname = ssh_get_progname(argv[0]); -+ -+ SSLeay_add_all_algorithms(); -+ log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); -+ -+ /* We don't need the RNG ourselves, but symbol references here allow -+ * ld to link us properly. -+ */ -+ init_rng(); -+ seed_rng(); -+ -+ while ((opt = getopt(argc, argv, "ahq")) != -1) { -+ switch (opt) { -+ case 'a': -+ all_users = 1; -+ break; -+ case 'q': -+ quiet = 1; -+ break; -+ case 'h': -+ default: -+ usage(); -+ } -+ } -+ -+ if (all_users) { -+ struct passwd *pw; -+ -+ if (!do_host()) -+ ret = 0; -+ -+ while ((pw = getpwent()) != NULL) { -+ if (pw->pw_dir) { -+ if (!do_user(pw->pw_dir)) -+ ret = 0; -+ } -+ } -+ } else if (optind == argc) { -+ struct passwd *pw; -+ -+ if (!do_host()) -+ ret = 0; -+ -+ if ((pw = getpwuid(getuid())) == NULL) -+ fprintf(stderr, "No user found with uid %u\n", -+ (u_int)getuid()); -+ else { -+ if (!do_user(pw->pw_dir)) -+ ret = 0; -+ } -+ } else { -+ while (optind < argc) -+ if (!do_filename(argv[optind++], 0)) -+ ret = 0; -+ } -+ -+ return ret; -+} -Index: openssh-4.7p1/auth-rsa.c -=================================================================== ---- openssh-4.7p1.orig/auth-rsa.c -+++ openssh-4.7p1/auth-rsa.c -@@ -40,6 +40,7 @@ - #include "servconf.h" - #include "key.h" - #include "hostfile.h" -+#include "authfile.h" - #include "auth.h" - #ifdef GSSAPI - #include "ssh-gss.h" -@@ -221,6 +222,7 @@ auth_rsa_key_allowed(struct passwd *pw, - 
char *cp; - char *key_options; - int keybits; -+ char *fp; - - /* Skip leading whitespace, empty and comment lines. */ - for (cp = line; *cp == ' ' || *cp == '\t'; cp++) -@@ -265,6 +267,19 @@ auth_rsa_key_allowed(struct passwd *pw, - "actual %d vs. announced %d.", - file, linenum, BN_num_bits(key->rsa->n), bits); - -+ if (blacklisted_key(key)) { -+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ if (options.permit_blacklisted_keys) -+ logit("Public key %s blacklisted (see " -+ "ssh-vulnkey(1)); continuing anyway", fp); -+ else -+ logit("Public key %s blacklisted (see " -+ "ssh-vulnkey(1))", fp); -+ xfree(fp); -+ if (!options.permit_blacklisted_keys) -+ continue; -+ } -+ - /* We have found the desired key. */ - /* - * If our options do not allow this key to be used, -Index: openssh-4.7p1/pathnames.h -=================================================================== ---- openssh-4.7p1.orig/pathnames.h -+++ openssh-4.7p1/pathnames.h -@@ -66,6 +66,8 @@ - /* Backwards compatibility */ - #define _PATH_DH_PRIMES SSHDIR "/primes" - -+#define _PATH_BLACKLIST SSHDIR "/blacklist" -+ - #ifndef _PATH_SSH_PROGRAM - #define _PATH_SSH_PROGRAM "/usr/bin/ssh" - #endif -Index: openssh-4.7p1/auth2-pubkey.c -=================================================================== ---- openssh-4.7p1.orig/auth2-pubkey.c -+++ openssh-4.7p1/auth2-pubkey.c -@@ -47,6 +47,7 @@ - #include "compat.h" - #include "key.h" - #include "hostfile.h" -+#include "authfile.h" - #include "auth.h" - #include "pathnames.h" - #include "uidswap.h" -@@ -411,9 +412,23 @@ user_key_allowed2(struct passwd *pw, Key - int - user_key_allowed(struct passwd *pw, Key *key) - { -+ char *fp; - int success; - char *file; - -+ if (blacklisted_key(key)) { -+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ if (options.permit_blacklisted_keys) -+ logit("Public key %s blacklisted (see " -+ "ssh-vulnkey(1)); continuing anyway", fp); -+ else -+ logit("Public key %s blacklisted (see " -+ "ssh-vulnkey(1))", fp); -+ 
xfree(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-+
- file = authorized_keys_file(pw);
- success = user_key_allowed2(pw, key, file);
- xfree(file);
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
deleted file mode 100644
index 28952b4a..00000000
--- a/net-misc/openssh/files/sshd.confd
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/conf.d/sshd: config file for /etc/init.d/sshd
-
-# Where is your sshd_config file stored?
-
-SSHD_CONFDIR="/etc/ssh"
-
-
-# Any random options you want to pass to sshd.
-# See the sshd(8) manpage for more info.
-
-SSHD_OPTS=""
-
-
-# Pid file to use (needs to be absolute path).
-
-#SSHD_PIDFILE="/var/run/sshd.pid"
-
-
-# Path to the sshd binary (needs to be absolute path).
-
-#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.pam b/net-misc/openssh/files/sshd.pam
deleted file mode 100644
index 51149402..00000000
--- a/net-misc/openssh/files/sshd.pam
+++ /dev/null
@@ -1,9 +0,0 @@
-#%PAM-1.0
-
-auth required pam_stack.so service=system-auth
-auth required pam_shells.so
-auth required pam_nologin.so
-account required pam_stack.so service=system-auth
-password required pam_stack.so service=system-auth
-session required pam_stack.so service=system-auth
-
diff --git a/net-misc/openssh/files/sshd.pam_include b/net-misc/openssh/files/sshd.pam_include
deleted file mode 100644
index 14d9016a..00000000
--- a/net-misc/openssh/files/sshd.pam_include
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-
-auth include system-auth
-auth required pam_shells.so
-auth required pam_nologin.so
-account include system-auth
-password include system-auth
-session include system-auth
diff --git a/net-misc/openssh/files/sshd.pam_include.1 b/net-misc/openssh/files/sshd.pam_include.1
deleted file mode 100644
index 567ba4ac..00000000
--- a/net-misc/openssh/files/sshd.pam_include.1
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-
-auth required pam_shells.so
-auth required pam_nologin.so
-auth include system-auth
-account include system-auth
-password include system-auth
-session include system-auth
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
deleted file mode 100644
index b801aaaf..00000000
--- a/net-misc/openssh/files/sshd.pam_include.2
+++ /dev/null
@@ -1,4 +0,0 @@
-auth include system-remote-login
-account include system-remote-login
-password include system-remote-login
-session include system-remote-login
diff --git a/net-misc/openssh/files/sshd.rc6 b/net-misc/openssh/files/sshd.rc6
deleted file mode 100644
index aeaf09c9..00000000
--- a/net-misc/openssh/files/sshd.rc6
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.24 2009/04/12 20:12:49 robbat2 Exp $
-
-opts="${opts} reload"
-
-depend() {
- use logger dns
- need net
-}
-
-SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
-SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
-SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
-
-checkconfig() {
- if [ ! -d /var/empty ] ; then
- mkdir -p /var/empty || return 1
- fi
-
- if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
- eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
- eerror "There is a sample file in /usr/share/doc/openssh"
- return 1
- fi
-
- gen_keys || return 1
-
- "${SSHD_BINARY}" -t ${myopts} || return 1
-}
-
-gen_keys() {
- if [ ! -e "${SSHD_CONFDIR}"/ssh_host_key ] ; then
- einfo "Generating Hostkey..."
- /usr/bin/ssh-keygen -t rsa1 -b 1024 -f "${SSHD_CONFDIR}"/ssh_host_key -N '' || return 1
- fi
- if [ ! -e "${SSHD_CONFDIR}"/ssh_host_dsa_key ] ; then
- einfo "Generating DSA-Hostkey..."
- /usr/bin/ssh-keygen -d -f "${SSHD_CONFDIR}"/ssh_host_dsa_key -N '' || return 1
- fi
- if [ ! -e "${SSHD_CONFDIR}"/ssh_host_rsa_key ] ; then
- einfo "Generating RSA-Hostkey..."
- /usr/bin/ssh-keygen -t rsa -f "${SSHD_CONFDIR}"/ssh_host_rsa_key -N '' || return 1
- fi
- return 0
-}
-
-start() {
- local myopts=""
- [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
- && myopts="${myopts} -o PidFile=${SSHD_PIDFILE}"
- [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
- && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
-
- checkconfig || return 1
- ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" \
- -- ${myopts} ${SSHD_OPTS}
- eend $?
-}
-
-stop() {
- if [ "${RC_CMD}" = "restart" ] ; then
- checkconfig || return 1
- fi
-
- ebegin "Stopping ${SVCNAME}"
- start-stop-daemon --stop --exec "${SSHD_BINARY}" \
- --pidfile "${SSHD_PIDFILE}" --quiet
- eend $?
-}
-
-reload() {
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --stop --signal HUP --oknodo \
- --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
- eend $?
-}
diff --git a/net-misc/openssh/openssh-5.2_p1-r1.ebuild b/net-misc/openssh/openssh-5.2_p1-r1.ebuild
deleted file mode 100644
index deb4dde3..00000000
--- a/net-misc/openssh/openssh-5.2_p1-r1.ebuild
+++ /dev/null
@@ -1,224 +0,0 @@
-# Copyright 1999-2009 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-5.2_p1-r1.ebuild,v 1.10 2009/04/12 22:39:03 vapier Exp $
-
-inherit eutils flag-o-matic multilib autotools pam
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_/}
-
-#HPN_PATCH="${PARCH/2/1}-hpn13v5.diff.gz"
-LDAP_PATCH="${PARCH/openssh/openssh-lpk}-0.3.11.patch.gz"
-PKCS11_PATCH="${PARCH/p1}pkcs11-0.26.tar.bz2"
-X509_VER="6.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- http://www.sxw.org.uk/computing/patches/openssh-5.0p1-gsskex-20080404.patch
- ${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${PKCS11_PATCH:+pkcs11? ( http://alon.barlev.googlepages.com/${PKCS11_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}"
-
-LICENSE="as-is"
-SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
-IUSE="hpn kerberos ldap libedit pam pkcs11 selinux skey smartcard static tcpd X X509"
-
-RDEPEND="pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- selinux? ( >=sys-libs/libselinux-1.28 )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ldap? ( net-nds/openldap )
- libedit? ( dev-libs/libedit )
- >=dev-libs/openssl-0.9.6d
- >=sys-libs/zlib-1.2.3
- smartcard? ( dev-libs/opensc )
- pkcs11? ( dev-libs/pkcs11-helper )
- tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
- X? ( x11-apps/xauth )
- userland_GNU? ( sys-apps/shadow )"
-DEPEND="${RDEPEND}
- dev-util/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? 
( >=sys-auth/pambase-20081028 )"
-PROVIDE="virtual/ssh"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && use ${1} && echo ${1} ; }
- local fail="
- $(maybe_fail ldap LDAP_PATCH)
- $(maybe_fail pkcs11 PKCS11_PATCH)
- $(maybe_fail X509 X509_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-}
-
-src_unpack() {
- unpack ${PARCH}.tar.gz
- cd "${S}"
-
- sed -i \
- -e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
- pathnames.h || die
-
- if use pkcs11 ; then
- cd "${WORKDIR}"
- unpack "${PKCS11_PATCH}"
- cd "${S}"
- EPATCH_OPTS="-p1" epatch "${WORKDIR}"/*pkcs11*/{1,2,4}*
- use X509 && EPATCH_OPTS="-R" epatch "${WORKDIR}"/*pkcs11*/1000_all_log.patch
- fi
- use X509 && epatch "${DISTDIR}"/${X509_PATCH}
- use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
- if ! use X509 ; then
- if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- # The patch for bug 210110 64-bit stuff is now included.
- epatch "${DISTDIR}"/${LDAP_PATCH}
- # Not needed anymore of 0.3.11. Merged into the main patch. 
- #epatch "${FILESDIR}"/${PN}-5.1_p1-ldap-hpn-glue.patch
- fi
- #epatch "${DISTDIR}"/openssh-5.0p1-gsskex-20080404.patch #115553 #216932
- else
- use ldap && ewarn "Sorry, X509 and ldap don't get along, disabling ldap"
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- [[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
- epatch "${FILESDIR}"/${PN}-4.7p1-selinux.diff #191665
- use ldap && epatch "${FILESDIR}"/${P}-BJA-ldap-stdargs.diff
-
- sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
-
- # Disable PATH reset, trust what portage gives us. bug 254615
- sed -i -e 's:^PATH=/:#PATH=/:' configure || die
-
- eautoreconf
-}
-
-src_compile() {
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys #skey configure code triggers this
-
- local myconf=""
- if use static ; then
- append-ldflags -static
- use pam && ewarn "Disabling pam support becuse of static flag"
- myconf="${myconf} --without-pam"
- else
- myconf="${myconf} $(use_with pam)"
- fi
-
- econf \
- --with-ldflags="${LDFLAGS}" \
- --disable-strip \
- --sysconfdir=/etc/ssh \
- --libexecdir=/usr/$(get_libdir)/misc \
- --datadir=/usr/share/openssh \
- --with-privsep-path=/var/empty \
- --with-privsep-user=sshd \
- --with-md5-passwords \
- --with-ssl-engine \
- $(use_with kerberos kerberos5 /usr) \
- ${LDAP_PATCH:+$(use ldap && use_with ldap)} \
- $(use_with libedit) \
- ${PKCS11_PATCH:+$(use pkcs11 && use_with pkcs11)} \
- $(use_with selinux) \
- $(use_with skey) \
- $(use_with smartcard opensc) \
- $(use_with tcpd tcp-wrappers) \
- ${myconf} \
- || die "bad configure"
- emake || die "compile problem"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}" || die
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM 
yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${D}"/etc/ssh/sshd_config || die "sed of configuration file failed"
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(getent passwd ${UID} | cut -d: -f7)
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- for t in ${tests} ; do
- # Some tests read from stdin ...
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_postinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-
- # help fix broken perms caused by older ebuilds.
- # can probably cut this after the next stage release.
- chmod u+x "${ROOT}"/etc/skel/.ssh >& /dev/null
-
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "restart sshd: '/etc/init.d/sshd restart'."
- if use pam ; then
- echo
- ewarn "Please be aware users need a valid shell in /etc/passwd"
- ewarn "in order to be allowed to login."
- fi
- if use pkcs11 ; then
- echo
- einfo "For PKCS#11 you should also emerge one of the askpass softwares"
- einfo "Example: net-misc/x11-ssh-askpass"
- fi
-} |