From de4f2cab643b353fe63de080c5180a2cb09f81a1 Mon Sep 17 00:00:00 2001 From: Bertrand Jacquin Date: Thu, 19 Jul 2007 21:09:52 +0200 Subject: ssl & ssh padlocked --- net-misc/openssh/Manifest | 25 ++++ net-misc/openssh/files/digest-openssh-4.5_p1-r1 | 18 +++ net-misc/openssh/files/sshd.confd | 21 +++ net-misc/openssh/files/sshd.pam_include | 8 ++ net-misc/openssh/files/sshd.rc6 | 76 +++++++++++ net-misc/openssh/openssh-4.5_p1-r1.ebuild | 171 ++++++++++++++++++++++++ 6 files changed, 319 insertions(+) create mode 100644 net-misc/openssh/Manifest create mode 100644 net-misc/openssh/files/digest-openssh-4.5_p1-r1 create mode 100644 net-misc/openssh/files/sshd.confd create mode 100644 net-misc/openssh/files/sshd.pam_include create mode 100644 net-misc/openssh/files/sshd.rc6 create mode 100644 net-misc/openssh/openssh-4.5_p1-r1.ebuild (limited to 'net-misc') diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest new file mode 100644 index 00000000..52af5014 --- /dev/null +++ b/net-misc/openssh/Manifest @@ -0,0 +1,25 @@ +AUX sshd.confd 396 RMD160 029680b2281961130a815ef599750c4fc4e84987 SHA1 23c283d0967944b6125be26ed4628f49abf586b2 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 +MD5 b35e9f3829f4cfca07168fcba98749c7 files/sshd.confd 396 +RMD160 029680b2281961130a815ef599750c4fc4e84987 files/sshd.confd 396 +SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 files/sshd.confd 396 +AUX sshd.pam_include 205 RMD160 6b20ea83c69ef613d75daf43515aaec88d4cd815 SHA1 122472d859c24f7c776bb10fbfcb0221146ed056 SHA256 8d59135e96f4eff6b80c143b82cced7beb0bbca19ff91b479f1ba92916243d5e +MD5 2b66f75047edfac5d5e6cdbffa35383e files/sshd.pam_include 205 +RMD160 6b20ea83c69ef613d75daf43515aaec88d4cd815 files/sshd.pam_include 205 +SHA256 8d59135e96f4eff6b80c143b82cced7beb0bbca19ff91b479f1ba92916243d5e files/sshd.pam_include 205 +AUX sshd.rc6 2046 RMD160 68df8ff7933b7a232882b2a6140fe1a2637609b6 SHA1 c3f74dbd764d570f69e60f18a081f19e3cefb037 SHA256 6569cb934cb1d5b9016c2828ff8c79b5c8477dd27b7078c609445cfc16692e9e +MD5 c3acc27dddafb1e8c6d437e668e08c25 files/sshd.rc6 2046 +RMD160 68df8ff7933b7a232882b2a6140fe1a2637609b6 files/sshd.rc6 2046 +SHA256 6569cb934cb1d5b9016c2828ff8c79b5c8477dd27b7078c609445cfc16692e9e files/sshd.rc6 2046 +DIST openssh-4.4p1+SecurID_v1.3.2.patch 48240 RMD160 45d5734f7e65709cce581f1f85c06f60a73b825b SHA1 10bece428f6f36a0bb59b8fe9b9fb4321b544fa5 SHA256 189ad59139d86e5c808650add131af20ade00439713c3abcfac9a4e53580a196 +DIST openssh-4.5p1+x509-5.5.2.diff.gz 137561 RMD160 2e7597bc97d634ecc3d434cc714cc5b1d4076fec SHA1 5f29fbf73a991d778f81f9029fd90ffc4be9b726 SHA256 580b9b2be2a5224852f9979180fa9570059c1aa398b908dc1907d2a5a5e1f4a2 +DIST openssh-4.5p1-engines.diff 4190 RMD160 f20464e72d6138df287c694e0dc7c47c3a601b88 SHA1 ba47f2557b08c68464f1ed09cfd2767967e38670 SHA256 48e1dd6e218f9583fb896b19c7632b8b023e511dc9fc697e5834c8e7181592f6 +DIST openssh-4.5p1-hpn12v14.diff.gz 15791 RMD160 1f937174d5418d578da5d9dfab16b5cc8960efc5 SHA1 8bea17b13e7e91135785f4222252c28d08c9c887 SHA256 5cc6cd882cbb94498483b44722b3e81c8e6d7854dc2b2c57e1d56040bfdc23bd +DIST openssh-4.5p1.tar.gz 965925 RMD160 3f70b6f4228e84c7b9b8b3bee7fd3875f3e3bad3 SHA1 2eefcbbeb9e4fa16fa4500dec107d1a09d3d02d7 SHA256 7046b9d372f9e31ca654a66492310c188470480ddab300eb715dbf5e2177ae55 +DIST openssh-lpk-4.4p1-0.3.7.patch 61187 RMD160 90b0bbe07a3617f6eecb9f77c1a38c5f4dd4dcaf SHA1 b1854a4391c5d11f1a5ab09059643bbaf2278009 SHA256 c74aa642b4b2eeceb0c3f554752d172f8d5a7cd30f2aae517e93ef3bf1bd24e7 +EBUILD openssh-4.5_p1-r1.ebuild 5573 RMD160 f0f1336dffb2eb92af883b18c850f2f9bb201d0c SHA1 2cd9ca7bbd9b25a7f97645e9f453b324e5494c9a SHA256 7c95b14eb03eb2f4d150ce43744a384a10bbed67d10b66db914d354aace86201 +MD5 52ca8a17777a04b98d06be2221abca6b openssh-4.5_p1-r1.ebuild 5573 +RMD160 f0f1336dffb2eb92af883b18c850f2f9bb201d0c openssh-4.5_p1-r1.ebuild 5573 +SHA256 7c95b14eb03eb2f4d150ce43744a384a10bbed67d10b66db914d354aace86201 openssh-4.5_p1-r1.ebuild 5573 +MD5 aba975f88f0adfab72938ca76c488b61 files/digest-openssh-4.5_p1-r1 1584 +RMD160 ff35f63baac9cb01986718a9e171da1d2d3a1c5d files/digest-openssh-4.5_p1-r1 1584 +SHA256 d2234f3b58e6ce9fc342ad82e0be4aa8bec6c63355e05638f481dd5cdecbb0ea files/digest-openssh-4.5_p1-r1 1584 diff --git a/net-misc/openssh/files/digest-openssh-4.5_p1-r1 b/net-misc/openssh/files/digest-openssh-4.5_p1-r1 new file mode 100644 index 00000000..ba123bc4 --- /dev/null +++ b/net-misc/openssh/files/digest-openssh-4.5_p1-r1 @@ -0,0 +1,18 @@ +MD5 4a374fe5f6c353bc051b00781de8067c openssh-4.4p1+SecurID_v1.3.2.patch 48240 +RMD160 45d5734f7e65709cce581f1f85c06f60a73b825b openssh-4.4p1+SecurID_v1.3.2.patch 48240 +SHA256 189ad59139d86e5c808650add131af20ade00439713c3abcfac9a4e53580a196 openssh-4.4p1+SecurID_v1.3.2.patch 48240 +MD5 9a7987815f6901150f843dd21d8a339e openssh-4.5p1+x509-5.5.2.diff.gz 137561 +RMD160 2e7597bc97d634ecc3d434cc714cc5b1d4076fec openssh-4.5p1+x509-5.5.2.diff.gz 137561 +SHA256 580b9b2be2a5224852f9979180fa9570059c1aa398b908dc1907d2a5a5e1f4a2 openssh-4.5p1+x509-5.5.2.diff.gz 137561 +MD5 2b8dee2d9bfaa51d263446b3ea96f031 openssh-4.5p1-engines.diff 4190 +RMD160 f20464e72d6138df287c694e0dc7c47c3a601b88 openssh-4.5p1-engines.diff 4190 +SHA256 48e1dd6e218f9583fb896b19c7632b8b023e511dc9fc697e5834c8e7181592f6 openssh-4.5p1-engines.diff 4190 +MD5 86d3751f777c9c99663aebbb36281a0e openssh-4.5p1-hpn12v14.diff.gz 15791 +RMD160 1f937174d5418d578da5d9dfab16b5cc8960efc5 openssh-4.5p1-hpn12v14.diff.gz 15791 +SHA256 5cc6cd882cbb94498483b44722b3e81c8e6d7854dc2b2c57e1d56040bfdc23bd openssh-4.5p1-hpn12v14.diff.gz 15791 +MD5 6468c339886f78e8a149b88f695839dd openssh-4.5p1.tar.gz 965925 +RMD160 3f70b6f4228e84c7b9b8b3bee7fd3875f3e3bad3 openssh-4.5p1.tar.gz 965925 +SHA256 7046b9d372f9e31ca654a66492310c188470480ddab300eb715dbf5e2177ae55 openssh-4.5p1.tar.gz 965925 +MD5 4db76f98b1ecbcff2bda11ff8050ad71 openssh-lpk-4.4p1-0.3.7.patch 61187 +RMD160 90b0bbe07a3617f6eecb9f77c1a38c5f4dd4dcaf openssh-lpk-4.4p1-0.3.7.patch 61187 +SHA256 c74aa642b4b2eeceb0c3f554752d172f8d5a7cd30f2aae517e93ef3bf1bd24e7 openssh-lpk-4.4p1-0.3.7.patch 61187 diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd new file mode 100644 index 00000000..28952b4a --- /dev/null +++ b/net-misc/openssh/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh/files/sshd.pam_include b/net-misc/openssh/files/sshd.pam_include new file mode 100644 index 00000000..14d9016a --- /dev/null +++ b/net-misc/openssh/files/sshd.pam_include @@ -0,0 +1,8 @@ +#%PAM-1.0 + +auth include system-auth +auth required pam_shells.so +auth required pam_nologin.so +account include system-auth +password include system-auth +session include system-auth diff --git a/net-misc/openssh/files/sshd.rc6 b/net-misc/openssh/files/sshd.rc6 new file mode 100644 index 00000000..258c3a3f --- /dev/null +++ b/net-misc/openssh/files/sshd.rc6 @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2006 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.22 2007/02/23 10:51:48 uberlord Exp $ + +opts="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + "${SSHD_BINARY}" -t ${myopts} || return 1 +} + +gen_keys() { + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_key ] ; then + einfo "Generating Hostkey..." + /usr/bin/ssh-keygen -t rsa1 -b 1024 -f "${SSHD_CONFDIR}"/ssh_host_key -N '' || return 1 + fi + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_dsa_key ] ; then + einfo "Generating DSA-Hostkey..." + /usr/bin/ssh-keygen -d -f "${SSHD_CONFDIR}"/ssh_host_dsa_key -N '' || return 1 + fi + if [ ! -e "${SSHD_CONFDIR}"/ssh_host_rsa_key ] ; then + einfo "Generating RSA-Hostkey..." + /usr/bin/ssh-keygen -t rsa -f "${SSHD_CONFDIR}"/ssh_host_rsa_key -N '' || return 1 + fi + return 0 +} + +start() { + local myopts="" + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && myopts="${myopts} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config" + + checkconfig || return 1 + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${myopts} ${SSHD_OPTS} + eend $? +} + +stop() { + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --stop --signal HUP --oknodo \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh/openssh-4.5_p1-r1.ebuild b/net-misc/openssh/openssh-4.5_p1-r1.ebuild new file mode 100644 index 00000000..933b9fc3 --- /dev/null +++ b/net-misc/openssh/openssh-4.5_p1-r1.ebuild @@ -0,0 +1,171 @@ +# Copyright 1999-2007 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.5_p1-r1.ebuild,v 1.4 2007/04/24 22:03:29 eroyf Exp $ + +WANT_AUTOCONF="latest" +WANT_AUTOMAKE="latest" +# Please leave pam at end, so that dopamd and newpamd from eutils eclass are not used +inherit eutils flag-o-matic ccc multilib autotools pam + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_/} + +X509_PATCH="${PARCH}+x509-5.5.2.diff.gz" +SECURID_PATCH="${PARCH/4.5/4.4}+SecurID_v1.3.2.patch" +LDAP_PATCH="${PARCH/-4.5p1/-lpk-4.4p1}-0.3.7.patch" +HPN_PATCH="${PARCH}-hpn12v14.diff.gz" +PADLOCK_PATCH="openssh-4.5p1-engines.diff" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.com/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + X509? ( http://roumenpetrov.info/openssh/x509-5.5.2/${X509_PATCH} ) + ldap? ( http://dev.inversepath.com/openssh-lpk/${LDAP_PATCH} ) + hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} ) + smartcard? ( http://omniti.com/~jesus/projects/${SECURID_PATCH} ) + padlock? ( http://www.logix.cz/michal/devel/padlock/contrib/${PADLOCK_PATCH} )" + +LICENSE="as-is" +SLOT="0" +KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd" +IUSE="static pam tcpd kerberos skey selinux chroot X509 ldap smartcard hpn libedit X padlock" + +RDEPEND="pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + selinux? ( >=sys-libs/libselinux-1.28 ) + skey? ( >=app-admin/skey-1.1.5-r1 ) + ldap? ( net-nds/openldap ) + libedit? ( dev-libs/libedit ) + >=dev-libs/openssl-0.9.6d + >=sys-libs/zlib-1.2.3 + smartcard? ( dev-libs/opensc ) + tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) + X? ( x11-apps/xauth ) + userland_GNU? ( sys-apps/shadow )" +DEPEND="${RDEPEND} + dev-util/pkgconfig + virtual/os-headers + sys-devel/autoconf" +PROVIDE="virtual/ssh" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + local fail="" + [[ -z ${X509_PATCH} ]] && use X509 && fail="${fail} X509" + [[ -z ${SECURID_PATCH} ]] && use smartcard && fail="${fail} smartcard" + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi +} + +src_unpack() { + unpack ${PARCH}.tar.gz + cd "${S}" + + sed -i \ + -e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \ + pathnames.h || die + + use X509 && epatch "${DISTDIR}"/${X509_PATCH} "${FILESDIR}"/${PN}-4.4_p1-x509-hpn-glue.patch + use chroot && epatch "${FILESDIR}"/openssh-4.3_p1-chroot.patch + use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch + use padlock && epatch "${DISTDIR}"/${PADLOCK_PATCH} + + if ! use X509 ; then + if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then + epatch "${DISTDIR}"/${SECURID_PATCH} \ + "${FILESDIR}"/${PN}-4.3_p2-securid-updates.patch \ + "${FILESDIR}"/${PN}-4.3_p2-securid-hpn-glue.patch + use ldap && epatch "${FILESDIR}"/openssh-4.0_p1-smartcard-ldap-happy.patch + fi + if use ldap ; then + epatch "${DISTDIR}"/${LDAP_PATCH} "${FILESDIR}"/${PN}-4.4_p1-ldap-hpn-glue.patch + fi + elif [[ -n ${SECURID_PATCH} ]] && use smartcard || use ldap ; then + ewarn "Sorry, X509 and smartcard/ldap don't get along, disabling smartcard/ldap" + fi + [[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH} + + sed -i '/LD.*ssh-keysign/s:$: '$(bindnow-flags)':' Makefile.in || die "setuid" + + sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die + + eautoreconf +} + +src_compile() { + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys #skey configure code triggers this + + local myconf="" + if use static ; then + append-ldflags -static + use pam && ewarn "Disabling pam support becuse of static flag" + myconf="${myconf} --without-pam" + else + myconf="${myconf} $(use_with pam)" + fi + + econf \ + --with-ldflags="${LDFLAGS}" \ + --disable-strip \ + --sysconfdir=/etc/ssh \ + --libexecdir=/usr/$(get_libdir)/misc \ + --datadir=/usr/share/openssh \ + --disable-suid-ssh \ + --with-privsep-path=/var/empty \ + --with-privsep-user=sshd \ + --with-md5-passwords \ + $(use_with ldap) \ + $(use_with libedit) \ + $(use_with kerberos kerberos5 /usr) \ + $(use_with tcpd tcp-wrappers) \ + $(use_with selinux) \ + $(use_with skey) \ + $(use_with smartcard opensc) \ + ${myconf} \ + || die "bad configure" + emake || die "compile problem" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" || die + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include sshd + dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config + use pam \ + && dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config \ + && dosed "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" /etc/ssh/sshd_config + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh +} + +pkg_postinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd + + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "restart sshd: '/etc/init.d/sshd restart'." + if use pam ; then + echo + ewarn "Please be aware users need a valid shell in /etc/passwd" + ewarn "in order to be allowed to login." + fi +} -- cgit v1.2.3