Diffstat (limited to 'main/openssh/APKBUILD')
-rw-r--r--main/openssh/APKBUILD73
1 files changed, 44 insertions, 29 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 1a513db4c62..0b8feae7602 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -3,29 +3,28 @@
# Contributor: Will Sinatra <wpsinatra@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssh
-pkgver=9.0_p1
+pkgver=9.7_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=3
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
-license="BSD"
+license="SSH-OpenSSH"
options="suid"
depends="openssh-client openssh-sftp-server openssh-server"
+makedepends_build="autoconf automake"
makedepends_host="
- autoconf
- automake
linux-headers
- openssl1.1-compat-dev
+ openssl-dev>3
zlib-dev
"
-[ -z "$BOOTSTRAP" ] && makedepends_host="$makedepends_host utmps-dev utmps-static"
#
# NOTE: if you edit this file, please make sure that it builds with `BOOTSTRAP=1 abuild -r`
#
# build bootstrap sshd without libedit, linux-pam and krb5
if [ -z "$BOOTSTRAP" ]; then
- makedepends_host="$makedepends_host libedit-dev linux-pam-dev krb5-dev libfido2-dev"
+ makedepends_host="$makedepends_host libedit-dev linux-pam-dev krb5-dev libfido2-dev
+ utmps-dev utmps-static"
subpackages="$pkgname-client-krb5:_client_krb5
$pkgname-server-pam:_server_with_flavor
$pkgname-server-krb5:_server_with_flavor
@@ -44,21 +43,24 @@ subpackages="$pkgname-dbg
$pkgname-sftp-server:_sftp_server
$pkgname-server-common:_server_common:noarch
$pkgname-server
+ $pkgname-server-common-openrc
"
source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar.gz
fix-utmp.patch
- sftp-interactive.patch
disable-forwarding-by-default.patch
- fix-verify-dns-segfault.patch
avoid-redefined-warnings-when-building-with-utmps.patch
- gss-serv.c.patch
+ default-internal-sftp.patch
+ include-config-dir.patch
sshd.initd
sshd.confd
+ sshd.pam
"
# secfixes:
+# 9.6_p1-r0:
+# - CVE-2023-48795
# 8.8_p1-r0:
# - CVE-2021-41617
# 8.5_p1-r0:
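Review bot: The new source entry `sshd.pam` (the PAM service file) has the same basename as the PAM-flavoured daemon that build() creates with `mv sshd sshd.pam`, so package() ends up with two nearby install lines that differ only by the `"$srcdir"/` prefix. If that prefix is ever dropped, the sshd binary would be installed as `/etc/pam.d/sshd` and the PAM build would ship without a valid service definition. Renaming the source file, for example to `sshd.pamd` (constructed name), and installing it with `install -Dm644 "$srcdir"/sshd.pamd "$pkgdir"/etc/pam.d/sshd` removes the ambiguity. The contents of the file are not part of this diff, so the auth stack it defines could not be reviewed here.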
@@ -78,6 +80,8 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
# - CVE-2016-10010
# - CVE-2016-10011
# - CVE-2016-10012
+# 0:
+# - CVE-2023-38408
builddir="$srcdir"/$pkgname-$_myver
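Review bot: The `0:` entry for CVE-2023-38408 is added to the secfixes map without any rationale. A `0:` key appears to mark a CVE as not affecting the package at all, which is a stronger claim than "fixed in release X", and this same commit moves the package from 9.0_p1 to 9.7_p1. Add a short comment above `# secfixes:` or a line in the commit description stating why the package is considered unaffected, e.g. `# CVE-2023-38408 is listed under 0: because <reason>`, so that scanner results relying on this entry can be audited.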
@@ -106,6 +110,8 @@ _do_configure() {
--with-cflags="$CFLAGS $_extra_cflags" \
--with-libs="$_extra_libs" \
--with-ldflags="$LDFLAGS" \
+ --disable-utmp \
+ --disable-wtmp \
--disable-lastlog \
--disable-strip \
--with-privsep-path=/var/empty \
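Review bot: `--disable-utmp` and `--disable-wtmp` are added next to the existing `--disable-lastlog` without a comment, while `fix-utmp.patch` and the utmps build dependencies stay in place. From the hunk alone it is not clear whether sshd still records logins through utmpx/utmps or whether session accounting is now off entirely, and those records are something incident responders look for. A comment above the flags would settle it, e.g. `# legacy utmp/wtmp writers disabled; login records go through utmps (utmpx)` if that is the intent. The BOOTSTRAP build deserves the same check, since utmps-dev is no longer a dependency there. _do_configure starts and ends outside the hunk.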
@@ -124,7 +130,7 @@ build() {
if [ -z "$BOOTSTRAP" ]; then
msg "Building openssh with pam support..."
- _do_configure --without-kerberos5 --with-pam
+ _do_configure --without-kerberos5 --with-pam --with-pam-service=sshd
make
mv sshd sshd.pam
@@ -146,7 +152,7 @@ check() {
# Run all tests except the t-exec tests which fail on the
# builders for some reason but pass locally (needs further
# investigation).
-# TEST_SSH_UNSAFE_PERMISSIONS=1 make -j1 file-tests interop-tests unit
+ TEST_SSH_UNSAFE_PERMISSIONS=1 make -j1 file-tests interop-tests unit
if [ -z "$BOOTSTRAP" ]; then
msg "verify pam build"
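Review bot: The re-enabled test line still sits under a comment saying the t-exec tests fail on the builders "for some reason", and `TEST_SSH_UNSAFE_PERMISSIONS=1` is not explained. That variable presumably relaxes the regress suite's file ownership and mode checks, so this run would not exercise sshd's strict permission handling. Say so in the comment, e.g. `# TEST_SSH_UNSAFE_PERMISSIONS=1: builder dirs have loose modes; regress-only, does not change the packaged sshd`. check() continues outside the hunk.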
@@ -171,9 +177,13 @@ package() {
if [ -z "$BOOTSTRAP" ]; then
install -m755 -t "$pkgdir"/usr/sbin/ sshd.pam sshd.krb5
install -m755 -t "$pkgdir"/usr/bin/ ssh.krb5
+ install -Dm644 "$srcdir"/sshd.pam "$pkgdir"/etc/pam.d/sshd
fi
mkdir -p "$pkgdir"/var/empty
+ mkdir -p "$pkgdir"/etc/ssh/ssh_config.d
+ mkdir -p "$pkgdir"/etc/ssh/sshd_config.d
+
install -D -m755 "$srcdir"/sshd.initd \
"$pkgdir"/etc/init.d/sshd
install -D -m644 "$srcdir"/sshd.confd \
@@ -190,7 +200,7 @@ package() {
keygen() {
pkgdesc="ssh helper program for generating keys"
- depends=
+ depends="libcrypto3>=3.1.0"
amove usr/bin/ssh-keygen
}
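Review bot: `depends="libcrypto3>=3.1.0"` is repeated as a literal in keygen(), _client_common() and keysign() with no comment giving the reason for the 3.1.0 floor. A reader cannot tell whether this is an ABI requirement of the new build or a guard against a known-bad libcrypto, and the three copies can drift apart on the next OpenSSL bump. Define it once near makedepends_host, e.g. `_libcrypto_dep="libcrypto3>=3.1.0"  # <reason for minimum version>`, and use `depends="$_libcrypto_dep"` (plus the existing openssh-client pin in keysign()) in the three functions.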
@@ -199,42 +209,43 @@ _client_krb5() {
pkgdesc="OpenBSD's SSH client with kerberos support"
depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-default"
provides="openssh-client=$pkgver-r$pkgrel"
- provider_priority=0
+ provider_priority=1
amove usr/bin/ssh.krb5
mv "$subpkgdir"/usr/bin/ssh.krb5 "$subpkgdir"/usr/bin/ssh
}
_ssh_sk_helper() {
- pkgdesc="OpenSSH libfido2 security key helper"
- depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"
- amove usr/lib/ssh/ssh-sk-helper
+ pkgdesc="OpenSSH libfido2 security key helper"
+ depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"
+ amove usr/lib/ssh/ssh-sk-helper
}
_client_default() {
pkgdesc="OpenBSD's SSH client"
depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-krb5"
provides="openssh-client=$pkgver-r$pkgrel"
- provider_priority=1
+ provider_priority=2
amove usr/bin/ssh
}
_client_common() {
pkgdesc="OpenBSD's SSH client common files"
- depends=""
+ depends="libcrypto3>=3.1.0"
install -d "$subpkgdir"/usr/lib/ssh \
"$subpkgdir"/var/empty
amove usr/bin
amove etc/ssh/ssh_config
+ amove etc/ssh/ssh_config.d
amove etc/ssh/moduli
}
keysign() {
pkgdesc="ssh helper program for host-based authentication"
- depends="openssh-client=$pkgver-r$pkgrel"
+ depends="openssh-client=$pkgver-r$pkgrel libcrypto3>=3.1.0"
amove usr/lib/ssh/ssh-keysign
}
@@ -251,8 +262,7 @@ _server_common() {
depends=""
amove etc/ssh/sshd_config
- amove etc/init.d/sshd
- amove etc/conf.d/sshd
+ amove etc/ssh/sshd_config.d
}
server() {
@@ -267,17 +277,22 @@ _server_with_flavor() {
pkgdesc="OpenSSH server with $_flavor support"
depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"
+ # pam flavor also ships a pam entry
+ if [ "$_flavor" = "pam" ]; then
+ amove etc/pam.d/sshd
+ fi
+
amove usr/sbin/sshd.$_flavor
}
sha512sums="
-613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9 openssh-9.0p1.tar.gz
-f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 fix-utmp.patch
-c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
+0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55 openssh-9.7p1.tar.gz
+b10a9eb167cfbb23b144fdb03f30a0363be9a715ceb3c202c971ec4f36160e434cc6bbad91d0e49106189e07152067f7e227df28b5a1b82f3901cb36cba321b5 fix-utmp.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
-b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch
e85754b2b6c4c37b432d166e63d6293e58c9c8bb6ebd8d3527c83afa2337f14c06d6a4e008ffcc0afd7dc3409e960b89c1dde41d2543c4be7d4813d477ff3a5e avoid-redefined-warnings-when-building-with-utmps.patch
-f659641b841981f78b03281b7a01add9fbf35b91c0f21c11335a56d7e389ddf965d83d18d73b724385311cdb597b6d6c46446cbc702cdd4d15e8f43591306cb3 gss-serv.c.patch
-50e407d72bfafc7fb276a1e56b1701f8cd91dfcbad2304bec516d69fc5e8334857ef96510dff76d0c407f29955dc2b18570d6f7b557688ceb641280f8279af83 sshd.initd
+1fb55aae445dfd9ededeba1f204a0c3e4a752128ad0a388f473ace074e68b040112f309192243621fd4f16b0d1cce4f083612b1639c3e18166abf92babe52c93 default-internal-sftp.patch
+ff73563e6018e94a1b2dd320cf32426f3945c0f4aa509eeb95783c34dd5c5c8dec91f6d71e4d538c4735539a4d8c724cf61d71513887d8a96b84109ae3a5562e include-config-dir.patch
+2cab1b844d4efb53f848308b4aaedbe74888d2e85bcb2e4dfdae7c18ac3ecea707829072a4276fbe90dfe2f537bbf48127d96f29ec5154e96c0bfb7437910d53 sshd.initd
be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09 sshd.confd
+5d3b62d724d930bafb6263d0600828771e667751cb5ba5070414dce7c3d0559bebdfb05960b721cfd20c81d3ad824291ffb10498798171c8bbbcbf389b706265 sshd.pam
"