blob: 50432c73aa5d44bffa6f5b13a7c973cecfe60426 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
|
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssh
pkgver=8.6_p1
_myver=${pkgver%_*}${pkgver#*_}
pkgrel=2
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
license="BSD"
options="suid"
depends="openssh-client openssh-sftp-server openssh-server"
makedepends_host="openssl-dev zlib-dev linux-headers"
#
# NOTE: if you edit this file, please make sure that it builds with `BOOSTRAP=1 abuild -r`
#
# build boostrap sshd without libedit, linux-pam and krb5
if [ -z "$BOOTSTRAP" ]; then
makedepends_host="$makedepends_host libedit-dev linux-pam-dev krb5-dev"
subpackages="$pkgname-client-krb5:_client_krb5
$pkgname-server-pam:_server_with_flavor
$pkgname-server-krb5:_server_with_flavor"
fi
makedepends="$makedepends_build $makedepends_host"
subpackages="$pkgname-dbg
$subpackages
$pkgname-doc
$pkgname-keygen
$pkgname-client-default:_client_default
$pkgname-client-common:_client_common
$pkgname-keysign
$pkgname-sftp-server:_sftp_server
$pkgname-server-common:_server_common:noarch
$pkgname-server
"
source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar.gz
fix-utmp.patch
sftp-interactive.patch
disable-forwarding-by-default.patch
fix-verify-dns-segfault.patch
sshd.initd
sshd.confd
"
# secfixes:
# 8.5_p1-r0:
# - CVE-2021-28041
# 8.4_p1-r0:
# - CVE-2020-14145
# 7.9_p1-r3:
# - CVE-2018-20685
# - CVE-2019-6109
# - CVE-2019-6111
# 7.7_p1-r4:
# - CVE-2018-15473
# 7.5_p1-r8:
# - CVE-2017-15906
# 7.4_p1-r0:
# - CVE-2016-10009
# - CVE-2016-10010
# - CVE-2016-10011
# - CVE-2016-10012
builddir="$srcdir"/$pkgname-$_myver
_do_configure() {
local _with_libedit="--with-libedit"
if [ -n "$BOOTSTRAP" ]; then
_with_libedit="--without-libedit"
fi
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/lib/ssh \
--mandir=/usr/share/man \
--with-pid-dir=/run \
--with-mantype=doc \
--with-ldflags="${LDFLAGS}" \
--disable-lastlog \
--disable-strip \
--disable-wtmp \
--with-privsep-path=/var/empty \
--with-xauth=/usr/bin/xauth \
--with-privsep-user=sshd \
--with-md5-passwords \
--with-ssl-engine \
$_with_libedit \
"$@"
}
build() {
export LD="$CC"
export TEST_SSH_UTF8=no # utf8 test fails
if [ -z "$BOOTSTRAP" ]; then
msg "Building openssh with pam support..."
_do_configure --without-kerberos5 --with-pam
make
mv sshd sshd.pam
msg "Building openssh with kerberos5"
_do_configure --with-kerberos5 --with-pam
make
mv sshd sshd.krb5
mv ssh ssh.krb5
fi
msg "Building openssh without pam and kerberos5"
_do_configure --without-kerberos5 --without-pam
make
}
check() {
# Run all tests except the t-exec tests which fail on the
# builders for some reason but pass locally (needs further
# investigation).
# TEST_SSH_UNSAFE_PERMISSIONS=1 make -j1 file-tests interop-tests unit
if [ -z "$BOOTSTRAP" ]; then
msg "verify pam build"
scanelf -n sshd.pam | grep libpam
msg "verify krb5 build"
scanelf -n sshd.krb5 | grep krb5
scanelf -n ssh.krb5 | grep krb5
fi
msg "verify minimal build"
for i in sshd ssh; do
if scanelf -n $i | grep -E '(libpam|krb5)'; then
error "$i should not be linked to libpam or libkrb5"
return 1
fi
done
}
package() {
make DESTDIR="$pkgdir" install
if [ -z "$BOOTSTRAP" ]; then
install -m755 -t "$pkgdir"/usr/sbin/ sshd.pam sshd.krb5
install -m755 -t "$pkgdir"/usr/bin/ ssh.krb5
fi
mkdir -p "$pkgdir"/var/empty
install -D -m755 "$srcdir"/sshd.initd \
"$pkgdir"/etc/init.d/sshd
install -D -m644 "$srcdir"/sshd.confd \
"$pkgdir"/etc/conf.d/sshd
install -Dm644 "$builddir"/contrib/ssh-copy-id.1 \
"$pkgdir"/usr/share/man/man1/ssh-copy-id.1
install -Dm755 "$builddir"/contrib/findssl.sh \
"$pkgdir"/usr/bin/findssl.sh
install -Dm755 "$builddir"/contrib/ssh-copy-id \
"$pkgdir"/usr/bin/ssh-copy-id
install -Dm755 "$builddir"/ssh-pkcs11-helper \
"$pkgdir"/usr/bin/ssh-pkcs11-helper
}
keygen() {
pkgdesc="ssh helper program for generating keys"
depends=
install -d "$subpkgdir"/usr/bin
mv "$pkgdir"/usr/bin/ssh-keygen \
"$subpkgdir"/usr/bin/
}
_client_krb5() {
pkgdesc="OpenBSD's SSH client with kerberos support"
depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-default"
provides="openssh-client=$pkgver-r$pkgrel"
provider_priority=0
amove usr/bin/ssh.krb5
mv "$subpkgdir"/usr/bin/ssh.krb5 "$subpkgdir"/usr/bin/ssh
}
_client_default() {
pkgdesc="OpenBSD's SSH client"
depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-krb5"
provides="openssh-client=$pkgver-r$pkgrel"
provider_priority=1
amove usr/bin/ssh
}
_client_common() {
pkgdesc="OpenBSD's SSH client common files"
depends=""
install -d "$subpkgdir"/usr/bin \
"$subpkgdir"/usr/lib/ssh \
"$subpkgdir"/etc/ssh \
"$subpkgdir"/var/empty
mv "$pkgdir"/usr/bin/* \
"$subpkgdir"/usr/bin/
mv "$pkgdir"/etc/ssh/ssh_config \
"$pkgdir"/etc/ssh/moduli \
"$subpkgdir"/etc/ssh/
}
keysign() {
pkgdesc="ssh helper program for host-based authentication"
depends="openssh-client=$pkgver-r$pkgrel"
install -d "$subpkgdir"/usr/lib/ssh
mv "$pkgdir"/usr/lib/ssh/ssh-keysign \
"$subpkgdir"/usr/lib/ssh/
}
_sftp_server() {
pkgdesc="ssh sftp server module"
depends=""
install -d "$subpkgdir"/usr/lib/ssh
mv "$pkgdir"/usr/lib/ssh/sftp-server \
"$subpkgdir"/usr/lib/ssh/
}
_server_common() {
pkgdesc="OpenSSH server configuration files"
depends=""
amove etc/ssh/sshd_config \
etc/init.d/sshd \
etc/conf.d/sshd
}
server() {
pkgdesc="OpenSSH server"
depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"
cd "$builddir"
install -d "$subpkgdir"/usr/sbin
mv "$pkgdir"/usr/sbin/sshd "$subpkgdir"/usr/sbin/
}
_server_with_flavor() {
local _flavor="${subpkgname#openssh-server-}"
pkgdesc="OpenSSH server with $_flavor support"
depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"
amove usr/sbin/sshd.$_flavor
}
sha512sums="
9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6 openssh-8.6p1.tar.gz
f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 fix-utmp.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch
48f3f2deb2425d77ff60a54f584c19209d9f202efd664a151626f1af77709e85142f4cf2a76c686cf59344b6a7fe5d2b65713e267b083b4b1b7ef905a71fe846 sshd.initd
be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09 sshd.confd
"
|