1 # Copyright 1999-2015 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
6 inherit eutils user flag-o-matic multilib autotools pam systemd versionator
8 # Make it more portable between straight releases
# Optional patchset distfiles. Each is versioned independently of OpenSSH
# itself; leaving one empty disables the matching USE feature (the
# maybe_fail check below refuses the flag, and IUSE only defaults hpn on
# when HPN_PATCH is set). Transport for these is plain http/mirror, so the
# integrity of what gets applied rests on the package Manifest digests,
# not on the download channel.
HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"   # HPN-SSH patchset (tarball of patches)
LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"   # LDAP public-key (LPK) patch
# The X.509 diff name embeds ${PV} with underscores removed (e.g. X.Y_pN -> X.YpN).
X509_VER="8.5" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
18 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
19 mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
21 mirror://gentoo/${HPN_PATCH}
22 https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
23 mirror://sourceforge/hpnssh/${HPN_PATCH}
25 ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
26 ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
# Probably want to drop ssl defaulting to on in a future version.
# "${HPN_PATCH:++}hpn": when a HPN patch tarball is defined the flag is
# emitted as "+hpn" (on by default); with no patch it stays plain "hpn",
# so a feature that cannot be built is never enabled by default and the
# maybe_fail check below rejects it if requested explicitly.
IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
34 REQUIRED_USE="ldns? ( ssl )
37 static? ( !kerberos !pam )
42 net-libs/ldns[static-libs(+)]
43 !bindist? ( net-libs/ldns[ecdsa,ssl] )
44 bindist? ( net-libs/ldns[-ecdsa,ssl] )
46 libedit? ( dev-libs/libedit[static-libs(+)] )
47 sctp? ( net-misc/lksctp-tools[static-libs(+)] )
48 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
49 skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
51 >=dev-libs/openssl-0.9.6d:0[bindist=]
52 dev-libs/openssl[static-libs(+)]
54 >=sys-libs/zlib-1.2.3[static-libs(+)]"
56 !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
58 kerberos? ( virtual/krb5 )
59 ldap? ( net-nds/openldap )"
61 static? ( ${LIB_DEPEND} )
66 pam? ( >=sys-auth/pambase-20081028 )
67 userland_GNU? ( virtual/shadow )
68 X? ( x11-apps/xauth )"
73 # this sucks, but i'd rather have people unable to `emerge -u openssh`
74 # than not be able to log in to their server any more
#######################################
# Report a requested feature whose patch source is not available.
# Arguments: $1 - feature name to print
#            $2 - name of the variable holding the patch distfile
# Outputs:   prints $1 to stdout when the variable named by $2 is
#            unset or empty; prints nothing otherwise
# Returns:   0 when the feature name was printed, 1 otherwise
#######################################
maybe_fail() {
	local feature=$1
	local patch_var=$2
	# Indirect expansion: look up the variable whose name is in $2.
	[[ -z ${!patch_var} ]] || return 1
	echo "${feature}"
}
77 $(use X509 && maybe_fail X509 X509_PATCH)
78 $(use ldap && maybe_fail ldap LDAP_PATCH)
79 $(use hpn && maybe_fail hpn HPN_PATCH)
82 if [[ -n ${fail} ]] ; then
83 eerror "Sorry, but this version does not yet support features"
84 eerror "that you requested: ${fail}"
85 eerror "Please mask ${PF} for now and check back later:"
86 eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
90 # Make sure people who are using tcp wrappers are notified of its removal. #531156
91 if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
92 ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
93 ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
# version.h patch conflict avoidance
99 mv version.h version.h.$1
100 cp -f version.h.pristine version.h
105 -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
107 # keep this as we need it to avoid the conflict between LPK and HPN changing
109 cp version.h version.h.pristine
111 # don't break .ssh/authorized_keys2 for fun
112 sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
116 #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
117 epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
119 epatch "${WORKDIR}"/${X509_PATCH%.*}
120 epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
121 epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
125 epatch "${WORKDIR}"/${LDAP_PATCH%.*}
128 epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
129 epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
130 # The X509 patchset fixes this independently.
131 use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
132 epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
134 EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
135 EPATCH_MULTI_MSG="Applying HPN patchset ..." \
136 epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
142 -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
143 # Disable PATH reset, trust what portage gives us #254615
144 -e 's:^PATH=/:#PATH=/:'
145 # Disable fortify flags ... our gcc does this for us
146 -e 's:-D_FORTIFY_SOURCE=2::'
148 # The -ftrapv flag ICEs on hppa #505182
149 use hppa && sed_args+=(
150 -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
151 -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
153 sed -i "${sed_args[@]}" configure{.ac,} || die
157 # Now we can build a sane merged version.h
159 sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
161 for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
162 printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
170 addpredict /etc/skey/skeykeys # skey configure code triggers this
172 use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
173 use static && append-ldflags -static
176 --with-ldflags="${LDFLAGS}"
178 --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
179 --sysconfdir="${EPREFIX}"/etc/ssh
180 --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
181 --datadir="${EPREFIX}"/usr/share/openssh
182 --with-privsep-path="${EPREFIX}"/var/empty
183 --with-privsep-user=sshd
184 $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
185 # We apply the ldap patch conditionally, so can't pass --without-ldap
186 # unconditionally else we get unknown flag warnings.
187 $(use ldap && use_with ldap)
196 # The X509 patch deletes this option entirely.
197 $(use X509 || use_with ssl openssl)
198 $(use_with ssl md5-passwords)
199 $(use_with ssl ssl-engine)
202 # The seccomp sandbox is broken on x32, so use the older method for now. #553748
203 use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
205 # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
206 if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
207 myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
208 append-ldflags -lutil
215 emake install-nokeys DESTDIR="${D}"
216 fperms 600 /etc/ssh/sshd_config
217 dobin contrib/ssh-copy-id
218 newinitd "${FILESDIR}"/sshd.rc6.4 sshd
219 newconfd "${FILESDIR}"/sshd.confd sshd
222 newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
225 -e "/^#UsePAM /s:.*:UsePAM yes:" \
226 -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
227 -e "/^#PrintMotd /s:.*:PrintMotd no:" \
228 -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
229 "${ED}"/etc/ssh/sshd_config || die
232 # Gentoo tweaks to default config files
233 cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
235 # Allow client to pass locale environment variables #367017
238 cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
240 # Send locale environment variables #367017
244 if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
245 insinto /etc/openldap/schema/
246 newins openssh-lpk_openldap.schema openssh-lpk.schema
249 doman contrib/ssh-copy-id.1
250 dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
255 systemd_dounit "${FILESDIR}"/sshd.{service,socket}
256 systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
260 local t tests skipped failed passed shell
261 tests="interop-tests compat-tests"
263 shell=$(egetshell ${UID})
264 if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
265 elog "Running the full OpenSSH testsuite"
266 elog "requires a usable shell for the 'portage'"
267 elog "user, so we will run a subset only."
268 skipped="${skipped} tests"
270 tests="${tests} tests"
272 # It will also attempt to write to the homedir .ssh
273 local sshhome=${T}/homedir
274 mkdir -p "${sshhome}"/.ssh
275 for t in ${tests} ; do
276 # Some tests read from stdin ...
277 HOMEDIR="${sshhome}" \
278 emake -k -j1 ${t} </dev/null \
279 && passed="${passed}${t} " \
280 || failed="${failed}${t} "
282 einfo "Passed tests: ${passed}"
283 ewarn "Skipped tests: ${skipped}"
284 if [[ -n ${failed} ]] ; then
285 ewarn "Failed tests: ${failed}"
286 die "Some tests failed: ${failed}"
288 einfo "Failed tests: ${failed}"
295 enewuser sshd 22 -1 /var/empty sshd
299 if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
300 elog "Starting with openssh-5.8p1, the server will default to a newer key"
301 elog "algorithm (ECDSA). You are encouraged to manually update your stored"
302 elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
304 if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
305 elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
307 if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
308 elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
309 elog "Make sure to update any configs that you might have. Note that xinetd might"
310 elog "be an alternative for you as it supports USE=tcpd."
312 if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
313 elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
314 elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
315 elog "adding to your sshd_config:"
316 elog " PubkeyAcceptedKeyTypes=+ssh-dss"
317 elog "You should however generate new keys using rsa or ed25519."
319 if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
320 elog "Be aware that by disabling openssl support in openssh, the server and clients"
321 elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
322 elog "and update all clients/servers that utilize them."