1 # Copyright 1999-2015 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Id$
4
EAPI="4"
inherit eutils user flag-o-matic multilib autotools pam systemd versionator

# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}

# Optional third-party patchsets.  Each one is fetched and applied only when
# its USE flag is set AND the variable below is non-empty; pkg_setup refuses
# to build if a requested patchset has no file for this release, so leaving a
# variable empty is how "not available for this version" is expressed.
HPN_PATCH="${PN}-7.0p1-hpnssh14v5.tar.xz"
LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
X509_VER="8.5" X509_PATCH="${PN}-${PV//_/}+x509-${X509_VER}.diff.gz"

DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
# Distfile integrity is enforced by the Manifest digests, not by the fetch
# transport, so the plain-http X509 URI below does not weaken verification;
# https is still the preferred form wherever the host offers it (as the
# dev.gentoo.org mirror for the HPN tarball already does).
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
        mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
        ${HPN_PATCH:+hpn? (
                mirror://gentoo/${HPN_PATCH}
                https://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
                mirror://sourceforge/hpnssh/${HPN_PATCH}
        )}
        ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
        ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
        "

LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
# Probably want to drop ssl defaulting to on in a future version.
# "hpn" is enabled by default only when a HPN patch exists for this version
# (the leading "+" is spliced in via ${HPN_PATCH:++}).  ssh1 (legacy
# protocol 1) is off by default and, like ldns, needs the openssl backend.
IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
# The X509 patchset cannot be combined with the LPK (ldap) patchset.
REQUIRED_USE="ldns? ( ssl )
        pie? ( !static )
        ssh1? ( ssl )
        static? ( !kerberos !pam )
        X509? ( !ldap ssl )"

# Libraries linked into the binaries.  The [static-libs(+)] markers are
# stripped out again for the non-static RDEPEND below, so the same list
# serves both the dynamic and the USE=static builds.
# bindist builds must use an ldns without ECDSA and an openssl built with
# the same bindist setting ([bindist=]).
LIB_DEPEND="
        ldns? (
                net-libs/ldns[static-libs(+)]
                !bindist? ( net-libs/ldns[ecdsa,ssl] )
                bindist? ( net-libs/ldns[-ecdsa,ssl] )
        )
        libedit? ( dev-libs/libedit[static-libs(+)] )
        sctp? ( net-misc/lksctp-tools[static-libs(+)] )
        selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
        skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
        ssl? (
                >=dev-libs/openssl-0.9.6d:0[bindist=]
                dev-libs/openssl[static-libs(+)]
        )
        >=sys-libs/zlib-1.2.3[static-libs(+)]"
RDEPEND="
        !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
        pam? ( virtual/pam )
        kerberos? ( virtual/krb5 )
        ldap? ( net-nds/openldap )"
DEPEND="${RDEPEND}
        static? ( ${LIB_DEPEND} )
        virtual/pkgconfig
        virtual/os-headers
        sys-devel/autoconf"
# Runtime-only additions, appended after DEPEND has captured the common part.
RDEPEND="${RDEPEND}
        pam? ( >=sys-auth/pambase-20081028 )
        userland_GNU? ( virtual/shadow )
        X? ( x11-apps/xauth )"

# Unpacked source directory (uses the "7.0p1" form, see PARCH above).
S=${WORKDIR}/${PARCH}
71
pkg_setup() {
        # this sucks, but i'd rather have people unable to `emerge -u openssh`
        # than not be able to log in to their server any more
        #
        # Each optional patchset is requested through a USE flag but only
        # exists for some releases.  Refuse to build (instead of silently
        # dropping the feature) when a requested one has no patch file here.
        local fail="" spec flag patchvar
        for spec in X509:X509_PATCH ldap:LDAP_PATCH hpn:HPN_PATCH ; do
                flag=${spec%%:*}
                patchvar=${spec#*:}
                if use ${flag} && [[ -z ${!patchvar} ]] ; then
                        fail+="${fail:+ }${flag}"
                fi
        done
        if [[ -n ${fail} ]] ; then
                eerror "Sorry, but this version does not yet support features"
                eerror "that you requested:      ${fail}"
                eerror "Please mask ${PF} for now and check back later:"
                eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
                die "booooo"
        fi

        # Make sure people who are using tcp wrappers are notified of its removal. #531156
        # This is only a warning -- the merge proceeds -- so any sshd access
        # policy that lived in hosts.allow/hosts.deny must be re-created
        # elsewhere (sshd_config, firewall) or it silently stops applying.
        local wrappers_cfg
        for wrappers_cfg in "${EROOT}"/etc/hosts.allow "${EROOT}"/etc/hosts.deny ; do
                if grep -qs '^ *sshd *:' "${wrappers_cfg}" ; then
                        ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
                        ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
                        break
                fi
        done
}
96
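save_version() {
        # version.h patch conflict avoidence
        #
        # Stash the version.h produced by the patchset just applied as
        # version.h.<tag> and put the pristine copy (made in src_prepare)
        # back, so the next patchset applies cleanly; src_prepare later merges
        # all the saved copies into one version.h.
        #
        # $1 - tag naming the patchset (X509, LPK or HPN)
        #
        # Every step now fails loudly: a silent mv/cp failure would leave the
        # wrong version.h in place and the merge step would pick it up.
        [[ -n $1 ]] || die "save_version: missing patchset tag"
        mv version.h "version.h.$1" || die "save_version: failed to stash version.h for $1"
        cp -f version.h.pristine version.h || die "save_version: failed to restore pristine version.h"
}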
102
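src_prepare() {
        # Point the X11 forwarding helper at the prefixed xauth location.
        sed -i \
                -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
                pathnames.h || die
        # keep this as we need it to avoid the conflict between LPK and HPN changing
        # this file.
        cp version.h version.h.pristine || die

        # don't break .ssh/authorized_keys2 for fun
        sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

        # Optional patchsets.  Order matters: each one is applied on top of
        # the previous ones, with save_version stashing its version.h so the
        # next patch does not conflict on that file.
        if use X509 ; then
                pushd .. >/dev/null
                #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
                epatch "${FILESDIR}"/${PN}-7.0_p1-sctp-x509-glue.patch
                popd >/dev/null
                epatch "${WORKDIR}"/${X509_PATCH%.*}
                epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
                epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
                save_version X509
        fi
        if use ldap ; then
                epatch "${WORKDIR}"/${LDAP_PATCH%.*}
                save_version LPK
        fi
        epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
        epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
        # The X509 patchset fixes this independently.
        use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
        epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
        if use hpn ; then
                EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
                        EPATCH_MULTI_MSG="Applying HPN patchset ..." \
                        epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
                save_version HPN
        fi

        # Tweak the configure machinery (both configure.ac and the shipped
        # configure, since eautoreconf runs below anyway).
        tc-export PKG_CONFIG
        local sed_args=(
                -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
                # Disable PATH reset, trust what portage gives us #254615
                -e 's:^PATH=/:#PATH=/:'
                # Disable fortify flags ... our gcc does this for us
                -e 's:-D_FORTIFY_SOURCE=2::'
        )
        # The -ftrapv flag ICEs on hppa #505182
        use hppa && sed_args+=(
                -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
                -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
        )
        sed -i "${sed_args[@]}" configure{.ac,} || die

        # Local user patches (applied last, before autoreconf). #473004
        epatch_user #473004

        # Now we can build a sane merged version.h
        #
        # Take the union of all stashed version.h copies minus their
        # SSH_RELEASE lines, then emit one SSH_RELEASE that concatenates the
        # tag macro of every applied patchset.  "${macros[*]}" joins the
        # array with spaces; the previous "${macros}" expanded to the first
        # element only, so with e.g. X509+HPN the X509 tag was dropped.
        (
                sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
                macros=()
                for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
                printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
        ) > version.h

        eautoreconf
}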
167
src_configure() {
        # configure probes a pty and the skey key store; keep the portage
        # sandbox from turning those probes into build failures.
        addwrite /dev/ptmx
        addpredict /etc/skey/skeykeys # skey configure code triggers this

        if use debug ; then
                # Debug build of upstream's seccomp sandbox filter; not meant
                # for production daemons.
                append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
        fi
        if use static ; then
                # Must happen before LDFLAGS is captured for --with-ldflags.
                append-ldflags -static
        fi

        local pid_dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
        local myconf=(
                --with-ldflags="${LDFLAGS}"
                --disable-strip
                --with-pid-dir="${pid_dir}"
                --sysconfdir="${EPREFIX}"/etc/ssh
                --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
                --datadir="${EPREFIX}"/usr/share/openssh
        )
        # Privilege separation: the unprivileged pre-auth process runs as
        # this user inside this empty directory (created in src_install,
        # account created in pkg_preinst).
        myconf+=(
                --with-privsep-path="${EPREFIX}"/var/empty
                --with-privsep-user=sshd
        )
        myconf+=(
                $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
                # We apply the ldap patch conditionally, so can't pass --without-ldap
                # unconditionally else we get unknown flag warnings.
                $(use ldap && use_with ldap)
                $(use_with ldns)
                $(use_with libedit)
                $(use_with pam)
                $(use_with pie)
                $(use_with sctp)
                $(use_with selinux)
                $(use_with skey)
                $(use_with ssh1)
                # The X509 patch deletes this option entirely.
                $(use X509 || use_with ssl openssl)
                $(use_with ssl md5-passwords)
                $(use_with ssl ssl-engine)
        )

        # The seccomp sandbox is broken on x32, so use the older method for now. #553748
        # rlimit is the weaker fallback sandbox, so this is deliberately
        # limited to that one ABI.
        if use amd64 && [[ ${ABI} == "x32" ]] ; then
                myconf+=( --with-sandbox=rlimit )
        fi

        # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
        if use elibc_FreeBSD ; then
                local kver=$(uname -r|sed 's/\(.\..\).*/\1/')
                if version_is_at_least 9.0 "${kver}" ; then
                        myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
                        append-ldflags -lutil
                fi
        fi

        econf "${myconf[@]}"
}
213
src_install() {
        # "install-nokeys": no host keys are generated at build time, so none
        # end up in the image or binary package; they have to be created on
        # the target system.
        emake install-nokeys DESTDIR="${D}"
        local sshd_cfg="${ED}"/etc/ssh/sshd_config
        local ssh_cfg="${ED}"/etc/ssh/ssh_config
        # The daemon config is for root's eyes only.
        fperms 600 /etc/ssh/sshd_config
        dobin contrib/ssh-copy-id
        newinitd "${FILESDIR}"/sshd.rc6.4 sshd
        newconfd "${FILESDIR}"/sshd.confd sshd
        # privsep chroot target (see --with-privsep-path in src_configure)
        keepdir /var/empty

        newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
        if use pam ; then
                # Route authentication through PAM and let PAM's session
                # modules handle motd/lastlog.  Native PasswordAuthentication
                # is switched off here; presumably password logins are then
                # served via PAM's keyboard-interactive path -- confirm against
                # the pambase sshd stack before relying on it.
                local pam_tweaks=(
                        -e "/^#UsePAM /s:.*:UsePAM yes:"
                        -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:"
                        -e "/^#PrintMotd /s:.*:PrintMotd no:"
                        -e "/^#PrintLastLog /s:.*:PrintLastLog no:"
                )
                sed -i "${pam_tweaks[@]}" "${sshd_cfg}" || die
        fi

        # Gentoo tweaks to default config files: forward the locale so remote
        # sessions see the client's LANG/LC_* settings (#367017).
        {
                echo
                echo "# Allow client to pass locale environment variables #367017"
                echo "AcceptEnv LANG LC_*"
        } >> "${sshd_cfg}"
        {
                echo
                echo "# Send locale environment variables #367017"
                echo "SendEnv LANG LC_*"
        } >> "${ssh_cfg}"

        # LDAP schema shipped with the LPK patchset (which REQUIRED_USE keeps
        # mutually exclusive with X509).
        if use ldap && ! use X509 && [[ -n ${LDAP_PATCH} ]] ; then
                insinto /etc/openldap/schema/
                newins openssh-lpk_openldap.schema openssh-lpk.schema
        fi

        doman contrib/ssh-copy-id.1
        dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config

        # New accounts get a private ~/.ssh so its contents are not readable
        # by other users.
        diropts -m 0700
        dodir /etc/skel/.ssh

        systemd_dounit "${FILESDIR}"/sshd.{service,socket}
        systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
258
src_test() {
        local -a suites=( interop-tests compat-tests )
        local skipped="" passed="" failed="" suite login_shell
        # The full "tests" target needs to spawn a login shell for the build
        # user; skip it when that account has no usable shell.
        login_shell=$(egetshell ${UID})
        case ${login_shell} in
                */nologin|*/false)
                        elog "Running the full OpenSSH testsuite"
                        elog "requires a usable shell for the 'portage'"
                        elog "user, so we will run a subset only."
                        skipped="${skipped} tests"
                        ;;
                *)
                        suites+=( tests )
                        ;;
        esac
        # It will also attempt to write to the homedir .ssh
        local sshhome=${T}/homedir
        mkdir -p "${sshhome}"/.ssh
        for suite in "${suites[@]}" ; do
                # Some tests read from stdin ...
                if HOMEDIR="${sshhome}" emake -k -j1 ${suite} </dev/null ; then
                        passed="${passed}${suite} "
                else
                        failed="${failed}${suite} "
                fi
        done
        einfo "Passed tests: ${passed}"
        ewarn "Skipped tests: ${skipped}"
        if [[ -n ${failed} ]] ; then
                ewarn "Failed tests: ${failed}"
                die "Some tests failed: ${failed}"
        fi
        einfo "Failed tests: ${failed}"
        return 0
}
292
pkg_preinst() {
        # Privilege-separation account: the unprivileged sshd process runs
        # as this user (see --with-privsep-user/--with-privsep-path in
        # src_configure).  Fixed uid/gid 22, no login shell, home in the
        # empty privsep directory.
        local privsep_user=sshd privsep_id=22
        enewgroup "${privsep_user}" "${privsep_id}"
        enewuser "${privsep_user}" "${privsep_id}" -1 /var/empty "${privsep_user}"
}
297
pkg_postinst() {
        local pkg="${CATEGORY}/${PN}"

        # Upgrade notes.  Each one is shown only when the previously installed
        # version predates the behaviour change it describes.
        if has_version "<${pkg}-5.8_p1" ; then
                elog "Starting with openssh-5.8p1, the server will default to a newer key"
                elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
                elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
        fi
        if has_version "<${pkg}-6.9_p1" ; then
                elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
        fi
        if has_version "<${pkg}-7.0_p1" ; then
                elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
                elog "Make sure to update any configs that you might have.  Note that xinetd might"
                elog "be an alternative for you as it supports USE=tcpd."
        fi
        if has_version "<${pkg}-7.1_p1" ; then #557388
                # The PubkeyAcceptedKeyTypes hint below re-enables the weak key
                # type upstream turned off; it is a migration aid, and the
                # last line (move to rsa/ed25519) is the actual fix.
                elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
                elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
                elog "adding to your sshd_config:"
                elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
                elog "You should however generate new keys using rsa or ed25519."
        fi

        # Switching an existing ssl-enabled install to USE=-ssl silently drops
        # every non-ed25519 key type; warn so admins do not lock themselves out.
        if ! use ssl && has_version "${pkg}[ssl]" ; then
                elog "Be aware that by disabling openssl support in openssh, the server and clients"
                elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
                elog "and update all clients/servers that utilize them."
        fi
}