1 # Copyright 1999-2020 Gentoo Authors
2 # Distributed under the terms of the GNU General Public License v2
6 inherit user flag-o-matic multilib autotools pam systemd toolchain-funcs
8 # Make it more portable between straight releases
12 HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
13 SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
14 X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
16 PATCH_SET="openssh-7.7p1-patches-1.2"
18 DESCRIPTION="Port of OpenBSD's free SSH release"
19 HOMEPAGE="https://www.openssh.com/"
20 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
21 https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
22 ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
23 ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
24 ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
29 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
30 # Probably want to drop ssl defaulting to on in a future version.
31 IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
32 RESTRICT="!test? ( test )"
33 REQUIRED_USE="ldns? ( ssl )
35 static? ( !kerberos !pam )
40 audit? ( sys-process/audit[static-libs(+)] )
42 net-libs/ldns[static-libs(+)]
43 !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
44 bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
46 libedit? ( dev-libs/libedit:=[static-libs(+)] )
47 sctp? ( net-misc/lksctp-tools[static-libs(+)] )
48 selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
49 skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
52 >=dev-libs/openssl-1.0.1:0=[bindist=]
53 dev-libs/openssl:0=[static-libs(+)]
55 libressl? ( dev-libs/libressl:0=[static-libs(+)] )
57 >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
59 !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
61 kerberos? ( virtual/krb5 )"
63 static? ( ${LIB_DEPEND} )
68 pam? ( >=sys-auth/pambase-20081028 )
69 userland_GNU? ( !prefix? ( sys-apps/shadow ) )
70 X? ( x11-apps/xauth )"
72 S="${WORKDIR}/${PARCH}"
75 # this sucks, but i'd rather have people unable to `emerge -u openssh`
76 # than not be able to log in to their server any more
77 maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
79 $(use hpn && maybe_fail hpn HPN_PATCH)
80 $(use sctp && maybe_fail sctp SCTP_PATCH)
81 $(use X509 && maybe_fail X509 X509_PATCH)
84 if [[ -n ${fail} ]] ; then
85 eerror "Sorry, but this version does not yet support features"
86 eerror "that you requested: ${fail}"
87 eerror "Please mask ${PF} for now and check back later:"
88 eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
92 # Make sure people who are using tcp wrappers are notified of its removal. #531156
93 if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
94 ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
95 ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
101 -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
104 # don't break .ssh/authorized_keys2 for fun
105 sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
107 eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
108 eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
109 eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
111 local PATCHSET_VERSION_MACROS=()
114 eapply "${WORKDIR}"/${X509_PATCH%.*}
116 # We need to patch package version or any X.509 sshd will reject our ssh client
117 # with "userauth_pubkey: could not parse key: string is too large [preauth]"
119 einfo "Patching package version for X.509 patch set ..."
121 -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
122 "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
124 einfo "Patching version.h to expose X.509 patch set ..."
126 -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
127 "${S}"/version.h || die "Failed to sed-in X.509 patch version"
128 PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
130 einfo "Disabling broken X.509 agent test ..."
133 "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
135 # The following patches don't apply on top of X509 patch
136 rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
137 rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
138 rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
139 rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
141 rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
142 rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
146 eapply "${WORKDIR}"/${SCTP_PATCH%.*}
148 einfo "Patching version.h to expose SCTP patch set ..."
150 -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
151 "${S}"/version.h || die "Failed to sed-in SCTP patch version"
152 PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
154 einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
156 -e "/\t\tcfgparse \\\/d" \
157 "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
161 eapply "${WORKDIR}"/${HPN_PATCH%.*}
163 einfo "Patching Makefile.in for HPN patch set ..."
165 -e "/^LIBS=/ s/\$/ -lpthread/" \
166 "${S}"/Makefile.in || die "Failed to patch Makefile.in"
168 einfo "Patching version.h to expose HPN patch set ..."
170 -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
171 "${S}"/version.h || die "Failed to sed-in HPN patch version"
172 PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
174 if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
175 einfo "Disabling known non-working MT AES cipher per default ..."
177 cat > "${T}"/disable_mtaes.conf <<- EOF
179 # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
180 # and therefore disabled per default.
184 -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
185 "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
188 -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
189 "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
193 if use X509 || use hpn ; then
194 einfo "Patching packet.c for X509 and/or HPN patch set ..."
196 -e "s/const struct sshcipher/struct sshcipher/" \
197 "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
200 if use X509 || use sctp || use hpn ; then
201 einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
203 -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
204 "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
206 einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
208 -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
209 "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
211 einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
213 -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
214 "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
218 -e "/#UseLogin no/d" \
219 "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
221 eapply "${WORKDIR}"/patch/*.patch
227 -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
228 # Disable PATH reset, trust what portage gives us #254615
229 -e 's:^PATH=/:#PATH=/:'
230 # Disable fortify flags ... our gcc does this for us
231 -e 's:-D_FORTIFY_SOURCE=2::'
234 # The -ftrapv flag ICEs on hppa #505182
235 use hppa && sed_args+=(
236 -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
237 -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
239 # _XOPEN_SOURCE causes header conflicts on Solaris
240 [[ ${CHOST} == *-solaris* ]] && sed_args+=(
241 -e 's/-D_XOPEN_SOURCE//'
243 sed -i "${sed_args[@]}" configure{.ac,} || die
251 use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
252 use static && append-ldflags -static
255 --with-ldflags="${LDFLAGS}"
257 --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
258 --sysconfdir="${EPREFIX}"/etc/ssh
259 --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
260 --datadir="${EPREFIX}"/usr/share/openssh
261 --with-privsep-path="${EPREFIX}"/var/empty
262 --with-privsep-user=sshd
263 $(use_with audit audit linux)
264 $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
265 # We apply the sctp patch conditionally, so can't pass --without-sctp
266 # unconditionally else we get unknown flag warnings.
267 $(use sctp && use_with sctp)
274 $(use_with ssl openssl)
275 $(use_with ssl md5-passwords)
276 $(use_with ssl ssl-engine)
277 $(use_with !elibc_Cygwin hardening) #659210
280 # stackprotect is broken on musl x86
281 use elibc_musl && use x86 && myconf+=( --without-stackprotect )
283 # The seccomp sandbox is broken on x32, so use the older method for now. #553748
284 use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
290 local t skipped=() failed=() passed=()
291 local tests=( interop-tests compat-tests )
293 local shell=$(egetshell "${UID}")
294 if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
295 elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
296 elog "user, so we will run a subset only."
302 # It will also attempt to write to the homedir .ssh.
303 local sshhome=${T}/homedir
304 mkdir -p "${sshhome}"/.ssh
305 for t in "${tests[@]}" ; do
306 # Some tests read from stdin ...
307 HOMEDIR="${sshhome}" HOME="${sshhome}" \
308 emake -k -j1 ${t} </dev/null \
309 && passed+=( "${t}" ) \
310 || failed+=( "${t}" )
313 einfo "Passed tests: ${passed[*]}"
314 [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
315 [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
318 # Gentoo tweaks to default config files.
319 tweak_ssh_configs() {
321 # These are language variables that POSIX defines.
322 # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
323 LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
325 # These are the GNU extensions.
326 # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
327 LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
330 # First the server config.
331 cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
333 # Allow client to pass locale environment variables. #367017
334 AcceptEnv ${locale_vars[*]}
336 # Allow client to pass COLORTERM to match TERM. #658540
340 # Then the client config.
341 cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
343 # Send locale environment variables. #367017
344 SendEnv ${locale_vars[*]}
346 # Send COLORTERM to match TERM. #658540
352 -e "/^#UsePAM /s:.*:UsePAM yes:" \
353 -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
354 -e "/^#PrintMotd /s:.*:PrintMotd no:" \
355 -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
356 "${ED%/}"/etc/ssh/sshd_config || die
361 -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
362 "${ED%/}"/etc/ssh/sshd_config || die
367 emake install-nokeys DESTDIR="${D}"
368 fperms 600 /etc/ssh/sshd_config
369 dobin contrib/ssh-copy-id
370 newinitd "${FILESDIR}"/sshd.initd sshd
371 newconfd "${FILESDIR}"/sshd-r1.confd sshd
373 newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
377 doman contrib/ssh-copy-id.1
378 dodoc CREDITS OVERVIEW README* TODO sshd_config
379 use hpn && dodoc HPN-README
380 use X509 || dodoc ChangeLog
387 systemd_dounit "${FILESDIR}"/sshd.{service,socket}
388 systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
393 enewuser sshd 22 -1 /var/empty sshd
397 if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
398 elog "Starting with openssh-5.8p1, the server will default to a newer key"
399 elog "algorithm (ECDSA). You are encouraged to manually update your stored"
400 elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
402 if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
403 elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
404 elog "Make sure to update any configs that you might have. Note that xinetd might"
405 elog "be an alternative for you as it supports USE=tcpd."
407 if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
408 elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
409 elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
410 elog "adding to your sshd_config or ~/.ssh/config files:"
411 elog " PubkeyAcceptedKeyTypes=+ssh-dss"
412 elog "You should however generate new keys using rsa or ed25519."
414 elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
415 elog "to 'prohibit-password'. That means password auth for root users no longer works"
416 elog "out of the box. If you need this, please update your sshd_config explicitly."
418 if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
419 elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
420 elog "Furthermore, rsa keys with less than 1024 bits will be refused."
422 if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
423 elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
424 elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
425 elog "if you need to authenticate against LDAP."
426 elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
428 if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
429 elog "Be aware that by disabling openssl support in openssh, the server and clients"
430 elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
431 elog "and update all clients/servers that utilize them."
434 if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
436 elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
437 elog "and therefore disabled at runtime per default."
438 elog "Make sure your sshd_config is up to date and contains"
440 elog " DisableMTAES yes"
442 elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."