commit: 8e24db02f210b7240deaca8c2c53f6bac1eb902c Author: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org> AuthorDate: Tue Oct 7 22:46:31 2025 +0000 Commit: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org> CommitDate: Tue Oct 7 22:46:31 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e24db02
net-misc/openssh: add 10.1_p1-r1 with backported patches This is mainly to fix terminal lags with 10.1p1 [1], but in the process, we backport other patches from the current 10.1 branch. Link: https://www.spinics.net/lists/openssh-unix-dev/msg10290.html [1] Closes: https://bugs.gentoo.org/963913 Signed-off-by: Jason A. Donenfeld <zx2c4 <AT> gentoo.org> ...n-t-reuse-c-isatty-for-signalling-that-th.patch | 76 ++++ .../0002-Add-clock_gettime-compat-shim.patch | 69 ++++ ...-copy-native-host-keys-for-hostbased-test.patch | 27 ++ ...M_RHOST-if-the-remote-host-is-not-UNKNOWN.patch | 32 ++ .../10.1_p1/0005-Add-fcntl.h-to-includes.patch | 29 ++ ...lloc-for-sshkeys-if-mmap-is-not-supported.patch | 68 ++++ net-misc/openssh/openssh-10.1_p1-r1.ebuild | 432 +++++++++++++++++++++ 7 files changed, 733 insertions(+) diff --git a/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch b/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch new file mode 100644 index 000000000000..6ba29a219cb2 --- /dev/null +++ b/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch @@ -0,0 +1,76 @@ +From 979cbc2c1e0c9cd2f60d45d8d1da69519ec425cf Mon Sep 17 00:00:00 2001 +From: "[email protected]" <[email protected]> +Date: Tue, 7 Oct 2025 08:02:32 +0000 +Subject: [PATCH 1/6] upstream: don't reuse c->isatty for signalling that the + remote channel + +has a tty attached as this causes side effects, e.g. in channel_handle_rfd(). +bz3872 + +ok markus@ + +OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8 +--- + channels.c | 9 +++++---- + channels.h | 3 ++- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/channels.c b/channels.c +index f1d7bcf34..80014ff34 100644 +--- a/channels.c ++++ b/channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */ + /* + * Author: Tatu Ylonen <[email protected]> + * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland +@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c) + { + struct ssh_channels *sc = ssh->chanctxt; + const char *type = c->xctype == NULL ? c->ctype : c->xctype; +- const char *classifier = c->isatty ? ++ const char *classifier = (c->isatty || c->remote_has_tty) ? + sc->bulk_classifier_tty : sc->bulk_classifier_notty; + + c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1; +@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, + void + channel_set_tty(struct ssh *ssh, Channel *c) + { +- c->isatty = 1; ++ c->remote_has_tty = 1; + channel_classify(ssh, c); + } + +@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c) + c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan, + c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id, + c->io_want, c->io_ready, +- c->isatty ? "T" : "", c->bulk ? "B" : "I"); ++ c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""), ++ c->bulk ? "B" : "I"); + return ret; + } + +diff --git a/channels.h b/channels.h +index df7c7f364..7456541f8 100644 +--- a/channels.h ++++ b/channels.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */ + + /* + * Author: Tatu Ylonen <[email protected]> +@@ -145,6 +145,7 @@ struct Channel { + int ctl_chan; /* control channel (multiplexed connections) */ + uint32_t ctl_child_id; /* child session for mux controllers */ + int have_ctl_child_id;/* non-zero if ctl_child_id is valid */ ++ int remote_has_tty; /* remote side has a tty */ + int isatty; /* rfd is a tty */ + #ifdef _AIX + int wfd_isatty; /* wfd is a tty */ +-- +2.51.0 + diff --git a/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch b/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch new file mode 100644 index 000000000000..1c23ababbacd --- /dev/null +++ b/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch @@ -0,0 +1,69 @@ +From 28a2788d609efe363b403432b08511c801d13667 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <[email protected]> +Date: Tue, 7 Oct 2025 20:04:40 +1100 +Subject: [PATCH 2/6] Add clock_gettime compat shim. + +This fixes the build on macOS prior to 10.12 Sierra, since it does not +have it. Found and tested by Sevan Janiyan. +--- + openbsd-compat/bsd-misc.c | 24 ++++++++++++++++++++++++ + openbsd-compat/bsd-misc.h | 8 ++++++++ + 2 files changed, 32 insertions(+) + +diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c +index 983cd3fe6..2c196ec23 100644 +--- a/openbsd-compat/bsd-misc.c ++++ b/openbsd-compat/bsd-misc.c +@@ -494,6 +494,30 @@ localtime_r(const time_t *timep, struct tm *result) + } + #endif + ++#ifndef HAVE_CLOCK_GETTIME ++int ++clock_gettime(clockid_t clockid, struct timespec *ts) ++{ ++ struct timeval tv; ++ ++ if (clockid != CLOCK_REALTIME) { ++ errno = ENOSYS; ++ return -1; ++ } ++ if (ts == NULL) { ++ errno = EFAULT; ++ return -1; ++ } ++ ++ if (gettimeofday(&tv, NULL) == -1) ++ return -1; ++ ++ ts->tv_sec = tv.tv_sec; ++ ts->tv_nsec = (long)tv.tv_usec * 1000; ++ return 0; ++} ++#endif ++ + #ifdef ASAN_OPTIONS + const char *__asan_default_options(void) { + return ASAN_OPTIONS; +diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h +index 2ad89cd83..8495f471c 100644 +--- a/openbsd-compat/bsd-misc.h ++++ b/openbsd-compat/bsd-misc.h +@@ -202,6 +202,14 @@ int flock(int, int); + struct tm *localtime_r(const time_t *, struct tm *); + #endif + ++#ifndef HAVE_CLOCK_GETTIME ++typedef int clockid_t; ++#ifndef CLOCK_REALTIME ++# define CLOCK_REALTIME 0 ++#endif ++int clock_gettime(clockid_t, struct timespec *); ++#endif ++ + #ifndef HAVE_REALPATH + #define realpath(x, y) (sftp_realpath((x), (y))) + #endif +-- +2.51.0 + diff --git a/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch b/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch new file mode 100644 index 000000000000..e863233a290b --- /dev/null +++ b/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch @@ -0,0 +1,27 @@ +From aefeee5bedcf117aa9278014eda5f099b5898a10 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <[email protected]> +Date: Tue, 7 Oct 2025 20:10:56 +1100 +Subject: [PATCH 3/6] Don't copy native host keys for hostbased test. + +Some github runners (notably macos-14) seem to have host keys where +public and private do not match, so generate our own keys for testing +purposes. +--- + .github/run_test.sh | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/.github/run_test.sh b/.github/run_test.sh +index aac9ce579..33c90ac29 100755 +--- a/.github/run_test.sh ++++ b/.github/run_test.sh +@@ -13,7 +13,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then + hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null + echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null + $SUDO mkdir -p $sshconf +- $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf + $SUDO make install + for key in $sshconf/ssh_host*key*.pub; do + echo `hostname` `cat $key` | \ +-- +2.51.0 + diff --git a/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch b/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch new file mode 100644 index 000000000000..001280ab9c87 --- /dev/null +++ b/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch @@ -0,0 +1,32 @@ +From acb690b499e0ec2ce37869c26133615762f53cab Mon Sep 17 00:00:00 2001 +From: Daan De Meyer <[email protected]> +Date: Mon, 20 Mar 2023 20:22:14 +0100 +Subject: [PATCH 4/6] Only set PAM_RHOST if the remote host is not "UNKNOWN" + +When using sshd's -i option with stdio that is not a AF_INET/AF_INET6 +socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then +set as the value of PAM_RHOST, causing pam to try to do a reverse DNS +query of "UNKNOWN", which times out multiple times, causing a +substantial slowdown when logging in. + +To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN". +--- + auth-pam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth-pam.c b/auth-pam.c +index 5dee7601b..5591f094e 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -758,7 +758,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt) + sshpam_laddr = get_local_ipaddr( + ssh_packet_get_connection_in(ssh)); + } +- if (sshpam_rhost != NULL) { ++ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) { + debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost); + sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, + sshpam_rhost); +-- +2.51.0 + diff --git a/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch b/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch new file mode 100644 index 000000000000..0874978ee8e5 --- /dev/null +++ b/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch @@ -0,0 +1,29 @@ +From 9f0dd9505db695aab1148a977e2668666ad4d177 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <[email protected]> +Date: Tue, 7 Oct 2025 20:25:07 +1100 +Subject: [PATCH 5/6] Add fcntl.h to includes. + +From FreeBSD via bz#3874: "This was previously included due to nested +includes in Heimdal's headers. Without this, the build fails with an +error due to redefining AT_FDCWD." +--- + includes.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/includes.h b/includes.h +index 8f933568d..96cddbc26 100644 +--- a/includes.h ++++ b/includes.h +@@ -34,6 +34,9 @@ + #ifdef HAVE_ENDIAN_H + # include <endian.h> + #endif ++#ifdef HAVE_FCNTL_H ++# include <fcntl.h> ++#endif + #ifdef HAVE_TTYENT_H + # include <ttyent.h> + #endif +-- +2.51.0 + diff --git a/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch b/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch new file mode 100644 index 000000000000..4a952738d5bb --- /dev/null +++ b/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch @@ -0,0 +1,68 @@ +From fabf4cd14108a60d9486f38ae58694d615592bc9 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <[email protected]> +Date: Tue, 7 Oct 2025 21:07:05 +1100 +Subject: [PATCH 6/6] Use calloc for sshkeys if mmap is not supported. + +Based on Github PR#597 from Mike Frysinger, any bugs added by me. +--- + configure.ac | 2 ++ + sshkey.c | 8 ++++++++ + 2 files changed, 10 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 3eb6d4697..98f2e3e1c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -536,6 +536,7 @@ AC_CHECK_HEADERS([ \ + nlist.h \ + poll.h \ + stdint.h \ ++ sys/mmap.h \ + sys/stat.h \ + sys/time.h \ + sys/un.h \ +@@ -2103,6 +2104,7 @@ AC_CHECK_FUNCS([ \ + memmove \ + memset_s \ + mkdtemp \ ++ mmap \ + ngetaddrinfo \ + nlist \ + nsleep \ +diff --git a/sshkey.c b/sshkey.c +index e17e929e0..206b72921 100644 +--- a/sshkey.c ++++ b/sshkey.c +@@ -723,6 +723,7 @@ sshkey_sk_cleanup(struct sshkey *k) + static int + sshkey_prekey_alloc(u_char **prekeyp, size_t len) + { ++#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE) + u_char *prekey; + + *prekeyp = NULL; +@@ -734,14 +735,21 @@ sshkey_prekey_alloc(u_char **prekeyp, size_t len) + #endif + *prekeyp = prekey; + return 0; ++#else ++ *prekeyp = calloc(1, len); ++#endif /* HAVE_MMAP et al */ + } + + static void + sshkey_prekey_free(void *prekey, size_t len) + { ++#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE) + if (prekey == NULL) + return; + munmap(prekey, len); ++#else ++ free(prekey); ++#endif /* HAVE_MMAP et al */ + } + + static void +-- +2.51.0 + diff --git a/net-misc/openssh/openssh-10.1_p1-r1.ebuild b/net-misc/openssh/openssh-10.1_p1-r1.ebuild new file mode 100644 index 000000000000..9d9f389b16d3 --- /dev/null +++ b/net-misc/openssh/openssh-10.1_p1-r1.ebuild @@ -0,0 +1,432 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Remember to check the upstream release/stable branches for patches +# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2. + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/"; +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + static? ( !kerberos !pam ) + test? ( ssl ) +" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND=" + ${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND=" + ${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) +" +BDEPEND=" + dev-build/autoconf + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" + # Backports from upstream release branch + "${FILESDIR}/${PV}" + # Our own backports +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." + ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + default + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK + # until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. + --without-hardening + --without-pie + --without-stackprotect + + # wtmpdb not yet packaged + --without-wtmpdb + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) + myconf+=( --disable-utmp --disable-wtmp ) + fi + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests file-tests unit ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" </dev/null +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + exeinto /etc/user/init.d + newexe "${FILESDIR}"/ssh-agent.initd ssh-agent + + if use pam; then + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + rmdir "${ED}"/var/empty || die + + systemd_dounit "${FILESDIR}"/sshd.socket + systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service + systemd_newunit "${FILESDIR}"/sshd_at.service.1 '[email protected]' + + # Install dropins with explicit mode, bug 906638, 915840 + diropts -m0755 + insopts -m0644 + insinto /etc/ssh + doins -r "${WORKDIR}"/etc/ssh/ssh_config.d + doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts + diropts -m0700 + insopts -m0600 + doins -r "${WORKDIR}"/etc/ssh/sshd_config.d +} + +pkg_preinst() { + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi +} + +pkg_postinst() { + # bug #139235 + optfeature "x11 forwarding" x11-apps/xauth + + if ver_replacing -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_replacing -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_replacing -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_replacing -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_replacing -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_replacing -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then + ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" + ewarn "'Restart=on-failure', which causes the service to automatically restart if it" + ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," + ewarn "but it can increase the vulnerability of the system in the event of a future exploit." + ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" + ewarn "set 'Restart=no' in your sshd unit file." + fi + + if [[ -n ${show_ssl_warning} ]]; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi + + openssh_maybe_restart +} + +openssh_maybe_restart() { + local ver + declare -a versions + read -ra versions <<<"${REPLACING_VERSIONS}" + for ver in "${versions[@]}"; do + # Exclude 9.8_p1 because it didn't have the safety check + [[ ${ver} == 9.8_p1 ]] && break + + if [[ ${ver%_*} == "${PV%_*}" ]]; then + # No major version change has occurred + return + fi + done + + if [[ ${ROOT} ]]; then + return + elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'" + systemctl try-restart sshd + eend $? + elif [[ -d /run/openrc ]]; then + # We don't check for sshd -t here because the OpenRC init script + # has a stop_pre() which does checkconfig, i.e. we defer to it + # to give nicer output for a failed sanity check. + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'" + rc-service -q --ifstarted --nodeps sshd restart + eend $? + fi +}
