diff options
author | Lars Wendler <polynomial-c@gentoo.org> | 2014-04-25 07:11:59 +0000 |
---|---|---|
committer | Lars Wendler <polynomial-c@gentoo.org> | 2014-04-25 07:11:59 +0000 |
commit | 11275458b52f4e6ff46fd60eb5cd2c36b0043136 (patch) | |
tree | 1db01eca7e53d95278cf4b7f06a981e0f31cce5c /net-misc/openssh | |
parent | Version bump. (diff) | |
download | gentoo-2-11275458b52f4e6ff46fd60eb5cd2c36b0043136.tar.gz gentoo-2-11275458b52f4e6ff46fd60eb5cd2c36b0043136.tar.bz2 gentoo-2-11275458b52f4e6ff46fd60eb5cd2c36b0043136.zip |
Version bump by James Cloos (bug #508604)
(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key 0x981CA6FC)
Diffstat (limited to 'net-misc/openssh')
-rw-r--r-- | net-misc/openssh/ChangeLog | 10 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 | ||||
-rw-r--r-- | net-misc/openssh/openssh-6.6.1_p1.ebuild | 319 |
4 files changed, 521 insertions, 1 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog index a1071e2c1595..3972f13f5dfd 100644 --- a/net-misc/openssh/ChangeLog +++ b/net-misc/openssh/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-misc/openssh # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.520 2014/04/24 17:02:01 polynomial-c Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.521 2014/04/25 07:11:59 polynomial-c Exp $ + +*openssh-6.6.1_p1 (25 Apr 2014) + + 25 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> +openssh-6.6.1_p1.ebuild, + +files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch, + +files/openssh-6.6.1_p1.patch: + Version bump by James Cloos (bug #508604). This is an unusual one as upstream + only provides a patch (not a release tarball). 24 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -files/openssh-5.2p1-ldap-stdargs.diff, -files/openssh-5.4_p1-openssl.patch, diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch new file mode 100644 index 000000000000..c76015dd93b8 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch @@ -0,0 +1,26 @@ +make the hpn patch apply when the x509 patch has also been applied + +--- openssh-6.6.1p1-hpnssh14v4.diff ++++ openssh-6.6.1p1-hpnssh14v4.diff +@@ -1742,18 +1742,14 @@ + if (options->ip_qos_interactive == -1) + options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +-@@ -345,9 +393,10 @@ ++@@ -345,6 +393,7 @@ + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled, + sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, +-- sAuthenticationMethods, sHostKeyAgent, +-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent, +- sDeprecated, sUnsupported +- } ServerOpCodes; +- ++ sAuthenticationMethods, sHostKeyAgent, + @@ -468,6 +517,10 @@ + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch b/net-misc/openssh/files/openssh-6.6.1_p1.patch new file mode 100644 index 000000000000..b11f6fb1a75e --- /dev/null +++ b/net-misc/openssh/files/openssh-6.6.1_p1.patch @@ -0,0 +1,167 @@ +Hi, + +So I screwed up when writing the support for the curve25519 KEX method +that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left +leading zero bytes where they should have been skipped. The impact of +this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a +peer that implements curve25519-sha256 at libssh.org properly about 0.2% +of the time (one in every 512ish connections). + +We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 +key exchange for previous versions, but I'd recommend distributors +of OpenSSH apply this patch so the affected code doesn't become +too entrenched in LTS releases. + +The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as +to distinguish itself from the incorrect versions so the compatibility +code to disable the affected KEX isn't activated. + +I've committed this on the 6.6 branch too. + +Apologies for the hassle. + +-d + +Index: version.h +=================================================================== +RCS file: /var/cvs/openssh/version.h,v +retrieving revision 1.82 +diff -u -p -r1.82 version.h +--- version.h 27 Feb 2014 23:01:54 -0000 1.82 ++++ version.h 20 Apr 2014 03:35:15 -0000 +@@ -1,6 +1,6 @@ + /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ + +-#define SSH_VERSION "OpenSSH_6.6" ++#define SSH_VERSION "OpenSSH_6.6.1" + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +Index: compat.c +=================================================================== +RCS file: /var/cvs/openssh/compat.c,v +retrieving revision 1.82 +retrieving revision 1.85 +diff -u -p -r1.82 -r1.85 +--- compat.c 31 Dec 2013 01:25:41 -0000 1.82 ++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85 +@@ -95,6 +95,9 @@ compat_datafellows(const char *version) + { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, + { "OpenSSH_4*", 0 }, + { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, ++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, ++ { "OpenSSH_6.5*," ++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, + { "OpenSSH*", SSH_NEW_OPENSSH }, + { "*MindTerm*", 0 }, + { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| +@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop + return cipher_prop; + } + +- + char * + compat_pkalg_proposal(char *pkalg_prop) + { +@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop) + if (*pkalg_prop == '\0') + fatal("No supported PK algorithms found"); + return pkalg_prop; ++} ++ ++char * ++compat_kex_proposal(char *kex_prop) ++{ ++ if (!(datafellows & SSH_BUG_CURVE25519PAD)) ++ return kex_prop; ++ debug2("%s: original KEX proposal: %s", __func__, kex_prop); ++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256 at libssh.org"); ++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); ++ if (*kex_prop == '\0') ++ fatal("No supported key exchange algorithms found"); ++ return kex_prop; + } + +Index: compat.h +=================================================================== +RCS file: /var/cvs/openssh/compat.h,v +retrieving revision 1.42 +retrieving revision 1.43 +diff -u -p -r1.42 -r1.43 +--- compat.h 31 Dec 2013 01:25:41 -0000 1.42 ++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43 +@@ -59,6 +59,7 @@ + #define SSH_BUG_RFWD_ADDR 0x02000000 + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 ++#define SSH_BUG_CURVE25519PAD 0x10000000 + + void enable_compat13(void); + void enable_compat20(void); +@@ -66,6 +67,7 @@ void compat_datafellows(const char * + int proto_spec(const char *); + char *compat_cipher_proposal(char *); + char *compat_pkalg_proposal(char *); ++char *compat_kex_proposal(char *); + + extern int compat13; + extern int compat20; +Index: sshd.c +=================================================================== +RCS file: /var/cvs/openssh/sshd.c,v +retrieving revision 1.448 +retrieving revision 1.453 +diff -u -p -r1.448 -r1.453 +--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448 ++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453 +@@ -2462,6 +2438,9 @@ do_ssh2_kex(void) + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); +Index: sshconnect2.c +=================================================================== +RCS file: /var/cvs/openssh/sshconnect2.c,v +retrieving revision 1.197 +retrieving revision 1.199 +diff -u -p -r1.197 -r1.199 +--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197 ++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199 +@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); + + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, +Index: bufaux.c +=================================================================== +RCS file: /var/cvs/openssh/bufaux.c,v +retrieving revision 1.62 +retrieving revision 1.63 +diff -u -p -r1.62 -r1.63 +--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62 ++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ ++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo at cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland +@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); ++ /* Skip leading zero bytes */ ++ for (; l > 0 && *s == 0; l--, s++) ++ ; + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to diff --git a/net-misc/openssh/openssh-6.6.1_p1.ebuild b/net-misc/openssh/openssh-6.6.1_p1.ebuild new file mode 100644 index 000000000000..50c2d746c73d --- /dev/null +++ b/net-misc/openssh/openssh-6.6.1_p1.ebuild @@ -0,0 +1,319 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6.1_p1.ebuild,v 1.1 2014/04/25 07:11:59 polynomial-c Exp $ + +EAPI="4" +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/.1_} + +#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz" +HPN_PATCH="${PN}-6.6.1p1-hpnssh14v4.diff.xz" +LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz" +X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )} + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509" + +LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + >=dev-libs/openssl-0.9.6d:0[bindist=] + dev-libs/openssl[static-libs(+)] + >=sys-libs/zlib-1.2.3[static-libs(+)] + tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )" +RDEPEND=" + !static? ( + ${LIB_DEPEND//\[static-libs(+)]} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( + ${LIB_DEPEND} + ldns? ( + !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) + bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] ) + ) + ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_setup() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + epatch "${FILESDIR}"/${P}.patch #508604 + + epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361 + if use X509 ; then + pushd .. >/dev/null + epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch + use hpn && epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-hpn14v4-glue-p2.patch + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch + save_version X509 + fi + if ! use X509 ; then + if [[ -n ${LDAP_PATCH} ]] && use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + else + use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP" + fi + epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch + if [[ -n ${HPN_PATCH} ]] && use hpn; then + epatch "${WORKDIR}"/${HPN_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632 + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +static_use_with() { + local flag=$1 + if use static && use ${flag} ; then + ewarn "Disabling '${flag}' support because of USE='static'" + # rebuild args so that we invert the first one (USE flag) + # but otherwise leave everything else working so we can + # just leverage use_with + shift + [[ -z $1 ]] && flag="${flag} ${flag}" + set -- !${flag} "$@" + fi + use_with "$@" +} + +src_configure() { + local myconf + addwrite /dev/ptmx + addpredict /etc/skey/skeykeys #skey configure code triggers this + + use static && append-ldflags -static + + # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011) + if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then + myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx" + append-ldflags -lutil + fi + + econf \ + --with-ldflags="${LDFLAGS}" \ + --disable-strip \ + --with-pid-dir="${EPREFIX}"/var/run \ + --sysconfdir="${EPREFIX}"/etc/ssh \ + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \ + --datadir="${EPREFIX}"/usr/share/openssh \ + --with-privsep-path="${EPREFIX}"/var/empty \ + --with-privsep-user=sshd \ + --with-md5-passwords \ + --with-ssl-engine \ + $(static_use_with pam) \ + $(static_use_with kerberos kerberos5 /usr) \ + ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \ + $(use_with ldns) \ + $(use_with libedit) \ + $(use_with selinux) \ + $(use_with skey) \ + $(use_with tcpd tcp-wrappers) \ + ${myconf} +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + # not all openssl installs support ecc, or are functional #352645 + if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then + elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support" + sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die + fi + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed" + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + keepdir /var/empty/dev + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + ewarn "Remember to merge your config files in /etc/ssh/ and then" + ewarn "reload sshd: '/etc/init.d/sshd reload'." + # This instruction is from the HPN webpage, + # Used for the server logging functionality + if [[ -n ${HPN_PATCH} ]] && use hpn ; then + echo + einfo "For the HPN server logging patch, you must ensure that" + einfo "your syslog application also listens at /var/empty/dev/log." + fi +} |