blob: 9df791880ce58a4a3c65969a740e0970d91eb22c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.3_p1.ebuild,v 1.6 2006/06/27 01:09:53 vapier Exp $
inherit eutils flag-o-matic ccc pam
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_/}
X509_PATCH="${PARCH}+x509-5.3.diff.gz"
SECURID_PATCH="" #${PARCH}+SecurID_v1.3.2.patch"
LDAP_PATCH="${PARCH/-4.3/-lpk-4.3}-0.3.7.patch"
HPN_PATCH="${PARCH}-hpn11.diff"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
X509? ( http://roumenpetrov.info/openssh/x509-5.3/${X509_PATCH} )
ldap? ( http://www.opendarwin.org/projects/openssh-lpk/files/${LDAP_PATCH} )"
# smartcard? ( http://www.omniti.com/~jesus/projects/${SECURID_PATCH} )
LICENSE="as-is"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard sftplogging hpn libedit"
RDEPEND="pam? ( virtual/pam )
kerberos? ( virtual/krb5 )
selinux? ( sys-libs/libselinux )
skey? ( >=app-admin/skey-1.1.5-r1 )
ldap? ( net-nds/openldap )
libedit? ( dev-libs/libedit )
>=dev-libs/openssl-0.9.6d
>=sys-libs/zlib-1.2.3
smartcard? ( dev-libs/opensc )
tcpd? ( >=sys-apps/tcp-wrappers-7.6 )"
DEPEND="${RDEPEND}
virtual/os-headers
sys-devel/autoconf"
PROVIDE="virtual/ssh"
S=${WORKDIR}/${PARCH}
src_unpack() {
unpack ${PARCH}.tar.gz
cd "${S}"
sed -i \
-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
pathnames.h || die
epatch "${FILESDIR}"/openssh-4.3_p2-configure.patch #137921
use X509 && epatch "${DISTDIR}"/${X509_PATCH}
use sftplogging && epatch "${FILESDIR}"/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2
use chroot && epatch "${FILESDIR}"/openssh-3.9_p1-chroot.patch
epatch "${FILESDIR}"/openssh-4.2_p1-selinux.patch
use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
if ! use X509 ; then
if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then
epatch "${DISTDIR}"/${SECURID_PATCH}
use ldap && epatch "${FILESDIR}"/openssh-4.0_p1-smartcard-ldap-happy.patch
fi
if use ldap ; then
use sftplogging \
&& ewarn "Sorry, sftplogging and ldap don't get along, disabling ldap" \
|| epatch "${DISTDIR}"/${LDAP_PATCH}
fi
elif [[ -n ${SECURID_PATCH} ]] && use smartcard || use ldap ; then
ewarn "Sorry, x509 and smartcard/ldap don't get along"
fi
[[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
sed -i '/LD.*ssh-keysign/s:$: '$(bindnow-flags)':' Makefile.in || die "setuid"
autoconf || die "autoconf failed"
}
src_compile() {
addwrite /dev/ptmx
addpredict /etc/skey/skeykeys #skey configure code triggers this
local myconf
# make sure .sbss is large enough
use skey && use alpha && append-ldflags -mlarge-data
if use ldap ; then
filter-flags -funroll-loops
myconf="${myconf} --with-ldap"
fi
use selinux && append-flags -DWITH_SELINUX && append-ldflags -lselinux
if use static ; then
append-ldflags -static
use pam && ewarn "Disabling pam support becuse of static flag"
myconf="${myconf} --without-pam"
else
myconf="${myconf} $(use_with pam)"
fi
use ipv6 || myconf="${myconf} --with-ipv4-default"
econf \
--with-ldflags="${LDFLAGS}" \
--disable-strip \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/$(get_libdir)/misc \
--datadir=/usr/share/openssh \
--disable-suid-ssh \
--with-privsep-path=/var/empty \
--with-privsep-user=sshd \
--with-md5-passwords \
$(use_with libedit) \
$(use_with kerberos kerberos5 /usr) \
$(use_with tcpd tcp-wrappers) \
$(use_with skey) \
$(use_with smartcard opensc) \
${myconf} \
|| die "bad configure"
emake || die "compile problem"
}
src_install() {
make install-nokeys DESTDIR="${D}" || die
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd.rc6 sshd
newconfd "${FILESDIR}"/sshd.confd sshd
keepdir /var/empty
newpamd "${FILESDIR}"/sshd.pam_include sshd
dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
use pam \
&& dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config \
&& dosed "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" /etc/ssh/sshd_config
doman contrib/ssh-copy-id.1
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
}
pkg_postinst() {
enewgroup sshd 22
enewuser sshd 22 -1 /var/empty sshd
ewarn "Remember to merge your config files in /etc/ssh/ and then"
ewarn "restart sshd: '/etc/init.d/sshd restart'."
ewarn
einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
einfo "functionality, but please ensure that you do not explicitly disable"
einfo "this in your configuration as disabling it opens security holes"
einfo
einfo "This revision has removed your sshd user id and replaced it with a"
einfo "new one with UID 22. If you have any scripts or programs that"
einfo "that referenced the old UID directly, you will need to update them."
einfo
if use pam ; then
einfo "Please be aware users need a valid shell in /etc/passwd"
einfo "in order to be allowed to login."
einfo
fi
}
|