aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Löthberg <johannes@kyriasis.com>2014-08-06 04:30:10 +0100
committerJohannes Löthberg <johannes@kyriasis.com>2015-06-01 16:03:41 +0200
commit415d616004de7a6d999a38d93bbbc5a34b460751 (patch)
tree3d0709fda1f74495427ad16b5f3951b05cdf50d2
downloadpkgbuilds-415d616004de7a6d999a38d93bbbc5a34b460751.tar.xz
openssh → openssh-princ-fp
-rw-r--r--.SRCINFO46
-rw-r--r--GSS_AUTH_KRB5_PRINC-env4openssh.diff14
-rw-r--r--PKGBUILD102
-rw-r--r--curve25519pad.patch171
-rw-r--r--install10
-rw-r--r--pubkey_fingerprint.patch10
-rw-r--r--sshd.pam6
-rw-r--r--sshd.service17
-rw-r--r--sshd.socket10
-rw-r--r--sshd@.service8
-rw-r--r--sshdgenkeys.service17
11 files changed, 411 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 0000000..246d995
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,46 @@
+# Generated by makepkg 4.2.1
+# Mon Jun 1 14:54:07 UTC 2015
+pkgbase = openssh-princ-fp
+ pkgdesc = Free version of the SSH connectivity tools
+ pkgver = 6.6p1
+ pkgrel = 1
+ url = http://www.openssh.org/portable.html
+ install = install
+ arch = i686
+ arch = x86_64
+ license = custom:BSD
+ makedepends = linux-headers
+ depends = krb5
+ depends = openssl
+ depends = libedit
+ depends = ldns
+ optdepends = xorg-xauth: X11 forwarding
+ optdepends = x11-ssh-askpass: input passphrase in X
+ conflicts = openssh
+ replaces = openssh
+ backup = etc/ssh/ssh_config
+ backup = etc/ssh/sshd_config
+ backup = etc/pam.d/sshd
+ source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-princ-fp-6.6p1.tar.gz
+ source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-princ-fp-6.6p1.tar.gz.asc
+ source = GSS_AUTH_KRB5_PRINC-env4openssh.diff
+ source = pubkey_fingerprint.patch
+ source = curve25519pad.patch
+ source = sshdgenkeys.service
+ source = sshd@.service
+ source = sshd.service
+ source = sshd.socket
+ source = sshd.pam
+ sha1sums = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
+ sha1sums = SKIP
+ sha1sums = 34f85eeb736fab630926f1ac59e752556cae43ee
+ sha1sums = 83ba34572eb6c1ee250034a69a7eb9e9137d7068
+ sha1sums = 13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad
+ sha1sums = cc1ceec606c98c7407e7ac21ade23aed81e31405
+ sha1sums = 6a0ff3305692cf83aca96e10f3bb51e1c26fccda
+ sha1sums = ec49c6beba923e201505f5669cea48cad29014db
+ sha1sums = e12fa910b26a5634e5a6ac39ce1399a132cf6796
+ sha1sums = d93dca5ebda4610ff7647187f8928a3de28703f3
+
+pkgname = openssh-princ-fp
+
diff --git a/GSS_AUTH_KRB5_PRINC-env4openssh.diff b/GSS_AUTH_KRB5_PRINC-env4openssh.diff
new file mode 100644
index 0000000..60b555f
--- /dev/null
+++ b/GSS_AUTH_KRB5_PRINC-env4openssh.diff
@@ -0,0 +1,14 @@
+--- gss-serv-krb5.c.orig 2012-07-12 14:33:31.117551679 +0200
++++ gss-serv-krb5.c 2012-07-12 14:34:30.319020970 +0200
+@@ -104,6 +104,11 @@
+ } else
+ retval = 0;
+
++#ifdef USE_PAM
++ if (options.use_pam)
++ do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value);
++#endif
++
+ krb5_free_principal(krb_context, princ);
+ return retval;
+ }
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..a730206
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,102 @@
+pkgname=openssh-princ-fp
+pkgver=6.6p1
+pkgrel=1
+
+pkgdesc='Free version of the SSH connectivity tools'
+url='http://www.openssh.org/portable.html'
+arch=('i686' 'x86_64')
+license=('custom:BSD')
+
+depends=('krb5' 'openssl' 'libedit' 'ldns')
+optdepends=('xorg-xauth: X11 forwarding'
+ 'x11-ssh-askpass: input passphrase in X')
+makedepends=('linux-headers')
+
+conflicts=('openssh')
+replaces=('openssh')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
+ 'GSS_AUTH_KRB5_PRINC-env4openssh.diff'
+ 'pubkey_fingerprint.patch'
+ 'curve25519pad.patch'
+ 'sshdgenkeys.service'
+ 'sshd@.service'
+ 'sshd.service'
+ 'sshd.socket'
+ 'sshd.pam')
+sha1sums=('b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e' 'SKIP'
+ '34f85eeb736fab630926f1ac59e752556cae43ee'
+ '83ba34572eb6c1ee250034a69a7eb9e9137d7068'
+ '13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad'
+ 'cc1ceec606c98c7407e7ac21ade23aed81e31405'
+ '6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
+ 'ec49c6beba923e201505f5669cea48cad29014db'
+ 'e12fa910b26a5634e5a6ac39ce1399a132cf6796'
+ 'd93dca5ebda4610ff7647187f8928a3de28703f3')
+
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p0 -i ../GSS_AUTH_KRB5_PRINC-env4openssh.diff
+ patch -p0 -i ../pubkey_fingerprint.patch
+ patch -p0 -i ../curve25519pad.patch
+}
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --with-ldns \
+ --with-libedit \
+ --with-ssl-engine \
+ --with-pam \
+ --with-privsep-user=nobody \
+ --with-kerberos5=/usr \
+ --with-xauth=/usr/bin/xauth \
+ --with-mantype=man \
+ --with-md5-passwords \
+ --with-pid-dir=/run \
+
+ make
+}
+
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make tests || true
+ # hard to suitably test connectivity:
+ # - fails with /bin/false as login shell
+ # - fails with firewall activated, etc.
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make DESTDIR="${pkgdir}" install
+
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+ install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service
+ install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
+ install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ sed \
+ -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+ -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ -i "${pkgdir}"/etc/ssh/sshd_config
+}
diff --git a/curve25519pad.patch b/curve25519pad.patch
new file mode 100644
index 0000000..9774a93
--- /dev/null
+++ b/curve25519pad.patch
@@ -0,0 +1,171 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h 27 Feb 2014 23:01:54 -0000 1.82
++++ version.h 20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c 31 Dec 2013 01:25:41 -0000 1.82
++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ { "OpenSSH_4*", 0 },
+ { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ { "OpenSSH*", SSH_NEW_OPENSSH },
+ { "*MindTerm*", 0 },
+ { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ return cipher_prop;
+ }
+
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ if (*pkalg_prop == '\0')
+ fatal("No supported PK algorithms found");
+ return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
+ }
+
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- compat.h 31 Dec 2013 01:25:41 -0000 1.42
++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *
+ int proto_spec(const char *);
+ char *compat_cipher_proposal(char *);
+ char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ }
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+
+ if (l > 8 * 1024)
+ fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+ p = buf = xmalloc(l + 1);
+ /*
+ * If most significant bit is set then prepend a zero byte to
+_______________________________________________
+openssh-unix-dev mailing list
+openssh-unix-dev@mindrot.org
+https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev \ No newline at end of file
diff --git a/install b/install
new file mode 100644
index 0000000..6f0cd37
--- /dev/null
+++ b/install
@@ -0,0 +1,10 @@
+post_upgrade() {
+ if [[ $(vercmp $2 6.2p2) = -1 ]]; then
+ cat <<EOF
+
+==> The sshd daemon has been moved to /usr/bin alongside all binaries.
+==> Please update this path in your scripts if applicable.
+
+EOF
+ fi
+}
diff --git a/pubkey_fingerprint.patch b/pubkey_fingerprint.patch
new file mode 100644
index 0000000..4956fe7
--- /dev/null
+++ b/pubkey_fingerprint.patch
@@ -0,0 +1,10 @@
+--- auth2-pubkey.c 2013-12-31 02:25:41.000000000 +0100
++++ auth2-pubkey.c 2014-08-06 03:08:06.841409407 +0200
+@@ -409,6 +409,7 @@
+ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ debug("matching key found: file %s, line %lu %s %s",
+ file, linenum, key_type(found), fp);
++ do_pam_putenv("SSH_FINGERPRINT", fp);
+ free(fp);
+ break;
+ }
diff --git a/sshd.pam b/sshd.pam
new file mode 100644
index 0000000..7ecef08
--- /dev/null
+++ b/sshd.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+#auth required pam_securetty.so #disable remote root
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
diff --git a/sshd.service b/sshd.service
new file mode 100644
index 0000000..55ed953
--- /dev/null
+++ b/sshd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+# This service file runs an SSH daemon that forks for each incoming connection.
+# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service.
diff --git a/sshd.socket b/sshd.socket
new file mode 100644
index 0000000..e09e328
--- /dev/null
+++ b/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/sshd@.service b/sshd@.service
new file mode 100644
index 0000000..7ce3d37
--- /dev/null
+++ b/sshd@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+ExecStart=-/usr/bin/sshd -i
+StandardInput=socket
+StandardError=syslog
diff --git a/sshdgenkeys.service b/sshdgenkeys.service
new file mode 100644
index 0000000..1d01b7a
--- /dev/null
+++ b/sshdgenkeys.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes