Update hpn and x509 patches #135691 by Scott Jones.

(Portage version: 2.1_rc4-r3)

7 files changed, 298 insertions, 5 deletions

diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index 0670f736622c..1de220671e8c 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for net-misc/openssh
 # Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.172 2006/06/07 19:15:40 kumba Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.173 2006/06/08 11:23:45 vapier Exp $
+
+*openssh-4.3_p2-r2 (08 Jun 2006)
+
+  08 Jun 2006; Mike Frysinger <vapier@gentoo.org>
+  +files/openssh-4.3_p2-securid-hpn-glue.patch,
+  +files/openssh-4.3_p2-x509-hpn-glue.patch, openssh-4.2_p1-r1.ebuild,
+  +openssh-4.3_p2-r2.ebuild:
+  Update hpn and x509 patches #135691 by Scott Jones.
 
   07 Jun 2006; Joshua Kinard <kumba@gentoo.org> openssh-4.3_p2-r1.ebuild:
   Add sys-apps/shadow to RDEPEND/DEPEND so group/useradd is available. Fixes
diff --git a/net-misc/openssh/files/digest-openssh-4.2_p1-r1 b/net-misc/openssh/files/digest-openssh-4.2_p1-r1
index f18dee7ee02f..0a6a607a2b73 100644
--- a/net-misc/openssh/files/digest-openssh-4.2_p1-r1
+++ b/net-misc/openssh/files/digest-openssh-4.2_p1-r1
@@ -1,5 +1,7 @@
 MD5 6c89525f43b93fb2671af345dd85783b openssh-4.2p1+SecurID_v1.3.2.patch 616248
-MD5 bd234f201844fac2c4c44ffadd396741 openssh-4.2p1+x509-5.3.diff.gz 128507
+MD5 f2317f7a413f1d132a37e036166975b1 openssh-4.2p1+x509-5.5.diff.gz 133405
+RMD160 fba6bc99857d890cda0e5a88bf195b7e327f0aff openssh-4.2p1+x509-5.5.diff.gz 133405
+SHA256 42509cdd9edce6e6f2cb635cb480bfc0e3c0f26a0747760559742355a8b1ddce openssh-4.2p1+x509-5.5.diff.gz 133405
 MD5 4b8f0befa09f234d6e7f1a5849b86197 openssh-4.2p1-hpn11.diff 14765
 MD5 df899194a340c933944b193477c628fa openssh-4.2p1.tar.gz 914165
 MD5 b779906d657d63794144cabe2bf978b8 openssh-lpk-4.1p1-0.3.6.patch 60312
diff --git a/net-misc/openssh/files/digest-openssh-4.3_p2-r2 b/net-misc/openssh/files/digest-openssh-4.3_p2-r2
new file mode 100644
index 000000000000..d3a4d9bcd77b
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-4.3_p2-r2
@@ -0,0 +1,11 @@
+MD5 3611a21a0098c32416d4b8f75232c796 openssh-4.3p2+SecurID_v1.3.2.patch 47650
+MD5 bc93a31436941ae32e7f9d20c592eca7 openssh-4.3p2+x509-5.5.diff.gz 136017
+RMD160 21069550bbb05ea22870da853f68ee9910b2b71e openssh-4.3p2+x509-5.5.diff.gz 136017
+SHA256 b62ee8afd927d9c97367ac738be55464327deacabf803a610159a98c569e72ad openssh-4.3p2+x509-5.5.diff.gz 136017
+MD5 5ade4be51e0d49c18f4107013c60ac14 openssh-4.3p2-hpn12.diff.gz 14806
+RMD160 38ca2a73a3ff9aae8c6b9eba6c07eb962b4beb71 openssh-4.3p2-hpn12.diff.gz 14806
+SHA256 d98d8a016d6b7a83c9c821339e6d01b8d67a7607ec7ace11a72b347689411a74 openssh-4.3p2-hpn12.diff.gz 14806
+MD5 7e9880ac20a9b9db0d3fea30a9ff3d46 openssh-4.3p2.tar.gz 941455
+RMD160 ccd5967e3296347e6dd2be43c3d6caacde2b6833 openssh-4.3p2.tar.gz 941455
+SHA256 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f openssh-4.3p2.tar.gz 941455
+MD5 d9eacb819a73daddb3d21ca7aa8e5c25 openssh-lpk-4.3p1-0.3.7.patch 60451
diff --git a/net-misc/openssh/files/openssh-4.3_p2-securid-hpn-glue.patch b/net-misc/openssh/files/openssh-4.3_p2-securid-hpn-glue.patch
new file mode 100644
index 000000000000..01f11970b35f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.3_p2-securid-hpn-glue.patch
@@ -0,0 +1,69 @@
+tweak the secure id code a little so hpn patches cleanly
+
+--- servconf.c
++++ servconf.c
+@@ -643,6 +643,32 @@
+ 			*intptr = value;
+ 		break;
+ 
++#ifdef SECURID
++	case sSecurIDAuthentication:
++		intptr = &options->securid_authentication;
++		goto parse_flag;
++
++	case sSecurIDFallBack:
++		intptr = &options->securid_fallback;
++		goto parse_flag;
++
++	case sAllowNonSecurID:
++		intptr = &options->allow_nonsecurid;
++		goto parse_flag;
++
++	case sNegateSecurIDUsers:
++		intptr = &options->negate_securid_users;
++		goto parse_flag;
++
++	case sSecurIDUsersFile:
++		charptr = &options->securid_usersfile;
++		goto parse_filename;
++
++	case sSecurIDIgnoreShell:
++		intptr = &options->securid_ignore_shell;
++		goto parse_flag;
++#endif
++
+ 	case sIgnoreRhosts:
+ 		intptr = &options->ignore_rhosts;
+ parse_flag:
+@@ -662,31 +688,6 @@
+ 			*intptr = value;
+ 		break;
+ 
+-#ifdef SECURID
+-        case sSecurIDAuthentication:
+-                intptr = &options->securid_authentication;
+-                goto parse_flag;
+-
+-        case sSecurIDFallBack:
+-                intptr = &options->securid_fallback;
+-                goto parse_flag;
+-
+-        case sAllowNonSecurID:
+-                intptr = &options->allow_nonsecurid;
+-                goto parse_flag;
+-
+-        case sNegateSecurIDUsers:
+-                intptr = &options->negate_securid_users;
+-                goto parse_flag;
+-
+-        case sSecurIDUsersFile:
+-                charptr = &options->securid_usersfile;
+-                goto parse_filename;
+-
+-        case sSecurIDIgnoreShell:
+-                intptr = &options->securid_ignore_shell;
+-                goto parse_flag;
+-#endif
+ 	case sIgnoreUserKnownHosts:
+ 		intptr = &options->ignore_user_known_hosts;
+ 		goto parse_flag;
diff --git a/net-misc/openssh/files/openssh-4.3_p2-x509-hpn-glue.patch b/net-misc/openssh/files/openssh-4.3_p2-x509-hpn-glue.patch
new file mode 100644
index 000000000000..6b027da99afc
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.3_p2-x509-hpn-glue.patch
@@ -0,0 +1,36 @@
+tweak the x509 code a little so hpn patches cleanly
+
+--- servconf.c
++++ servconf.c
+@@ -335,6 +335,7 @@
+ 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ 	sUsePrivilegeSeparation,
++	sDeprecated, sUnsupported
+ 	sHostbasedAlgorithms,
+ 	sPubkeyAlgorithms,
+ 	sX509KeyAlgorithm,
+@@ -345,7 +346,6 @@
+ 	sCAldapVersion, sCAldapURL,
+ 	sVAType, sVACertificateFile,
+ 	sVAOCSPResponderURL,
+-	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+ /* Textual representation of the tokens. */
+@@ -446,6 +446,7 @@
+ 	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
+ 	{ "useprivilegeseparation", sUsePrivilegeSeparation},
+ 	{ "acceptenv", sAcceptEnv },
++	{ "permittunnel", sPermitTunnel },
+ 	{ "hostbasedalgorithms", sHostbasedAlgorithms },
+ 	{ "pubkeyalgorithms", sPubkeyAlgorithms },
+ 	{ "x509rsasigtype", sDeprecated },
+@@ -462,7 +463,6 @@
+ 	{ "vatype", sVAType },
+ 	{ "vacertificatefile", sVACertificateFile },
+ 	{ "vaocspresponderurl", sVAOCSPResponderURL },
+-	{ "permittunnel", sPermitTunnel },
+ 	{ NULL, sBadOption }
+ };
+ 
diff --git a/net-misc/openssh/openssh-4.2_p1-r1.ebuild b/net-misc/openssh/openssh-4.2_p1-r1.ebuild
index 7cb8bba2761d..fa7b818bad45 100644
--- a/net-misc/openssh/openssh-4.2_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-4.2_p1-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.2_p1-r1.ebuild,v 1.13 2006/02/19 18:22:20 kumba Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.2_p1-r1.ebuild,v 1.14 2006/06/08 11:23:45 vapier Exp $
 
 inherit eutils flag-o-matic ccc pam
 
@@ -8,7 +8,7 @@ inherit eutils flag-o-matic ccc pam
 # and _p? releases.
 PARCH=${P/_/}
 
-X509_PATCH="${PARCH}+x509-5.3.diff.gz"
+X509_PATCH="${PARCH}+x509-5.5.diff.gz"
 SECURID_PATCH="${PARCH}+SecurID_v1.3.2.patch"
 LDAP_PATCH="${PARCH/-4.2/-lpk-4.1}-0.3.6.patch"
 HPN_PATCH="${PARCH}-hpn11.diff"
@@ -17,7 +17,7 @@ DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="http://www.openssh.com/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 	ldap? ( http://www.opendarwin.org/en/projects/openssh-lpk/files/${LDAP_PATCH} )
-	X509? ( http://roumenpetrov.info/openssh/x509-5.3/${X509_PATCH} )
+	X509? ( http://roumenpetrov.info/openssh/x509-5.5/${X509_PATCH} )
 	hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
 	smartcard? ( http://www.omniti.com/~jesus/projects/${SECURID_PATCH} )"
 
diff --git a/net-misc/openssh/openssh-4.3_p2-r2.ebuild b/net-misc/openssh/openssh-4.3_p2-r2.ebuild
new file mode 100644
index 000000000000..4a1e05099a03
--- /dev/null
+++ b/net-misc/openssh/openssh-4.3_p2-r2.ebuild
@@ -0,0 +1,167 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.3_p2-r2.ebuild,v 1.1 2006/06/08 11:23:45 vapier Exp $
+
+inherit eutils flag-o-matic ccc pam
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH="${PARCH}+x509-5.5.diff.gz"
+SECURID_PATCH="${PARCH}+SecurID_v1.3.2.patch"
+LDAP_PATCH="${PARCH/-4.3p2/-lpk-4.3p1}-0.3.7.patch"
+HPN_PATCH="${PARCH}-hpn12.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
+	X509? ( http://roumenpetrov.info/openssh/x509-5.5/${X509_PATCH} )
+	smartcard? ( http://www.omniti.com/~jesus/projects/${SECURID_PATCH} )
+	ldap? ( http://www.opendarwin.org/projects/openssh-lpk/files/${LDAP_PATCH} )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard sftplogging hpn libedit"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=app-admin/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( || ( dev-libs/libedit sys-freebsd/freebsd-lib ) )
+	>=dev-libs/openssl-0.9.6d
+	>=sys-libs/zlib-1.2.3
+	smartcard? ( dev-libs/opensc )
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	sys-devel/autoconf"
+PROVIDE="virtual/ssh"
+
+S=${WORKDIR}/${PARCH}
+
+src_unpack() {
+	unpack ${PARCH}.tar.gz
+	cd "${S}"
+
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+
+	epatch "${FILESDIR}"/openssh-4.3_p1-krb5-typos.patch #124494
+	use X509 && epatch "${DISTDIR}"/${X509_PATCH} "${FILESDIR}"/${P}-x509-hpn-glue.patch
+	use sftplogging && epatch "${FILESDIR}"/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2
+	use chroot && epatch "${FILESDIR}"/openssh-3.9_p1-chroot.patch
+	if use X509 ; then
+		cp "${FILESDIR}"/openssh-4.3_p2-selinux.patch .
+		epatch "${FILESDIR}"/openssh-4.3_p2-selinux.patch.glue ./openssh-4.3_p2-selinux.patch
+	else
+		epatch "${FILESDIR}"/openssh-4.3_p2-selinux.patch
+	fi
+	use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
+	if ! use X509 ; then
+		if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then
+			epatch "${DISTDIR}"/${SECURID_PATCH} "${FILESDIR}"/${P}-securid-hpn-glue.patch
+			use ldap && epatch "${FILESDIR}"/openssh-4.0_p1-smartcard-ldap-happy.patch
+		fi
+		if use ldap ; then
+			use sftplogging \
+				&& ewarn "Sorry, sftplogging and ldap don't get along, disabling ldap" \
+				|| epatch "${DISTDIR}"/${LDAP_PATCH}
+		fi
+	elif [[ -n ${SECURID_PATCH} ]] && use smartcard || use ldap ; then
+		ewarn "Sorry, x509 and smartcard/ldap don't get along"
+	fi
+	[[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
+
+	sed -i '/LD.*ssh-keysign/s:$: '$(bindnow-flags)':' Makefile.in || die "setuid"
+
+	autoconf || die "autoconf failed"
+}
+
+src_compile() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	local myconf
+	# make sure .sbss is large enough
+	use skey && use alpha && append-ldflags -mlarge-data
+	if use ldap ; then
+		filter-flags -funroll-loops
+		myconf="${myconf} --with-ldap"
+	fi
+	use selinux && append-flags -DWITH_SELINUX && append-ldflags -lselinux
+
+	if use static ; then
+		append-ldflags -static
+		use pam && ewarn "Disabling pam support becuse of static flag"
+		myconf="${myconf} --without-pam"
+	else
+		myconf="${myconf} $(use_with pam)"
+	fi
+
+	use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--disable-suid-ssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		$(use_with libedit) \
+		$(use_with kerberos kerberos5 /usr) \
+		$(use_with tcpd tcp-wrappers) \
+		$(use_with skey) \
+		$(use_with smartcard opensc) \
+		${myconf} \
+		|| die "bad configure"
+
+	emake || die "compile problem"
+}
+
+src_install() {
+	make install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include sshd
+	dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
+	use pam \
+		&& dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config \
+		&& dosed "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" /etc/ssh/sshd_config
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+}
+
+pkg_postinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "restart sshd: '/etc/init.d/sshd restart'."
+	ewarn
+	einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+	einfo "functionality, but please ensure that you do not explicitly disable"
+	einfo "this in your configuration as disabling it opens security holes"
+	einfo
+	einfo "This revision has removed your sshd user id and replaced it with a"
+	einfo "new one with UID 22.  If you have any scripts or programs that"
+	einfo "that referenced the old UID directly, you will need to update them."
+	einfo
+	if use pam ; then
+		einfo "Please be aware users need a valid shell in /etc/passwd"
+		einfo "in order to be allowed to login."
+		einfo
+	fi
+}