new blfs: net-misc/openssh-10.2_p1

2026-01-21 22:05:53 -05:00
parent 065013c0df
commit bf478e196e
9 changed files with 303 additions and 0 deletions
--- a/net-misc/openssh-10.2_p1.PKGBUILD
+++ b/net-misc/openssh-10.2_p1.PKGBUILD
@@ -0,0 +1,193 @@
+pkgname=openssh
+pkgver=10.2_p1
+_ver=${pkgver/_}
+pkgdesc="Port of OpenBSD's free SSH release"
+homepage="https://www.openssh.com/"
+license=("BSD" "GPL-2")
+depends=(
+  openssl
+  libxcrypt
+  zlib
+  linux-headers
+  pam
+  shadow
+)
+bdepends=(
+  autoconf
+  pkgconf
+)
+_patches=("openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
+  "openssh-9.7_p1-config-tweaks.patch"
+)
+_patch_sums=("d8fc604795d8bb4228ccbfe5714d5503bb1e0d63818d2fac65d533530d01fe4ce4fac0743b8b415f646322fec859b699fa7365beba8a42bd880d737b7c6bd7df"
+  "bfc39aa573dd3934bae2a496a8a730f99dd7d6217c4d6e146ca4c401151f5e803f704719f29213548c67db015ba9f4cae749dd7ee5bc3b8cee0395892abae01f"
+)
+sources=("${pkgname}-${_ver}.tar.gz"
+  "sshd_at.service.1"
+  "sshd.pam_include.2"
+  "sshd.service.2"
+  "sshd.socket"
+  "acct-user-sshd.conf"
+  "acct-group-sshd.conf"
+  "${_patches[@]}"
+)
+urls=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${sources[0]}"
+  "sshd_at.service.1"
+  "sshd.pam_include.2"
+  "sshd.service.2"
+  "sshd.socket"
+  "acct-user-sshd.conf"
+  "acct-group-sshd.conf"
+  "${_patches[@]}"
+)
+sha512sums=("66f3dd646179e71aaf41c33b6f14a207dc873d71d24f11c130a89dee317ee45398b818e5b94887b5913240964a38630d7bca3e481e0f1eff2e41d9e1cfdbdfc5"
+  "fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f"
+  "d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c"
+  "24c04f0608b478b3aa600a0bdfeb31b196bd9524fdd9c78bcbef5f603a797e17ffbf2ce503af707800b67d789b24fbe1ce15e87df58003752156709d497fca3b"
+  "4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42"
+  "72ede363950bcc1d31959bab94efdb4e87d3f913ead96ecf593041000e9d63e0872b1f9ddc75a06a67e5c7ab23e24aa0398ee99ea9b0ca921bde83b6d486c568"
+  "2f477d9a83086b23b00ec6fff576ce04ec5da7e73154c566292cd6192741d7775c19b7564fe0eacfa5ef9314282545217a9e6d39c4d9593db82fe2c4967b5cdc"
+  "${_patch_sums[@]}"
+)
+
+src_prepare() {
+  tar -xf ${distdir}/${sources[0]} --strip-components=1
+
+  sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config
+
+  for _patch in ${_patches[@]}; do
+    patch -p1 -i ${filedir}/${_patch}
+  done
+
+  if [[ -d patches ]]; then
+    find patches -type f -name "*.patch" -exec patch -p1 -i {} \;
+  fi
+
+  sed -e '/\t\tpercent \\/ d' \
+      -i regress/Makefile
+
+  local sed_args=(
+      -e "s:-lcrypto:$(pkg-config --libs openssl):"
+      # Disable fortify flags ... our gcc does this for us
+      -e 's:-D_FORTIFY_SOURCE=2::'
+  )
+  sed -i "${sed_args[@]}" configure{.ac,}
+
+  autoreconf -fiv
+}
+
+create_config_dropins() {
+  local locale_vars=(
+    # These are language variables that POSIX defines.
+    # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+    LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+    # These are the GNU extensions.
+    # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+    LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+  )
+
+  mkdir -p etc/ssh/ssh{,d}_config.d
+
+  cat > etc/ssh/ssh_config.d/9999999gentoo.conf << EOF
+# Send locale environment variables (bug #367017)
+SendEnv ${locale_vars[*]}
+
+# Send COLORTERM to match TERM (bug #658540)
+SendEnv COLORTERM
+EOF
+
+  cat << EOF > etc/ssh/ssh_config.d/9999999gentoo-security.conf
+RevokedHostKeys "/etc/ssh/ssh_revoked_hosts"
+EOF
+
+  cat << EOF > etc/ssh/ssh_revoked_hosts
+# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+EOF
+
+  cat << EOF > etc/ssh/sshd_config.d/9999999gentoo.conf
+# Allow client to pass locale environment variables (bug #367017)
+AcceptEnv ${locale_vars[*]}
+
+# Allow client to pass COLORTERM to match TERM (bug #658540)
+AcceptEnv COLORTERM
+EOF
+
+  cat << EOF > etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf
+# override default of no subsystems
+Subsystem  sftp  /usr/lib/ssh/sftp-server
+EOF
+
+  cat << EOF > etc/ssh/sshd_config.d/9999999gentoo-pam.conf
+UsePAM yes
+# This interferes with PAM.
+PasswordAuthentication no
+# PAM can do its own handling of MOTD.
+PrintMotd no
+PrintLastLog no
+EOF
+}
+
+src_build() {
+  local conf_args=(
+    --prefix=/usr
+    --disable-strip
+    --with-pid-dir=/run
+    --sysconfdir=/etc/ssh
+    --libexecdir=/usr/lib/ssh
+    --datadir=/usr/share/openssh
+    --with-privsep-path=/var/empty
+    --with-privsep-user=sshd
+    --with-xauth=/usr/bin/xauth
+    --without-hardening
+    --without-pie
+    --without-stackprotect
+    --without-wtmpdb
+    --without-audit
+    --without-kerberos5
+    --without-ldns
+    --without-libedit
+    --with-pam
+    --without-selinux
+    --without-security-key-builtin
+    --with-openssl
+    --with-ssl-engine
+  )
+  ./configure "${conf_args[@]}"
+  make
+  create_config_dropins
+}
+
+src_check() {
+  local tests=(compat-tests interop-tests file-tests unit)
+  chown -R leaf .
+  chown -R leaf $HOME
+  chown -R leaf $TMPDIR
+  su leaf -c "mkdir -pv $HOME/.ssh && make -j1 ${tests[@]}"
+}
+
+src_install() {
+  make install-nokeys DESTDIR="${pkgdir}"
+  chmod 600 "${pkgdir}/etc/ssh/sshd_config"
+  install -vDm755 contrib/ssh-copy-id -t "${pkgdir}/usr/bin/"
+
+  install -vDm644 "${filedir}"/sshd.pam_include.2 "${pkgdir}/etc/pam.d/sshd"
+
+  install -vDm644 contrib/ssh-copy-id.1 -t "${pkgdir}/usr/share/man/man1/"
+
+  install -vDm644 "${filedir}/sshd.socket" -t "${pkgdir}/usr/lib/systemd/system/"
+  install -vDm644 "${filedir}/sshd.service.2" "${pkgdir}/usr/lib/systemd/system/sshd.service"
+  install -vDm644 "${filedir}/sshd_at.service.1" "${pkgdir}/usr/lib/systemd/system/sshd@.service"
+
+  install -vdm755 "${pkgdir}/etc/ssh/ssh_config.d"
+  install -vDm644 etc/ssh/ssh_config.d/* -t "${pkgdir}/etc/ssh/ssh_config.d"
+  install -vdm700 "${pkgdir}/etc/ssh/sshd_config.d"
+  install -vDm600 etc/ssh/sshd_config.d/* -t "${pkgdir}/etc/ssh/sshd_config.d"
+  install -vDm644 etc/ssh/ssh_revoked_hosts -t "${pkgdir}/etc/ssh"
+
+  install -vDm644 "${filedir}"/acct-user-sshd.conf -t "${pkgdir}/usr/lib/sysusers.d/"
+  install -vDm644 "${filedir}"/acct-group-sshd.conf -t "${pkgdir}/usr/lib/sysusers.d/"
+}
+
+# vim:ft=sh syn=sh et sw=2:
--- a/net-misc/openssh/acct-group-sshd.conf
+++ b/net-misc/openssh/acct-group-sshd.conf
@@ -0,0 +1 @@
+g	sshd	22
--- a/net-misc/openssh/acct-user-sshd.conf
+++ b/net-misc/openssh/acct-user-sshd.conf
@@ -0,0 +1 @@
+u	sshd	22:sshd	User\ for\ ssh	/var/empty	/sbin/nologin
--- a/net-misc/openssh/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch
+++ b/net-misc/openssh/openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch
@@ -0,0 +1,44 @@
+From 45b491ce13fcf7dbc0b3bd6df986c9cf59190721 Mon Sep 17 00:00:00 2001
+From: Jordan R Abrahams-Whitehead <ajordanr@google.com>
+Date: Tue, 12 Dec 2023 22:54:02 +0000
+Subject: [PATCH] Allow MAP_NORESERVE in sandbox seccomp filter maps
+
+While debugging Scudo on ChromeOS, we found that the no reserve mode
+immediately crashed `sshd`. We tracked it down to the
+sandbox-seccomp-filter.
+
+Being able to mmap with MAP_NORESERVE is useful (if not necessary) for
+some overcommitting allocators.
+
+During mmap calls, the flag MAP_NORESERVE is used by some allocators
+such as LLVM's Scudo for layout optimisation. This causes the sandbox
+seccomp filter for the client subprocess to die with some Scudo
+configurations.
+
+Upstream patch submission:
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-December/041095.html
+---
+ sandbox-seccomp-filter.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 23b40b643..a49c5ca99 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -190,9 +190,11 @@
+ 
+ #if defined(__NR_mmap) || defined(__NR_mmap2)
+ # ifdef MAP_FIXED_NOREPLACE
+-#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED|MAP_FIXED_NOREPLACE
+#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED \
+		|MAP_NORESERVE|MAP_FIXED_NOREPLACE
+ # else
+-#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED
+#  define SC_MMAP_FLAGS MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED \
+		|MAP_NORESERVE
+ # endif /* MAP_FIXED_NOREPLACE */
+ /* Use this for both __NR_mmap and __NR_mmap2 variants */
+ # define SC_MMAP(_nr) \
+-- 
+2.43.0.472.g3155946c3a-goog
+
--- a/net-misc/openssh/openssh-9.7_p1-config-tweaks.patch
+++ b/net-misc/openssh/openssh-9.7_p1-config-tweaks.patch
@@ -0,0 +1,27 @@
+diff -Naur a/ssh_config b/ssh_config
+--- a/ssh_config	2024-03-11 05:20:49.000000000 +0000
+++ b/ssh_config	2024-06-10 16:30:15.863023773 +0100
+@@ -13,6 +13,9 @@
+ # Thus, host-specific definitions should be at the beginning of the
+ # configuration file, and defaults at the end.
+ 
+# Make sure that all Host and Match options are below this Include!
+Include "/etc/ssh/ssh_config.d/*.conf"
+
+ # Site-wide defaults for some commonly used options.  For a comprehensive
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+diff -Naur a/sshd_config b/sshd_config
+--- a/sshd_config	2024-06-10 16:19:01.530491925 +0100
+++ b/sshd_config	2024-06-10 16:32:49.766386759 +0100
+@@ -105,8 +105,8 @@
+ # no default banner path
+ #Banner none
+ 
+-# override default of no subsystems
+-Subsystem	sftp	/usr/libexec/sftp-server
+# Make sure that all Match options are below this Include!
+Include "/etc/ssh/sshd_config.d/*.conf"
+ 
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
--- a/net-misc/openssh/sshd.pam_include.2
+++ b/net-misc/openssh/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth       include	system-remote-login
+account    include	system-remote-login
+password   include	system-remote-login
+session	   include	system-remote-login
--- a/net-misc/openssh/sshd.service.2
+++ b/net-misc/openssh/sshd.service.2
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+Type=notify-reload
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
--- a/net-misc/openssh/sshd.socket
+++ b/net-misc/openssh/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
--- a/net-misc/openssh/sshd_at.service.1
+++ b/net-misc/openssh/sshd_at.service.1
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=journal
				`@@ -0,0 +1 @@`
				`u sshd 22:sshd User\ for\ ssh /var/empty /sbin/nologin`