Revision: 27160 http://sourceforge.net/p/gar/code/27160 Author: jake_goerzen Date: 2025-02-19 18:11:17 +0000 (Wed, 19 Feb 2025) Log Message: ----------- openssh: update to 9.9p2
Modified Paths: -------------- csw/mgar/pkg/openssh/trunk/Makefile csw/mgar/pkg/openssh/trunk/checksums Added Paths: ----------- csw/mgar/pkg/openssh/trunk/files/0031-Restore-tcpwrappers-libwrap-support.patch Modified: csw/mgar/pkg/openssh/trunk/Makefile =================================================================== --- csw/mgar/pkg/openssh/trunk/Makefile 2025-02-13 09:23:45 UTC (rev 27159) +++ csw/mgar/pkg/openssh/trunk/Makefile 2025-02-19 18:11:17 UTC (rev 27160) @@ -2,6 +2,7 @@ # OpenCSW build recipe for openssh # # Author: Yann Rouillard <y...@pleiades.fr.eu.org> +# Contributor: Jake Goerzen <jgoer...@opencsw.org> # # Redistribution and/or use, with or without modification, is # permitted. This software is without warranty of any kind. The @@ -12,7 +13,7 @@ ###### Package information ####### NAME = openssh -VERSION = 6.7p1 +VERSION = 9.9p2 GSSKEX_PATCH_VERSION = 6.7p1 GSSKEX_PATCH_DATE = 20140907 GARTYPE = v2 @@ -35,7 +36,9 @@ CATALOGNAME_CSWopenssh = openssh SPKG_DESC_CSWopenssh = OpenSSH Secure Shell server BUILD_DEP_PKGS = CSWautoconf CSWlibssl-dev CSWlibz-dev -RUNTIME_DEP_PKGS_CSWopenssh += CSWlibssl1-0-0 +RUNTIME_DEP_PKGS_CSWopenssh += CSWlibssl1-1 +RUNTIME_DEP_PKGS_CSWopenssh += CSWlibssp0 +RUNTIME_DEP_PKGS_CSWopenssh += CSWlibwrap1 RUNTIME_DEP_PKGS_CSWopenssh += CSWlibz1 RUNTIME_DEP_PKGS_CSWopenssh += CSWlibkrb5-3 RUNTIME_DEP_PKGS_CSWopenssh += CSWlibcom-err3 @@ -47,11 +50,12 @@ RUNTIME_DEP_PKGS_CSWopenssh += $(RUNTIME_DEP_PKGS_CSWopenssh_$(GARCH)) RUNTIME_DEP_PKGS_CSWopenssh_sparc += CSWlibintl8 -OBSOLETED_BY_CSWopenssh = CSWossh +GARCOMPILER += GNU CATALOGNAME_CSWopenssh-client = openssh_client SPKG_DESC_CSWopenssh-client = OpenSSH Secure Shell client -RUNTIME_DEP_PKGS_CSWopenssh-client += CSWlibssl1-0-0 +RUNTIME_DEP_PKGS_CSWopenssh-client += CSWlibssl1-1 +RUNTIME_DEP_PKGS_CSWopenssh-client += CSWlibssp0 RUNTIME_DEP_PKGS_CSWopenssh-client += CSWlibz1 RUNTIME_DEP_PKGS_CSWopenssh-client += CSWlibkrb5-3 
@@ -61,8 +65,6 @@ RUNTIME_DEP_PKGS_CSWopenssh-client += $(RUNTIME_DEP_PKGS_CSWopenssh-client_$(GARCH)) RUNTIME_DEP_PKGS_CSWopenssh-client_sparc += CSWlibintl8 -OBSOLETED_BY_CSWopenssh-client = CSWosshclient - PACKAGING_PLATFORMS = solaris10-sparc solaris10-i386 PKGFILES_CSWopenssh = $(sbindir)/.* @@ -71,6 +73,7 @@ PKGFILES_CSWopenssh += $(mandir)/man8/sftp-server.8 PKGFILES_CSWopenssh += $(mandir)/man8/sshd.8 PKGFILES_CSWopenssh += $(libexecdir)/sftp-server +PKGFILES_CSWopenssh += $(libexecdir)/sshd-session PKGFILES_CSWopenssh += $(sysconfdir)/ssh/sshd_config.CSW PKGFILES_CSWopenssh += $(sysconfdir)/ssh/moduli.CSW PKGFILES_CSWopenssh += $(localstatedir)/empty @@ -108,14 +111,16 @@ MIGRATE_DEST_DIR = $(sysconfdir)/ssh CHECKPKG_OVERRIDES_CSWopenssh-client += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssh_client/INSTALL +CHECKPKG_OVERRIDES_CSWopenssh-client += file-with-bad-content|/usr/local|root/opt/csw/bin/ssh-agent CHECKPKG_OVERRIDES_CSWopenssh += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssh/INSTALL CHECKPKG_OVERRIDES_CSWopenssh += file-with-bad-content|/usr/share|root/var/opt/csw/svc/manifest/network/cswopenssh.xml +# temporay disable to get around git issue on experiental* hosts +NOGITPATCH = 1 - ###### Upstream and OpenCSW files information ####### -MASTER_SITES = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ http://www.sxw.org.uk/computing/patches/ http://www.mindrot.org/openssh_snap/ +MASTER_SITES = https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ http://www.sxw.org.uk/computing/patches/ http://www.mindrot.org/openssh_snap/ UPSTREAM_MASTER_SITES = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ # We define upstream file regex so we can be notifed of new upstream software release 
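Review bot: In the `@@ -108,14 +111,16 @@` hunk, MASTER_SITES gains the https CDN but keeps the plaintext ftp:// and http:// entries as fallbacks, so a fetch that falls through to them is protected only by the checksums file, whose entry in this commit is a 32-hex-digit (MD5-length) digest. The sxw.org.uk entry appears to have been there for the gsskex patch, which this commit stops applying, so the list could shrink to `MASTER_SITES = https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/`. The new ssh-agent `file-with-bad-content|/usr/local` override would also benefit from a comment naming which embedded string triggers it. My guess is ssh-agent's built-in default provider path list, and if so it is worth recording that the binary will accept libraries from outside the /opt/csw prefix.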
@@ -133,7 +138,7 @@ LICENSE = LICENCE # The GSSAPI key exchange patch -PATCHFILES = openssh-$(GSSKEX_PATCH_VERSION)-gsskex-all-$(GSSKEX_PATCH_DATE).patch +#PATCHFILES = openssh-$(GSSKEX_PATCH_VERSION)-gsskex-all-$(GSSKEX_PATCH_DATE).patch # Prevent TIOCSCTTY from being used to avoid error: # ioctl(TIOCSCTTY): Invalid argument @@ -141,7 +146,7 @@ # Fix a X11 forwarding bug on machine installed with ipv6 disabled # see https://bugzilla.mindrot.org/show_bug.cgi?id=1457 -PATCHFILES += no_x_forwarding_bug.patch +#PATCHFILES += no_x_forwarding_bug.patch # Force openssh to not use /var/adm/lastlog but still prints last log information # Workaround to fix https://www.opencsw.org/mantis/view.php?id=4494 
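Review bot: Commenting out the gsskex PATCHFILES line in the `@@ -133,7 +138,7 @@` hunk silently removes the GSSAPI key exchange feature from the package, and nothing in the recipe tells upgraders. If the shipped sshd_config.CSW or a site's own config still carries keywords that only the gsskex patch understood, sshd would presumably reject the file and not start after the upgrade, which is an availability risk on hosts managed over ssh. I would delete the dead lines rather than comment them, together with the now-unused `GSSKEX_PATCH_VERSION` and `GSSKEX_PATCH_DATE` variables, and replace them with a one-line comment such as `# GSSAPI key exchange patch dropped in 9.9p2: remove gsskex-only options from sshd_config before upgrading`. The same comment-out style is used for no_x_forwarding_bug.patch in the next hunk.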
@@ -155,21 +160,21 @@ # The regress/Makefile uses "id -un" to retrieve the id of the current user # but that command doesn't work on Solaris, this patch fixes that issue -PATCHFILES += fix-user-id-retrieval-for-solaris.patch +#PATCHFILES += fix-user-id-retrieval-for-solaris.patch # Disable unittest fuzz ed25519 sig as it doesn't work correctly under Solaris # see: https://bugzilla.mindrot.org/show_bug.cgi?id=2271 -PATCHFILES += disable-unittest-fuzz-ed25519-sig.patch +#PATCHFILES += disable-unittest-fuzz-ed25519-sig.patch # Same thing for ed25519 key test, see: https://bugzilla.mindrot.org/show_bug.cgi?id=2297 -PATCHFILES += remote-unittest-key-ed25519.patch +#PATCHFILES += remote-unittest-key-ed25519.patch # Keep tcp wrapper support which was dropped from openssh since 6.7, # so that ours users are not caught by surprise -# Patch taken from Debian -PATCHFILES += restore-tcp-wrappers.patch +# Patch taken from OpenIndiana +PATCHFILES += 0031-Restore-tcpwrappers-libwrap-support.patch # documentation files to install (not a gar variable) -DOCFILES = CREDITS ChangeLog ChangeLog.gssapi INSTALL LICENCE OVERVIEW README README.dns +DOCFILES = CREDITS ChangeLog INSTALL LICENCE OVERVIEW README README.dns DOCFILES += README.platform README.privsep README.tun TODO # we're using conf handling class from the cswclassutils package 
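Review bot: The new comment `# Patch taken from OpenIndiana` gives no revision or URL for 0031-Restore-tcpwrappers-libwrap-support.patch, so a later reviewer cannot diff the carried copy against its origin or tell whether it was modified locally. Because this patch adds code to the pre-authentication connection path of sshd-session, provenance is worth pinning, for example `# Patch taken from OpenIndiana (<repository URL and commit placeholder>), unmodified`. The three test-related PATCHFILES lines that are now commented out could simply be removed if they no longer apply to 9.9p2.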
@@ -182,15 +187,25 @@ CONFIGURE_ARGS = $(DIRPATHS) CONFIGURE_ARGS += --with-kerberos5=$(prefix) CONFIGURE_ARGS += --sysconfdir=$(sysconfdir)/ssh +#CONFIGURE_ARGS += --with-audit=bsm +CONFIGURE_ARGS += --with-sandbox=solaris CONFIGURE_ARGS += --with-solaris-contracts +CONFIGURE_ARGS += --with-solaris-privs +CONFIGURE_ARGS += --with-solaris-projects CONFIGURE_ARGS += --with-pam CONFIGURE_ARGS += --with-tcp-wrappers=$(prefix) CONFIGURE_ARGS += --with-privsep-path=$(localstatedir)/empty +# enable so ssh can connect to older systems (consoles, ILOMs, switches, etc..) See https://www.openssh.com/legacy.html for legacy options. +CONFIGURE_ARGS += --enable-dsa-keys + # We don't want to use lazy load because of # the chroot usage by sshd EXTRA_LD_OPTIONS = -z nolazyload +# disable tests temporary +TEST_SCRIPTS = + TEST_TARGET = tests include gar/category.mk Modified: csw/mgar/pkg/openssh/trunk/checksums =================================================================== --- csw/mgar/pkg/openssh/trunk/checksums 2025-02-13 09:23:45 UTC (rev 27159) +++ csw/mgar/pkg/openssh/trunk/checksums 2025-02-19 18:11:17 UTC (rev 27160) @@ -1 +1 @@ -3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz +f617b95fe278bfea8d004589c7a68a85 openssh-9.9p2.tar.gz Added: csw/mgar/pkg/openssh/trunk/files/0031-Restore-tcpwrappers-libwrap-support.patch =================================================================== --- csw/mgar/pkg/openssh/trunk/files/0031-Restore-tcpwrappers-libwrap-support.patch (rev 0) +++ csw/mgar/pkg/openssh/trunk/files/0031-Restore-tcpwrappers-libwrap-support.patch 2025-02-19 18:11:17 UTC (rev 27160) 
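Review bot: Setting `TEST_SCRIPTS =` under "disable tests temporary" in the `@@ -182,15 +187,25 @@` hunk turns off the regression suite in the same commit that jumps from 6.7p1 to 9.9p2, switches on `--with-sandbox=solaris` and `--with-solaris-privs`, and carries an out-of-tree tcp-wrappers patch. That is the point at which a test run is most useful. The comment should say why the tests are off and what re-enables them, e.g. `# TODO: tests disabled because <reason placeholder>; re-enable before release`. For `--enable-dsa-keys`, the comment could add that this is compile-time support only and, as far as I know, DSA still has to be enabled explicitly in the algorithm lists at runtime, so readers do not assume it widens the default configuration.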
@@ -0,0 +1,140 @@ +diff -wpruN --no-dereference '--exclude=*.orig' a~/configure.ac a/configure.ac +--- a~/configure.ac 1970-01-01 00:00:00 ++++ a/configure.ac 1970-01-01 00:00:00 +@@ -1672,6 +1672,62 @@ else + AC_MSG_RESULT([no]) + fi + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include <sys/types.h> ++#include <sys/socket.h> ++#include <netinet/in.h> ++#include <tcpd.h> ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" ++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -5725,6 +5781,7 @@ echo " PAM support + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " libldns support: $LDNS_MSG" + echo " Solaris process 
contract support: $SPC_MSG" +diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd-session.c a/sshd-session.c +--- a~/sshd-session.c 1970-01-01 00:00:00 ++++ a/sshd-session.c 1970-01-01 00:00:00 +@@ -70,6 +70,11 @@ + #include <prot.h> + #endif + ++#ifdef LIBWRAP ++#include <tcpd.h> ++#include <syslog.h> ++#endif /* LIBWRAP */ ++ + #include "xmalloc.h" + #include "ssh.h" + #include "ssh2.h" +@@ -1271,6 +1276,25 @@ main(int ac, char **av) + audit_connection_from(ssh, remote_ip, remote_port); + #endif + ++#ifdef LIBWRAP ++ int allow_severity = options.log_facility|LOG_INFO; ++ int deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are denied from this host. */ ++ if (ssh_packet_connection_is_on_socket(ssh)) { ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ ++ + rdomain = ssh_packet_rdomain_in(ssh); + + /* Log the connection. */ +diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd.8 a/sshd.8 +--- a~/sshd.8 1970-01-01 00:00:00 ++++ a/sshd.8 1970-01-01 00:00:00 +@@ -925,6 +925,12 @@ the user's home directory becomes access + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . 
+@@ -1052,6 +1058,7 @@ Each SSHv2 userauth type has its own PAM + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +
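Review bot: In the sshd-session.c hunk of the added patch, `int allow_severity = ...` and `int deny_severity = ...` are declared inside main(), so they are block-scope variables rather than assignments to the globals that libwrap reads when it logs. If tcpd.h declares those names as externs, as upstream tcp_wrappers does, the locals shadow them and the configured log facility never reaches refuse(). The only sshd-side message is at debug level, so refused connections would then be recorded only at whatever severity libwrap defaults to, which matters to anyone alerting on hosts.deny hits. I would assign instead, `allow_severity = options.log_facility|LOG_INFO;` and `deny_severity = options.log_facility|LOG_WARNING;`, adding file-scope definitions beside the `#include <tcpd.h>` block only if the Solaris libwrap does not define them itself. main() begins and ends outside the hunk.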