kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/security/openssh/Makefile

181 lines
5.4 KiB
Makefile
Raw Normal View History

Update openssh package to 5.8.1 (5.8p1). For changes from 5.5 to 5.7, please refer http://openssh.com/txt/release-5.7 and http://openssh.com/txt/release-5.6 in detail. Changes since OpenSSH 5.7 ========================= Security: * Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski. Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from the stack in place of a random nonce field. The contents of the stack do not appear to contain private data at this point, but this cannot be stated with certainty for all platform, library and compiler combinations. In particular, there exists a risk that some bytes from the privileged CA key may be accidentally included. A full advisory for this issue is available at: http://www.openssh.com/txt/legacy-cert.adv Portable OpenSSH Bugfixes: * Fix compilation failure when enableing SELinux support. * Do not attempt to call SELinux functions when SELinux is disabled. bz#1851
2011-02-16 18:45:08 +01:00
# $NetBSD: Makefile,v 1.199 2011/02/16 17:45:08 taca Exp $
New openssh package [needs some cleanup] - it is not enabled by default (need to think what to do with the ssh conflict) - only tested under 1.4.1 so far
2000-01-17 06:34:32 +01:00
Update openssh package to 5.8.1 (5.8p1). For changes from 5.5 to 5.7, please refer http://openssh.com/txt/release-5.7 and http://openssh.com/txt/release-5.6 in detail. Changes since OpenSSH 5.7 ========================= Security: * Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski. Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from the stack in place of a random nonce field. The contents of the stack do not appear to contain private data at this point, but this cannot be stated with certainty for all platform, library and compiler combinations. In particular, there exists a risk that some bytes from the privileged CA key may be accidentally included. A full advisory for this issue is available at: http://www.openssh.com/txt/legacy-cert.adv Portable OpenSSH Bugfixes: * Fix compilation failure when enableing SELinux support. * Do not attempt to call SELinux functions when SELinux is disabled. bz#1851
2011-02-16 18:45:08 +01:00
DISTNAME= openssh-5.8p1
PKGNAME= openssh-5.8.1
SVR4 packages have a limit of 9 chars for a package name. The automatic truncation in gensolpkg doesn't work for packages which have the same package name for the first 5-6 chars. e.g. amanda-server and amanda-client would be named amanda and amanda. Now, we add a SVR4_PKGNAME and use amacl for amanda-client and amase for amanda-server. All svr4 packages also have a vendor tag, so we have to reserve some chars for this tag, which is normaly 3 or 4 chars. Thats why we can only use 6 or 5 chars for SVR4_PKGNAME. I used 5 for all the packages, to give the vendor tag enough room. All p5-* packages and a few other packages have now a SVR4_PKGNAME.
2001-10-18 17:20:01 +02:00
SVR4_PKGNAME= ossh
New openssh package [needs some cleanup] - it is not enabled by default (need to think what to do with the ssh conflict) - only tested under 1.4.1 so far
2000-01-17 06:34:32 +01:00
CATEGORIES= security
move ftp.openssh.com to the top, as it's the only site which has the new distfile so far.
2003-09-17 01:06:22 +02:00
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
update mirrors and add a few more from the mirror list.
2009-05-01 16:27:34 +02:00
ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
add some faster mirrors to MASTER_SITES.
2003-04-10 22:20:55 +02:00
ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \
update mirrors and add a few more from the mirror list.
2009-05-01 16:27:34 +02:00
ftp://ftp.freenet.de/pub/ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/ \
remove pacnet mirror. service down.
2010-04-17 12:39:33 +02:00
ftp://ftp.belnet.be/packages/openbsd/OpenSSH/portable/
Add master site on ftp.openssh.com. Add note why we have both openssh.com entries.
2000-08-09 19:47:31 +02:00
# Don't delete the last entry -- it's there if the pkgsrc version is not
# up-to-date and the mirrors already removed the old distfile.
New openssh package [needs some cleanup] - it is not enabled by default (need to think what to do with the ssh conflict) - only tested under 1.4.1 so far
2000-01-17 06:34:32 +01:00
Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no developer is officially maintaining the package. The rationale for changing this from "tech-pkg" to "pkgsrc-users" is that it implies that any user can try to maintain the package (by submitting patches to the mailing list). Since the folks most likely to care about the package are the folks that want to use it or are already using it, this would leverage the energy of users who aren't developers.
2006-03-04 22:28:51 +01:00
MAINTAINER= pkgsrc-users@NetBSD.org
correct homepage (www.openssh.org is not the official site!)
2000-03-07 13:02:35 +01:00
HOMEPAGE= http://www.openssh.com/
Update to new COMMENT style: COMMENT var in Makefile instead of pkg/COMMENT.
2001-02-17 18:42:09 +01:00
COMMENT= Open Source Secure shell client and server (remote login program)
New openssh package [needs some cleanup] - it is not enabled by default (need to think what to do with the ssh conflict) - only tested under 1.4.1 so far
2000-01-17 06:34:32 +01:00
Mechanical changes to 375 files to change dependency patterns of the form foo-* to foo-[0-9]*. This is to cause the dependencies to match only the packages whose base package name is "foo", and not those named "foo-bar". A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net. Also change dependency examples in Packages.txt to reflect this.
2001-09-28 01:17:41 +02:00
CONFLICTS= sftp-[0-9]*
add CONFLICT with ssh2-nox11.
2004-07-25 14:36:03 +02:00
CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
Mark conflicts with openssh+gssapi.
2003-07-24 22:59:03 +02:00
CONFLICTS+= openssh+gssapi-[0-9]*
Add CONFLICTS with lsh (common man page).
2005-04-28 16:11:13 +02:00
CONFLICTS+= lsh>2.0
Add a CONFLICTS entry for sftp. Detected by pkgconflict.
2001-04-12 12:42:52 +02:00
Update to OpenSSH 5.0p1. Changes since 4.7: - fix two security issues - chroot support for sshd(8) - sftp server internalized in sshd(8) - assorted bug fixes
2008-04-27 02:34:27 +02:00
PKG_DESTDIR_SUPPORT= user-destdir
Get rid of USE_PERL5. The new way to express needing the Perl executable around at either build-time or at run-time is: USE_TOOLS+= perl # build-time USE_TOOLS+= perl:run # run-time Also remove some places where perl5/buildlink3.mk was being included by a package Makefile, but all that the package wanted was the Perl executable.
2005-07-16 03:19:06 +02:00
USE_TOOLS+= perl
New openssh package [needs some cleanup] - it is not enabled by default (need to think what to do with the ssh conflict) - only tested under 1.4.1 so far
2000-01-17 06:34:32 +01:00
Reorganize crypto handling, as discussed on tech-pkg. Remove all RESTRICTED= variables that were predicated on former U.S. export regulations. Add CRYPTO=, as necessary, so it's still possible to exclude all crypto packages from a build by setting MKCRYPTO=no (but "lintpkgsrc -R" will no longer catch them). Specifically, - - All packages which set USE_SSL just lose their RESTRICTED variable, since MKCRYPTO responds to USE_SSL directly. - - realplayer7 and ns-flash keep their RESTRICTED, which is based on license terms, but also gain the CRYPTO variable. - - srp-client is now marked broken, since the distfile is evidently no longer available. On this, we're no worse off than before. [We haven't been mirroring the distfile, or testing the build!] - - isakmpd gets CRYPTO for RESTRICTED, but remains broken. - - crack loses all restrictions, as it does not evidently empower a user to utilize strong encryption (working definition: ability to encode a message that requires a secret key plus big number arithmetic to decode).
2000-09-09 21:40:14 +02:00
CRYPTO= yes
Drop trailing whitespace. Ok'ed by wiz.
2003-05-06 19:40:18 +02:00
# retain the following line, for IPv6-ready pkgsrc webpage
Convert packages that test and use USE_INET6 to use the options framework and to support the "inet6" option instead. Remaining usage of USE_INET6 was solely for the benefit of the scripts that generate the README.html files. Replace: BUILD_DEFS+= USE_INET6 with BUILD_DEFS+= IPV6_READY and teach the README-generation tools to look for that instead. This nukes USE_INET6 from pkgsrc proper. We leave a tiny bit of code to continue to support USE_INET6 for pkgsrc-wip until it has been nuked from there as well.
2007-09-08 00:12:10 +02:00
BUILD_DEFS+= IPV6_READY
Replace MIRROR_DISTFILES and NO_CDROM with the more descriptive and more fine-grained NO_{BIN,SRC}_ON_{FTP,CDROM} definitions. MIRROR_DISTFILES and NO_CDROM are now dead.
2000-08-19 00:46:29 +02:00
Make it easier to build and install packages "unprivileged", where the owner of all installed files is a non-root user. This change affects most packages that require special users or groups by making them use the specified unprivileged user and group instead. (1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to unprivileged.mk. These two variables are lists of other bmake variables that define package-specific users and groups. Packages that have user-settable variables for users and groups, e.g. apache and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP}, etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER} and ${UNPRIVILEGED_GROUP}. (2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2007-07-04 22:54:31 +02:00
PKG_GROUPS_VARS+= OPENSSH_GROUP
PKG_USERS_VARS+= OPENSSH_USER
BUILD_DEFS+= OPENSSH_CHROOT
Update openssh package to 4.4.1 (openssh-4.4p1). - A few pkglint warning clean up. - Major changes are here. For complete changes, see http://www.openssh.com/txt/release-4.4. Changes since OpenSSH 4.3: ============================ Security bugs resolved in this release: * Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired. * Fix an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. * On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. This release includes the following new functionality and fixes: * Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post- authentication options are supported and more are expected to be added in future releases. * Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. * Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. * Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. * Add optional logging of transactions to sftp-server(8). * ssh(1) will now record port numbers for hosts stored in ~/.ssh/authorized_keys when a non-standard port has been requested. * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. * Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. * Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. * Many manpage fixes and improvements * New portable OpenSSH-specific features: - Add optional support for SELinux, controlled using the --with-selinux configure option (experimental) - Add optional support for Solaris process contracts, enabled using the --with-solaris-contracts configure option (experimental) This option will also include SMF metadata in Solaris packages built using the "make package" target - Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option.
2006-10-31 04:31:19 +01:00
BUILD_DEFS+= VARBASE
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
INSTALL_TARGET= install-nokeys
PLIST_SRC= # empty
Noticed that the PAM +DISPLAY message was not displayed and extra pam file was not included in +CONTENTS. So moved the include of options.mk to after the PLIST_SRC and MESSAGE_SRC are defined as empty. (MESSAGE_SRC is redefined if Interix and if PAM PKG_OPTION was enabled then this still needs to be fixed.)
2005-05-25 21:37:18 +02:00
.include "options.mk"
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
.if ${OPSYS} == "Interix"
MESSAGE file removed. As mentioned on tech-pkg in May, /etc/ssh.conf and /etc/sshd.conf is old (and I assume some configurations from there don't apply any more), user and group are not created automatically (only if PKG_CREATE_USERGROUP is at default YES), UsePrivilegeSeparation is the default, and seems to imply that openssh is insecure without it. Bump PKGREVISION. Change comment regarding MESSAGE.Interix. Removed unused MESSAGE_SUBST settings. Move one to the options.mk as it is for "pam" only.
2005-07-28 19:54:57 +02:00
# OpenSSH on Interix has some important caveats
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
Fixes build on SUA. * header file location of libbind is differ than SFU. * treat all Interxi as same, not only interix3.
2011-02-06 12:31:18 +01:00
BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
CONFIGURE_ENV+= ac_cv_func_openpty=no
CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
Add explicit IOV_MAX for Interix -- openssh tries to use _XOPEN_IOV_MAX in an autoarray, but on Interix that is the same as INT_MAX[!].
2006-11-21 18:47:53 +01:00
CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
Fixes build on SUA. * header file location of libbind is differ than SFU. * treat all Interxi as same, not only interix3.
2011-02-06 12:31:18 +01:00
.if exists(/usr/local/include/bind/resolv.h)
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
CPPFLAGS+= -I/usr/local/include/bind
Fixes build on SUA. * header file location of libbind is differ than SFU. * treat all Interxi as same, not only interix3.
2011-02-06 12:31:18 +01:00
BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
.elif exists(/usr/local/bind/include/resolv.h)
CPPFLAGS+= -I/usr/local/bind/include
BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
.endif
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
LDFLAGS+= -L/usr/local/lib/bind
LIBS+= -lbind -ldb -lcrypt
.else # not Interix
Whitespace cleanup, courtesy of pkglint. Patch provided by Sergey Svishchev in private mail.
2007-02-22 20:26:05 +01:00
PKG_GROUPS= ${OPENSSH_GROUP}
Modify packages that set PKG_USERS and PKG_GROUPS to follow the new syntax as specified in pkgsrc/mk/install/bsd.pkginstall.mk:1.47.
2006-04-23 02:12:35 +02:00
PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
Add variables for openssh privilege separation to bsd.pkg.defaults.mk: OPENSSH_USER OPENSSH_UID OPENSSH_GROUP OPENSSH_GID OPENSSH_CHROOT Use these to automatically create user/group if they do not already exist. Assists platforms which do not have an 'sshd' user by default, while adding flexibility for NetBSD systems. Checked by Stoned Elipot <seb@netbsd.org>.
2002-08-31 12:08:59 +02:00
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
.endif
Convert to use bsd.options.mk with the following options: hpn-patch kerberos PAM (only Linux) The hpn-patch option uses the patch available in: http://www.psc.edu/networking/projects/hpn-ssh/ to enable high performance connections. Also use VARBASE intead of hardcoding /var. Bump PKGREVISION.
2004-11-25 20:25:28 +01:00
SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
Add automatic ${VARIABLE} handling for MESSAGE files. Convert most MESSAGE files to new syntax (${VARIABLE} gets replaced, not @VARIABLE@, nor @@VARIABLE@@). By default, substitutions are done for LOCALBASE, PKGNAME, PREFIX, X11BASE, X11PREFIX; additional patterns can be added via MESSAGE_SUBST. Clean up some packages while I'm there; add RCS tags to most MESSAGEs. Remove some uninteresting MESSAGEs.
2001-01-29 12:34:21 +01:00
Back out previous and do it in a simpler way by setting PKG_SYSCONFSUBDIR (the subdirectory of ${PKG_SYSCONFBASE} where all of the config files for thii package will be found) to be "ssh".
2002-06-25 08:43:50 +02:00
PKG_SYSCONFSUBDIR= ssh
Add ability to update the in-tree OpenSSH directly from pkgsrc. This installs the binaries directly in /usr and places the manpages and example files in the correct hier(7) locations. We don't register installation in this case because the package database can't handle it. We deal with the ssh config files and directories as follows: NetBSD-1.5.* use /etc/ssh_config, /etc/sshd_config NetBSD-1.6 use /etc/ssh/ssh_config, /etc/ssh/sshd_config We also emit a warning in the MESSAGE file that /etc/ssh.conf and /etc/sshd.conf should be renamed in order to keep using them. Lastly, there is a new target "tarball" to generate a tarball of the installed files that might be used to install quickly on many machines, though it may be only of limited utility. These changes are only active if UPDATE_INTREE_OPENSSH is defined.
2002-06-28 19:10:16 +02:00
Update openssh to 2.1.1p4. Package changes: * Factor out common post-install code from PLIST and package Makefile into files/INSTALL. * Enhance files/sshd.sh to handle start/stop/restart/status. * Check for usable installed version of OpenSSL. This bit possibly closes the following PRs: 10404, 10501, 10593 Changes from 2.1.1p3: * allow multiple whitespace but only one '=' between tokens * close can fail on AFS * allow leading whitespace in configuration files * Always create ~/.ssh with mode 700
2000-07-22 10:21:59 +02:00
GNU_CONFIGURE= yes
Force manual pages installation, because some systems like IRIX will install them like preformatted manual pages (cat). Reported by Georg Schwarz in PR pkg/24428.
2004-02-21 07:26:41 +01:00
CONFIGURE_ARGS+= --with-mantype=man
Ran "pkglint --autofix", which corrected some of the quoting issues in CONFIGURE_ARGS.
2005-12-06 00:55:01 +01:00
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR:Q}
CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
Support building with S/Key support on Darwin, and move the check for libcrypt-before-libcrypto into a section that is protected by something we can set in the configure script (check_for_libcrypt_before). This should fix the latter part of pkg/18091 by grant beattie.
2002-08-28 06:55:18 +02:00
CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
.if ${OPSYS} != "Interix"
Ran "pkglint --autofix", which corrected some of the quoting issues in CONFIGURE_ARGS.
2005-12-06 00:55:01 +01:00
CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER:Q}
nb5: Rework Interix support, based on work done by Interop Systems *before* a BSD-with-advertising license was added to their diffs, and other work done personally by me. sshd now works. Most permissions checks work properly. Privsep is off by default, and the sshd user is not created, on Interix until some problems with privsep are fixed (perhaps by abstracting the auth functionality out to openpam).
2005-03-08 00:29:49 +01:00
.endif
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
stop openssh from complaining about zlib version numbers, as pkgsrc already enforces a "secure" version of zlib via dependencies.
2005-11-14 23:36:17 +01:00
# pkgsrc already enforces a "secure" version of zlib via dependencies,
# so skip this bogus version check.
CONFIGURE_ARGS+= --without-zlib-version-check
set LD=CC again for all platforms with an appropriate comment - I don't know why this didn't originally work as it should, but I've just tested it with gcc3 and Forte 8 on Solaris and I couldn't make it fail. fixes coredump problem on Solaris observed by some, and also PR pkg/23120 from Alex Gerasimoff. bump PKGREVISION to differentiate between broken and unbroken package.
2003-10-12 12:13:53 +02:00
# the openssh configure script finds and uses ${LD} if defined and
# defaults to ${CC} if not. we override LD here, since running the
# linker directly results in undefined symbols for obvious reasons.
#
Don't set LD=${CC} globally, but only pass it to CONFIGURE_ENV, which is the only relevant place that wants it.
2004-02-08 00:58:49 +01:00
CONFIGURE_ENV+= LD=${CC:Q}
On non-SunOS, bring back LD=${CC}
2003-09-23 22:53:52 +02:00
Fix up OpenSSH sources to allow building with S/Key support on NetBSD as well. Bump the PKGREVISION. XXX The right fix is to create a autoconf check for the number of args XXX that skeychallenge takes and do the right thing accordingly.
2004-04-28 06:00:17 +02:00
# Enable S/Key support on NetBSD, Darwin, and Solaris.
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
Convert to bl3; update comments in Makefile.intree.
2004-04-26 01:36:52 +02:00
. include "../../security/skey/buildlink3.mk"
Support building with S/Key support on Darwin, and move the check for libcrypt-before-libcrypto into a section that is protected by something we can set in the configure script (check_for_libcrypt_before). This should fix the latter part of pkg/18091 by grant beattie.
2002-08-28 06:55:18 +02:00
CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
.else
CONFIGURE_ARGS+= --without-skey
Add skey support on Solaris.
2002-07-26 11:24:22 +02:00
.endif
Building with Kerberos 4 support doesn't work when using mit-krb5. Only allow building with Kerberos 4 support when using Heimdal and if the kerberosIV headers exist.
2004-04-28 05:54:08 +02:00
.if (${OPSYS} == "NetBSD") && exists(/usr/include/utmpx.h)
Add handling of utmpx/wtmpx on NetBSD-current. Bump PKGREVISION.
2004-04-27 14:30:23 +02:00
# if we have utmpx et al do not try to use login()
CONFIGURE_ARGS+= --disable-libutil
.endif
Building with Kerberos 4 support doesn't work when using mit-krb5. Only allow building with Kerberos 4 support when using Heimdal and if the kerberosIV headers exist.
2004-04-28 05:54:08 +02:00
.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
Something in our framework interferes with configure disabling utmp/wtmp handling on Solaris >= 8 so do it explicitly.
2004-04-27 14:26:31 +02:00
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
.endif
Enable md5 passwords support in Linux. This closes PR pkg/25322 by Piotr Meyer.
2004-05-02 19:30:37 +02:00
.if ${OPSYS} == "Linux"
CONFIGURE_ARGS+= --enable-md5-password
.endif
Something in our framework interferes with configure disabling utmp/wtmp handling on Solaris >= 8 so do it explicitly.
2004-04-27 14:26:31 +02:00
The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending on whether it's part of the X11 distribution or installed from pkgsrc. Use correct path depending on if ${X11BASE}/bin/ssh-askpass exists.
2000-09-05 11:43:02 +02:00
# The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending
# on if it's part of the X11 distribution, or if it's installed from pkgsrc
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
# (security/ssh-askpass).
Set location of ssh-askpass to be ${X11PREFIX}/bin/ssh-askpass. Closes PR#10774.
2000-08-11 07:19:42 +02:00
#
The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending on whether it's part of the X11 distribution or installed from pkgsrc. Use correct path depending on if ${X11BASE}/bin/ssh-askpass exists.
2000-09-05 11:43:02 +02:00
.if exists(${X11BASE}/bin/ssh-askpass)
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending on whether it's part of the X11 distribution or installed from pkgsrc. Use correct path depending on if ${X11BASE}/bin/ssh-askpass exists.
2000-09-05 11:43:02 +02:00
.else
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
ASKPASS_PROGRAM= ${X11PREFIX}/bin/ssh-askpass
The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending on whether it's part of the X11 distribution or installed from pkgsrc. Use correct path depending on if ${X11BASE}/bin/ssh-askpass exists.
2000-09-05 11:43:02 +02:00
.endif
Fixed pkglint warnings. The warnings are mostly quoting issues, for example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some other changes are outlined in http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-12-05 21:49:47 +01:00
CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
Set location of ssh-askpass to be ${X11PREFIX}/bin/ssh-askpass. Closes PR#10774.
2000-08-11 07:19:42 +02:00
tell configure where to find xauth(1) so that X forwarding over ssh works when using pkgsrc X11. bump PKGREVISION.
2004-10-24 04:52:15 +02:00
# do the same for xauth
.if exists(${X11BASE}/bin/xauth)
CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
.else
CONFIGURE_ARGS+= --with-xauth=${X11PREFIX}/bin/xauth
.endif
Merge CONF_FILES/SUPPORT_FILES and CONF_FILES_PERMS/SUPPORT_FILES_PERMS as the INSTALL and DEINSTALL scripts no longer distinguish between the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the packages in pkgsrc accordingly.
2005-08-19 20:12:36 +02:00
CONFS= ssh_config sshd_config moduli
Unify NetBSD and Solaris package lists and use dynamic modification.
2001-06-18 21:54:14 +02:00
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
.if exists(/dev/urandom)
Only use the NetBSD-specific MESSAGE.urandom for NetBSD. It says to use "pseudo-device rnd" kernel configuration. TODO: if the above instructions are fine for other operating systems with /dev/urandom then add.
2004-05-22 01:00:23 +02:00
. if ${OPSYS} == "NetBSD"
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
MESSAGE_SRC+= ${.CURDIR}/MESSAGE.urandom
Only use the NetBSD-specific MESSAGE.urandom for NetBSD. It says to use "pseudo-device rnd" kernel configuration. TODO: if the above instructions are fine for other operating systems with /dev/urandom then add.
2004-05-22 01:00:23 +02:00
. endif
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
.else
CONFIGURE_ARGS+= --without-random
CONFS+= ssh_prng_cmds
PLIST_SRC+= ${.CURDIR}/PLIST.prng
Make this package work under SunOS.
2001-01-10 17:05:52 +01:00
.endif
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
CONF_FILES= # empty
Update openssh package to 4.4.1 (openssh-4.4p1). - A few pkglint warning clean up. - Major changes are here. For complete changes, see http://www.openssh.com/txt/release-4.4. Changes since OpenSSH 4.3: ============================ Security bugs resolved in this release: * Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired. * Fix an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. * On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. This release includes the following new functionality and fixes: * Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post- authentication options are supported and more are expected to be added in future releases. * Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. * Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. * Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. * Add optional logging of transactions to sftp-server(8). * ssh(1) will now record port numbers for hosts stored in ~/.ssh/authorized_keys when a non-standard port has been requested. * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. * Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. * Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. * Many manpage fixes and improvements * New portable OpenSSH-specific features: - Add optional support for SELinux, controlled using the --with-selinux configure option (experimental) - Add optional support for Solaris process contracts, enabled using the --with-solaris-contracts configure option (experimental) This option will also include SMF metadata in Solaris packages built using the "make package" target - Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option.
2006-10-31 04:31:19 +01:00
.for f in ${CONFS}
CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
.endfor
Add variables for openssh privilege separation to bsd.pkg.defaults.mk: OPENSSH_USER OPENSSH_UID OPENSSH_GROUP OPENSSH_GID OPENSSH_CHROOT Use these to automatically create user/group if they do not already exist. Assists platforms which do not have an 'sshd' user by default, while adding flexibility for NetBSD systems. Checked by Stoned Elipot <seb@netbsd.org>.
2002-08-31 12:08:59 +02:00
OWN_DIRS= ${OPENSSH_CHROOT}
* SSH_CONF_DIR has been obsoleted. Use PKG_SYSCONFDIR instead. * Build properly on systems that don't have /dev/urandom by testing for the presence of /dev/urandom, instead of just testing for Solaris. * Add disabled code to handle PAM (not quite working yet with security/PAM). * Make the sshd rc.d script more /etc/rc.subr-friendly. * Minimize amount of diffs from pristine OpenSSH sources.
2002-02-05 05:17:31 +01:00
RCD_SCRIPTS= sshd
PLIST_SRC+= ${.CURDIR}/PLIST
Fixed pkglint warnings. The warnings are mostly quoting issues, for example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some other changes are outlined in http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-12-05 21:49:47 +01:00
FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q}
Make this work more like the ssh package: - don't install setuid unless SSH_SUID=YES - use libwrap (--with-tcp-wrappers) on NetBSD I also want to fix S/Key support and Kerberos IV, so I've left some comments in Makefile for that.
2001-08-17 21:49:08 +02:00
Update openssh package to 4.4.1 (openssh-4.4p1). - A few pkglint warning clean up. - Major changes are here. For complete changes, see http://www.openssh.com/txt/release-4.4. Changes since OpenSSH 4.3: ============================ Security bugs resolved in this release: * Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired. * Fix an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. * On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. This release includes the following new functionality and fixes: * Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post- authentication options are supported and more are expected to be added in future releases. * Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. * Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. * Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. * Add optional logging of transactions to sftp-server(8). * ssh(1) will now record port numbers for hosts stored in ~/.ssh/authorized_keys when a non-standard port has been requested. * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. * Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. * Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. * Many manpage fixes and improvements * New portable OpenSSH-specific features: - Add optional support for SELinux, controlled using the --with-selinux configure option (experimental) - Add optional support for Solaris process contracts, enabled using the --with-solaris-contracts configure option (experimental) This option will also include SMF metadata in Solaris packages built using the "make package" target - Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option.
2006-10-31 04:31:19 +01:00
SUBST_CLASSES+= patch
SUBST_STAGE.patch= pre-configure
SUBST_FILES.patch= session.c
SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
SUBST_MESSAGE.patch= More patch a file.
Building with Kerberos 4 support doesn't work when using mit-krb5. Only allow building with Kerberos 4 support when using Heimdal and if the kerberosIV headers exist.
2004-04-28 05:54:08 +02:00
.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../security/tcp_wrappers/buildlink3.mk"
Clean this up, sync with the ssh package, and update to 1.2.2 (fixing PR 9304 by David Rankin <drankin@bohemians.lexington.ky.us>. Changes: 20000125 - Fix NULL pointer dereference in login.c. Fix from Andre Lucas <andre.lucas@dial.pipex.com> - Reorder PAM initialisation so it does not mess up lastlog. Reported by Andre Lucas <andre.lucas@dial.pipex.com> - Use preformatted manpages on SCO, report from Gary E. Miller <gem@rellim.com> - New URL for x11-ssh-askpass. - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble <jmknoble@pobox.com> - Added 'DESTDIR' option to Makefile to ease package building. Patch from Jim Knoble <jmknoble@pobox.com> - Updated RPM spec files to use DESTDIR 20000124 - Pick up version 1.2.2 from OpenBSD CVS (no changes, just version number increment) 20000123 - OpenBSD CVS: - [packet.c] getsockname() requires initialized tolen; andy@guildsoftware.com - AIX patch from Matt Richards <v2matt@btv.ibm.com> and David Rankin <drankin@bohemians.lexington.ky.us> - Fix lastlog support, patch from Andre Lucas <andre.lucas@dial.pipex.com> 20000122 - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor <bent@clark.net> - Merge preformatted manpage patch from Andre Lucas <andre.lucas@dial.pipex.com> - Make IPv4 use the default in RPM packages - Irix uses preformatted manpages - Missing htons() in bsd-bindresvport.c, fix from Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - OpenBSD CVS updates: - [packet.c] use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; from Holger.Trapp@Informatik.TU-Chemnitz.DE - [sshd.c] log with level log() not fatal() if peer behaves badly. - [readpass.c] instead of blocking SIGINT, catch it ourselves, so that we can clean the tty modes up and kill ourselves -- instead of our process group leader (scp, cvs, ...) going away and leaving us in noecho mode. people with cbreak shells never even noticed.. - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] ie. -> i.e., 20000120 - Don't use getaddrinfo on AIX - Update to latest OpenBSD CVS: - [auth-rsa.c] - fix user/1056, sshd keeps restrictions; dbt@meat.net - [sshconnect.c] - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. - destroy keys earlier - split key exchange (kex) and user authentication (user-auth), ok: provos@ - [sshd.c] - no need for poll.h; from bright@wintelcom.net - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. - split key exchange (kex) and user authentication (user-auth), ok: provos@ - [sshd.c] - no need for poll.h; from bright@wintelcom.net - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. - split key exchange (kex) and user authentication (user-auth), ok: provos@ - Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages - Doc updates - NetBSD patch from David Rankin <drankin@bohemians.lexington.ky.us> and Christos Zoulas <christos@netbsd.org> 20000119 - SCO compile fixes from Gary E. Miller <gem@rellim.com> - Compile fix from Darren_Hall@progressive.com - Linux/glibc-2.1.2 takes a *long* time to look up names for AF_UNSPEC addresses using getaddrinfo(). Added a configure switch to make the default lookup mode AF_INET 20000118 - Fixed --with-pid-dir option - Makefile fix from Gary E. Miller <gem@rellim.com> - Compile fix for HPUX and Solaris from Andre Lucas <andre.lucas@dial.pipex.com>
2000-01-27 18:12:02 +01:00
post-install:
Update to OpenSSH 5.0p1. Changes since 4.7: - fix two security issues - chroot support for sshd(8) - sftp server internalized in sshd(8) - assorted bug fixes
2008-04-27 02:34:27 +02:00
${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
Merge CONF_FILES/SUPPORT_FILES and CONF_FILES_PERMS/SUPPORT_FILES_PERMS as the INSTALL and DEINSTALL scripts no longer distinguish between the two types of files. Drop SUPPORT_FILES{,_PERMS} and modify the packages in pkgsrc accordingly.
2005-08-19 20:12:36 +02:00
cd ${WRKSRC}; for file in ${CONFS}; do \
Update to OpenSSH 5.0p1. Changes since 4.7: - fix two security issues - chroot support for sshd(8) - sftp server internalized in sshd(8) - assorted bug fixes
2008-04-27 02:34:27 +02:00
${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
Unify NetBSD and Solaris package lists and use dynamic modification.
2001-06-18 21:54:14 +02:00
done
Update openssh to 4.2p1. This is from PR #31331. Thank you, Jason. Some changes different from patches provided in that PR are: - patch-aj, patch-aq, and patch-as not changed (they appeared to be identical to previous patches) - DragonFly support also added to configure script (patch-aa) because compilation failed due to missing crypt - and install-sysconf target removed from the installation target in Makefile.in (patch-ah). Just let the pkgsrc framework install this since it now will allow it to be removed correctly on deinstall. - use "pam" instead of "PAM" as option name in the post-install target. This removes patch-ai. This also now uses openssh-4.2p1-hpn11.diff patch. I didn't test with kerberos and hpn-patch options. I did test with PAM on Linux. (The PR reported that kerberos and hpn-patch options were tested for compiling.) I tested on NetBSD 2.0.2, Linux, and DragonFly. This includes two security fixes and several bug fixes and many improvemens. The changes are listed at http://www.mindrot.org/pipermail/openssh-unix-announce/2005-September/000083.html http://www.mindrot.org/pipermail/openssh-unix-announce/2005-May/000079.html TODO: get some of these patches committed upstream.
2005-09-21 20:07:09 +02:00
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
Update to OpenSSH 5.0p1. Changes since 4.7: - fix two security issues - chroot support for sshd(8) - sftp server internalized in sshd(8) - assorted bug fixes
2008-04-27 02:34:27 +02:00
${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
${DESTDIR}${EGDIR}/sshd.pam
The makefile had a comment saying PAM authentication causes memory faults, and haven't tracked down why yet. No allow PAM authentication if Linux (and USE_PAM is defined). This will close my 20846 PR from March 2003. Also, install the contrib/sshd.pam.generic file as the example sshd.pam instead of the FreeBSD version, but this okay since it was commented out in the first place. TODO: test the PAM support on other platforms and allow if USE_PAM is defined.
2004-05-22 00:54:43 +02:00
.endif
New openssh package [needs some cleanup] - it is not enabled by default (need to think what to do with the ssh conflict) - only tested under 1.4.1 so far
2000-01-17 06:34:32 +01:00
.include "../../mk/bsd.pkg.mk"
Reference in a new issue Copy permalink