kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/security/openssh/Makefile
taca 3dd52fd750 Update openssh package to 5.2.1(5.2p1). 
Changes since OpenSSH 5.1
=========================

Security:

 * This release changes the default cipher order to prefer the AES CTR
   modes and the revised "arcfour256" mode to CBC mode ciphers that are
   susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

 * This release also adds countermeasures to mitigate CPNI-957037-style
   attacks against the SSH protocol's use of CBC-mode ciphers. Upon
   detection of an invalid packet length or Message Authentication
   Code, ssh/sshd will continue reading up to the maximum supported
   packet length rather than immediately terminating the connection.
   This eliminates most of the known differences in behaviour that
   leaked information about the plaintext of injected data which formed
   the basis of this attack. We believe that these attacks are rendered
   infeasible by these changes.

New features:

 * Added a -y option to ssh(1) to force logging to syslog rather than
   stderr, which is useful when running daemonised (ssh -f)

 * The sshd_config(5) ForceCommand directive now accepts commandline
   arguments for the internal-sftp server.

 * The ssh(1) ~C escape commandline now support runtime creation of
   dynamic (-D) port forwards.

 * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards.
   (bz#1482)

 * Support remote port forwarding with a listen port of '0'. This
   informs the server that it should dynamically allocate a listen
   port and report it back to the client. (bz#1003)

 * sshd(8) now supports setting PermitEmptyPasswords and
   AllowAgentForwarding in Match blocks

Bug and documentation fixes

 * Repair a ssh(1) crash introduced in openssh-5.1 when the client is
   sent a zero-length banner (bz#1496)

 * Due to interoperability problems with certain
   broken SSH implementations, the eow@openssh.com and
   no-more-sessions@openssh.com protocol extensions are now only sent
   to peers that identify themselves as OpenSSH.

 * Make ssh(1) send the correct channel number for
   SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
   avoid triggering 'Non-public channel' error messages on sshd(8) in
   openssh-5.1.

 * Avoid printing 'Non-public channel' warnings in sshd(8), since the
   ssh(1) has sent incorrect channel numbers since ~2004 (this reverts
   a behaviour introduced in openssh-5.1).

 * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)

 * Correct fail-on-error behaviour in sftp(1) batchmode for remote
   stat operations. (bz#1541)

 * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave
   connections. (bz#1543)

 * Avoid hang in ssh(1) when attempting to connect to a server that
   has MaxSessions=0 set.

 * Multiple fixes to sshd(8) configuration test (-T) mode

 * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
   1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540

 * Many manual page improvements.
2009-05-21 03:22:29 +00:00

177 lines
5.3 KiB
Makefile
Raw Blame History

# $NetBSD: Makefile,v 1.192 2009/05/21 03:22:29 taca Exp $
DISTNAME= openssh-5.2p1
PKGNAME= openssh-5.2.1
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \
ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp.freenet.de/pub/ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp.belnet.be/packages/openbsd/OpenSSH/portable/ \
ftp://mirror.pacific.net.au/OpenBSD/OpenSSH/portable/
# Don't delete the last entry -- it's there if the pkgsrc version is not
# up-to-date and the mirrors already removed the old distfile.
DIST_SUBDIR= ${PKGBASE}-5.2.1-20090521
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.openssh.com/
COMMENT= Open Source Secure shell client and server (remote login program)
CONFLICTS= sftp-[0-9]*
CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
CONFLICTS+= openssh+gssapi-[0-9]*
CONFLICTS+= lsh>2.0
PKG_DESTDIR_SUPPORT= user-destdir
USE_TOOLS+= perl
CRYPTO= yes
# retain the following line, for IPv6-ready pkgsrc webpage
BUILD_DEFS+= IPV6_READY
PKG_GROUPS_VARS+= OPENSSH_GROUP
PKG_USERS_VARS+= OPENSSH_USER
BUILD_DEFS+= OPENSSH_CHROOT
BUILD_DEFS+= VARBASE
INSTALL_TARGET= install-nokeys
PLIST_SRC= # empty
.include "options.mk"
.if ${OPSYS} == "Interix"
# OpenSSH on Interix has some important caveats
MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind /usr/local/lib/bind
CONFIGURE_ENV+= ac_cv_func_openpty=no
CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
CPPFLAGS+= -I/usr/local/include/bind
LDFLAGS+= -L/usr/local/lib/bind
LIBS+= -lbind -ldb -lcrypt
.else # not Interix
PKG_GROUPS= ${OPENSSH_GROUP}
PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
.endif
SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
PKG_SYSCONFSUBDIR= ssh
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --with-mantype=man
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR:Q}
CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
.if ${OPSYS} != "Interix"
CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER:Q}
.endif
# pkgsrc already enforces a "secure" version of zlib via dependencies,
# so skip this bogus version check.
CONFIGURE_ARGS+= --without-zlib-version-check
# the openssh configure script finds and uses ${LD} if defined and
# defaults to ${CC} if not. we override LD here, since running the
# linker directly results in undefined symbols for obvious reasons.
#
CONFIGURE_ENV+= LD=${CC:Q}
# Enable S/Key support on NetBSD, Darwin, and Solaris.
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
. include "../../security/skey/buildlink3.mk"
CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
.else
CONFIGURE_ARGS+= --without-skey
.endif
.if (${OPSYS} == "NetBSD") && exists(/usr/include/utmpx.h)
# if we have utmpx et al do not try to use login()
CONFIGURE_ARGS+= --disable-libutil
.endif
.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
.endif
.if ${OPSYS} == "Linux"
CONFIGURE_ARGS+= --enable-md5-password
.endif
# The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending
# on if it's part of the X11 distribution, or if it's installed from pkgsrc
# (security/ssh-askpass).
#
.if exists(${X11BASE}/bin/ssh-askpass)
ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
.else
ASKPASS_PROGRAM= ${X11PREFIX}/bin/ssh-askpass
.endif
CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
# do the same for xauth
.if exists(${X11BASE}/bin/xauth)
CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
.else
CONFIGURE_ARGS+= --with-xauth=${X11PREFIX}/bin/xauth
.endif
CONFS= ssh_config sshd_config moduli
.if exists(/dev/urandom)
. if ${OPSYS} == "NetBSD"
MESSAGE_SRC+= ${.CURDIR}/MESSAGE.urandom
. endif
.else
CONFIGURE_ARGS+= --without-random
CONFS+= ssh_prng_cmds
PLIST_SRC+= ${.CURDIR}/PLIST.prng
.endif
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
CONF_FILES= # empty
.for f in ${CONFS}
CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
OWN_DIRS= ${OPENSSH_CHROOT}
RCD_SCRIPTS= sshd
PLIST_SRC+= ${.CURDIR}/PLIST
FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q}
SUBST_CLASSES+= patch
SUBST_STAGE.patch= pre-configure
SUBST_FILES.patch= session.c
SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
SUBST_MESSAGE.patch= More patch a file.
.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../security/tcp_wrappers/buildlink3.mk"
post-install:
${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
cd ${WRKSRC}; for file in ${CONFS}; do \
${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
done
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
${DESTDIR}${EGDIR}/sshd.pam
.endif
.include "../../mk/bsd.pkg.mk"
Reference in a new issue View git blame Copy permalink