847296952e
Changes from OpenSSH 5.0 is huge to write here, please refer its release note: http://www.openssh.com/txt/release-5.1. I quote only Security section from the release note. Security: * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly other platforms) when X11UseLocalhost=no When attempting to bind(2) to a port that has previously been bound with SO_REUSEADDR set, most operating systems check that either the effective user-id matches the previous bind (common on BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris). Some operating systems, such as HP/UX, do not perform these checks and are vulnerable to an X11 man-in-the-middle attack when the sshd_config(5) option X11UseLocalhost has been set to "no" - an attacker may establish a more-specific bind, which will be used in preference to sshd's wildcard listener. Modern BSD operating systems, Linux, OS X and Solaris implement the above checks and are not vulnerable to this attack, nor are systems where the X11UseLocalhost has been left at the default value of "yes". Portable OpenSSH 5.1 avoids this problem for all operating systems by not setting SO_REUSEADDR when X11UseLocalhost is set to no. This vulnerability was reported by sway2004009 AT hotmail.com.
174 lines
5.2 KiB
Makefile
174 lines
5.2 KiB
Makefile
# $NetBSD: Makefile,v 1.190 2008/09/16 12:53:08 taca Exp $
|
|
|
|
DISTNAME= openssh-5.1p1
|
|
PKGNAME= openssh-5.1.1
|
|
SVR4_PKGNAME= ossh
|
|
CATEGORIES= security
|
|
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
|
|
ftp://ftp.stealth.net/pub/mirrors/ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
|
|
http://public.planetmirror.com.au/pub/OpenBSD/OpenSSH/portable/ \
|
|
ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \
|
|
ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/
|
|
# Don't delete the last entry -- it's there if the pkgsrc version is not
|
|
# up-to-date and the mirrors already removed the old distfile.
|
|
DIST_SUBDIR= ${PKGBASE}-5.1.1-20080916
|
|
|
|
MAINTAINER= pkgsrc-users@NetBSD.org
|
|
HOMEPAGE= http://www.openssh.com/
|
|
COMMENT= Open Source Secure shell client and server (remote login program)
|
|
|
|
CONFLICTS= sftp-[0-9]*
|
|
CONFLICTS+= ssh-[0-9]* ssh6-[0-9]*
|
|
CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]*
|
|
CONFLICTS+= openssh+gssapi-[0-9]*
|
|
CONFLICTS+= lsh>2.0
|
|
|
|
PKG_DESTDIR_SUPPORT= user-destdir
|
|
|
|
USE_TOOLS+= perl
|
|
|
|
CRYPTO= yes
|
|
|
|
# retain the following line, for IPv6-ready pkgsrc webpage
|
|
BUILD_DEFS+= IPV6_READY
|
|
|
|
PKG_GROUPS_VARS+= OPENSSH_GROUP
|
|
PKG_USERS_VARS+= OPENSSH_USER
|
|
BUILD_DEFS+= OPENSSH_CHROOT
|
|
BUILD_DEFS+= VARBASE
|
|
|
|
INSTALL_TARGET= install-nokeys
|
|
PLIST_SRC= # empty
|
|
|
|
.include "options.mk"
|
|
|
|
.if ${OPSYS} == "Interix"
|
|
|
|
# OpenSSH on Interix has some important caveats
|
|
MESSAGE_SRC= ${.CURDIR}/MESSAGE.Interix
|
|
BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind /usr/local/lib/bind
|
|
CONFIGURE_ENV+= ac_cv_func_openpty=no
|
|
CONFIGURE_ENV+= ac_cv_type_struct_timespec=yes
|
|
CPPFLAGS+= -DIOV_MAX=16 # default is INT_MAX, way too large
|
|
CPPFLAGS+= -I/usr/local/include/bind
|
|
LDFLAGS+= -L/usr/local/lib/bind
|
|
LIBS+= -lbind -ldb -lcrypt
|
|
|
|
.else # not Interix
|
|
|
|
PKG_GROUPS= ${OPENSSH_GROUP}
|
|
PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}
|
|
|
|
PKG_GECOS.${OPENSSH_USER}= sshd privsep pseudo-user
|
|
PKG_HOME.${OPENSSH_USER}= ${OPENSSH_CHROOT}
|
|
|
|
.endif
|
|
|
|
SSH_PID_DIR= ${VARBASE}/run # default directory for PID files
|
|
|
|
PKG_SYSCONFSUBDIR= ssh
|
|
|
|
GNU_CONFIGURE= yes
|
|
CONFIGURE_ARGS+= --with-mantype=man
|
|
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
|
|
CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR:Q}
|
|
CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE:Q}
|
|
CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
|
|
|
|
.if ${OPSYS} != "Interix"
|
|
CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT:Q}
|
|
CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER:Q}
|
|
.endif
|
|
|
|
# pkgsrc already enforces a "secure" version of zlib via dependencies,
|
|
# so skip this bogus version check.
|
|
CONFIGURE_ARGS+= --without-zlib-version-check
|
|
|
|
# the openssh configure script finds and uses ${LD} if defined and
|
|
# defaults to ${CC} if not. we override LD here, since running the
|
|
# linker directly results in undefined symbols for obvious reasons.
|
|
#
|
|
CONFIGURE_ENV+= LD=${CC:Q}
|
|
|
|
# Enable S/Key support on NetBSD, Darwin, and Solaris.
|
|
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
|
|
. include "../../security/skey/buildlink3.mk"
|
|
CONFIGURE_ARGS+= --with-skey=${BUILDLINK_PREFIX.skey}
|
|
.else
|
|
CONFIGURE_ARGS+= --without-skey
|
|
.endif
|
|
|
|
.if (${OPSYS} == "NetBSD") && exists(/usr/include/utmpx.h)
|
|
# if we have utmpx et al do not try to use login()
|
|
CONFIGURE_ARGS+= --disable-libutil
|
|
.endif
|
|
.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
|
|
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp
|
|
.endif
|
|
.if ${OPSYS} == "Linux"
|
|
CONFIGURE_ARGS+= --enable-md5-password
|
|
.endif
|
|
|
|
# The ssh-askpass program is in ${X11BASE}/bin or ${X11PREFIX}/bin depending
|
|
# on if it's part of the X11 distribution, or if it's installed from pkgsrc
|
|
# (security/ssh-askpass).
|
|
#
|
|
.if exists(${X11BASE}/bin/ssh-askpass)
|
|
ASKPASS_PROGRAM= ${X11BASE}/bin/ssh-askpass
|
|
.else
|
|
ASKPASS_PROGRAM= ${X11PREFIX}/bin/ssh-askpass
|
|
.endif
|
|
CONFIGURE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
|
|
MAKE_ENV+= ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
|
|
|
|
# do the same for xauth
|
|
.if exists(${X11BASE}/bin/xauth)
|
|
CONFIGURE_ARGS+= --with-xauth=${X11BASE}/bin/xauth
|
|
.else
|
|
CONFIGURE_ARGS+= --with-xauth=${X11PREFIX}/bin/xauth
|
|
.endif
|
|
|
|
CONFS= ssh_config sshd_config moduli
|
|
|
|
.if exists(/dev/urandom)
|
|
. if ${OPSYS} == "NetBSD"
|
|
MESSAGE_SRC+= ${.CURDIR}/MESSAGE.urandom
|
|
. endif
|
|
.else
|
|
CONFIGURE_ARGS+= --without-random
|
|
CONFS+= ssh_prng_cmds
|
|
PLIST_SRC+= ${.CURDIR}/PLIST.prng
|
|
.endif
|
|
|
|
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
|
|
CONF_FILES= # empty
|
|
.for f in ${CONFS}
|
|
CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
|
|
.endfor
|
|
OWN_DIRS= ${OPENSSH_CHROOT}
|
|
RCD_SCRIPTS= sshd
|
|
|
|
PLIST_SRC+= ${.CURDIR}/PLIST
|
|
FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q}
|
|
|
|
SUBST_CLASSES+= patch
|
|
SUBST_STAGE.patch= pre-configure
|
|
SUBST_FILES.patch= session.c
|
|
SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/'
|
|
SUBST_MESSAGE.patch= More patch a file.
|
|
|
|
.include "../../devel/zlib/buildlink3.mk"
|
|
.include "../../security/openssl/buildlink3.mk"
|
|
.include "../../security/tcp_wrappers/buildlink3.mk"
|
|
|
|
post-install:
|
|
${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
|
|
cd ${WRKSRC}; for file in ${CONFS}; do \
|
|
${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
|
|
done
|
|
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
|
|
${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
|
|
${DESTDIR}${EGDIR}/sshd.pam
|
|
.endif
|
|
|
|
.include "../../mk/bsd.pkg.mk"
|