File: [cvs.NetBSD.org] / pkgsrc / security / openssh / Makefile (download)
Revision 1.233, Thu Jul 9 16:14:23 2015 UTC (8 years, 9 months ago) by taca
Update openssh to 6.9.1 (OpenSSH 6.9p1), which contains security fixes.

pkgsrc change:
* tcp_wrappers support was removed from release 6.7, but add it, referring to FreeBSD's ports.
* hpn-patch is also based on FreeBSD's ports.

Security
--------
* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn.
* ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci.

For more information, please refer to the release announcements.
http://www.openssh.com/txt/release-6.9
http://www.openssh.com/txt/release-6.8
http://www.openssh.com/txt/release-6.7
# $NetBSD: Makefile,v 1.233 2015/07/09 16:14:23 taca Exp $
#
# pkgsrc package Makefile for security/openssh: builds the portable
# OpenSSH distfile openssh-6.9p1 as package openssh-6.9.1.  This is a
# BSD make file (.if/.include/.for directives), not GNU make.

DISTNAME=	openssh-6.9p1
PKGNAME=	openssh-6.9.1
CATEGORIES=	security
MASTER_SITES=	${MASTER_SITE_OPENBSD:=OpenSSH/portable/}

MAINTAINER=	pkgsrc-users@NetBSD.org
# NOTE(review): HOMEPAGE is plain http, and the fetch scheme behind
# MASTER_SITE_OPENBSD is not visible here.  Distfile integrity should rest
# on the checksums in this package's distinfo (not shown) -- confirm they
# were regenerated for 6.9p1.
HOMEPAGE=	http://www.openssh.com/
COMMENT=	Open Source Secure shell client and server (remote login program)

# Other SSH packages that cannot be installed alongside this one.
CONFLICTS=	sftp-[0-9]*
CONFLICTS+=	ssh-[0-9]* ssh6-[0-9]*
CONFLICTS+=	ssh2-[0-9]* ssh2-nox11-[0-9]*
CONFLICTS+=	openssh+gssapi-[0-9]*
CONFLICTS+=	lsh>2.0

USE_GCC_RUNTIME=	yes
# autoconf is needed by the pre-configure target below.
USE_TOOLS+=	autoconf perl
CRYPTO=	yes

# retain the following line, for IPv6-ready pkgsrc webpage
BUILD_DEFS+=	IPV6_READY

# OPENSSH_USER, OPENSSH_GROUP and OPENSSH_CHROOT are site-tunable; they are
# used below for the privilege-separation account and its chroot directory.
PKG_GROUPS_VARS+=	OPENSSH_GROUP
PKG_USERS_VARS+=	OPENSSH_USER
BUILD_DEFS+=	OPENSSH_CHROOT
BUILD_DEFS+=	VARBASE

# Presumably upstream's "install without generating host keys" target, so
# that no private host key ends up inside a (redistributable) binary
# package -- TODO confirm against the distfile's Makefile.in.
INSTALL_TARGET=	install-nokeys

.include "options.mk"

.if ${OPSYS} == "Darwin"
# fixes: dyld: Symbol not found: _allow_severity
CONFIGURE_ARGS+=	--disable-strip
.endif

.if ${OPSYS} == "Interix"
# OpenSSH on Interix has some important caveats
# No privsep user/group is declared in this branch, and the privsep
# configure arguments further down are skipped for Interix as well.
MESSAGE_SRC=	${.CURDIR}/MESSAGE.Interix
BUILDLINK_PASSTHRU_DIRS+=	/usr/local/lib/bind
CONFIGURE_ENV+=	ac_cv_func_openpty=no
CONFIGURE_ENV+=	ac_cv_type_struct_timespec=yes
CPPFLAGS+=	-DIOV_MAX=16 # default is INT_MAX, way too large
.if exists(/usr/local/include/bind/resolv.h)
CPPFLAGS+=	-I/usr/local/include/bind
BUILDLINK_PASSTHRU_DIRS+=	/usr/local/include/bind
.elif exists(/usr/local/bind/include/resolv.h)
CPPFLAGS+=	-I/usr/local/bind/include
BUILDLINK_PASSTHRU_DIRS+=	/usr/local/bind/include
.endif
LDFLAGS+=	-L/usr/local/lib/bind
LIBS+=	-lbind -ldb -lcrypt
.else # not Interix
# Dedicated account for sshd privilege separation (see the GECOS string);
# its home directory is the privsep chroot, ${OPENSSH_CHROOT}.
PKG_GROUPS=	${OPENSSH_GROUP}
PKG_USERS=	${OPENSSH_USER}:${OPENSSH_GROUP}
PKG_GECOS.${OPENSSH_USER}=	sshd privsep pseudo-user
PKG_HOME.${OPENSSH_USER}=	${OPENSSH_CHROOT}
.endif

SSH_PID_DIR=	${VARBASE}/run # default directory for PID files
PKG_SYSCONFSUBDIR=	ssh

GNU_CONFIGURE=	yes
CONFIGURE_ARGS+=	--with-mantype=man
CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+=	--with-pid-dir=${SSH_PID_DIR:Q}
CONFIGURE_ARGS+=	--with-ssl-dir=${SSLBASE:Q}
# Per the revision log, upstream removed tcp_wrappers support in 6.7 and
# pkgsrc re-adds it with a local patch, so this option exists only while
# that patch applies.
# NOTE(review): unlike the neighbouring arguments this value is not
# :Q-quoted.
CONFIGURE_ARGS+=	--with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
.if ${OPSYS} != "Interix"
# Tell sshd which chroot directory and unprivileged user to use for
# privilege separation; these match the PKG_USERS/PKG_HOME settings above.
CONFIGURE_ARGS+=	--with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+=	--with-privsep-user=${OPENSSH_USER:Q}
.endif

# pkgsrc already enforces a "secure" version of zlib via dependencies,
# so skip this bogus version check.
# NOTE(review): with the configure-time check off, a patched zlib is
# guaranteed only by the dependency framework (devel/zlib buildlink3,
# included below) -- confirm its version requirement still covers this.
CONFIGURE_ARGS+=	--without-zlib-version-check

# the openssh configure script finds and uses ${LD} if defined and
# defaults to ${CC} if not.  we override LD here, since running the
# linker directly results in undefined symbols for obvious reasons.
#
CONFIGURE_ENV+=	LD=${CC:Q}

# Enable S/Key support on NetBSD, Darwin, and Solaris.
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
. include "../../security/skey/buildlink3.mk"
CONFIGURE_ARGS+=	--with-skey=${BUILDLINK_PREFIX.skey}
.else
CONFIGURE_ARGS+=	--without-skey
.endif

.if (${OPSYS} == "NetBSD")
. if exists(/usr/include/utmpx.h)
# if we have utmpx et al do not try to use login()
CONFIGURE_ARGS+=	--disable-libutil
. endif
#
# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
# prior version don't have it.  So, disable use of strnvis(3) now.
#
CONFIGURE_ENV+=	ac_cv_func_strnvis=no
.endif

.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp
.endif

.if ${OPSYS} == "Linux"
# NOTE(review): MD5-based password hashes are a legacy scheme; confirm this
# switch is still needed for the Linux systems this package targets.
CONFIGURE_ARGS+=	--enable-md5-password
.endif

# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
# on if it's part of the X11 distribution, or if it's installed from pkgsrc
# (security/ssh-askpass).
#
# exists() is evaluated on the build host, so the chosen absolute path is
# whatever was present there at build time; a binary package installed on
# another machine keeps that path.
.if exists(${X11BASE}/bin/ssh-askpass)
ASKPASS_PROGRAM=	${X11BASE}/bin/ssh-askpass
.else
ASKPASS_PROGRAM=	${PREFIX}/bin/ssh-askpass
.endif
CONFIGURE_ENV+=	ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
MAKE_ENV+=	ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}

# do the same for xauth
# (same build-host caveat; the xauth path is passed as an absolute path)
.if exists(${X11BASE}/bin/xauth)
CONFIGURE_ARGS+=	--with-xauth=${X11BASE}/bin/xauth
.else
CONFIGURE_ARGS+=	--with-xauth=${PREFIX}/bin/xauth
.endif

# Example configuration files installed by post-install below.
CONFS=	ssh_config sshd_config moduli

PLIST_VARS+=	prng

# Entropy source: the decision is taken from the build host.  If it has no
# /dev/urandom, configure is run with --without-random and ssh_prng_cmds is
# added to the installed configuration files.
# NOTE(review): confirm this OpenSSH release still ships ssh_prng_cmds and
# accepts --without-random; if not, the .else branch cannot work and hosts
# without /dev/urandom need an explicit failure instead.
.if exists(/dev/urandom)
. if ${OPSYS} == "NetBSD"
MESSAGE_SRC+=	${.CURDIR}/MESSAGE.urandom
. endif
.else
CONFIGURE_ARGS+=	--without-random
CONFS+=	ssh_prng_cmds
PLIST.prng=	yes
.endif

EGDIR=	${PREFIX}/share/examples/${PKGBASE}

# Build CONF_FILES as (example file, live config file) pairs, one pair per
# entry in CONFS.
CONF_FILES=	# empty
.for f in ${CONFS}
CONF_FILES+=	${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
# The privsep chroot directory is owned by this package.
# NOTE(review): it should end up root-owned, empty and not writable by
# ${OPENSSH_USER}; verify the resulting ownership and mode.
OWN_DIRS=	${OPENSSH_CHROOT}
# The rc.d script is taken from ${WRKDIR}, where post-configure writes it.
RCD_SCRIPTS=	sshd
RCD_SCRIPT_SRC.sshd=	${WRKDIR}/sshd.sh
SMF_METHODS=	sshd

FILES_SUBST+=	SSH_PID_DIR=${SSH_PID_DIR:Q}

# Before configure, rewrite session.c: on every line that mentions
# channel_input_port_forward_request, the first "0" becomes ROOTUID.
# Presumably this replaces a hard-coded uid-0 test in the port-forwarding
# permission check -- TODO confirm against session.c.
# NOTE(review): the sed pattern is loose; if upstream changes those lines
# it can silently edit the wrong "0" or nothing at all, so re-check the
# result on every version update.
SUBST_CLASSES+=	patch
SUBST_STAGE.patch=	pre-configure
SUBST_FILES.patch=	session.c
SUBST_SED.patch=	-e '/channel_input_port_forward_request/s/0/ROOTUID/'
SUBST_MESSAGE.patch=	More patch a file.

.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../security/tcp_wrappers/buildlink3.mk"

# Regenerate the configure script with autoconf before it is run
# (presumably because local patches touch configure.ac -- TODO confirm).
pre-configure:
	cd ${WRKSRC} && autoconf -i

#
# Whether the "ecdsa" key type is supported depends on the OpenSSL in use.
#
# Generate ${WRKDIR}/sshd.sh from ${FILESDIR}/sshd.sh according to what
# configure detected: if config.h defines OPENSSL_HAS_ECC, only the lines
# containing HAVE_ECDSA (the markers) are blanked and the text between them
# stays; otherwise everything from HAVE_ECDSA_START through HAVE_ECDSA_STOP
# is deleted.
post-configure:
	if ${EGREP} -q '^\#define[ ]+OPENSSL_HAS_ECC' \
		${WRKSRC}/config.h; then \
		${SED} -e '/HAVE_ECDSA/s/.*//' \
			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
	else \
		${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
	fi

# Install each generated <name>.out from ${WRKSRC} as an example
# configuration file under ${EGDIR}; on Linux with the "pam" option, also
# install upstream's generic PAM file as the sshd.pam example.
# NOTE(review): pre-configure chains with "&&" while the loop below uses
# "cd ${WRKSRC};" -- "&&" would make sure a failed cd can never run the
# loop in another directory.
post-install:
	${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
	cd ${WRKSRC}; for file in ${CONFS}; do \
		${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
	done
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
		${DESTDIR}${EGDIR}/sshd.pam
.endif

.include "../../mk/bsd.pkg.mk"