
File: [cvs.NetBSD.org] / pkgsrc / security / openssh / Makefile (download)

Revision 1.233, Thu Jul 9 16:14:23 2015 UTC (8 years, 9 months ago) by taca
Branch: MAIN
Changes since 1.232: +7 -5 lines

Update openssh to 6.9.1 (OpenSSH 6.9p1), which contains security fixes.

pkgsrc change:

* tcp_wrappers support was removed upstream in release 6.7; it is added
  back here with a patch based on FreeBSD's ports.
* The HPN patch is also based on FreeBSD's ports.


Security
--------

 * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
   connections made after ForwardX11Timeout expired could be permitted
   and no longer subject to XSECURITY restrictions because of an
   ineffective timeout check in ssh(1) coupled with "fail open"
   behaviour in the X11 server when clients attempted connections with
   expired credentials. This problem was reported by Jann Horn.

 * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
   password guessing by implementing an increasing failure delay,
   storing a salted hash of the password rather than the password
   itself and using a timing-safe comparison function for verifying
   unlock attempts. This problem was reported by Ryan Castellucci.

For more information, please refer to the release announcements:

	http://www.openssh.com/txt/release-6.9
	http://www.openssh.com/txt/release-6.8
	http://www.openssh.com/txt/release-6.7

# $NetBSD: Makefile,v 1.233 2015/07/09 16:14:23 taca Exp $

DISTNAME=		openssh-6.9p1
# pkgsrc spells upstream's "6.9p1" as 6.9.1.
PKGNAME=		openssh-6.9.1
CATEGORIES=		security
MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}

MAINTAINER=		pkgsrc-users@NetBSD.org
HOMEPAGE=		http://www.openssh.com/
COMMENT=		Open Source Secure shell client and server (remote login program)

# Other SSH packages whose installed files would overlap with ours.
CONFLICTS=		sftp-[0-9]* ssh-[0-9]* ssh6-[0-9]* \
			ssh2-[0-9]* ssh2-nox11-[0-9]* \
			openssh+gssapi-[0-9]* lsh>2.0

USE_GCC_RUNTIME=	yes
# autoconf is needed because pre-configure regenerates configure.
USE_TOOLS+=		autoconf perl
# Marks the package as containing cryptographic code.
CRYPTO=			yes

# retain the following line, for IPv6-ready pkgsrc webpage
BUILD_DEFS+=		IPV6_READY
# Record in the binary package's build info the values that are passed to
# configure (privsep chroot) and substituted into installed files (VARBASE
# via SSH_PID_DIR).
BUILD_DEFS+=		OPENSSH_CHROOT VARBASE

# Names of the user/group sshd uses for privilege separation; the actual
# values are defined elsewhere (presumably options.mk or mk.conf) and the
# account is created on install by the PKG_USERS/PKG_GROUPS settings below.
PKG_GROUPS_VARS+=	OPENSSH_GROUP
PKG_USERS_VARS+=	OPENSSH_USER

# Upstream install target that does not generate host keys at package
# install time; presumably the rc.d script creates them at first start --
# confirm against files/sshd.sh.
INSTALL_TARGET=		install-nokeys

.include "options.mk"

# Darwin: do not strip the installed binaries.  Stripping led to
# "dyld: Symbol not found: _allow_severity" at load time; allow_severity is
# one of the variables a program linked against libwrap (tcp_wrappers) is
# expected to provide -- presumably strip discarded it.  Revisit if the
# tcp_wrappers dependency is ever made optional.
.if !empty(OPSYS:MDarwin)
CONFIGURE_ARGS+=	--disable-strip
.endif

.if ${OPSYS} == "Interix"

# OpenSSH on Interix has some important caveats
# (spelled out in MESSAGE.Interix, which is shown at install time).
MESSAGE_SRC=		${.CURDIR}/MESSAGE.Interix
# The resolver comes from a separately installed BIND under /usr/local
# (linked as -lbind below), so its directories must be let through the
# buildlink wrapper.
BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
# Pre-set configure's answers for probes it gets wrong on Interix:
# treat openpty(3) as unavailable and struct timespec as present.
CONFIGURE_ENV+=		ac_cv_func_openpty=no
CONFIGURE_ENV+=		ac_cv_type_struct_timespec=yes
CPPFLAGS+=		-DIOV_MAX=16 # default is INT_MAX, way too large
# BIND's headers live in one of two layouts depending on how it was
# installed; if neither is found no include path is added and the build
# is left to fail on its own.
.if exists(/usr/local/include/bind/resolv.h)
CPPFLAGS+=		-I/usr/local/include/bind
BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
.elif exists(/usr/local/bind/include/resolv.h)
CPPFLAGS+=		-I/usr/local/bind/include
BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
.endif
LDFLAGS+=		-L/usr/local/lib/bind
# NOTE(review): -ldb and -lcrypt are linked unconditionally here; presumably
# required by Interix's password/database handling -- not verifiable from
# this file.
LIBS+=			-lbind -ldb -lcrypt

.else # not Interix

# Create the unprivileged user and group sshd uses for privilege
# separation; the user's home is the privsep chroot directory.  Interix gets
# no such user, matching the privsep configure options being skipped for it
# further down.
PKG_GROUPS=		${OPENSSH_GROUP}
PKG_USERS=		${OPENSSH_USER}:${OPENSSH_GROUP}

PKG_GECOS.${OPENSSH_USER}=	sshd privsep pseudo-user
PKG_HOME.${OPENSSH_USER}=	${OPENSSH_CHROOT}

.endif

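SSH_PID_DIR=		${VARBASE}/run	# default directory for PID files

# Configuration files go in the ssh/ subdirectory of pkgsrc's sysconf base.
PKG_SYSCONFSUBDIR=	ssh

GNU_CONFIGURE=		yes
CONFIGURE_ARGS+=	--with-mantype=man
CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+=	--with-pid-dir=${SSH_PID_DIR:Q}
# Build against pkgsrc's OpenSSL rather than whatever the host provides.
CONFIGURE_ARGS+=	--with-ssl-dir=${SSLBASE:Q}
# libwrap (tcp_wrappers) support was dropped upstream in 6.7; configure only
# understands this option because pkgsrc carries a patch (based on FreeBSD's
# ports) that adds it back -- presumably the reason configure is regenerated
# in pre-configure.  The prefix is :Q-quoted like the other paths above.
CONFIGURE_ARGS+=	--with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers:Q}

# Privilege separation user and chroot directory passed to configure; the
# account and the directory are created by the PKG_USERS and OWN_DIRS
# settings elsewhere in this file.  Interix gets neither.
# NOTE(review): sshd checks the ownership and mode of the privsep directory
# itself at startup; confirm the mode OWN_DIRS creates it with passes that
# check.
.if ${OPSYS} != "Interix"
CONFIGURE_ARGS+=	--with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+=	--with-privsep-user=${OPENSSH_USER:Q}
.endif

# pkgsrc already enforces a "secure" version of zlib via dependencies,
# so skip this bogus version check.
CONFIGURE_ARGS+=	--without-zlib-version-check

# the openssh configure script finds and uses ${LD} if defined and
# defaults to ${CC} if not. we override LD here, since running the
# linker directly results in undefined symbols for obvious reasons.
#
CONFIGURE_ENV+=		LD=${CC:Q}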

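# Enable S/Key support on NetBSD, Darwin, and Solaris.
# (S/Key one-time-password authentication; the library comes from
# security/skey.  The prefix is :Q-quoted like the other configure paths.)
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
.  include "../../security/skey/buildlink3.mk"
CONFIGURE_ARGS+=	--with-skey=${BUILDLINK_PREFIX.skey:Q}
.else
CONFIGURE_ARGS+=	--without-skey
.endif

.if (${OPSYS} == "NetBSD")
.  if exists(/usr/include/utmpx.h)
# if we have utmpx et al do not try to use login()
CONFIGURE_ARGS+=	--disable-libutil
.  endif
#
# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
# prior version don't have it.  So, disable use of strnvis(3) now.
# (Telling configure the function is absent presumably makes the build use
# openssh's own compatibility copy -- confirm against openbsd-compat/.)
#
CONFIGURE_ENV+=		ac_cv_func_strnvis=no
.endif

# Solaris 8 and 9 only: do not record logins in utmp/wtmp.  The original
# reason is not recorded here; treat as historical.
.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp
.endif
# Linux only.  NOTE(review): presumably lets password authentication accept
# MD5-style crypt(3) hashes; confirm against configure --help.
.if ${OPSYS} == "Linux"
CONFIGURE_ARGS+=	--enable-md5-password
.endif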

# Helper programs whose paths are handed to configure/make and therefore end
# up in the built binaries.  Prefer the X11 distribution's copy under
# ${X11BASE}; otherwise use the one installed from pkgsrc under ${PREFIX}
# (security/ssh-askpass for ssh-askpass).
# NOTE(review): exists() is evaluated on the build host, so a binary package
# records whichever location was present there -- check this when building
# packages for hosts with a different X11 layout.

# xauth(1)
.if exists(${X11BASE}/bin/xauth)
CONFIGURE_ARGS+=	--with-xauth=${X11BASE}/bin/xauth
.else
CONFIGURE_ARGS+=	--with-xauth=${PREFIX}/bin/xauth
.endif

# ssh-askpass (passphrase prompter)
.if !exists(${X11BASE}/bin/ssh-askpass)
ASKPASS_PROGRAM=	${PREFIX}/bin/ssh-askpass
.else
ASKPASS_PROGRAM=	${X11BASE}/bin/ssh-askpass
.endif
CONFIGURE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
MAKE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}

# Configuration files installed as examples and managed in
# ${PKG_SYSCONFDIR}.  moduli is upstream's file (presumably the
# Diffie-Hellman group parameters sshd reads); it is shipped as-is, not
# generated here.
CONFS=			ssh_config sshd_config moduli

PLIST_VARS+=		prng

# Random-number source.  With /dev/urandom present the build uses it (NetBSD
# additionally gets MESSAGE.urandom at install time); otherwise configure is
# told to do without and the ssh_prng_cmds config file is shipped as well.
# NOTE(review): exists() is evaluated on the build host, not the target, so
# a binary package built where /dev/urandom exists assumes it everywhere.
# Also confirm that 6.9p1's configure still honours --without-random and
# still produces ssh_prng_cmds.out before relying on the fallback branch.
.if exists(/dev/urandom)
.  if ${OPSYS} == "NetBSD"
MESSAGE_SRC+=		${.CURDIR}/MESSAGE.urandom
.  endif
.else
CONFIGURE_ARGS+=	--without-random
CONFS+=			ssh_prng_cmds
PLIST.prng=		yes
.endif

# Example copies go under share/examples/openssh; CONF_FILES pairs each one
# with its live location in ${PKG_SYSCONFDIR} for pkgsrc's config-file
# handling.
EGDIR=			${PREFIX}/share/examples/${PKGBASE}
CONF_FILES=		# empty
.for f in ${CONFS}
CONF_FILES+=		${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
# The privsep chroot directory is created and owned by the package.
OWN_DIRS=		${OPENSSH_CHROOT}
# The rc.d script installed is the copy generated by post-configure (its
# contents depend on OpenSSL's EC support), not files/sshd.sh itself.
RCD_SCRIPTS=		sshd
RCD_SCRIPT_SRC.sshd=	${WRKDIR}/sshd.sh
SMF_METHODS=		sshd

# Substituted into the templates under files/ (presumably the rc script).
FILES_SUBST+=		SSH_PID_DIR=${SSH_PID_DIR:Q}

# sed-based source edit applied before configure: on the line of session.c
# that mentions channel_input_port_forward_request, the literal uid 0
# (presumably the "is root" comparison passed to it) is replaced by the
# ROOTUID macro, which is defined elsewhere.  Note that the expression
# replaces only the FIRST "0" on that line, so it silently edits the wrong
# token if upstream ever puts another "0" earlier on the line, and does
# nothing at all if the call is split across lines -- re-check after every
# update, since this affects a root check.
SUBST_CLASSES+=		patch
SUBST_STAGE.patch=	pre-configure
SUBST_FILES.patch=	session.c
SUBST_SED.patch=	-e '/channel_input_port_forward_request/s/0/ROOTUID/'
SUBST_MESSAGE.patch=	More patch a file.

.include "../../devel/zlib/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../security/tcp_wrappers/buildlink3.mk"

#
# Regenerate configure from configure.ac, presumably because pkgsrc's patches
# modify configure.ac (e.g. to restore the --with-tcp-wrappers option used
# above).  NOTE(review): autoconf's -i (--initialization) only affects
# tracing output and appears to be harmless here -- confirm it was not
# meant as -I.
#
pre-configure:
	cd ${WRKSRC} && autoconf -i

#
# Build the rc.d script from files/sshd.sh.  ECDSA host keys are only
# available when the OpenSSL built against has EC support, which configure
# records as OPENSSL_HAS_ECC in config.h.  files/sshd.sh keeps its
# ECDSA-specific lines (presumably host-key generation) between
# HAVE_ECDSA_START and HAVE_ECDSA_STOP marker lines: with EC support every
# line containing HAVE_ECDSA (i.e. the markers) is blanked and the region
# kept; without it the whole marked region is deleted.  The output in
# ${WRKDIR} is what RCD_SCRIPT_SRC.sshd installs.
#
post-configure:
	if ${EGREP} -q '^\#define[ 	]+OPENSSL_HAS_ECC' \
	    ${WRKSRC}/config.h; then \
		${SED} -e '/HAVE_ECDSA/s/.*//' \
			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
	else \
		${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
	fi

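# Stage the configuration files listed in CONFS under ${EGDIR} as examples;
# the upstream build leaves them in ${WRKSRC} as <file>.out (presumably the
# configure-substituted templates).  The cd is chained with && so a missing
# ${WRKSRC} fails the install instead of running the loop in the wrong
# directory.  With the pam option on Linux, upstream's generic PAM stack is
# shipped as an example too; nothing is placed in /etc/pam.d automatically.
post-install:
	${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
	cd ${WRKSRC} && for file in ${CONFS}; do			\
		${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file};	\
	done
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
	  ${DESTDIR}${EGDIR}/sshd.pam
.endif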

.include "../../mk/bsd.pkg.mk"