Diffstat (limited to 'testing/openssh')
-rw-r--r--testing/openssh/PKGBUILD70
-rw-r--r--testing/openssh/authfile.c.patch198
-rwxr-xr-xtesting/openssh/sshd48
-rw-r--r--testing/openssh/sshd.confd4
-rw-r--r--testing/openssh/sshd.pam11
5 files changed, 331 insertions, 0 deletions
diff --git a/testing/openssh/PKGBUILD b/testing/openssh/PKGBUILD
new file mode 100644
index 000000000..bf45e6396
--- /dev/null
+++ b/testing/openssh/PKGBUILD
@@ -0,0 +1,70 @@
+# $Id: PKGBUILD 131644 2011-07-13 07:48:58Z bisson $
+# Maintainer: Gaetan Bisson <bisson@archlinux.org>
+# Contributor: Aaron Griffin <aaron@archlinux.org>
+# Contributor: judd <jvinet@zeroflux.org>
+
+pkgname=openssh
+pkgver=5.8p2
+pkgrel=9
+pkgdesc='Free version of the SSH connectivity tools'
+arch=('i686' 'x86_64')
+license=('custom:BSD')
+url='http://www.openssh.org/portable.html'
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd')
+depends=('krb5' 'openssl' 'libedit')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"
+ 'authfile.c.patch'
+ 'sshd.confd'
+ 'sshd.pam'
+ 'sshd')
+sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5'
+ '3669cb5ca6149f69015df5ce8e60b82c540eb0a4'
+ 'ec102deb69cad7d14f406289d2fc11fee6eddbdd'
+ '07fecd5880b1c4fdd8c94ddb2e89ddce88effdc1'
+ '6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5')
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ patch -p1 -i ../authfile.c.patch # fix FS#24693 using http://anoncvs.mindrot.org/index.cgi/openssh/authfile.c?revision=1.95
+
+ ./configure \
+ --prefix=/usr \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --with-privsep-user=nobody \
+ --with-md5-passwords \
+ --with-pam \
+ --with-mantype=man \
+ --mandir=/usr/share/man \
+ --with-xauth=/usr/bin/xauth \
+ --with-kerberos5=/usr \
+ --with-ssl-engine \
+ --with-libedit=/usr/lib \
+ --disable-strip # stripping is done by makepkg
+
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR="${pkgdir}" install
+
+ install -Dm755 ../sshd "${pkgdir}"/etc/rc.d/sshd
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+ install -Dm644 ../sshd.confd "${pkgdir}"/etc/conf.d/sshd
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ rm "${pkgdir}"/usr/share/man/man1/slogin.1
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+
+ # additional contrib scripts that we like
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ # PAM is a common, standard feature to have
+ sed -i -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ "${pkgdir}"/etc/ssh/sshd_config
+}
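Review bot: `--with-privsep-user=nobody` on the configure line makes sshd's unprivileged pre-authentication child share an account with every other service that runs as nobody, so a compromise of that child is not isolated from those processes; OpenSSH's portable README recommends a dedicated, login-disabled account (conventionally `sshd`) whose home is the empty directory, which this package already creates as `/var/empty` in the rc script. Consider `--with-privsep-user=sshd` plus creating that account in an install script. Separately, the tarball is fetched over plain ftp:// and verified only against the sha1sum pinned in this file, which detects corruption but not a substituted upstream or mirror copy; a comment recording how the sum was cross-checked against upstream's published signature would make future version bumps reproducible.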
diff --git a/testing/openssh/authfile.c.patch b/testing/openssh/authfile.c.patch
new file mode 100644
index 000000000..6c18fe807
--- /dev/null
+++ b/testing/openssh/authfile.c.patch
@@ -0,0 +1,198 @@
+diff -aur old/authfile.c new/authfile.c
+--- old/authfile.c 2011-06-12 02:21:52.262338254 +0200
++++ new/authfile.c 2011-06-12 02:13:43.051467269 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.87 2010/11/29 18:57:04 markus Exp $ */
++/* $OpenBSD: authfile.c,v 1.95 2011/05/29 11:42:08 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -69,6 +69,8 @@
+ #include "misc.h"
+ #include "atomicio.h"
+
++#define MAX_KEY_FILE_SIZE (1024 * 1024)
++
+ /* Version identification string for SSH v1 identity files. */
+ static const char authfile_id_string[] =
+ "SSH PRIVATE KEY FILE FORMAT 1.1\n";
+@@ -312,12 +314,12 @@
+ return pub;
+ }
+
+-/* Load the contents of a key file into a buffer */
+-static int
++/* Load a key from a fd into a buffer */
++int
+ key_load_file(int fd, const char *filename, Buffer *blob)
+ {
++ u_char buf[1024];
+ size_t len;
+- u_char *cp;
+ struct stat st;
+
+ if (fstat(fd, &st) < 0) {
+@@ -325,30 +327,45 @@
+ filename == NULL ? "" : filename,
+ filename == NULL ? "" : " ",
+ strerror(errno));
+- close(fd);
+ return 0;
+ }
+- if (st.st_size > 1*1024*1024) {
++ if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++ st.st_size > MAX_KEY_FILE_SIZE) {
++ toobig:
+ error("%s: key file %.200s%stoo large", __func__,
+ filename == NULL ? "" : filename,
+ filename == NULL ? "" : " ");
+- close(fd);
+ return 0;
+ }
+- len = (size_t)st.st_size; /* truncated */
+-
+ buffer_init(blob);
+- cp = buffer_append_space(blob, len);
+-
+- if (atomicio(read, fd, cp, len) != len) {
+- debug("%s: read from key file %.200s%sfailed: %.100s", __func__,
+- filename == NULL ? "" : filename,
+- filename == NULL ? "" : " ",
+- strerror(errno));
++ for (;;) {
++ if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
++ if (errno == EPIPE)
++ break;
++ debug("%s: read from key file %.200s%sfailed: %.100s",
++ __func__, filename == NULL ? "" : filename,
++ filename == NULL ? "" : " ", strerror(errno));
++ buffer_clear(blob);
++ bzero(buf, sizeof(buf));
++ return 0;
++ }
++ buffer_append(blob, buf, len);
++ if (buffer_len(blob) > MAX_KEY_FILE_SIZE) {
++ buffer_clear(blob);
++ bzero(buf, sizeof(buf));
++ goto toobig;
++ }
++ }
++ bzero(buf, sizeof(buf));
++ if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++ st.st_size != buffer_len(blob)) {
++ debug("%s: key file %.200s%schanged size while reading",
++ __func__, filename == NULL ? "" : filename,
++ filename == NULL ? "" : " ");
+ buffer_clear(blob);
+- close(fd);
+ return 0;
+ }
++
+ return 1;
+ }
+
+@@ -606,7 +623,7 @@
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("Permissions 0%3.3o for '%s' are too open.",
+ (u_int)st.st_mode & 0777, filename);
+- error("It is recommended that your private key files are NOT accessible by others.");
++ error("It is required that your private key files are NOT accessible by others.");
+ error("This private key will be ignored.");
+ return 0;
+ }
+@@ -626,6 +643,7 @@
+ case KEY_UNSPEC:
+ return key_parse_private_pem(blob, type, passphrase, commentp);
+ default:
++ error("%s: cannot parse key type %d", __func__, type);
+ break;
+ }
+ return NULL;
+@@ -670,11 +688,38 @@
+ }
+
+ Key *
++key_parse_private(Buffer *buffer, const char *filename,
++ const char *passphrase, char **commentp)
++{
++ Key *pub, *prv;
++ Buffer pubcopy;
++
++ buffer_init(&pubcopy);
++ buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer));
++ /* it's a SSH v1 key if the public key part is readable */
++ pub = key_parse_public_rsa1(&pubcopy, commentp);
++ buffer_free(&pubcopy);
++ if (pub == NULL) {
++ prv = key_parse_private_type(buffer, KEY_UNSPEC,
++ passphrase, NULL);
++ /* use the filename as a comment for PEM */
++ if (commentp && prv)
++ *commentp = xstrdup(filename);
++ } else {
++ key_free(pub);
++ /* key_parse_public_rsa1() has already loaded the comment */
++ prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
++ NULL);
++ }
++ return prv;
++}
++
++Key *
+ key_load_private(const char *filename, const char *passphrase,
+ char **commentp)
+ {
+- Key *pub, *prv;
+- Buffer buffer, pubcopy;
++ Key *prv;
++ Buffer buffer;
+ int fd;
+
+ fd = open(filename, O_RDONLY);
+@@ -697,23 +742,7 @@
+ }
+ close(fd);
+
+- buffer_init(&pubcopy);
+- buffer_append(&pubcopy, buffer_ptr(&buffer), buffer_len(&buffer));
+- /* it's a SSH v1 key if the public key part is readable */
+- pub = key_parse_public_rsa1(&pubcopy, commentp);
+- buffer_free(&pubcopy);
+- if (pub == NULL) {
+- prv = key_parse_private_type(&buffer, KEY_UNSPEC,
+- passphrase, NULL);
+- /* use the filename as a comment for PEM */
+- if (commentp && prv)
+- *commentp = xstrdup(filename);
+- } else {
+- key_free(pub);
+- /* key_parse_public_rsa1() has already loaded the comment */
+- prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase,
+- NULL);
+- }
++ prv = key_parse_private(&buffer, filename, passphrase, commentp);
+ buffer_free(&buffer);
+ return prv;
+ }
+@@ -737,13 +766,19 @@
+ case '\0':
+ continue;
+ }
++ /* Abort loading if this looks like a private key */
++ if (strncmp(cp, "-----BEGIN", 10) == 0)
++ break;
+ /* Skip leading whitespace. */
+ for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+ ;
+ if (*cp) {
+ if (key_read(k, &cp) == 1) {
+- if (commentp)
+- *commentp=xstrdup(filename);
++ cp[strcspn(cp, "\r\n")] = '\0';
++ if (commentp) {
++ *commentp = xstrdup(*cp ?
++ cp : filename);
++ }
+ fclose(f);
+ return 1;
+ }
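Review bot: The `toobig:` label sits inside the body of the size-check `if` at the top of key_load_file and is entered by `goto toobig` from within the read loop, which is legal C but reads as unreachable code at first glance; since the PKGBUILD comment says this is a backport of an upstream authfile.c revision, the patch file should carry that provenance itself. A one-line header above `diff -aur old/authfile.c new/authfile.c` (text before the first `diff` line is ignored by patch) such as `backport of upstream authfile.c r1.95: bound key file reads and handle non-regular files` would let the next maintainer decide when the patch can be dropped. The read loop also relies on atomicio() reporting end-of-file as a zero return with `errno == EPIPE`, which is a convention of OpenSSH's atomicio rather than of read(2); a short comment on that `if` would stop a future atomicio change from silently turning EOF into a load failure. The enclosing functions are shown only in part here, as the nested hunks cut through them.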
diff --git a/testing/openssh/sshd b/testing/openssh/sshd
new file mode 100755
index 000000000..2ee1091f0
--- /dev/null
+++ b/testing/openssh/sshd
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+. /etc/conf.d/sshd
+
+PIDFILE=/var/run/sshd.pid
+PID=$(cat $PIDFILE 2>/dev/null)
+if ! readlink -q /proc/$PID/exe | grep -q '^/usr/sbin/sshd'; then
+ PID=
+ rm $PIDFILE 2>/dev/null
+fi
+
+case "$1" in
+ start)
+ stat_busy "Starting Secure Shell Daemon"
+ [ -f /etc/ssh/ssh_host_key ] || { /usr/bin/ssh-keygen -t rsa1 -N "" -f /etc/ssh/ssh_host_key >/dev/null; }
+ [ -f /etc/ssh/ssh_host_rsa_key ] || { /usr/bin/ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key >/dev/null; }
+ [ -f /etc/ssh/ssh_host_dsa_key ] || { /usr/bin/ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key >/dev/null; }
+ [ -f /etc/ssh/ssh_host_ecdsa_key ] || { /usr/bin/ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key >/dev/null; }
+ [ -d /var/empty ] || mkdir -p /var/empty
+ [ -z "$PID" ] && /usr/sbin/sshd $SSHD_ARGS
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon sshd
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Secure Shell Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon sshd
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+esac
+exit 0
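Review bot: `PID` is read from the pidfile and interpolated unquoted into `/proc/$PID/exe` and `kill $PID` without first checking that it is a single number; the readlink/grep test limits what a malformed file can do, but a pidfile holding several tokens would be passed straight through to kill. Add `[[ $PID =~ ^[0-9]+$ ]] || PID=` before the readlink check so only a well-formed pid survives. The `if [ $? -gt 0 ]` tests after `[ -z "$PID" ] && /usr/sbin/sshd $SSHD_ARGS` and `[ ! -z "$PID" ] && kill $PID` report the exit status of the bracket test whenever the daemon is already running (start) or not running (stop), so both actions print stat_fail in the idempotent case; `if [ -n "$PID" ] || /usr/sbin/sshd $SSHD_ARGS; then` makes the start result reflect sshd itself. Lastly, the unconditional `ssh-keygen -t rsa1` line creates a protocol 1 host key that is only used if the obsolete SSH-1 protocol is enabled in sshd_config, so it keeps otherwise unused key material on disk.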
diff --git a/testing/openssh/sshd.confd b/testing/openssh/sshd.confd
new file mode 100644
index 000000000..5ce7c0079
--- /dev/null
+++ b/testing/openssh/sshd.confd
@@ -0,0 +1,4 @@
+#
+# Parameters to be passed to sshd
+#
+SSHD_ARGS=""
diff --git a/testing/openssh/sshd.pam b/testing/openssh/sshd.pam
new file mode 100644
index 000000000..ff8829fe9
--- /dev/null
+++ b/testing/openssh/sshd.pam
@@ -0,0 +1,11 @@
+#%PAM-1.0
+#auth required pam_securetty.so #Disable remote root
+auth required pam_unix.so
+auth required pam_env.so
+account required pam_nologin.so
+account required pam_unix.so
+account required pam_time.so
+password required pam_unix.so
+session required pam_unix_session.so
+session required pam_limits.so
+-session optional pam_ck_connector.so nox11