From 7500119d8dd5fc921f91aac8222e472477973740 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 16 Jul 2011 05:34:06 +0000
Subject: Sat Jul 16 05:34:06 UTC 2011
---
testing/openssh/PKGBUILD | 70 ++++++++++++++
testing/openssh/authfile.c.patch | 198 +++++++++++++++++++++++++++++++++++++++
testing/openssh/sshd | 48 ++++++++++
testing/openssh/sshd.confd | 4 +
testing/openssh/sshd.pam | 11 +++
5 files changed, 331 insertions(+)
create mode 100644 testing/openssh/PKGBUILD
create mode 100644 testing/openssh/authfile.c.patch
create mode 100755 testing/openssh/sshd
create mode 100644 testing/openssh/sshd.confd
create mode 100644 testing/openssh/sshd.pam
(limited to 'testing/openssh')
diff --git a/testing/openssh/PKGBUILD b/testing/openssh/PKGBUILD
new file mode 100644
index 000000000..bf45e6396
--- /dev/null
+++ b/testing/openssh/PKGBUILD
@@ -0,0 +1,70 @@
+# $Id: PKGBUILD 131644 2011-07-13 07:48:58Z bisson $
+# Maintainer: Gaetan Bisson
+# Contributor: Aaron Griffin
+# Contributor: judd
+
+pkgname=openssh
+pkgver=5.8p2
+pkgrel=9
+pkgdesc='Free version of the SSH connectivity tools'
+arch=('i686' 'x86_64')
+license=('custom:BSD')
+url='http://www.openssh.org/portable.html'
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd')
+depends=('krb5' 'openssl' 'libedit')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"
+ 'authfile.c.patch'
+ 'sshd.confd'
+ 'sshd.pam'
+ 'sshd')
+sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5'
+ '3669cb5ca6149f69015df5ce8e60b82c540eb0a4'
+ 'ec102deb69cad7d14f406289d2fc11fee6eddbdd'
+ '07fecd5880b1c4fdd8c94ddb2e89ddce88effdc1'
+ '6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5')
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ patch -p1 -i ../authfile.c.patch # fix FS#24693 using http://anoncvs.mindrot.org/index.cgi/openssh/authfile.c?revision=1.95
+
+ ./configure \
+ --prefix=/usr \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --with-privsep-user=nobody \
+ --with-md5-passwords \
+ --with-pam \
+ --with-mantype=man \
+ --mandir=/usr/share/man \
+ --with-xauth=/usr/bin/xauth \
+ --with-kerberos5=/usr \
+ --with-ssl-engine \
+ --with-libedit=/usr/lib \
+ --disable-strip # stripping is done by makepkg
+
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR="${pkgdir}" install
+
+ install -Dm755 ../sshd "${pkgdir}"/etc/rc.d/sshd
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+ install -Dm644 ../sshd.confd "${pkgdir}"/etc/conf.d/sshd
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ rm "${pkgdir}"/usr/share/man/man1/slogin.1
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+
+ # additional contrib scripts that we like
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ # PAM is a common, standard feature to have
+ sed -i -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ "${pkgdir}"/etc/ssh/sshd_config
+}
diff --git a/testing/openssh/authfile.c.patch b/testing/openssh/authfile.c.patch
new file mode 100644
index 000000000..6c18fe807
--- /dev/null
+++ b/testing/openssh/authfile.c.patch
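Review bot: `--with-privsep-user=nobody` in build() makes the privilege-separation child share its account with every other service that runs as nobody, so a compromised unprivileged sshd process and any other nobody-owned process are not isolated from each other (signals, ptrace, shared files); upstream's README.privsep describes a dedicated unprivileged account for this purpose. I'd pass `--with-privsep-user=sshd` and create that user in an install script, so that the privsep chroot in /var/empty is entered by a user nothing else runs as. Separately, the tarball is fetched over plain FTP and pinned only by `sha1sums`, which protects against transit corruption but not against a substituted release; checking the upstream detached signature when bumping pkgver, before refreshing the hash, gives an authenticity check the hash alone does not.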
@@ -0,0 +1,198 @@
+diff -aur old/authfile.c new/authfile.c
+--- old/authfile.c 2011-06-12 02:21:52.262338254 +0200
++++ new/authfile.c 2011-06-12 02:13:43.051467269 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.87 2010/11/29 18:57:04 markus Exp $ */
++/* $OpenBSD: authfile.c,v 1.95 2011/05/29 11:42:08 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen
+ * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
+@@ -69,6 +69,8 @@
+ #include "misc.h"
+ #include "atomicio.h"
+
++#define MAX_KEY_FILE_SIZE (1024 * 1024)
++
+ /* Version identification string for SSH v1 identity files. */
+ static const char authfile_id_string[] =
+ "SSH PRIVATE KEY FILE FORMAT 1.1\n";
+@@ -312,12 +314,12 @@
+ return pub;
+ }
+
+-/* Load the contents of a key file into a buffer */
+-static int
++/* Load a key from a fd into a buffer */
++int
+ key_load_file(int fd, const char *filename, Buffer *blob)
+ {
++ u_char buf[1024];
+ size_t len;
+- u_char *cp;
+ struct stat st;
+
+ if (fstat(fd, &st) < 0) {
+@@ -325,30 +327,45 @@
+ filename == NULL ? "" : filename,
+ filename == NULL ? "" : " ",
+ strerror(errno));
+- close(fd);
+ return 0;
+ }
+- if (st.st_size > 1*1024*1024) {
++ if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++ st.st_size > MAX_KEY_FILE_SIZE) {
++ toobig:
+ error("%s: key file %.200s%stoo large", __func__,
+ filename == NULL ? "" : filename,
+ filename == NULL ? "" : " ");
+- close(fd);
+ return 0;
+ }
+- len = (size_t)st.st_size; /* truncated */
+-
+ buffer_init(blob);
+- cp = buffer_append_space(blob, len);
+-
+- if (atomicio(read, fd, cp, len) != len) {
+- debug("%s: read from key file %.200s%sfailed: %.100s", __func__,
+- filename == NULL ? "" : filename,
+- filename == NULL ? "" : " ",
+- strerror(errno));
++ for (;;) {
++ if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
++ if (errno == EPIPE)
++ break;
++ debug("%s: read from key file %.200s%sfailed: %.100s",
++ __func__, filename == NULL ? "" : filename,
++ filename == NULL ? "" : " ", strerror(errno));
++ buffer_clear(blob);
++ bzero(buf, sizeof(buf));
++ return 0;
++ }
++ buffer_append(blob, buf, len);
++ if (buffer_len(blob) > MAX_KEY_FILE_SIZE) {
++ buffer_clear(blob);
++ bzero(buf, sizeof(buf));
++ goto toobig;
++ }
++ }
++ bzero(buf, sizeof(buf));
++ if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++ st.st_size != buffer_len(blob)) {
++ debug("%s: key file %.200s%schanged size while reading",
++ __func__, filename == NULL ? "" : filename,
++ filename == NULL ? "" : " ");
+ buffer_clear(blob);
+- close(fd);
+ return 0;
+ }
++
+ return 1;
+ }
+
+@@ -606,7 +623,7 @@
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("Permissions 0%3.3o for '%s' are too open.",
+ (u_int)st.st_mode & 0777, filename);
+- error("It is recommended that your private key files are NOT accessible by others.");
++ error("It is required that your private key files are NOT accessible by others.");
+ error("This private key will be ignored.");
+ return 0;
+ }
+@@ -626,6 +643,7 @@
+ case KEY_UNSPEC:
+ return key_parse_private_pem(blob, type, passphrase, commentp);
+ default:
++ error("%s: cannot parse key type %d", __func__, type);
+ break;
+ }
+ return NULL;
+@@ -670,11 +688,38 @@
+ }
+
+ Key *
++key_parse_private(Buffer *buffer, const char *filename,
++ const char *passphrase, char **commentp)
++{
++ Key *pub, *prv;
++ Buffer pubcopy;
++
++ buffer_init(&pubcopy);
++ buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer));
++ /* it's a SSH v1 key if the public key part is readable */
++ pub = key_parse_public_rsa1(&pubcopy, commentp);
++ buffer_free(&pubcopy);
++ if (pub == NULL) {
++ prv = key_parse_private_type(buffer, KEY_UNSPEC,
++ passphrase, NULL);
++ /* use the filename as a comment for PEM */
++ if (commentp && prv)
++ *commentp = xstrdup(filename);
++ } else {
++ key_free(pub);
++ /* key_parse_public_rsa1() has already loaded the comment */
++ prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
++ NULL);
++ }
++ return prv;
++}
++
++Key *
+ key_load_private(const char *filename, const char *passphrase,
+ char **commentp)
+ {
+- Key *pub, *prv;
+- Buffer buffer, pubcopy;
++ Key *prv;
++ Buffer buffer;
+ int fd;
+
+ fd = open(filename, O_RDONLY);
+@@ -697,23 +742,7 @@
+ }
+ close(fd);
+
+- buffer_init(&pubcopy);
+- buffer_append(&pubcopy, buffer_ptr(&buffer), buffer_len(&buffer));
+- /* it's a SSH v1 key if the public key part is readable */
+- pub = key_parse_public_rsa1(&pubcopy, commentp);
+- buffer_free(&pubcopy);
+- if (pub == NULL) {
+- prv = key_parse_private_type(&buffer, KEY_UNSPEC,
+- passphrase, NULL);
+- /* use the filename as a comment for PEM */
+- if (commentp && prv)
+- *commentp = xstrdup(filename);
+- } else {
+- key_free(pub);
+- /* key_parse_public_rsa1() has already loaded the comment */
+- prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase,
+- NULL);
+- }
++ prv = key_parse_private(&buffer, filename, passphrase, commentp);
+ buffer_free(&buffer);
+ return prv;
+ }
+@@ -737,13 +766,19 @@
+ case '\0':
+ continue;
+ }
++ /* Abort loading if this looks like a private key */
++ if (strncmp(cp, "-----BEGIN", 10) == 0)
++ break;
+ /* Skip leading whitespace. */
+ for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+ ;
+ if (*cp) {
+ if (key_read(k, &cp) == 1) {
+- if (commentp)
+- *commentp=xstrdup(filename);
++ cp[strcspn(cp, "\r\n")] = '\0';
++ if (commentp) {
++ *commentp = xstrdup(*cp ?
++ cp : filename);
++ }
+ fclose(f);
+ return 1;
+ }
diff --git a/testing/openssh/sshd b/testing/openssh/sshd
new file mode 100755
index 000000000..2ee1091f0
--- /dev/null
+++ b/testing/openssh/sshd
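Review bot: the guard `if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&` that the inner hunk `@@ -325,30 +327,45 @@` adds to key_load_file never fires as far as I can tell: with the conventional octal values (0140000, 0020000, 0010000) that OR is the whole S_IFMT type field, so the masked value is non-zero for a regular file as well, and both the pre-read st_size check and the later "changed size while reading" check are dead code. The in-loop `buffer_len(blob) > MAX_KEY_FILE_SIZE` cap still bounds memory, so this is a lost sanity check rather than an overflow; the intended test reads like `if (S_ISREG(st.st_mode) && st.st_size > MAX_KEY_FILE_SIZE) {`, and the same for the post-read comparison. Because this file is a verbatim backport of upstream authfile.c r1.95, the fix belongs upstream rather than in the packaged patch. Also, the three `bzero(buf, sizeof(buf));` calls that scrub the stack copy of the key material are ordinary dead stores the optimizer is free to drop; only a zeroization call the compiler cannot elide makes that scrubbing reliable.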
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+. /etc/conf.d/sshd
+
+PIDFILE=/var/run/sshd.pid
+PID=$(cat $PIDFILE 2>/dev/null)
+if ! readlink -q /proc/$PID/exe | grep -q '^/usr/sbin/sshd'; then
+ PID=
+ rm $PIDFILE 2>/dev/null
+fi
+
+case "$1" in
+ start)
+ stat_busy "Starting Secure Shell Daemon"
+ [ -f /etc/ssh/ssh_host_key ] || { /usr/bin/ssh-keygen -t rsa1 -N "" -f /etc/ssh/ssh_host_key >/dev/null; }
+ [ -f /etc/ssh/ssh_host_rsa_key ] || { /usr/bin/ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key >/dev/null; }
+ [ -f /etc/ssh/ssh_host_dsa_key ] || { /usr/bin/ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key >/dev/null; }
+ [ -f /etc/ssh/ssh_host_ecdsa_key ] || { /usr/bin/ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key >/dev/null; }
+ [ -d /var/empty ] || mkdir -p /var/empty
+ [ -z "$PID" ] && /usr/sbin/sshd $SSHD_ARGS
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ add_daemon sshd
+ stat_done
+ fi
+ ;;
+ stop)
+ stat_busy "Stopping Secure Shell Daemon"
+ [ ! -z "$PID" ] && kill $PID &> /dev/null
+ if [ $? -gt 0 ]; then
+ stat_fail
+ else
+ rm_daemon sshd
+ stat_done
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ echo "usage: $0 {start|stop|restart}"
+esac
+exit 0
diff --git a/testing/openssh/sshd.confd b/testing/openssh/sshd.confd
new file mode 100644
index 000000000..5ce7c0079
--- /dev/null
+++ b/testing/openssh/sshd.confd
@@ -0,0 +1,4 @@
+#
+# Parameters to be passed to sshd
+#
+SSHD_ARGS=""
diff --git a/testing/openssh/sshd.pam b/testing/openssh/sshd.pam
new file mode 100644
index 000000000..ff8829fe9
--- /dev/null
+++ b/testing/openssh/sshd.pam
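Review bot: in the start) branch, `[ -z "$PID" ] && /usr/sbin/sshd $SSHD_ARGS` followed by `if [ $? -gt 0 ]` reports stat_fail whenever a live sshd is already running, because a non-empty $PID makes the test return 1 and that, not a daemon exit status, is what gets checked; if an already-running daemon should count as success, `[ -n "$PID" ] || /usr/sbin/sshd $SSHD_ARGS` keeps the rest of the branch unchanged and yields 0 in that case. The mirror-image pattern in stop) turns "nothing to stop" into a failure, which may be intended. Separately, `[ -d /var/empty ] || mkdir -p /var/empty` creates the privilege-separation chroot with whatever mode the current umask yields and leaves ownership implicit, while sshd refuses to start unless the directory is root-owned and not group- or world-writable; `install -d -m 0755 -o root -g root /var/empty` states that requirement instead of relying on the invoking environment.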
@@ -0,0 +1,11 @@
+#%PAM-1.0
+#auth required pam_securetty.so #Disable remote root
+auth required pam_unix.so
+auth required pam_env.so
+account required pam_nologin.so
+account required pam_unix.so
+account required pam_time.so
+password required pam_unix.so
+session required pam_unix_session.so
+session required pam_limits.so
+-session optional pam_ck_connector.so nox11
-- cgit v1.2.3-54-g00ecf
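Review bot: `password required pam_unix.so` carries no hashing option, so any password change that sshd drives through PAM is hashed with whatever pam_unix's built-in default resolves to on this system rather than an explicitly chosen algorithm, and may differ from what the local passwd stack produces; pinning it with the same options that stack uses, e.g. `password required pam_unix.so sha512 shadow`, keeps the stored hashes consistent — worth confirming against the installed pam configuration before copying the options. More generally, spelling out every line of the auth/account/session stack in this file means it will silently drift from the login configuration as the pam package evolves; if the base pam package provides a shared stack, pulling it in with `include` directives would avoid that.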