ports/138409: [MAINTAINER] security/openssh-portable: cumulative port update
Denis Barov
dindin at yandex-team.ru
Thu Sep 17 10:50:05 UTC 2009
The following reply was made to PR ports/138409; it has been noted by GNATS.
From: Denis Barov <dindin at yandex-team.ru>
To: bug-followup at FreeBSD.org, dindin at dindin.ru
Cc:
Subject: ports/138409: [MAINTAINER] security/openssh-portable: cumulative
port update
Date: Thu, 17 Sep 2009 14:27:17 +0400
Patch cleaned up, removed a stale file, added support for an opensshd/sshd
listen-port check (allowing openssh to run at the same time as the base sshd only when
it is on another port), and finally fixed Kerberos library autodetection on FreeBSD 8.
diff -urN --exclude=CVS /usr/ports/security/openssh-portable/Makefile openssh-portable/Makefile
--- /usr/ports/security/openssh-portable/Makefile 2009-08-08 11:13:49.000000000 +0400
+++ openssh-portable/Makefile 2009-09-16 14:20:34.000000000 +0400
@@ -7,7 +7,7 @@
PORTNAME= openssh
DISTVERSION= 5.2p1
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security ipv6
.if defined(OPENSSH_SNAPSHOT)
@@ -57,6 +57,7 @@
LIBEDIT "Enable readline support to sftp(1)" on \
KERBEROS "Enable kerberos (autodetection)" on \
SUID_SSH "Enable suid SSH (Recommended off)" off \
+ BSM "Enable OpenBSM Auditing" off \
GSSAPI "Enable GSSAPI support (req: KERBEROS)" off \
KERB_GSSAPI "Enable Kerberos/GSSAPI patch (req: GSSAPI)" off \
OPENSSH_CHROOT "Enable CHROOT support" off \
@@ -69,10 +70,6 @@
.include <bsd.port.pre.mk>
-.if ${OSVERSION} >= 800037
-BROKEN= does not compile
-.endif
-
.if defined(WITH_X509) && ( defined(WITH_HPN) || defined(WITH_LPK))
BROKEN= X509 patch incompatible with HPN and LPK patches
.endif
@@ -97,18 +94,26 @@
CONFIGURE_ARGS+= --disable-suid-ssh
.endif
+.if defined(WITH_BSM)
+CONFIGURE_ARGS+= --with-audit=bsm
+.endif
+
.if !defined(WITHOUT_KERBEROS)
.if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
.if defined(WITH_KERB_GSSAPI)
-BROKEN= KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1
PATCH_DIST_STRIP= -p0
PATCH_SITES+= http://www.sxw.org.uk/computing/patches/
-PATCHFILES+= openssh-5.0p1-gsskex-20080404.patch
+PATCHFILES+= openssh-5.2p1-gsskex-all-20090726.patch
.endif
PORTABLE_SUFFIX= # empty
GSSAPI_SUFFIX= -gssapi
CONFLICTS+= openssh-portable-*-[0-9]*
CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME}
+.if defined(HEIMDAL_HOME) && defined(KRB5_HOME) && ${HEIMDAL_HOME} == ${LOCALBASE}
+LIB_DEPENDS+= krb5.23:${PORTSDIR}/security/heimdal
+.elif defined(KRB5_HOME) && defined(LOCALBASE) && ${KRB5_HOME} == ${LOCALBASE}
+LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
+.endif
.if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS= # empty
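Review bot: The new LIB_DEPENDS selection on the `.if defined(HEIMDAL_HOME) ...` line registers the heimdal dependency whenever HEIMDAL_HOME equals LOCALBASE, but never checks that KRB5_HOME — the value actually handed to configure as `--with-kerberos5=${KRB5_HOME}` a few lines above — points at the same tree, so if the two variables are set independently the port may build against one Kerberos and record a dependency on another. A tighter condition would be `.if defined(HEIMDAL_HOME) && defined(KRB5_HOME) && ${KRB5_HOME} == ${HEIMDAL_HOME} && ${HEIMDAL_HOME} == ${LOCALBASE}`. The `.elif` branch guards with `defined(LOCALBASE)` while the first branch does not; both sit after `bsd.port.pre.mk`, where LOCALBASE is already defined, so the extra guard can be dropped for consistency. The gsskex patch named on the PATCHFILES line is downloaded from the plain-http PATCH_SITES entry, so the SHA256 recorded for it in distinfo is the only integrity check on that file and must stay in step with this line.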
@@ -157,7 +162,7 @@
# resolve some patches incompatibility between LPK and HPN patches
.if defined(WITH_HPN) && defined(WITH_LPK)
-EXTRA_PATCHES+= ${FILESDIR}/openssh-lpk+hpn-servconf.patch
+EXTRA_PATCHES+= ${FILESDIR}/lpk+hpn-servconf.c.patch
.elif defined(WITH_HPN) && !defined(WITH_LPK)
EXTRA_PATCHES+= ${FILESDIR}/openssh-5.2p1-hpn13v6-servconf.c.diff
.elif defined(WITH_LPK) && !defined(WITH_HPN)
@@ -182,8 +187,7 @@
EMPTYDIR= /var/empty
PREFIX= /usr
ETCSSH= /etc/ssh
-USE_RC_SUBR= yes
-SUB_FILES+= openssh
+USE_RC_SUBR= openssh
PLIST_SUB+= NOTBASE="@comment "
PLIST_SUB+= BASE=""
PLIST_SUB+= BASEPREFIX="${PREFIX}"
diff -urN --exclude=CVS /usr/ports/security/openssh-portable/distinfo openssh-portable/distinfo
--- /usr/ports/security/openssh-portable/distinfo 2009-05-15 15:00:27.000000000 +0400
+++ openssh-portable/distinfo 2009-09-09 20:02:43.000000000 +0400
@@ -1,6 +1,6 @@
MD5 (openssh-5.2p1.tar.gz) = ada79c7328a8551bdf55c95e631e7dad
SHA256 (openssh-5.2p1.tar.gz) = 4023710c37d0b3d79e6299cb79b6de2a31db7d581fe59e775a5351784034ecae
SIZE (openssh-5.2p1.tar.gz) = 1016612
-MD5 (openssh-5.2p1+x509-6.2.diff.gz) = 8dbbfb743226864f6bb49b56e77776d9
-SHA256 (openssh-5.2p1+x509-6.2.diff.gz) = 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
-SIZE (openssh-5.2p1+x509-6.2.diff.gz) = 153010
+MD5 (openssh-5.2p1-gsskex-all-20090726.patch) = e5c116b4bc3f4b816206e8403dd08af7
+SHA256 (openssh-5.2p1-gsskex-all-20090726.patch) = 6eb297d6fa74be3323c5e4f53df5b6e1f4edf6bf394e3e707c075846886e18e7
+SIZE (openssh-5.2p1-gsskex-all-20090726.patch) = 90959
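Review bot: The three `openssh-5.2p1+x509-6.2.diff.gz` entries are removed here, yet the Makefile hunks in this same patch still carry the X509 option as unchanged context (`.if defined(WITH_X509) ...`); if that option still lists the x509 diff in PATCHFILES, a WITH_X509 build will stop at `make checksum` with no checksum recorded, and a build run with checksum verification disabled would apply an unverified patch to sshd. Either keep the x509 lines next to the new gsskex entries or drop the X509 option in the same commit so the two files agree. The new gsskex lines matter for the same reason: the Makefile fetches that patch from a plain-http PATCH_SITES entry, so the SHA256 here is what actually authenticates it.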
diff -urN --exclude=CVS /usr/ports/security/openssh-portable/files/openssh.in openssh-portable/files/openssh.in
--- /usr/ports/security/openssh-portable/files/openssh.in 2006-02-21 22:28:37.000000000 +0300
+++ openssh-portable/files/openssh.in 2009-09-17 14:21:54.000000000 +0400
@@ -24,6 +24,7 @@
: ${openssh_enable="NO"}
: ${openssh_pidfile="/var/run/sshd.pid"}
+: ${openssh_skipportscheck="NO"}
command=%%PREFIX%%/sbin/sshd
extra_commands="reload keygen"
@@ -75,10 +76,69 @@
fi
}
+openssh_check_same_ports(){
+ # check if opensshd don't use base system sshd's port
+ #
+ # openssh binds ports in priority (lowest first):
+ # Port from sshd_config
+ # -p option from command line
+ # ListenAddress addr:port from sshd_config
+
+
+ #check if opensshd-portable installed in replacement of base sshd
+ if [ "%%ETCSSH%%" = "/etc/ssh" ]; then
+ return 1
+ fi
+
+ self_port=$(awk '$1~/^ListenAddress/ \
+ {mlen=match($0,":[0-9]*$"); print \
+ substr($0,mlen+1,length($0)-mlen)}' %%ETCSSH%%/sshd_config)
+ if [ -z "$self_port" ]; then
+ self_port=$(echo $openssh_flags | awk \
+ '{for (i = 1; i <= NF; i++) if ($i == "-p") \
+ {i++; printf "%s", $i; break; }; }')
+ if [ -z "$self_port" ]; then
+ self_port=$(awk '$1~/^Port/ {print $2}' \
+ %%ETCSSH%%/sshd_config)
+ fi
+ fi
+ # assume default 22 port
+ if [ -z "$self_port" ]; then
+ self_port=22
+ fi
+
+ load_rc_config "sshd"
+
+ base_sshd_port=$(awk '$1~/^ListenAddress/ \
+ {mlen=match($0,":[0-9]*$"); print \
+ substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config)
+ if [ -z "$base_sshd_port" ]; then
+ base_sshd_port=$(echo $sshd_flags | awk \
+ '{for (i = 1; i <= NF; i++) if ($i == "-p") \
+ {i++; printf "%s", $i; break; }; }')
+ if [ -z "$base_sshd_port" ]; then
+ base_sshd_port=$(awk '$1~/^Port/ {print $2}' \
+ /etc/ssh/sshd_config)
+ fi
+ fi
+ if [ -z "$base_sshd_port" ]; then
+ base_sshd_port=22
+ fi
+
+ if [ "${self_port}" -eq "${base_sshd_port}" ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
openssh_checks()
{
if checkyesno sshd_enable ; then
- err 1 "sshd_enable is set. Please set sshd_enable to NO in your rc.conf"
+ if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then
+ err 1 "sshd_enable is set and $name and sshd are use \
+same port"
+ fi
fi
run_rc_command keygen
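Review bot: `openssh_check_same_ports` fails open whenever a port value cannot be parsed: the `[ "${self_port}" -eq "${base_sshd_port}" ]` test errors out on a non-integer (several `ListenAddress` lines give a multi-line value, a `ListenAddress` without a port prints the whole line, and the `:[0-9]*$` match reads an IPv6 literal such as `::1` as port `1`), and the `else` branch then returns 1, so `openssh_checks` continues as if there were no clash and both daemons contend for the same port. Validate that each value is a single decimal number before comparing and treat anything else as a clash — the new `openssh_skipportscheck` knob already gives the operator an explicit override for the cases the parser cannot judge. The awk patterns `$1~/^Port/` and `$1~/^ListenAddress/` are case-sensitive while sshd_config keywords are not, so `tolower($1)` in the pattern would cover `port`/`listenaddress` spellings, and narrowing the port match to `[^:]:[0-9]+$` would stop `::1` from being taken as a port. `openssh_checks` continues past the end of the hunk.
```shell
	# … unchanged: self_port / base_sshd_port detection …

	# Anything other than one decimal port (several ListenAddress lines,
	# an address without a port, a bare IPv6 literal) cannot be compared;
	# report it as a clash so the operator decides via openssh_skipportscheck.
	case "${self_port}${base_sshd_port}" in
	*[!0-9]*) return 0 ;;
	esac
	[ "${self_port}" -eq "${base_sshd_port}" ]
```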
--
Cheers
Denis Barov