From d4c0a529aef02a39cca1ce2446f91e4082181e95 Mon Sep 17 00:00:00 2001
From: jc_gargma
Date: Wed, 12 Oct 2022 16:55:40 -0700
Subject: Updated to 9.1p1 Fix fPIE induced build errors. Use fPIC instead.
---
PKGBUILD | 161 ++++++++++++++++++++--------------------
openssh-9.0p1-sshd_config.patch | 30 ++++++++
2 files changed, 111 insertions(+), 80 deletions(-)
create mode 100644 openssh-9.0p1-sshd_config.patch
diff --git a/PKGBUILD b/PKGBUILD
index 5fc5c7b..49c601d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,109 +7,110 @@ # # I maintain this because: # Artix version lacks additional optimization and hardening flags -# Artix version lacks signature checks +# Arch version lacks openrc support pkgname=openssh -pkgver=9.0p1 +pkgver=9.1p1 pkgrel=1 -pkgdesc='Premier connectivity tool for remote login with the SSH protocol' +pkgdesc="SSH protocol implementation for remote login, command execution and file transfer" +arch=('x86_64') url='https://www.openssh.com/portable.html' license=('custom:BSD') -arch=('x86_64') -depends=('glibc' 'krb5' 'openssl' 'libedit' 'ldns' 'libxcrypt' 'libcrypt.so' 'zlib' 'pam') -makedepends=('linux-headers' 'libfido2') -checkdepends=('inetutils') -optdepends=('xorg-xauth: X11 forwarding' - 'x11-ssh-askpass: input passphrase in X' - 'libfido2: FIDO/U2F support') -validpgpkeys=('7168B983815A5EEF59A4ADFD2A3F414E736060BA') -#source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1" -source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc} - 'sshd.conf' - 'sshd.pam') -sha1sums=('06dd658874dcd22d66311cf5999bd56c614de509' - 'SKIP' - 'c9b2e4ce259cd62ddb00364d3ee6f00a8bf2d05f' - 'd93dca5ebda4610ff7647187f8928a3de28703f3') -sha256sums=('03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a' +depends=( + 'glibc' + 'krb5' 'libkrb5.so' 'libgssapi_krb5.so' + 'ldns' + 'libedit' + 'libxcrypt' 'libcrypt.so' + 'openssl' + 'pam' 'libpam.so' + 'zlib' +) +makedepends=('libfido2' 'linux-headers') +optdepends=( + 'libfido2: FIDO/U2F support' + 'x11-ssh-askpass: input passphrase in X' + 'xorg-xauth: X11 forwarding' +) +backup=( + 'etc/pam.d/sshd' + 'etc/ssh/ssh_config' + 'etc/ssh/sshd_config' +) +# # For some reason this breaks compiling. "error: C compiler cannot create executables" +# # But old-fashioned raw injection of -flto=auto via export doesn't. 
+#options=('lto') +options=('debug') +source=( + "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc} + "$pkgname-9.0p1-sshd_config.patch" + 'sshd.conf' + 'sshd.pam' +) +sha256sums=('19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288' 'SKIP' + '27e43dfd1506c8a821ec8186bae65f2dc43ca038616d6de59f322bd14aa9d07f' '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6' '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846') -b2sums=('49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2' +b2sums=('287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5' 'SKIP' + '29e1a1c2744e0234830c6f93a46338ea8dc943370e20a24883d207d611025e54643da678f2826050c073a36be48dfdc7329d4cfb144c2ff90607a5f10f73dc59' '27571f728c3c10834a81652f3917188436474b588f8b047462e44b6c7a424f60d06ce8cb74839b691870177d7261592207d7f35d4ae6c79af87d6a7ea156d395' '557d015bca7008ce824111f235da67b7e0051a693aaab666e97b78e753ed7928b72274af03d7fde12033986b733d5f996faf2a4feb6ecf53f39accae31334930') +validpgpkeys=('7168B983815A5EEF59A4ADFD2A3F414E736060BA') # Damien Miller +# https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc -validpgpkeys=(7168B983815A5EEF59A4ADFD2A3F414E736060BA) # https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc - -backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd') - -# prepare() { -# cd "${srcdir}/${pkgname}-${pkgver}" - -# patch goes here - -# autoreconf -# } +prepare() { + patch -Np1 -d "$pkgname-$pkgver" -i ../$pkgname-9.0p1-sshd_config.patch +} build() { - cd "${srcdir}/${pkgname}-${pkgver}" - - export CFLAGS="$CFLAGS -O3 -fstack-protector-all -flto=auto -fPIE" - export CXXFLAGS="$CXXFLAGS -O3 -fstack-protector-all -flto=auto -fPIE" - export LDFLAGS="$LDFLAGS,-pie" - - ./configure \ - --prefix=/usr \ - --sbindir=/usr/bin \ - 
--libexecdir=/usr/lib/ssh \ - --sysconfdir=/etc/ssh \ - --disable-strip \ - --with-ldns \ - --with-libedit \ - --with-security-key-builtin \ - --with-ssl-engine \ - --with-pam \ - --with-privsep-user=nobody \ - --with-kerberos5=/usr \ - --with-xauth=/usr/bin/xauth \ - --with-md5-passwords \ - --with-pid-dir=/run \ - --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \ - - make + cd "${pkgname}-${pkgver}" + + # -fPIE causes test errors + export CFLAGS="$CFLAGS -O3 -fstack-protector-all -flto=auto -fPIC" + export CXXFLAGS="$CXXFLAGS -O3 -fstack-protector-all -flto=auto -fPIC" + #export LDFLAGS="$LDFLAGS,-pie" + + ./configure \ + --prefix=/usr \ + --sbindir=/usr/bin \ + --libexecdir=/usr/lib/ssh \ + --sysconfdir=/etc/ssh \ + --disable-strip \ + --with-ldns \ + --with-libedit \ + --with-security-key-builtin \ + --with-ssl-engine \ + --with-pam \ + --with-privsep-user=nobody \ + --with-kerberos5=/usr \ + --with-xauth=/usr/bin/xauth \ + --with-pid-dir=/run \ + --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \ + + make } check() { - cd "${srcdir}/${pkgname}-${pkgver}" - - # Tests require openssh to be already installed system-wide, - # also connectivity tests will fail under makechrootpkg since - # it runs as nobody which has /bin/false as login shell. + cd "${pkgname}-${pkgver}" - if [[ -e /usr/bin/scp && ! 
-e /.arch-chroot ]]; then - make tests - fi + # NOTE: make t-exec does not work in our build environment + make file-tests interop-tests unit } package() { - cd "${srcdir}/${pkgname}-${pkgver}" - - make DESTDIR="${pkgdir}" install + cd "${pkgname}-${pkgver}" - ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz - install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE" + make DESTDIR="${pkgdir}" install - install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf - install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd + ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz + install -Dm644 LICENCE -t "${pkgdir}/usr/share/licenses/${pkgname}/" - install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh - install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id - install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1 + install -Dm644 ../sshd.conf -t "${pkgdir}"/usr/lib/tmpfiles.d/ + install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd - sed \ - -e '/^#KbdInteractiveAuthentication yes$/c KbdInteractiveAuthentication no' \ - -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \ - -e '/^#UsePAM no$/c UsePAM yes' \ - -i "${pkgdir}"/etc/ssh/sshd_config + install -Dm755 contrib/findssl.sh -t "${pkgdir}"/usr/bin/ + install -Dm755 contrib/ssh-copy-id -t "${pkgdir}"/usr/bin/ + install -Dm644 contrib/ssh-copy-id.1 -t "${pkgdir}"/usr/share/man/man1/ } diff --git a/openssh-9.0p1-sshd_config.patch b/openssh-9.0p1-sshd_config.patch new file mode 100644 index 0000000..9100149 --- /dev/null +++ b/openssh-9.0p1-sshd_config.patch 
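Review bot: In build(), swapping `-fPIE` for `-fPIC` and commenting out the `-pie` LDFLAGS export leaves nothing in this PKGBUILD that requests position-independent executables, so whether sshd, ssh and the helper binaries still get full ASLR now depends on the compiler's default or on configure's own detection, neither of which is visible here. `-fPIC` only changes code generation and does not make the linker emit a PIE. Since the header comment gives hardening flags as the reason this fork exists, I would state the intent explicitly by adding `--with-pie \` to the configure arguments and then confirm that the installed binaries report type `DYN` under `readelf -h`. The new comment `# -fPIE causes test errors` also disagrees with the commit message, which says build errors; it should say which one it was so the flag can be revisited later.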
@@ -0,0 +1,30 @@
+diff -ruN a/sshd_config b/sshd_config
+--- a/sshd_config 2022-04-06 02:47:48.000000000 +0200
++++ b/sshd_config 2022-10-10 19:55:58.961117951 +0200
+@@ -58,7 +58,7 @@
+ #PermitEmptyPasswords no
+
+ # Change to no to disable s/key passwords
+-#KbdInteractiveAuthentication yes
++KbdInteractiveAuthentication no
+
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -79,7 +79,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+@@ -88,7 +88,7 @@
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
+-#PrintMotd yes
++PrintMotd no
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #PermitUserEnvironment no
-- cgit v1.2.1