authorMoritz Kaspar Rudert (mortzu)2015-05-21 15:59:37 +0200
committerMoritz Kaspar Rudert (mortzu)2015-05-21 15:59:37 +0200
commit9fea4c981ec889c714960d09479aebdac6b441a7 (patch)
tree92778276e13037375272c6a85ea9ef19ed1ac3b8
downloadaur-9fea4c981ec889c714960d09479aebdac6b441a7.tar.gz
initial commit
-rw-r--r--.SRCINFO38
-rw-r--r--PKGBUILD96
-rw-r--r--install10
-rw-r--r--openssh_multiple_bindaddress.patch224
-rw-r--r--sshd.pam6
-rw-r--r--sshd.service17
-rw-r--r--sshd.socket10
-rw-r--r--sshd@.service8
-rw-r--r--sshdgenkeys.service17
9 files changed, 426 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..d86ba3dba347
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,38 @@
+pkgbase = openssh-multiple-bindaddress
+ pkgdesc = SSH connectivity tools with multiple BindAddress patch
+ pkgver = 6.7p1
+ pkgrel = 1
+ url = http://www.openssh.org/portable.html
+ install = install
+ arch = i686
+ arch = x86_64
+ license = custom:BSD
+ makedepends = linux-headers
+ depends = krb5
+ depends = openssl
+ depends = libedit
+ depends = ldns
+ optdepends = xorg-xauth: X11 forwarding
+ optdepends = x11-ssh-askpass: input passphrase in X
+ provides = openssh
+ conflicts = openssh
+ backup = etc/ssh/ssh_config
+ backup = etc/ssh/sshd_config
+ backup = etc/pam.d/sshd
+ source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz
+ source = sshdgenkeys.service
+ source = sshd@.service
+ source = sshd.service
+ source = sshd.socket
+ source = sshd.pam
+ source = openssh_multiple_bindaddress.patch
+ sha512sums = 2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d
+ sha512sums = 95a72fae435d294a89a70a8017b8e625c9fdeea5569999056176a1b8b342f4616e8c6a85e77e02a90d99358dfa990f167507d98464c19c5beff895af75b7105d
+ sha512sums = d63bfaa08225a4c467945b7b849747ce33f1c10e2e34ed4dbb8f02b31d392ba3a7f3c96377222ba25bfb9eec5beebfe9130358790bfd853c180c63015b4ec249
+ sha512sums = fbf8ba29eefef98a0596d255e7dab24790d828d466f06f209c63280d31a25950c88cc354296c0da9a5bd085384fa59f296809cad1ab8db6712d8158ac74da343
+ sha512sums = ea1d31d84ca30fffa60b6eb06d1f532c75ff5a8acec893479cbe0f3669c62e5da9ee81be8549bae75d63e4b6fe69a4ffe6dfd4e3008e731e320d6da4bc4beae9
+ sha512sums = 298e47a21c337101974fa5237b3110aa3c7638b5fa53bd07661413236c8ed3212b431abaeffd875af6c9a72b4f8e1c8512e1e1960cbfff15bfee62b32d305fc3
+ sha512sums = 9801d6db7f7bac0ccbccf12e24bf37f97304eba02e69298b2000bfbc30904f1eb2365687db43e40429ba53f39b8f9581babba292b8552a8ac2654452e5b92b44
+
+pkgname = openssh-multiple-bindaddress
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..bab100cd6872
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,96 @@
+# $Id: PKGBUILD 180812 2013-03-26 12:05:13Z bisson $
+# Maintainer: Gaetan Bisson <bisson@archlinux.org>
+# Contributor: Aaron Griffin <aaron@archlinux.org>
+# Contributor: judd <jvinet@zeroflux.org>
+
+pkgname=openssh-multiple-bindaddress
+_pkgname=openssh
+pkgver=6.7p1
+pkgrel=1
+pkgdesc='SSH connectivity tools with multiple BindAddress patch'
+url='http://www.openssh.org/portable.html'
+license=('custom:BSD')
+arch=('i686' 'x86_64')
+makedepends=('linux-headers')
+depends=('krb5' 'openssl' 'libedit' 'ldns')
+optdepends=('xorg-xauth: X11 forwarding'
+ 'x11-ssh-askpass: input passphrase in X')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${_pkgname}-${pkgver}.tar.gz"
+ 'sshdgenkeys.service'
+ 'sshd@.service'
+ 'sshd.service'
+ 'sshd.socket'
+ 'sshd.pam'
+ 'openssh_multiple_bindaddress.patch')
+sha512sums=('2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d'
+ '95a72fae435d294a89a70a8017b8e625c9fdeea5569999056176a1b8b342f4616e8c6a85e77e02a90d99358dfa990f167507d98464c19c5beff895af75b7105d'
+ 'd63bfaa08225a4c467945b7b849747ce33f1c10e2e34ed4dbb8f02b31d392ba3a7f3c96377222ba25bfb9eec5beebfe9130358790bfd853c180c63015b4ec249'
+ 'fbf8ba29eefef98a0596d255e7dab24790d828d466f06f209c63280d31a25950c88cc354296c0da9a5bd085384fa59f296809cad1ab8db6712d8158ac74da343'
+ 'ea1d31d84ca30fffa60b6eb06d1f532c75ff5a8acec893479cbe0f3669c62e5da9ee81be8549bae75d63e4b6fe69a4ffe6dfd4e3008e731e320d6da4bc4beae9'
+ '298e47a21c337101974fa5237b3110aa3c7638b5fa53bd07661413236c8ed3212b431abaeffd875af6c9a72b4f8e1c8512e1e1960cbfff15bfee62b32d305fc3'
+ '9801d6db7f7bac0ccbccf12e24bf37f97304eba02e69298b2000bfbc30904f1eb2365687db43e40429ba53f39b8f9581babba292b8552a8ac2654452e5b92b44')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+conflicts=('openssh')
+provides=('openssh')
+
+build() {
+ cd "${_pkgname}-${pkgver}"
+
+ patch -p1 -i "${srcdir}/openssh_multiple_bindaddress.patch"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --with-ldns \
+ --with-libedit \
+ --with-ssl-engine \
+ --with-pam \
+ --with-privsep-user=nobody \
+ --with-kerberos5=/usr \
+ --with-xauth=/usr/bin/xauth \
+ --with-mantype=man \
+ --with-md5-passwords \
+ --with-pid-dir=/run \
+
+ make
+}
+
+check() {
+ cd "${_pkgname}-${pkgver}"
+
+ make || true
+ # hard to suitably test connectivity:
+ # - fails with /bin/false as login shell
+ # - fails with firewall activated, etc.
+}
+
+package() {
+ cd "${_pkgname}-${pkgver}"
+
+ make DESTDIR="${pkgdir}" install
+
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+ install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service
+ install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
+ install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ sed \
+ -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+ -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ -i "${pkgdir}"/etc/ssh/sshd_config
+}
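Review bot: The BindAddress patch is applied inside build() (`patch -p1 -i "${srcdir}/openssh_multiple_bindaddress.patch"`), so running build() a second time against the same extracted tree — for example `makepkg -e` after a failed compile — re-applies an already-applied patch and aborts; the call belongs in a `prepare()` function, which makepkg runs once after extraction: `prepare() { cd "${_pkgname}-${pkgver}"; patch -p1 -i "${srcdir}/openssh_multiple_bindaddress.patch"; }`. check() runs `make || true`, which only repeats the default build target and can never fail, so the comment about connectivity tests describes a `make tests` target that is not actually invoked — either call `make tests` there or drop the function. The upstream tarball is fetched over plain ftp and pinned only by a sha512 value written in this same commit; adding the upstream release signature file to `source=` together with `validpgpkeys=` would let makepkg verify the tarball independently of the PKGBUILD author.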
diff --git a/install b/install
new file mode 100644
index 000000000000..6f0cd3703fb0
--- /dev/null
+++ b/install
@@ -0,0 +1,10 @@
+post_upgrade() {
+ if [[ $(vercmp $2 6.2p2) = -1 ]]; then
+ cat <<EOF
+
+==> The sshd daemon has been moved to /usr/bin alongside all binaries.
+==> Please update this path in your scripts if applicable.
+
+EOF
+ fi
+}
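Review bot: The `vercmp $2 6.2p2` test in post_upgrade() can never be true for this package: its first published version is 6.7p1 (pkgver in this same commit) and `$2` is the previously installed version of this same package, so the /usr/bin migration notice is dead code carried over from the Arch openssh package. Either drop the hook or keep it only as a placeholder for future upgrade notices; if kept, quote the argument, `if [[ $(vercmp "$2" 6.2p2) = -1 ]]; then`.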
diff --git a/openssh_multiple_bindaddress.patch b/openssh_multiple_bindaddress.patch
new file mode 100644
index 000000000000..32a2f9d3fc75
--- /dev/null
+++ b/openssh_multiple_bindaddress.patch
@@ -0,0 +1,224 @@
+From 510ee02f90b5c56d1abeafbbdb9fc7d21d173224 Mon Sep 17 00:00:00 2001
+Message-Id: <510ee02f90b5c56d1abeafbbdb9fc7d21d173224.1420755946.git.mschiffer@universe-factory.net>
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Thu, 8 Jan 2015 22:19:36 +0100
+Subject: [PATCH] multibind patch
+
+---
+ readconf.c | 8 ++++--
+ readconf.h | 12 +++++++-
+ ssh.c | 3 +-
+ ssh_config | 5 ++++
+ ssh_config.5 | 7 +++--
+ sshconnect.c | 89 +++++++++++++++++++++++++++++++++++-------------------------
+ 6 files changed, 80 insertions(+), 44 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 7948ce1..95f9289 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1001,8 +1001,10 @@ parse_char_array:
+ goto parse_string;
+
+ case oBindAddress:
+- charptr = &options->bind_address;
+- goto parse_string;
++ cpptr = (char**)&options->bind_addresses;
++ uintptr = &options->num_bind_address;
++ max_entries = SSH_MAX_BIND_ADDRESSES;
++ goto parse_char_array;
+
+ case oPKCS11Provider:
+ charptr = &options->pkcs11_provider;
+@@ -1576,7 +1578,7 @@ initialize_options(Options * options)
+ options->clear_forwardings = -1;
+ options->log_level = SYSLOG_LEVEL_NOT_SET;
+ options->preferred_authentications = NULL;
+- options->bind_address = NULL;
++ options->num_bind_address = 0;
+ options->pkcs11_provider = NULL;
+ options->enable_ssh_keysign = - 1;
+ options->no_host_authentication_for_localhost = - 1;
+diff --git a/readconf.h b/readconf.h
+index 0b9cb77..9299c4b 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -27,6 +27,11 @@ struct allowed_cname {
+ char *source_list;
+ char *target_list;
+ };
++#define SSH_MAX_BIND_ADDRESSES 8 /* 16 addresses, should be enough */
++
++#define SSH_BIND_ADDRESS_ANY "any" /* any address mark, used in
++ * configuration file */
++#define SSH_BIND_ADDRESS_ANYlen strlen(SSH_BIND_ADDRESS_ANY)
+
+ typedef struct {
+ int forward_agent; /* Forward authentication agent. */
+@@ -86,7 +91,12 @@ typedef struct {
+ u_int num_user_hostfiles; /* Path for $HOME/.ssh/known_hosts */
+ char *user_hostfiles[SSH_MAX_HOSTS_FILES];
+ char *preferred_authentications;
+- char *bind_address; /* local socket address for connection to sshd */
++
++ char *bind_addresses[SSH_MAX_BIND_ADDRESSES]; /* local socket
++ * address list for connection to sshd, main reason for this is ipv4 and
++ * ipv6 only hosts, when using global host match */
++ u_int num_bind_address; /* count of bind_addresses */
++
+ char *pkcs11_provider; /* PKCS#11 provider */
+ int verify_host_key_dns; /* Verify host key using DNS */
+
+diff --git a/ssh.c b/ssh.c
+index 26e9681..be59241 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -803,7 +803,8 @@ main(int ac, char **av)
+ options.control_path = xstrdup(optarg);
+ break;
+ case 'b':
+- options.bind_address = optarg;
++ options.bind_addresses[0] = optarg;
++ options.num_bind_address = 1;
+ break;
+ case 'F':
+ config = optarg;
+diff --git a/ssh_config b/ssh_config
+index 03a228f..c1b653b 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -46,3 +46,8 @@
+ # VisualHostKey no
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
++
++# --Example of BindAddress
++# BindAddress 192.168.0.1 3004:aaaa::beef any
++# This means, that ssh tries 192.168.0.1 if fail to bind, next address willbe 3004:aaaa::beef and if it fails,
++# uses default bind strategy, bind on any address
+diff --git a/ssh_config.5 b/ssh_config.5
+index f9ede7a..f138d17 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -214,8 +214,11 @@ or
+ The default is
+ .Dq no .
+ .It Cm BindAddress
+-Use the specified address on the local machine as the source address of
+-the connection.
++Use the specified address (or addresses seperated by space ) on the
++local machine as the source address of
++the connection. This list can be interrupted with
++.Dq any
++address.
+ Only useful on systems with more than one address.
+ Note that this option does not work if
+ .Cm UsePrivilegedPort
+diff --git a/sshconnect.c b/sshconnect.c
+index ac09eae..5ba4959 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -280,49 +280,64 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
+ fcntl(sock, F_SETFD, FD_CLOEXEC);
+
+ /* Bind the socket to an alternative local IP address */
+- if (options.bind_address == NULL && !privileged)
++ if (options.num_bind_address == 0 && !privileged)
+ return sock;
+
+- if (options.bind_address) {
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = ai->ai_family;
+- hints.ai_socktype = ai->ai_socktype;
+- hints.ai_protocol = ai->ai_protocol;
+- hints.ai_flags = AI_PASSIVE;
+- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+- if (gaierr) {
+- error("getaddrinfo: %s: %s", options.bind_address,
+- ssh_gai_strerror(gaierr));
+- close(sock);
+- return -1;
++ verbose("Trying %d addresses to connect", options.num_bind_address);
++ uint i;
++ for (i = 0; i < options.num_bind_address || i == 0; i++) {
++ if (options.num_bind_address > 0)
++ verbose("Trying bind address: %s", options.bind_addresses[i]);
++
++ if (options.num_bind_address > 0 && strncmp(options.bind_addresses[i], SSH_BIND_ADDRESS_ANY, SSH_BIND_ADDRESS_ANYlen) != 0) {
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = ai->ai_family;
++ hints.ai_socktype = ai->ai_socktype;
++ hints.ai_protocol = ai->ai_protocol;
++ hints.ai_flags = AI_PASSIVE;
++ gaierr = getaddrinfo(options.bind_addresses[i], NULL, &hints, &res);
++ if (gaierr) {
++ error("getaddrinfo: %s: %s", options.bind_addresses[i],
++ ssh_gai_strerror(gaierr));
++ continue;
++ }
+ }
+- }
+- /*
+- * If we are running as root and want to connect to a privileged
+- * port, bind our own socket to a privileged port.
+- */
+- if (privileged) {
+- PRIV_START;
+- r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
+- PRIV_END;
+- if (r < 0) {
+- error("bindresvport_sa: af=%d %s", ai->ai_family,
+- strerror(errno));
+- goto fail;
++ else if (!privileged) {
++ return sock;
+ }
+- } else {
+- if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
+- error("bind: %s: %s", options.bind_address,
+- strerror(errno));
+- fail:
+- close(sock);
+- freeaddrinfo(res);
+- return -1;
++
++ /*
++ * If we are running as root and want to connect to a privileged
++ * port, bind our own socket to a privileged port.
++ */
++ if (privileged) {
++ PRIV_START;
++ r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
++ PRIV_END;
++ if (r < 0) {
++ error("bindresvport_sa: af=%d %s", ai->ai_family,
++ strerror(errno));
++ goto fail;
++ }
++ } else {
++ if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
++ error("bind: %s: %s", options.bind_addresses[i],
++ strerror(errno));
++ fail:
++ freeaddrinfo(res);
++ res = NULL;
++ continue;
++ }
+ }
++
++ if (res != NULL)
++ freeaddrinfo(res);
++
++ return sock;
+ }
+- if (res != NULL)
+- freeaddrinfo(res);
+- return sock;
++
++ close(sock);
++ return -1;
+ }
+
+ static int
+--
+2.2.1
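Review bot: In the sshconnect.c hunk the `any` sentinel is recognised with `strncmp(options.bind_addresses[i], SSH_BIND_ADDRESS_ANY, SSH_BIND_ADDRESS_ANYlen) != 0`, a prefix comparison, so any BindAddress value that merely starts with "any" (a hostname such as `anyhost.example`) is silently treated as the wildcard and the connection leaves unbound instead of failing; an exact match, `strcmp(options.bind_addresses[i], SSH_BIND_ADDRESS_ANY) != 0`, makes the `SSH_BIND_ADDRESS_ANYlen` macro in readconf.h unnecessary. In readconf.h the comment on `#define SSH_MAX_BIND_ADDRESSES 8 /* 16 addresses, should be enough */` disagrees with the value. The loop counter is declared as `uint i;`, a non-standard alias where the surrounding code uses `u_int`, and the `verbose("Trying %d addresses to connect", ...)` format should be `%u` for an unsigned count. The ssh_config and ssh_config.5 additions contain typos ("willbe", "seperated", "space )") that would reach the installed manual page.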
diff --git a/sshd.pam b/sshd.pam
new file mode 100644
index 000000000000..7ecef084d07a
--- /dev/null
+++ b/sshd.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+#auth required pam_securetty.so #disable remote root
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
diff --git a/sshd.service b/sshd.service
new file mode 100644
index 000000000000..55ed95322da7
--- /dev/null
+++ b/sshd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+# This service file runs an SSH daemon that forks for each incoming connection.
+# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service.
diff --git a/sshd.socket b/sshd.socket
new file mode 100644
index 000000000000..e09e328690fd
--- /dev/null
+++ b/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/sshd@.service b/sshd@.service
new file mode 100644
index 000000000000..7ce3d37baa43
--- /dev/null
+++ b/sshd@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+ExecStart=-/usr/bin/sshd -i
+StandardInput=socket
+StandardError=syslog
diff --git a/sshdgenkeys.service b/sshdgenkeys.service
new file mode 100644
index 000000000000..1d01b7acff4b
--- /dev/null
+++ b/sshdgenkeys.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
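Review bot: The unit triggers whenever any listed file is absent, including the SSHv1 `ssh_host_key` and the DSA pair, and `ssh-keygen -A` then creates every default key type that is missing, so an administrator who deliberately removes those key types gets them back at the next boot. That behaviour is not obvious from the Condition lines; a comment such as `# Any missing default host key type is regenerated; mask this unit if weak key types are removed on purpose.` would make the trade-off visible to whoever hardens the host.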