diff options
author | Björn Wiedenmann | 2017-01-27 22:12:44 +0100 |
---|---|---|
committer | Björn Wiedenmann | 2017-01-27 22:12:44 +0100 |
commit | 40ff65e55cec29ee7fb7b37150f3dd8e241a68b5 (patch) | |
tree | 23ac3bbb591e164aee27118729e19040e142184d | |
download | aur-40ff65e55cec29ee7fb7b37150f3dd8e241a68b5.tar.gz |
Initial commit
-rw-r--r-- | .SRCINFO | 20 | ||||
-rw-r--r-- | PKGBUILD | 130 | ||||
-rw-r--r-- | pam_ssh_agent_auth-git.install | 88 |
3 files changed, 238 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 000000000000..bab743b4d0ec --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,20 @@ +# Generated by mksrcinfo v8 +# Fri Jan 27 21:08:46 UTC 2017 +pkgbase = pam_ssh_agent_auth-git + pkgdesc = PAM module which permits authentication for arbitrary services via ssh-agent. (Git version including experimental ECC support) + pkgver = r19.0ff7282 + pkgrel = 1 + url = http://github.com/jbeverly/pam_ssh_agent_auth/ + install = pam_ssh_agent_auth-git.install + arch = i686 + arch = x86_64 + license = custom:OpenSSL + optdepends = openssh: standard ssh-agent + optdepends = gnupg: gpg ssh-agent + provides = pam_ssh_agent_auth + conflicts = pam_ssh_agent_auth + source = git+https://github.com/jbeverly/pam_ssh_agent_auth + md5sums = SKIP + +pkgname = pam_ssh_agent_auth-git + diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..ac5118f1b99b --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,130 @@ +# Maintainer: Björn Wiedenmann <archlinux@xorxor.de> +# Contributor: Daniel Wallace <danielwallace at gtmanfred dot com> +# Contributor: Anders Bergh <anders1@gmail.com> +# Contributer: Chris <alostengineer at narmos dot org> + +# Note: The bulk of this PKGBUILD is based off: +# https://aur.archlinux.org/packages/pam_ssh_agent_auth/ + +# IMPORTANT SECURITY NOTE: +# This PKGBUILD is packaging code whose status is rather unknown ! +# +# Since I do NOT maintain this code in any way, but merely +# package it for Arch Linux, there is absolutely no warranty for +# this code. It is totally possible that I got the wrong code repo +# altogether and that it still contains open security bugs which +# have already been fixed elsewhere. +# +# A bit of background on why this PKGBUILD exists anyway: +# +# As of 2017-01-27, the latest pam_ssh_agent_auth in AUR +# (0.10.2-1 at https://aur.archlinux.org/packages/pam_ssh_agent_auth/) +# as well as the latest upstream release (0.10.3, at +# https://sourceforge.net/projects/pamsshagentauth/) both DO NOT support +# any ECC ssh user keys (neither ECDSA nor ED25519 keys). +# The issue is known on the official bugtracker +# (https://sourceforge.net/p/pamsshagentauth/feature-requests/10/) +# and quite a few people seem to look for this feature but the original +# maintainer does not seem to get around to implementing it because +# doing it cleanly requires a rebase to the current OpenSSH code base. +# And that costs the volunteers' scarcest resource :) +# +# However, digging a little deeper revealed this very promising discussion +# between the original maintainer and a helper who claims to have ECC +# support implemented: +# https://sourceforge.net/p/pamsshagentauth/discussion/903801/thread/784a4a5c/ +# The link also mentions a Github repository which seems to be the +# maintainer's replacement for SoureForge. Inspection of the repo +# showed that some work did in fact go into ECC support as well as +# the incorporation of a pull request by the aforementioned helper. +# Unfortunately, it is also using another Github project as a submodule +# which introduces an additional dependency (one the original maintainer +# does not seem to be too fond of, judging by the commit message) +# +# Depending on your security sensitivity and awareness, those are a +# lot of "seems" for a PAM module :) +# +# To summerize, on the downside you have +# +# 1. A git repo which seems to be the next official development repo +# but wasn't officially announced as such anywhere +# 2. Code in the master branch with an unknown status regarding +# stability or feature completeness +# 3. No statement by the maintainer as to the future of the repo (or +# what looks like the "replacement repo's replacement" on Github +# "pam_ssh_agent_auth-2.0" +# 4. A hard dependency on another Git repo +# +# On the upside, the only thing this code has going for it is +# +# 1. ED22519 key support seems to work just fine (and ECDSA should be +# there but I didn't test it) +# +# That last point is honestly the ONLY reason why you might want to +# prefer this PKGBUILD over the non-Git one in AUR or the officially +# released versions. If you are hard pressed to support ECC user keys +# in your SSH setup, give this a shot, but keep in mind, this PKGBUILD +# is even more experimental than usual for the background given above. +# I am providing all of this information here hoping to give you a +# better chance at taking an educated decision whether this PKGBUILD +# is right for you or not. +# +# Feel free to verify or add to this information (via the comment section), +# I will gladly incorporate it. I am planning to keep an eye on both the +# other AUR pam_ssh_agent_auth PKGBUILD as well as the upstream development. +# Maybe this PKGBUILD will be obsolete soon, there was some development +# activity in recent months. +# +# USE THIS PKGBUILD AT YOUR OWN RISK AND ONLY IF YOU FULLY +# UNDERSTAND THE SECURITY IMPLICATIONS OF NOT USING THE OFFICIALLY +# ANNOUNCED pam_ssh_agent_auth CODE BASE ! +# +# Consider yourself warned. +# +# If security is paramount for you or in case of any doubt, +# please use the official pam_ssh_agent_auth code base instead. + +pkgname=pam_ssh_agent_auth-git +pkgver=r19.0ff7282 +pkgrel=1 +pkgdesc="PAM module which permits authentication for arbitrary services via ssh-agent. (Git version including experimental ECC support)" +arch=('i686' 'x86_64') +url="http://github.com/jbeverly/pam_ssh_agent_auth/" +license=('custom:OpenSSL') +optdepends=('openssh: standard ssh-agent' + 'gnupg: gpg ssh-agent') +provides=('pam_ssh_agent_auth') +conflicts=('pam_ssh_agent_auth') +source=('git+https://github.com/jbeverly/pam_ssh_agent_auth') +md5sums=('SKIP') + +install=$pkgname.install + +pkgver() { + cd "pam_ssh_agent_auth/" + ( set -o pipefail + git describe --long 2>/dev/null | sed 's/\([^-]*-g\)/r\1/;s/-/./g' || + printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)" + ) +} + +prepare() { + cd "pam_ssh_agent_auth/" + git submodule init + git submodule update +} + +build() { + cd "pam_ssh_agent_auth/" + ./configure --prefix=/usr --with-mantype=man --libexecdir=/usr/lib/security + make +} + +package() { + cd "pam_ssh_agent_auth/" + make DESTDIR="$pkgdir/" install + + install -Dm644 LICENSE.OpenSSL "$pkgdir/usr/share/licenses/$pkgname/LICENSE" +} + +# vim:set ts=2 sw=2 et: diff --git a/pam_ssh_agent_auth-git.install b/pam_ssh_agent_auth-git.install new file mode 100644 index 000000000000..0a4f86b25f89 --- /dev/null +++ b/pam_ssh_agent_auth-git.install @@ -0,0 +1,88 @@ +post_install() { + cat <<EOF + +IMPORTANT SECURITY NOTE: +This PKGBUILD is packaging code whose status is rather unknown ! + +Since I do NOT maintain this code in any way, but merely +package it for Arch Linux, there is absolutely no warranty for +this code. It is totally possible that I got the wrong code repo +altogether and that it still contains open security bugs which +have already been fixed elsewhere. + +A bit of background on why this PKGBUILD exists anyway: + +As of 2017-01-27, the latest pam_ssh_agent_auth in AUR +(0.10.2-1 at https://aur.archlinux.org/packages/pam_ssh_agent_auth/) +as well as the latest upstream release (0.10.3, at +https://sourceforge.net/projects/pamsshagentauth/) both DO NOT support +any ECC ssh user keys (neither ECDSA nor ED25519 keys). +The issue is known on the official bugtracker +(https://sourceforge.net/p/pamsshagentauth/feature-requests/10/) +and quite a few people seem to look for this feature but the original +maintainer does not seem to get around to implementing it because +doing it cleanly requires a rebase to the current OpenSSH code base. +And that costs the volunteers' scarcest resource :) + +However, digging a little deeper revealed this very promising discussion +between the original maintainer and a helper who claims to have ECC +support implemented: +https://sourceforge.net/p/pamsshagentauth/discussion/903801/thread/784a4a5c/ +The link also mentions a Github repository which seems to be the +maintainer's replacement for SoureForge. Inspection of the repo +showed that some work did in fact go into ECC support as well as +the incorporation of a pull request by the aforementioned helper. +Unfortunately, it is also using another Github project as a submodule +which introduces an additional dependency (one the original maintainer +does not seem to be too fond of, judging by the commit message) + +Depending on your security sensitivity and awareness, those are a +lot of "seems" for a PAM module :) + +To summerize, on the downside you have + +1. A git repo which seems to be the next official development repo + but wasn't officially announced as such anywhere +2. Code in the master branch with an unknown status regarding + stability or feature completeness +3. No statement by the maintainer as to the future of the repo (or + what looks like the "replacement repo's replacement" on Github + "pam_ssh_agent_auth-2.0" +4. A hard dependency on another Git repo + +On the upside, the only thing this code has going for it is + +1. ED22519 key support seems to work just fine (and ECDSA should be + there but I didn't test it) + +That last point is honestly the ONLY reason why you might want to +prefer this PKGBUILD over the non-Git one in AUR or the officially +released versions. If you are hard pressed to support ECC user keys +in your SSH setup, give this a shot, but keep in mind, this PKGBUILD +is even more experimental than usual for the background given above. +I am providing all of this information here hoping to give you a +better chance at taking an educated decision whether this PKGBUILD +is right for you or not. + +Feel free to verify or add to this information (via the comment section), +I will gladly incorporate it. I am planning to keep an eye on both the +other AUR pam_ssh_agent_auth PKGBUILD as well as the upstream development. +Maybe this PKGBUILD will be obsolete soon, there was some development +activity in recent months. + +USE THIS PKGBUILD AT YOUR OWN RISK AND ONLY IF YOU FULLY +UNDERSTAND THE SECURITY IMPLICATIONS OF NOT USING THE OFFICIALLY +ANNOUNCED pam_ssh_agent_auth CODE BASE ! + +Consider yourself warned. + +If security is paramount for you or in case of any doubt, +please use the official pam_ssh_agent_auth code base instead. + +EOF +} + +post_upgrade() { + post_install +} + |