author | Moritz Kaspar Rudert (mortzu) | 2015-05-21 15:59:37 +0200 |
---|---|---|
committer | Moritz Kaspar Rudert (mortzu) | 2015-05-21 15:59:37 +0200 |
commit | 9fea4c981ec889c714960d09479aebdac6b441a7 (patch) | |
tree | 92778276e13037375272c6a85ea9ef19ed1ac3b8 | |
download | aur-9fea4c981ec889c714960d09479aebdac6b441a7.tar.gz |
initial commit
-rw-r--r-- | .SRCINFO | 38 | ||||
-rw-r--r-- | PKGBUILD | 96 | ||||
-rw-r--r-- | install | 10 | ||||
-rw-r--r-- | openssh_multiple_bindaddress.patch | 224 | ||||
-rw-r--r-- | sshd.pam | 6 | ||||
-rw-r--r-- | sshd.service | 17 | ||||
-rw-r--r-- | sshd.socket | 10 | ||||
-rw-r--r-- | sshd@.service | 8 | ||||
-rw-r--r-- | sshdgenkeys.service | 17 |
9 files changed, 426 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..d86ba3dba347
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,38 @@
+pkgbase = openssh-multiple-bindaddress
+ pkgdesc = SSH connectivity tools with multiple BindAddress patch
+ pkgver = 6.7p1
+ pkgrel = 1
+ url = http://www.openssh.org/portable.html
+ install = install
+ arch = i686
+ arch = x86_64
+ license = custom:BSD
+ makedepends = linux-headers
+ depends = krb5
+ depends = openssl
+ depends = libedit
+ depends = ldns
+ optdepends = xorg-xauth: X11 forwarding
+ optdepends = x11-ssh-askpass: input passphrase in X
+ provides = openssh
+ conflicts = openssh
+ backup = etc/ssh/ssh_config
+ backup = etc/ssh/sshd_config
+ backup = etc/pam.d/sshd
+ source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz
+ source = sshdgenkeys.service
+ source = sshd@.service
+ source = sshd.service
+ source = sshd.socket
+ source = sshd.pam
+ source = openssh_multiple_bindaddress.patch
+ sha512sums = 2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d
+ sha512sums = 95a72fae435d294a89a70a8017b8e625c9fdeea5569999056176a1b8b342f4616e8c6a85e77e02a90d99358dfa990f167507d98464c19c5beff895af75b7105d
+ sha512sums = d63bfaa08225a4c467945b7b849747ce33f1c10e2e34ed4dbb8f02b31d392ba3a7f3c96377222ba25bfb9eec5beebfe9130358790bfd853c180c63015b4ec249
+ sha512sums = fbf8ba29eefef98a0596d255e7dab24790d828d466f06f209c63280d31a25950c88cc354296c0da9a5bd085384fa59f296809cad1ab8db6712d8158ac74da343
+ sha512sums = ea1d31d84ca30fffa60b6eb06d1f532c75ff5a8acec893479cbe0f3669c62e5da9ee81be8549bae75d63e4b6fe69a4ffe6dfd4e3008e731e320d6da4bc4beae9
+ sha512sums = 298e47a21c337101974fa5237b3110aa3c7638b5fa53bd07661413236c8ed3212b431abaeffd875af6c9a72b4f8e1c8512e1e1960cbfff15bfee62b32d305fc3
+ sha512sums = 9801d6db7f7bac0ccbccf12e24bf37f97304eba02e69298b2000bfbc30904f1eb2365687db43e40429ba53f39b8f9581babba292b8552a8ac2654452e5b92b44
+
+pkgname = openssh-multiple-bindaddress
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..bab100cd6872
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,96 @@
+# $Id: PKGBUILD 180812 2013-03-26 12:05:13Z bisson $
+# Maintainer: Gaetan Bisson <bisson@archlinux.org>
+# Contributor: Aaron Griffin <aaron@archlinux.org>
+# Contributor: judd <jvinet@zeroflux.org>
+
+pkgname=openssh-multiple-bindaddress
+_pkgname=openssh
+pkgver=6.7p1
+pkgrel=1
+pkgdesc='SSH connectivity tools with multiple BindAddress patch'
+url='http://www.openssh.org/portable.html'
+license=('custom:BSD')
+arch=('i686' 'x86_64')
+makedepends=('linux-headers')
+depends=('krb5' 'openssl' 'libedit' 'ldns')
+optdepends=('xorg-xauth: X11 forwarding'
+ 'x11-ssh-askpass: input passphrase in X')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${_pkgname}-${pkgver}.tar.gz"
+ 'sshdgenkeys.service'
+ 'sshd@.service'
+ 'sshd.service'
+ 'sshd.socket'
+ 'sshd.pam'
+ 'openssh_multiple_bindaddress.patch')
+sha512sums=('2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d'
+ '95a72fae435d294a89a70a8017b8e625c9fdeea5569999056176a1b8b342f4616e8c6a85e77e02a90d99358dfa990f167507d98464c19c5beff895af75b7105d'
+ 'd63bfaa08225a4c467945b7b849747ce33f1c10e2e34ed4dbb8f02b31d392ba3a7f3c96377222ba25bfb9eec5beebfe9130358790bfd853c180c63015b4ec249'
+ 'fbf8ba29eefef98a0596d255e7dab24790d828d466f06f209c63280d31a25950c88cc354296c0da9a5bd085384fa59f296809cad1ab8db6712d8158ac74da343'
+ 'ea1d31d84ca30fffa60b6eb06d1f532c75ff5a8acec893479cbe0f3669c62e5da9ee81be8549bae75d63e4b6fe69a4ffe6dfd4e3008e731e320d6da4bc4beae9'
+ '298e47a21c337101974fa5237b3110aa3c7638b5fa53bd07661413236c8ed3212b431abaeffd875af6c9a72b4f8e1c8512e1e1960cbfff15bfee62b32d305fc3'
+ '9801d6db7f7bac0ccbccf12e24bf37f97304eba02e69298b2000bfbc30904f1eb2365687db43e40429ba53f39b8f9581babba292b8552a8ac2654452e5b92b44')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+conflicts=('openssh')
+provides=('openssh')
+
+build() {
+ cd "${_pkgname}-${pkgver}"
+
+ patch -p1 -i "${srcdir}/openssh_multiple_bindaddress.patch"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --with-ldns \
+ --with-libedit \
+ --with-ssl-engine \
+ --with-pam \
+ --with-privsep-user=nobody \
+ --with-kerberos5=/usr \
+ --with-xauth=/usr/bin/xauth \
+ --with-mantype=man \
+ --with-md5-passwords \
+ --with-pid-dir=/run \
+
+ make
+}
+
+check() {
+ cd "${_pkgname}-${pkgver}"
+
+ make || true
+ # hard to suitably test connectivity:
+ # - fails with /bin/false as login shell
+ # - fails with firewall activated, etc.
+}
+
+package() {
+ cd "${_pkgname}-${pkgver}"
+
+ make DESTDIR="${pkgdir}" install
+
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+ install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service
+ install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
+ install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ sed \
+ -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+ -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ -i "${pkgdir}"/etc/ssh/sshd_config
+}
diff --git a/install b/install
new file mode 100644
index 000000000000..6f0cd3703fb0
--- /dev/null
+++ b/install
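Review bot: `check()` runs `make || true`, which only rebuilds the already-built tree and never runs OpenSSH's regression suite, while the comment directly below it explains why connectivity tests fail — the intended line is presumably `make tests || true`. Even with that target, `|| true` discards every failure, so a regression in the client bind path that `openssh_multiple_bindaddress.patch` rewrites in `sshconnect.c` would go unnoticed; at minimum surface it, e.g. `make tests || echo '==> regression tests failed (non-fatal)'`. The `$Id` header on the first line still points at the 2013 upstream `PKGBUILD` and no longer describes this file. The `sed` edits in `package()` assume the upstream `sshd_config` still carries the exact commented defaults being matched; a silent no-match would leave `UsePAM` unset, so a post-sed `grep -q '^UsePAM yes'` check would make that assumption explicit.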
@@ -0,0 +1,10 @@
+post_upgrade() {
+ if [[ $(vercmp $2 6.2p2) = -1 ]]; then
+ cat <<EOF
+
+==> The sshd daemon has been moved to /usr/bin alongside all binaries.
+==> Please update this path in your scripts if applicable.
+
+EOF
+ fi
+}
diff --git a/openssh_multiple_bindaddress.patch b/openssh_multiple_bindaddress.patch
new file mode 100644
index 000000000000..32a2f9d3fc75
--- /dev/null
+++ b/openssh_multiple_bindaddress.patch
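Review bot: `post_upgrade` compares the previous version against `6.2p2`, but this package starts at `pkgver=6.7p1` (see the PKGBUILD in this commit), so the branch can never be taken and the `/usr/bin` notice appears to be carried over unchanged from the upstream openssh hook. Either drop the hook from `PKGBUILD` (`install=install`) or give it a body that applies to this package; if it stays, quote the version argument, `if [[ $(vercmp "$2" 6.2p2) = -1 ]]; then`.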
@@ -0,0 +1,224 @@ +From 510ee02f90b5c56d1abeafbbdb9fc7d21d173224 Mon Sep 17 00:00:00 2001 +Message-Id: <510ee02f90b5c56d1abeafbbdb9fc7d21d173224.1420755946.git.mschiffer@universe-factory.net> +From: Matthias Schiffer <mschiffer@universe-factory.net> +Date: Thu, 8 Jan 2015 22:19:36 +0100 +Subject: [PATCH] multibind patch + +--- + readconf.c | 8 ++++-- + readconf.h | 12 +++++++- + ssh.c | 3 +- + ssh_config | 5 ++++ + ssh_config.5 | 7 +++-- + sshconnect.c | 89 +++++++++++++++++++++++++++++++++++------------------------- + 6 files changed, 80 insertions(+), 44 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 7948ce1..95f9289 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1001,8 +1001,10 @@ parse_char_array: + goto parse_string; + + case oBindAddress: +- charptr = &options->bind_address; +- goto parse_string; ++ cpptr = (char**)&options->bind_addresses; ++ uintptr = &options->num_bind_address; ++ max_entries = SSH_MAX_BIND_ADDRESSES; ++ goto parse_char_array; + + case oPKCS11Provider: + charptr = &options->pkcs11_provider; +@@ -1576,7 +1578,7 @@ initialize_options(Options * options) + options->clear_forwardings = -1; + options->log_level = SYSLOG_LEVEL_NOT_SET; + options->preferred_authentications = NULL; +- options->bind_address = NULL; ++ options->num_bind_address = 0; + options->pkcs11_provider = NULL; + options->enable_ssh_keysign = - 1; + options->no_host_authentication_for_localhost = - 1; +diff --git a/readconf.h b/readconf.h +index 0b9cb77..9299c4b 100644 +--- a/readconf.h ++++ b/readconf.h +@@ -27,6 +27,11 @@ struct allowed_cname { + char *source_list; + char *target_list; + }; ++#define SSH_MAX_BIND_ADDRESSES 8 /* 16 addresses, should be enough */ ++ ++#define SSH_BIND_ADDRESS_ANY "any" /* any address mark, used in ++ * configuration file */ ++#define SSH_BIND_ADDRESS_ANYlen strlen(SSH_BIND_ADDRESS_ANY) + + typedef struct { + int forward_agent; /* Forward authentication agent. 
*/ +@@ -86,7 +91,12 @@ typedef struct { + u_int num_user_hostfiles; /* Path for $HOME/.ssh/known_hosts */ + char *user_hostfiles[SSH_MAX_HOSTS_FILES]; + char *preferred_authentications; +- char *bind_address; /* local socket address for connection to sshd */ ++ ++ char *bind_addresses[SSH_MAX_BIND_ADDRESSES]; /* local socket ++ * address list for connection to sshd, main reason for this is ipv4 and ++ * ipv6 only hosts, when using global host match */ ++ u_int num_bind_address; /* count of bind_addresses */ ++ + char *pkcs11_provider; /* PKCS#11 provider */ + int verify_host_key_dns; /* Verify host key using DNS */ + +diff --git a/ssh.c b/ssh.c +index 26e9681..be59241 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -803,7 +803,8 @@ main(int ac, char **av) + options.control_path = xstrdup(optarg); + break; + case 'b': +- options.bind_address = optarg; ++ options.bind_addresses[0] = optarg; ++ options.num_bind_address = 1; + break; + case 'F': + config = optarg; +diff --git a/ssh_config b/ssh_config +index 03a228f..c1b653b 100644 +--- a/ssh_config ++++ b/ssh_config +@@ -46,3 +46,8 @@ + # VisualHostKey no + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h ++ ++# --Example of BindAddress ++# BindAddress 192.168.0.1 3004:aaaa::beef any ++# This means, that ssh tries 192.168.0.1 if fail to bind, next address willbe 3004:aaaa::beef and if it fails, ++# uses default bind strategy, bind on any address +diff --git a/ssh_config.5 b/ssh_config.5 +index f9ede7a..f138d17 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -214,8 +214,11 @@ or + The default is + .Dq no . + .It Cm BindAddress +-Use the specified address on the local machine as the source address of +-the connection. ++Use the specified address (or addresses seperated by space ) on the ++local machine as the source address of ++the connection. This list can be interrupted with ++.Dq any ++address. + Only useful on systems with more than one address. 
+ Note that this option does not work if + .Cm UsePrivilegedPort +diff --git a/sshconnect.c b/sshconnect.c +index ac09eae..5ba4959 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -280,49 +280,64 @@ ssh_create_socket(int privileged, struct addrinfo *ai) + fcntl(sock, F_SETFD, FD_CLOEXEC); + + /* Bind the socket to an alternative local IP address */ +- if (options.bind_address == NULL && !privileged) ++ if (options.num_bind_address == 0 && !privileged) + return sock; + +- if (options.bind_address) { +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = ai->ai_family; +- hints.ai_socktype = ai->ai_socktype; +- hints.ai_protocol = ai->ai_protocol; +- hints.ai_flags = AI_PASSIVE; +- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res); +- if (gaierr) { +- error("getaddrinfo: %s: %s", options.bind_address, +- ssh_gai_strerror(gaierr)); +- close(sock); +- return -1; ++ verbose("Trying %d addresses to connect", options.num_bind_address); ++ uint i; ++ for (i = 0; i < options.num_bind_address || i == 0; i++) { ++ if (options.num_bind_address > 0) ++ verbose("Trying bind address: %s", options.bind_addresses[i]); ++ ++ if (options.num_bind_address > 0 && strncmp(options.bind_addresses[i], SSH_BIND_ADDRESS_ANY, SSH_BIND_ADDRESS_ANYlen) != 0) { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = ai->ai_family; ++ hints.ai_socktype = ai->ai_socktype; ++ hints.ai_protocol = ai->ai_protocol; ++ hints.ai_flags = AI_PASSIVE; ++ gaierr = getaddrinfo(options.bind_addresses[i], NULL, &hints, &res); ++ if (gaierr) { ++ error("getaddrinfo: %s: %s", options.bind_addresses[i], ++ ssh_gai_strerror(gaierr)); ++ continue; ++ } + } +- } +- /* +- * If we are running as root and want to connect to a privileged +- * port, bind our own socket to a privileged port. +- */ +- if (privileged) { +- PRIV_START; +- r = bindresvport_sa(sock, res ? 
res->ai_addr : NULL); +- PRIV_END; +- if (r < 0) { +- error("bindresvport_sa: af=%d %s", ai->ai_family, +- strerror(errno)); +- goto fail; ++ else if (!privileged) { ++ return sock; + } +- } else { +- if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { +- error("bind: %s: %s", options.bind_address, +- strerror(errno)); +- fail: +- close(sock); +- freeaddrinfo(res); +- return -1; ++ ++ /* ++ * If we are running as root and want to connect to a privileged ++ * port, bind our own socket to a privileged port. ++ */ ++ if (privileged) { ++ PRIV_START; ++ r = bindresvport_sa(sock, res ? res->ai_addr : NULL); ++ PRIV_END; ++ if (r < 0) { ++ error("bindresvport_sa: af=%d %s", ai->ai_family, ++ strerror(errno)); ++ goto fail; ++ } ++ } else { ++ if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { ++ error("bind: %s: %s", options.bind_addresses[i], ++ strerror(errno)); ++ fail: ++ freeaddrinfo(res); ++ res = NULL; ++ continue; ++ } + } ++ ++ if (res != NULL) ++ freeaddrinfo(res); ++ ++ return sock; + } +- if (res != NULL) +- freeaddrinfo(res); +- return sock; ++ ++ close(sock); ++ return -1; + } + + static int +-- +2.2.1 diff --git a/sshd.pam b/sshd.pam new file mode 100644 index 000000000000..7ecef084d07a --- /dev/null +++ b/sshd.pam @@ -0,0 +1,6 @@ +#%PAM-1.0 +#auth required pam_securetty.so #disable remote root +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/sshd.service b/sshd.service new file mode 100644 index 000000000000..55ed95322da7 --- /dev/null +++ b/sshd.service 
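Review bot: The `any` marker test in the new `ssh_create_socket` loop is a prefix comparison, `strncmp(options.bind_addresses[i], SSH_BIND_ADDRESS_ANY, SSH_BIND_ADDRESS_ANYlen)`, so any configured source address that merely begins with `any` (a hostname such as `anyhost.example`) is treated as the wildcard and, for an unprivileged client, the socket is returned without being bound at all — a silent loss of the source-address pinning that `BindAddress` is typically configured for; the exact match the ssh_config example describes is `strcmp(options.bind_addresses[i], SSH_BIND_ADDRESS_ANY) != 0`. The loop counter is declared as `uint i;`, a non-standard type not used elsewhere in the file, where `u_int` (already used for `num_bind_address` in readconf.h) keeps the build portable. The comment on `#define SSH_MAX_BIND_ADDRESSES 8` says `16 addresses`, which contradicts the value, and `SSH_BIND_ADDRESS_ANYlen` expands to a `strlen()` call at every use. The accompanying man-page and ssh_config text carry typos (`seperated`, `willbe`) and `interrupted` should read `terminated`. `ssh_create_socket` opens before the quoted hunk, so the initial value of `res` is not visible here.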
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+# This service file runs an SSH daemon that forks for each incoming connection.
+# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service.
diff --git a/sshd.socket b/sshd.socket
new file mode 100644
index 000000000000..e09e328690fd
--- /dev/null
+++ b/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/sshd@.service b/sshd@.service
new file mode 100644
index 000000000000..7ce3d37baa43
--- /dev/null
+++ b/sshd@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+ExecStart=-/usr/bin/sshd -i
+StandardInput=socket
+StandardError=syslog
diff --git a/sshdgenkeys.service b/sshdgenkeys.service
new file mode 100644
index 000000000000..1d01b7acff4b
--- /dev/null
+++ b/sshdgenkeys.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes |
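Review bot: In `sshdgenkeys.service` the `ConditionPathExists=|!` list makes the unit run whenever any one of the ten listed files is missing, and `ssh-keygen -A` then creates every default host-key type that is absent, so an administrator who deliberately removed `/etc/ssh/ssh_host_dsa_key` or the protocol-1 `/etc/ssh/ssh_host_key` to retire those algorithms will find them regenerated on the next boot. This mirrors the upstream Arch unit rather than being new to this commit, but the behaviour is not obvious from the file, so a comment above `[Unit]` would help, e.g. `# Runs whenever any listed key is missing and regenerates every absent default type (including DSA and SSHv1); disable unwanted key types via HostKey in sshd_config rather than by deleting files.` The other three units in this section look like unchanged copies of the upstream Arch files and raise nothing further.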