author | Nicolas Iooss | 2022-11-02 23:28:39 +0100 |
---|---|---|
committer | Nicolas Iooss | 2022-11-02 23:28:39 +0100 |
commit | f6aa5ecd16474ff1662b4e2796f6fbbb072b4e07 (patch) | |
tree | 8383fcb7ff83104cf950956adb540df72216a7ac | |
parent | 4cc91024230b2f16d4ada54d24b2600bc2adfbc5 (diff) | |
download | aur-f6aa5ecd16474ff1662b4e2796f6fbbb072b4e07.tar.gz |
openssh-selinux 9.1p1-1 update
-rw-r--r-- | .SRCINFO | 47 | ||||
-rw-r--r-- | PKGBUILD | 174 | ||||
-rw-r--r-- | install | 32 | ||||
-rw-r--r-- | openssh-9.0p1-sshd_config.patch | 30 | ||||
-rw-r--r-- | sshdgenkeys.service | 2 |
5 files changed, 133 insertions, 152 deletions
@@ -1,57 +1,56 @@ pkgbase = openssh-selinux - pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support - pkgver = 9.0p1 + pkgdesc = SSH protocol implementation for remote login, command execution and file transfer, with SELinux support + pkgver = 9.1p1 pkgrel = 1 url = https://www.openssh.com/portable.html - install = install arch = x86_64 arch = aarch64 groups = selinux license = custom:BSD - makedepends = linux-headers makedepends = libfido2 + makedepends = linux-headers depends = glibc depends = krb5 - depends = openssl - depends = libedit + depends = libkrb5.so + depends = libgssapi_krb5.so depends = ldns + depends = libedit depends = libxcrypt depends = libcrypt.so - depends = zlib + depends = openssl depends = pam + depends = libpam.so + depends = zlib depends = libselinux - optdepends = xorg-xauth: X11 forwarding - optdepends = x11-ssh-askpass: input passphrase in X optdepends = libfido2: FIDO/U2F support - provides = openssh=9.0p1-1 - provides = selinux-openssh=9.0p1-1 + optdepends = x11-ssh-askpass: input passphrase in X + optdepends = xorg-xauth: X11 forwarding + provides = openssh=9.1p1-1 + provides = selinux-openssh=9.1p1-1 conflicts = openssh conflicts = selinux-openssh + backup = etc/pam.d/sshd backup = etc/ssh/ssh_config backup = etc/ssh/sshd_config - backup = etc/pam.d/sshd - source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz - source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz.asc + source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz + source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz.asc + source = openssh-9.0p1-sshd_config.patch source = sshdgenkeys.service source = sshd.service source = sshd.conf source = sshd.pam validpgpkeys = 7168B983815A5EEF59A4ADFD2A3F414E736060BA - sha1sums = 06dd658874dcd22d66311cf5999bd56c614de509 - sha1sums = SKIP - sha1sums = 
caaa801da59a5d14c0c29c43e9de5fef281ea03e - sha1sums = 8640ac6593602e74a863263223e92ab5c4711588 - sha1sums = c9b2e4ce259cd62ddb00364d3ee6f00a8bf2d05f - sha1sums = d93dca5ebda4610ff7647187f8928a3de28703f3 - sha256sums = 03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a + sha256sums = 19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288 sha256sums = SKIP - sha256sums = 4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7 + sha256sums = 27e43dfd1506c8a821ec8186bae65f2dc43ca038616d6de59f322bd14aa9d07f + sha256sums = e5305767b2d317183ad1c5022a5f6705bd9014a8b22495a000fd482713738611 sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7 sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6 sha256sums = 64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846 - b2sums = 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 + b2sums = 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 b2sums = SKIP - b2sums = 62f89107d3648a359b0307497a9f105d7ff1dddddb38a64afe3261000b5db494a5530e4b60a9aa1d7be4413599e54b72e2f53f0de8c1ff263a46a70bc5695c29 + b2sums = 29e1a1c2744e0234830c6f93a46338ea8dc943370e20a24883d207d611025e54643da678f2826050c073a36be48dfdc7329d4cfb144c2ff90607a5f10f73dc59 + b2sums = 09fad3648f48f13ee80195b90913feeba21240d121b1178e0ce62f4a17b1f7e58e8edc22c04403e377ab300f5022a804c848f5be132765d5ca26a38aab262e50 b2sums = 07ad5c7fb557411a6646ff6830bc9d564c07cbddc4ce819641d31c05dbdf677bfd8a99907cf529a7ee383b8c250936a6423f4b4b97ba0f1c14f627bbd629bd4e b2sums = 27571f728c3c10834a81652f3917188436474b588f8b047462e44b6c7a424f60d06ce8cb74839b691870177d7261592207d7f35d4ae6c79af87d6a7ea156d395 b2sums = 557d015bca7008ce824111f235da67b7e0051a693aaab666e97b78e753ed7928b72274af03d7fde12033986b733d5f996faf2a4feb6ecf53f39accae31334930 
@@ -11,127 +11,113 @@ # If you want to help keep it up to date, please open a Pull Request there. pkgname=openssh-selinux -pkgver=9.0p1 +pkgver=9.1p1 pkgrel=1 -pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support' +pkgdesc="SSH protocol implementation for remote login, command execution and file transfer, with SELinux support" +arch=('x86_64' 'aarch64') url='https://www.openssh.com/portable.html' license=('custom:BSD') -arch=('x86_64' 'aarch64') -depends=('glibc' 'krb5' 'openssl' 'libedit' 'ldns' 'libxcrypt' 'libcrypt.so' 'zlib' 'pam' 'libselinux') -makedepends=('linux-headers' 'libfido2') -optdepends=('xorg-xauth: X11 forwarding' - 'x11-ssh-askpass: input passphrase in X' - 'libfido2: FIDO/U2F support') +depends=( + 'glibc' + 'krb5' 'libkrb5.so' 'libgssapi_krb5.so' + 'ldns' + 'libedit' + 'libxcrypt' 'libcrypt.so' + 'openssl' + 'pam' 'libpam.so' + 'zlib' + 'libselinux' +) +makedepends=('libfido2' 'linux-headers') +optdepends=( + 'libfido2: FIDO/U2F support' + 'x11-ssh-askpass: input passphrase in X' + 'xorg-xauth: X11 forwarding' +) +backup=( + 'etc/pam.d/sshd' + 'etc/ssh/ssh_config' + 'etc/ssh/sshd_config' +) conflicts=("${pkgname/-selinux}" "selinux-${pkgname/-selinux}") provides=("${pkgname/-selinux}=${pkgver}-${pkgrel}" "selinux-${pkgname/-selinux}=${pkgver}-${pkgrel}") groups=('selinux') -validpgpkeys=('7168B983815A5EEF59A4ADFD2A3F414E736060BA') -#source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1" -source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc} - 'sshdgenkeys.service' - 'sshd.service' - 'sshd.conf' - 'sshd.pam') -sha1sums=('06dd658874dcd22d66311cf5999bd56c614de509' - 'SKIP' - 'caaa801da59a5d14c0c29c43e9de5fef281ea03e' - '8640ac6593602e74a863263223e92ab5c4711588' - 'c9b2e4ce259cd62ddb00364d3ee6f00a8bf2d05f' - 'd93dca5ebda4610ff7647187f8928a3de28703f3') -sha256sums=('03974302161e9ecce32153cfa10012f1e65c8f3750f573a73ab1befd5972a28a' +source=( + 
"https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc} + "${pkgname/-selinux}-9.0p1-sshd_config.patch" + 'sshdgenkeys.service' + 'sshd.service' + 'sshd.conf' + 'sshd.pam' +) +sha256sums=('19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288' 'SKIP' - '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7' + '27e43dfd1506c8a821ec8186bae65f2dc43ca038616d6de59f322bd14aa9d07f' + 'e5305767b2d317183ad1c5022a5f6705bd9014a8b22495a000fd482713738611' 'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7' '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6' '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846') -b2sums=('49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2' +b2sums=('287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5' 'SKIP' - '62f89107d3648a359b0307497a9f105d7ff1dddddb38a64afe3261000b5db494a5530e4b60a9aa1d7be4413599e54b72e2f53f0de8c1ff263a46a70bc5695c29' + '29e1a1c2744e0234830c6f93a46338ea8dc943370e20a24883d207d611025e54643da678f2826050c073a36be48dfdc7329d4cfb144c2ff90607a5f10f73dc59' + '09fad3648f48f13ee80195b90913feeba21240d121b1178e0ce62f4a17b1f7e58e8edc22c04403e377ab300f5022a804c848f5be132765d5ca26a38aab262e50' '07ad5c7fb557411a6646ff6830bc9d564c07cbddc4ce819641d31c05dbdf677bfd8a99907cf529a7ee383b8c250936a6423f4b4b97ba0f1c14f627bbd629bd4e' '27571f728c3c10834a81652f3917188436474b588f8b047462e44b6c7a424f60d06ce8cb74839b691870177d7261592207d7f35d4ae6c79af87d6a7ea156d395' '557d015bca7008ce824111f235da67b7e0051a693aaab666e97b78e753ed7928b72274af03d7fde12033986b733d5f996faf2a4feb6ecf53f39accae31334930') +validpgpkeys=('7168B983815A5EEF59A4ADFD2A3F414E736060BA') # Damien Miller <djm@mindrot.org> -backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd') - -install=install - -# prepare() { -# cd 
"${srcdir}/${pkgname/-selinux}-${pkgver}" - -# patch goes here - -# autoreconf -# } +prepare() { + patch -Np1 -d "${pkgname/-selinux}-$pkgver" -i ../${pkgname/-selinux}-9.0p1-sshd_config.patch +} build() { - cd "${srcdir}/${pkgname/-selinux}-${pkgver}" - - ./configure \ - --prefix=/usr \ - --sbindir=/usr/bin \ - --libexecdir=/usr/lib/ssh \ - --sysconfdir=/etc/ssh \ - --disable-strip \ - --with-ldns \ - --with-libedit \ - --with-security-key-builtin \ - --with-ssl-engine \ - --with-pam \ - --with-privsep-user=nobody \ - --with-kerberos5=/usr \ - --with-xauth=/usr/bin/xauth \ - --with-md5-passwords \ - --with-pid-dir=/run \ - --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \ - --with-selinux - - make + cd "${pkgname/-selinux}-${pkgver}" + + ./configure \ + --prefix=/usr \ + --sbindir=/usr/bin \ + --libexecdir=/usr/lib/ssh \ + --sysconfdir=/etc/ssh \ + --disable-strip \ + --with-ldns \ + --with-libedit \ + --with-security-key-builtin \ + --with-ssl-engine \ + --with-pam \ + --with-privsep-user=nobody \ + --with-kerberos5=/usr \ + --with-xauth=/usr/bin/xauth \ + --with-pid-dir=/run \ + --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \ + --with-selinux \ + + make } check() { - cd "${srcdir}/${pkgname/-selinux}-${pkgver}" + cd "${pkgname/-selinux}-${pkgver}" - # Tests require openssh to be already installed system-wide, - # also connectivity tests will fail under makechrootpkg since - # it runs as nobody which has /bin/false as login shell. - - if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then - # Running tests in parallel is broken in 8.1p1-4, so force -j1: - # - # openssh-selinux/src/openssh-8.1p1/regress/ssh-rsa already exists. - # Overwrite (y/n)? ssh-keygen for ssh-rsa failed - # putty interop tests not enabled - # run test putty-ciphers.sh ... 
- # ssh connect with failed - # failed simple connect - # make[1]: *** [Makefile:211: t-exec] Error 1 - # make[1]: Leaving directory 'openssh-selinux/src/openssh-8.1p1/regress' - # make: *** [Makefile:610: t-exec] Error 2 - make tests -j1 - fi + # NOTE: make t-exec does not work in our build environment + make file-tests interop-tests unit } package() { - cd "${srcdir}/${pkgname/-selinux}-${pkgver}" - - make DESTDIR="${pkgdir}" install + cd "${pkgname/-selinux}-${pkgver}" - ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz - install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE" + make DESTDIR="${pkgdir}" install - install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service - install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service - install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf - install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd + ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz + install -Dm644 LICENCE -t "${pkgdir}/usr/share/licenses/${pkgname}/" - install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh - install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id - install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1 + install -Dm644 ../sshdgenkeys.service -t "${pkgdir}"/usr/lib/systemd/system/ + install -Dm644 ../sshd.service -t "${pkgdir}"/usr/lib/systemd/system/ + install -Dm644 ../sshd.conf -t "${pkgdir}"/usr/lib/tmpfiles.d/ + install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd - sed \ - -e '/^#KbdInteractiveAuthentication yes$/c KbdInteractiveAuthentication no' \ - -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \ - -e '/^#UsePAM no$/c UsePAM yes' \ - -i "${pkgdir}"/etc/ssh/sshd_config + install -Dm755 contrib/findssl.sh -t "${pkgdir}"/usr/bin/ + install -Dm755 contrib/ssh-copy-id -t "${pkgdir}"/usr/bin/ + install -Dm644 contrib/ssh-copy-id.1 -t "${pkgdir}"/usr/share/man/man1/ } + +# 
vim: ts=2 sw=2 et:
diff --git a/install b/install
deleted file mode 100644
index 47c1e770ab00..000000000000
--- a/install
+++ /dev/null
@@ -1,32 +0,0 @@
-pre_upgrade() {
- # Remove socket activation. See: https://bugs.archlinux.org/task/62248
- if (( $(vercmp $2 8.0p1-3) < 0 )); then
- if systemctl is-enabled -q sshd.socket; then
- cat <<EOF
-==> This package no longer provides sshd.socket and sshd@.service;
-==> copies of those files will be placed under /etc/systemd/system
-==> but please migrate to sshd.service whenever possible.
-EOF
- src=/usr/lib/systemd/system
- dst=/etc/systemd/system
- for i in sshd.socket sshd\@.service; do
- if [[ ! -e "$dst/$i" ]]; then
- cp -v "$src/$i" "$dst/$i"
- fi
- done
- systemctl reenable sshd.socket
- fi
- fi
-}
-
-post_upgrade() {
- if (( $(vercmp $2 8.2p1-3) < 0 )); then
- if systemctl is-active sshd.service >/dev/null; then
- cat <<EOF
-==> After this upgrade, your existing SSH daemon may be unable to accept
-==> new connections. To fix this, your SSH daemon will now be restarted.
-EOF
- systemctl restart sshd.service
- fi
- fi
-}
diff --git a/openssh-9.0p1-sshd_config.patch b/openssh-9.0p1-sshd_config.patch
new file mode 100644
index 000000000000..910014922bad
--- /dev/null
+++ b/openssh-9.0p1-sshd_config.patch
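Review bot: In the PKGBUILD hunk, build() now writes the last configure option as `--with-selinux \` followed by an empty line, so the command ends where intended only because that blank line is there. If the blank line is ever removed, `make` is handed to ./configure as an argument instead of being run. Drop the continuation on the final option: `--with-selinux`. In prepare(), the `-i ../${pkgname/-selinux}-9.0p1-sshd_config.patch` argument is unquoted while the `-d` argument beside it is quoted; quoting both keeps the line consistent.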
@@ -0,0 +1,30 @@
+diff -ruN a/sshd_config b/sshd_config
+--- a/sshd_config 2022-04-06 02:47:48.000000000 +0200
++++ b/sshd_config 2022-10-10 19:55:58.961117951 +0200
+@@ -58,7 +58,7 @@
+ #PermitEmptyPasswords no
+ 
+ # Change to no to disable s/key passwords
+-#KbdInteractiveAuthentication yes
++KbdInteractiveAuthentication no
+ 
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -79,7 +79,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and KbdInteractiveAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+@@ -88,7 +88,7 @@
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
+-#PrintMotd yes
++PrintMotd no
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #PermitUserEnvironment no
diff --git a/sshdgenkeys.service b/sshdgenkeys.service
index cfb9f6aa17f1..83230084f5dd 100644
--- a/sshdgenkeys.service
+++ b/sshdgenkeys.service
@@ -1,7 +1,5 @@
 [Unit]
 Description=SSH Key Generation
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
 ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
 ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
 ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key |
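Review bot: In openssh-9.0p1-sshd_config.patch the hunk context comes from the 9.0p1 sshd_config, yet prepare() applies it to the 9.1p1 tree with plain `patch -Np1`. That accepts offsets and, by default, some fuzz, so later drift in the upstream file can still let a hunk apply without anyone re-reading it. These lines decide how sshd authenticates (`UsePAM yes`, `KbdInteractiveAuthentication no`), so I would make drift a build failure by adding `-F0` to the patch call in PKGBUILD and regenerating the patch per release. The sed this replaces recorded a reason for one value (`PrintMotd no # pam does that`); that rationale is gone, and a short comment line above each changed directive would keep it.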