Package Details: openssh-selinux 9.0p1-1

Git Clone URL: https://aur.archlinux.org/openssh-selinux.git
Package Base: openssh-selinux
Description: Premier connectivity tool for remote login with the SSH protocol, with SELinux support
Upstream URL: https://www.openssh.com/portable.html
Keywords: selinux
Licenses: custom:BSD
Conflicts: openssh, selinux-openssh
Provides: openssh, selinux-openssh
Submitter: Siosm
Maintainer: IooNag
Last Packager: IooNag
Votes: 20
Popularity: 0.88
First Submitted: 2013-11-03 20:05 (UTC)
Last Updated: 2022-04-16 10:56 (UTC)

Latest Comments

IooNag commented on 2021-10-12 18:20 (UTC)

@xavierbaez The package builds fine for me. There may be an application which is already listening on port 4242 on your machine. You can fix this issue by building the package in a clean environment (such as a virtual machine or a container), or by building without running tests (with makepkg --nocheck), or by installing the package which was built from GitHub's continuous integration system: https://github.com/archlinuxhardened/selinux/releases/tag/ArchLinux-SELinux

xavierbaez commented on 2021-10-11 07:22 (UTC) (edited on 2021-10-11 07:23 (UTC) by xavierbaez)

Have a problem installing openssh-selinux

Tried on two computers:

make[1]: Entering directory '~/.cache/yay/openssh-selinux/src/openssh-8.8p1/regress'
run test connect.sh ...
FATAL: no sshd running on port 4242
make[1]: [Makefile:219: t-exec] Error 1
make[1]: Leaving directory '~/.cache/yay/openssh-selinux/src/openssh-8.8p1/regress'
make: [Makefile:722: t-exec] Error 2
==> ERROR: A failure occurred in check().
    Aborting...
error making: openssh-selinux

kfollstad commented on 2021-07-27 21:23 (UTC) (edited on 2021-07-27 23:28 (UTC) by kfollstad)

It might be worth noting here the potential pitfalls that you might run into building this if you have python-twisted installed but not all of its optional dependencies as I did.

Part of the Makefile specifies interop tests with conch, which are called by check() in PKGBUILD (only) if conch exists. However, conch comes packaged in python-twisted but by default does not work unless you have also installed the optional dependencies: python-cryptography, python-pyasn1, python-appdirs, and python-bcrypt.

I was able to successfully build and install this using this slightly tweaked PKGBUILD:

diff --git a/PKGBUILD b/PKGBUILD
index 35d457a..b6bd827 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -19,7 +19,8 @@ license=('custom:BSD')
 arch=('x86_64' 'aarch64')
 depends=('glibc' 'krb5' 'openssl' 'libedit' 'ldns' 'libxcrypt'
          'libcrypt.so' 'zlib' 'pam' 'libselinux')
 makedepends=('linux-headers' 'libfido2')
-checkdepends=('inetutils')
+checkdepends=('inetutils' 'python-twisted' 'python-cryptography'
+              'python-pyasn1' 'python-appdirs' 'python-bcrypt')
 optdepends=('xorg-xauth: X11 forwarding'
             'x11-ssh-askpass: input passphrase in X'
             'libfido2: FIDO/U2F support')
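
Review bot: the extended checkdepends array has no comment saying that python-cryptography, python-pyasn1, python-appdirs and python-bcrypt are listed only because conch from python-twisted does not work without them. Add a one-line comment above checkdepends so a later cleanup does not drop them as unrelated. Listing python-twisted here also means conch is present on every checked build, so the conch interop tests now run for everyone rather than only where conch happened to be installed; if that is not intended, leave python-twisted out and disable the conch test instead.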

It might be better to disable the conch test or patch regress/test-exec.sh to check for the dependencies, similarly to the (untested) code below.

--- regress/test-exec.sh
+++ /home/username/tmp/openssh-test-exec.patched.sh
@@ -148,6 +148,15 @@
    /*) CONCH="${TEST_SSH_CONCH}" ;;
    *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;;
    esac
+   # Arch specific as conch (as installed via python-twisted)
+   # is non-functional without these optional dependencies.
+   HAS_DEPENDS=0
+   pacman -Qq python-cryptography python-pyans1 \
+   python-appdirs python-bcrypt &> /dev/null || HAS_DEPENDS=1
+   if [ $HAS_DEPENDS -eq 1 ]; then
+       CONCH=""
+   fi
 fi
 if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
    SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
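
Review bot: the added pacman -Qq line spells the package python-pyans1, while the PKGBUILD hunk and the comment text use python-pyasn1; with that spelling the query always fails, HAS_DEPENDS becomes 1 and CONCH is cleared even when every dependency is installed. Spell it python-pyasn1. Two smaller points on the same added lines: &> is a bash extension, so write >/dev/null 2>&1 in case the script is run by a plain POSIX sh, and HAS_DEPENDS=1 currently means a dependency is missing, so a name such as MISSING_DEPENDS would match what the variable holds.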

Also, IooNag, thank you very much for maintaining this and all you do for making SELinux work on Arch.
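
The check proposed in the comment above, as an added example (not kfollstad's code and not part of OpenSSH's regress suite): it goes beyond the pacman query by testing whether the Python modules actually import, so it also works outside Arch. The function names and the module import names (cryptography, pyasn1, appdirs, bcrypt) are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Added example: decide whether conch can be used for the interop tests.
# Import names assumed for the packages named in the comment:
# python-cryptography, python-pyasn1, python-appdirs, python-bcrypt.
CONCH_PY_MODULES="cryptography pyasn1 appdirs bcrypt"

# Print every module that fails to import, one per line.
# $1: Python interpreter to probe with (hypothetical parameter, default python3).
missing_conch_modules() {
    py="${1:-python3}"
    for mod in $CONCH_PY_MODULES; do
        "$py" -c "import $mod" >/dev/null 2>&1 || printf '%s\n' "$mod"
    done
}

# Print the conch path to use, or nothing when conch is absent or unusable.
# $1: candidate conch path, $2: Python interpreter (default python3).
resolve_conch() {
    conch_bin="$1"
    py="${2:-python3}"
    # No conch binary at all: the interop tests are skipped anyway.
    [ -n "$conch_bin" ] && [ -x "$conch_bin" ] || return 0
    missing=$(missing_conch_modules "$py")
    if [ -n "$missing" ]; then
        # Report why conch was disabled instead of failing the whole check().
        echo "conch disabled, missing modules:" $missing >&2
        return 0
    fi
    printf '%s\n' "$conch_bin"
}
```

The result of resolve_conch can be assigned to CONCH at the point where the hunk above clears it.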

Unb0rn commented on 2020-02-17 06:16 (UTC)

I seem to have the same problem as in here: https://bugs.archlinux.org/task/65513 Maybe this should be updated too?

IooNag commented on 2020-02-16 07:26 (UTC)

@yar I updated openssh-selinux to 8.2p1-1 a few hours ago, because the tests worked and it fixed the issue of broken systems due to the glibc update (cf. https://github.com/archlinuxhardened/selinux/pull/27#issuecomment-586648511). openssh 8.2p1-1 was in testing a few hours ago, but is now in core, so the issue caused by glibc update is fixed. Thanks again for your bug report!

yar commented on 2020-02-16 03:36 (UTC)

Not sure offhand, but 8.2 is out, maybe that'll work?

Meanwhile anybody with this package who's Syu'd in the past few days has bricked their sshd :/

IooNag commented on 2020-02-14 08:23 (UTC)

@yar Thanks for the update! Unfortunately the tests are broken with the new version I am testing (8.1p1-4, with the backported patch): https://github.com/archlinuxhardened/selinux/pull/27

I do not have time at the moment to debug this and to investigate whether it is an issue from -selinux package, Arch package or OpenSSH upstream. So I will not update openssh-selinux today, but if you want to find out what is going wrong, it would be very helpful.

yar commented on 2020-02-14 07:32 (UTC)

This is broken by glibc 2.31, needs to incorporate new changes in arch package

IooNag commented on 2017-05-12 20:49 (UTC)

MrMuffin: is your system up-to-date? Which version of openssl are you using? The last version of the package is only compatible with 1.1.0.e-1, as OpenSSL 1.1.0 broke backward-compatibility.

MrMuffin commented on 2017-05-12 20:44 (UTC)

Hi. I am getting these errors:

cipher.c: In function ‘cipher_get_keycontext’:
cipher.c:696:35: error: ‘cc->evp’ is a pointer; did you mean to use ‘->’?
 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
                                   ^
                                   ->
cipher.c:708:10: note: in expansion of macro ‘EVP_X_STATE_LEN’
   plen = EVP_X_STATE_LEN(cc->evp);
          ^~~~~~~~~~~~~~~
cipher.c:695:31: error: ‘cc->evp’ is a pointer; did you mean to use ‘->’?
 #define EVP_X_STATE(evp) (evp).cipher_data
                               ^
                               ->
cipher.c:711:15: note: in expansion of macro ‘EVP_X_STATE’
   memcpy(dat, EVP_X_STATE(cc->evp), plen);
               ^~~~~~~~~~~
cipher.c: In function ‘cipher_set_keycontext’:
cipher.c:696:35: error: ‘cc->evp’ is a pointer; did you mean to use ‘->’?
 #define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
                                   ^
                                   ->
cipher.c:727:10: note: in expansion of macro ‘EVP_X_STATE_LEN’
   plen = EVP_X_STATE_LEN(cc->evp);
          ^~~~~~~~~~~~~~~
cipher.c:695:31: error: ‘cc->evp’ is a pointer; did you mean to use ‘->’?
 #define EVP_X_STATE(evp) (evp).cipher_data
                               ^
                               ->
cipher.c:728:10: note: in expansion of macro ‘EVP_X_STATE’
   memcpy(EVP_X_STATE(cc->evp), dat, plen);
          ^~~~~~~~~~~
make: *** [Makefile:152: cipher.o] Error 1
==> ERROR: A failure occurred in build().
    Aborting...
==> ERROR: Makepkg was unable to build openssh-selinux.

Can you help me?

zer01 commented on 2017-05-07 21:59 (UTC)

Looks like API changes in the OpenSSL 1.1 libs have broken compatibility. Got it to compile again using the extra/openssl-1.0 package:

depends=('krb5' 'openssl-1.0' 'libedit' 'ldns' 'libselinux')

and in build():

export CFLAGS="$CFLAGS -I/usr/include/openssl-1.0"
export LDFLAGS="$LDFLAGS -L/usr/lib/openssl-1.0"

RemoteAdmin commented on 2017-02-06 16:37 (UTC) (edited on 2017-02-06 16:37 (UTC) by RemoteAdmin)

@IooNag Unfortunately the first upstream fix wasn't working. Therefore you have to update the package again... But this time it has been verified to work. Thanks for keeping this up to date.

IooNag commented on 2017-02-04 09:17 (UTC)

@RemoteAdmin Thanks for having this bug fixed in the upstream package! I have updated openssh-selinux accordingly.

RemoteAdmin commented on 2017-02-04 08:57 (UTC) (edited on 2017-02-04 08:58 (UTC) by RemoteAdmin)

@IooNag An alternative would be to update to the upstream version of openssh. I have filed a bug which is now corrected (https://bugs.archlinux.org/task/52823). May be sufficient as well.

IooNag commented on 2017-02-02 23:35 (UTC)

@RemoteAdmin: thanks for the bug report. Instead of using makedepends I am thinking of adding "checkdepends=('openssh')" to the package, which would not do anything when running "makepkg --nocheck". I will test this option and modify the package this weekend if it works fine.

RemoteAdmin commented on 2017-02-02 12:48 (UTC) (edited on 2017-02-02 13:11 (UTC) by RemoteAdmin)

There is a problem with the PKGBUILD. If openssh is not installed, the following error will occur at the check:

"scp: failed copy /tmp/3bcb7602/0/aur-archlinux/openssh-selinux/src/openssh-7.4p1/regress/data"

The problem is stated in the "openssh-7.4p1/regress/README.regress":

[README.regress] "Similarly, if you do not have "scp" in your system's $PATH then the multiplex scp tests will fail (since the system's shell startup scripts will determine where the shell started by sshd will look for scp)."

Therefore openssh must either be added to the makedepends array (which might be kinda wrong 'cause it would test the scp of the openssh package and not the openssl-selinux package as far as I understand it) or the scp in the output folder must be added to the PATH variable.

Siosm commented on 2014-01-02 21:49 (UTC)

Renamed to openssh-selinux

Siosm commented on 2012-05-08 19:27 (UTC)

The group field is missing: groups=('selinux' 'selinux-system-utilities')

Nicky726 commented on 2011-09-06 11:30 (UTC)

Fixed and switched to version derived directly from [core] via a patch, so this should not happen again.

Siosm commented on 2011-08-30 14:03 (UTC)

I had to remove this line "--with-tcp-wrappers \" from the PKGBUILD as we don't have tcp wrappers anymore on Arch.

Nicky726 commented on 2010-07-26 09:21 (UTC)

Initial release.