Ticket #60385: Portfile

File Portfile, 12.2 KB (added by khepler, 4 years ago)

Portfile with osx_keychain variant (enabled by default on 10.6+)

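# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem          1.0

PortGroup           compiler_blacklist_versions 1.0

name                openssh
version             8.1p1
revision            9
categories          net
platforms           darwin
maintainers         nomaintainer
license             BSD
installs_libs       no
conflicts           lsh

description         OpenSSH secure login server

long_description    OpenSSH is a FREE version of the SSH protocol suite of \
                    network connectivity tools that increasing numbers of people on the \
                    Internet are coming to rely on. Many users of telnet, rlogin, ftp, \
                    and other such programs might not realize that their password is \
                    transmitted across the Internet unencrypted, but it is. OpenSSH \
                    encrypts all traffic (including passwords) to effectively eliminate \
                    eavesdropping, connection hijacking, and other network-level \
                    attacks. Additionally, OpenSSH provides a myriad of secure \
                    tunneling capabilities, as well as a variety of authentication \
                    methods.

homepage            https://www.openbsd.org/openssh/

# The distfile is verified against these checksums whichever mirror below
# serves it, so the plain ftp:// and http:// mirrors do not weaken integrity.
checksums           rmd160  0d9bcaa22b77a8e26fbe4804ea4ae017e45b1568 \
                    sha256  02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff \
                    size    1625894

master_sites        openbsd:OpenSSH/portable \
                    ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
                    http://openbsd.mirrors.pair.com/OpenSSH/portable

# Everything in this block applies to the main openssh port only; the
# ssh-copy-id subport at the bottom reuses the distfile but nothing else.
if {${name} eq ${subport}} {
    depends_lib         path:lib/libssl.dylib:openssl \
                        port:libedit \
                        port:ncurses \
                        port:zlib
    depends_run         port:ssh-copy-id

    # the HPN patch needs this, so rewrite all other patches to support it, too
    patch.args          -p1
    patchfiles          launchd.patch \
                        pam.patch \
                        patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
                        patch-sshd.c-apple-sandbox-named-external.diff \
                        macports-config.patch \
                        patch-openbsd_compat-memmem-bug.diff

    # We need a couple of patches
    # - pam.patch
    #   getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
    #   when run as root, so it can't be used for authentication. This patch just
    #   forces the use of PAM regardless of the configuration.
    # - patch-*-apple-sandbox-named-external.diff
    #   Use Apple's sandbox_init(3) in addition to standard privilege separation.
    #   This requires a sandbox profile (which we provide) and the sandbox_init(3)
    #   call before the chroot(2) to privsep-path (${prefix}/var/empty), or it will
    #   fail to load the sandbox description and libsandbox.1.dylib.
    #   (Note: configure.args below actually passes --with-privsep-path=/var/empty.)
    # - 0002-Apple-keychain-integration-other-changes.patch
    #   Adds Apple Keychain integration and ssh-agent's launchd mode
    #   (applied only by the osx_keychain variant, see below)
    # - macports-config.patch
    #   Changes the default configuration from the upstream-provided one by popular
    #   request.

    post-patch {
        # reinplace prefix in path to sandbox definition added by
        # patch-sandbox-darwin.c-apple-sandbox-named-external.diff
        reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
    }

    use_autoreconf          yes

    # strnvis(3) isn't actually "broken".  OpenBSD decided to be special and flip
    # the order of arguments to strnvis and considers everyone else to be broken.
    configure.cppflags-append -DBROKEN_STRNVIS=1

    # Use Apple's sandboxing feature
    configure.cppflags-append   -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
                                -D__APPLE_API_STRICT_CONFORMANCE
    configure.ldflags-append  -Wl,-search_paths_first
    # --with-keychain=apple is deliberately NOT in this list: upstream configure
    # does not know that option, it belongs to the Keychain patch and is appended
    # by the osx_keychain variant together with that patch.
    configure.args      --with-ssl-dir=${prefix} \
                        --sysconfdir=${prefix}/etc/ssh \
                        --with-privsep-path=/var/empty \
                        --with-md5-passwords \
                        --with-pid-dir=${prefix}/var/run \
                        --with-pam \
                        --mandir=${prefix}/share/man \
                        --with-zlib=${prefix} \
                        --without-kerberos5 \
                        --with-libedit \
                        --with-pie \
                        --without-xauth \
                        --without-ldns \
                        --with-audit=bsm

    use_parallel_build  yes

    platform macosx {
        variant osx_keychain description "integrate with Mac OS keychain" {
            patchfiles-append 0002-Apple-keychain-integration-other-changes.patch
            # Request the Keychain backend only when the patch providing the
            # configure option is applied as well.
            configure.args-append --with-keychain=apple

            if {${os.major} <= 11} {
                # clang is required to build the new Apple Keychain integration due
                # to it using the Object Subscripting feature, c.f. #59397.
                # We'll keep it simple and just blacklist any gcc version, cc
                # (which could be anything), system clang versions prior to those
                # shipped with Xcode 4.4.
                # Regarding the macports-clang versions, any version in the
                # MacPorts tree should suit our needs, since the clang
                # documentation lists FOSS clang/llvm 3.1 as the first version to
                # support Object Subscripting and the oldest version in our tree is
                # now 3.3.
                compiler.blacklist-append   *gcc* cc {clang < 421}
            }
        }
    }

    # install-nokeys: host keys are generated at first start (startupitem.start
    # below), never at build time.
    destroot.target     install-nokeys

    test.run            yes
    test.target         tests

    post-destroot {
        destroot.keepdirs ${destroot}${prefix}/var/run

        # switch default port to avoid conflict with system sshd
        reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config

        # install sandbox definition
        xinstall -m 755 -d ${destroot}${prefix}/share/${name}
        xinstall -m 644 ${filespath}/com.openssh.sshd.sb ${destroot}${prefix}/share/${name}

        # Ship the configs as .example so an existing local configuration is
        # never overwritten by upgrade; post-activate copies them only when
        # no config is present.
        file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example"
        file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example"
    }

    post-activate {
        if {![file exists "${prefix}/etc/ssh/sshd_config"]} {
            copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config"
        }
        if {![file exists "${prefix}/etc/ssh/ssh_config"]} {
            copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config"
        }
    }

    notes-append "
                    Apple's keychain integration and launchd changes are now\
                    included by default, not just with the gsskex variant.\

                    The parameters were changed from -m/-M to -A/-K in\
                    accordance with Apple's changes, because upstream started\
                    using the former switches themselves recently."

    variant xauth description {Build with support for xauth} {
        configure.args-replace  --without-xauth \
                                --with-xauth=${prefix}/bin/xauth
        depends_run-append      port:xauth
    }

    variant hpn conflicts gsskex description {Apply high performance patch} {
        # Current location(s):
        #   https://github.com/rapier1/openssh-portable/
        #   http://www.freshports.org/security/openssh-portable/
        #     (is usually quick in updating the HPN patch for new versions,
        #      take a look there, too.)

        # Formerly taken directly from FreeBSD as a distfile, now copied over
        # from either upstream at or FreeBSD's ports directory and rebased.
        set hpn_patchfile       ${name}-${version}-hpnssh14v18
        patchfiles-append       ${hpn_patchfile}.diff \
                                ${hpn_patchfile}-openssl-1.1.diff
    }

    variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
        patchfiles-append       openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
        configure.ldflags-append \
                                -Wl,-pie
        configure.cflags-append -fPIE
        configure.args-append   --with-4in6 \
                                --disable-utmp \
                                --disable-wtmp \
                                --with-privsep-user=_sshd
    }

    variant kerberos5 description "Add Kerberos5 support" {
        depends_lib-append      port:kerberos5
        configure.args-delete   --without-kerberos5
        configure.args-append   --with-kerberos5=${prefix}

        if {${os.platform} eq "darwin"} {
            post-extract {
                xinstall -m 0755 -W "${filespath}" slogin "${worksrcpath}/"
            }

            pre-configure {
                reinplace -W "${worksrcpath}" "s|@@PREFIX@@|${prefix}|" slogin
            }

            post-destroot {
                xinstall -m 0755 ${worksrcpath}/slogin \
                                 ${destroot}${prefix}/bin/
            }
        }
    }

    variant ldns description "Use ldns for DNSSEC support" {
        configure.args-replace  --without-ldns \
                                --with-ldns
        depends_lib-append      port:ldns
    }

    default_variants            +kerberos5 +xauth

    platform darwin {
        # create link to /usr/include/pam because 'security' was renamed to 'pam'
        # in OS X.
        # And then again back to security in 10.6.
        if {${os.major} < 10} {
            pre-configure {
                xinstall -d ${workpath}/include
                file delete ${workpath}/include/security
                ln -s /usr/include/pam ${workpath}/include/security
                configure.cppflags-append "-I${workpath}/include"
            }
        }

        # include Keychain integration by default on Mac OS 10.6 and newer
        # NOTE(review): the variant itself is declared under `platform macosx`
        # above; this block is `platform darwin` — confirm they agree on
        # non-macOS darwin hosts.
        if {${os.major} > 9} {
            default_variants.append +osx_keychain
        }
    }

    platform darwin 9 {
        # 10.5/ppc doesn't like the sandbox file we supply
        configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
    }

    # Host keys are created on first start if missing, with an empty passphrase
    # (-N "") so sshd can load them unattended.
    # NOTE(review): ssh-dss host keys have been disabled by default since
    # OpenSSH 7.0, so the dsa key generated below is not used by a default
    # sshd_config; consider dropping that step.
    startupitem.create  yes
    startupitem.name    OpenSSH
    startupitem.start   \
        "if \[ -x ${prefix}/sbin/sshd \]; then
            if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
                ${prefix}/bin/ssh-keygen -t dsa -f \\
                ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
            fi
            if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
                ${prefix}/bin/ssh-keygen -t rsa -f \\
                ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
            fi
            if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
                ${prefix}/bin/ssh-keygen -t ecdsa -f \\
                ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
            fi
            if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
                ${prefix}/bin/ssh-keygen -t ed25519 -f \\
                ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
            fi
            ${prefix}/sbin/sshd
        fi"
    # Stops the daemon via the pid file written under --with-pid-dir above.
    startupitem.stop    \
        "if \[ -r ${prefix}/var/run/sshd.pid \]; then
            kill `cat ${prefix}/var/run/sshd.pid`
        fi"
}

# Standalone ssh-copy-id script, installed from the same openssh distfile.
subport ssh-copy-id {
    revision            0
    platforms           darwin freebsd
    supported_archs     noarch
    maintainers         {l2dy @l2dy} openmaintainer
    description         Shell script to install your public key(s) on a remote machine
    long_description    ${description}

    # Make sure to not create multiple copies of the same distfile.
    distname            openssh-${version}
    dist_subdir         openssh

    use_configure       no
    build               {}

    destroot {
        xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
        xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
    }
}

livecheck.type      regex
livecheck.url       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
livecheck.regex     openssh-(\[5-9\]+.\[0-9\]+p\[0-9\]+)[quotemeta ${extract.suffix}]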