source: trunk/dports/net/openssh/Portfile

Last change on this file was 153360, checked in by ionic@…, 10 months ago

net/openssh: update to 7.3p1. Fixes: #51951, #48981, #50805.

Changes:

  • Rebase patches.
  • Update to a newer HPN patchset version. Notable changes: HPN can no longer be forcibly disabled once the variant has been selected, and the None Cipher can no longer be forcibly enabled at compile time. For HPN itself this is fine; enabling the None Cipher now requires setting NoneEnabled=yes on the server side and both NoneEnabled=yes and NoneSwitch=yes on the client side.
  • The sandbox check now doesn't try to access a private header anymore.
  • The removed slogin binary is provided as a wrapper that prints a warning message on STDERR and then executes the ssh binary.
  • The none_cipher variant was removed with no replacement; the code is now always compiled when the hpn variant is used.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 10.0 KB
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# $Id: Portfile 153360 2016-09-29 13:49:14Z ryandesign@macports.org $

# MacPorts port definition for the portable OpenSSH release.
PortSystem          1.0

# Port identity and catalogue metadata.
name                openssh
version             7.3p1
revision            0
categories          net
platforms           darwin
maintainers         nomaintainer
license             BSD
installs_libs       no

description         OpenSSH secure login server

long_description    OpenSSH is a FREE version of the SSH protocol suite of \
                    network connectivity tools that increasing numbers of people on the \
                    Internet are coming to rely on. Many users of telnet, rlogin, ftp, \
                    and other such programs might not realize that their password is \
                    transmitted across the Internet unencrypted, but it is. OpenSSH \
                    encrypts all traffic (including passwords) to effectively eliminate \
                    eavesdropping, connection hijacking, and other network-level \
                    attacks. Additionally, OpenSSH provides a myriad of secure \
                    tunneling capabilities, as well as a variety of authentication \
                    methods.

# Informational project URL (plain http); sources are fetched from
# master_sites, not from here.
homepage            http://www.openbsd.org/openssh/

# Expected digests of the release tarball. Every master_sites entry below
# that carries an explicit scheme is plaintext FTP, so these digests are what
# ties the fetched distfile to a known release. When bumping the version,
# take the new values from a source that is authenticated independently of
# the download mirror.
checksums           ${distfiles} \
                    rmd160  823fc1e16c5d27a2361ed0b22f5ee24be11d2c13 \
                    sha256  3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc

# Download locations: the MacPorts "openbsd" mirror group plus explicit FTP
# mirrors.
master_sites        openbsd:OpenSSH/portable \
                    ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
                    ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \
                    ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/

# Link-time dependencies. The path: form is satisfied by any installed port
# that provides lib/libssl.dylib and falls back to installing openssl.
depends_lib         path:lib/libssl.dylib:openssl \
                    port:libedit \
                    port:ncurses \
                    port:zlib

# the HPN patch needs this, so rewrite all other patches to support it, too
patch.args          -p1
patchfiles          launchd.patch \
                    pam.patch \
                    patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
                    patch-sshd.c-apple-sandbox-named-external.diff

# We need a couple of patches
# - pam.patch
#   getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
#   when run as root, so it can't be used for authentication. This patch just
#   forces the use of PAM regardless of the configuration.
# - patch-*-apple-sandbox-named-external.diff
#   Use Apple's sandbox_init(3) in addition to standard privilege separation.
#   This requires a sandbox profile (which we provide) and the sandbox_init(3)
#   call before the chroot(2) to privsep-path ($prefix/var/empty), or it will
#   fail to load the sandbox description and libsandbox.1.dylib.
#
# NOTE(review): because pam.patch forces PAM on, a UsePAM setting in
# sshd_config presumably has no effect in this build — confirm against the
# patch.
# NOTE(review): the text above names $prefix/var/empty as the privsep path,
# while configure.args passes --with-privsep-path=/var/empty — confirm which
# one is intended.

# After patching, fill in the install prefix where the sandbox patch left an
# @PREFIX@ placeholder in sandbox-darwin.c.
post-patch {
    # reinplace prefix in path to sandbox definition added by
    # patch-sandbox-darwin.c-apple-sandbox-named-external.diff
    reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
}

# strnvis(3) isn't actually "broken".  OpenBSD decided to be special and flip
# the order of arguments to strnvis and considers everyone else to be broken.
configure.cppflags-append -DBROKEN_STRNVIS=1

# Use Apple's sandboxing feature
configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
                          -D__APPLE_API_STRICT_CONFORMANCE
configure.ldflags-append  -Wl,-search_paths_first

# Base configure switches. Security-relevant ones:
#   --with-pam                      build PAM support (pam.patch relies on it)
#   --with-pie                      build position-independent executables
#   --with-privsep-path=/var/empty  privsep chroot directory, outside ${prefix}
#   --without-kerberos5 / --without-xauth
#                                   defaults that the kerberos5 and xauth
#                                   variants delete and replace
# Configuration lives under ${prefix}/etc/ssh and the pid file under
# ${prefix}/var/run, so this build does not share them with a system sshd.
# NOTE(review): --with-md5-passwords is presumably moot while pam.patch
# forces PAM for authentication — confirm whether it is still needed.
configure.args      --with-ssl-dir=${prefix} \
                    --sysconfdir=${prefix}/etc/ssh \
                    --with-privsep-path=/var/empty \
                    --with-md5-passwords \
                    --with-pid-dir=${prefix}/var/run \
                    --with-pam \
                    --mandir=${prefix}/share/man \
                    --with-zlib=${prefix} \
                    --without-kerberos5 \
                    --with-libedit \
                    --with-pie \
                    --without-xauth

use_parallel_build  yes

# install-nokeys is the upstream install target that skips host-key
# generation, so no private host key ends up in the destroot; the startup
# item further down creates missing host keys when the daemon is started.
destroot.target     install-nokeys

# Enable the test phase and run the upstream "tests" target in it.
test.run            yes
test.target         tests

# Adjust the staged tree: keep the pid directory, move the daemon off port 22,
# add the ssh-copy-id helper and the sandbox profile, and ship both config
# files under *.example names.
post-destroot {
    # keep the (empty) pid directory configured via --with-pid-dir
    destroot.keepdirs ${destroot}${prefix}/var/run

    # switch default port to avoid conflict with system sshd
    # (done before the file is renamed to sshd_config.example below)
    reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config

    # provide ssh-copy-id
    xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
    xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1

    # install sandbox definition (directory mode 755, profile mode 644)
    xinstall -m 755 -d ${destroot}${prefix}/share/${name}
    xinstall -m 644 ${filespath}/org.openssh.sshd.sb ${destroot}${prefix}/share/${name}

    # Ship the configs as *.example; post-activate copies them into place only
    # when no live config exists, so local edits survive upgrades.
    file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example"
    file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example"
}

# On activation, seed each live config file from its shipped *.example copy,
# but only when no live file exists, so an existing configuration is never
# overwritten.
post-activate {
    foreach cfg_name {sshd_config ssh_config} {
        set live_cfg "${prefix}/etc/ssh/${cfg_name}"
        if {[file exists $live_cfg]} {
            continue
        }
        copy "${live_cfg}.example" $live_cfg
    }
}

# Optional xauth support: replaces the default --without-xauth with the path
# of the xauth binary under ${prefix} and adds the xauth port as a run-time
# dependency.
variant xauth description {Build with support for xauth} {
    configure.args-delete   --without-xauth
    configure.args-append   --with-xauth=${prefix}/bin/xauth
    depends_run-append      port:xauth
}

# HPN performance patch set; mutually exclusive with the gsskex variant.
# Per the 7.3p1 update notes, the None cipher code is always compiled in with
# this variant but stays off unless NoneEnabled=yes (server and client) and
# NoneSwitch=yes (client) are set.
# NOTE(review): when negotiated, the HPN None cipher sends the bulk data
# stream unencrypted after authentication; leave those options unset unless
# that trade-off is intended.
variant hpn conflicts gsskex description {Apply high performance patch} {
    # Old location(s):
    #   http://www.psc.edu/index.php/hpn-ssh
    # Current location(s):
    #   http://hpnssh.sourceforge.net/
    #   http://www.freshports.org/security/openssh-portable/
    #     (is usually quick in updating the HPN patch for new versions,
    #      take a look there, too.)

    # Formerly from FreeBSD, now copied over from FreeBSD's ports directory.
    #patch_sites-append     http://mirror.shatow.net/freebsd/${name}/ \
    #                       freebsd
    #set hpn_patchfile      ${name}-6.7p1-hpnssh14v5.diff.gz
    #checksums-append       ${hpn_patchfile} \
    #                       rmd160  0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \
    #                       sha256  846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6

    # The patch name is derived from the port name and version. It has no
    # checksums entry of its own (unlike the commented-out download above),
    # which suggests it ships in the port's files directory — TODO confirm.
    set hpn_patchfile       ${name}-${version}-hpnssh14v11.diff
    patchfiles-append       ${hpn_patchfile}

    # regenerate the configure script after patching
    use_autoreconf          yes

    configure.args-append   --with-hpn
}

# GSSAPI key exchange plus Apple keychain integration. Mutually exclusive
# with hpn and only selectable together with kerberos5. Besides the two
# patches it adds Apple-specific defines and frameworks, PIE compile/link
# flags, BSM auditing (--with-audit=bsm), keychain support, and the _sshd
# account as the privilege-separation user; utmp/wtmp logging is disabled.
variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
    # regenerate the configure script after patching
    use_autoreconf          yes
    patchfiles-append       0002-Apple-keychain-integration-other-changes.patch \
                            openssh-7.3p1-gsskex-all-20141021-mp-20160929.patch
    configure.cppflags-append \
                            -F/System/Library/Frameworks/DirectoryService.framework \
                            -F/System/Library/Frameworks/CoreFoundation.framework \
                            -D_UTMPX_COMPAT \
                            -D__APPLE_LAUNCHD__ \
                            -D__APPLE_MEMBERSHIP__ \
                            -D__APPLE_XSAN__
    configure.ldflags-append \
                            -Wl,-pie \
                            -framework CoreFoundation \
                            -framework DirectoryService
    configure.cflags-append -fPIE
    configure.args-append   --with-4in6 \
                            --with-audit=bsm \
                            --with-keychain=apple \
                            --disable-utmp \
                            --disable-wtmp \
                            --with-privsep-user=_sshd
}

# Kerberos 5 support: swaps --without-kerberos5 for --with-kerberos5 and adds
# the kerberos5 port as a library dependency. On darwin the variant also
# stages the slogin wrapper script.
# NOTE(review): the slogin wrapper is only installed when this variant is
# active; it is on by default (see default_variants), but a -kerberos5 build
# gets no slogin — confirm that this coupling is intended.
variant kerberos5 description "Add Kerberos5 support" {
    depends_lib-append      port:kerberos5
    configure.args-delete   --without-kerberos5
    configure.args-append   --with-kerberos5=${prefix}

    if {${os.platform} eq "darwin"} {
        # copy the wrapper from the port's files directory into the work tree
        post-extract {
            xinstall -m 0755 -W "${filespath}" slogin "${worksrcpath}/"
        }

        # substitute the install prefix for the @@PREFIX@@ placeholder
        pre-configure {
            reinplace -W "${worksrcpath}" "s|@@PREFIX@@|${prefix}|" slogin
        }

        # install the wrapper next to the ssh binary
        post-destroot {
            xinstall -m 0755 ${worksrcpath}/slogin \
                             ${destroot}${prefix}/bin/
        }
    }
}

# Optional ldns support (used for DNSSEC, per the description); adds the ldns
# port as a library dependency.
variant ldns description "Use ldns for DNSSEC support" {
    configure.args-append   --with-ldns
    depends_lib-append      port:ldns
}

# A default build enables Kerberos 5 and xauth support.
default_variants            +kerberos5 +xauth

platform darwin {
    # create link to /usr/include/pam because 'security' was renamed to 'pam'
    # in OS X.
    pre-configure {
        # recreate the symlink on every run so a stale entry never lingers
        xinstall -d ${workpath}/include
        file delete ${workpath}/include/security
        ln -s /usr/include/pam ${workpath}/include/security
    }
}

platform darwin 9 {
    # 10.5/ppc doesn't like the sandbox file we supply
    # NOTE(review): with this define removed, the Apple sandbox code added by
    # the sandbox patches is presumably compiled out, leaving only standard
    # privilege separation on darwin 9 — confirm.
    configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
}

# Startup item. On start: if sshd is executable, create any missing host key
# (empty passphrase, comment set to the output of hostname), then launch sshd.
# On stop: signal the pid recorded in ${prefix}/var/run/sshd.pid.
# NOTE(review): a DSA host key is still generated here. OpenSSH has disabled
# ssh-dss by default since 7.0, so this key is presumably unused with the
# default configuration — consider dropping it.
# NOTE(review): ssh-keygen is called without -b, so RSA and ECDSA key sizes
# are whatever this ssh-keygen version defaults to.
# NOTE(review): the first test closes with a bare "]" while the others use
# "\]"; both yield a literal bracket inside a quoted Tcl string, but the
# spelling is inconsistent.
startupitem.create  yes
startupitem.name    OpenSSH
startupitem.start   \
    "if \[ -x ${prefix}/sbin/sshd ]; then
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
            ${prefix}/bin/ssh-keygen -t dsa -f \\
            ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
            ${prefix}/bin/ssh-keygen -t rsa -f \\
            ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
            ${prefix}/bin/ssh-keygen -t ecdsa -f \\
            ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
            ${prefix}/bin/ssh-keygen -t ed25519 -f \\
            ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
        fi
        ${prefix}/sbin/sshd
    fi"
startupitem.stop    \
    "if \[ -r ${prefix}/var/run/sshd.pid \]; then
        kill `cat ${prefix}/var/run/sshd.pid`
    fi"

# Version check: scan the mirror's directory listing for openssh-<X.YpZ>
# tarball names. The listing is fetched over plain http.
# NOTE(review): the pattern accepts a single digit (5-9) for the major version
# and a single digit for the minor, so a 10.x or x.10 release would not be
# matched; the "." is also unescaped and matches any character.
livecheck.type      regex
livecheck.url       http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/
livecheck.regex     openssh-(\[5-9\].\[0-9\]p\[0-9\])[quotemeta ${extract.suffix}]