openssh: add none_cipher variant to enable the none cipher feature of the HPN patch set. Fixes: #48044.

I don't see any benefit in enabling this by default. Users interested in
this functionality can use the new variant to enable it, though.

This is a potential security issue, so be careful when enabling it.

# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# $Id: Portfile 138082 2015-06-28 01:13:19Z ionic@macports.org $

PortSystem          1.0

name                openssh
version             6.8p1
revision            1
categories          net
platforms           darwin
maintainers         nomaintainer
license             BSD
# This port installs programs and configuration only, no libraries that other
# ports could link against.
installs_libs       no

description         OpenSSH secure login server

long_description    OpenSSH is a FREE version of the SSH protocol suite of \
                    network connectivity tools that increasing numbers of people on the \
                    Internet are coming to rely on. Many users of telnet, rlogin, ftp, \
                    and other such programs might not realize that their password is \
                    transmitted across the Internet unencrypted, but it is. OpenSSH \
                    encrypts all traffic (including passwords) to effectively eliminate \
                    eavesdropping, connection hijacking, and other network-level \
                    attacks. Additionally, OpenSSH provides a myriad of secure \
                    tunneling capabilities, as well as a variety of authentication \
                    methods.

homepage            http://www.openbsd.org/openssh/

# Every master_site below is plain http/ftp, so these two digests are the only
# thing tying the fetched tarball to the expected release: update both
# whenever ${version} changes. ${distfiles} is derived from the options set
# above, so this line must stay after name/version.
checksums           ${distfiles} \
                    rmd160  581e7f5dc3848f6247b5f15cd9e61dcb8f1c506b \
                    sha256  3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e

# Tried in order; "openbsd:" is the MacPorts alias for the OpenBSD mirror list.
master_sites        openbsd:OpenSSH/portable \
                    http://mirror.mcs.anl.gov/openssh/portable/ \
                    ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
                    ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://mirror.mcs.anl.gov/pub/openssh/portable/ \
                    ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \
                    ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \
                    ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/

# Both are handed to configure below via --with-ssl-dir and --with-zlib.
depends_lib         port:openssl \
                    port:zlib

# the HPN patch needs this, so rewrite all other patches to support it, too
patch.args          -p1
patchfiles          launchd.patch \
                    pam.patch \
                    patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
                    patch-sshd.c-apple-sandbox-named-external.diff

# We need a couple of patches
# - launchd.patch
#   Not described here; see ${filespath}/launchd.patch for what it changes.
# - pam.patch
#   getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
#   when run as root, so it can't be used for authentication. This patch just
#   forces the use of PAM regardless of the configuration.
# - patch-*-apple-sandbox-named-external.diff
#   Use Apple's sandbox_init(3) in addition to standard privilege separation.
#   This requires a sandbox profile (which we provide) and the sandbox_init(3)
#   call before the chroot(2) to privsep-path ($prefix/var/empty), or it will
#   fail to load the sandbox description and libsandbox.1.dylib.
#   NOTE(review): configure below passes --with-privsep-path=/var/empty
#   (without ${prefix}); confirm which directory the profile expects and make
#   the two agree.
#   The patched code is only compiled in with -D__APPLE_SANDBOX_NAMED_EXTERNAL__
#   (set in configure.cppflags, removed again for darwin 9), and the profile
#   is installed as share/${name}/org.openssh.sshd.sb by post-destroot.

post-patch {
    # patch-sandbox-darwin.c-apple-sandbox-named-external.diff leaves an
    # @PREFIX@ placeholder in the sandbox profile path; fill in the real
    # install prefix so sshd can find the profile at runtime.
    set sandbox_src ${worksrcpath}/sandbox-darwin.c
    set prefix_sed  "s|@PREFIX@|${prefix}|g"
    reinplace ${prefix_sed} ${sandbox_src}
}

# Use Apple's sandboxing feature
# (compiles in the code from the apple-sandbox-named-external patches; the
# darwin 9 block further down removes the define again because 10.5/ppc
# cannot use the profile we ship)
configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__
# Make the linker prefer the MacPorts openssl/zlib over the system copies.
configure.ldflags-append  -Wl,-search_paths_first
configure.args      --with-ssl-dir=${prefix} \
                    --sysconfdir=${prefix}/etc/ssh \
                    --with-privsep-path=/var/empty \
                    --with-md5-passwords \
                    --with-pid-dir=${prefix}/var/run \
                    --with-tcp-wrappers \
                    --with-pam \
                    --mandir=${prefix}/share/man \
                    --with-zlib=${prefix} \
                    --without-kerberos5 \
                    --with-libedit \
                    --with-pie \
                    --without-xauth
# Notes on the choices above:
# - --with-privsep-path is the empty chroot directory used by privilege
#   separation; note the patch comments above refer to $prefix/var/empty.
# - --with-tcp-wrappers: NOTE(review) upstream removed libwrap support in
#   OpenSSH 6.7, so this flag (and the tcp_wrappers dependency below) is most
#   likely ignored by 6.8p1's configure; confirm and drop both if so.
# - --without-kerberos5 / --without-xauth are the baseline; the kerberos5 and
#   xauth variants delete them and append the --with-* forms.
# - --with-pie requests position-independent executables (ASLR for sshd).
# - --with-pid-dir matches the keepdirs entry in post-destroot and the pidfile
#   read by startupitem.stop.

use_parallel_build  yes

# install-nokeys skips host-key generation at destroot time; the keys are
# created on first start by startupitem.start below, so each host gets its own
# set instead of sharing keys produced on the build machine.
destroot.target     install-nokeys

test.run            yes
test.target         tests

# os.major 12 is OS X 10.8, where libwrap is no longer part of the system.
# NOTE(review): upstream removed tcp_wrappers support in OpenSSH 6.7, so this
# dependency is probably dead weight for 6.8p1; confirm against configure
# before removing it together with --with-tcp-wrappers.
if {${os.major} >= 12} {
    depends_lib-append  port:tcp_wrappers
}

post-destroot {
    set sshdir ${destroot}${prefix}/etc/ssh
    set bindir ${destroot}${prefix}/bin
    set man1   ${destroot}${prefix}/share/man/man1
    set sbdir  ${destroot}${prefix}/share/${name}

    # sshd writes its pidfile here (--with-pid-dir); keep the empty directory.
    destroot.keepdirs ${destroot}${prefix}/var/run

    # Listen on 2222 so this sshd does not fight the system sshd for port 22.
    reinplace "s|#Port 22|Port 2222|g" ${sshdir}/sshd_config

    # ssh-copy-id lives in contrib/ and is installed by hand.
    xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${bindir}
    xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${man1}

    # Sandbox profile loaded through sandbox_init(3) by the patched sshd.
    xinstall -m 755 -d ${sbdir}
    xinstall -m 644 ${filespath}/org.openssh.sshd.sb ${sbdir}

    # Ship the configs as *.example; post-activate copies them into place only
    # when no live config exists, so local edits survive upgrades.
    foreach cfg {sshd_config ssh_config} {
        file rename "${sshdir}/${cfg}" "${sshdir}/${cfg}.example"
    }
}

post-activate {
    # Seed a live config from the .example copy installed by post-destroot,
    # but never overwrite one the administrator already has.
    set sshdir ${prefix}/etc/ssh
    foreach cfg {sshd_config ssh_config} {
        set live "${sshdir}/${cfg}"
        if {[file exists ${live}]} {
            continue
        }
        copy "${sshdir}/${cfg}.example" ${live}
    }
}

variant xauth description {Build with support for xauth} {
    # X11 forwarding needs the xauth binary at runtime, hence depends_run.
    depends_run-append      port:xauth
    # Replace the baseline --without-xauth with the MacPorts xauth path.
    configure.args-delete   --without-xauth
    configure.args-append   --with-xauth=${prefix}/bin/xauth
}

variant hpn conflicts gsskex description {Apply high performance patch} {
    # http://www.psc.edu/index.php/hpn-ssh
    # http://www.freshports.org/security/openssh-portable/ is usually quick in
    # updating the HPN patch for new versions, take a look there, too.

    # Formerly from FreeBSD, now copied over from FreeBSD's ports directory.
    #patch_sites-append     http://mirror.shatow.net/freebsd/${name}/ \
    #                       freebsd
    #set hpn_patchfile      ${name}-6.7p1-hpnssh14v5.diff.gz
    #checksums-append       ${hpn_patchfile} \
    #                       rmd160  0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \
    #                       sha256  846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6

    # The patch now ships in the port's files directory, so it is no longer
    # fetched or checksummed; its name carries ${version} and has to be
    # refreshed on every version bump.
    set hpn_patchfile       ${name}-${version}-hpnssh14v5.diff
    patchfiles-append       ${hpn_patchfile}

    # Compiles in the HPN code paths. The NONE cipher stays compiled out
    # unless +none_cipher additionally defines NONE_CIPHER_ENABLED.
    configure.cppflags-append -DHPN_ENABLED=1
}

# Opt-in only: with HPN's NONE cipher the bulk data stream after
# authentication is sent unencrypted (the HPN docs state the MAC stays in
# place; confirm against the patch), which is why this is not a default
# variant. Defining the macro merely compiles the option in; per the HPN docs
# it still has to be switched on in the ssh/sshd configuration.
variant none_cipher conflicts gsskex requires hpn description {Enable optional NONE cipher in HPN patchset} {
    configure.cppflags-append -DNONE_CIPHER_ENABLED=1
}

# GSSAPI key exchange (server authenticated through Kerberos instead of host
# keys) plus Apple's keychain/DirectoryService/launchd integration. Mutually
# exclusive with hpn, presumably because both patch sets touch the same files.
variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
    use_autoreconf          yes
    # NOTE(review): the gsskex patch is named for 6.7p1 while the port is at
    # 6.8p1; confirm it still applies cleanly or refresh it.
    patchfiles-append       0002-Apple-keychain-integration-other-changes.patch \
                            openssh-6.7p1-gsskex-all-20141021-284f364.patch
    # Frameworks and feature macros the Apple integration patch expects.
    configure.cppflags-append \
                            -F/System/Library/Frameworks/DirectoryService.framework \
                            -F/System/Library/Frameworks/CoreFoundation.framework \
                            -D_UTMPX_COMPAT \
                            -D__APPLE_LAUNCHD__ \
                            -D__APPLE_MEMBERSHIP__ \
                            -D__APPLE_XSAN__
    # -pie/-fPIE most likely duplicate what --with-pie already requests; harmless.
    configure.ldflags-append \
                            -Wl,-pie \
                            -framework CoreFoundation \
                            -framework DirectoryService
    configure.cflags-append -fPIE
    # --with-privsep-user=_sshd uses the account the system sshd runs its
    # unprivileged child as, rather than OpenSSH's default "sshd"; it must
    # exist on the host. --disable-utmp/--disable-wtmp go together with
    # -D_UTMPX_COMPAT above.
    configure.args-append   --with-4in6 \
                            --with-audit=bsm \
                            --with-keychain=apple \
                            --disable-utmp \
                            --disable-wtmp \
                            --with-privsep-user=_sshd
}

variant kerberos5 description "Add Kerberos5 support" {
    # Swap the baseline --without-kerberos5 for a build against the MacPorts
    # kerberos5 port.
    configure.args-delete   --without-kerberos5
    configure.args-append   --with-kerberos5=${prefix}
    depends_lib-append      port:kerberos5
}

variant ldns description "Use ldns for DNSSEC support" {
    # ldns gives ssh a DNSSEC-validating resolver for SSHFP lookups.
    depends_lib-append      port:ldns
    configure.args-append   --with-ldns
}

# Kerberos and xauth are on by default; hpn, none_cipher, gsskex and ldns are
# opt-in.
default_variants            +kerberos5 +xauth

platform darwin {
    # OS X renamed the PAM header directory from 'security' to 'pam'; give the
    # build a 'security' symlink pointing at /usr/include/pam so the original
    # include paths keep working.
    pre-configure {
        set incdir ${workpath}/include
        set compat ${incdir}/security
        xinstall -d ${incdir}
        file delete ${compat}
        ln -s /usr/include/pam ${compat}
    }
}

platform darwin 9 {
    # 10.5/ppc doesn't like the sandbox file we supply
    # (sshd there runs with privilege separation only, without sandbox_init(3))
    configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
}

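startupitem.create  yes
startupitem.name    OpenSSH
# First start generates any missing host keys (install-nokeys skipped that at
# destroot time) and then launches sshd. -N "" sets an empty passphrase, which
# an unattended daemon needs; keep the key files root-only readable.
# rsa1 is an SSH protocol 1 key and dsa is a legacy type; both are kept for
# compatibility with the previous start script and can be dropped once no
# client needs them.
# Fix: the ed25519 check used to test for ssh_ed25519_rsa_key, a file that is
# never created, so ssh-keygen was invoked on every start even though
# ssh_host_ed25519_key already existed. The check now names the same file
# ssh-keygen writes.
startupitem.start   \
    "if \[ -x ${prefix}/sbin/sshd ]; then
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_key \]; then
            ${prefix}/bin/ssh-keygen -t rsa1 -f \\
            ${prefix}/etc/ssh/ssh_host_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
            ${prefix}/bin/ssh-keygen -t dsa -f \\
            ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
            ${prefix}/bin/ssh-keygen -t rsa -f \\
            ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
            ${prefix}/bin/ssh-keygen -t ecdsa -f \\
            ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
        fi
        if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
            ${prefix}/bin/ssh-keygen -t ed25519 -f \\
            ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
        fi
        ${prefix}/sbin/sshd
    fi"
# Kills whatever pid the pidfile (see --with-pid-dir) names; there is no check
# that it still belongs to our sshd, so a stale pidfile left behind by a crash
# is the failure mode to watch for.
startupitem.stop    \
    "if \[ -r ${prefix}/var/run/sshd.pid \]; then
        kill `cat ${prefix}/var/run/sshd.pid`
    fi"
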
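livecheck.type      regex
livecheck.url       http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/
# Match openssh-<major>.<minor>p<n><suffix>. The dot is escaped so it cannot
# stand in for an arbitrary character; in an unquoted Tcl word the double
# backslash reaches the regex engine as a single one.
livecheck.regex     openssh-(\[5-9\]\\.\[0-9\]p\[0-9\])[quotemeta ${extract.suffix}]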