# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4 # $Id: Portfile 153360 2016-09-29 13:49:14Z ionic@macports.org $ PortSystem 1.0 name openssh version 7.3p1 revision 0 categories net platforms darwin maintainers nomaintainer license BSD installs_libs no description OpenSSH secure login server long_description OpenSSH is a FREE version of the SSH protocol suite of \ network connectivity tools that increasing numbers of people on the \ Internet are coming to rely on. Many users of telnet, rlogin, ftp, \ and other such programs might not realize that their password is \ transmitted across the Internet unencrypted, but it is. OpenSSH \ encrypts all traffic (including passwords) to effectively eliminate \ eavesdropping, connection hijacking, and other network-level \ attacks. Additionally, OpenSSH provides a myriad of secure \ tunneling capabilities, as well as a variety of authentication \ methods. homepage http://www.openbsd.org/openssh/ checksums ${distfiles} \ rmd160 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13 \ sha256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc master_sites openbsd:OpenSSH/portable \ ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \ ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \ ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \ ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \ ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/ depends_lib path:lib/libssl.dylib:openssl \ port:libedit \ port:ncurses \ port:zlib # the HPN patch needs this, so rewrite all other patches to support it, too patch.args -p1 patchfiles launchd.patch \ pam.patch \ patch-sandbox-darwin.c-apple-sandbox-named-external.diff \ patch-sshd.c-apple-sandbox-named-external.diff # We need a couple of patches # - pam.patch # getpwnam(3) on OS X always returns "*********" in the pw_passwd field even # when run as root, so it can't be used for authentication. This patch just # forces the use of PAM regardless of the configuration. # - patch-*-apple-sandbox-named-external.diff # Use Apple's sandbox_init(3) in addition to standard privilege separation. # This requires a sandbox profile (which we provide) and the sandbox_init(3) # call before the chroot(2) to privsep-path ($prefix/var/empty), or it will # fail to load the sandbox description and libsandbox.1.dylib. post-patch { # reinplace prefix in path to sandbox definition added by # patch-sandbox-darwin.c-apple-sandbox-named-external.diff reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c } # strnvis(3) isn't actually "broken". OpenBSD decided to be special and flip # the order of arguments to strnvis and considers everyone else to be broken. configure.cppflags-append -DBROKEN_STRNVIS=1 # Use Apple's sandboxing feature configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \ -D__APPLE_API_STRICT_CONFORMANCE configure.ldflags-append -Wl,-search_paths_first configure.args --with-ssl-dir=${prefix} \ --sysconfdir=${prefix}/etc/ssh \ --with-privsep-path=/var/empty \ --with-md5-passwords \ --with-pid-dir=${prefix}/var/run \ --with-pam \ --mandir=${prefix}/share/man \ --with-zlib=${prefix} \ --without-kerberos5 \ --with-libedit \ --with-pie \ --without-xauth use_parallel_build yes destroot.target install-nokeys test.run yes test.target tests post-destroot { destroot.keepdirs ${destroot}${prefix}/var/run # switch default port to avoid conflict with system sshd reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config # provide ssh-copy-id xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1 # install sandbox definition xinstall -m 755 -d ${destroot}${prefix}/share/${name} xinstall -m 644 ${filespath}/org.openssh.sshd.sb ${destroot}${prefix}/share/${name} file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example" file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example" } post-activate { if {![file exists "${prefix}/etc/ssh/sshd_config"]} { copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config" } if {![file exists "${prefix}/etc/ssh/ssh_config"]} { copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config" } } variant xauth description {Build with support for xauth} { configure.args-delete --without-xauth configure.args-append --with-xauth=${prefix}/bin/xauth depends_run-append port:xauth } variant hpn conflicts gsskex description {Apply high performance patch} { # Old location(s): # http://www.psc.edu/index.php/hpn-ssh # Current location(s): # http://hpnssh.sourceforge.net/ # http://www.freshports.org/security/openssh-portable/ # (is usually quick in updating the HPN patch for new versions, # take a look there, too.) # Formerly from FreeBSD, now copied over from FreeBSD's ports directory. #patch_sites-append http://mirror.shatow.net/freebsd/${name}/ \ # freebsd #set hpn_patchfile ${name}-6.7p1-hpnssh14v5.diff.gz #checksums-append ${hpn_patchfile} \ # rmd160 0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \ # sha256 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6 set hpn_patchfile ${name}-${version}-hpnssh14v11.diff patchfiles-append ${hpn_patchfile} use_autoreconf yes configure.args-append --with-hpn } variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" { use_autoreconf yes patchfiles-append 0002-Apple-keychain-integration-other-changes.patch \ openssh-7.3p1-gsskex-all-20141021-mp-20160929.patch configure.cppflags-append \ -F/System/Library/Frameworks/DirectoryService.framework \ -F/System/Library/Frameworks/CoreFoundation.framework \ -D_UTMPX_COMPAT \ -D__APPLE_LAUNCHD__ \ -D__APPLE_MEMBERSHIP__ \ -D__APPLE_XSAN__ configure.ldflags-append \ -Wl,-pie \ -framework CoreFoundation \ -framework DirectoryService configure.cflags-append -fPIE configure.args-append --with-4in6 \ --with-audit=bsm \ --with-keychain=apple \ --disable-utmp \ --disable-wtmp \ --with-privsep-user=_sshd } variant kerberos5 description "Add Kerberos5 support" { depends_lib-append port:kerberos5 configure.args-delete --without-kerberos5 configure.args-append --with-kerberos5=${prefix} if {${os.platform} eq "darwin"} { post-extract { xinstall -m 0755 -W "${filespath}" slogin "${worksrcpath}/" } pre-configure { reinplace -W "${worksrcpath}" "s|@@PREFIX@@|${prefix}|" slogin } post-destroot { xinstall -m 0755 ${worksrcpath}/slogin \ ${destroot}${prefix}/bin/ } } } variant ldns description "Use ldns for DNSSEC support" { configure.args-append --with-ldns depends_lib-append port:ldns } default_variants +kerberos5 +xauth platform darwin { # create link to /usr/include/pam because 'security' was renamed to 'pam' # in OS X. pre-configure { xinstall -d ${workpath}/include file delete ${workpath}/include/security ln -s /usr/include/pam ${workpath}/include/security } } platform darwin 9 { # 10.5/ppc doesn't like the sandbox file we supply configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__ } startupitem.create yes startupitem.name OpenSSH startupitem.start \ "if \[ -x ${prefix}/sbin/sshd ]; then if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then ${prefix}/bin/ssh-keygen -t dsa -f \\ ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname` fi if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then ${prefix}/bin/ssh-keygen -t rsa -f \\ ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname` fi if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then ${prefix}/bin/ssh-keygen -t ecdsa -f \\ ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname` fi if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then ${prefix}/bin/ssh-keygen -t ed25519 -f \\ ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname` fi ${prefix}/sbin/sshd fi" startupitem.stop \ "if \[ -r ${prefix}/var/run/sshd.pid \]; then kill `cat ${prefix}/var/run/sshd.pid` fi" livecheck.type regex livecheck.url http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/ livecheck.regex openssh-(\[5-9\].\[0-9\]p\[0-9\])[quotemeta ${extract.suffix}]