[openssh-identitypersist] 6.5p1-1

openssh-identitypersist/PKGBUILD

@@ -0,0 +1,110 @@
+# $Id$
+# Maintainer: Christian Neukirchen <chneukirchen@gmail.com>
+# ABS-Maintainer: Gaetan Bisson <bisson@archlinux.org>
+# Contributor: Aaron Griffin <aaron@archlinux.org>
+# Contributor: judd <jvinet@zeroflux.org>
+
+# patch from: https://bugzilla.mindrot.org/attachment.cgi?id=2396
+
+pkgname=openssh-identitypersist
+_pkgname=openssh
+pkgver=6.5p1
+pkgrel=1
+pkgdesc='Free version of the SSH connectivity tools (with identitypersist patch)'
+url='http://www.openssh.org/portable.html'
+conflicts=('openssh')
+provides=('openssh')
+license=('custom:BSD')
+arch=('i686' 'x86_64')
+makedepends=('linux-headers')
+depends=('krb5' 'openssl' 'libedit' 'ldns')
+optdepends=('xorg-xauth: X11 forwarding'
+            'x11-ssh-askpass: input passphrase in X')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${_pkgname}-${pkgver}.tar.gz"{,.asc}
+        'sshdgenkeys.service'
+        'sshd@.service'
+        'sshd.service'
+        'sshd.socket'
+        'sshd.pam'
+        'openssh-6.4p1-identitypersist.patch')
+sha1sums=('3363a72b4fee91b29cf2024ff633c17f6cd2f86d'
+          'SKIP'
+          'cc1ceec606c98c7407e7ac21ade23aed81e31405'
+          '6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
+          'ec49c6beba923e201505f5669cea48cad29014db'
+          'e12fa910b26a5634e5a6ac39ce1399a132cf6796'
+          'd93dca5ebda4610ff7647187f8928a3de28703f3'
+          '62cadec49b95e640f150b7d05d7dd72993a54789')
+sha256sums=('a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027'
+            'SKIP'
+            'ea42d2a7e59cd47e3102229e6f29cef2284be3aa1b78ec651ee66735fa21150a'
+            '69cc2abaaae0aa8071b8eac338b2df725f60ce73381843179b74eaac78ba7f1d'
+            'c5ed9fa629f8f8dbf3bae4edbad4441c36df535088553fe82695c52d7bde30aa'
+            'de14363e9d4ed92848e524036d9e6b57b2d35cc77d377b7247c38111d2a3defd'
+            '64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846'
+            'a954b07edcb84a1aa055aef80b22780232ad47cb4e4c2e2c4d8293d189668d2a')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+prepare() {
+	cd "${srcdir}/${_pkgname}-${pkgver}"
+        patch -Np1 -i ../openssh-6.4p1-identitypersist.patch
+}
+
+build() {
+	cd "${srcdir}/${_pkgname}-${pkgver}"
+
+	./configure \
+		--prefix=/usr \
+		--sbindir=/usr/bin \
+		--libexecdir=/usr/lib/ssh \
+		--sysconfdir=/etc/ssh \
+		--with-ldns \
+		--with-libedit \
+		--with-ssl-engine \
+		--with-pam \
+		--with-privsep-user=nobody \
+		--with-kerberos5=/usr \
+		--with-xauth=/usr/bin/xauth \
+		--with-mantype=man \
+		--with-md5-passwords \
+		--with-pid-dir=/run \
+
+	make
+}
+
+check() {
+	cd "${srcdir}/${_pkgname}-${pkgver}"
+
+	make tests || true
+	# hard to suitably test connectivity:
+	# - fails with /bin/false as login shell
+	# - fails with firewall activated, etc.
+}
+
+package() {
+	cd "${srcdir}/${_pkgname}-${pkgver}"
+
+	make DESTDIR="${pkgdir}" install
+
+	ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+	install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${_pkgname}/LICENCE"
+
+	install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+	install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service
+	install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
+	install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket
+	install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+	install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+	install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+	install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+	sed \
+		-e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+		-e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+		-e '/^#UsePAM no$/c UsePAM yes' \
+		-i "${pkgdir}"/etc/ssh/sshd_config
+}

openssh-identitypersist/install

@@ -0,0 +1,10 @@
+post_upgrade() {
+	if [[ $(vercmp $2 6.2p2) = -1 ]]; then
+		cat <<EOF
+
+==> The sshd daemon has been moved to /usr/bin alongside all binaries.
+==> Please update this path in your scripts if applicable.
+
+EOF
+	fi
+}

openssh-identitypersist/openssh-6.4p1-identitypersist.patch

@@ -0,0 +1,177 @@
+Index: openssh-6.4p1/readconf.c
+===================================================================
+--- openssh-6.4p1.orig/readconf.c	2013-12-28 17:46:55.855921275 +0900
++++ openssh-6.4p1/readconf.c	2013-12-28 17:46:55.851921275 +0900
+@@ -138,6 +138,7 @@
+ 	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+ 	oGssServerIdentity, 
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
++	oIdentityPersist, oIdentityPersistConfirm,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+ 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -245,6 +246,8 @@
+ 	{ "addressfamily", oAddressFamily },
+ 	{ "serveraliveinterval", oServerAliveInterval },
+ 	{ "serveralivecountmax", oServerAliveCountMax },
++	{ "identitypersist", oIdentityPersist },
++	{ "identitypersistconfirm", oIdentityPersistConfirm },
+ 	{ "sendenv", oSendEnv },
+ 	{ "controlpath", oControlPath },
+ 	{ "controlmaster", oControlMaster },
+@@ -953,6 +956,33 @@
+ 		intptr = &options->server_alive_count_max;
+ 		goto parse_int;
+
++	case oIdentityPersist:
++		/* no/false/yes/true, or a time spec */
++		intptr = &options->identity_persist;
++		arg = strdelim(&s);
++		if (!arg || *arg == '\0')
++			fatal("%.200s line %d: Missing IdentityPersist"
++			    " argument.", filename, linenum);
++		value = 0;
++		value2 = 0;	/* lifetime */
++		if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
++			value = 0;
++		else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
++			value = 1;
++		else if ((value2 = convtime(arg)) >= 0)
++			value = 1;
++		else
++			fatal("%.200s line %d: Bad IdentityPersist argument.",
++			    filename, linenum);
++		if (*activep && *intptr == -1) {
++			*intptr = value;
++			options->identity_persist_lifetime = value2;
++		}
++		break;
++	case oIdentityPersistConfirm:
++		intptr = &options->identity_persist_confirm;
++		goto parse_flag;
++
+ 	case oSendEnv:
+ 		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+ 			if (strchr(arg, '=') != NULL)
+@@ -1265,6 +1295,9 @@
+ 	options->verify_host_key_dns = -1;
+ 	options->server_alive_interval = -1;
+ 	options->server_alive_count_max = -1;
++	options->identity_persist = -1;
++	options->identity_persist_lifetime = -1;
++	options->identity_persist_confirm = -1;
+ 	options->num_send_env = 0;
+ 	options->control_path = NULL;
+ 	options->control_master = -1;
+@@ -1419,6 +1452,12 @@
+ 	}
+ 	if (options->server_alive_count_max == -1)
+ 		options->server_alive_count_max = 3;
++	if (options->identity_persist == -1)
++		options->identity_persist = 0;
++        if (options->identity_persist_lifetime == -1)
++		options->identity_persist_lifetime = 0;
++	if (options->identity_persist_confirm == -1)
++		options->identity_persist_confirm = 0;
+ 	if (options->control_master == -1)
+ 		options->control_master = 0;
+ 	if (options->control_persist == -1) {
+Index: openssh-6.4p1/readconf.h
+===================================================================
+--- openssh-6.4p1.orig/readconf.h	2013-12-28 17:46:55.855921275 +0900
++++ openssh-6.4p1/readconf.h	2013-12-28 17:46:55.851921275 +0900
+@@ -122,6 +122,10 @@
+ 	int	server_alive_interval;
+ 	int	server_alive_count_max;
+
++	int	identity_persist;
++	int	identity_persist_lifetime;
++	int	identity_persist_confirm;
++
+ 	int     num_send_env;
+ 	char   *send_env[MAX_SEND_ENV];
+
+Index: openssh-6.4p1/sshconnect2.c
+===================================================================
+--- openssh-6.4p1.orig/sshconnect2.c	2013-12-28 17:46:55.855921275 +0900
++++ openssh-6.4p1/sshconnect2.c	2013-12-28 17:46:55.851921275 +0900
+@@ -371,7 +371,7 @@
+ static int sign_and_send_pubkey(Authctxt *, Identity *);
+ static void pubkey_prepare(Authctxt *);
+ static void pubkey_cleanup(Authctxt *);
+-static Key *load_identity_file(char *, int);
++static Key *load_identity_file(Authctxt *, char *, int);
+
+ static Authmethod *authmethod_get(char *authlist);
+ static Authmethod *authmethod_lookup(const char *name);
+@@ -1283,7 +1283,7 @@
+ #endif /* JPAKE */
+
+ static int
+-identity_sign(Identity *id, u_char **sigp, u_int *lenp,
++identity_sign(Authctxt *authctxt, Identity *id, u_char **sigp, u_int *lenp,
+     u_char *data, u_int datalen)
+ {
+ 	Key *prv;
+@@ -1300,7 +1300,7 @@
+ 	if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
+ 		return (key_sign(id->key, sigp, lenp, data, datalen));
+ 	/* load the private key from the file */
+-	if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL)
++	if ((prv = load_identity_file(authctxt, id->filename, id->userprovided)) == NULL)
+ 		return (-1);
+ 	ret = key_sign(prv, sigp, lenp, data, datalen);
+ 	key_free(prv);
+@@ -1352,7 +1352,7 @@
+ 	buffer_put_string(&b, blob, bloblen);
+
+ 	/* generate signature */
+-	ret = identity_sign(id, &signature, &slen,
++	ret = identity_sign(authctxt, id, &signature, &slen,
+ 	    buffer_ptr(&b), buffer_len(&b));
+ 	if (ret == -1) {
+ 		free(blob);
+@@ -1425,10 +1425,11 @@
+ }
+
+ static Key *
+-load_identity_file(char *filename, int userprovided)
++load_identity_file(Authctxt *authctxt, char *filename, int userprovided)
+ {
+ 	Key *private;
+ 	char prompt[300], *passphrase;
++ 	char *comment = NULL;
+ 	int perm_ok = 0, quit, i;
+ 	struct stat st;
+
+@@ -1452,7 +1453,20 @@
+ 			passphrase = read_passphrase(prompt, 0);
+ 			if (strcmp(passphrase, "") != 0) {
+ 				private = key_load_private_type(KEY_UNSPEC,
+-				    filename, passphrase, NULL, NULL);
++				    filename, passphrase, &comment, NULL);
++				if (authctxt && authctxt->agent &&
++				    private && options.identity_persist) {
++					if (comment == NULL)
++						comment = xstrdup(filename);
++					if (ssh_add_identity_constrained(authctxt->agent,
++					    private, comment,
++					    options.identity_persist_lifetime,
++					    options.identity_persist_confirm)) {
++						fprintf(stderr, "Identity added: %s (%s)\n",
++						    filename, comment);
++					}
++					free(comment);
++				}
+ 				quit = 0;
+ 			} else {
+ 				debug2("no passphrase given, try next key");
+@@ -1612,7 +1626,7 @@
+ 			sent = send_pubkey_test(authctxt, id);
+ 		} else if (id->key == NULL && id->filename) {
+ 			debug("Trying private key: %s", id->filename);
+-			id->key = load_identity_file(id->filename,
++			id->key = load_identity_file(authctxt, id->filename,
+ 			    id->userprovided);
+ 			if (id->key != NULL) {
+ 				id->isprivate = 1;

openssh-identitypersist/sshd.pam

@@ -0,0 +1,6 @@
+#%PAM-1.0
+#auth     required  pam_securetty.so     #disable remote root
+auth      include   system-remote-login
+account   include   system-remote-login
+password  include   system-remote-login
+session   include   system-remote-login

openssh-identitypersist/sshd.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+# This service file runs an SSH daemon that forks for each incoming connection.
+# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service.

openssh-identitypersist/sshd.socket

@@ -0,0 +1,10 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

openssh-identitypersist/sshd@.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+ExecStart=-/usr/bin/sshd -i
+StandardInput=socket
+StandardError=syslog

openssh-identitypersist/sshdgenkeys.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes