1 parent
867b59b
commit 7c3c125
Showing
8 changed files
with
355 additions
and
0 deletions.
@@ -0,0 +1,110 @@ | ||
# $Id$ | ||
# Maintainer: Christian Neukirchen <chneukirchen@gmail.com> | ||
# ABS-Maintainer: Gaetan Bisson <bisson@archlinux.org> | ||
# Contributor: Aaron Griffin <aaron@archlinux.org> | ||
# Contributor: judd <jvinet@zeroflux.org> | ||
|
||
# patch from: https://bugzilla.mindrot.org/attachment.cgi?id=2396 | ||
|
||
pkgname=openssh-identitypersist | ||
_pkgname=openssh | ||
pkgver=6.5p1 | ||
pkgrel=1 | ||
pkgdesc='Free version of the SSH connectivity tools (with identitypersist patch)' | ||
url='http://www.openssh.org/portable.html' | ||
conflicts=('openssh') | ||
provides=('openssh') | ||
license=('custom:BSD') | ||
arch=('i686' 'x86_64') | ||
makedepends=('linux-headers') | ||
depends=('krb5' 'openssl' 'libedit' 'ldns') | ||
optdepends=('xorg-xauth: X11 forwarding' | ||
'x11-ssh-askpass: input passphrase in X') | ||
source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${_pkgname}-${pkgver}.tar.gz"{,.asc} | ||
'sshdgenkeys.service' | ||
'sshd@.service' | ||
'sshd.service' | ||
'sshd.socket' | ||
'sshd.pam' | ||
'openssh-6.4p1-identitypersist.patch') | ||
sha1sums=('3363a72b4fee91b29cf2024ff633c17f6cd2f86d' | ||
'SKIP' | ||
'cc1ceec606c98c7407e7ac21ade23aed81e31405' | ||
'6a0ff3305692cf83aca96e10f3bb51e1c26fccda' | ||
'ec49c6beba923e201505f5669cea48cad29014db' | ||
'e12fa910b26a5634e5a6ac39ce1399a132cf6796' | ||
'd93dca5ebda4610ff7647187f8928a3de28703f3' | ||
'62cadec49b95e640f150b7d05d7dd72993a54789') | ||
sha256sums=('a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027' | ||
'SKIP' | ||
'ea42d2a7e59cd47e3102229e6f29cef2284be3aa1b78ec651ee66735fa21150a' | ||
'69cc2abaaae0aa8071b8eac338b2df725f60ce73381843179b74eaac78ba7f1d' | ||
'c5ed9fa629f8f8dbf3bae4edbad4441c36df535088553fe82695c52d7bde30aa' | ||
'de14363e9d4ed92848e524036d9e6b57b2d35cc77d377b7247c38111d2a3defd' | ||
'64576021515c0a98b0aaf0a0ae02e0f5ebe8ee525b1e647ab68f369f81ecd846' | ||
'a954b07edcb84a1aa055aef80b22780232ad47cb4e4c2e2c4d8293d189668d2a') | ||
|
||
backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd') | ||
|
||
install=install | ||
|
||
prepare() { | ||
cd "${srcdir}/${_pkgname}-${pkgver}" | ||
patch -Np1 -i ../openssh-6.4p1-identitypersist.patch | ||
} | ||
|
||
build() { | ||
cd "${srcdir}/${_pkgname}-${pkgver}" | ||
|
||
./configure \ | ||
--prefix=/usr \ | ||
--sbindir=/usr/bin \ | ||
--libexecdir=/usr/lib/ssh \ | ||
--sysconfdir=/etc/ssh \ | ||
--with-ldns \ | ||
--with-libedit \ | ||
--with-ssl-engine \ | ||
--with-pam \ | ||
--with-privsep-user=nobody \ | ||
--with-kerberos5=/usr \ | ||
--with-xauth=/usr/bin/xauth \ | ||
--with-mantype=man \ | ||
--with-md5-passwords \ | ||
--with-pid-dir=/run \ | ||
|
||
make | ||
} | ||
|
||
check() { | ||
cd "${srcdir}/${_pkgname}-${pkgver}" | ||
|
||
make tests || true | ||
# hard to suitably test connectivity: | ||
# - fails with /bin/false as login shell | ||
# - fails with firewall activated, etc. | ||
} | ||
|
||
package() { | ||
cd "${srcdir}/${_pkgname}-${pkgver}" | ||
|
||
make DESTDIR="${pkgdir}" install | ||
|
||
ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz | ||
install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${_pkgname}/LICENCE" | ||
|
||
install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service | ||
install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service | ||
install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service | ||
install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket | ||
install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd | ||
|
||
install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh | ||
install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id | ||
install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1 | ||
|
||
sed \ | ||
-e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \ | ||
-e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \ | ||
-e '/^#UsePAM no$/c UsePAM yes' \ | ||
-i "${pkgdir}"/etc/ssh/sshd_config | ||
} |
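Review bot: prepare() applies a patch whose own `Index:` headers say it was generated against 6.4p1 to the 6.5p1 tree using patch(1)'s default fuzz, so a hunk that drifted between the two releases can still land at a shifted offset without failing the build; consider `patch -Np1 --fuzz=0 -i ../openssh-6.4p1-identitypersist.patch` so a misapplied hunk stops makepkg instead of silently producing a client that differs from what the patch intends. The sha1sums array duplicates sha256sums for the same sources; makepkg checks both, so the weaker list can be dropped. The header comment could also state the release the patch targets, e.g. `# patch from: https://bugzilla.mindrot.org/attachment.cgi?id=2396 (written against 6.4p1)`.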
@@ -0,0 +1,10 @@ | ||
post_upgrade() { | ||
if [[ $(vercmp $2 6.2p2) = -1 ]]; then | ||
cat <<EOF | ||
|
||
==> The sshd daemon has been moved to /usr/bin alongside all binaries. | ||
==> Please update this path in your scripts if applicable. | ||
|
||
EOF | ||
fi | ||
} |
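Review bot: `$2` is unquoted in the `vercmp` call at `if [[ $(vercmp $2 6.2p2) = -1 ]]`; an empty old-version argument collapses it to a one-argument vercmp call whose output is unlikely to be `-1`, so the notice is silently skipped rather than reported. Quote it: `if [[ $(vercmp "$2" 6.2p2) = -1 ]]; then`. A header comment such as `# $1 = new version, $2 = previously installed version (as passed by pacman)` would make the argument order obvious to the next maintainer.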
177 changes: 177 additions & 0 deletions
openssh-identitypersist/openssh-6.4p1-identitypersist.patch
@@ -0,0 +1,177 @@ | ||
Index: openssh-6.4p1/readconf.c | ||
=================================================================== | ||
--- openssh-6.4p1.orig/readconf.c 2013-12-28 17:46:55.855921275 +0900 | ||
+++ openssh-6.4p1/readconf.c 2013-12-28 17:46:55.851921275 +0900 | ||
@@ -138,6 +138,7 @@ | ||
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, | ||
oGssServerIdentity, | ||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | ||
+ oIdentityPersist, oIdentityPersistConfirm, | ||
oSendEnv, oControlPath, oControlMaster, oControlPersist, | ||
oHashKnownHosts, | ||
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | ||
@@ -245,6 +246,8 @@ | ||
{ "addressfamily", oAddressFamily }, | ||
{ "serveraliveinterval", oServerAliveInterval }, | ||
{ "serveralivecountmax", oServerAliveCountMax }, | ||
+ { "identitypersist", oIdentityPersist }, | ||
+ { "identitypersistconfirm", oIdentityPersistConfirm }, | ||
{ "sendenv", oSendEnv }, | ||
{ "controlpath", oControlPath }, | ||
{ "controlmaster", oControlMaster }, | ||
@@ -953,6 +956,33 @@ | ||
intptr = &options->server_alive_count_max; | ||
goto parse_int; | ||
|
||
+ case oIdentityPersist: | ||
+ /* no/false/yes/true, or a time spec */ | ||
+ intptr = &options->identity_persist; | ||
+ arg = strdelim(&s); | ||
+ if (!arg || *arg == '\0') | ||
+ fatal("%.200s line %d: Missing IdentityPersist" | ||
+ " argument.", filename, linenum); | ||
+ value = 0; | ||
+ value2 = 0; /* lifetime */ | ||
+ if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) | ||
+ value = 0; | ||
+ else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) | ||
+ value = 1; | ||
+ else if ((value2 = convtime(arg)) >= 0) | ||
+ value = 1; | ||
+ else | ||
+ fatal("%.200s line %d: Bad IdentityPersist argument.", | ||
+ filename, linenum); | ||
+ if (*activep && *intptr == -1) { | ||
+ *intptr = value; | ||
+ options->identity_persist_lifetime = value2; | ||
+ } | ||
+ break; | ||
+ case oIdentityPersistConfirm: | ||
+ intptr = &options->identity_persist_confirm; | ||
+ goto parse_flag; | ||
+ | ||
case oSendEnv: | ||
while ((arg = strdelim(&s)) != NULL && *arg != '\0') { | ||
if (strchr(arg, '=') != NULL) | ||
@@ -1265,6 +1295,9 @@ | ||
options->verify_host_key_dns = -1; | ||
options->server_alive_interval = -1; | ||
options->server_alive_count_max = -1; | ||
+ options->identity_persist = -1; | ||
+ options->identity_persist_lifetime = -1; | ||
+ options->identity_persist_confirm = -1; | ||
options->num_send_env = 0; | ||
options->control_path = NULL; | ||
options->control_master = -1; | ||
@@ -1419,6 +1452,12 @@ | ||
} | ||
if (options->server_alive_count_max == -1) | ||
options->server_alive_count_max = 3; | ||
+ if (options->identity_persist == -1) | ||
+ options->identity_persist = 0; | ||
+ if (options->identity_persist_lifetime == -1) | ||
+ options->identity_persist_lifetime = 0; | ||
+ if (options->identity_persist_confirm == -1) | ||
+ options->identity_persist_confirm = 0; | ||
if (options->control_master == -1) | ||
options->control_master = 0; | ||
if (options->control_persist == -1) { | ||
Index: openssh-6.4p1/readconf.h | ||
=================================================================== | ||
--- openssh-6.4p1.orig/readconf.h 2013-12-28 17:46:55.855921275 +0900 | ||
+++ openssh-6.4p1/readconf.h 2013-12-28 17:46:55.851921275 +0900 | ||
@@ -122,6 +122,10 @@ | ||
int server_alive_interval; | ||
int server_alive_count_max; | ||
|
||
+ int identity_persist; | ||
+ int identity_persist_lifetime; | ||
+ int identity_persist_confirm; | ||
+ | ||
int num_send_env; | ||
char *send_env[MAX_SEND_ENV]; | ||
|
||
Index: openssh-6.4p1/sshconnect2.c | ||
=================================================================== | ||
--- openssh-6.4p1.orig/sshconnect2.c 2013-12-28 17:46:55.855921275 +0900 | ||
+++ openssh-6.4p1/sshconnect2.c 2013-12-28 17:46:55.851921275 +0900 | ||
@@ -371,7 +371,7 @@ | ||
static int sign_and_send_pubkey(Authctxt *, Identity *); | ||
static void pubkey_prepare(Authctxt *); | ||
static void pubkey_cleanup(Authctxt *); | ||
-static Key *load_identity_file(char *, int); | ||
+static Key *load_identity_file(Authctxt *, char *, int); | ||
|
||
static Authmethod *authmethod_get(char *authlist); | ||
static Authmethod *authmethod_lookup(const char *name); | ||
@@ -1283,7 +1283,7 @@ | ||
#endif /* JPAKE */ | ||
|
||
static int | ||
-identity_sign(Identity *id, u_char **sigp, u_int *lenp, | ||
+identity_sign(Authctxt *authctxt, Identity *id, u_char **sigp, u_int *lenp, | ||
u_char *data, u_int datalen) | ||
{ | ||
Key *prv; | ||
@@ -1300,7 +1300,7 @@ | ||
if (id->isprivate || (id->key->flags & KEY_FLAG_EXT)) | ||
return (key_sign(id->key, sigp, lenp, data, datalen)); | ||
/* load the private key from the file */ | ||
- if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL) | ||
+ if ((prv = load_identity_file(authctxt, id->filename, id->userprovided)) == NULL) | ||
return (-1); | ||
ret = key_sign(prv, sigp, lenp, data, datalen); | ||
key_free(prv); | ||
@@ -1352,7 +1352,7 @@ | ||
buffer_put_string(&b, blob, bloblen); | ||
|
||
/* generate signature */ | ||
- ret = identity_sign(id, &signature, &slen, | ||
+ ret = identity_sign(authctxt, id, &signature, &slen, | ||
buffer_ptr(&b), buffer_len(&b)); | ||
if (ret == -1) { | ||
free(blob); | ||
@@ -1425,10 +1425,11 @@ | ||
} | ||
|
||
static Key * | ||
-load_identity_file(char *filename, int userprovided) | ||
+load_identity_file(Authctxt *authctxt, char *filename, int userprovided) | ||
{ | ||
Key *private; | ||
char prompt[300], *passphrase; | ||
+ char *comment = NULL; | ||
int perm_ok = 0, quit, i; | ||
struct stat st; | ||
|
||
@@ -1452,7 +1453,20 @@ | ||
passphrase = read_passphrase(prompt, 0); | ||
if (strcmp(passphrase, "") != 0) { | ||
private = key_load_private_type(KEY_UNSPEC, | ||
- filename, passphrase, NULL, NULL); | ||
+ filename, passphrase, &comment, NULL); | ||
+ if (authctxt && authctxt->agent && | ||
+ private && options.identity_persist) { | ||
+ if (comment == NULL) | ||
+ comment = xstrdup(filename); | ||
+ if (ssh_add_identity_constrained(authctxt->agent, | ||
+ private, comment, | ||
+ options.identity_persist_lifetime, | ||
+ options.identity_persist_confirm)) { | ||
+ fprintf(stderr, "Identity added: %s (%s)\n", | ||
+ filename, comment); | ||
+ } | ||
+ free(comment); | ||
+ } | ||
quit = 0; | ||
} else { | ||
debug2("no passphrase given, try next key"); | ||
@@ -1612,7 +1626,7 @@ | ||
sent = send_pubkey_test(authctxt, id); | ||
} else if (id->key == NULL && id->filename) { | ||
debug("Trying private key: %s", id->filename); | ||
- id->key = load_identity_file(id->filename, | ||
+ id->key = load_identity_file(authctxt, id->filename, | ||
id->userprovided); | ||
if (id->key != NULL) { | ||
id->isprivate = 1; |
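Review bot: In the sshconnect2.c hunk at `@@ -1452,7 +1453,20 @@`, `comment` is now filled in by `key_load_private_type(..., &comment, NULL)` on every successful load, but `free(comment)` sits inside the `if (authctxt && authctxt->agent && private && options.identity_persist)` block, so the comment string leaks whenever no agent is reachable or IdentityPersist is off, which is the common case; move the free after the block, i.e. `}` followed by `free(comment);` at the indent of the `if`. The return value of `ssh_add_identity_constrained()` is used only to print the success line, so a refused or failed add is silent; an else branch with `debug("IdentityPersist: agent did not accept %s", filename);` would help diagnosis. The readconf.c hunks add IdentityPersist and IdentityPersistConfirm without a matching ssh_config.5 hunk; the entry should spell out the value grammar (`no`/`yes`/time spec, where `yes` sets lifetime 0 and so presumably keeps the key in the agent until it exits) and that the key is handed to whatever agent SSH_AUTH_SOCK points at, which may be a forwarded agent from another host. load_identity_file continues outside the hunk.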
@@ -0,0 +1,6 @@ | ||
#%PAM-1.0 | ||
#auth required pam_securetty.so #disable remote root | ||
auth include system-remote-login | ||
account include system-remote-login | ||
password include system-remote-login | ||
session include system-remote-login |
@@ -0,0 +1,17 @@ | ||
[Unit] | ||
Description=OpenSSH Daemon | ||
Wants=sshdgenkeys.service | ||
After=sshdgenkeys.service | ||
After=network.target | ||
|
||
[Service] | ||
ExecStart=/usr/bin/sshd -D | ||
ExecReload=/bin/kill -HUP $MAINPID | ||
KillMode=process | ||
Restart=always | ||
|
||
[Install] | ||
WantedBy=multi-user.target | ||
|
||
# This service file runs an SSH daemon that forks for each incoming connection. | ||
# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service. |
@@ -0,0 +1,10 @@ | ||
[Unit] | ||
Conflicts=sshd.service | ||
Wants=sshdgenkeys.service | ||
|
||
[Socket] | ||
ListenStream=22 | ||
Accept=yes | ||
|
||
[Install] | ||
WantedBy=sockets.target |
@@ -0,0 +1,8 @@ | ||
[Unit] | ||
Description=OpenSSH Per-Connection Daemon | ||
After=sshdgenkeys.service | ||
|
||
[Service] | ||
ExecStart=-/usr/bin/sshd -i | ||
StandardInput=socket | ||
StandardError=syslog |
@@ -0,0 +1,17 @@ | ||
[Unit] | ||
Description=SSH Key Generation | ||
ConditionPathExists=|!/etc/ssh/ssh_host_key | ||
ConditionPathExists=|!/etc/ssh/ssh_host_key.pub | ||
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key | ||
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub | ||
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key | ||
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub | ||
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key | ||
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub | ||
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key | ||
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub | ||
|
||
[Service] | ||
ExecStart=/usr/bin/ssh-keygen -A | ||
Type=oneshot | ||
RemainAfterExit=yes |