# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# Port metadata for PKIX-SSH. The compiler_blacklist_versions PortGroup is
# loaded for the version-qualified compiler.blacklist entry used further down.
PortSystem 1.0
PortGroup compiler_blacklist_versions 1.0
name pkixssh
version 13.4.1
revision 1
categories net
platforms darwin
maintainers {@sstallion gmail.com:sstallion} openmaintainer
license BSD
installs_libs no
# Cannot be installed next to these ports. This port also installs
# ssh-copy-id itself in post-destroot; presumably the others overlap on the
# installed ssh binaries -- confirm.
conflicts lsh openssh ssh-copy-id
description PKIX-SSH - an advanced secure shell implementation
long_description Implementation includes some of functionality provided by OpenSSH. OpenSSH \
    itself is derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. \
    Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug \
    Song removed many bugs, re-added newer features and created OpenSSH. Roumen \
    Petrov adds X.509 certificate support, modernize use of cryptography library \
    including FIPS mode and creates PKIX-SSH.
homepage https://roumenpetrov.info/secsh/
# Integrity pin for the distfile: two digests plus the exact byte size.
# All three must be refreshed together whenever version changes; a mismatch
# makes the checksum phase fail before anything is extracted or built.
checksums rmd160 1a5d09524567912f15877859d5e3885425e4851c \
    sha256 ff76f3c467512c6e83b908386beaffb6472fdfc0f877d1653404b8f13cdca8d8 \
    size 1711233
# The distfile is fetched over HTTPS from the upstream site.
master_sites https://roumenpetrov.info/secsh/src/
# The TLS/crypto library is a path-style dependency: whichever installed port
# provides lib/libssl.dylib satisfies it, with openssl as the default, so the
# crypto code sshd links against depends on what is installed in the prefix.
depends_lib path:lib/libssl.dylib:openssl \
    port:libedit \
    port:ncurses \
    port:zlib
platform darwin 10 {
    # On this platform the system ranlib fails on the compat library with:
    # /usr/bin/ranlib: object: libopenbsd-compat.a(base64.o) malformed object (unknown load command 2)
    # cctools is added as a build dependency -- presumably so that its ranlib
    # is used instead of /usr/bin/ranlib; confirm.
    depends_build-append port:cctools
}
# Apply the patches with -p1 rather than -p0.
patch.pre_args-replace -p0 -p1
patchfiles launchd.patch \
    agent.patch \
    pam.patch \
    patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
    patch-sshd.c-apple-sandbox-named-external.diff \
    macports-config.patch
# Why these patches are carried:
# - pam.patch
#     getpwnam(3) on OS X always returns "*********" in the pw_passwd field,
#     even when run as root, so it cannot be used for authentication. The
#     patch forces the use of PAM regardless of the configuration.
#     NOTE(review): this presumably means the PAM setting in sshd_config has
#     no effect on this build -- confirm, since an administrator may rely on it.
# - patch-*-apple-sandbox-named-external.diff
#     Use Apple's sandbox_init(3) in addition to standard privilege
#     separation. This needs a sandbox profile (shipped by this port) and the
#     sandbox_init(3) call must come before the chroot(2) to the privsep path,
#     or loading the sandbox description and libsandbox.1.dylib fails.
#     NOTE(review): the original note names the privsep path as
#     ${prefix}/var/empty, but configure.args in this file passes
#     --with-privsep-path=/var/empty -- confirm which one is intended.
# - macports-config.patch
#     Changes the default configuration from the upstream-provided one, by
#     popular request.
# - agent.patch
#     Adds the -l flag to ssh-agent so that it works with launchd.
# - launchd.patch
#     Not described in the original notes; presumably the code enabled by
#     -D__APPLE_LAUNCHD__ in configure.cppflags -- confirm.
post-patch {
    # patch-sandbox-darwin.c-apple-sandbox-named-external.diff adds a path to
    # the sandbox definition containing an @PREFIX@ token; replace the token
    # with the real installation prefix.
    set sandbox_src ${worksrcpath}/sandbox-darwin.c
    reinplace "s|@PREFIX@|${prefix}|g" ${sandbox_src}
}
# Build driver settings: run autoreconf before configure, build in parallel.
use_autoreconf yes
use_parallel_build yes

# Preprocessor defines, in order:
#   -DBROKEN_STRNVIS=1
#       strnvis(3) is not actually broken here; OpenBSD uses a different
#       argument order for strnvis and treats every other implementation as
#       broken.
#   -D__APPLE_SANDBOX_NAMED_EXTERNAL__ -D__APPLE_API_STRICT_CONFORMANCE
#       Enable the Apple sandbox code added by the sandbox patches.
#   -D__APPLE_LAUNCHD__
#       Enable launchd support in ssh-agent.
configure.cppflags-append \
    -DBROKEN_STRNVIS=1 \
    -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
    -D__APPLE_API_STRICT_CONFORMANCE \
    -D__APPLE_LAUNCHD__

configure.ldflags-append -Wl,-search_paths_first

# Security-relevant choices made below:
#   - configuration lives in ${prefix}/etc/ssh and the pid file in
#     ${prefix}/var/run, separate from the system sshd;
#   - PAM and BSM auditing are compiled in, binaries are built as PIE;
#   - Kerberos 5, ldns and xauth support are compiled out;
#   - --with-keychain=apple turns on the Apple Keychain integration (it is
#     removed again for old OS versions in the platform macosx block).
# NOTE(review): --with-privsep-path=/var/empty points outside ${prefix}; the
# patch notes in this file mention ${prefix}/var/empty instead. Confirm which
# directory is intended and that it is root-owned and not writable by others.
# NOTE(review): --with-md5-passwords enables MD5 password support; with PAM
# forced by pam.patch, confirm whether this flag is still needed.
configure.args --with-ssl-dir=${prefix} \
    --sysconfdir=${prefix}/etc/ssh \
    --with-privsep-path=/var/empty \
    --with-md5-passwords \
    --with-pid-dir=${prefix}/var/run \
    --with-pam \
    --mandir=${prefix}/share/man \
    --with-zlib=${prefix} \
    --without-kerberos5 \
    --with-libedit \
    --with-pie \
    --without-xauth \
    --without-ldns \
    --with-audit=bsm \
    --with-keychain=apple
platform macosx {
    if {${os.major} >= 10} {
        if {${os.major} <= 11} {
            # The Apple Keychain integration uses the Object Subscripting
            # feature, so it has to be built with clang, c.f. #59397.
            # Kept simple: every gcc is blacklisted, as is cc (which could be
            # anything) and system clang older than the one shipped with
            # Xcode 4.4.
            # Any macports-clang in the tree is suitable: the clang
            # documentation names FOSS clang/llvm 3.1 as the first release
            # with Object Subscripting, and the oldest version in the tree is
            # now 3.3.
            compiler.blacklist-append *gcc* cc {clang < 421}
        }
    } else {
        # Keychain integration is dropped on these OS versions.
        # See: https://trac.macports.org/ticket/60385
        configure.args-delete --with-keychain=apple
    }
}
# Stage with the upstream install-nokeys target rather than the default
# install target. In OpenSSH-derived makefiles that target installs without
# generating host keys, so no private host key ends up in the packaged image;
# the startup item in this file creates missing host keys on the target machine.
destroot.target install-nokeys
# Enable the test phase and run the upstream "tests" target.
test.run yes
test.target tests
post-destroot {
    set ssh_confdir ${destroot}${prefix}/etc/ssh
    set profile_dir ${destroot}${prefix}/share/${name}

    # Keep the (empty) pid directory in the installed image.
    destroot.keepdirs ${destroot}${prefix}/var/run

    # Move the default listening port to 2222 so this sshd does not collide
    # with the system sshd on port 22.
    reinplace "s|#Port 22|Port 2222|g" ${ssh_confdir}/sshd_config

    # Ship the sandbox definition: directory 755, profile 644.
    xinstall -m 755 -d ${profile_dir}
    xinstall -m 644 ${filespath}/info.roumenpetrov.sshd.sb ${profile_dir}

    # Install both configuration files as *.example only; post-activate
    # creates the live files from them when none exist yet.
    foreach conf {sshd_config ssh_config} {
        file rename "${ssh_confdir}/${conf}" "${ssh_confdir}/${conf}.example"
    }

    # ssh-copy-id and its man page come from contrib/.
    xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
    xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
}
post-activate {
    # Seed the live configuration from the shipped *.example files, but never
    # overwrite a file that already exists. An existing sshd_config or
    # ssh_config is therefore left as it is, and changed defaults in a newer
    # *.example do not reach it automatically.
    foreach conf {sshd_config ssh_config} {
        set live "${prefix}/etc/ssh/${conf}"
        if {[file exists ${live}]} {
            continue
        }
        copy "${live}.example" ${live}
    }
}
platform darwin {
    # The PAM header directory 'security' was renamed to 'pam' in OS X and
    # then renamed back to 'security' in 10.6. On the older releases, provide
    # a 'security' symlink to /usr/include/pam in a private include directory
    # and put that directory on the preprocessor search path.
    if {${os.major} < 10} {
        pre-configure {
            set pam_shim ${workpath}/include
            xinstall -d ${pam_shim}
            # Drop any link left over from an earlier run before recreating it.
            file delete ${pam_shim}/security
            ln -s /usr/include/pam ${pam_shim}/security
            configure.cppflags-append "-I${pam_shim}"
        }
    }
}
platform darwin 9 {
    # 10.5/ppc doesn't like the sandbox file we supply, so the define that
    # enables the named-sandbox code is removed again on this platform.
    # NOTE(review): sshd on this platform presumably runs with standard
    # privilege separation only, without the Apple sandbox -- confirm.
    configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
}
# Startup item that creates any missing host keys and then launches sshd.
startupitem.create yes
# NOTE(review): the item is named OpenSSH although this port is pkixssh;
# presumably kept for compatibility with the openssh port, which this port
# conflicts with -- confirm.
startupitem.name OpenSSH
# Start script. Square brackets are backslash-escaped so that Tcl does not
# treat them as command substitution, and each "\\" before a newline becomes a
# single backslash, i.e. a shell line continuation.
# If ${prefix}/sbin/sshd is executable, the script checks the dsa, rsa, ecdsa
# and ed25519 host key files under ${prefix}/etc/ssh in turn, generates each
# missing one with ssh-keygen, and then starts sshd. Keys are created with an
# empty passphrase (-N "") and the output of hostname as the key comment, so
# their confidentiality rests on the file permissions of the private key files.
# NOTE(review): a DSA host key is still generated. OpenSSH has disabled DSA
# keys by default since 7.0; confirm whether this PKIX-SSH release still
# needs a DSA host key, and drop that stanza if it does not.
# NOTE(review): `hostname` is used unquoted as the -C argument; a host name
# containing whitespace would be split into several arguments.
startupitem.start \
"if \[ -x ${prefix}/sbin/sshd \]; then
if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
${prefix}/bin/ssh-keygen -t dsa -f \\
${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
fi
if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
${prefix}/bin/ssh-keygen -t rsa -f \\
${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
fi
if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
${prefix}/bin/ssh-keygen -t ecdsa -f \\
${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
fi
if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
${prefix}/bin/ssh-keygen -t ed25519 -f \\
${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
fi
${prefix}/sbin/sshd
fi"
# Stop script: if the pid file is readable, send the default signal to the
# pid stored in it. The location matches --with-pid-dir in configure.args.
startupitem.stop \
"if \[ -r ${prefix}/var/run/sshd.pid \]; then
kill `cat ${prefix}/var/run/sshd.pid`
fi"
# Detect new upstream releases by matching the homepage against the text
# "Official version x509-" followed by a dotted version number, which is the
# captured group.
livecheck.type regex
livecheck.url ${homepage}
livecheck.regex "Official version x509-(\\d+(?:\\.\\d+)*)"