public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

openssh: 7.7p1 -> 7.9p1 (#48784)

Browse Source 
added openssh_gssapi to make it easier to test the patched version

the HPN edition isn't available on top of 7.9p1 yet

fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's
fixed.

release notes: https://www.openssh.com/txt/release-7.9
This commit is contained in:
zimbatm 2018-10-26 01:17:55 +02:00 committed by GitHub
parent 2cc4200de0
commit 2337c7522a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
pkgs/tools/networking/openssh/default.nix
View File

@ -13,39 +13,31 @@ let
gssapiPatch = fetchpatch { gssapiPatch = fetchpatch {
name = "openssh-gssapi.patch"; name = "openssh-gssapi.patch";
url = "https://salsa.debian.org/ssh-team/openssh/raw/" url = "https://salsa.debian.org/ssh-team/openssh/raw/"
+ "e395eed38096fcda74398424ea94de3ec44effd5" + "d80ebbf028196b2478beebf5a290b97f35e1eed9"
+ "/debian/patches/gssapi.patch"; + "/debian/patches/gssapi.patch";
sha256 = "0x7xysgdahb4jaq0f28g2d7yzp0d3mh59i4xnffszvjndhvbk27x"; sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2wv";
}; };
in in
with stdenv.lib; with stdenv.lib;
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "openssh-${version}"; name = "openssh-${version}";
version = if hpnSupport then "7.7p1" else "7.7p1"; version = if hpnSupport then "7.8p1" else "7.9p1";
src = if hpnSupport then src = if hpnSupport then
fetchurl { fetchurl {
url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_7_P1.tar.gz"; url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz";
sha256 = "1l4k8mg3gnzxbz53cma8s6ak56waz03ijsr08p8vgpi0c2rc5ri5"; sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw";
} }
else else
fetchurl { fetchurl {
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz"; url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
sha256 = "13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp"; sha256 = "1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb";
}; };
patches = patches =
[ [
# Remove on update!
(fetchpatch {
name = "fix-tunnel-forwarding.diff";
url = "https://github.com/openssh/openssh-portable/commit/cfb1d9bc767.diff";
sha256 = "1mszj7f1kj6bazr7asbi1bi4238lfpilpp98f6c1dn3py4fbsdg8";
})
./locale_archive.patch ./locale_archive.patch
./fix-host-key-algorithms-plus.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch ./dont_create_privsep_path.patch

52
pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
View File

@ -1,52 +0,0 @@
Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
setting any value for HostKeyAlgorithms causes the known host keys to
be ignored for the purpose of determining the priority of algorithms.
This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
in ssh_config. The fix is to apply order_hostkeyalgs() if the user
specifies a HostKeyAlgorithms starting with "+".
diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
--- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200
@@ -100,7 +100,7 @@
}
static char *
-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
{
char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
size_t maxlen;
@@ -116,7 +116,7 @@
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ oavail = avail = xstrdup(algs);
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
@@ -181,18 +181,21 @@
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
if (options.hostkeyalgorithms != NULL) {
+ int append = options.hostkeyalgorithms[0] == '+';
if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options.hostkeyalgorithms) != 0)
fatal("%s: kex_assemble_namelist", __func__);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- compat_pkalg_proposal(options.hostkeyalgorithms);
+ compat_pkalg_proposal(append
+ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
+ : options.hostkeyalgorithms);
} else {
/* Enforce default */
options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
- order_hostkeyalgs(host, hostaddr, port));
+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
}
if (options.rekey_limit || options.rekey_interval)

4
pkgs/top-level/all-packages.nix
View File

@ -4515,6 +4515,10 @@ with pkgs;
openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; }); openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; });
openssh_gssapi = pkgs.appendToName "with-gssapi" (openssh.override {
withGssapiPatches = true;
});
opensp = callPackage ../tools/text/sgml/opensp { }; opensp = callPackage ../tools/text/sgml/opensp { };
opentracker = callPackage ../applications/networking/p2p/opentracker { }; opentracker = callPackage ../applications/networking/p2p/opentracker { };