openssh: 7.7p1 -> 7.9p1 (#48784)

added openssh_gssapi to make it easier to test the patched version

the HPN edition isn't available on top of 7.9p1 yet

fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's
fixed.

release notes: https://www.openssh.com/txt/release-7.9
This commit is contained in:
zimbatm 2018-10-26 01:17:55 +02:00 committed by GitHub
parent 2cc4200de0
commit 2337c7522a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 66 deletions

View file

@ -13,39 +13,31 @@ let
gssapiPatch = fetchpatch {
name = "openssh-gssapi.patch";
url = "https://salsa.debian.org/ssh-team/openssh/raw/"
+ "e395eed38096fcda74398424ea94de3ec44effd5"
+ "d80ebbf028196b2478beebf5a290b97f35e1eed9"
+ "/debian/patches/gssapi.patch";
sha256 = "0x7xysgdahb4jaq0f28g2d7yzp0d3mh59i4xnffszvjndhvbk27x";
sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2wv";
};
in
with stdenv.lib;
stdenv.mkDerivation rec {
name = "openssh-${version}";
version = if hpnSupport then "7.7p1" else "7.7p1";
version = if hpnSupport then "7.8p1" else "7.9p1";
src = if hpnSupport then
fetchurl {
url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_7_P1.tar.gz";
sha256 = "1l4k8mg3gnzxbz53cma8s6ak56waz03ijsr08p8vgpi0c2rc5ri5";
url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz";
sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw";
}
else
fetchurl {
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
sha256 = "13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp";
sha256 = "1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb";
};
patches =
[
# Remove on update!
(fetchpatch {
name = "fix-tunnel-forwarding.diff";
url = "https://github.com/openssh/openssh-portable/commit/cfb1d9bc767.diff";
sha256 = "1mszj7f1kj6bazr7asbi1bi4238lfpilpp98f6c1dn3py4fbsdg8";
})
./locale_archive.patch
./fix-host-key-algorithms-plus.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch

View file

@ -1,52 +0,0 @@
Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
setting any value for HostKeyAlgorithms causes the known host keys to
be ignored for the purpose of determining the priority of algorithms.
This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
in ssh_config. The fix is to apply order_hostkeyalgs() if the user
specifies a HostKeyAlgorithms starting with "+".
diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
--- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200
@@ -100,7 +100,7 @@
}
static char *
-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
{
char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
size_t maxlen;
@@ -116,7 +116,7 @@
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ oavail = avail = xstrdup(algs);
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
@@ -181,18 +181,21 @@
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
if (options.hostkeyalgorithms != NULL) {
+ int append = options.hostkeyalgorithms[0] == '+';
if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options.hostkeyalgorithms) != 0)
fatal("%s: kex_assemble_namelist", __func__);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- compat_pkalg_proposal(options.hostkeyalgorithms);
+ compat_pkalg_proposal(append
+ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
+ : options.hostkeyalgorithms);
} else {
/* Enforce default */
options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
- order_hostkeyalgs(host, hostaddr, port));
+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
}
if (options.rekey_limit || options.rekey_interval)

View file

@ -4515,6 +4515,10 @@ with pkgs;
openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; });
openssh_gssapi = pkgs.appendToName "with-gssapi" (openssh.override {
withGssapiPatches = true;
});
opensp = callPackage ../tools/text/sgml/opensp { };
opentracker = callPackage ../applications/networking/p2p/opentracker { };