openssh: 7.7p1 -> 7.9p1 (#48784)
Added openssh_gssapi to make it easier to test the patched version. The HPN edition isn't available on top of 7.9p1 yet. fix-host-key-algorithms-plus.patch didn't apply anymore; assuming it's fixed. Release notes: https://www.openssh.com/txt/release-7.9
This commit is contained in:
parent
2cc4200de0
commit
2337c7522a
3 changed files with 10 additions and 66 deletions
@ -13,39 +13,31 @@ let
gssapiPatch = fetchpatch {
name = "openssh-gssapi.patch";
url = "https://salsa.debian.org/ssh-team/openssh/raw/"
+ "e395eed38096fcda74398424ea94de3ec44effd5"
+ "d80ebbf028196b2478beebf5a290b97f35e1eed9"
+ "/debian/patches/gssapi.patch";
sha256 = "0x7xysgdahb4jaq0f28g2d7yzp0d3mh59i4xnffszvjndhvbk27x";
sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2wv";
};
in
with stdenv.lib;
stdenv.mkDerivation rec {
name = "openssh-${version}";
version = if hpnSupport then "7.7p1" else "7.7p1";
version = if hpnSupport then "7.8p1" else "7.9p1";
src = if hpnSupport then
fetchurl {
url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_7_P1.tar.gz";
sha256 = "1l4k8mg3gnzxbz53cma8s6ak56waz03ijsr08p8vgpi0c2rc5ri5";
url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz";
sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw";
}
else
fetchurl {
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
sha256 = "13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp";
sha256 = "1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb";
};
patches =
[
# Remove on update!
(fetchpatch {
name = "fix-tunnel-forwarding.diff";
url = "https://github.com/openssh/openssh-portable/commit/cfb1d9bc767.diff";
sha256 = "1mszj7f1kj6bazr7asbi1bi4238lfpilpp98f6c1dn3py4fbsdg8";
})
./locale_archive.patch
./fix-host-key-algorithms-plus.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch
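Review bot: Removing `./fix-host-key-algorithms-plus.patch` from `patches` rests on the commit message's assumption that 7.9p1 fixed client-side `HostKeyAlgorithms +...` known-host ordering, and nothing in the hunk records that this was checked; a comment at the spot where the patch was listed, e.g. `# fix-host-key-algorithms-plus.patch dropped with 7.9p1; confirm upstream sshconnect2.c now applies order_hostkeyalgs() for a "+" prefix`, would keep the next updater from having to rediscover this. The `version =` line now pins the `hpnSupport` build to 7.8p1 while the default build moves to 7.9p1, so that branch quietly lags a release; a comment such as `# HPN patch set is not yet rebased onto 7.9p1` on that line makes the split deliberate. The `stdenv.mkDerivation rec {` attribute set and the `patches` list both continue past the end of the hunk.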
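--- a/fix-host-key-algorithms-plus.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
-setting any value for HostKeyAlgorithms causes the known host keys to
-be ignored for the purpose of determining the priority of algorithms.
-This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
-in ssh_config. The fix is to apply order_hostkeyalgs() if the user
-specifies a HostKeyAlgorithms starting with "+".
-
-diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
---- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100
-+++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200
-@@ -100,7 +100,7 @@
-}
-
-static char *
--order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
-+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
-{
-char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
-size_t maxlen;
-@@ -116,7 +116,7 @@
-for (i = 0; i < options.num_system_hostfiles; i++)
-load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
-
-- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
-+ oavail = avail = xstrdup(algs);
-maxlen = strlen(avail) + 1;
-first = xmalloc(maxlen);
-last = xmalloc(maxlen);
-@@ -181,18 +181,21 @@
-myproposal[PROPOSAL_MAC_ALGS_CTOS] =
-myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
-if (options.hostkeyalgorithms != NULL) {
-+ int append = options.hostkeyalgorithms[0] == '+';
-if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
-&options.hostkeyalgorithms) != 0)
-fatal("%s: kex_assemble_namelist", __func__);
-myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-- compat_pkalg_proposal(options.hostkeyalgorithms);
-+ compat_pkalg_proposal(append
-+ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
-+ : options.hostkeyalgorithms);
-} else {
-/* Enforce default */
-options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
-/* Prefer algorithms that we already have keys for */
-myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-compat_pkalg_proposal(
-- order_hostkeyalgs(host, hostaddr, port));
-+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
-}
-
-if (options.rekey_limit || options.rekey_interval)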
@ -4515,6 +4515,10 @@ with pkgs;
openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; });
openssh_gssapi = pkgs.appendToName "with-gssapi" (openssh.override {
withGssapiPatches = true;
});
opensp = callPackage ../tools/text/sgml/opensp { };
opentracker = callPackage ../applications/networking/p2p/opentracker { };
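Review bot: The new `openssh_gssapi` attribute carries no comment saying what it is for, while the commit message explains it exists so the Debian GSSAPI-patched build can be tested without overriding by hand; a line above it such as `# openssh with the Debian GSSAPI patch set applied; separate attribute so the patched build is easy to test` would carry that into the file, matching the nearby `openssh_hpn` variant. Whether the openssh derivation already accepts a `withGssapiPatches` argument is not visible on this page; presumably it does, since the first hunk only changes the source of `gssapiPatch`, but it is worth confirming before relying on this attribute.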