From 2337c7522af3b186d4d7ecefe9e19c33aafc6626 Mon Sep 17 00:00:00 2001 From: zimbatm Date: Fri, 26 Oct 2018 01:17:55 +0200 Subject: [PATCH] openssh: 7.7p1 -> 7.9p1 (#48784) added openssh_gssapi to make it easier to test the patched version the HPN edition isn't available on top of 7.9p1 yet fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's fixed. release notes: https://www.openssh.com/txt/release-7.9 --- pkgs/tools/networking/openssh/default.nix | 20 +++---- .../fix-host-key-algorithms-plus.patch | 52 ------------------- pkgs/top-level/all-packages.nix | 4 ++ 3 files changed, 10 insertions(+), 66 deletions(-) delete mode 100644 pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 96bc2c56ece8..7aeae3ca9d12 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -13,39 +13,31 @@ let gssapiPatch = fetchpatch { name = "openssh-gssapi.patch"; url = "https://salsa.debian.org/ssh-team/openssh/raw/" - + "e395eed38096fcda74398424ea94de3ec44effd5" + + "d80ebbf028196b2478beebf5a290b97f35e1eed9" + "/debian/patches/gssapi.patch"; - sha256 = "0x7xysgdahb4jaq0f28g2d7yzp0d3mh59i4xnffszvjndhvbk27x"; + sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2wv"; }; in with stdenv.lib; stdenv.mkDerivation rec { name = "openssh-${version}"; - version = if hpnSupport then "7.7p1" else "7.7p1"; + version = if hpnSupport then "7.8p1" else "7.9p1"; src = if hpnSupport then fetchurl { - url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_7_P1.tar.gz"; - sha256 = "1l4k8mg3gnzxbz53cma8s6ak56waz03ijsr08p8vgpi0c2rc5ri5"; + url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz"; + sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw"; } else fetchurl { url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz"; - sha256 = "13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp"; + sha256 = "1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb"; }; patches = [ - # Remove on update! - (fetchpatch { - name = "fix-tunnel-forwarding.diff"; - url = "https://github.com/openssh/openssh-portable/commit/cfb1d9bc767.diff"; - sha256 = "1mszj7f1kj6bazr7asbi1bi4238lfpilpp98f6c1dn3py4fbsdg8"; - }) - ./locale_archive.patch - ./fix-host-key-algorithms-plus.patch # See discussion in https://github.com/NixOS/nixpkgs/pull/16966 ./dont_create_privsep_path.patch diff --git a/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch deleted file mode 100644 index 02846e9bdad2..000000000000 --- a/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch +++ /dev/null @@ -1,52 +0,0 @@ -Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because -setting any value for HostKeyAlgorithms causes the known host keys to -be ignored for the purpose of determining the priority of algorithms. -This was fixed upstream for HostKeyAlgorithms in sshd_config, but not -in ssh_config. The fix is to apply order_hostkeyalgs() if the user -specifies a HostKeyAlgorithms starting with "+". - -diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c ---- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100 -+++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200 -@@ -100,7 +100,7 @@ - } - - static char * --order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) -+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs) - { - char *oavail, *avail, *first, *last, *alg, *hostname, *ret; - size_t maxlen; -@@ -116,7 +116,7 @@ - for (i = 0; i < options.num_system_hostfiles; i++) - load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); - -- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); -+ oavail = avail = xstrdup(algs); - maxlen = strlen(avail) + 1; - first = xmalloc(maxlen); - last = xmalloc(maxlen); -@@ -181,18 +181,21 @@ - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; - if (options.hostkeyalgorithms != NULL) { -+ int append = options.hostkeyalgorithms[0] == '+'; - if (kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options.hostkeyalgorithms) != 0) - fatal("%s: kex_assemble_namelist", __func__); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = -- compat_pkalg_proposal(options.hostkeyalgorithms); -+ compat_pkalg_proposal(append -+ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms) -+ : options.hostkeyalgorithms); - } else { - /* Enforce default */ - options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); - /* Prefer algorithms that we already have keys for */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - compat_pkalg_proposal( -- order_hostkeyalgs(host, hostaddr, port)); -+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG)); - } - - if (options.rekey_limit || options.rekey_interval) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e4293c40ba0b..57f65c28deb2 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -4515,6 +4515,10 @@ with pkgs; openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; }); + openssh_gssapi = pkgs.appendToName "with-gssapi" (openssh.override { + withGssapiPatches = true; + }); + opensp = callPackage ../tools/text/sgml/opensp { }; opentracker = callPackage ../applications/networking/p2p/opentracker { };