Commit graph

124 commits

Author SHA1 Message Date
Graham Christensen
e2a54266c4
openssh: Build with Kerberos by default
This reverts commit 09696e32c390c232ec7ac506df6457fb93c1f536.
which reverted f596aa0f4a
to move it to staging
2018-01-28 16:36:01 -05:00
Graham Christensen
15a4977409
Revert "openssh: Build with Kerberos by default"
This reverts commit a232dd66ee.

Moving to staging
2018-01-28 16:36:01 -05:00
Aneesh Agrawal
716d1612af
openssh: Build with Kerberos by default
This can be disabled with the `withKerberos` flag if desired.
Make the relevant assertions lazy,
so that if an overlay is used to set kerberos to null,
a later override can explicitly set `withKerberos` to false.

Don't build with GSSAPI by default;
the patchset is large and a bit hairy,
and it is reasonable to follow upstream who has not merged it
in not enabling it by default.
2018-01-28 16:36:00 -05:00
Orivej Desh
ac522cbe95
Merge pull request #30137 from aneeshusa/update-openssh-to-7.6p1
openssh: 7.5p1 -> 7.6p1
2017-11-11 01:23:41 +00:00
Aneesh Agrawal
d473ef2ed2 openssh: 7.5p1 -> 7.6p1
Release notes are available at https://www.openssh.com/txt/release-7.6.
Mostly a bugfix release, no major backwards-incompatible changes.
2017-10-06 16:38:18 -04:00
John Ericson
531e4b80c9 misc pkgs: Basic sed to get fix pkgconfig and autoreconfHook buildInputs
Only acts on one-line dependency lists.
2017-09-21 15:49:53 -04:00
Jörg Thalheim
7786aab173 openssh: update gssapi patch 2017-09-12 14:28:33 +01:00
Silvan Mosberger
f5fa5fa4d6 pkgs: refactor needless quoting of homepage meta attribute (#27809)
* pkgs: refactor needless quoting of homepage meta attribute

A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.

* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit

* Fixed some instances
2017-08-01 22:03:30 +02:00
Thomas Tuegel
c1c314c36f
openssh: unset LD
Commit 093cc00cdd, sets the LD environment
variable by default, but this confuses the openssh Makefile because `configure'
does not respect it.
2017-07-21 15:44:33 -05:00
Vladimír Čunát
445b107d93
openssh: fixup build on Hydra
http://hydra.nixos.org/build/53993444
2017-06-07 09:33:56 +02:00
Tristan Helmich
c395568b7a
openssh_hpn: use new sources and version (7_5_P1)
Close #23990.
2017-04-14 12:22:15 +02:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
2017-04-10 19:39:22 -04:00
Vladimír Čunát
0163f0c427
openssh: update the gssapi patch
Only building was tested.
2016-12-29 17:04:58 -05:00
Graham Christensen
11e8ed5ff4
Revert "Revert "openssh: security 7.3p1 -> 7.4p1""
This reverts commit 661b5a9875.
2016-12-29 17:04:39 -05:00
Vladimír Čunát
661b5a9875
Revert "openssh: security 7.3p1 -> 7.4p1"
This reverts commit 277080fea0.

I had tested the server on my physical machine before pushing,
but the openssh test got broken so something is clearly wrong.
http://hydra.nixos.org/build/45500080
2016-12-25 22:15:56 +01:00
Vladimír Čunát
277080fea0
openssh: security 7.3p1 -> 7.4p1
The two removed patches were for issues that should've been fixed.
Minor vulnerabilities addressed: CVE-2016-{10009,10010,10011,10012}.
https://www.openssh.com/txt/release-7.4
2016-12-25 18:42:55 +01:00
Aneesh Agrawal
7374105a96 openssh: Patch CVE-2016-8858
Also add myself as a maintainer.
2016-10-20 14:55:14 -04:00
Graham Christensen
83a8cb1dc2
openssh: apply patch to fix https://bugzilla.redhat.com/show_bug.cgi?id=1380296 2016-10-06 08:54:10 -04:00
Tuomas Tynkkynen
5bf5de58ea treewide: Fix 'lib.optional' misuses
These add a singleton list of a package to buildInputs.
2016-10-01 23:38:06 +03:00
Benjamin Staffin
43dcb662e7 openssh: update gssapi patch, fix the build 2016-09-14 23:35:26 -04:00
Robin Gloster
b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
Aneesh Agrawal
f6eae2efab openssh: 7.2p2 -> 7.3p1 (#17493)
Also remove patch for CVE-2015-8325 that has been fixed upstream.
2016-08-07 19:55:20 +02:00
Robin Gloster
203846b9de Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-19 10:37:02 +00:00
Rickard Nilsson
4f8f1c30cb openssh: Use the default privilege separation dir (/var/empty)
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)

If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-16 10:15:58 +02:00
Bjørn Forsman
2ad0a84751 Revert "openssh: Use the default privilege separation dir (/var/empty)"
This reverts commit a927709a35 because it
doesn't build:

$ nix-build -A openssh
...
mkdir /nix/store/yl2xap8n1by3dqxgc4rmrc4s753676a3-openssh-7.2p2/libexec
(umask 022 ; ./mkinstalldirs /var/empty)
mkdir /var
mkdir: cannot create directory '/var': Permission denied
mkdir /var/empty
mkdir: cannot create directory '/var/empty': No such file or directory
make: *** [Makefile:304: install-files] Error 1
builder for ‘/nix/store/ifygp4mqpv7l8cgp0njp8w7lmrl6brpp-openssh-7.2p2.drv’ failed with exit code 2
2016-07-15 12:42:37 +02:00
Rickard Nilsson
a927709a35 openssh: Use the default privilege separation dir (/var/empty)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-14 20:54:06 +02:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Aneesh Agrawal
6e4d06873f openssh: fix CVE-2015-8325
Debian Security Advisory: https://www.debian.org/security/2016/dsa-3550
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
2016-04-15 23:45:10 -04:00
Robin Gloster
696d85a62d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-03 11:01:57 +00:00
Eelco Dolstra
3fb1708427 ssh: Fix support for ssh-dss host keys 2016-04-01 15:54:52 +02:00
Robin Gloster
3f45f0948d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-15 01:44:24 +00:00
Aneesh Agrawal
2dd09b634e openssh: update homepage link
Unfortunately, the site is not available over HTTPS.
2016-03-10 18:40:00 -05:00
Aneesh Agrawal
e5ca25eb7a openssh: 7.2p1 -> 7.2p2 for OSA x11fwd.adv
Fixes OpenSSH Security Advisory x11fwd.adv, which is available at
http://www.openssh.com/txt/x11fwd.adv.
2016-03-10 18:01:33 -05:00
Aneesh Agrawal
ce74aac132 openssh: update GSSAPI patch to openssh 7.2 2016-03-08 16:11:56 -05:00
Aneesh Agrawal
9e86984fe0 openssh: decouple gssapi patch from kerberos
The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
2016-03-08 15:14:25 -05:00
Franz Pletz
e9fc4e7db6 Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-03-07 22:08:27 +01:00
joachifm
453686a24a Merge pull request #13705 from aneeshusa/use-bin-instead-of-sbin-for-openssh
openssh: use bin instead of sbin folder
2016-03-07 12:03:37 +00:00
Aneesh Agrawal
14201da332 openssh: allow building without linking openssl
http://undeadly.org/cgi?action=article&sid=20140430045723 has the
original announcement of this option. Note, openssl headers are still
required at build time, see this comment:
http://www.gossamer-threads.com/lists/openssh/dev/61125#61125
2016-03-06 16:36:55 -05:00
Aneesh Agrawal
bb39304ce6 openssh: use bin instead of sbin folder
References #11939.
2016-03-05 23:56:32 -05:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Robin Gloster
33f7d0b3f6 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-01 22:46:39 +00:00
Eelco Dolstra
cc71804ab0 openssh: Fix build 2016-03-01 22:25:17 +01:00
Aneesh Agrawal
7f8d50b443 openssh: 7.1p2 -> 7.2p1 2016-03-01 22:25:16 +01:00
Robin Gloster
b6279950bd openssh: enable pie hardening 2016-02-26 16:30:26 +00:00
Benjamin Staffin
29711967a2 openssh: update gssapi patch to match openssh version
Should fix the openssh_with_kerberos build.

Fixes #13140

(cherry picked from commit 3dae6c7e1e1eb64b3ceb2796eea1ad0ae1596688)
2016-02-20 22:22:01 -08:00
Eelco Dolstra
a7b7ac8bfb openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb67.
2016-02-01 16:31:43 +01:00
koral
a7f09e9773 openssh: 6.9p1 -> 7.1p2 2016-02-01 16:31:43 +01:00
Franz Pletz
2d65772950 openssh: Disable roaming (security fix)
Fixes CVE-2016-0777 and CVE-0216-0778.

Closes #12385.
2016-01-14 16:40:27 +01:00
Benjamin Staffin
67f4c2a779 openssh: Add gssapi patch used by other major distros
This patch is borrowed verbatim from Debian, where it is actively
maintained for each openssh update.  It's also included in Fedora's
openssh package, in Arch linux as openssh-gssapi in the AUR, in MacOS
X, and presumably various other platforms and linux distros.

The main relevant parts of this patch:
- Adds several ssh_config options:
  GSSAPIKeyExchange, GSSAPITrustDNS,
  GSSAPIClientIdentity, GSSAPIServerIdentity
  GSSAPIRenewalForcesRekey
- Optionally use an in-memory credentials cache api for security

My primary motivation for wanting the patch is the GSSAPIKeyExchange
and GSSAPITrustDNS features. My user ssh_config is shared across
several OSes, and it's a lot easier to manage if they all support the
same options.
2016-01-05 14:50:05 -08:00
Tuomas Tynkkynen
919d44d29f openssh: Compile with '--with-pid-dir' to improve build purity
The configure script tries to probe whether /var/run exists when
determining the location for the pid file, which is not very nice when
doing chroot builds. Just set it explicitly to avoid the problem.

For reference, the culprit in configure.ac:
````
piddir=/var/run
if test ! -d $piddir ; then
        piddir=`eval echo ${sysconfdir}`
        case $piddir in
                NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
        esac
fi

AC_ARG_WITH([pid-dir],
        [  --with-pid-dir=PATH     Specify location of ssh.pid file],
...

````

Also, use the `install-nokeys` target in installPhase so we avoid
installing useless host keys into $out/etc/ssh and improve built purity
as well.
2015-12-28 18:40:21 +02:00