Commit graph

108 commits

Author SHA1 Message Date
Aneesh Agrawal
7374105a96 openssh: Patch CVE-2016-8858
Also add myself as a maintainer.
2016-10-20 14:55:14 -04:00
Graham Christensen
83a8cb1dc2
openssh: apply patch to fix https://bugzilla.redhat.com/show_bug.cgi?id=1380296 2016-10-06 08:54:10 -04:00
Tuomas Tynkkynen
5bf5de58ea treewide: Fix 'lib.optional' misuses
These add a singleton list of a package to buildInputs.
2016-10-01 23:38:06 +03:00
Benjamin Staffin
43dcb662e7 openssh: update gssapi patch, fix the build 2016-09-14 23:35:26 -04:00
Robin Gloster
b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
Aneesh Agrawal
f6eae2efab openssh: 7.2p2 -> 7.3p1 (#17493)
Also remove patch for CVE-2015-8325 that has been fixed upstream.
2016-08-07 19:55:20 +02:00
Robin Gloster
203846b9de Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-19 10:37:02 +00:00
Rickard Nilsson
4f8f1c30cb openssh: Use the default privilege separation dir (/var/empty)
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)

If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-16 10:15:58 +02:00
Bjørn Forsman
2ad0a84751 Revert "openssh: Use the default privilege separation dir (/var/empty)"
This reverts commit a927709a35 because it
doesn't build:

$ nix-build -A openssh
...
mkdir /nix/store/yl2xap8n1by3dqxgc4rmrc4s753676a3-openssh-7.2p2/libexec
(umask 022 ; ./mkinstalldirs /var/empty)
mkdir /var
mkdir: cannot create directory '/var': Permission denied
mkdir /var/empty
mkdir: cannot create directory '/var/empty': No such file or directory
make: *** [Makefile:304: install-files] Error 1
builder for ‘/nix/store/ifygp4mqpv7l8cgp0njp8w7lmrl6brpp-openssh-7.2p2.drv’ failed with exit code 2
2016-07-15 12:42:37 +02:00
Rickard Nilsson
a927709a35 openssh: Use the default privilege separation dir (/var/empty)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-14 20:54:06 +02:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Aneesh Agrawal
6e4d06873f openssh: fix CVE-2015-8325
Debian Security Advisory: https://www.debian.org/security/2016/dsa-3550
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
2016-04-15 23:45:10 -04:00
Robin Gloster
696d85a62d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-03 11:01:57 +00:00
Eelco Dolstra
3fb1708427 ssh: Fix support for ssh-dss host keys 2016-04-01 15:54:52 +02:00
Robin Gloster
3f45f0948d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-15 01:44:24 +00:00
Aneesh Agrawal
2dd09b634e openssh: update homepage link
Unfortunately, the site is not available over HTTPS.
2016-03-10 18:40:00 -05:00
Aneesh Agrawal
e5ca25eb7a openssh: 7.2p1 -> 7.2p2 for OSA x11fwd.adv
Fixes OpenSSH Security Advisory x11fwd.adv, which is available at
http://www.openssh.com/txt/x11fwd.adv.
2016-03-10 18:01:33 -05:00
Aneesh Agrawal
ce74aac132 openssh: update GSSAPI patch to openssh 7.2 2016-03-08 16:11:56 -05:00
Aneesh Agrawal
9e86984fe0 openssh: decouple gssapi patch from kerberos
The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
2016-03-08 15:14:25 -05:00
Franz Pletz
e9fc4e7db6 Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-03-07 22:08:27 +01:00
joachifm
453686a24a Merge pull request #13705 from aneeshusa/use-bin-instead-of-sbin-for-openssh
openssh: use bin instead of sbin folder
2016-03-07 12:03:37 +00:00
Aneesh Agrawal
14201da332 openssh: allow building without linking openssl
http://undeadly.org/cgi?action=article&sid=20140430045723 has the
original announcement of this option. Note, openssl headers are still
required at build time, see this comment:
http://www.gossamer-threads.com/lists/openssh/dev/61125#61125
2016-03-06 16:36:55 -05:00
Aneesh Agrawal
bb39304ce6 openssh: use bin instead of sbin folder
References #11939.
2016-03-05 23:56:32 -05:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Robin Gloster
33f7d0b3f6 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-01 22:46:39 +00:00
Eelco Dolstra
cc71804ab0 openssh: Fix build 2016-03-01 22:25:17 +01:00
Aneesh Agrawal
7f8d50b443 openssh: 7.1p2 -> 7.2p1 2016-03-01 22:25:16 +01:00
Robin Gloster
b6279950bd openssh: enable pie hardening 2016-02-26 16:30:26 +00:00
Benjamin Staffin
29711967a2 openssh: update gssapi patch to match openssh version
Should fix the openssh_with_kerberos build.

Fixes #13140

(cherry picked from commit 3dae6c7e1e1eb64b3ceb2796eea1ad0ae1596688)
2016-02-20 22:22:01 -08:00
Eelco Dolstra
a7b7ac8bfb openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb67.
2016-02-01 16:31:43 +01:00
koral
a7f09e9773 openssh: 6.9p1 -> 7.1p2 2016-02-01 16:31:43 +01:00
Franz Pletz
2d65772950 openssh: Disable roaming (security fix)
Fixes CVE-2016-0777 and CVE-0216-0778.

Closes #12385.
2016-01-14 16:40:27 +01:00
Benjamin Staffin
67f4c2a779 openssh: Add gssapi patch used by other major distros
This patch is borrowed verbatim from Debian, where it is actively
maintained for each openssh update.  It's also included in Fedora's
openssh package, in Arch linux as openssh-gssapi in the AUR, in MacOS
X, and presumably various other platforms and linux distros.

The main relevant parts of this patch:
- Adds several ssh_config options:
  GSSAPIKeyExchange, GSSAPITrustDNS,
  GSSAPIClientIdentity, GSSAPIServerIdentity
  GSSAPIRenewalForcesRekey
- Optionally use an in-memory credentials cache api for security

My primary motivation for wanting the patch is the GSSAPIKeyExchange
and GSSAPITrustDNS features. My user ssh_config is shared across
several OSes, and it's a lot easier to manage if they all support the
same options.
2016-01-05 14:50:05 -08:00
Tuomas Tynkkynen
919d44d29f openssh: Compile with '--with-pid-dir' to improve build purity
The configure script tries to probe whether /var/run exists when
determining the location for the pid file, which is not very nice when
doing chroot builds. Just set it explicitly to avoid the problem.

For reference, the culprit in configure.ac:
````
piddir=/var/run
if test ! -d $piddir ; then
        piddir=`eval echo ${sysconfdir}`
        case $piddir in
                NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
        esac
fi

AC_ARG_WITH([pid-dir],
        [  --with-pid-dir=PATH     Specify location of ssh.pid file],
...

````

Also, use the `install-nokeys` target in installPhase so we avoid
installing useless host keys into $out/etc/ssh and improve built purity
as well.
2015-12-28 18:40:21 +02:00
Eelco Dolstra
2d4b6405b3 openssh: Apply some Fedora security backports 2015-08-20 14:08:21 +02:00
Eelco Dolstra
401782cb67 Revert "openssh: 6.9p1 -> 7.0p1"
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
2015-08-20 14:08:18 +02:00
William A. Kennington III
a8eb2a6a81 openssh: 6.9p1 -> 7.0p1 2015-08-11 10:59:12 -07:00
William A. Kennington III
243b2f79ce openssh: 6.8p1 -> 6.9p1 2015-07-06 19:30:02 -07:00
William A. Kennington III
81ace52e89 openssh: Refactor and install sample config files 2015-07-06 19:29:45 -07:00
William A. Kennington III
bea1c88205 openssh: 6.7p1 -> 6.8p1 2015-03-20 21:20:33 -07:00
Dan Peebles
3caa6f4d7d This doesn't hurt the current darwin stdenv and doesn't affect anything else, but is needed for the upcoming pure darwin stdenv 2015-02-18 01:19:59 -05:00
Franz Pletz
07e1566b7d fetchurl: add mirrors for OpenBSD (close #5551)
This changes source URLs for openssh and libressl accordingly.
2015-01-20 16:24:00 +01:00
Vladimír Čunát
abcb355453 restund, openssh_hpn: mark as broken 2014-11-27 01:19:24 +01:00
Eelco Dolstra
87419c016f openssh: Update to 6.7p1 2014-11-20 12:12:33 +01:00
Mateusz Kowalczyk
007f80c1d0 Turn more licenses into lib.licenses style
Should eval cleanly, as far as -A tarball tells me.

Relevant: issue #2999, issue #739
2014-11-06 00:48:16 +00:00
JB Giraudeau
04163fcc81 update hpn patch version to match openssh version
so that hpn_openssh is not boken anymore
2014-09-11 22:29:00 +02:00
Mateusz Kowalczyk
7a45996233 Turn some license strings into lib.licenses values 2014-07-28 11:31:14 +02:00
Eelco Dolstra
9b6eeecbde openssh: Fix broken URL 2014-05-22 12:11:52 +02:00
Vladimír Čunát
e50a76a469 openssh: fix CVE-2014-2653 by a Debian patch 2014-03-29 20:24:13 +01:00
Eelco Dolstra
d9f9bb1ab2 openssh: Update to 6.6p1
CVE-2014-2532

Note that this CVE only affects people who use AcceptEnv with
wildcards.
2014-03-20 12:39:00 +01:00