3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

127 commits

Author SHA1 Message Date
Franz Pletz 2d65772950 openssh: Disable roaming (security fix)
Fixes CVE-2016-0777 and CVE-0216-0778.

Closes #12385.
2016-01-14 16:40:27 +01:00
Benjamin Staffin 67f4c2a779 openssh: Add gssapi patch used by other major distros
This patch is borrowed verbatim from Debian, where it is actively
maintained for each openssh update.  It's also included in Fedora's
openssh package, in Arch linux as openssh-gssapi in the AUR, in MacOS
X, and presumably various other platforms and linux distros.

The main relevant parts of this patch:
- Adds several ssh_config options:
  GSSAPIKeyExchange, GSSAPITrustDNS,
  GSSAPIClientIdentity, GSSAPIServerIdentity
  GSSAPIRenewalForcesRekey
- Optionally use an in-memory credentials cache api for security

My primary motivation for wanting the patch is the GSSAPIKeyExchange
and GSSAPITrustDNS features. My user ssh_config is shared across
several OSes, and it's a lot easier to manage if they all support the
same options.
2016-01-05 14:50:05 -08:00
Tuomas Tynkkynen 919d44d29f openssh: Compile with '--with-pid-dir' to improve build purity
The configure script tries to probe whether /var/run exists when
determining the location for the pid file, which is not very nice when
doing chroot builds. Just set it explicitly to avoid the problem.

For reference, the culprit in configure.ac:
````
piddir=/var/run
if test ! -d $piddir ; then
        piddir=`eval echo ${sysconfdir}`
        case $piddir in
                NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
        esac
fi

AC_ARG_WITH([pid-dir],
        [  --with-pid-dir=PATH     Specify location of ssh.pid file],
...

````

Also, use the `install-nokeys` target in installPhase so we avoid
installing useless host keys into $out/etc/ssh and improve built purity
as well.
2015-12-28 18:40:21 +02:00
Eelco Dolstra 2d4b6405b3 openssh: Apply some Fedora security backports 2015-08-20 14:08:21 +02:00
Eelco Dolstra 401782cb67 Revert "openssh: 6.9p1 -> 7.0p1"
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
2015-08-20 14:08:18 +02:00
William A. Kennington III a8eb2a6a81 openssh: 6.9p1 -> 7.0p1 2015-08-11 10:59:12 -07:00
William A. Kennington III 243b2f79ce openssh: 6.8p1 -> 6.9p1 2015-07-06 19:30:02 -07:00
William A. Kennington III 81ace52e89 openssh: Refactor and install sample config files 2015-07-06 19:29:45 -07:00
William A. Kennington III bea1c88205 openssh: 6.7p1 -> 6.8p1 2015-03-20 21:20:33 -07:00
Dan Peebles 3caa6f4d7d This doesn't hurt the current darwin stdenv and doesn't affect anything else, but is needed for the upcoming pure darwin stdenv 2015-02-18 01:19:59 -05:00
Franz Pletz 07e1566b7d fetchurl: add mirrors for OpenBSD (close #5551)
This changes source URLs for openssh and libressl accordingly.
2015-01-20 16:24:00 +01:00
Vladimír Čunát abcb355453 restund, openssh_hpn: mark as broken 2014-11-27 01:19:24 +01:00
Eelco Dolstra 87419c016f openssh: Update to 6.7p1 2014-11-20 12:12:33 +01:00
Mateusz Kowalczyk 007f80c1d0 Turn more licenses into lib.licenses style
Should eval cleanly, as far as -A tarball tells me.

Relevant: issue #2999, issue #739
2014-11-06 00:48:16 +00:00
JB Giraudeau 04163fcc81 update hpn patch version to match openssh version
so that hpn_openssh is not boken anymore
2014-09-11 22:29:00 +02:00
Mateusz Kowalczyk 7a45996233 Turn some license strings into lib.licenses values 2014-07-28 11:31:14 +02:00
Eelco Dolstra 9b6eeecbde openssh: Fix broken URL 2014-05-22 12:11:52 +02:00
Vladimír Čunát e50a76a469 openssh: fix CVE-2014-2653 by a Debian patch 2014-03-29 20:24:13 +01:00
Eelco Dolstra d9f9bb1ab2 openssh: Update to 6.6p1
CVE-2014-2532

Note that this CVE only affects people who use AcceptEnv with
wildcards.
2014-03-20 12:39:00 +01:00
Vladimír Čunát f33d50c04e openssh_hpn: mark as broken ATM, cf. #1640 2014-02-01 09:08:13 +01:00
William A. Kennington III 62e78f6b23 openssh: Upgrade from 6.4p1 -> 6.5p1 2014-01-31 14:51:25 +01:00
William A. Kennington III c4e03f0739 openssh: Update from 6.2p2 -> 6.4p1
This patch also bumps up the HPN version of openssh so that it compiles
on top of 6.4. Along with the bump, a package was added for the high
performance networking version.

The gcmrekey patch was removed as this vulnerability is fixed in
version 6.4 onward. http://www.openssh.org/txt/gcmrekey.adv
2013-12-30 02:42:12 -06:00
Eelco Dolstra 52ad0eaca5 openssh: Security fix
CVE-2013-4548
2013-11-08 16:42:59 +01:00
Domen Kožar 9726dded27 openssh: build on unix platforms 2013-10-29 17:47:38 +01:00
Christophe Raffalli 2c089337e7 OpenSSH: add Kerberos support 2013-08-22 12:53:06 +03:00
Eelco Dolstra 7fc87a865e openssh: Update to 6.2p2 2013-08-12 14:50:55 +02:00
Eelco Dolstra acba9240cd nixos.org/tarballs -> tarballs.nixos.org
It's currently the same machine, but tarballs.nixos.org should become
an S3/CloudFront site eventually.
2013-06-25 14:12:16 +02:00
Eelco Dolstra 4d5ba15ea9 openssh: Update to 6.2p1 2013-04-12 15:27:13 +02:00
Shea Levy aacca1902c Merge branch 'upstream-master' into stdenv-updates 2013-02-19 10:09:39 -05:00
Eelco Dolstra 3a1d3990e5 openssh: Just use a mirror of the HPN patch 2013-02-19 11:03:10 +01:00
Lluís Batlle i Rossell cde20d6951 Fixing openssh hpn support for 6.1p1
I had to write a weird download derivation to overcome their download procedure.
2013-02-19 10:50:50 +01:00
Eelco Dolstra 3fa03df78c openssh: Remvoe unused Perl dependency
Since "buildNativeInputs" was misspelled, Perl is not actually used.
2012-12-28 19:26:28 +01:00
Eelco Dolstra 2322899a1f openssh: Update to 6.1p1 2012-09-18 17:01:08 -04:00
Eelco Dolstra 69c66055b7 * OpenSSH 6.0.
svn path=/nixpkgs/trunk/; revision=33988
2012-05-05 14:42:17 +00:00
Yury G. Kudryashov 215a07c1a9 svn merge ^/nixpkgs/trunk
Merge conflicts:
* unzip (almost trivial)
* dvswitch (trivial)
* gmp (copied result of `git merge`)

The last item introduced gmp-5.0.3, thus full rebuild.
+ensureDir->mkdir -p in TeX packages was catched by git but not svn.

svn path=/nixpkgs/branches/stdenv-updates/; revision=32091
2012-02-06 23:03:12 +00:00
Eelco Dolstra 4fe11e8438 * OpenSSH updated to 5.9p1.
svn path=/nixpkgs/trunk/; revision=31939
2012-01-31 11:01:12 +00:00
Eelco Dolstra c556a6ea46 * "ensureDir" -> "mkdir -p". "ensureDir" is a rather pointless
function, so obsolete it.

svn path=/nixpkgs/branches/stdenv-updates/; revision=31644
2012-01-18 20:16:00 +00:00
Eelco Dolstra 80d963dee0 * OpenSSH 5.8p2.
svn path=/nixpkgs/trunk/; revision=27223
2011-05-11 13:44:18 +00:00
Lluís Batlle i Rossell 68cb3535e1 Making openssh cross-build. And making linux-pam almost cross-build, I think.
This allows me to put sftp-server in the nanonote and use it through dropbear.


svn path=/nixpkgs/trunk/; revision=26971
2011-04-25 15:41:32 +00:00
Lluís Batlle i Rossell f4b6ea9ebc the hpn-ssh needs -lgcc_s, because of its pthread_cancel at the end.
svn path=/nixpkgs/trunk/; revision=26833
2011-04-13 20:44:17 +00:00
Lluís Batlle i Rossell 49a08c4f97 Updating the hpn-ssh patch.
svn path=/nixpkgs/trunk/; revision=26831
2011-04-13 20:24:06 +00:00
Eelco Dolstra 209939f6f2 * OpenSSH 5.8.
svn path=/nixpkgs/trunk/; revision=25808
2011-02-08 13:13:34 +00:00
Eelco Dolstra 412bd09ec1 * OpenSSH 5.6.
svn path=/nixpkgs/trunk/; revision=23432
2010-08-25 21:12:36 +00:00
Peter Simons 3353ed9c88 pkgs/top-level/all-packages.nix, pkgs/tools/networking/openssh: prefer makeOverridable over getPkgConfig to customize openssh
Changed 'openssh' expression to allow for argument overriding instead of
relying on getPkgConfig. While I was at it, I also simplified the build
expression a bit.

svn path=/nixpkgs/trunk/; revision=21868
2010-05-19 12:26:06 +00:00
Lluís Batlle i Rossell 8b311ba757 Adding the openssh patch I forgot in a recent commit
svn path=/nixpkgs/trunk/; revision=21681
2010-05-09 12:53:46 +00:00
Lluís Batlle i Rossell b7af00b889 Making openssh pass the LOCALE_ARCHIVE variable to the forked session processes,
so the session 'bash' will receive the proper locale archive, and thus process
UTF-8 properly.

svn path=/nixpkgs/trunk/; revision=21678
2010-05-09 12:44:09 +00:00
Lluís Batlle i Rossell c12db8f8dc I wrote wrong the openssh url. Btw, I changed the source server, because the old
mirror at Ultrech did not have the latest openssh even 6 days after the
5.5 release.

svn path=/nixpkgs/trunk/; revision=21247
2010-04-22 20:12:09 +00:00
Lluís Batlle i Rossell 5d04ec0364 Updating openssh, fixing libedit for openssh to link well with it, and... here we
finally have sftp with some kind of 'readline'!

svn path=/nixpkgs/trunk/; revision=21246
2010-04-22 18:16:18 +00:00
Eelco Dolstra b377b0233b * OpenSSH updated to 5.4.
svn path=/nixpkgs/trunk/; revision=20567
2010-03-11 16:08:55 +00:00
Eelco Dolstra 0e212964fb * openssh: Install the moduli file.
svn path=/nixpkgs/trunk/; revision=19753
2010-02-01 17:04:07 +00:00
Eelco Dolstra 947e2c71ad * openssh updated to 5.3p1. Also enabled the HPN patch by default.
svn path=/nixpkgs/trunk/; revision=19752
2010-02-01 16:56:10 +00:00
Lluís Batlle i Rossell 3cc62cefa8 Finally I decided to add High Performance SSH.
http://www.psc.edu/networking/projects/hpn-ssh/

I tried to keep the openssh hash not changing, unless the user sets hpn in getConfig
style. I think that does not look as good as a patch changing the hash, but it may
annoy less. Let me know if it is not ok.

I don't think hpn should be the default, because it may have some insecurity implications
I don't know of. But I used to enable it in all my machines, and I hope to do so unless
advised otherwise.

svn path=/nixpkgs/trunk/; revision=18073
2009-11-02 21:49:06 +00:00
Lluís Batlle i Rossell 5704c1854d Fixing openssh build, so it doesn't try to put anything in /etc/ssh (and of course, it doesn't
fail if /etc/ssh/sshd_config can't be overwritten, which was my main motivation on this patch)

svn path=/nixpkgs/trunk/; revision=17573
2009-10-01 13:06:41 +00:00
Peter Simons 9a833f026b OpenSSH: allow users to configure --sysconfdir via $NIXPKGS_CONFIG
The OpenSSH binaries built by the expression by default expect system-wide
configuration files in "/etc/ssh", which is a bit of an impurity (and certainly
inconsistent with the way other package handle --sysconfdir in Nix). Those who
prefer a clean installation, can now configure that directory path.

Adding the line "openssh = { etcDir = null; };" to $NIXPKGS_CONFIG configures
OpenSSH to use the default location, i.e. $out/etc. Setting that attribute to a
string will configure OpenSSH to use that concrete path instead.

svn path=/nixpkgs/trunk/; revision=17570
2009-10-01 12:07:33 +00:00
Eelco Dolstra 7d45b35d1e * OpenSSH 5.2.
svn path=/nixpkgs/trunk/; revision=15689
2009-05-23 16:14:26 +00:00
Eelco Dolstra f679021d11 * OpenSSH updated to 5.1p1.
svn path=/nixpkgs/trunk/; revision=13579
2008-12-04 13:16:38 +00:00
Eelco Dolstra 87d67364d8 * Use /etc/ssh/ssh_config to allow system-wide ssh configuration.
svn path=/nixpkgs/trunk/; revision=9853
2007-12-04 12:28:22 +00:00
Eelco Dolstra deb889e5f2 * OpenSSH 4.7p1. Also pass --with-mantype=man to prevent an impurity
where "make install" installs the manpages under either "man" or
  "cat" depending on whether it can run /usr/bin/groff (or something
  like that).

svn path=/nixpkgs/trunk/; revision=9503
2007-10-22 11:41:30 +00:00
Eelco Dolstra 1852a7d0f3 * Install ssh-copy-id from the contrib directory.
svn path=/nixpkgs/trunk/; revision=8700
2007-05-15 13:10:41 +00:00
Armijn Hemel 3463f1deeb new openssh
svn path=/nixpkgs/trunk/; revision=8394
2007-03-21 00:34:34 +00:00
Eelco Dolstra 35a9f7ecb6 * Remove the xauth dependency in openssh. We can set the xauth path
in sshd_config.

svn path=/nixpkgs/trunk/; revision=7547
2007-01-07 10:18:34 +00:00
Eelco Dolstra c63c32e3b2 * OpenSSH 4.5p1 (old version was ancient!).
svn path=/nixpkgs/trunk/; revision=7541
2007-01-06 16:53:10 +00:00
Eelco Dolstra e09f8061b7 * OpenSSH: optionally use PAM.
* Some purity fixes in OpenSSH: it needs Perl, and we now specify a
  location for the empty privsep directory.

svn path=/nixpkgs/trunk/; revision=7310
2006-12-11 03:24:35 +00:00
Eelco Dolstra ef9b025dbe * Remove a bunch of unused Nix expressions.
svn path=/nixpkgs/trunk/; revision=6716
2006-10-12 15:43:01 +00:00
Eelco Dolstra 1442e8ec22 * Copy a bunch of files to nix.cs.uu.nl.
svn path=/nixpkgs/trunk/; revision=6711
2006-10-12 13:50:54 +00:00
Armijn Hemel 2389b06fe7 add openssh 4.3p2
svn path=/nixpkgs/trunk/; revision=5595
2006-07-05 16:09:43 +00:00
Armijn Hemel 6a42433ee4 make X forwarding optional. If enabled "xauth" is a dependency
svn path=/nixpkgs/trunk/; revision=4573
2006-01-17 18:48:18 +00:00
Armijn Hemel 41047b0fc5 don't have the privilege seperation path in the store
svn path=/nixpkgs/trunk/; revision=4360
2005-12-13 12:48:12 +00:00
Eelco Dolstra 82e678362f * "." -> "source".
svn path=/nixpkgs/trunk/; revision=4335
2005-12-05 14:11:09 +00:00
Eelco Dolstra 454707da23 * catamaran.labs.cs.uu.nl -> nix.cs.uu.nl.
svn path=/nixpkgs/trunk/; revision=3660
2005-08-22 08:39:27 +00:00
Eelco Dolstra e6744d0f89 * Merge diff between trunk/pkgs@1646 and branches/nixos-pkgs@2256;
this contains mostly Armijn's pure stdenv-linux.

* After unpacking the statically linked GCC, patch all store paths to
  /nix/store/ffffffffffffffffffffffffffffffff.  Ugly hack to prevent
  undeclared references but it works.

* We don't need Glib's dynamic libraries in the first bootstrap stage;
  delete them.  Actually the downloaded Glibc binary is only needed
  for building Glibc, since GCC needs a C compiler to build some
  programs in `configure'.  So static linking is fine for that.  Maybe
  it would be better to patch `configure' so that we don't need a
  pre-built Glibc at all.

* Set the svn:executable property on `cp' and `patchelf'.

* In Glibc, revert to LinuxThreads.  Maybe NPTL will work, but TLS
  support is a problem.

* Delete most Glibc patches; they're no longer needed since the branch
  updated it to 20050110.
  
* Some cleanups.

svn path=/nixpkgs/trunk/; revision=2258
2005-02-21 16:03:34 +00:00
Eelco Dolstra e42507d182 * Move tarballs to catamaran so that we are no longer dependent on a
gazillion different servers.  Resurrected some 25 missing files.

svn path=/nixpkgs/trunk/; revision=2237
2005-02-15 14:44:19 +00:00
Armijn Hemel a8d8a8f82c don't install keys. The Nix scripts empty the whole environment, including
some variables that are used by ssh-keygen.

svn path=/nixpkgs/branches/nixos-pkgs/; revision=2001
2005-01-10 15:33:43 +00:00
Armijn Hemel 6537afc279 we no longer need this patch
svn path=/nixpkgs/branches/nixos-pkgs/; revision=1999
2005-01-10 11:37:56 +00:00
Armijn Hemel baf430cd23 don't let openssh generate a new hostkey when installing, let this be done afterwards by the sysadmin
svn path=/nixpkgs/branches/nixos-pkgs/; revision=1947
2004-12-24 14:10:19 +00:00
Armijn Hemel 4812b512f1 remove the generated keys (good? bad? not sure) and change the permissions of
the keysign binary. This is because of suid-nix on which the NixOS scripts barf

svn path=/nixpkgs/trunk/; revision=1366
2004-08-30 13:53:48 +00:00
Armijn Hemel ae04cf09b2 add OpenSSH client + server, needs a lot of thorough testing with regards to server configuration, this will be the test case for NixOS. No PAM configs, might need tweaking, etc.
svn path=/nixpkgs/trunk/; revision=1210
2004-08-02 11:55:31 +00:00