ssh-keysign is used for host-based authentication, and is designed to be used
as SUID-root program. OpenSSH defaults to referencing it from libexec, which
cannot be made SUID in Nix.
added openssh_gssapi to make it easier to test the patched version
the HPN edition isn't available on top of 7.9p1 yet
fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's
fixed.
release notes: https://www.openssh.com/txt/release-7.9
This can be disabled with the `withKerberos` flag if desired.
Make the relevant assertions lazy,
so that if an overlay is used to set kerberos to null,
a later override can explicitly set `withKerberos` to false.
Don't build with GSSAPI by default;
the patchset is large and a bit hairy,
and it is reasonable to follow upstream who has not merged it
in not enabling it by default.
* pkgs: refactor needless quoting of homepage meta attribute
A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.
* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit
* Fixed some instances
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.
Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
This reverts commit 277080fea0.
I had tested the server on my physical machine before pushing,
but the openssh test got broken so something is clearly wrong.
http://hydra.nixos.org/build/45500080
The two removed patches were for issues that should've been fixed.
Minor vulnerabilities addressed: CVE-2016-{10009,10010,10011,10012}.
https://www.openssh.com/txt/release-7.4
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow