From 9fe10288f01984963faf47e21bf1bae4d7d37962 Mon Sep 17 00:00:00 2001 From: edef Date: Thu, 20 Jun 2019 17:15:33 +0000 Subject: [PATCH] openssh: use ssh-keysign from PATH ssh-keysign is used for host-based authentication, and is designed to be used as SUID-root program. OpenSSH defaults to referencing it from libexec, which cannot be made SUID in Nix. --- pkgs/tools/networking/openssh/default.nix | 2 ++ .../networking/openssh/ssh-keysign.patch | 29 +++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 pkgs/tools/networking/openssh/ssh-keysign.patch diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 6ce574b9cdc4..24adb554bc18 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -50,6 +50,8 @@ stdenv.mkDerivation rec { url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch; sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds"; }) + + ./ssh-keysign.patch ] ++ optional withGssapiPatches (assert withKerberos; gssapiPatch); diff --git a/pkgs/tools/networking/openssh/ssh-keysign.patch b/pkgs/tools/networking/openssh/ssh-keysign.patch new file mode 100644 index 000000000000..7258f4a4db15 --- /dev/null +++ b/pkgs/tools/networking/openssh/ssh-keysign.patch 
@@ -0,0 +1,29 @@
+diff --git a/pathnames.h b/pathnames.h
+index cb44caa4..354fdf05 100644
+--- a/pathnames.h
++++ b/pathnames.h
+@@ -124,7 +124,7 @@
+
+ /* Location of ssh-keysign for hostbased authentication */
+ #ifndef _PATH_SSH_KEY_SIGN
+-#define _PATH_SSH_KEY_SIGN "/usr/libexec/ssh-keysign"
++#define _PATH_SSH_KEY_SIGN "ssh-keysign"
+ #endif
+
+ /* Location of ssh-pkcs11-helper to support keys in tokens */
+diff --git a/sshconnect2.c b/sshconnect2.c
+index dffee90b..e9a86e59 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1879,7 +1879,7 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
+ closefrom(sock + 1);
+ debug3("%s: [child] pid=%ld, exec %s",
+ __func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
+- execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
++ execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+ fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
+ strerror(errno));
+ }
+--
+2.22.0
+
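Review bot: Switching to `execlp` with the bare name `"ssh-keysign"` makes the helper that actually runs depend on the caller's PATH, which nothing in this hunk sanitizes: an unset PATH falls back to the libc default search list, an empty or relative entry resolves against the current directory, and a non-setuid copy earlier in PATH (a user-profile openssh, presumably) will shadow the setuid one and make hostbased authentication fail with a message that no longer names the path tried, since `debug3` and `fatal` now print only `ssh-keysign`. This is not a privilege boundary, because ssh runs as the invoking user who already controls the environment, so the concern is reliability and diagnosability rather than escalation. Since `pathnames.h` wraps the define in `#ifndef _PATH_SSH_KEY_SIGN`, the derivation could instead inject an absolute path to wherever the setuid copy is installed (a `-D_PATH_SSH_KEY_SIGN=\"…\"` compile flag) and leave `execl` untouched; if PATH lookup is the deliberate design, add a comment above the call such as `/* bare name on purpose: resolved via PATH so a setuid copy outside the store can be found */` so the next reader does not "fix" it back. `ssh_keysign` begins and ends outside the hunk.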