openssh: Build with Kerberos by default

This can be disabled with the `withKerberos` flag if desired.
Make the relevant assertions lazy,
so that if an overlay is used to set kerberos to null,
a later override can explicitly set `withKerberos` to false.

Don't build with the GSSAPI patches by default;
the patchset is large and a bit hairy,
and it is reasonable to follow upstream, which has not merged it,
by not enabling it by default.
Aneesh Agrawal 2017-12-25 14:51:40 -08:00 committed by Graham Christensen
parent 0cc73f2524
commit a232dd66ee
No known key found for this signature in database
GPG Key ID: ACA1C1D120C83D5C
4 changed files with 6 additions and 13 deletions


@ -69,7 +69,6 @@ in
[ (self: super: { [ (self: super: {
openssh = super.openssh.override { openssh = super.openssh.override {
hpnSupport = true; hpnSupport = true;
withKerberos = true;
kerberos = self.libkrb5; kerberos = self.libkrb5;
}; };
}; };


@ -1,15 +1,12 @@
{ stdenv, fetchurl, fetchpatch, zlib, openssl, perl, libedit, pkgconfig, pam, autoreconfHook { stdenv, fetchurl, fetchpatch, zlib, openssl, perl, libedit, pkgconfig, pam, autoreconfHook
, etcDir ? null , etcDir ? null
, hpnSupport ? false , hpnSupport ? false
, withKerberos ? false , withKerberos ? true
, withGssapiPatches ? false , withGssapiPatches ? false
, kerberos , kerberos
, linkOpenssl? true , linkOpenssl? true
}: }:
assert withKerberos -> kerberos != null;
assert withGssapiPatches -> withKerberos;
let let
# **please** update this patch when you update to a new openssh release. # **please** update this patch when you update to a new openssh release.
@ -23,8 +20,6 @@ let
in in
with stdenv.lib; with stdenv.lib;
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
# Please ensure that openssh_with_kerberos still builds when
# bumping the version here!
name = "openssh-${version}"; name = "openssh-${version}";
version = if hpnSupport then "7.5p1" else "7.6p1"; version = if hpnSupport then "7.5p1" else "7.6p1";
@ -47,7 +42,7 @@ stdenv.mkDerivation rec {
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch ./dont_create_privsep_path.patch
] ]
++ optional withGssapiPatches gssapiPatch; ++ optional withGssapiPatches (assert withKerberos; gssapiPatch);
postPatch = postPatch =
# On Hydra this makes installation fail (sometimes?), # On Hydra this makes installation fail (sometimes?),
@ -59,7 +54,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ pkgconfig ]; nativeBuildInputs = [ pkgconfig ];
buildInputs = [ zlib openssl libedit pam ] buildInputs = [ zlib openssl libedit pam ]
++ optional withKerberos kerberos ++ optional withKerberos kerberos
++ optional hpnSupport autoreconfHook; ++ optional hpnSupport autoreconfHook
;
preConfigure = '' preConfigure = ''
# Setting LD causes `configure' and `make' to disagree about which linker # Setting LD causes `configure' and `make' to disagree about which linker
@ -78,7 +74,7 @@ stdenv.mkDerivation rec {
"--disable-strip" "--disable-strip"
(if pam != null then "--with-pam" else "--without-pam") (if pam != null then "--with-pam" else "--without-pam")
] ++ optional (etcDir != null) "--sysconfdir=${etcDir}" ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
++ optional withKerberos "--with-kerberos5=${kerberos}" ++ optional withKerberos (assert kerberos != null; "--with-kerberos5=${kerberos}")
++ optional stdenv.isDarwin "--disable-libutil" ++ optional stdenv.isDarwin "--disable-libutil"
++ optional (!linkOpenssl) "--without-openssl"; ++ optional (!linkOpenssl) "--without-openssl";
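Review bot: The two assertions that used to sit at the top of the file now live inside `patches` (`assert withKerberos; gssapiPatch`) and `configureFlags` (`assert kerberos != null; ...`), and nothing in the code says why, so a later cleanup could hoist them back and break the overlay case the commit message describes. A comment next to them would keep that intent visible, for example `# Asserted lazily so that a later override can still set withKerberos = false after an overlay has set kerberos to null.` Separately, `withKerberos ? true` means every default build now passes `--with-kerberos5` and adds the Kerberos library to `buildInputs`, which enlarges the dependency set of a network-facing package. A short comment beside the parameter should say this is a compile-time default that `withKerberos = false` reverts. The derivation body continues outside the visible hunks.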


@ -142,6 +142,7 @@ mapAliases (rec {
rdmd = dtools; # added 2017-08-19 rdmd = dtools; # added 2017-08-19
robomongo = robo3t; #added 2017-09-28 robomongo = robo3t; #added 2017-09-28
rssglx = rss-glx; #added 2015-03-25 rssglx = rss-glx; #added 2015-03-25
openssh_with_kerberos = openssh; # added 2018-01-28
rubygems = throw "deprecated 2016-03-02: rubygems is now bundled with ruby"; rubygems = throw "deprecated 2016-03-02: rubygems is now bundled with ruby";
rxvt_unicode_with-plugins = rxvt_unicode-with-plugins; # added 2015-04-02 rxvt_unicode_with-plugins = rxvt_unicode-with-plugins; # added 2015-04-02
samsungUnifiedLinuxDriver = samsung-unified-linux-driver; # added 2016-01-25 samsungUnifiedLinuxDriver = samsung-unified-linux-driver; # added 2016-01-25


@ -3886,15 +3886,12 @@ with pkgs;
openssh = openssh =
callPackage ../tools/networking/openssh { callPackage ../tools/networking/openssh {
hpnSupport = false; hpnSupport = false;
withKerberos = stdenv.isDarwin;
etcDir = "/etc/ssh"; etcDir = "/etc/ssh";
pam = if stdenv.isLinux then pam else null; pam = if stdenv.isLinux then pam else null;
}; };
openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; }); openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; });
openssh_with_kerberos = pkgs.appendToName "with-kerberos" (openssh.override { withKerberos = true; });
opensp = callPackage ../tools/text/sgml/opensp { }; opensp = callPackage ../tools/text/sgml/opensp { };
opentracker = callPackage ../applications/networking/p2p/opentracker { }; opentracker = callPackage ../applications/networking/p2p/opentracker { };