Commit Graph

136 Commits

Author SHA1 Message Date
edef
9bfec806df openssh: don't let configure override SSH_KEYSIGN
While 9fe10288f0 ensured that the
ssh-keysign path is searched for in PATH if not absolute,
it doesn't prevent the configure script from defaulting to an
absolute path in $out/libexec, making the whole effort rather
pointless.
2019-10-19 12:13:36 +00:00
edef
e6d641d957 openssh: mark hpnSupport as broken
We're hoping to deprecate HPN support, given that as far as we
can tell, nobody is using it, and the patches seem rather unmaintained.
2019-10-19 12:05:27 +00:00
Will Dietz
9199729df4 openssh: 7.9p1 -> 8.1p1
https://www.openwall.com/lists/oss-security/2019/04/18/1
2019-10-19 12:04:02 +00:00
volth
46420bbaa3 treewide: name -> pname (easy cases) (#66585)
treewide replacement of

stdenv.mkDerivation rec {
  name = "*-${version}";
  version = "*";

to pname
2019-08-15 13:41:18 +01:00
edef
9fe10288f0 openssh: use ssh-keysign from PATH
ssh-keysign is used for host-based authentication, and is designed to be used
as SUID-root program. OpenSSH defaults to referencing it from libexec, which
cannot be made SUID in Nix.
2019-07-31 12:19:36 +00:00
Andreas Rammhold
6d3a653f10
openssh: apply CVE-2018-20685 patch 2019-01-13 21:26:05 +01:00
Jörg Thalheim
3681fa5456
direnv: make cross-compile on windows 2018-11-24 10:43:47 +00:00
zimbatm
2337c7522a
openssh: 7.7p1 -> 7.9p1 (#48784)
added openssh_gssapi to make it easier to test the patched version

the HPN edition isn't available on top of 7.9p1 yet

fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's
fixed.

release notes: https://www.openssh.com/txt/release-7.9
2018-10-26 01:17:55 +02:00
Vladimír Čunát
c2e6ca501e
openssh: fix tunnel forwarding (upstream patch)
Close #48031, fixes #48016.  I didn't use the PR commit
because I think it's better to fetch the patch.
2018-10-08 12:00:38 +02:00
volth
52f53c69ce pkgs/*: remove unreferenced function arguments 2018-07-21 02:48:04 +00:00
Aneesh Agrawal
2e2cbda290 openssh: 7.6p1 -> 7.7p1
Release notes at https://www.openssh.com/txt/release-7.7;
primarily bugfixes.

Update ssh-hpn as well.

Switch to salsa.debian.org (from anonscm.debian.org).
2018-05-23 12:18:15 +03:00
Silvan Mosberger
734bae2036
openssh_hpn: 7.5p1 -> 7.6p1 2018-04-07 00:32:51 +02:00
Graham Christensen
e2a54266c4
openssh: Build with Kerberos by default
This reverts commit 09696e32c390c232ec7ac506df6457fb93c1f536.
which reverted f596aa0f4a
to move it to staging
2018-01-28 16:36:01 -05:00
Graham Christensen
15a4977409
Revert "openssh: Build with Kerberos by default"
This reverts commit a232dd66ee.

Moving to staging
2018-01-28 16:36:01 -05:00
Aneesh Agrawal
716d1612af
openssh: Build with Kerberos by default
This can be disabled with the `withKerberos` flag if desired.
Make the relevant assertions lazy,
so that if an overlay is used to set kerberos to null,
a later override can explicitly set `withKerberos` to false.

Don't build with GSSAPI by default;
the patchset is large and a bit hairy,
and it is reasonable to follow upstream who has not merged it
in not enabling it by default.
2018-01-28 16:36:00 -05:00
Orivej Desh
ac522cbe95
Merge pull request #30137 from aneeshusa/update-openssh-to-7.6p1
openssh: 7.5p1 -> 7.6p1
2017-11-11 01:23:41 +00:00
Aneesh Agrawal
d473ef2ed2 openssh: 7.5p1 -> 7.6p1
Release notes are available at https://www.openssh.com/txt/release-7.6.
Mostly a bugfix release, no major backwards-incompatible changes.
2017-10-06 16:38:18 -04:00
John Ericson
531e4b80c9 misc pkgs: Basic sed to get fix pkgconfig and autoreconfHook buildInputs
Only acts on one-line dependency lists.
2017-09-21 15:49:53 -04:00
Jörg Thalheim
7786aab173 openssh: update gssapi patch 2017-09-12 14:28:33 +01:00
Silvan Mosberger
f5fa5fa4d6 pkgs: refactor needless quoting of homepage meta attribute (#27809)
* pkgs: refactor needless quoting of homepage meta attribute

A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.

* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit

* Fixed some instances
2017-08-01 22:03:30 +02:00
Thomas Tuegel
c1c314c36f
openssh: unset LD
Commit 093cc00cdd, sets the LD environment
variable by default, but this confuses the openssh Makefile because `configure'
does not respect it.
2017-07-21 15:44:33 -05:00
Vladimír Čunát
445b107d93
openssh: fixup build on Hydra
http://hydra.nixos.org/build/53993444
2017-06-07 09:33:56 +02:00
Tristan Helmich
c395568b7a
openssh_hpn: use new sources and version (7_5_P1)
Close #23990.
2017-04-14 12:22:15 +02:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
2017-04-10 19:39:22 -04:00
Vladimír Čunát
0163f0c427
openssh: update the gssapi patch
Only building was tested.
2016-12-29 17:04:58 -05:00
Graham Christensen
11e8ed5ff4
Revert "Revert "openssh: security 7.3p1 -> 7.4p1""
This reverts commit 661b5a9875.
2016-12-29 17:04:39 -05:00
Vladimír Čunát
661b5a9875
Revert "openssh: security 7.3p1 -> 7.4p1"
This reverts commit 277080fea0.

I had tested the server on my physical machine before pushing,
but the openssh test got broken so something is clearly wrong.
http://hydra.nixos.org/build/45500080
2016-12-25 22:15:56 +01:00
Vladimír Čunát
277080fea0
openssh: security 7.3p1 -> 7.4p1
The two removed patches were for issues that should've been fixed.
Minor vulnerabilities addressed: CVE-2016-{10009,10010,10011,10012}.
https://www.openssh.com/txt/release-7.4
2016-12-25 18:42:55 +01:00
Aneesh Agrawal
7374105a96 openssh: Patch CVE-2016-8858
Also add myself as a maintainer.
2016-10-20 14:55:14 -04:00
Graham Christensen
83a8cb1dc2
openssh: apply patch to fix https://bugzilla.redhat.com/show_bug.cgi?id=1380296 2016-10-06 08:54:10 -04:00
Tuomas Tynkkynen
5bf5de58ea treewide: Fix 'lib.optional' misuses
These add a singleton list of a package to buildInputs.
2016-10-01 23:38:06 +03:00
Benjamin Staffin
43dcb662e7 openssh: update gssapi patch, fix the build 2016-09-14 23:35:26 -04:00
Robin Gloster
b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
Aneesh Agrawal
f6eae2efab openssh: 7.2p2 -> 7.3p1 (#17493)
Also remove patch for CVE-2015-8325 that has been fixed upstream.
2016-08-07 19:55:20 +02:00
Robin Gloster
203846b9de Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-19 10:37:02 +00:00
Rickard Nilsson
4f8f1c30cb openssh: Use the default privilege separation dir (/var/empty)
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)

If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-16 10:15:58 +02:00
Bjørn Forsman
2ad0a84751 Revert "openssh: Use the default privilege separation dir (/var/empty)"
This reverts commit a927709a35 because it
doesn't build:

$ nix-build -A openssh
...
mkdir /nix/store/yl2xap8n1by3dqxgc4rmrc4s753676a3-openssh-7.2p2/libexec
(umask 022 ; ./mkinstalldirs /var/empty)
mkdir /var
mkdir: cannot create directory '/var': Permission denied
mkdir /var/empty
mkdir: cannot create directory '/var/empty': No such file or directory
make: *** [Makefile:304: install-files] Error 1
builder for ‘/nix/store/ifygp4mqpv7l8cgp0njp8w7lmrl6brpp-openssh-7.2p2.drv’ failed with exit code 2
2016-07-15 12:42:37 +02:00
Rickard Nilsson
a927709a35 openssh: Use the default privilege separation dir (/var/empty)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-14 20:54:06 +02:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Aneesh Agrawal
6e4d06873f openssh: fix CVE-2015-8325
Debian Security Advisory: https://www.debian.org/security/2016/dsa-3550
Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
2016-04-15 23:45:10 -04:00
Robin Gloster
696d85a62d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-03 11:01:57 +00:00
Eelco Dolstra
3fb1708427 ssh: Fix support for ssh-dss host keys 2016-04-01 15:54:52 +02:00
Robin Gloster
3f45f0948d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-15 01:44:24 +00:00
Aneesh Agrawal
2dd09b634e openssh: update homepage link
Unfortunately, the site is not available over HTTPS.
2016-03-10 18:40:00 -05:00
Aneesh Agrawal
e5ca25eb7a openssh: 7.2p1 -> 7.2p2 for OSA x11fwd.adv
Fixes OpenSSH Security Advisory x11fwd.adv, which is available at
http://www.openssh.com/txt/x11fwd.adv.
2016-03-10 18:01:33 -05:00
Aneesh Agrawal
ce74aac132 openssh: update GSSAPI patch to openssh 7.2 2016-03-08 16:11:56 -05:00
Aneesh Agrawal
9e86984fe0 openssh: decouple gssapi patch from kerberos
The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
2016-03-08 15:14:25 -05:00
Franz Pletz
e9fc4e7db6 Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-03-07 22:08:27 +01:00
joachifm
453686a24a Merge pull request #13705 from aneeshusa/use-bin-instead-of-sbin-for-openssh
openssh: use bin instead of sbin folder
2016-03-07 12:03:37 +00:00
Aneesh Agrawal
14201da332 openssh: allow building without linking openssl
http://undeadly.org/cgi?action=article&sid=20140430045723 has the
original announcement of this option. Note, openssl headers are still
required at build time, see this comment:
http://www.gossamer-threads.com/lists/openssh/dev/61125#61125
2016-03-06 16:36:55 -05:00