(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
The GSSAPI patch is useful but maintained by Debian, not upstream, and
can be slow to update. To avoid breaking openssh_with_kerberos when
the openssh version is bumped but the GSSAPI patch has not been updated,
don't enable the GSSAPI patch implicitly but require it to be explicitly
enabled.
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
This patch is borrowed verbatim from Debian, where it is actively
maintained for each openssh update. It's also included in Fedora's
openssh package, in Arch linux as openssh-gssapi in the AUR, in MacOS
X, and presumably various other platforms and linux distros.
The main relevant parts of this patch:
- Adds several ssh_config options:
GSSAPIKeyExchange, GSSAPITrustDNS,
GSSAPIClientIdentity, GSSAPIServerIdentity
GSSAPIRenewalForcesRekey
- Optionally use an in-memory credentials cache api for security
My primary motivation for wanting the patch is the GSSAPIKeyExchange
and GSSAPITrustDNS features. My user ssh_config is shared across
several OSes, and it's a lot easier to manage if they all support the
same options.
The configure script tries to probe whether /var/run exists when
determining the location for the pid file, which is not very nice when
doing chroot builds. Just set it explicitly to avoid the problem.
For reference, the culprit in configure.ac:
````
piddir=/var/run
if test ! -d $piddir ; then
piddir=`eval echo ${sysconfdir}`
case $piddir in
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
esac
fi
AC_ARG_WITH([pid-dir],
[ --with-pid-dir=PATH Specify location of ssh.pid file],
...
````
Also, use the `install-nokeys` target in installPhase so we avoid
installing useless host keys into $out/etc/ssh and improve built purity
as well.
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.
For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
This patch also bumps up the HPN version of openssh so that it compiles
on top of 6.4. Along with the bump, a package was added for the high
performance networking version.
The gcmrekey patch was removed as this vulnerability is fixed in
version 6.4 onward. http://www.openssh.org/txt/gcmrekey.adv
Merge conflicts:
* unzip (almost trivial)
* dvswitch (trivial)
* gmp (copied result of `git merge`)
The last item introduced gmp-5.0.3, thus full rebuild.
+ensureDir->mkdir -p in TeX packages was catched by git but not svn.
svn path=/nixpkgs/branches/stdenv-updates/; revision=32091
Changed 'openssh' expression to allow for argument overriding instead of
relying on getPkgConfig. While I was at it, I also simplified the build
expression a bit.
svn path=/nixpkgs/trunk/; revision=21868
http://www.psc.edu/networking/projects/hpn-ssh/
I tried to keep the openssh hash not changing, unless the user sets hpn in getConfig
style. I think that does not look as good as a patch changing the hash, but it may
annoy less. Let me know if it is not ok.
I don't think hpn should be the default, because it may have some insecurity implications
I don't know of. But I used to enable it in all my machines, and I hope to do so unless
advised otherwise.
svn path=/nixpkgs/trunk/; revision=18073
The OpenSSH binaries built by the expression by default expect system-wide
configuration files in "/etc/ssh", which is a bit of an impurity (and certainly
inconsistent with the way other package handle --sysconfdir in Nix). Those who
prefer a clean installation, can now configure that directory path.
Adding the line "openssh = { etcDir = null; };" to $NIXPKGS_CONFIG configures
OpenSSH to use the default location, i.e. $out/etc. Setting that attribute to a
string will configure OpenSSH to use that concrete path instead.
svn path=/nixpkgs/trunk/; revision=17570
where "make install" installs the manpages under either "man" or
"cat" depending on whether it can run /usr/bin/groff (or something
like that).
svn path=/nixpkgs/trunk/; revision=9503