# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4 # $Id$ PortSystem 1.0 name openssh version 6.9p1 revision 0 categories net platforms darwin maintainers nomaintainer license BSD installs_libs no description OpenSSH secure login server long_description OpenSSH is a FREE version of the SSH protocol suite of \ network connectivity tools that increasing numbers of people on the \ Internet are coming to rely on. Many users of telnet, rlogin, ftp, \ and other such programs might not realize that their password is \ transmitted across the Internet unencrypted, but it is. OpenSSH \ encrypts all traffic (including passwords) to effectively eliminate \ eavesdropping, connection hijacking, and other network-level \ attacks. Additionally, OpenSSH provides a myriad of secure \ tunneling capabilities, as well as a variety of authentication \ methods. homepage http://www.openbsd.org/openssh/ checksums ${distfiles} \ rmd160 4fb2f0a0280db51024bf72b0f5cd3912d25cb59a \ sha256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe master_sites openbsd:OpenSSH/portable \ ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \ ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \ ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \ ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \ ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/ depends_lib port:openssl \ port:zlib # the HPN patch needs this, so rewrite all other patches to support it, too patch.args -p1 patchfiles launchd.patch \ pam.patch \ patch-sandbox-darwin.c-apple-sandbox-named-external.diff \ patch-sshd.c-apple-sandbox-named-external.diff # We need a couple of patches # - pam.patch # getpwnam(3) on OS X always returns "*********" in the pw_passwd field even # when run as root, so it can't be used for authentication. This patch just # forces the use of PAM regardless of the configuration. # - patch-*-apple-sandbox-named-external.diff # Use Apple's sandbox_init(3) in addition to standard privilege separation. # This requires a sandbox profile (which we provide) and the sandbox_init(3) # call before the chroot(2) to privsep-path ($prefix/var/empty), or it will # fail to load the sandbox description and libsandbox.1.dylib. post-patch { # reinplace prefix in path to sandbox definition added by # patch-sandbox-darwin.c-apple-sandbox-named-external.diff reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c } # Use Apple's sandboxing feature configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ configure.ldflags-append -Wl,-search_paths_first configure.args --with-ssl-dir=${prefix} \ --sysconfdir=${prefix}/etc/ssh \ --with-privsep-path=/var/empty \ --with-md5-passwords \ --with-pid-dir=${prefix}/var/run \ --with-tcp-wrappers \ --with-pam \ --mandir=${prefix}/share/man \ --with-zlib=${prefix} \ --without-kerberos5 \ --with-libedit \ --with-pie \ --without-xauth use_parallel_build yes destroot.target install-nokeys test.run yes test.target tests if {${os.major} >= 12} { depends_lib-append port:tcp_wrappers } post-destroot { destroot.keepdirs ${destroot}${prefix}/var/run # switch default port to avoid conflict with system sshd reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config # provide ssh-copy-id xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1 # install sandbox definition xinstall -m 755 -d ${destroot}${prefix}/share/${name} xinstall -m 644 ${filespath}/org.openssh.sshd.sb ${destroot}${prefix}/share/${name} file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example" file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example" } post-activate { if {![file exists "${prefix}/etc/ssh/sshd_config"]} { copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config" } if {![file exists "${prefix}/etc/ssh/ssh_config"]} { copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config" } } variant xauth description {Build with support for xauth} { configure.args-delete --without-xauth configure.args-append --with-xauth=${prefix}/bin/xauth depends_run-append port:xauth } variant hpn conflicts gsskex description {Apply high performance patch} { # http://www.psc.edu/index.php/hpn-ssh # http://www.freshports.org/security/openssh-portable/ is usually quick in # updating the HPN patch for new versions, take a look there, too. # Formerly from FreeBSD, now copied over from FreeBSD's ports directory. #patch_sites-append http://mirror.shatow.net/freebsd/${name}/ \ # freebsd #set hpn_patchfile ${name}-6.7p1-hpnssh14v5.diff.gz #checksums-append ${hpn_patchfile} \ # rmd160 0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \ # sha256 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6 set hpn_patchfile ${name}-${version}-hpnssh14v5.diff patchfiles-append ${hpn_patchfile} configure.cppflags-append -DHPN_ENABLED=1 } variant none_cipher conflicts gsskex requires hpn description {Enable optional NONE cipher in HPN patchset} { configure.cppflags-append -DNONE_CIPHER_ENABLED=1 } variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" { use_autoreconf yes patchfiles-append 0002-Apple-keychain-integration-other-changes.patch \ openssh-6.7p1-gsskex-all-20141021-284f364.patch configure.cppflags-append \ -F/System/Library/Frameworks/DirectoryService.framework \ -F/System/Library/Frameworks/CoreFoundation.framework \ -D_UTMPX_COMPAT \ -D__APPLE_LAUNCHD__ \ -D__APPLE_MEMBERSHIP__ \ -D__APPLE_XSAN__ configure.ldflags-append \ -Wl,-pie \ -framework CoreFoundation \ -framework DirectoryService configure.cflags-append -fPIE configure.args-append --with-4in6 \ --with-audit=bsm \ --with-keychain=apple \ --disable-utmp \ --disable-wtmp \ --with-privsep-user=_sshd } variant kerberos5 description "Add Kerberos5 support" { depends_lib-append port:kerberos5 configure.args-delete --without-kerberos5 configure.args-append --with-kerberos5=${prefix} } variant ldns description "Use ldns for DNSSEC support" { configure.args-append --with-ldns depends_lib-append port:ldns } default_variants +kerberos5 +xauth platform darwin { # create link to /usr/include/pam because 'security' was renamed to 'pam' # in OS X. pre-configure { xinstall -d ${workpath}/include file delete ${workpath}/include/security ln -s /usr/include/pam ${workpath}/include/security } } platform darwin 9 { # 10.5/ppc doesn't like the sandbox file we supply configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__ } startupitem.create yes startupitem.name OpenSSH startupitem.start \ "if \[ -x ${prefix}/sbin/sshd ]; then if \[ ! -f ${prefix}/etc/ssh/ssh_host_key \]; then ${prefix}/bin/ssh-keygen -t rsa1 -f \\ ${prefix}/etc/ssh/ssh_host_key -N \"\" -C `hostname` fi if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then ${prefix}/bin/ssh-keygen -t dsa -f \\ ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname` fi if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then ${prefix}/bin/ssh-keygen -t rsa -f \\ ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname` fi if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then ${prefix}/bin/ssh-keygen -t ecdsa -f \\ ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname` fi if \[ ! -f ${prefix}/etc/ssh/ssh_ed25519_rsa_key \]; then ${prefix}/bin/ssh-keygen -t ed25519 -f \\ ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname` fi ${prefix}/sbin/sshd fi" startupitem.stop \ "if \[ -r ${prefix}/var/run/sshd.pid \]; then kill `cat ${prefix}/var/run/sshd.pid` fi" livecheck.type regex livecheck.url http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/ livecheck.regex openssh-(\[5-9\].\[0-9\]p\[0-9\])[quotemeta ${extract.suffix}]