# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# $Id$
PortSystem 1.0
name openssh
version 7.3p1
revision 0
categories net
platforms darwin
maintainers nomaintainer
license BSD
installs_libs no
description OpenSSH secure login server
long_description OpenSSH is a FREE version of the SSH protocol suite of \
network connectivity tools that increasing numbers of people on the \
Internet are coming to rely on. Many users of telnet, rlogin, ftp, \
and other such programs might not realize that their password is \
transmitted across the Internet unencrypted, but it is. OpenSSH \
encrypts all traffic (including passwords) to effectively eliminate \
eavesdropping, connection hijacking, and other network-level \
attacks. Additionally, OpenSSH provides a myriad of secure \
tunneling capabilities, as well as a variety of authentication \
methods.
homepage http://www.openbsd.org/openssh/
checksums ${distfiles} \
rmd160 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13 \
sha256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
master_sites openbsd:OpenSSH/portable \
ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \
ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \
ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \
ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/
depends_lib path:lib/libssl.dylib:openssl \
port:libedit \
port:ncurses \
port:zlib
# the HPN patch needs this, so rewrite all other patches to support it, too
patch.args -p1
patchfiles launchd.patch \
pam.patch \
patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
patch-sshd.c-apple-sandbox-named-external.diff
# We need a couple of patches
# - pam.patch
# getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
# when run as root, so it can't be used for authentication. This patch just
# forces the use of PAM regardless of the configuration.
# - patch-*-apple-sandbox-named-external.diff
# Use Apple's sandbox_init(3) in addition to standard privilege separation.
# This requires a sandbox profile (which we provide) and the sandbox_init(3)
# call before the chroot(2) to privsep-path ($prefix/var/empty), or it will
# fail to load the sandbox description and libsandbox.1.dylib.
post-patch {
# reinplace prefix in path to sandbox definition added by
# patch-sandbox-darwin.c-apple-sandbox-named-external.diff
reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
}
# strnvis(3) isn't actually "broken". OpenBSD decided to be special and flip
# the order of arguments to strnvis and considers everyone else to be broken.
configure.cppflags-append -DBROKEN_STRNVIS=1
# Use Apple's sandboxing feature
configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
-D__APPLE_API_STRICT_CONFORMANCE
configure.ldflags-append -Wl,-search_paths_first
configure.args --with-ssl-dir=${prefix} \
--sysconfdir=${prefix}/etc/ssh \
--with-privsep-path=/var/empty \
--with-md5-passwords \
--with-pid-dir=${prefix}/var/run \
--with-pam \
--mandir=${prefix}/share/man \
--with-zlib=${prefix} \
--without-kerberos5 \
--with-libedit \
--with-pie \
--without-xauth
use_parallel_build yes
destroot.target install-nokeys
test.run yes
test.target tests
post-destroot {
destroot.keepdirs ${destroot}${prefix}/var/run
# switch default port to avoid conflict with system sshd
reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config
# provide ssh-copy-id
xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
# install sandbox definition
xinstall -m 755 -d ${destroot}${prefix}/share/${name}
xinstall -m 644 ${filespath}/org.openssh.sshd.sb ${destroot}${prefix}/share/${name}
file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example"
file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example"
}
post-activate {
if {![file exists "${prefix}/etc/ssh/sshd_config"]} {
copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config"
}
if {![file exists "${prefix}/etc/ssh/ssh_config"]} {
copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config"
}
}
variant xauth description {Build with support for xauth} {
configure.args-delete --without-xauth
configure.args-append --with-xauth=${prefix}/bin/xauth
depends_run-append port:xauth
}
variant hpn conflicts gsskex description {Apply high performance patch} {
# Old location(s):
# http://www.psc.edu/index.php/hpn-ssh
# Current location(s):
# http://hpnssh.sourceforge.net/
# http://www.freshports.org/security/openssh-portable/
# (is usually quick in updating the HPN patch for new versions,
# take a look there, too.)
# Formerly from FreeBSD, now copied over from FreeBSD's ports directory.
#patch_sites-append http://mirror.shatow.net/freebsd/${name}/ \
# freebsd
#set hpn_patchfile ${name}-6.7p1-hpnssh14v5.diff.gz
#checksums-append ${hpn_patchfile} \
# rmd160 0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \
# sha256 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
set hpn_patchfile ${name}-${version}-hpnssh14v11.diff
patchfiles-append ${hpn_patchfile}
use_autoreconf yes
configure.args-append --with-hpn
}
variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
use_autoreconf yes
patchfiles-append 0002-Apple-keychain-integration-other-changes.patch \
openssh-7.3p1-gsskex-all-20141021-mp-20160929.patch
configure.cppflags-append \
-F/System/Library/Frameworks/DirectoryService.framework \
-F/System/Library/Frameworks/CoreFoundation.framework \
-D_UTMPX_COMPAT \
-D__APPLE_LAUNCHD__ \
-D__APPLE_MEMBERSHIP__ \
-D__APPLE_XSAN__
configure.ldflags-append \
-Wl,-pie \
-framework CoreFoundation \
-framework DirectoryService
configure.cflags-append -fPIE
configure.args-append --with-4in6 \
--with-audit=bsm \
--with-keychain=apple \
--disable-utmp \
--disable-wtmp \
--with-privsep-user=_sshd
}
variant kerberos5 description "Add Kerberos5 support" {
depends_lib-append port:kerberos5
configure.args-delete --without-kerberos5
configure.args-append --with-kerberos5=${prefix}
if {${os.platform} eq "darwin"} {
post-extract {
xinstall -m 0755 -W "${filespath}" slogin "${worksrcpath}/"
}
pre-configure {
reinplace -W "${worksrcpath}" "s|@@PREFIX@@|${prefix}|" slogin
}
post-destroot {
xinstall -m 0755 ${worksrcpath}/slogin \
${destroot}${prefix}/bin/
}
}
}
variant ldns description "Use ldns for DNSSEC support" {
configure.args-append --with-ldns
depends_lib-append port:ldns
}
default_variants +kerberos5 +xauth
platform darwin {
# create link to /usr/include/pam because 'security' was renamed to 'pam'
# in OS X.
pre-configure {
xinstall -d ${workpath}/include
file delete ${workpath}/include/security
ln -s /usr/include/pam ${workpath}/include/security
}
}
platform darwin 9 {
# 10.5/ppc doesn't like the sandbox file we supply
configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
}
startupitem.create yes
startupitem.name OpenSSH
startupitem.start \
"if \[ -x ${prefix}/sbin/sshd ]; then
if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
${prefix}/bin/ssh-keygen -t dsa -f \\
${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
fi
if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
${prefix}/bin/ssh-keygen -t rsa -f \\
${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
fi
if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
${prefix}/bin/ssh-keygen -t ecdsa -f \\
${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
fi
if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
${prefix}/bin/ssh-keygen -t ed25519 -f \\
${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
fi
${prefix}/sbin/sshd
fi"
startupitem.stop \
"if \[ -r ${prefix}/var/run/sshd.pid \]; then
kill `cat ${prefix}/var/run/sshd.pid`
fi"
livecheck.type regex
livecheck.url http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/
livecheck.regex openssh-(\[5-9\].\[0-9\]p\[0-9\])[quotemeta ${extract.suffix}]