libedit: new dep of openssh

openssh: rebuild against krb5

libedit/PKGBUILD

@@ -0,0 +1,31 @@
+#
+# Chakra Packages for Chakra, part of chakra-project.org
+#
+# maintainer (i686): Phil Miller <philm[at]chakra-project[dog]org>
+# maintainer (x86_64): Manuel Tortosa <manutortosa[at]chakra-project[dot]org>
+
+pkgname=libedit
+pkgver=20110802_3.0
+pkgrel=1
+pkgdesc='Command line editor library providing generic line editing, history, and tokenization functions'
+arch=('i686' 'x86_64')
+url='http://www.thrysoee.dk/editline/'
+license=('BSD')
+depends=('ncurses')
+options=('!libtool')
+source=("http://www.thrysoee.dk/editline/libedit-${pkgver/_/-}.tar.gz")
+sha1sums=('b06e3cf248a4235617c71454e15ca3a54a61d467')
+
+build() {
+	cd "${srcdir}/${pkgname}-${pkgver/_/-}"
+	./configure --prefix=/usr --enable-widec --enable-static=no
+	make
+}
+
+package() {
+	cd "${srcdir}/${pkgname}-${pkgver/_/-}"
+	make prefix="${pkgdir}"/usr install
+
+	cp "${pkgdir}"/usr/share/man/man3/editline.3 "${pkgdir}"/usr/share/man/man3/el.3
+	install -D -m0644 COPYING "${pkgdir}"/usr/share/licenses/libedit/LICENSE
+}

librpcsecgss/PKGBUILD

@@ -6,12 +6,12 @@
 
 pkgname=librpcsecgss
 pkgver=0.19
-pkgrel=6
+pkgrel=5
 pkgdesc="Library for RPCSECGSS support"
 arch=('i686' 'x86_64')
 url="http://www.citi.umich.edu/projects/nfsv4/linux/"
 license=('GPL')
-depends=('glibc' 'heimdal' 'libgssglue')
+depends=('glibc' 'krb5' 'libgssglue')
 makedepends=('pkg-config' 'autoconf')
 options=('!libtool')
 source=("http://www.citi.umich.edu/projects/nfsv4/linux/${pkgname}/${pkgname}-${pkgver}.tar.gz")

openssh/PKGBUILD

@@ -1,64 +1,71 @@
-# $Id: PKGBUILD 75180 2010-04-01 01:39:08Z pierre $
+#
-# Maintainer: Aaron Griffin <aaron@archlinux.org>
+# Chakra Packages for Chakra, part of chakra-project.org
-# Contributor: judd <jvinet@zeroflux.org>
+#
+# maintainer (i686): Phil Miller <philm[at]chakra-project[dog]org>
+# maintainer (x86_64): Manuel Tortosa <manutortosa[at]chakra-project[dot]org>
 
 pkgname=openssh
-pkgver=5.4p1
+pkgver=5.8p2
-pkgrel=5
+pkgrel=1
-pkgdesc='A Secure SHell server/client'
+pkgdesc='Free version of the SSH connectivity tools'
 arch=('i686' 'x86_64')
-license=('custom')
+license=('custom:BSD')
-url="http://www.openssh.org/portable.html"
+url='http://www.openssh.org/portable.html'
-backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd')
-depends=('openssl' 'zlib' 'pam' 'tcp_wrappers' 'heimdal')
+depends=('krb5' 'openssl' 'libedit')
 source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"
-        'sshd' 'sshd.confd' 'sshd.pam')
+        'authfile.c.patch'
-md5sums=('da10af8a789fa2e83e3635f3a1b76f5e'
+        'sshd.confd'
-         '17b1b1bf0f578a55945ee204bd4462af'
+        'sshd.pam'
-         'e2cea70ac13af7e63d40eb04415eacd5'
+        'sshd')
-         '1c7c2ea8734ec7e3ca58d820634dc73a')
+sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5'
+          '3669cb5ca6149f69015df5ce8e60b82c540eb0a4'
+          'ec102deb69cad7d14f406289d2fc11fee6eddbdd'
+          '07fecd5880b1c4fdd8c94ddb2e89ddce88effdc1'
+          '6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5')
 
 build() {
-  cd ${srcdir}/${pkgname}-${pkgver}
+	cd "${srcdir}/${pkgname}-${pkgver}"
 
-  #NOTE we disable-strip so that makepkg can decide whether to strip or not
+	patch -p1 -i ../authfile.c.patch # fix FS#24693 using http://anoncvs.mindrot.org/index.cgi/openssh/authfile.c?revision=1.95
-  ./configure --prefix=/usr --libexecdir=/usr/lib/ssh \
+
-    --sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=nobody \
+	./configure \
-    --with-md5-passwords --with-pam --with-mantype=man --mandir=/usr/share/man \
+		--prefix=/usr \
-    --with-xauth=/usr/bin/xauth --with-kerberos5=/usr --with-ssl-engine \
+		--libexecdir=/usr/lib/ssh \
-    --disable-strip
+		--sysconfdir=/etc/ssh \
-  make || return 1
+		--with-privsep-user=nobody \
+		--with-md5-passwords \
+		--with-pam \
+		--with-mantype=man \
+		--mandir=/usr/share/man \
+		--with-xauth=/usr/bin/xauth \
+		--with-kerberos5=/usr \
+		--with-ssl-engine \
+		--with-libedit=/usr/lib \
+		--disable-strip # stripping is done by makepkg
+
+	make
 }
 
 package() {
-  cd ${srcdir}/${pkgname}-${pkgver}
+	cd "${srcdir}/${pkgname}-${pkgver}"
-  make DESTDIR=${pkgdir} install
+	make DESTDIR="${pkgdir}" install
 
-  install -Dm755 ${srcdir}/sshd ${pkgdir}/etc/rc.d/sshd
+	install -Dm755 ../sshd "${pkgdir}"/etc/rc.d/sshd
+	install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+	install -Dm644 ../sshd.confd "${pkgdir}"/etc/conf.d/sshd
+	install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
 
-  install -Dm644 LICENCE ${pkgdir}/usr/share/licenses/${pkgname}/LICENCE
+	rm "${pkgdir}"/usr/share/man/man1/slogin.1
-  install -Dm644 ${srcdir}/sshd.pam ${pkgdir}/etc/pam.d/sshd
+	ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
-  install -Dm644 ${srcdir}/sshd.confd ${pkgdir}/etc/conf.d/sshd
 
-  rm ${pkgdir}/usr/share/man/man1/slogin.1
+	# additional contrib scripts that we like
-  ln -sf ssh.1.gz ${pkgdir}/usr/share/man/man1/slogin.1.gz
+	install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+	install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+	install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
 
-  #additional contrib scripts that we like
+	# PAM is a common, standard feature to have
-  install -Dm755 contrib/findssl.sh ${pkgdir}/usr/bin/findssl.sh
+	sed -i	-e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
-  install -Dm755 contrib/ssh-copy-id ${pkgdir}/usr/bin/ssh-copy-id
+		-e '/^#UsePAM no$/c UsePAM yes' \
-  install -Dm644 contrib/ssh-copy-id.1  ${pkgdir}/usr/share/man/man1/ssh-copy-id.1
+		"${pkgdir}"/etc/ssh/sshd_config
-
-  # sshd_config
-  sed -i \
-    -e 's|^#ListenAddress 0.0.0.0|ListenAddress 0.0.0.0|g' \
-    -e 's|^#UsePAM no|UsePAM yes|g' \
-    -e 's|^#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|g' \
-    ${pkgdir}/etc/ssh/sshd_config
-  echo "HashKnownHosts yes" >>  ${pkgdir}/etc/ssh/ssh_config
-  echo "StrictHostKeyChecking ask" >>  ${pkgdir}/etc/ssh/ssh_config
-
-  #ssh_config
-  sed -i \
-    -e 's|^# Host \*|Host *|g' \
-    ${pkgdir}/etc/ssh/ssh_config
 }

openssh/authfile.c.patch

@@ -0,0 +1,198 @@
+diff -aur old/authfile.c new/authfile.c
+--- old/authfile.c	2011-06-12 02:21:52.262338254 +0200
++++ new/authfile.c	2011-06-12 02:13:43.051467269 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.87 2010/11/29 18:57:04 markus Exp $ */
++/* $OpenBSD: authfile.c,v 1.95 2011/05/29 11:42:08 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -69,6 +69,8 @@
+ #include "misc.h"
+ #include "atomicio.h"
+ 
++#define MAX_KEY_FILE_SIZE	(1024 * 1024)
++
+ /* Version identification string for SSH v1 identity files. */
+ static const char authfile_id_string[] =
+     "SSH PRIVATE KEY FILE FORMAT 1.1\n";
+@@ -312,12 +314,12 @@
+ 	return pub;
+ }
+ 
+-/* Load the contents of a key file into a buffer */
+-static int
++/* Load a key from a fd into a buffer */
++int
+ key_load_file(int fd, const char *filename, Buffer *blob)
+ {
++	u_char buf[1024];
+ 	size_t len;
+-	u_char *cp;
+ 	struct stat st;
+ 
+ 	if (fstat(fd, &st) < 0) {
+@@ -325,30 +327,45 @@
+ 		    filename == NULL ? "" : filename,
+ 		    filename == NULL ? "" : " ",
+ 		    strerror(errno));
+-		close(fd);
+ 		return 0;
+ 	}
+-	if (st.st_size > 1*1024*1024) {
++	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++	    st.st_size > MAX_KEY_FILE_SIZE) {
++ toobig:
+ 		error("%s: key file %.200s%stoo large", __func__,
+ 		    filename == NULL ? "" : filename,
+ 		    filename == NULL ? "" : " ");
+-		close(fd);
+ 		return 0;
+ 	}
+-	len = (size_t)st.st_size;		/* truncated */
+-
+ 	buffer_init(blob);
+-	cp = buffer_append_space(blob, len);
+-
+-	if (atomicio(read, fd, cp, len) != len) {
+-		debug("%s: read from key file %.200s%sfailed: %.100s", __func__,
+-		    filename == NULL ? "" : filename,
+-		    filename == NULL ? "" : " ",
+-		    strerror(errno));
++	for (;;) {
++		if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
++			if (errno == EPIPE)
++				break;
++			debug("%s: read from key file %.200s%sfailed: %.100s",
++			    __func__, filename == NULL ? "" : filename,
++			    filename == NULL ? "" : " ", strerror(errno));
++			buffer_clear(blob);
++			bzero(buf, sizeof(buf));
++			return 0;
++		}
++		buffer_append(blob, buf, len);
++		if (buffer_len(blob) > MAX_KEY_FILE_SIZE) {
++			buffer_clear(blob);
++			bzero(buf, sizeof(buf));
++			goto toobig;
++		}
++	}
++	bzero(buf, sizeof(buf));
++	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++	    st.st_size != buffer_len(blob)) {
++		debug("%s: key file %.200s%schanged size while reading",
++		    __func__, filename == NULL ? "" : filename,
++		    filename == NULL ? "" : " ");
+ 		buffer_clear(blob);
+-		close(fd);
+ 		return 0;
+ 	}
++
+ 	return 1;
+ }
+ 
+@@ -606,7 +623,7 @@
+ 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ 		error("Permissions 0%3.3o for '%s' are too open.",
+ 		    (u_int)st.st_mode & 0777, filename);
+-		error("It is recommended that your private key files are NOT accessible by others.");
++		error("It is required that your private key files are NOT accessible by others.");
+ 		error("This private key will be ignored.");
+ 		return 0;
+ 	}
+@@ -626,6 +643,7 @@
+ 	case KEY_UNSPEC:
+ 		return key_parse_private_pem(blob, type, passphrase, commentp);
+ 	default:
++		error("%s: cannot parse key type %d", __func__, type);
+ 		break;
+ 	}
+ 	return NULL;
+@@ -670,11 +688,38 @@
+ }
+ 
+ Key *
++key_parse_private(Buffer *buffer, const char *filename,
++    const char *passphrase, char **commentp)
++{
++	Key *pub, *prv;
++	Buffer pubcopy;
++
++	buffer_init(&pubcopy);
++	buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer));
++	/* it's a SSH v1 key if the public key part is readable */
++	pub = key_parse_public_rsa1(&pubcopy, commentp);
++	buffer_free(&pubcopy);
++	if (pub == NULL) {
++		prv = key_parse_private_type(buffer, KEY_UNSPEC,
++		    passphrase, NULL);
++		/* use the filename as a comment for PEM */
++		if (commentp && prv)
++			*commentp = xstrdup(filename);
++	} else {
++		key_free(pub);
++		/* key_parse_public_rsa1() has already loaded the comment */
++		prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
++		    NULL);
++	}
++	return prv;
++}
++
++Key *
+ key_load_private(const char *filename, const char *passphrase,
+     char **commentp)
+ {
+-	Key *pub, *prv;
+-	Buffer buffer, pubcopy;
++	Key *prv;
++	Buffer buffer;
+ 	int fd;
+ 
+ 	fd = open(filename, O_RDONLY);
+@@ -697,23 +742,7 @@
+ 	}
+ 	close(fd);
+ 
+-	buffer_init(&pubcopy);
+-	buffer_append(&pubcopy, buffer_ptr(&buffer), buffer_len(&buffer));
+-	/* it's a SSH v1 key if the public key part is readable */
+-	pub = key_parse_public_rsa1(&pubcopy, commentp);
+-	buffer_free(&pubcopy);
+-	if (pub == NULL) {
+-		prv = key_parse_private_type(&buffer, KEY_UNSPEC,
+-		    passphrase, NULL);
+-		/* use the filename as a comment for PEM */
+-		if (commentp && prv)
+-			*commentp = xstrdup(filename);
+-	} else {
+-		key_free(pub);
+-		/* key_parse_public_rsa1() has already loaded the comment */
+-		prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase,
+-		    NULL);
+-	}
++	prv = key_parse_private(&buffer, filename, passphrase, commentp);
+ 	buffer_free(&buffer);
+ 	return prv;
+ }
+@@ -737,13 +766,19 @@
+ 			case '\0':
+ 				continue;
+ 			}
++			/* Abort loading if this looks like a private key */
++			if (strncmp(cp, "-----BEGIN", 10) == 0)
++				break;
+ 			/* Skip leading whitespace. */
+ 			for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+ 				;
+ 			if (*cp) {
+ 				if (key_read(k, &cp) == 1) {
+-					if (commentp)
+-						*commentp=xstrdup(filename);
++					cp[strcspn(cp, "\r\n")] = '\0';
++					if (commentp) {
++						*commentp = xstrdup(*cp ?
++						    cp : filename);
++					}
+ 					fclose(f);
+ 					return 1;
+ 				}

openssh/sshd

@@ -4,13 +4,20 @@
 . /etc/rc.d/functions
 . /etc/conf.d/sshd
 
-PID="$(cat /var/run/sshd.pid 2>/dev/null)"
+PIDFILE=/var/run/sshd.pid
+PID=$(cat $PIDFILE 2>/dev/null)
+if ! readlink -q /proc/$PID/exe | grep -q '^/usr/sbin/sshd'; then
+  PID=
+  rm $PIDFILE 2>/dev/null
+fi
+
 case "$1" in
   start)
     stat_busy "Starting Secure Shell Daemon"
     [ -f /etc/ssh/ssh_host_key ] || { /usr/bin/ssh-keygen -t rsa1 -N "" -f /etc/ssh/ssh_host_key >/dev/null; }
     [ -f /etc/ssh/ssh_host_rsa_key ] || { /usr/bin/ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key >/dev/null; }
     [ -f /etc/ssh/ssh_host_dsa_key ] || { /usr/bin/ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key >/dev/null; }
+    [ -f /etc/ssh/ssh_host_ecdsa_key ] || { /usr/bin/ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key >/dev/null; }
     [ -d /var/empty ] || mkdir -p /var/empty
     [ -z "$PID" ] && /usr/sbin/sshd $SSHD_ARGS
     if [ $? -gt 0 ]; then

openssh/sshd.pam

@@ -1,10 +1,11 @@
 #%PAM-1.0
 #auth		required	pam_securetty.so	#Disable remote root
 auth		required	pam_unix.so
-auth		required	pam_nologin.so
 auth		required	pam_env.so
+account		required	pam_nologin.so
 account		required	pam_unix.so
 account		required	pam_time.so
 password	required	pam_unix.so
 session		required	pam_unix_session.so
 session		required	pam_limits.so
+-session	optional	pam_ck_connector.so nox11