openssh: 6.9p1 -> 7.1p1

This intentionally leaves out support for using existing dsa keys as they are insecure and should not be enabled by default. If you need this support, please make the changes in your ssh_config and sshd_config.
2024-11-18 07:46:09 +01:00 · 2015-08-20 10:36:06 -07:00 · 2015-08-20 10:36:06 -07:00 · 88b8145750
commit 88b8145750
parent 3f1d497fbe
2 changed files with 3 additions and 68 deletions
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -17,11 +17,11 @@ let
 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
-  name = "openssh-6.9p1";
+  name = "openssh-7.1p1";

  src = fetchurl {
    url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
-    sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf";
+    sha256 = "0a44mnr8bvw41zg83xh4sb55d8nds29j95gxvxk5qg863lnns2pw";
  };

  prePatch = optionalString hpnSupport
@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
      export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
    '';

-  patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch];
+  patches = [ ./locale_archive.patch ];

  buildInputs = [ zlib openssl libedit pkgconfig pam ]
    ++ optional withKerberos [ kerberos ];
--- a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch
+++ b/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch
@ -1,65 +0,0 @@
-http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d
-
-diff --git a/sshpty.c b/sshpty.c
-index 7bb7641..15da8c6 100644
--- a/sshpty.c
-+++ b/sshpty.c
-@@ -1,4 +1,4 @@
-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
-+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
- 	/* Determine the group to make the owner of the tty. */
- 	grp = getgrnam("tty");
- 	gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
-	mode = (grp != NULL) ? 0622 : 0600;
-+	mode = (grp != NULL) ? 0620 : 0600;
- 
- 	/*
- 	 * Change owner and mode of the tty as required.
-diff --git a/monitor.c b/monitor.c
-index b410965..f1b873d 100644
--- a/monitor.c
-+++ b/monitor.c
-@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
- int
- mm_answer_pam_init_ctx(int sock, Buffer *m)
- {
-
- 	debug3("%s", __func__);
-	authctxt->user = buffer_get_string(m, NULL);
- 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
- 	sshpam_authok = NULL;
- 	buffer_clear(m);
-@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
- int
- mm_answer_pam_free_ctx(int sock, Buffer *m)
- {
-+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
- 
- 	debug3("%s", __func__);
- 	(sshpam_device.free_ctx)(sshpam_ctxt);
-+	sshpam_ctxt = sshpam_authok = NULL;
- 	buffer_clear(m);
- 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
- 	auth_method = "keyboard-interactive";
- 	auth_submethod = "pam";
-	return (sshpam_authok == sshpam_ctxt);
-+	return r;
- }
- #endif
- 
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index e6217b3..eac421b 100644
--- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
- 
- 	debug3("%s", __func__);
- 	buffer_init(&m);
-	buffer_put_cstring(&m, authctxt->user);
- 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
- 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
- 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);