# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem          1.0

PortGroup           compiler_blacklist_versions 1.0

# Port-level metadata. These values are shared by the main openssh port and
# by any subport that does not override them.
name                openssh
version             8.1p1
revision            9
categories          net
platforms           darwin
# nomaintainer: nobody is assigned to this port, so upstream security releases
# are only picked up when a contributor bumps version and checksums.
maintainers         nomaintainer
license             BSD
installs_libs       no
conflicts           lsh

description         OpenSSH secure login server

long_description    OpenSSH is a FREE version of the SSH protocol suite of \
                    network connectivity tools that increasing numbers of people on the \
                    Internet are coming to rely on. Many users of telnet, rlogin, ftp, \
                    and other such programs might not realize that their password is \
                    transmitted across the Internet unencrypted, but it is. OpenSSH \
                    encrypts all traffic (including passwords) to effectively eliminate \
                    eavesdropping, connection hijacking, and other network-level \
                    attacks. Additionally, OpenSSH provides a myriad of secure \
                    tunneling capabilities, as well as a variety of authentication \
                    methods.

homepage            https://www.openbsd.org/openssh/

# Digests and size of the source tarball. Two of the master_sites below are
# plaintext ftp:// and http:// mirrors, so the transport gives no tamper
# protection; the integrity of the fetched tarball rests on these values.
# When bumping version, take the new digests from a source you trust (for
# example a tarball verified against upstream's release signature), not from
# whatever a mirror happened to serve.
checksums           rmd160  0d9bcaa22b77a8e26fbe4804ea4ae017e45b1568 \
                    sha256  02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff \
                    size    1625894

# Download locations, tried in addition to the openbsd: mirror group.
master_sites        openbsd:OpenSSH/portable \
                    ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
                    http://openbsd.mirrors.pair.com/OpenSSH/portable

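# Everything in this block applies to the main openssh port only; the
# ssh-copy-id subport declared further down does not evaluate it.
if {${name} eq ${subport}} {
    depends_lib         path:lib/libssl.dylib:openssl \
                        port:libedit \
                        port:ncurses \
                        port:zlib
    depends_run         port:ssh-copy-id

    # the HPN patch needs this, so rewrite all other patches to support it, too
    patch.args          -p1
    patchfiles          launchd.patch \
                        pam.patch \
                        patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
                        patch-sshd.c-apple-sandbox-named-external.diff \
                        macports-config.patch \
                        patch-openbsd_compat-memmem-bug.diff

    # We need a couple of patches
    # - pam.patch
    #   getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
    #   when run as root, so it can't be used for authentication. This patch just
    #   forces the use of PAM regardless of the configuration.
    # - patch-*-apple-sandbox-named-external.diff
    #   Use Apple's sandbox_init(3) in addition to standard privilege separation.
    #   This requires a sandbox profile (which we provide) and the sandbox_init(3)
    #   call before the chroot(2) to privsep-path, or it will fail to load the
    #   sandbox description and libsandbox.1.dylib.
    #   NOTE(review): this comment used to give the privsep path as
    #   ${prefix}/var/empty, but configure.args below passes
    #   --with-privsep-path=/var/empty (the system directory). Confirm which
    #   one is intended.
    # - 0002-Apple-keychain-integration-other-changes.patch
    #   Adds Apple Keychain integration and ssh-agent's launchd mode
    #   (only applied by the osx_keychain variant below).
    # - macports-config.patch
    #   Changes the default configuration from the upstream-provided one by popular
    #   request.

    post-patch {
        # reinplace prefix in path to sandbox definition added by
        # patch-sandbox-darwin.c-apple-sandbox-named-external.diff
        reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
    }

    use_autoreconf      yes

    # strnvis(3) isn't actually "broken". OpenBSD decided to be special and flip
    # the order of arguments to strnvis and considers everyone else to be broken.
    configure.cppflags-append -DBROKEN_STRNVIS=1

    # Use Apple's sandboxing feature
    configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
                        -D__APPLE_API_STRICT_CONFORMANCE
    configure.ldflags-append -Wl,-search_paths_first
    # Security-relevant switches, for whoever audits this build:
    #   --with-privsep-path=/var/empty  chroot target of the unprivileged child;
    #                                   a system path, not one under ${prefix}.
    #   --with-pam                      PAM is the authentication backend
    #                                   (pam.patch forces it, see above).
    #   --with-pie                      position-independent executables.
    #   --with-audit=bsm                BSM audit records.
    # NOTE(review): --with-md5-passwords looks like a leftover given that PAM is
    # forced; confirm it is still needed before keeping it.
    # NOTE(review): --with-keychain=apple is passed unconditionally although the
    # keychain patch is only applied by the osx_keychain variant; presumably
    # configure ignores it otherwise. Confirm.
    configure.args      --with-ssl-dir=${prefix} \
                        --sysconfdir=${prefix}/etc/ssh \
                        --with-privsep-path=/var/empty \
                        --with-md5-passwords \
                        --with-pid-dir=${prefix}/var/run \
                        --with-pam \
                        --mandir=${prefix}/share/man \
                        --with-zlib=${prefix} \
                        --without-kerberos5 \
                        --with-libedit \
                        --with-pie \
                        --without-xauth \
                        --without-ldns \
                        --with-audit=bsm \
                        --with-keychain=apple

    use_parallel_build  yes

    platform macosx {
        variant osx_keychain description "integrate with Mac OS keychain" {
            patchfiles-append   0002-Apple-keychain-integration-other-changes.patch

            if {${os.major} <= 11} {
                # clang is required to build the new Apple Keychain integration due
                # to it using the Object Subscripting feature, c.f. #59397.
                # We'll keep it simple and just blacklist any gcc version, cc
                # (which could be anything), system clang versions prior to those
                # shipped with Xcode 4.4.
                # Regarding the macports-clang versions, any version in the
                # MacPorts tree should suit our needs, since the clang
                # documentation lists FOSS clang/llvm 3.1 as the first version to
                # support Object Subscripting and the oldest version in our tree is
                # now 3.3.
                compiler.blacklist-append *gcc* cc {clang < 421}
            }
        }
    }

    # install-nokeys: install without generating host keys, so no private host
    # key is created at destroot time and none can end up in a built package.
    # Host keys are created on first start by startupitem.start below.
    destroot.target     install-nokeys

    test.run            yes
    test.target         tests

    post-destroot {
        destroot.keepdirs ${destroot}${prefix}/var/run

        # switch default port to avoid conflict with system sshd
        reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config

        # install sandbox definition (the profile whose path post-patch wrote
        # into sandbox-darwin.c); world-readable, writable by the owner only
        xinstall -m 755 -d ${destroot}${prefix}/share/${name}
        xinstall -m 644 ${filespath}/com.openssh.sshd.sb ${destroot}${prefix}/share/${name}

        # Ship the configs as *.example so that an upgrade never overwrites an
        # administrator's edited sshd_config / ssh_config.
        file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example"
        file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example"
    }

    post-activate {
        # Seed the live configs from the examples only when they do not exist
        # yet; an existing (possibly hardened) configuration is left untouched.
        if {![file exists "${prefix}/etc/ssh/sshd_config"]} {
            copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config"
        }
        if {![file exists "${prefix}/etc/ssh/ssh_config"]} {
            copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config"
        }
    }

    notes-append "
    Apple's keychain integration and launchd changes are now\
    included by default, not just with the gsskex variant.\

    The parameters were changed from -m/-M to -A/-K in\
    accordance with Apple's changes, because upstream started\
    using the former switches themselves recently."

    variant xauth description {Build with support for xauth} {
        configure.args-replace  --without-xauth \
                                --with-xauth=${prefix}/bin/xauth
        depends_run-append      port:xauth
    }

    variant hpn conflicts gsskex description {Apply high performance patch} {
        # Current location(s):
        # https://github.com/rapier1/openssh-portable/
        # http://www.freshports.org/security/openssh-portable/
        # (is usually quick in updating the HPN patch for new versions,
        # take a look there, too.)

        # Formerly taken directly from FreeBSD as a distfile, now copied over
        # from either upstream or FreeBSD's ports directory and rebased.
        # The patch files live in this port's files/ directory, so they are
        # not covered by the distfile checksums; review them when they change.
        set hpn_patchfile       ${name}-${version}-hpnssh14v18
        patchfiles-append       ${hpn_patchfile}.diff \
                                ${hpn_patchfile}-openssl-1.1.diff
    }

    variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
        patchfiles-append       openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
        configure.ldflags-append \
                                -Wl,-pie
        configure.cflags-append -fPIE
        configure.args-append   --with-4in6 \
                                --disable-utmp \
                                --disable-wtmp \
                                --with-privsep-user=_sshd
    }

    variant kerberos5 description "Add Kerberos5 support" {
        depends_lib-append      port:kerberos5
        configure.args-delete   --without-kerberos5
        configure.args-append   --with-kerberos5=${prefix}

        if {${os.platform} eq "darwin"} {
            # Install the slogin script shipped in files/, with its @@PREFIX@@
            # placeholder replaced by the real prefix before configure runs.
            post-extract {
                xinstall -m 0755 -W "${filespath}" slogin "${worksrcpath}/"
            }

            pre-configure {
                reinplace -W "${worksrcpath}" "s|@@PREFIX@@|${prefix}|" slogin
            }

            post-destroot {
                xinstall -m 0755 ${worksrcpath}/slogin \
                    ${destroot}${prefix}/bin/
            }
        }
    }

    variant ldns description "Use ldns for DNSSEC support" {
        configure.args-replace  --without-ldns \
                                --with-ldns
        depends_lib-append      port:ldns
    }

    default_variants    +kerberos5 +xauth

    platform darwin {
        # create link to /usr/include/pam because 'security' was renamed to 'pam'
        # in OS X.
        # And then again back to security in 10.6.
        if {${os.major} < 10} {
            pre-configure {
                xinstall -d ${workpath}/include
                file delete ${workpath}/include/security
                ln -s /usr/include/pam ${workpath}/include/security
                configure.cppflags-append "-I${workpath}/include"
            }
        }

        # include Keychain integration by default on Mac OS 10.6 and newer
        if {${os.major} > 9} {
            # Option modifiers are spelled with a dash (-append), as everywhere
            # else in this file; "default_variants.append" is not a defined
            # command and would abort Portfile evaluation here.
            default_variants-append +osx_keychain
        }
    }

    platform darwin 9 {
        # 10.5/ppc doesn't like the sandbox file we supply, so on that platform
        # sshd is built without the named-external Apple sandbox and relies on
        # standard privilege separation only.
        configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
    }

    startupitem.create  yes
    startupitem.name    OpenSSH
    # Start script: create any missing host key (empty passphrase, as a host key
    # has to be readable by sshd unattended), then launch sshd.
    # No DSA host key is generated any more: OpenSSH has disabled ssh-dss by
    # default since 7.0 and sshd's default HostKey list does not include a DSA
    # key, so a fresh 1024-bit DSA key would only leave a weak, unused private
    # key on disk. An existing ssh_host_dsa_key is left untouched.
    # NOTE(review): if macports-config.patch names a DSA HostKey explicitly,
    # drop that line there as well.
    startupitem.start \
"if \[ -x ${prefix}/sbin/sshd \]; then
    if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
        ${prefix}/bin/ssh-keygen -t rsa -f \\
            ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
    fi
    if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
        ${prefix}/bin/ssh-keygen -t ecdsa -f \\
            ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
    fi
    if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
        ${prefix}/bin/ssh-keygen -t ed25519 -f \\
            ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
    fi
    ${prefix}/sbin/sshd
fi"
    # Stop script: signal the daemon recorded in the pid file written under
    # --with-pid-dir (${prefix}/var/run).
    startupitem.stop \
"if \[ -r ${prefix}/var/run/sshd.pid \]; then
    kill `cat ${prefix}/var/run/sshd.pid`
fi"
}
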
# ssh-copy-id: installs only the contrib/ssh-copy-id shell script and its man
# page from the OpenSSH source tarball; nothing is configured or compiled.
subport ssh-copy-id {
    revision            0
    platforms           darwin freebsd
    supported_archs     noarch
    maintainers         {l2dy @l2dy} openmaintainer
    description         Shell script to install your public key(s) on a remote machine
    long_description    ${description}

    # Make sure to not create multiple copies of the same distfile.
    # The subport reuses the openssh tarball; presumably it is verified against
    # the port-level checksums, since none are declared here (confirm).
    distname            openssh-${version}
    dist_subdir         openssh

    use_configure       no
    # Empty build phase: the script is installed as shipped.
    build {}

    destroot {
        # Script is executable by everyone and writable by the owner only;
        # the man page is installed read-only for non-owners.
        xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
        xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
    }
}

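# Upstream version check against the portable release directory (HTTPS).
# The major version is matched as any run of digits: the previous class
# \[5-9\]+ could not match a major made of other digits (e.g. a 10.x release),
# which would leave livecheck silently reporting the port as current and hide
# new upstream releases, security fixes included. The dot between major and
# minor is escaped so that it only matches a literal '.'.
livecheck.type      regex
livecheck.url       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
livecheck.regex     openssh-(\[0-9\]+\\.\[0-9\]+p\[0-9\]+)[quotemeta ${extract.suffix}]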