pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/dropbear Update dropbear to 0.52. Build an s...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/d58c8ca1cf7f
branches:  trunk
changeset: 564077:d58c8ca1cf7f
user:      snj <snj%pkgsrc.org@localhost>
date:      Wed Aug 26 21:10:11 2009 +0000

description:
Update dropbear to 0.52.  Build an scp binary and call it dbscp so it
doesn't conflict with openssh.

Changes since 0.50:

0.52 - Wed 12 November 2008

- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to
  tunnel standard input/output to a TCP port-forwarded remote host.

- Add "proxy command" support to dbclient, to allow using a spawned
  process for IO rather than a direct TCP connection. eg
          dbclient remotehost
  is equivalent to
          dbclient -J 'nc remotehost 22' remotehost
  (the hostname is still provided purely for looking up saved host keys)

- Combine netcat-alike and proxy support to allow "multihop"
  connections, with comma-separated host syntax.  Allows running

          dbclient user1@host1,user2@host2,user3@host3

  to end up at host3 via the other two, using SSH TCP forwarding. It's
  a bit like onion-routing. All connections are established from the
  local machine.  The comma-separated syntax can also be used for
  scp/rsync, eg

  rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/

  to bounce through a few hosts.

- Add -I "idle timeout" option (contributed by Farrell Aultman)

- Allow restrictions on authorized_keys logins such as restricting
  commands to be run etc. This is a subset of those allowed by OpenSSH,
  doesn't yet allow restricting source host.

- Use vfork() for scp on uClinux

- Default to PATH=/usr/bin:/bin for shells.

- Report errors if -R forwarding fails

- Add counter mode cipher support, which avoids some security problems
  with the standard CBC mode.

- Support zlib@openssh.com delayed compression for client/server. It
  can be required for the Dropbear server with the '-Z' option. This
  is useful for security as it avoids exposing the server to attacks
  on zlib by unauthenticated remote users, though requires client side
  support.

- options.h has been split into options.h (user-changeable) and
  sysoptions.h (less commonly changed)

- Support "dbclient -s sftp" to specify a subsystem

- Fix a bug in replies to channel requests that could be triggered by
  recent versions of PuTTY

0.51 - Thu 27 March 2008

- Make a copy of password fields rather than erroneously relying on getpwnam()
  to be safe to call multiple times

- If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is
  as well) always use that program, ignoring isatty() and $DISPLAY

- Wait until a process exits before the server closes a connection, so
  that an exit code can be sent. This fixes problems with exit codes not
  being returned, which could cause scp to fail.

diffstat:

 security/dropbear/Makefile         |  46 ++++++++++++++++++++++++++++---------
 security/dropbear/PLIST            |   3 +-
 security/dropbear/distinfo         |  11 ++++----
 security/dropbear/patches/patch-ab |  24 ++++++++-----------
 security/dropbear/patches/patch-af |  23 -------------------
 5 files changed, 52 insertions(+), 55 deletions(-)

diffs (168 lines):

diff -r 20bb9ee2e3eb -r d58c8ca1cf7f security/dropbear/Makefile
--- a/security/dropbear/Makefile        Wed Aug 26 21:09:24 2009 +0000
+++ b/security/dropbear/Makefile        Wed Aug 26 21:10:11 2009 +0000
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.23 2007/09/06 19:15:10 jlam Exp $
+# $NetBSD: Makefile,v 1.24 2009/08/26 21:10:11 snj Exp $
 
-DISTNAME=      dropbear-0.50
-PKGREVISION=   2
+DISTNAME=      dropbear-0.52
 CATEGORIES=    security
 MASTER_SITES=  http://matt.ucc.asn.au/dropbear/releases/
 
-MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
+MAINTAINER=    snj%NetBSD.org@localhost
 HOMEPAGE=      http://matt.ucc.asn.au/dropbear/dropbear.html
-COMMENT=       SSH2 server, aimed at embedded market
+COMMENT=       Small SSH2 server and client, aimed at embedded market
 
 GNU_CONFIGURE= yes
 USE_TOOLS+=    gmake
 
+PKG_DESTDIR_SUPPORT=   user-destdir
+
 CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFDIR:Q}
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.dropbear
@@ -21,24 +22,47 @@
 .if !empty(PKG_OPTIONS:Mpam)
 .  include "../../mk/pam.buildlink3.mk"
 CONFIGURE_ARGS+=       --enable-pam
+SUBST_CLASSES+=                pam
+SUBST_MESSAGE.pam=     Enabling PAM in options.h
+SUBST_STAGE.pam=       post-patch
+SUBST_FILES.pam=       options.h
+SUBST_SED.pam=         -e "s/ENABLE_SVR_PASSWORD_AUTH/ENABLE_SVR_PAM_AUTH/"
 .endif
 
 MAKEFLAGS+=    ROOT_USER=${ROOT_USER:Q} ROOT_GROUP=${ROOT_GROUP:Q}
 
+OWN_DIRS+=             ${PKG_SYSCONFDIR}/dropbear
+
 SUBST_CLASSES+=                config
 SUBST_MESSAGE.config=  Fixing path to config directory.
 SUBST_STAGE.config=    post-build
 SUBST_FILES.config=    dropbear.8 dropbearkey.8
 SUBST_SED.config=      -e "s,/etc/dropbear/,"${PKG_SYSCONFDIR:Q}"/dropbear/,g"
 
-INSTALLATION_DIRS=     ${PKGMANDIR}/man1 ${PKGMANDIR}/man8
+# used by dbscp
+CPPFLAGS+=             -D_PATH_SSH_PROGRAM="\"${PREFIX}/bin/dbclient\""
+
+# XXX use base xauth if present, otherwise _ass_ume pkgsrc. better than nothing
+.if exists(${X11BASE}/bin/xauth)
+CPPFLAGS+=-DXAUTH_COMMAND="\"${X11BASE}/bin/xauth\""
+.else
+CPPFLAGS+=-DXAUTH_COMMAND="\"${X11PREFIX}/bin/xauth\""
+.endif
+
+INSTALLATION_DIRS=     share/doc/dropbear ${PKGMANDIR}/man1 ${PKGMANDIR}/man8
+
+BUILD_TARGET=          all scp
 
 post-install:
-       ${INSTALL_MAN} ${WRKSRC}/dbclient.1 ${PREFIX}/${PKGMANDIR}/man1
-       ${INSTALL_MAN} ${WRKSRC}/dropbear.8 ${PREFIX}/${PKGMANDIR}/man8
-       ${INSTALL_MAN} ${WRKSRC}/dropbearkey.8 ${PREFIX}/${PKGMANDIR}/man8
-       ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/dropbear
-       ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/dropbear
+       ${INSTALL_MAN} ${WRKSRC}/dbclient.1 \
+               ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man1
+       ${INSTALL_MAN} ${WRKSRC}/dropbear.8 \
+               ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man8
+       ${INSTALL_MAN} ${WRKSRC}/dropbearkey.8 \
+               ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man8
+       ${INSTALL_DATA} ${WRKSRC}/README \
+               ${DESTDIR}/${PREFIX}/share/doc/dropbear
+       ${INSTALL_PROGRAM} ${WRKSRC}/scp ${DESTDIR}/${PREFIX}/bin/dbscp
 
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
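
Review bot: the XAUTH_COMMAND block probes `exists(${X11BASE}/bin/xauth)` on the build host, so a binary package built on one machine hard-codes whichever path existed there, regardless of where xauth lives on the machine the package is installed on. Consider deriving the path from the package's X11 configuration rather than a filesystem probe, or recording the assumption in more detail than the XXX comment. Separately, `SUBST_SED.pam` uses an unanchored `s/ENABLE_SVR_PASSWORD_AUTH/ENABLE_SVR_PAM_AUTH/`, which rewrites the string anywhere in options.h and still exits successfully when it matches nothing; anchoring it to the `#define` line would make the switch of authentication method explicit. The install lines also write `${DESTDIR}/${PREFIX}`, which yields a doubled slash because PREFIX is absolute; `${DESTDIR}${PREFIX}` is the usual form.
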
diff -r 20bb9ee2e3eb -r d58c8ca1cf7f security/dropbear/PLIST
--- a/security/dropbear/PLIST   Wed Aug 26 21:09:24 2009 +0000
+++ b/security/dropbear/PLIST   Wed Aug 26 21:10:11 2009 +0000
@@ -1,5 +1,6 @@
-@comment $NetBSD: PLIST,v 1.4 2009/06/14 18:13:28 joerg Exp $
+@comment $NetBSD: PLIST,v 1.5 2009/08/26 21:10:11 snj Exp $
 bin/dbclient
+bin/dbscp
 bin/dropbearconvert
 bin/dropbearkey
 man/man1/dbclient.1
diff -r 20bb9ee2e3eb -r d58c8ca1cf7f security/dropbear/distinfo
--- a/security/dropbear/distinfo        Wed Aug 26 21:09:24 2009 +0000
+++ b/security/dropbear/distinfo        Wed Aug 26 21:10:11 2009 +0000
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.16 2007/09/06 19:15:10 jlam Exp $
+$NetBSD: distinfo,v 1.17 2009/08/26 21:10:11 snj Exp $
 
-SHA1 (dropbear-0.50.tar.gz) = 6f56bc88bc29a99c58fe85c98a60249b9782ef36
-RMD160 (dropbear-0.50.tar.gz) = c5e643cf068d6cdc19f5da8318ec90e0a0dfb0c3
-Size (dropbear-0.50.tar.gz) = 1790358 bytes
+SHA1 (dropbear-0.52.tar.gz) = ae927e8b90059a7ba2b2b514d9824c12885b1949
+RMD160 (dropbear-0.52.tar.gz) = 3cc8398ffc265e28d8c8d3c80845236b143a6268
+Size (dropbear-0.52.tar.gz) = 1789901 bytes
 SHA1 (patch-aa) = 01bf4d80c4e76f9a60341b448cd7e77b2a03c286
-SHA1 (patch-ab) = 2eb7675e013edbe80b0e456dbaac310f1bb6cbbc
+SHA1 (patch-ab) = 911a0525f309386901d32c23404d13ae67c2e2d1
 SHA1 (patch-ac) = 69b1349bb47ad6a6ae02096f1ebde87a1461dd9b
-SHA1 (patch-af) = 356a8ac535d2d08ff9fd9fe7e84ae58181ce32a0
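
Review bot: the `dropbear-0.52.tar.gz` entries are the only integrity check on a tarball that MASTER_SITES in the Makefile fetches over plain http, and both digests recorded here (SHA1 and RMD160) are 160-bit. If upstream publishes a signature or a stronger digest for the release, verifying the tarball against it before recording these values, and saying so in the commit message, would let others reproduce the check.
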
diff -r 20bb9ee2e3eb -r d58c8ca1cf7f security/dropbear/patches/patch-ab
--- a/security/dropbear/patches/patch-ab        Wed Aug 26 21:09:24 2009 +0000
+++ b/security/dropbear/patches/patch-ab        Wed Aug 26 21:10:11 2009 +0000
@@ -1,17 +1,13 @@
-$NetBSD: patch-ab,v 1.6 2007/09/05 21:08:06 drochner Exp $
+$NetBSD: patch-ab,v 1.7 2009/08/26 21:10:11 snj Exp $
 
---- options.h.orig     2007-08-08 17:39:37.000000000 +0200
-+++ options.h
-@@ -132,8 +132,11 @@ etc) slower (perhaps by 50%). Recommende
-  * but there's an interface via a PAM module - don't bother using it otherwise.
-  * You can't enable both PASSWORD and PAM. */
+--- options.h.orig     2009-08-26 13:15:07.000000000 -0700
++++ options.h  2009-08-26 13:15:14.000000000 -0700
+@@ -232,7 +232,7 @@ etc) slower (perhaps by 50%). Recommende
  
-+#ifdef DISABLE_PAM
- #define ENABLE_SVR_PASSWORD_AUTH
--/*#define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */
-+#else
-+#define ENABLE_SVR_PAM_AUTH /* requires ./configure --enable-pam */
-+#endif
- #define ENABLE_SVR_PUBKEY_AUTH
+ /* This is used by the scp binary when used as a client binary. If you're
+  * not using the Dropbear client, you'll need to change it */
+-#define _PATH_SSH_PROGRAM "/usr/bin/dbclient"
++/*#define _PATH_SSH_PROGRAM "/usr/bin/dbclient"*/
  
- #define ENABLE_CLI_PASSWORD_AUTH
+ /* Whether to log commands executed by a client. This only logs the 
+  * (single) command sent to the server, not what a user did in a 
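
Review bot: with `_PATH_SSH_PROGRAM` commented out in options.h, the only remaining definition is the `-D_PATH_SSH_PROGRAM=...` that the Makefile adds to CPPFLAGS, and nothing in this patch says so. A short comment beside the commented-out line noting that the package supplies the value, or an `#ifndef _PATH_SSH_PROGRAM` guard around the original define, would make that dependency visible to whoever next regenerates the patch. The new `+++ options.h` header also carries a timestamp the previous revision did not, which adds noise to future diffs of this file.
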
diff -r 20bb9ee2e3eb -r d58c8ca1cf7f security/dropbear/patches/patch-af
--- a/security/dropbear/patches/patch-af        Wed Aug 26 21:09:24 2009 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-$NetBSD: patch-af,v 1.1 2007/09/06 16:07:51 jlam Exp $
-
---- cli-runopts.c.orig 2007-08-08 11:39:36.000000000 -0400
-+++ cli-runopts.c
-@@ -89,6 +89,9 @@ void cli_getopts(int argc, char ** argv)
- #endif
-       char* dummy = NULL; /* Not used for anything real */
- 
-+      char* recv_window_arg = NULL;
-+      char* keepalive_arg = NULL;
-+
-       /* see printhelp() for options */
-       cli_opts.progname = argv[0];
-       cli_opts.remotehost = NULL;
-@@ -114,8 +117,6 @@ void cli_getopts(int argc, char ** argv)
-       opts.ipv6 = 1;
-       */
-       opts.recv_window = DEFAULT_RECV_WINDOW;
--      char* recv_window_arg = NULL;
--      char* keepalive_arg = NULL;
- 
-       /* Iterate all the arguments */
-       for (i = 1; i < (unsigned int)argc; i++) {


