authorgrant <grant>2002-08-31 10:08:59 +0000
committergrant <grant>2002-08-31 10:08:59 +0000
commitf089d4c29e5be89ec81b775cccd1886d61530ff5 (patch)
tree57d2240c9efd5a2b57f82b3aa549a526a0a90d56 /security/openssh
parentf9d37a6c072432cd82f19f99bd2a4275621e160e (diff)
Add variables for openssh privilege separation to bsd.pkg.defaults.mk:
OPENSSH_USER, OPENSSH_UID, OPENSSH_GROUP, OPENSSH_GID, OPENSSH_CHROOT. Use these to automatically create the user/group if they do not already exist. This assists platforms which do not have an 'sshd' user by default, while adding flexibility for NetBSD systems. Checked by Stoned Elipot <seb@netbsd.org>.
Diffstat (limited to 'security/openssh')
-rw-r--r--security/openssh/MESSAGE16
-rw-r--r--security/openssh/Makefile12
2 files changed, 13 insertions, 15 deletions
diff --git a/security/openssh/MESSAGE b/security/openssh/MESSAGE
index e96c0208959..339e26dbc66 100644
--- a/security/openssh/MESSAGE
+++ b/security/openssh/MESSAGE
@@ -1,24 +1,16 @@
===========================================================================
-$NetBSD: MESSAGE,v 1.9 2002/06/29 01:34:59 grant Exp $
+$NetBSD: MESSAGE,v 1.10 2002/08/31 10:09:00 grant Exp $
*===* NOTICE *===*
-The config files for ${PKGNAME} must be located in:
-
- ${PKG_SYSCONFDIR}
-
-and the example files are located in ${EGDIR}.
If you have existing config files for OpenSSH located at /etc/ssh.conf
and /etc/sshd.conf, then you will have to copy them:
/etc/ssh.conf --> ${PKG_SYSCONFDIR}/ssh_config
/etc/sshd.conf --> ${PKG_SYSCONFDIR}/sshd_config
-You need to create UID sshd, and GID sshd, for privilege separation. For
-security reasons, UsePrivilegeSeparation has to be yes (the default value).
-For example, add the following into /etc/passwd and /etc/group:
-
- sshd:*:16:16::0:0:sshd privsep:/var/chroot/sshd:/sbin/nologin
- sshd:*:16:
+The `${OPENSSH_USER}' user and `${OPENSSH_GROUP}' group used for privilege separation
+have been created if they did not already exist. For security reasons,
+UsePrivilegeSeparation has to be yes (the default value).
===========================================================================
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 5ac6b1d300a..d60c09e6bfa 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.88 2002/08/28 04:55:18 jlam Exp $
+# $NetBSD: Makefile,v 1.89 2002/08/31 10:09:00 grant Exp $
DISTNAME= openssh-3.4p1
PKGNAME= openssh-3.4.0.1
@@ -34,6 +34,9 @@ INSTALL_TARGET= install-nokeys
PLIST_SRC= # empty
MESSAGE_SRC= ${.CURDIR}/MESSAGE
+PKG_USERS= ${OPENSSH_USER}:${OPENSSH_GROUP}:${OPENSSH_UID}:sshd\\ privsep:${OPENSSH_CHROOT}:${NOLOGIN}
+PKG_GROUPS= ${OPENSSH_GROUP}:${OPENSSH_GID}
+
SSH_PID_DIR= /var/run # default directory for PID files
PKG_SYSCONFSUBDIR= ssh
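Review bot: The home-directory field of the new `PKG_USERS` entry is `${OPENSSH_CHROOT}`, the same directory sshd uses as its privilege-separation chroot, and nothing in the visible lines pins who owns that directory or what mode it has. Privilege separation relies on the chroot being root-owned, empty and not writable by the unprivileged account, so the account-creation step must not create or chown the home directory to `${OPENSSH_USER}`. Whether it does depends on the user-creation code in the install framework, which is not shown here. The same applies to `OWN_DIRS= ${OPENSSH_CHROOT}` in the last Makefile hunk. I would add a comment above the assignment such as `# user:group:uid:gecos:home:shell -- home is the privsep chroot; it must stay root-owned and empty` and confirm the resulting ownership on a platform that has no pre-existing sshd account.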
@@ -50,7 +53,8 @@ CONFIGURE_ARGS+= --mandir=${PREFIX}/${MANDIR}
CONFIGURE_ARGS+= --with-pid-dir=${SSH_PID_DIR}
CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE}
CONFIGURE_ARGS+= --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
-CONFIGURE_ARGS+= --with-privsep-path=/var/chroot/sshd
+CONFIGURE_ARGS+= --with-privsep-path=${OPENSSH_CHROOT}
+CONFIGURE_ARGS+= --with-privsep-user=${OPENSSH_USER}
# XXX: PAM authentication causes memory faults, and I haven't tracked down
# XXX: why yet. For the moment, disable PAM authentication.
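Review bot: Both `--with-privsep-path=${OPENSSH_CHROOT}` and `--with-privsep-user=${OPENSSH_USER}` expand to an empty value if the variables are unset, because make substitutes undefined variables with nothing. The defaults are said to live in bsd.pkg.defaults.mk, which is outside this diff, so a tree with an older copy of that file or an mk.conf that blanks the variables would build an sshd with an empty privsep path or user instead of failing. A package-local fallback that keeps the previous values, `OPENSSH_CHROOT?= /var/chroot/sshd` and `OPENSSH_USER?= sshd` placed before first use, would keep the build on the old, known-good settings in that case. If duplicating the defaults is not wanted, an explicit emptiness check that stops the build would serve the same purpose.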
@@ -113,12 +117,14 @@ SUPPORT_FILES= # empty
.for FILE in ${SUPPS}
SUPPORT_FILES+= ${EGDIR}/${FILE} ${PKG_SYSCONFDIR}/${FILE}
.endfor
-OWN_DIRS= /var/chroot/sshd
+OWN_DIRS= ${OPENSSH_CHROOT}
RCD_SCRIPTS= sshd
PLIST_SRC+= ${.CURDIR}/PLIST
FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR}
MESSAGE_SUBST+= EGDIR=${EGDIR}
+MESSAGE_SUBST+= OPENSSH_USER=${OPENSSH_USER}
+MESSAGE_SUBST+= OPENSSH_GROUP=${OPENSSH_GROUP}
INSTALL_EXTRA_TMPL= ${.CURDIR}/INSTALL
.if defined(UPDATE_INTREE_OPENSSH)
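Review bot: `OWN_DIRS= ${OPENSSH_CHROOT}` now hands package ownership of an administrator-chosen path rather than the fixed `/var/chroot/sshd`. As I understand `OWN_DIRS`, the directory is created at install and removed at deinstall. If so, pointing `OPENSSH_CHROOT` at a directory shared with another sshd, or changing it between install and deinstall, can leave the package removing or abandoning a directory it should not. A comment such as `# OPENSSH_CHROOT must be dedicated to this package; it is created and removed with it` would make that constraint visible. Pinning the owner and mode explicitly is also worth considering, for instance through `OWN_DIRS_PERMS` if the install framework at this revision provides it. Separately, the MESSAGE hunk drops the only visible use of `${EGDIR}`, so `MESSAGE_SUBST+= EGDIR=${EGDIR}` looks unused now.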