author | snj <snj@pkgsrc.org> | 2009-08-26 21:10:11 +0000 |
---|---|---|
committer | snj <snj@pkgsrc.org> | 2009-08-26 21:10:11 +0000 |
commit | e60135222218c03d1c5b69889206221f6693254a (patch) | |
tree | 1c50db7cea08875ffb65effb3d8a64423a81150f /security | |
parent | 9fea215039e6e5e1ef56593f4113cab4fe3a6ea0 (diff) | |
download | pkgsrc-e60135222218c03d1c5b69889206221f6693254a.tar.gz |
Update dropbear to 0.52. Build an scp binary and call it dbscp so it
doesn't conflict with openssh.
Changes since 0.50:
0.52 - Wed 12 November 2008
- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to
tunnel standard input/output to a TCP port-forwarded remote host.
- Add "proxy command" support to dbclient, to allow using a spawned
process for IO rather than a direct TCP connection. eg
    dbclient remotehost
is equivalent to
    dbclient -J 'nc remotehost 22' remotehost
(the hostname is still provided purely for looking up saved host keys)
- Combine netcat-alike and proxy support to allow "multihop"
connections, with comma-separated host syntax. Allows running
    dbclient user1@host1,user2@host2,user3@host3
to end up at host3 via the other two, using SSH TCP forwarding. It's
a bit like onion-routing. All connections are established from the
local machine. The comma-separated syntax can also be used for
scp/rsync, eg
    rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/
to bounce through a few hosts.
- Add -I "idle timeout" option (contributed by Farrell Aultman)
- Allow restrictions on authorized_keys logins such as restricting
commands to be run etc. This is a subset of those allowed by OpenSSH,
doesn't yet allow restricting source host.
- Use vfork() for scp on uClinux
- Default to PATH=/usr/bin:/bin for shells.
- Report errors if -R forwarding fails
- Add counter mode cipher support, which avoids some security problems
with the standard CBC mode.
- Support zlib@openssh.com delayed compression for client/server. It
can be required for the Dropbear server with the '-Z' option. This
is useful for security as it avoids exposing the server to attacks
on zlib by unauthenticated remote users, though requires client side
support.
- options.h has been split into options.h (user-changeable) and
sysoptions.h (less commonly changed)
- Support "dbclient -s sftp" to specify a subsystem
- Fix a bug in replies to channel requests that could be triggered by
recent versions of PuTTY
0.51 - Thu 27 March 2008
- Make a copy of password fields rather than erroneously relying on getwpnam()
to be safe to call multiple times
- If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is
as well) always use that program, ignoring isatty() and $DISPLAY
- Wait until a process exits before the server closes a connection, so
that an exit code can be sent. This fixes problems with exit codes not
being returned, which could cause scp to fail.
Diffstat (limited to 'security')
-rw-r--r-- | security/dropbear/Makefile | 46 |
-rw-r--r-- | security/dropbear/PLIST | 3 |
-rw-r--r-- | security/dropbear/distinfo | 11 |
-rw-r--r-- | security/dropbear/patches/patch-ab | 24 |
-rw-r--r-- | security/dropbear/patches/patch-af | 23 |
5 files changed, 52 insertions, 55 deletions
diff --git a/security/dropbear/Makefile b/security/dropbear/Makefile index 7a2c35eddeb..56fad223a05 100644 --- a/security/dropbear/Makefile +++ b/security/dropbear/Makefile @@ -1,17 +1,18 @@ -# $NetBSD: Makefile,v 1.23 2007/09/06 19:15:10 jlam Exp $ +# $NetBSD: Makefile,v 1.24 2009/08/26 21:10:11 snj Exp $ -DISTNAME= dropbear-0.50 -PKGREVISION= 2 +DISTNAME= dropbear-0.52 CATEGORIES= security MASTER_SITES= http://matt.ucc.asn.au/dropbear/releases/ -MAINTAINER= pkgsrc-users@NetBSD.org +MAINTAINER= snj@NetBSD.org HOMEPAGE= http://matt.ucc.asn.au/dropbear/dropbear.html -COMMENT= SSH2 server, aimed at embedded market +COMMENT= Small SSH2 server and client, aimed at embedded market GNU_CONFIGURE= yes USE_TOOLS+= gmake +PKG_DESTDIR_SUPPORT= user-destdir + CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} PKG_OPTIONS_VAR= PKG_OPTIONS.dropbear 
@@ -21,24 +22,47 @@ PKG_SUPPORTED_OPTIONS= pam .if !empty(PKG_OPTIONS:Mpam) . include "../../mk/pam.buildlink3.mk" CONFIGURE_ARGS+= --enable-pam +SUBST_CLASSES+= pam +SUBST_MESSAGE.pam= Enabling PAM in options.h +SUBST_STAGE.pam= post-patch +SUBST_FILES.pam= options.h +SUBST_SED.pam= -e "s/ENABLE_SVR_PASSWORD_AUTH/ENABLE_SVR_PAM_AUTH/" .endif MAKEFLAGS+= ROOT_USER=${ROOT_USER:Q} ROOT_GROUP=${ROOT_GROUP:Q} +OWN_DIRS+= ${PKG_SYSCONFDIR}/dropbear + SUBST_CLASSES+= config SUBST_MESSAGE.config= Fixing path to config directory. SUBST_STAGE.config= post-build SUBST_FILES.config= dropbear.8 dropbearkey.8 SUBST_SED.config= -e "s,/etc/dropbear/,"${PKG_SYSCONFDIR:Q}"/dropbear/,g" -INSTALLATION_DIRS= ${PKGMANDIR}/man1 ${PKGMANDIR}/man8 +# used by dbscp +CPPFLAGS+= -D_PATH_SSH_PROGRAM="\"${PREFIX}/bin/dbclient\"" + +# XXX use base xauth if present, otherwise _ass_ume pkgsrc. better than nothing +.if exists(${X11BASE}/bin/xauth) +CPPFLAGS+=-DXAUTH_COMMAND="\"${X11BASE}/bin/xauth\"" +.else +CPPFLAGS+=-DXAUTH_COMMAND="\"${X11PREFIX}/bin/xauth\"" +.endif + +INSTALLATION_DIRS= share/doc/dropbear ${PKGMANDIR}/man1 ${PKGMANDIR}/man8 + +BUILD_TARGET= all scp post-install: - ${INSTALL_MAN} ${WRKSRC}/dbclient.1 ${PREFIX}/${PKGMANDIR}/man1 - ${INSTALL_MAN} ${WRKSRC}/dropbear.8 ${PREFIX}/${PKGMANDIR}/man8 - ${INSTALL_MAN} ${WRKSRC}/dropbearkey.8 ${PREFIX}/${PKGMANDIR}/man8 - ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/dropbear - ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/dropbear + ${INSTALL_MAN} ${WRKSRC}/dbclient.1 \ + ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man1 + ${INSTALL_MAN} ${WRKSRC}/dropbear.8 \ + ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man8 + ${INSTALL_MAN} ${WRKSRC}/dropbearkey.8 \ + ${DESTDIR}/${PREFIX}/${PKGMANDIR}/man8 + ${INSTALL_DATA} ${WRKSRC}/README \ + ${DESTDIR}/${PREFIX}/share/doc/dropbear + ${INSTALL_PROGRAM} ${WRKSRC}/scp ${DESTDIR}/${PREFIX}/bin/dbscp .include "../../devel/zlib/buildlink3.mk" .include "../../mk/bsd.pkg.mk" 
diff --git a/security/dropbear/PLIST b/security/dropbear/PLIST index a1e2b935cf4..1759e0be19b 100644 --- a/security/dropbear/PLIST +++ b/security/dropbear/PLIST @@ -1,5 +1,6 @@ -@comment $NetBSD: PLIST,v 1.4 2009/06/14 18:13:28 joerg Exp $ +@comment $NetBSD: PLIST,v 1.5 2009/08/26 21:10:11 snj Exp $ bin/dbclient +bin/dbscp bin/dropbearconvert bin/dropbearkey man/man1/dbclient.1 diff --git a/security/dropbear/distinfo b/security/dropbear/distinfo index f6bcda46743..5fbd2e0021f 100644 --- a/security/dropbear/distinfo +++ b/security/dropbear/distinfo @@ -1,9 +1,8 @@ -$NetBSD: distinfo,v 1.16 2007/09/06 19:15:10 jlam Exp $ +$NetBSD: distinfo,v 1.17 2009/08/26 21:10:11 snj Exp $ -SHA1 (dropbear-0.50.tar.gz) = 6f56bc88bc29a99c58fe85c98a60249b9782ef36 -RMD160 (dropbear-0.50.tar.gz) = c5e643cf068d6cdc19f5da8318ec90e0a0dfb0c3 -Size (dropbear-0.50.tar.gz) = 1790358 bytes +SHA1 (dropbear-0.52.tar.gz) = ae927e8b90059a7ba2b2b514d9824c12885b1949 +RMD160 (dropbear-0.52.tar.gz) = 3cc8398ffc265e28d8c8d3c80845236b143a6268 +Size (dropbear-0.52.tar.gz) = 1789901 bytes SHA1 (patch-aa) = 01bf4d80c4e76f9a60341b448cd7e77b2a03c286 -SHA1 (patch-ab) = 2eb7675e013edbe80b0e456dbaac310f1bb6cbbc +SHA1 (patch-ab) = 911a0525f309386901d32c23404d13ae67c2e2d1 SHA1 (patch-ac) = 69b1349bb47ad6a6ae02096f1ebde87a1461dd9b -SHA1 (patch-af) = 356a8ac535d2d08ff9fd9fe7e84ae58181ce32a0 diff --git a/security/dropbear/patches/patch-ab b/security/dropbear/patches/patch-ab index bb684c83907..002400a1b24 100644 --- a/security/dropbear/patches/patch-ab +++ b/security/dropbear/patches/patch-ab 
@@ -1,17 +1,13 @@ -$NetBSD: patch-ab,v 1.6 2007/09/05 21:08:06 drochner Exp $ +$NetBSD: patch-ab,v 1.7 2009/08/26 21:10:11 snj Exp $ ---- options.h.orig 2007-08-08 17:39:37.000000000 +0200 -+++ options.h -@@ -132,8 +132,11 @@ etc) slower (perhaps by 50%). Recommende - * but there's an interface via a PAM module - don't bother using it otherwise. - * You can't enable both PASSWORD and PAM. */ +--- options.h.orig 2009-08-26 13:15:07.000000000 -0700 ++++ options.h 2009-08-26 13:15:14.000000000 -0700 +@@ -232,7 +232,7 @@ etc) slower (perhaps by 50%). Recommende -+#ifdef DISABLE_PAM - #define ENABLE_SVR_PASSWORD_AUTH --/*#define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */ -+#else -+#define ENABLE_SVR_PAM_AUTH /* requires ./configure --enable-pam */ -+#endif - #define ENABLE_SVR_PUBKEY_AUTH + /* This is used by the scp binary when used as a client binary. If you're + * not using the Dropbear client, you'll need to change it */ +-#define _PATH_SSH_PROGRAM "/usr/bin/dbclient" ++/*#define _PATH_SSH_PROGRAM "/usr/bin/dbclient"*/ - #define ENABLE_CLI_PASSWORD_AUTH + /* Whether to log commands executed by a client. This only logs the + * (single) command sent to the server, not what a user did in a diff --git a/security/dropbear/patches/patch-af b/security/dropbear/patches/patch-af deleted file mode 100644 index 29190f13506..00000000000 --- a/security/dropbear/patches/patch-af +++ /dev/null 
@@ -1,23 +0,0 @@ -$NetBSD: patch-af,v 1.1 2007/09/06 16:07:51 jlam Exp $ - ---- cli-runopts.c.orig 2007-08-08 11:39:36.000000000 -0400 -+++ cli-runopts.c -@@ -89,6 +89,9 @@ void cli_getopts(int argc, char ** argv) - #endif - char* dummy = NULL; /* Not used for anything real */ - -+ char* recv_window_arg = NULL; -+ char* keepalive_arg = NULL; -+ - /* see printhelp() for options */ - cli_opts.progname = argv[0]; - cli_opts.remotehost = NULL; -@@ -114,8 +117,6 @@ void cli_getopts(int argc, char ** argv) - opts.ipv6 = 1; - */ - opts.recv_window = DEFAULT_RECV_WINDOW; -- char* recv_window_arg = NULL; -- char* keepalive_arg = NULL; - - /* Iterate all the arguments */ - for (i = 1; i < (unsigned int)argc; i++) { |
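Review bot: in the second Makefile hunk (@@ -21,24 +22,47 @@), SUBST_SED.pam rewrites ENABLE_SVR_PASSWORD_AUTH with an unanchored pattern, so it matches that string anywhere in options.h, comments included, and it changes nothing if the macro is ever renamed upstream; nothing in the visible lines would flag a pam-option build that was left on password auth. Anchor the expression to the start of the define line (keeping in mind that # has to be escaped in a Makefile) and consider a post-patch check that ENABLE_SVR_PAM_AUTH is actually defined afterwards. In the same hunk, the XAUTH_COMMAND block tests exists(${X11BASE}/bin/xauth) on the build host and compiles the result in, and the ${X11PREFIX}/bin/xauth fallback is not checked at all, so a binary package installed on a different machine can carry a path that is not present there; the XXX comment should say that explicitly.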
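Review bot: in the distinfo hunk, the new dropbear-0.52.tar.gz entry carries only SHA1 and RMD160 digests, and MASTER_SITES in the Makefile is a plain http:// URL, so these two lines are the only integrity check on the fetched tarball. The commit message should say how the new digests were verified against an independent source, and a stronger digest should be recorded alongside them if the infrastructure accepts one.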
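Review bot: the new patch-ab hunk (@@ -232,7 +232,7 @@) comments out the _PATH_SSH_PROGRAM define in options.h outright and depends on the -D_PATH_SSH_PROGRAM added to CPPFLAGS in the Makefile, so any build that does not pick up that CPPFLAGS line is left with the macro undefined. Wrapping the original define in an #ifndef _PATH_SSH_PROGRAM / #endif guard keeps a default, still lets the Makefile override it, and is a change that could be sent upstream instead of carried locally.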
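Review bot: patch-af is deleted (and its SHA1 dropped from distinfo) with no reason given in the commit message. The removed patch moved the recv_window_arg and keepalive_arg declarations in cli_getopts() to the top of the block; please confirm that cli-runopts.c in 0.52 no longer needs that change and note it in the log, so the removal is not read as an accidental drop.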