# $NetBSD: Makefile,v 1.260 2019/06/04 09:08:06 he Exp $

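# Package identity.  PKGNAME rewrites the upstream "p1" (portable) suffix
# to ".1" with the :S modifier, so the package version sorts as 8.0.1.
DISTNAME=		openssh-8.0p1
PKGNAME=		${DISTNAME:S/p1/.1/}
PKGREVISION=		2
CATEGORIES=		security
# The := modifier appends "OpenSSH/portable/" to every mirror listed in
# MASTER_SITE_OPENBSD.
# NOTE(review): the integrity of the fetched distfile rests on the
# checksums in the package's distinfo file, which is not part of this
# Makefile.
MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}

MAINTAINER=		pkgsrc-users@NetBSD.org
# Point at the project site over HTTPS instead of plaintext HTTP.
HOMEPAGE=		https://www.openssh.com/
COMMENT=		Open Source Secure shell client and server (remote login program)
LICENSE=		modified-bsd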

# Packages that must not be installed together with this one.
CONFLICTS=		sftp-[0-9]* ssh-[0-9]* ssh6-[0-9]*
CONFLICTS+=		ssh2-[0-9]* ssh2-nox11-[0-9]* openssh+gssapi-[0-9]*
CONFLICTS+=		lsh>2.0
# Marked as broken on every OpenBSD version and architecture.
BROKEN_ON_PLATFORM+=	OpenBSD-*-*

USE_GCC_RUNTIME=	yes
# autoconf is run by the pre-configure target below; perl is requested as
# a build tool as well.
USE_TOOLS+=		autoconf perl

# retain the following line, for IPv6-ready pkgsrc webpage
BUILD_DEFS+=		IPV6_READY

# OPENSSH_USER and OPENSSH_GROUP name the account and group that are
# passed to configure further down as the sshd privilege-separation user.
# Listing OPENSSH_CHROOT and VARBASE in BUILD_DEFS records the values the
# package was built with.
# NOTE(review): the defaults of these variables are set outside this file;
# confirm them before relying on the privsep setup.
PKG_GROUPS_VARS+=	OPENSSH_GROUP
PKG_USERS_VARS+=	OPENSSH_USER
BUILD_DEFS+=		OPENSSH_CHROOT
BUILD_DEFS+=		VARBASE

# Use upstream's install-nokeys target instead of plain "install".
# NOTE(review): presumably so that no host keys are generated during the
# package build and shipped inside a binary package (host keys must be
# unique per machine); confirm where they are generated at run time.
INSTALL_TARGET=		install-nokeys

# Package options (PKG_OPTIONS, tested in post-install below) are handled
# in options.mk, which is not part of this file.
.include "options.mk"

# fixes: dyld: Symbol not found: _allow_severity
# (Darwin only: the installed binaries are left unstripped.)
CONFIGURE_ARGS.Darwin+=	--disable-strip

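# Group and account that pkgsrc creates for this package.
PKG_GROUPS=		${OPENSSH_GROUP}
PKG_USERS=		${OPENSSH_USER}:${OPENSSH_GROUP}

# The account is the sshd privilege-separation pseudo-user; its home
# directory is the privsep chroot directory.
PKG_GECOS.${OPENSSH_USER}=	sshd privsep pseudo-user
PKG_HOME.${OPENSSH_USER}=	${OPENSSH_CHROOT}

# default directory for PID files
# (The comment sits on its own line so that the value does not depend on
# how make treats the whitespace in front of a trailing comment.)
SSH_PID_DIR=		${VARBASE}/run

# Configuration files live in the "ssh" subdirectory of the pkgsrc
# configuration directory.
PKG_SYSCONFSUBDIR=	ssh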

# Run the GNU-style configure script with the arguments collected below.
GNU_CONFIGURE=		yes
CONFIGURE_ARGS+=	--with-mantype=man
CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+=	--with-pid-dir=${SSH_PID_DIR}
# NOTE(review): confirm that the configure script of this release, with
# the package's patches applied, still accepts --with-tcp-wrappers; an
# option that configure does not recognise has no effect.
CONFIGURE_ARGS+=	--with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}

# Privilege separation: sshd's unprivileged child runs as OPENSSH_USER
# inside OPENSSH_CHROOT.  The directory is created through OWN_DIRS
# further down.
# NOTE(review): that directory should stay empty and must not be writable
# by the privsep user; confirm the ownership and mode it is created with.
# Only the chroot path is shell-quoted with :Q; the other paths are not.
CONFIGURE_ARGS+=	--with-privsep-path=${OPENSSH_CHROOT:Q}
CONFIGURE_ARGS+=	--with-privsep-user=${OPENSSH_USER}

# pkgsrc already enforces a "secure" version of zlib via dependencies,
# so skip this bogus version check.
# NOTE(review): this moves the responsibility for a fixed zlib entirely to
# the dependency pulled in by devel/zlib/buildlink3.mk (included below);
# confirm that it really enforces a minimum version.
CONFIGURE_ARGS+=	--without-zlib-version-check

# Ask configure for position-independent executables unless pkgsrc's PIE
# setting is "no".
# NOTE(review): _PKGSRC_MKPIE is an internal pkgsrc variable defined
# outside this file; the comparison assumes it is always set by the time
# this line is parsed.
.if ${_PKGSRC_MKPIE} != "no"
CONFIGURE_ARGS+=	--with-pie
.endif

# the openssh configure script finds and uses ${LD} if defined and
# defaults to ${CC} if not. we override LD here, since running the
# linker directly results in undefined symbols for obvious reasons.
#
CONFIGURE_ENV+=		LD=${CC:Q}

# Enable S/Key support on NetBSD, Darwin, and Solaris.
# The library comes from security/skey through buildlink3; every other
# platform is configured explicitly without it.
# NOTE(review): confirm that the configure script of this OpenSSH release,
# with the package's patches applied, still recognises --with-skey and
# --without-skey; an option it does not recognise has no effect.
.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
.  include "../../security/skey/buildlink3.mk"
CONFIGURE_ARGS+=	--with-skey=${BUILDLINK_PREFIX.skey}
.else
CONFIGURE_ARGS+=	--without-skey
.endif

# Platform-specific configure workarounds.
.if (${OPSYS} == "NetBSD")
# exists() looks at the build host at the time the Makefile is parsed.
.  if exists(/usr/include/utmpx.h)
# if we have utmpx et al do not try to use login()
CONFIGURE_ARGS+=	--disable-libutil
.  endif
#
# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
# prior version don't have it.  So, disable use of strnvis(3) now.
# (Presetting the autoconf cache variable to "no" makes configure treat
# the function as missing.)
#
CONFIGURE_ENV+=		ac_cv_func_strnvis=no
#
# workaround for ./configure problem, pkg/50936
# (same mechanism: reallocarray is reported as missing to configure)
#
CONFIGURE_ENV+=		ac_cv_func_reallocarray=no
.endif

# SunOS 5.8 and 5.9: build without utmp and wtmp support.
# NOTE(review): this affects which login records sshd writes on these
# releases; whether utmpx/wtmpx records are still written cannot be told
# from this file.
.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp
.endif

# Linux only: build with support for MD5 passwords.
# NOTE(review): this concerns the stored password hash format sshd can
# check, not the SSH transport; confirm it is still needed on the targeted
# systems.
CONFIGURE_ARGS.Linux+=	--enable-md5-password

# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
# on if it's part of the X11 distribution, or if it's installed from pkgsrc
# (security/ssh-askpass).
#
# The exists() test runs on the build host when the Makefile is parsed, and
# the chosen path is handed to both configure and make.
# NOTE(review): a binary package built on one host and installed on another
# keeps the build host's choice; confirm that the path is valid, and not
# writable by unprivileged users, on the systems where the package runs.
#
.if exists(${X11BASE}/bin/ssh-askpass)
ASKPASS_PROGRAM=	${X11BASE}/bin/ssh-askpass
.else
ASKPASS_PROGRAM=	${PREFIX}/bin/ssh-askpass
.endif
CONFIGURE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
MAKE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}

# do the same for xauth
# (the same build-host caveat applies to the xauth path given to configure)
.if exists(${X11BASE}/bin/xauth)
CONFIGURE_ARGS+=	--with-xauth=${X11BASE}/bin/xauth
.else
CONFIGURE_ARGS+=	--with-xauth=${PREFIX}/bin/xauth
.endif

# Configuration files shipped as examples; post-install copies each one
# into ${EGDIR} and the .for loop below registers it in CONF_FILES.
CONFS=			ssh_config sshd_config moduli

PLIST_VARS+=		darwin

# Directory that holds the example configuration files.
EGDIR=			${PREFIX}/share/examples/${PKGBASE}

# enable privsep patches
# On Darwin the sandbox profile org.openssh.sshd.sb (generated in
# post-configure) is registered as a configuration file as well, and the
# sources are compiled with __APPLE_SANDBOX_NAMED_EXTERNAL__ defined.
.if ${OPSYS} == "Darwin"
CONF_FILES+=		${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
CPPFLAGS+=		-D__APPLE_SANDBOX_NAMED_EXTERNAL__
PLIST.darwin=		yes
.endif

# CONF_FILES takes pairs: the example file and the live configuration file
# under ${PKG_SYSCONFDIR}.
.for f in ${CONFS}
CONF_FILES+=		${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
.endfor
# The privsep chroot directory is created and owned by the package.
# NOTE(review): it should be empty and not writable by the privsep user;
# the ownership and mode used for OWN_DIRS are not visible in this file.
OWN_DIRS=		${OPENSSH_CHROOT}
# The rc.d script is not taken from files/ directly but from the copy that
# post-configure writes to ${WRKDIR}/sshd.sh.
RCD_SCRIPTS=		sshd
RCD_SCRIPT_SRC.sshd=	${WRKDIR}/sshd.sh
SMF_METHODS=		sshd

# Make the PID directory available for substitution in installed scripts.
FILES_SUBST+=		SSH_PID_DIR=${SSH_PID_DIR}

# Source edits applied by the pkgsrc SUBST framework at the pre-configure
# stage, in session.c and sandbox-darwin.c:
#  - SUBST_VARS replaces @PKG_SYSCONFDIR@ with its value;
#  - on every line containing channel_input_port_forward_request the first
#    "0" is replaced by ROOTUID.
# NOTE(review): the sed expression is unanchored and has no "g" flag, so it
# rewrites whichever "0" character comes first on a matching line, and a
# line that no longer matches is left unchanged.  The edit appears to touch
# a root-uid comparison, so confirm against the patched source of this
# release that it still hits the intended literal and that ROOTUID is
# defined for the build.
SUBST_CLASSES+=		patch
SUBST_STAGE.patch=	pre-configure
SUBST_FILES.patch=	session.c sandbox-darwin.c
SUBST_SED.patch=	-e '/channel_input_port_forward_request/s/0/ROOTUID/'
SUBST_VARS.patch=	PKG_SYSCONFDIR

# zlib and TCP wrappers are taken from wherever buildlink3 finds them.
.include "../../devel/zlib/buildlink3.mk"
.include "../../security/tcp_wrappers/buildlink3.mk"

#
# Whether key type "ecdsa" is supported depends on the OpenSSL build, so
# post-configure adapts the sshd rc.d script to what configure detected.
#
# Regenerate the configure script inside the source directory before
# configure runs (autoconf is requested through USE_TOOLS above).
# NOTE(review): presumably needed because the package patches configure's
# input files; confirm against the patches directory.
pre-configure:
	cd ${WRKSRC} && autoconf -i

# Generate two files in ${WRKDIR} once configure has written config.h:
#
# 1. sshd.sh, the rc.d script named by RCD_SCRIPT_SRC.sshd.  If config.h
#    defines OPENSSL_HAS_ECC, only the lines carrying a HAVE_ECDSA marker
#    are blanked, which keeps what lies between the START and STOP markers;
#    otherwise the whole HAVE_ECDSA_START..HAVE_ECDSA_STOP range is deleted.
#    NOTE(review): that range presumably deals with the ECDSA host key;
#    files/sshd.sh is not visible here, confirm.
# 2. org.openssh.sshd.sb, from its .in template with @VARBASE@ replaced.
#    It is generated on every platform but only installed on Darwin.
#    NOTE(review): ${VARBASE} is pasted into the sed expression as-is, so a
#    value containing "," or "&" would change the substitution.
post-configure:
	if ${EGREP} -q '^\#define[ 	]+OPENSSL_HAS_ECC' \
	    ${WRKSRC}/config.h; then \
		${SED} -e '/HAVE_ECDSA/s/.*//' \
			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
	else \
		${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
	fi
	${SED} -e 's,@VARBASE@,${VARBASE},g' \
		< ${FILESDIR}/org.openssh.sshd.sb.in \
		> ${WRKDIR}/org.openssh.sshd.sb

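# Install the example configuration files and the platform-specific extras
# into ${EGDIR} inside the staging area (${DESTDIR}).
#
# - Each name in CONFS is installed from the <name>.out file in ${WRKSRC}.
# - The loop is chained to the cd with && (as pre-configure does) and every
#   copy is followed by "|| exit 1", so a failed cd or a failed copy stops
#   the target instead of producing a package that lacks an example
#   ssh_config, sshd_config or moduli file.
# - Linux with the pam option also gets the generic PAM file from contrib/
#   as the example sshd.pam.  It is only an example here; review it before
#   using it as the live PAM policy for sshd.
# - Darwin also gets the sandbox profile generated by post-configure.
post-install:
	${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
	cd ${WRKSRC} && for file in ${CONFS}; do			\
		${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}	\
			|| exit 1;					\
	done
.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
	  ${DESTDIR}${EGDIR}/sshd.pam
.endif
.if ${OPSYS} == "Darwin"
	${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
		${DESTDIR}${EGDIR}/org.openssh.sshd.sb
.endif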

.include "../../mk/bsd.pkg.mk"