net-misc / openssh-contrib

Port of OpenBSD's free SSH release with HPN/X509 patches

Official package sites : https://www.openssh.com/ ·

OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. This package represents an effort to extend upstream OpenSSH with three big patchsets. WARNING: These patches are of lower quality than vanilla upstream OpenSSH and often have correctness issues. The patches are: * HPN (High performance SSH/SCP) adds custom ciphers that allow for more aggressive buffering and/or multithreading, leading to better network throughput. Many of these optimizations are not relevant anymore due to AEAD ciphers changing MAC nesting or because more CPU performant ciphers are being used in this day and age (ChaCha20). WARNING: HPN's multi-threaded AES CTR cipher is known to be broken and should not be relied upon. * SCTP patches by Patrick McLean. These enable SSH over SCTP. * X509 patches by Roumen Petrov. OpenSSH upstream will never support standard PKIs for authenticating users. This patch series adds support for X509 certificates.

v9.6_p1 :: 0 :: gentoo

Modified
License
BSD GPL-2
Keywords
~amd64
USE flags
X X509 audit debug hpn kerberos ldns libedit livecd pam pie security-key selinux ssl static test verify-sig xmss

v9.5_p1 :: 0 :: gentoo

Modified
License
BSD GPL-2
Keywords
~amd64
USE flags
X X509 audit debug hpn kerberos ldns libedit livecd pam pie security-key selinux ssl static test verify-sig xmss

General

X
Add support for X11
X509
Adds support for X.509 certificate authentication
audit
Enable support for Linux audit subsystem using sys-process/audit
debug
Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
hpn
Enable high performance ssh
kerberos
Add kerberos support
ldns
Use LDNS for DNSSEC/SSHFP validation.
libedit
Use the libedit library (replacement for readline)
livecd
Enable root password logins for live-cd environment.
pam
Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
pie
Build programs as Position Independent Executables (a security hardening technique)
security-key
Include builtin U2F/FIDO support
selinux
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
ssl
Enable additional crypto algorithms via OpenSSL
static
!!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
test
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
verify-sig
Verify upstream signatures on distfiles
xmss
Enable XMSS post-quantum authentication algorithm

abi_mips

n32
64-bit (32-bit pointer) libraries

acct-group / sshd : System group: sshd

acct-user / sshd : User for ssh

dev-libs / libedit : BSD replacement for libreadline

dev-libs / libfido2 : Provides library functionality for FIDO 2.0

dev-libs / openssl : Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)

net-libs / ldns : A library with the aim to simplify DNS programming in C

net-misc / openssh : Port of OpenBSD's free SSH release

sys-kernel / linux-headers : Linux system headers

sys-libs / libselinux : SELinux userland library

sys-libs / pam : Linux-PAM (Pluggable Authentication Modules)

sys-libs / zlib : Standard (de)compression library

sys-process / audit : Userspace utilities for storing and processing auditing records

virtual / krb5 : Virtual for Kerberos V implementation

virtual / libcrypt : Virtual for libcrypt.so

virtual / os-headers : Virtual for operating system headers

acct-group / sshd : System group: sshd

acct-user / sshd : User for ssh

dev-libs / libedit : BSD replacement for libreadline

dev-libs / libfido2 : Provides library functionality for FIDO 2.0

dev-libs / openssl : Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)

net-libs / ldns : A library with the aim to simplify DNS programming in C

net-misc / openssh : Port of OpenBSD's free SSH release

sys-apps / shadow : Utilities to deal with user accounts

sys-auth / pambase : PAM base configuration files

sys-libs / libselinux : SELinux userland library

sys-libs / pam : Linux-PAM (Pluggable Authentication Modules)

sys-libs / zlib : Standard (de)compression library

sys-process / audit : Userspace utilities for storing and processing auditing records

virtual / krb5 : Virtual for Kerberos V implementation

virtual / libcrypt : Virtual for libcrypt.so

x11-apps / xauth : X authority file utility

app-crypt / simple-tpm-pk11 : Simple PKCS11 provider for TPM chips

net-misc / openssh : Port of OpenBSD's free SSH release

virtual / openssh : Virtual for net-misc/openssh and variants

830623
net-misc/openssh-contrib fails with SecureCRT 9 when HPN is enabled
907880
net-misc/openssh-contrib-9.6_p1 has implicit function declarations in configure logs (MUSL-SYSTEM)
911264
net-misc/openssh-contrib-9.3_p2 fails test - cmp: .../copy: No such file or directory
Repository mirror & CI · gentoo
Merge updates from master
Patrick McLean · gentoo
net-misc/openssh-contrib: drop 9.3_p1, 9.3_p2, 9.4_p1-r1
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Patrick McLean · gentoo
net-misc/openssh-contrib: add 9.6_p1
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Michał Górny · gentoo
Move {sys-devel → dev-build}/autoconf
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Mike Gilbert · gentoo
Remove BROOT from VERIFY_SIG_OPENPGP_KEY_PATH
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Patrick McLean · gentoo
net-misc/openssh-contrib: add 9.5_p1
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Patrick McLean · gentoo
net-misc/openssh-contrib: Add patch for zlib-1.3 (bug #912767)
Closes: https://bugs.gentoo.org/912767 Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Patrick McLean · gentoo
net-misc/openssh-contrib: Revbump, X509 14.2.1, zlib patch (bug #912767)
Bug: https://bugs.gentoo.org/912767 Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Patrick McLean · gentoo
net-misc/openssh-contrib: add 9.4_p1
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Patrick McLean · gentoo
net-misc/openssh-contrib: unkeyword 9.3_p1 for ~amd64
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Patrick McLean · gentoo
net-misc/openssh-contrib: add 9.3_p2
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Sam James · gentoo
net-misc/openssh-contrib: drop libc_Cygwin cruft
Support is already gone. Closes: https://bugs.gentoo.org/909191 Signed-off-by: Sam James <sam@gentoo.org>
Repository mirror & CI · gentoo
Merge updates from master
Sam James · gentoo
net-misc/openssh-contrib: tweak config file names
Signed-off-by: Sam James <sam@gentoo.org>
David Seifert · gentoo
net-misc/openssh-contrib: new package, add 9.3_p1
This package will include the three big third-party patch series for HPN/SCTP/X509 functionality in OpenSSH. Historically, these patches have caused numerous issues for users in the OpenSSH package and they are of questionable quality. By maintaining these patches in a separate package, we can minimize the effect of them on the garden path, which should be to provide our users with a minimally patched OpenSSH experience. Furthermore, since vanilla OpenSSH package will not require a large chunk of rebasing for these patches, we can more easily bump OpenSSH for new releases. Signed-off-by: David Seifert <soap@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org>
Sam James · gentoo
net-misc/openssh-contrib: revoke github.com's compromised RSA host key
See https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/. It's necessary for the old github.com key to be explicitly removed (or revoked) rather than just selecting a new key, i.e. it's possible for users to be silently affected but not see the error because github.com may not serve them an RSA key. Revoke the old github.com key as part of the ebuild to help users out. Closes: https://github.com/gentoo/gentoo/pull/30327 Closes: https://github.com/gentoo/gentoo/pull/30897 Signed-off-by: Sam James <sam@gentoo.org>
Sam James · gentoo
net-misc/openssh-contrib: use /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d for config dropinsa
Debian patches this into their config already and we found ourselves wanting it when looking at handling the github.com SSH key change/rotation. /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d both become directories where users can add their own configuration files, but we also install the Gentoo snippets formerly in ssh_config and sshd_config in there instead. Signed-off-by: Sam James <sam@gentoo.org>