nixpkgs/pkgs/tools/networking/openssh/default.nix

{ callPackage, lib, fetchurl, fetchpatch, fetchFromGitHub, autoreconfHook }:
let
  common = opts: callPackage (import ./common.nix opts) { };
in
{

  openssh = common rec {
    pname = "openssh";
    version = "9.3p1";

    src = fetchurl {
      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
      hash = "sha256-6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=";
    };

    extraPatches = [ ./ssh-keysign-8.5.patch ];
    extraMeta.maintainers = with lib.maintainers; [ das_j ];
  };

  openssh_hpn = common rec {
    pname = "openssh-with-hpn";
    version = "9.2p1";
    extraDesc = " with high performance networking patches";

    src = fetchurl {
      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
      hash = "sha256-P2bb8WVftF9Q4cVtpiqwEhjCKIB7ITONY068351xz0Y=";
    };

    extraPatches = [
      ./ssh-keysign-8.5.patch

      # HPN Patch from FreeBSD ports
      (fetchpatch {
        name = "ssh-hpn-wo-channels.patch";
        url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/10491773d88012fe81d9c039cbbba647bde9ebc9/security/openssh-portable/files/extra-patch-hpn";
        stripLen = 1;
        excludes = [ "channels.c" ];
        sha256 = "sha256-kSj0oE7gNHfIciy0/ErhdfrbmfjQmd8hduyiRXFnVZA=";
      })

      (fetchpatch {
        name = "ssh-hpn-channels.patch";
        url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/10491773d88012fe81d9c039cbbba647bde9ebc9/security/openssh-portable/files/extra-patch-hpn";
        extraPrefix = "";
        includes = [ "channels.c" ];
        sha256 = "sha256-pDLUbjv5XIyByEbiRAXC3WMUPKmn15af1stVmcvr7fE=";
      })
    ];

    extraNativeBuildInputs = [ autoreconfHook ];

    extraConfigureFlags = [ "--with-hpn" ];
    extraMeta = {
      maintainers = with lib.maintainers; [ abbe ];
      knownVulnerabilities = [ "CVE-2023-28531" ];
    };
  };

  openssh_gssapi = common rec {
    pname = "openssh-with-gssapi";
    version = "9.0p1";
    extraDesc = " with GSSAPI support";

    src = fetchurl {
      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
      sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";
    };

    extraPatches = [
      ./ssh-keysign-8.5.patch

      (fetchpatch {
        name = "openssh-gssapi.patch";
        url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-1/debian/patches/gssapi.patch";
        sha256 = "sha256-VG7+2dfu09nvHWuSAB6sLGMmjRCDCysl/9FR1WSF21k=";
      })
    ];

    extraNativeBuildInputs = [ autoreconfHook ];
    extraMeta.knownVulnerabilities = [ "CVE-2023-28531" ];
  };
}
openssh: Add myself as maintainer 2021-09-30 19:12:47 +00:00			`{ callPackage, lib, fetchurl, fetchpatch, fetchFromGitHub, autoreconfHook }:`
* openssh updated to 5.3p1. Also enabled the HPN patch by default. svn path=/nixpkgs/trunk/; revision=19752 2010-02-01 16:56:10 +00:00			`let`
openssh-portable: switch to fetchFromGitHub 2021-09-19 17:10:58 +00:00			`common = opts: callPackage (import ./common.nix opts) { };`
			`in`
			`{`
OpenSSH: allow users to configure --sysconfdir via $NIXPKGS_CONFIG The OpenSSH binaries built by the expression by default expect system-wide configuration files in "/etc/ssh", which is a bit of an impurity (and certainly inconsistent with the way other package handle --sysconfdir in Nix). Those who prefer a clean installation, can now configure that directory path. Adding the line "openssh = { etcDir = null; };" to $NIXPKGS_CONFIG configures OpenSSH to use the default location, i.e. $out/etc. Setting that attribute to a string will configure OpenSSH to use that concrete path instead. svn path=/nixpkgs/trunk/; revision=17570 2009-10-01 12:07:33 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`openssh = common rec {`
			`pname = "openssh";`
openssh: 9.2p1 -> 9.3p1 2023-03-16 16:35:51 +00:00			`version = "9.3p1";`
openssh: Add gssapi patch used by other major distros This patch is borrowed verbatim from Debian, where it is actively maintained for each openssh update. It's also included in Fedora's openssh package, in Arch linux as openssh-gssapi in the AUR, in MacOS X, and presumably various other platforms and linux distros. The main relevant parts of this patch: - Adds several ssh_config options: GSSAPIKeyExchange, GSSAPITrustDNS, GSSAPIClientIdentity, GSSAPIServerIdentity GSSAPIRenewalForcesRekey - Optionally use an in-memory credentials cache api for security My primary motivation for wanting the patch is the GSSAPIKeyExchange and GSSAPITrustDNS features. My user ssh_config is shared across several OSes, and it's a lot easier to manage if they all support the same options. 2016-01-02 00:35:43 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`src = fetchurl {`
			`url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";`
openssh: 9.2p1 -> 9.3p1 2023-03-16 16:35:51 +00:00			`hash = "sha256-6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=";`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`};`
* OpenSSH: optionally use PAM. * Some purity fixes in OpenSSH: it needs Perl, and we now specify a location for the empty privsep directory. svn path=/nixpkgs/trunk/; revision=7310 2006-12-11 03:24:35 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`extraPatches = [ ./ssh-keysign-8.5.patch ];`
openssh: Add myself as maintainer 2021-09-30 19:12:47 +00:00			`extraMeta.maintainers = with lib.maintainers; [ das_j ];`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`};`
openssh: Just use a mirror of the HPN patch 2013-02-19 10:02:20 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`openssh_hpn = common rec {`
			`pname = "openssh-with-hpn";`
openssh_hpn: 9.1p1 -> 9.2p1 The latest patch has diffs with mixed strip prefixes counts (i.e. patch -pX) so it needs to be split into two diffs, one that can be applied with -p1 and one that needs to be fixed up 2023-02-18 11:24:44 +00:00			`version = "9.2p1";`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`extraDesc = " with high performance networking patches";`
openssh: Use the default privilege separation dir (/var/empty) (This is a rewritten version of the reverted commit a927709a35cee56f878f0f57a932e1a6e2ebe23b, that disables the creation of /var/empty during build so that sandboxed builds also works. For more context, see https://github.com/NixOS/nixpkgs/pull/16966) If running NixOS inside a container where the host's root-owned files and directories have been mapped to some other uid (like nobody), the ssh daemon fails to start, producing this error message: fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable. The reason for this is that when openssh is built, we explicitly set `--with-privsep-path=$out/empty`. This commit removes that flag which causes the default directory /var/empty to be used instead. Since NixOS' activation script correctly sets up that directory, the ssh daemon now also works within containers that have a non-root-owned nix store. 2016-07-16 08:08:29 +00:00
openssh_hpn: 8.4p1 -> 8.8p1 - Switch to using patch from the FreeBSD port security/openssh-portable which is regularly maintained - Add myself as maintainer for openssh_hpn 2022-01-04 13:37:16 +00:00			`src = fetchurl {`
			`url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";`
openssh_hpn: 9.1p1 -> 9.2p1 The latest patch has diffs with mixed strip prefixes counts (i.e. patch -pX) so it needs to be split into two diffs, one that can be applied with -p1 and one that needs to be fixed up 2023-02-18 11:24:44 +00:00			`hash = "sha256-P2bb8WVftF9Q4cVtpiqwEhjCKIB7ITONY068351xz0Y=";`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`};`
openssh: apply CVE-2018-20685 patch 2019-01-13 20:26:05 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`extraPatches = [`
openssh_hpn: 8.4p1 -> 8.8p1 - Switch to using patch from the FreeBSD port security/openssh-portable which is regularly maintained - Add myself as maintainer for openssh_hpn 2022-01-04 13:37:16 +00:00			`./ssh-keysign-8.5.patch`
[staging] openssh: Fix EOF: command not found 2020-11-19 08:15:23 +00:00
openssh_hpn: 8.4p1 -> 8.8p1 - Switch to using patch from the FreeBSD port security/openssh-portable which is regularly maintained - Add myself as maintainer for openssh_hpn 2022-01-04 13:37:16 +00:00			`# HPN Patch from FreeBSD ports`
			`(fetchpatch {`
openssh_hpn: 9.1p1 -> 9.2p1 The latest patch has diffs with mixed strip prefixes counts (i.e. patch -pX) so it needs to be split into two diffs, one that can be applied with -p1 and one that needs to be fixed up 2023-02-18 11:24:44 +00:00			`name = "ssh-hpn-wo-channels.patch";`
			`url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/10491773d88012fe81d9c039cbbba647bde9ebc9/security/openssh-portable/files/extra-patch-hpn";`
openssh_hpn: 8.4p1 -> 8.8p1 - Switch to using patch from the FreeBSD port security/openssh-portable which is regularly maintained - Add myself as maintainer for openssh_hpn 2022-01-04 13:37:16 +00:00			`stripLen = 1;`
openssh_hpn: 9.1p1 -> 9.2p1 The latest patch has diffs with mixed strip prefixes counts (i.e. patch -pX) so it needs to be split into two diffs, one that can be applied with -p1 and one that needs to be fixed up 2023-02-18 11:24:44 +00:00			`excludes = [ "channels.c" ];`
			`sha256 = "sha256-kSj0oE7gNHfIciy0/ErhdfrbmfjQmd8hduyiRXFnVZA=";`
openssh_hpn: 8.4p1 -> 8.8p1 - Switch to using patch from the FreeBSD port security/openssh-portable which is regularly maintained - Add myself as maintainer for openssh_hpn 2022-01-04 13:37:16 +00:00			`})`
openssh: 9.1p1 -> 9.2p1 2023-02-02 15:18:12 +00:00
			`(fetchpatch {`
openssh_hpn: 9.1p1 -> 9.2p1 The latest patch has diffs with mixed strip prefixes counts (i.e. patch -pX) so it needs to be split into two diffs, one that can be applied with -p1 and one that needs to be fixed up 2023-02-18 11:24:44 +00:00			`name = "ssh-hpn-channels.patch";`
			`url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/10491773d88012fe81d9c039cbbba647bde9ebc9/security/openssh-portable/files/extra-patch-hpn";`
			`extraPrefix = "";`
			`includes = [ "channels.c" ];`
			`sha256 = "sha256-pDLUbjv5XIyByEbiRAXC3WMUPKmn15af1stVmcvr7fE=";`
openssh: 9.1p1 -> 9.2p1 2023-02-02 15:18:12 +00:00			`})`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`];`
openssh: fixup build on Hydra http://hydra.nixos.org/build/53993444 2017-06-07 07:33:26 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`extraNativeBuildInputs = [ autoreconfHook ];`
openssh_hpn/openssh_gssapi: Add CVE-2021-28041 2021-03-11 10:57:14 +00:00
openssh_hpn: 8.4p1 -> 8.8p1 - Switch to using patch from the FreeBSD port security/openssh-portable which is regularly maintained - Add myself as maintainer for openssh_hpn 2022-01-04 13:37:16 +00:00			`extraConfigureFlags = [ "--with-hpn" ];`
openssh_*: Add knownVulnerabilities 2023-03-21 08:22:28 +00:00			`extraMeta = {`
			`maintainers = with lib.maintainers; [ abbe ];`
			`knownVulnerabilities = [ "CVE-2023-28531" ];`
			`};`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`};`
openssh: Refactor and install sample config files 2015-07-07 02:29:45 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`openssh_gssapi = common rec {`
			`pname = "openssh-with-gssapi";`
openssh_gssapi: 8.4p1 -> 9.0p1 Fixes https://github.com/NixOS/nixpkgs/issues/142999, CVE-2021-28041, CVE-2021-41617, CVE-2016-20012 @moduon MT-904 2022-07-06 09:34:30 +00:00			`version = "9.0p1";`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`extraDesc = " with GSSAPI support";`
openssh: don't let configure override SSH_KEYSIGN While 9fe10288f01984963faf47e21bf1bae4d7d37962 ensured that the ssh-keysign path is searched for in PATH if not absolute, it doesn't prevent the configure script from defaulting to an absolute path in $out/libexec, making the whole effort rather pointless. 2019-06-20 17:15:33 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`src = fetchurl {`
			`url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";`
openssh_gssapi: 8.4p1 -> 9.0p1 Fixes https://github.com/NixOS/nixpkgs/issues/142999, CVE-2021-28041, CVE-2021-41617, CVE-2016-20012 @moduon MT-904 2022-07-06 09:34:30 +00:00			`sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`};`
openssh: Update to 6.7p1 2014-11-20 11:12:33 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`extraPatches = [`
openssh_gssapi: 8.4p1 -> 9.0p1 Fixes https://github.com/NixOS/nixpkgs/issues/142999, CVE-2021-28041, CVE-2021-41617, CVE-2016-20012 @moduon MT-904 2022-07-06 09:34:30 +00:00			`./ssh-keysign-8.5.patch`
* Install ssh-copy-id from the contrib directory. svn path=/nixpkgs/trunk/; revision=8700 2007-05-15 13:10:41 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`(fetchpatch {`
			`name = "openssh-gssapi.patch";`
openssh_gssapi: 8.4p1 -> 9.0p1 Fixes https://github.com/NixOS/nixpkgs/issues/142999, CVE-2021-28041, CVE-2021-41617, CVE-2016-20012 @moduon MT-904 2022-07-06 09:34:30 +00:00			`url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-1/debian/patches/gssapi.patch";`
			`sha256 = "sha256-VG7+2dfu09nvHWuSAB6sLGMmjRCDCysl/9FR1WSF21k=";`
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`})`
			`];`
* openssh updated to 5.3p1. Also enabled the HPN patch by default. svn path=/nixpkgs/trunk/; revision=19752 2010-02-01 16:56:10 +00:00
openssh: 8.4p1 -> 8.5p1 and refactor Also split out the variants of the package because I'm sick of waiting for random patches to be updated before I can update my unpatched openssh. Also make pname correspond to the attribute name. 2021-03-03 19:33:21 +00:00			`extraNativeBuildInputs = [ autoreconfHook ];`
openssh_*: Add knownVulnerabilities 2023-03-21 08:22:28 +00:00			`extraMeta.knownVulnerabilities = [ "CVE-2023-28531" ];`
* openssh updated to 5.3p1. Also enabled the HPN patch by default. svn path=/nixpkgs/trunk/; revision=19752 2010-02-01 16:56:10 +00:00			`};`
add OpenSSH client + server, needs a lot of thorough testing with regards to server configuration, this will be the test case for NixOS. No PAM configs, might need tweaking, etc. svn path=/nixpkgs/trunk/; revision=1210 2004-08-02 11:55:31 +00:00			`}`