d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0f74021fb6
freebsd-nq/crypto/openssh/.github/configs
Ed Maste 19261079b7 openssh: update to OpenSSH v8.7p1 
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
2021-09-07 21:05:51 -04:00

171 lines
4.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# usage: configs vmname test_config (or '' for default)
#
# Sets the following variables:
# CONFIGFLAGS options to ./configure
# SSHD_CONFOPTS sshd_config options
# TEST_TARGET make target used when testing. defaults to "tests".
# LTESTS
config=$1
TEST_TARGET="tests"
LTESTS=""
SKIP_LTESTS=""
SUDO=sudo # run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
CONFIGFLAGS=""
LIBCRYPTOFLAGS=""
case "$config" in
default|sol64)
;;
c89)
CC="gcc"
CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
CONFIGFLAGS="--without-openssl --without-zlib"
TEST_TARGET=t-exec
;;
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
;;
hardenedmalloc)
CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
;;
kerberos5)
CONFIGFLAGS="--with-kerberos5"
;;
libedit)
CONFIGFLAGS="--with-libedit"
;;
pam-krb5)
CONFIGFLAGS="--with-pam --with-kerberos5"
SSHD_CONFOPTS="UsePam yes"
;;
*pam)
CONFIGFLAGS="--with-pam"
SSHD_CONFOPTS="UsePam yes"
;;
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
openssl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
;;
selinux)
CONFIGFLAGS="--with-selinux"
;;
sk)
CONFIGFLAGS="--with-security-key-builtin"
;;
without-openssl)
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
valgrind-[1-4]|valgrind-unit)
# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
CONFIGFLAGS="--without-sandbox --without-hardening"
CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
TEST_TARGET="t-exec USE_VALGRIND=1"
TEST_SSH_ELAPSED_TIMES=1
export TEST_SSH_ELAPSED_TIMES
# Valgrind slows things down enough that the agent timeout test
# won't reliably pass, and the unit tests run longer than allowed
# by github so split into three separate tests.
tests2="rekey integrity"
tests3="krl forward-control sshsig"
tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment"
case "$config" in
valgrind-1)
# All tests except agent-timeout (which is flaky under valgrind)
#) and slow ones that run separately to increase parallelism.
SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
;;
valgrind-2)
LTESTS="${tests2}"
;;
valgrind-3)
LTESTS="${tests3}"
;;
valgrind-4)
LTESTS="${tests4}"
;;
valgrind-unit)
TEST_TARGET="unit USE_VALGRIND=1"
;;
esac
;;
*)
echo "Unknown configuration $config"
exit 1
;;
esac
# The Solaris 64bit targets are special since they need a non-flag arg.
case "$config" in
sol64*)
CONFIGFLAGS="x86_64 --with-cflags=-m64 --with-ldflags=-m64 ${CONFIGFLAGS}"
LIBCRYPTOFLAGS="--with-ssl-dir=/usr/local/ssl64"
;;
esac
case "${TARGET_HOST}" in
dfly58*|dfly60*)
# scp 3-way connection hangs on these so skip until sorted.
SKIP_LTESTS=scp3
;;
hurd)
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
minix3)
CC="clang"
LIBCRYPTOFLAGS="--without-openssl"
# Minix does not have a loopback interface so we have to skip any
# test that relies on it.
TEST_TARGET=t-exec
SKIP_LTESTS="addrmatch cfgparse key-options reexec agent connect"
SKIP_LTESTS="$SKIP_LTESTS keyscan rekey allow-deny-users connect-uri"
SKIP_LTESTS="$SKIP_LTESTS knownhosts-command sftp-uri brokenkeys"
SKIP_LTESTS="$SKIP_LTESTS exit-status login-timeout stderr-data"
SKIP_LTESTS="$SKIP_LTESTS cfgmatch forward-control multiplex transfer"
SKIP_LTESTS="$SKIP_LTESTS cfgmatchlisten forwarding reconfigure"
SUDO=""
;;
nbsd4)
# System compiler will ICE on some files with fstack-protector
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening"
;;
sol10|sol11)
# sol10 VM is 32bit and the unit tests are slow.
# sol11 has 4 test configs so skip unit tests to speed up.
TEST_TARGET="tests SKIP_UNIT=1"
;;
win10)
# No sudo on Windows.
SUDO=""
;;
esac
# If we have a local openssl/libressl, use that.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
# last-match
for i in /usr/local /usr/local/ssl /usr/local/opt/openssl; do
if [ -x ${i}/bin/openssl ]; then
LIBCRYPTOFLAGS="--with-ssl-dir=${i}"
fi
done
fi
CONFIGFLAGS="${CONFIGFLAGS} ${LIBCRYPTOFLAGS}"
if [ -x "$(which plink 2>/dev/null)" ]; then
REGRESS_INTEROP_PUTTY=yes
export REGRESS_INTEROP_PUTTY
fi
export CC CFLAGS LTESTS SUDO TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS
Reference in New Issue View Git Blame Copy Permalink