From b541704ca106d9e2b202c1ed7cf9625dfa2b891f Mon Sep 17 00:00:00 2001 From: "Tom G. Christensen" Date: Mon, 28 Apr 2008 19:26:05 +0000 Subject: [PATCH] Update to 5.0. I've decided to change BASEDIR to / and take all the init scripts and stuff out of the postintall script. This marks a change from how opensshs own make package target does it. --- openssh/build.sh | 42 ++++--- openssh/meta/depend.openssh | 2 - openssh/meta/pkgdef | 35 +++++- openssh/meta/postinstall.openssh | 198 ++++++++++++++----------------- openssh/meta/postremove.openssh | 3 +- openssh/meta/preremove.openssh | 2 +- openssh/meta/space.openssh | 4 - openssh/src/sshd.init | 46 ++++++- 8 files changed, 191 insertions(+), 141 deletions(-) delete mode 100644 openssh/meta/depend.openssh delete mode 100644 openssh/meta/space.openssh diff --git a/openssh/build.sh b/openssh/build.sh index 5a9024e..381af99 100755 --- a/openssh/build.sh +++ b/openssh/build.sh @@ -9,8 +9,8 @@ ########################################################### # Check the following 4 variables before running the script topdir=openssh -version=4.7p1 -pkgver=2 +version=5.0p1 +pkgver=1 source[0]=$topdir-$version.tar.gz # If there are no patches, simply comment this #patch[0]= 
@@ -19,14 +19,10 @@ source[0]=$topdir-$version.tar.gz . ${BUILDPKG_BASE}/scripts/buildpkg.functions # Global settings -export LDFLAGS="-R/usr/local/lib -L/usr/local/lib" -export CPPFLAGS="-I/usr/local/include" -# Use prngd socket (For Solaris 2.6,7 & 8 without patch 112438) -#export ENTROPY="--with-prngd-socket=/var/run/egd-pool" -# Use /dev/random (For Solaris 9 & 8 with patch 112438) -export ENTROPY="--without-prngd --without-rand-helper" -configure_args='--prefix=$prefix --sysconfdir=$prefix/${_sysconfdir} --datadir=$prefix/${_sharedir}/openssh --with-default-path=/usr/bin:/usr/local/bin --with-mantype=cat --with-pam --disable-suid-ssh --without-rsh --with-privsep-user=sshd --with-privsep-path=/var/empty/sshd --with-superuser-path=/usr/bin:/usr/sbin:/usr/local/bin --with-lastlog=/var/adm/lastlog --without-zlib-version-check $ENTROPY' +export LDFLAGS="-R$prefix/lib -L$prefix/lib" +export CPPFLAGS="-I$prefix/include" +configure_args="--prefix=$prefix --mandir=$prefix/$_mandir --sysconfdir=$prefix/${_sysconfdir}/ssh --datadir=$prefix/${_sharedir}/openssh --with-default-path=/usr/bin:$prefix/${_bindir} --with-mantype=cat --with-pam --disable-suid-ssh --without-rsh --with-privsep-user=sshd --with-privsep-path=/var/empty/sshd --with-superuser-path=/usr/bin:/usr/sbin:$prefix/$_bindir:$prefix/$_sbindir --with-lastlog=/var/adm/lastlog --without-zlib-version-check" reg prep prep() 
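Review bot: `configure_args` changes from single quotes to double quotes, so `$prefix`, `$_mandir`, `$_bindir`, `$_sbindir` and `$_sysconfdir` are now expanded at this line rather than when the build stage uses the string; if any of them is only defined by a later stage it silently becomes empty (e.g. `--mandir=/usr/tgcware/`), so it is worth confirming they are all set by the `buildpkg.functions` sourced just above. The `--without-prngd --without-rand-helper` flags and the comment explaining the Solaris /dev/random dependency are dropped with no replacement, leaving configure's own entropy detection to decide; a one-line comment such as `# Entropy: rely on configure's /dev/random detection (Solaris 9, or 8 with patch 112438)` would keep that reasoning with the build script.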
@@ -45,18 +41,36 @@ install() { clean stage setdir source - $MAKE_PROG DESTDIR=$stagedir install-nokeys - setdir ${stagedir}${prefix}/${_sysconfdir} - for i in *; do ${MV} $i $i.default; done - ${CP} -p $srcdir/sshd.init $stagedir/usr/local/etc + ${__make} DESTDIR=$stagedir install-nokeys + + ${__mkdir} -p ${stagedir}/${_sysconfdir}/init.d + ${__mkdir} -p ${stagedir}/${_sysconfdir}/rc0.d + ${__mkdir} -p ${stagedir}/${_sysconfdir}/rc1.d + ${__mkdir} -p ${stagedir}/${_sysconfdir}/rc2.d + ${__mkdir} -p ${stagedir}/${_sysconfdir}/rcS.d + ${__mkdir} -p ${stagedir}/var/empty/sshd + + # Install initscript + ${__cp} $srcdir/sshd.init ${stagedir}/${_sysconfdir}/init.d/tgc_sshd + chmod 755 ${stagedir}/${_sysconfdir}/init.d/tgc_sshd + (setdir ${stagedir}/${_sysconfdir}/rc0.d; ${__ln} -sf ../init.d/tgc_sshd K02tgc_sshd) + (setdir ${stagedir}/${_sysconfdir}/rc1.d; ${__ln} -sf ../init.d/tgc_sshd K02tgc_sshd) + (setdir ${stagedir}/${_sysconfdir}/rcS.d; ${__ln} -sf ../init.d/tgc_sshd K02tgc_sshd) + (setdir ${stagedir}/${_sysconfdir}/rc2.d; ${__ln} -sf ../init.d/tgc_sshd S98tgc_sshd) + custom_install=1 generic_install doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README README.privsep README.smartcard RFC.nroff TODO WARNING.RNG - } + + setdir ${stagedir}${prefix}/${_sysconfdir}/ssh + for i in *; do ${__mv} $i $i.default; done +} reg pack pack() { + lprefix=${prefix#/*} + topinstalldir=/ generic_pack } diff --git a/openssh/meta/depend.openssh b/openssh/meta/depend.openssh deleted file mode 100644 index 9b06836..0000000 --- a/openssh/meta/depend.openssh +++ /dev/null @@ -1,2 +0,0 @@ -P SBossl098glib OpenSSL - Secure Socket Layer -P SBlibgccso1 libgcc_s.so.1 from gcc 3.3.2+ diff --git a/openssh/meta/pkgdef b/openssh/meta/pkgdef index ab764c5..7c14c80 100644 --- a/openssh/meta/pkgdef +++ b/openssh/meta/pkgdef 
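Review bot: `chmod 755 ${stagedir}/${_sysconfdir}/init.d/tgc_sshd` is the only bare command in the new install() body, where every other tool goes through a `${__x}` wrapper, and `${__cp}` has lost the `-p` that the old `${CP} -p` passed, so the staged init script's timestamp now comes from the build rather than the source. The rename loop `for i in *; do ${__mv} $i $i.default; done` still operates on the literal `*` when the staged `ssh` directory is empty and word-splits any name containing whitespace; `for i in *; do [ -e "$i" ] || continue; ${__mv} "$i" "$i.default"; done` avoids both. install() opens before this hunk; pack() is complete within it.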
@@ -1,9 +1,36 @@ [openssh] -pkgname="$pkgprefix""ossh" -name="OpenSSH portable for Solaris" +pkgname="${pkgprefix}ossh" +name="openssh - OpenSSH portable" pkgcat="application" pkgvendor="http://www.openssh.org" -pkgdesc="Secure Shell remote access utility" +pkgdesc="Secure remote access utilities" pkgver="$pkgver" +# files(-,root,bin) -* +dir $_sysconfdir +# +files(775,root,sys) +dir $_sysconfdir/init.d +dir $_sysconfdir/rc0.d +dir $_sysconfdir/rc1.d +dir $_sysconfdir/rc2.d +dir $_sysconfdir/rcS.d +dir usr +dir usr/tgcware +dir var +dir var/empty +# +files(711,root,sys) +dir var/empty/sshd +# +files(-,root,sys) +${_sysconfdir}/*/*tgc_sshd +$lprefix/$_bindir +$lprefix/$_sbindir +$lprefix/$_mandir +$lprefix/$_sysconfdir +$lprefix/libexec/ssh-keysign +$lprefix/libexec/sftp-server +${lprefix}/${_sharedir}/openssh/Ssh.bin +default_docs + diff --git a/openssh/meta/postinstall.openssh b/openssh/meta/postinstall.openssh index 0750b68..f3b24db 100644 --- a/openssh/meta/postinstall.openssh +++ b/openssh/meta/postinstall.openssh 
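Review bot: `dir var/empty` is packaged under `files(775,root,sys)`, which makes the parent of the privilege-separation chroot `/var/empty/sshd` group-writable by sys while only `var/empty/sshd` itself gets 711. sshd verifies root ownership and absence of group/world write on the chroot directory itself; whether this version also walks the parents I cannot tell from here, but a writable parent of a chroot target is the usual way such a directory gets replaced, so `files(755,root,sys)` for `var/empty` (and arguably `usr`, `usr/tgcware` and `var`) is the safer packaging. A short comment above the 775 group, e.g. `# 775 root:sys matches the system rc directories; privsep dirs below use stricter modes`, would record why the two groups differ.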
@@ -1,125 +1,83 @@ -INSTALLF=/usr/sbin/installf -REMOVEF=/usr/sbin/removef GROUPADD=/usr/sbin/groupadd USERADD=/usr/sbin/useradd GREP=/usr/bin/grep CUT=/usr/bin/cut CAT=/usr/bin/cat -CONFDIR=${BASEDIR}/etc -DESTBIN=${BASEDIR}/bin +PREFIX=/usr/tgcware +OLDCONFDIR=/usr/local/etc +CONFDIR=${PREFIX}/etc/ssh +DESTBIN=${PREFIX}/bin CHECKCONF=0 +OLDCONF=0 SSHID=199 # We provide default config-files, check and see if they should be installed. -if [ ! -f "${CONFDIR}/ssh_config" ] ; then - cp -p ${CONFDIR}/ssh_config.default ${CONFDIR}/ssh_config - echo "Installing new ssh_config" -else - echo "Keeping existing ssh_config" - CHECKCONF=1 -fi -if [ ! -f "${CONFDIR}/sshd_config" ] ; then - cp -p ${CONFDIR}/sshd_config.default ${CONFDIR}/sshd_config - echo "Installing new sshd_config" -else - echo "Keeping existing sshd_config" - CHECKCONF=1 -fi -if [ -f "${CONFDIR}/ssh_prng_cmds" ] ; then - rm -f ${CONFDIR}/ssh_prng_cmds.default ${CONFDIR}/ssh_prng_cmds - echo "Removing unneeded ssh_prng_cmds file" - -fi -if [ ! -f "${CONFDIR}/moduli" ] ; then - if [ -f "${CONFDIR}/primes" ]; then - echo "Keeping existing primes but renaming it to moduli" - mv ${CONFDIR}/primes ${CONFDIR}/moduli +for config in ssh_config sshd_config; do + if [ ! 
-f "${CONFDIR}/$config" ] ; then + # No config, it might be an upgrade scenario + if [ -f "${OLDCONFDIR}/$config" ] ; then + cp -p ${OLDCONFDIR}/$config ${CONFDIR} + echo "Migrating $OLDCONFDIR/$config to $CONFDIR" + OLDCONF=1 else - echo "Installing new moduli (formerly known as primes)" - cp -p ${CONFDIR}/moduli.default ${CONFDIR}/moduli + cp -p ${CONFDIR}/$config.default ${CONFDIR}/$config + echo "Installing new $config" fi -else - echo "Keeping existing moduli" + else + echo "Keeping existing $config" + CHECKCONF=1 + fi +done + +if [ -f "${CONFDIR}/ssh_prng_cmds" ] ; then + rm -f ${CONFDIR}/ssh_prng_cmds.default ${CONFDIR}/ssh_prng_cmds + echo "Removing unneeded ssh_prng_cmds file" fi -# We will try to preserve any existing keys -if [ -f "${CONFDIR}/ssh_host_key" ] ; then - echo "Keeping existing ssh_host_key" +if [ ! -f "${CONFDIR}/moduli" ] ; then + if [ -f "${OLDCONFDIR}" ]; then + cp -p $OLDCONFDIR/moduli $CONFDIR + echo "Migrating $OLDCONFDIR/module to $CONFDIR" + OLDCONF=1 + else + if [ -f "${CONFDIR}/primes" ]; then + echo "Keeping existing primes but renaming it to moduli" + mv ${CONFDIR}/primes ${CONFDIR}/moduli + else + echo "Installing new moduli (formerly known as primes)" + cp -p ${CONFDIR}/moduli.default ${CONFDIR}/moduli + fi + fi else - ${DESTBIN}/ssh-keygen -t rsa1 -f ${CONFDIR}/ssh_host_key -N "" -fi -if [ -f "${CONFDIR}/ssh_host_dsa_key" ] ; then - echo "Keeping existing ssh_host_dsa_key" -else - ${DESTBIN}/ssh-keygen -t dsa -f ${CONFDIR}/ssh_host_dsa_key -N "" -fi -if [ -f "${CONFDIR}/ssh_host_rsa_key" ] ; then - echo "Keeping existing ssh_host_rsa_key" -else - ${DESTBIN}/ssh-keygen -t rsa -f ${CONFDIR}/ssh_host_rsa_key -N "" + echo "Keeping existing moduli" fi -# Right, now move the init script into place and make some symlinks -# for automatic startup. 
- -# start by removing knowledge of sshd.init from the pkgdb -${REMOVEF} ${PKGINST} /usr/local/etc/sshd.init 2>&1 > /dev/null # suppress output - -# confirm the changes to the pkgdb (removef -f) -${REMOVEF} -f ${PKGINST} - -# Now that the holds from the pkgdb are gone, move the script to it's final destination. -mv /usr/local/etc/sshd.init /etc/init.d/sshd.local - -# Install new *symlinks* -ln -sf /etc/init.d/sshd.local /etc/rc0.d/K30sshd.local -ln -sf /etc/init.d/sshd.local /etc/rc1.d/K30sshd.local -ln -sf /etc/init.d/sshd.local /etc/rc2.d/S78sshd.local -ln -sf /etc/init.d/sshd.local /etc/rcS.d/K30sshd.local - -# Then installf the new pathnames -${INSTALLF} ${PKGINST} /etc/init.d/sshd.local f 744 root sys -${INSTALLF} ${PKGINST} /etc/rc2.d/S78sshd.local=/etc/init.d/sshd.local s -${INSTALLF} ${PKGINST} /etc/rc1.d/K30sshd.local=/etc/init.d/sshd.local s -${INSTALLF} ${PKGINST} /etc/rc0.d/K30sshd.local=/etc/init.d/sshd.local s -${INSTALLF} ${PKGINST} /etc/rcS.d/K30sshd.local=/etc/init.d/sshd.local s - -# confirm the changes to the pkgdb (installf -f) -${INSTALLF} -f ${PKGINST} - -#uh yeah, better make sure that /var/run exists aswell (for pid files) -echo "Checking to see if /var/run exists... \c" -if [ ! -d /var/run ]; then - echo "no, creating..." - mkdir -p /var/run; - chown root:sys /var/run; - chmod 755 /var/run -else - echo "yes" -fi - -# New in OpenSSH 3.3+ is Privilege seperation, it requires an empty dir to chroot into -# and an unprivileged user to run as. -echo "Checking to see if /var/empty/sshd exists... \c" -if [ ! -d /var/empty ]; then - echo "no, creating..." - mkdir -p /var/empty/sshd - chown root:sys /var/empty/sshd - chmod 755 /var/empty/sshd -else - echo "yes" -fi +# We will try to preserve any existing keys from an old setup +# Note that new keygen is done in the init script +for keyfile in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do + if [ ! 
-f "${CONFDIR}/$keyfile" ] ; then + # Check and see if we might find it in $OLDCONFDIR + if [ -f "${OLDCONFDIR}/$keyfile" ]; then + cp -p $OLDCONFDIR/$keyfile $CONFDIR + cp -p $OLDCONFDIR/${keyfile}.pub $CONFDIR + echo "Migrating $OLDCONFDIR/$keyfile to $CONFDIR" + OLDCONF=1 + fi + fi +done +# OpenSSH 3.3+ has privilege seperation which requires a user/group to run # Attempt to create a group & user for sshd echo "Checking for sshd group... \c" temp=`$GREP sshd /etc/group` if [ -n "$temp" ]; then echo "yes" - gid=`echo $temp|$CUT -d : -f 3` + gid=`echo $temp|$CUT -d: -f3` if [ "$gid" != "$SSHID" ]; then - echo " Group sshd found but gid does not match with the preferred ($SSHID)" - echo " I will continue anyway, but please check up on this afterwards!" + echo " Group sshd found but gid does not match with the preferred ($SSHID)!" + echo " This is not a critical error but please make sure this group" + echo " is one you actually want to use for sshd." fi else echo "no" 
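Review bot: `if [ -f "${OLDCONFDIR}" ]` in the moduli block tests whether `/usr/local/etc` is a regular file, which a directory never is, so the migration branch is dead and `cp -p $OLDCONFDIR/moduli $CONFDIR` never runs; it should be `if [ -f "${OLDCONFDIR}/moduli" ]; then`, and the message in that branch says `module` where the file is `moduli`. In the host-key loop only the private key's existence is checked but the `.pub` copy is unconditional, so a missing public key produces a cp error mid-install; `[ -f "${OLDCONFDIR}/${keyfile}.pub" ] && cp -p $OLDCONFDIR/${keyfile}.pub $CONFDIR` guards it. The hunk also keeps the unanchored `temp=\`$GREP sshd /etc/group\``, which matches any line containing sshd (a group such as sshdadmin, or sshd listed as a member) and then feeds multi-line output into the gid comparison; `$GREP '^sshd:' /etc/group` pins it to the group entry, and the same applies to the `/etc/passwd` lookup in the next hunk.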
@@ -132,16 +90,28 @@ echo "Checking for sshd user... \c" temp=`$GREP sshd /etc/passwd` if [ -n "$temp" ]; then echo "yes" - uid=`echo $temp|$CUT -d : -f 3` - ugid=`echo $temp|$CUT -d : -f 4` + uid=`echo $temp|$CUT -d: -f3` + ugid=`echo $temp|$CUT -d: -f4` if [ "$uid" != "$SSHID" ]; then - echo " User sshd found but uid doesn't match with the preferred ($SSHID)" - echo " I will continue anyway, but please check up on this afterwards!" + echo " User sshd found but uid doesn't match with the preferred ($SSHID)!" + echo " This is not a critical error but please make sure this user" + echo " is one you actually want to use for sshd." fi if [ "$ugid" != "$gid" ]; then - echo " User sshd doesn't have group sshd!" - echo " I will continue anyway, but this is a critical error that must be resolved" - echo " before privilege seperation can be enabled!" + echo " User sshd doesn't have group sshd!" + echo " This is a critical error that must be resolved" + echo " before privilege seperation can be enabled." + echo " Since privilege seperation is on by default this problem" + echo " will prevent sshd from starting." + fi + if [ "`echo $temp|$CUT -d: -f6`" != "/var/empty/sshd" ]; then + echo " User sshd does not have homedir in /var/empty/sshd!" + echo " This is a possible security risk so please make sure that" + echo " user sshd has a homedir accessable only by root (perm 711)." + fi + if [ "`echo $temp|$CUT -d: -f7`" != "/bin/false" ]; then + echo " User sshd does not have /bin/false as its shell!" + echo " Please verify that the sshd user has a non-login shell." fi else echo "no" 
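Review bot: The `[ "$ugid" != "$gid" ]` comparison that now prints the "will prevent sshd from starting" warning only has a meaningful `$gid` when the group lookup above found an existing group; as far as the visible lines show, the branch that creates the group (between the hunks) never assigns `gid`, so on a host where the user already exists but the group was just created the check compares against an empty string and reports a false critical error. Setting `gid=$SSHID` right after the `$GROUPADD` call would make the comparison consistent; please confirm against the lines not shown here. The new home-directory and shell checks are a good addition and line up with the `-d /var/empty/sshd -s /bin/false` arguments passed to `$USERADD` below.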
@@ -149,10 +119,7 @@ else $USERADD -u $SSHID -g $SSHID -c "sshd privsep" -d /var/empty/sshd -s /bin/false sshd fi -# FIXME Other stuff about the user/group situation should probably be checked -# FIXME like the homedir and shell of the sshd user - -# Notice how the ssh host keys are not associated with the SBossh package. +# Notice how the ssh host keys are not associated with the package. # I find that convenient as I'm sure that they don't disappear if someone # uninstalls the package. # This is nice because we can then avoid the "hostid changed" warnings. @@ -167,3 +134,16 @@ if [ "$CHECKCONF" = "1" ] ; then echo "Please check the *.default config files for configuration hints" echo "and update your existing config files accordingly." fi + +# Try and catch the upgrade scenario from previous packages which had +# config in etc and not etc/ssh +if [ "$OLDCONF" = "1" ] ; then + echo "#######" + echo "" + echo "Configuration files and keys was found in $OLDCONFDIR" + echo "If you're upgrading from a previous release then please" + echo "make sure to migrate any settings and keys to the new config location" + echo "in $CONFDIR and remove the old files." + echo "Also please check the *.default config files for configuration hints" + echo "and update your existing config files accordingly." +fi diff --git a/openssh/meta/postremove.openssh b/openssh/meta/postremove.openssh index e2a69fd..de3dcda 100644 --- a/openssh/meta/postremove.openssh +++ b/openssh/meta/postremove.openssh @@ -1,7 +1,8 @@ +PREFIX=/usr/tgcware # Inform the operator that ssh configfiles and keys are intact echo "" echo "!!ATTENTION!!" -echo "SSH configfiles and keys are still available in ${BASEDIR}/etc/" +echo "SSH configfiles and keys are still available in ${PREFIX}/etc/ssh" echo "Please make sure that you remove these if you won't be using them again." echo "" echo "No attempt has been made to remove user and group sshd" 
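Review bot: `PREFIX=/usr/tgcware` is hard-coded here in postremove.openssh, again in postinstall.openssh, and as five absolute paths in sshd.init, while build.sh derives every path from `$prefix`; if the package is ever built with a different prefix the install-time scripts will silently point at the wrong tree. Generating these assignments from `$prefix` at build time, or at least a comment `# must match $prefix in build.sh` next to each, would tie them together. In the new OLDCONF block, `echo "Configuration files and keys was found in $OLDCONFDIR"` should read `were found`.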
diff --git a/openssh/meta/preremove.openssh b/openssh/meta/preremove.openssh index d65ad65..8f49cc0 100644 --- a/openssh/meta/preremove.openssh +++ b/openssh/meta/preremove.openssh @@ -1 +1 @@ -/etc/init.d/sshd.local stop +/etc/init.d/tgc_sshd stop diff --git a/openssh/meta/space.openssh b/openssh/meta/space.openssh deleted file mode 100644 index 014670a..0000000 --- a/openssh/meta/space.openssh +++ /dev/null @@ -1,4 +0,0 @@ -/etc/rcS.d/K30sshd.local 0 1 -/etc/rc0.d/K30sshd.local 0 1 -/etc/rc1.d/K30sshd.local 0 1 -/etc/rc2.d/S78sshd.local 0 1 diff --git a/openssh/src/sshd.init b/openssh/src/sshd.init index d3fb915..c4e0d17 100755 --- a/openssh/src/sshd.init +++ b/openssh/src/sshd.init @@ -1,13 +1,42 @@ #!/bin/sh # Script to control ssh server start/stop -# History: -# Please see CVS for history information +# Written by Tom G. Christensen -SSHD=/usr/local/sbin/sshd +SSHD=/usr/tgcware/sbin/sshd +KEYGEN=/usr/tgcware/bin/ssh-keygen +RSA1_KEY=/usr/tgcware/etc/ssh/ssh_host_key +RSA_KEY=/usr/tgcware/etc/ssh/ssh_host_rsa_key +DSA_KEY=/usr/tgcware/etc/ssh/ssh_host_dsa_key +ECHO=/usr/bin/echo pidfile=/var/run/sshd.pid +check_pid_dir() +{ + if [ ! -d /var/run ]; then + mkdir -p /var/run + chown root.sys /var/run + chmod 755 /var/run + fi +} + +do_hostkeygen() +{ + if [ ! -s $RSA1_KEY ]; then + $ECHO "Generating $RSA1_KEY: " + $KEYGEN -q -t rsa1 -f $RSA1_KEY -N '' > /dev/null 2>&1 + fi + if [ ! -s $RSA_KEY ]; then + $ECHO "Generating $RSA_KEY: " + $KEYGEN -q -t rsa -f $RSA_KEY -N '' > /dev/null 2>&1 + fi + if [ ! -s $DSA_KEY ]; then + $ECHO "Generating $DSA_KEY: " + $KEYGEN -q -t dsa -f $DSA_KEY -N '' > /dev/null 2>&1 + fi +} + kill_sshd() { if [ -r $pidfile ]; then @@ -26,9 +55,14 @@ if [ $1 = "0" ]; then case $mode in start) kill_sshd - echo "Starting sshd" - $SSHD - ;; + if test -x $SSHD; then + $ECHO "Starting sshd:\c" + do_hostkeygen + check_pid_dir + $SSHD + $ECHO "." + fi + ;; stop) kill_sshd exit 0
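Review bot: `do_hostkeygen` redirects each `$KEYGEN` call to `/dev/null 2>&1` and ignores its exit status, so a failed key generation (unwritable `/usr/tgcware/etc/ssh`, missing binary, no entropy) leaves the host without that key and the only trace is whatever sshd logs later. Appending `|| $ECHO "ssh-keygen failed for $RSA_KEY"` to that line, and the same for the rsa1 and dsa lines, surfaces the failure on the console where the "Generating" message already appears. Since `-q` already silences ssh-keygen's normal output, the stderr redirect mainly hides diagnostics. `check_pid_dir` and `do_hostkeygen` are complete within the first hunk; `kill_sshd` continues past it.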