ghostfox/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

push sheeet
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Details
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Details
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Details
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Details
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Details
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
Details

Browse Source
This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

259
pkgs/tools/networking/openssh/common.nix Normal file
View File

@@ -0,0 +1,259 @@
{
pname,
version,
extraDesc ? "",
src,
extraPatches ? [ ],
extraNativeBuildInputs ? [ ],
extraConfigureFlags ? [ ],
extraMeta ? { },
}:
{
lib,
stdenv,
# This *is* correct, though unusual. as a way of getting krb5-config from the
# package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
pkgs,
fetchurl,
fetchpatch,
autoreconfHook,
zlib,
openssl,
softhsm,
libedit,
ldns,
pkg-config,
pam,
libredirect,
etcDir ? null,
withKerberos ? false,
withLdns ? true,
krb5,
libfido2,
libxcrypt,
hostname,
nixosTests,
withSecurityKey ? !stdenv.hostPlatform.isStatic,
withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl && withSecurityKey,
withPAM ? stdenv.hostPlatform.isLinux,
# Attempts to mlock the entire sshd process on startup to prevent swapping.
# Currently disabled when PAM support is enabled due to crashes
# See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103418
withLinuxMemlock ? (stdenv.hostPlatform.isLinux && !withPAM),
linkOpenssl ? true,
isNixos ? stdenv.hostPlatform.isLinux,
}:
# FIDO support requires SK support
assert withFIDO -> withSecurityKey;
stdenv.mkDerivation (finalAttrs: {
inherit pname version src;
patches = [
# Making openssh pass the LOCALE_ARCHIVE variable to the forked session processes,
# so the session 'bash' will receive the proper locale archive, and thus process
# UTF-8 properly.
./locale_archive.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch
]
++ extraPatches;
postPatch =
# On Hydra this makes installation fail (sometimes?),
# and nix store doesn't allow such fancy permission bits anyway.
''
substituteInPlace Makefile.in --replace '$(INSTALL) -m 4711' '$(INSTALL) -m 0711'
'';
strictDeps = true;
nativeBuildInputs = [
autoreconfHook
pkg-config
]
# This is not the same as the krb5 from the inputs! pkgs.krb5 is
# needed here to access krb5-config in order to cross compile. See:
# https://github.com/NixOS/nixpkgs/pull/107606
++ lib.optional withKerberos pkgs.krb5
++ extraNativeBuildInputs;
buildInputs = [
zlib
libedit
]
++ [ (if linkOpenssl then openssl else libxcrypt) ]
++ lib.optional withFIDO libfido2
++ lib.optional withKerberos krb5
++ lib.optional withLdns ldns
++ lib.optional withPAM pam;
preConfigure = ''
# Setting LD causes `configure' and `make' to disagree about which linker
# to use: `configure' wants `gcc', but `make' wants `ld'.
unset LD
'';
env = lib.optionalAttrs isNixos {
# openssh calls passwd to allow the user to reset an expired password, but nixos
# doesn't ship it at /usr/bin/passwd.
PATH_PASSWD_PROG = "/run/wrappers/bin/passwd";
};
# I set --disable-strip because later we strip anyway. And it fails to strip
# properly when cross building.
configureFlags = [
"--sbindir=\${out}/bin"
"--localstatedir=/var"
"--with-pid-dir=/run"
"--with-mantype=doc"
"--with-libedit=yes"
"--disable-strip"
(lib.withFeature withPAM "pam")
]
++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
++ lib.optional (!withSecurityKey) "--disable-security-key"
++ lib.optional withFIDO "--with-security-key-builtin=yes"
++ lib.optional withKerberos (
assert krb5 != null;
"--with-kerberos5=${lib.getDev krb5}"
)
++ lib.optional stdenv.hostPlatform.isDarwin "--disable-libutil"
++ lib.optional (!linkOpenssl) "--without-openssl"
++ lib.optional withLdns "--with-ldns"
++ lib.optional stdenv.hostPlatform.isOpenBSD "--with-bsd-auth"
++ lib.optional withLinuxMemlock "--with-linux-memlock-onfault"
++ extraConfigureFlags;
${if stdenv.hostPlatform.isStatic then "NIX_LDFLAGS" else null} = [
"-laudit"
]
++ lib.optional withKerberos "-lkeyutils"
++ lib.optional withLdns "-lcrypto";
buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
enableParallelBuilding = true;
hardeningEnable = [ "pie" ];
doCheck = false;
enableParallelChecking = false;
nativeCheckInputs = [
openssl
]
++ lib.optional (!stdenv.hostPlatform.isDarwin) hostname
++ lib.optional (!stdenv.hostPlatform.isDarwin && !stdenv.hostPlatform.isMusl) softhsm;
preCheck = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) (
''
# construct a dummy HOME
export HOME=$(realpath ../dummy-home)
mkdir -p ~/.ssh
# construct a dummy /etc/passwd file for the sshd under test
# to use to look up the connecting user
DUMMY_PASSWD=$(realpath ../dummy-passwd)
cat > $DUMMY_PASSWD <<EOF
$(whoami)::$(id -u):$(id -g)::$HOME:$SHELL
EOF
# we need to NIX_REDIRECTS /etc/passwd both for processes
# invoked directly and those invoked by the "remote" session
cat > ~/.ssh/environment.base <<EOF
NIX_REDIRECTS=/etc/passwd=$DUMMY_PASSWD
${lib.optionalString (
!stdenv.buildPlatform.isStatic
) "LD_PRELOAD=${libredirect}/lib/libredirect.so"}
EOF
# use an ssh environment file to ensure environment is set
# up appropriately for build environment even when no shell
# is invoked by the ssh session. otherwise the PATH will
# only contain default unix paths like /bin which we don't
# have in our build environment
cat - regress/test-exec.sh > regress/test-exec.sh.new <<EOF
cp $HOME/.ssh/environment.base $HOME/.ssh/environment
echo "PATH=\$PATH" >> $HOME/.ssh/environment
EOF
mv regress/test-exec.sh.new regress/test-exec.sh
# explicitly enable the PermitUserEnvironment feature
substituteInPlace regress/test-exec.sh \
--replace \
'cat << EOF > $OBJ/sshd_config' \
$'cat << EOF > $OBJ/sshd_config\n\tPermitUserEnvironment yes'
# some tests want to use files under /bin as example files
for f in regress/sftp-cmds.sh regress/forwarding.sh; do
substituteInPlace $f --replace '/bin' "$(dirname $(type -p ls))"
done
# set up NIX_REDIRECTS for direct invocations
set -a; source ~/.ssh/environment.base; set +a
''
+ lib.optionalString (!stdenv.hostPlatform.isDarwin && !stdenv.hostPlatform.isMusl) ''
# The extra tests check PKCS#11 interactions, which softhsm emulates with software only
substituteInPlace regress/test-exec.sh \
--replace /usr/local/lib/softhsm/libsofthsm2.so ${lib.getLib softhsm}/lib/softhsm/libsofthsm2.so
''
);
# integration tests hard to get working on darwin with its shaky
# sandbox
# t-exec tests fail on musl
checkTarget =
lib.optionals (!stdenv.hostPlatform.isDarwin && !stdenv.hostPlatform.isMusl) [
"t-exec"
"extra-tests"
]
# other tests are less demanding of the environment
++ [
"unit"
"file-tests"
"interop-tests"
];
postInstall = ''
# Install ssh-copy-id, it's very useful.
cp contrib/ssh-copy-id $out/bin/
chmod +x $out/bin/ssh-copy-id
cp contrib/ssh-copy-id.1 $out/share/man/man1/
'';
installTargets = [ "install-nokeys" ];
installFlags = [
"sysconfdir=\${out}/etc/ssh"
];
doInstallCheck = true;
installCheckPhase = ''
for binary in ssh sshd; do
$out/bin/$binary -V 2>&1 | grep -P "$(printf '^OpenSSH_\\Q%s\\E,' "$version")"
done
'';
passthru = {
inherit withKerberos;
tests = {
borgbackup-integration = nixosTests.borgbackup;
nixosTest = nixosTests.openssh;
initrd-network-openssh = nixosTests.initrd-network-ssh;
openssh = finalAttrs.finalPackage.overrideAttrs (previousAttrs: {
pname = previousAttrs.pname + "-test";
doCheck = true;
});
};
};
meta = {
description = "Implementation of the SSH protocol${extraDesc}";
homepage = "https://www.openssh.com/";
changelog = "https://www.openssh.com/releasenotes.html";
license = lib.licenses.bsd2;
platforms = lib.platforms.unix ++ lib.platforms.windows;
maintainers = extraMeta.maintainers or [ ];
mainProgram = "ssh";
}
// extraMeta;
})

17
pkgs/tools/networking/openssh/copyid.nix Normal file
View File

@@ -0,0 +1,17 @@
{
lib,
runCommand,
openssh,
}:
runCommand "ssh-copy-id-${openssh.version}"
{
meta = openssh.meta // {
description = "Tool to copy SSH public keys to a remote machine";
priority = (openssh.meta.priority or lib.meta.defaultPriority) - 1;
};
}
''
install -Dm 755 {${openssh},$out}/bin/ssh-copy-id
install -Dm 644 {${openssh},$out}/share/man/man1/ssh-copy-id.1.gz
''

116
pkgs/tools/networking/openssh/default.nix Normal file
View File

@@ -0,0 +1,116 @@
{
callPackage,
lib,
fetchurl,
fetchpatch,
autoreconfHook,
}:
let
common = opts: callPackage (import ./common.nix opts) { };
# Gets the correct OpenSSH URL for a given version.
urlFor =
version:
let
urlVersion =
{
# 10.0p1 was accidentally released as 10.0p2:
# https://www.openwall.com/lists/oss-security/2025/04/09/6
"10.0p2" = "10.0p1";
}
.${version} or version;
in
"mirror://openbsd/OpenSSH/portable/openssh-${urlVersion}.tar.gz";
in
{
openssh = common rec {
pname = "openssh";
version = "10.0p2";
src = fetchurl {
url = urlFor version;
hash = "sha256-AhoucJoO30JQsSVr1anlAEEakN3avqgw7VnO+Q652Fw=";
};
extraPatches = [
# Use ssh-keysign from PATH
# ssh-keysign is used for host-based authentication, and is designed to be used
# as SUID-root program. OpenSSH defaults to referencing it from libexec, which
# cannot be made SUID in Nix.
./ssh-keysign-8.5.patch
];
extraMeta = {
maintainers = with lib.maintainers; [
philiptaron
numinit
];
teams = [ lib.teams.helsinki-systems ];
};
};
openssh_hpn = common rec {
pname = "openssh-with-hpn";
version = "10.0p2";
extraDesc = " with high performance networking patches";
src = fetchurl {
url = urlFor version;
hash = "sha256-AhoucJoO30JQsSVr1anlAEEakN3avqgw7VnO+Q652Fw=";
};
extraPatches =
let
url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/dde9561b3ff73639aeebe8ec33ad52ecca0bf58d/security/openssh-portable/files/extra-patch-hpn";
in
[
./ssh-keysign-8.5.patch
# HPN Patch from FreeBSD ports
(fetchpatch {
name = "ssh-hpn-wo-channels.patch";
inherit url;
stripLen = 1;
excludes = [ "channels.c" ];
hash = "sha256-0HQAacNdvqX+7CTDhkbgAyb0WbqnnH6iAYQBFh8XenA=";
})
(fetchpatch {
name = "ssh-hpn-channels.patch";
inherit url;
extraPrefix = "";
includes = [ "channels.c" ];
hash = "sha256-pDLUbjv5XIyByEbiRAXC3WMUPKmn15af1stVmcvr7fE=";
})
];
extraNativeBuildInputs = [ autoreconfHook ];
extraConfigureFlags = [ "--with-hpn" ];
extraMeta = {
maintainers = with lib.maintainers; [ abbe ];
};
};
openssh_gssapi = common rec {
pname = "openssh-with-gssapi";
version = "10.0p2";
extraDesc = " with GSSAPI support";
src = fetchurl {
url = urlFor version;
hash = "sha256-AhoucJoO30JQsSVr1anlAEEakN3avqgw7VnO+Q652Fw=";
};
extraPatches = [
./ssh-keysign-8.5.patch
(fetchpatch {
name = "openssh-gssapi.patch";
url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%2510.0p1-1/debian/patches/gssapi.patch";
hash = "sha256-7Q27tvtCY3b9evC3lbqEz4u7v5DcerjWZfhh8azIAQo=";
})
];
extraNativeBuildInputs = [ autoreconfHook ];
};
}

12
pkgs/tools/networking/openssh/dont_create_privsep_path.patch Normal file
View File

@@ -0,0 +1,12 @@
diff --git i/Makefile.in w/Makefile.in
index 04e1c8e5..9bd5d01b 100644
--- i/Makefile.in
+++ w/Makefile.in
@@ -329,7 +329,6 @@ install-files:
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)

15
pkgs/tools/networking/openssh/locale_archive.patch Normal file
View File

@@ -0,0 +1,15 @@
diff --git i/session.c w/session.c
index 58826db1..658dd911 100644
--- i/session.c
+++ w/session.c
@@ -1053,6 +1053,10 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ /* NixOS path to the glibc locale archive, to be set in the systemd job */
+ if (getenv("LOCALE_ARCHIVE"))
+ child_set_env(&env, &envsize, "LOCALE_ARCHIVE", getenv("LOCALE_ARCHIVE"));
+
/* Set custom environment options from pubkey authentication. */
if (options.permit_user_env) {
for (n = 0 ; n < auth_opts->nenv; n++) {

24
pkgs/tools/networking/openssh/ssh-keysign-8.5.patch Normal file
View File

@@ -0,0 +1,24 @@
diff --git a/pathnames.h b/pathnames.h
index cb44caa4..354fdf05 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -124,7 +124,7 @@
/* Location of ssh-keysign for hostbased authentication */
#ifndef _PATH_SSH_KEY_SIGN
-#define _PATH_SSH_KEY_SIGN "/usr/libexec/ssh-keysign"
+#define _PATH_SSH_KEY_SIGN "ssh-keysign"
#endif
/* Location of ssh-pkcs11-helper to support keys in tokens */
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -2021,7 +2021,7 @@
debug3_f("[child] pid=%ld, exec %s",
(long)getpid(), _PATH_SSH_KEY_SIGN);
- execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+ execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
fatal_f("exec(%s): %s", _PATH_SSH_KEY_SIGN,
strerror(errno));
}