From 67f4c2a7799e2dc30cae20b3c313c7b186cd1d71 Mon Sep 17 00:00:00 2001
From: Benjamin Staffin
Date: Fri, 1 Jan 2016 16:35:43 -0800
Subject: openssh: Add gssapi patch used by other major distros
This patch is borrowed verbatim from Debian, where it is actively maintained for each openssh update. It's also included in Fedora's openssh package, in Arch linux as openssh-gssapi in the AUR, in MacOS X, and presumably various other platforms and linux distros. The main relevant parts of this patch: - Adds several ssh_config options: GSSAPIKeyExchange, GSSAPITrustDNS, GSSAPIClientIdentity, GSSAPIServerIdentity GSSAPIRenewalForcesRekey - Optionally use an in-memory credentials cache api for security My primary motivation for wanting the patch is the GSSAPIKeyExchange and GSSAPITrustDNS features. My user ssh_config is shared across several OSes, and it's a lot easier to manage if they all support the same options.
---
 pkgs/tools/networking/openssh/default.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 67bf5be7d5b..3a150f19ed2 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -1,7 +1,8 @@
-{ stdenv, fetchurl, zlib, openssl, perl, libedit, pkgconfig, pam
+{ stdenv, fetchurl, fetchpatch, zlib, openssl, perl, libedit, pkgconfig, pam
 , etcDir ? null
 , hpnSupport ? false
 , withKerberos ? false
+, withGssapiPatches ? withKerberos
 , kerberos
 }:
 
@@ -14,6 +15,11 @@ let
 sha256 = "682b4a6880d224ee0b7447241b684330b731018585f1ba519f46660c10d63950";
 };
 
+ gssapiSrc = fetchpatch {
+ url = "http://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian/patches/gssapi.patch?h=debian/6.9p1-3";
+ sha256 = "03zlgkb3a1igj20kn8cz55ggaxg65h6f0kg20m39m0wsb94qjdb1";
+ };
+
 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
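Review bot: Defaulting `withGssapiPatches` to `withKerberos` in the argument list means every existing Kerberos-enabled build starts carrying a large out-of-tree patch to the key-exchange and authentication code, and nothing on the new argument says so. A comment above it such as `# applies Debian's non-upstream GSSAPI key-exchange patch; re-review on every openssh bump` would make that trade-off visible to whoever flips the flag. An `assert withGssapiPatches -> withKerberos;` before the `let` would also reject the combination where the patch is applied without Kerberos support, which presumably yields patched but inert code. The derivation body that consumes these arguments lies outside this hunk.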
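Review bot: The `gssapiSrc` URL uses plain `http://`, so the download of a patch that rewrites SSH key exchange relies on the `sha256` alone for integrity. The hash does catch tampering, but an `https://` URL (if the host serves one) adds transport authentication and stops a network attacker from forcing fetch failures. The ref `h=debian/6.9p1-3` is also hard-coded independently of the packaged openssh version, so a later version bump can leave a stale patch in place; a comment like `# must track the openssh version; update url and sha256 together` would help. When the hash is updated, the new patch contents should be read rather than the hash copied from a failed build.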
@@ -30,7 +36,8 @@ stdenv.mkDerivation rec {
 export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
 '';
 
- patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch];
+ patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch ]
+ ++ optional withGssapiPatches gssapiSrc;
 
 buildInputs = [ zlib openssl libedit pkgconfig pam ]
 ++ optional withKerberos [ kerberos ];
-- cgit 1.4.1
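Review bot: In the new `patches` list the Debian patch is applied after `./openssh-6.9p1-security-7.0.patch`, but it was presumably generated against Debian's own 6.9p1-3 tree, so where the two touch the same files it may apply only with offset or fuzz in authentication code. It is worth confirming a clean apply in the build log with `withGssapiPatches = true`, and also with `hpnSupport = true` if that combination is meant to be supported; how the HPN patch is applied is outside this hunk. A comment such as `# gssapi patch goes last: it is written against Debian's tree, check for fuzz on update` would record the constraint.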