path: root/security/ssh/Makefile
# New ports collection makefile for:	ssh
# Date created:		30 Jul 1995
# Whom:			torstenb@FreeBSD.org
#
# $FreeBSD$
#
# Maximal ssh package requires YES values for
# WITH_PERL, WITH_TCPWRAP
#

# Port identity: name, upstream version, and the categories it is filed under.
PORTNAME=	ssh
PORTVERSION= 	1.2.27
CATEGORIES=	security net ipv6
# NOTE(review): the distfile is fetched over plain FTP, which provides no
# transport integrity.  The download is only as trustworthy as the checksum
# the ports framework compares it against; that checksum file is not shown
# on this page -- confirm it is present and current.
MASTER_SITES=	ftp://ftp.cs.hut.fi/pub/ssh/

MAINTAINER=	torstenb@FreeBSD.org

USE_AUTOCONF=	YES	# unfortunately... see comments in patch-xa for details

# You can set USA_RESIDENT appropriately in /etc/make.conf if this bugs you..

# When USA_RESIDENT is YES: append further FTP sites to MASTER_SITES, configure
# with --with-rsaref, and depend on the library from the security/rsaref port.
# NOTE(review): the /nonexistent path in BUILD_DEPENDS looks like the usual
# "never satisfied" placeholder, so the rsaref port's extract target would
# always be run -- confirm against bsd.port.mk.
# NOTE(review): the added sites are plain FTP as well; integrity of whatever
# they serve rests on the port's recorded checksum (not shown here).
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
MASTER_SITES+=	\
	ftp://ftp.replay.com/pub/replay/crypto/SSH/ \
	ftp://nic.funet.fi/pub/crypt/mirrors/ftp.dsi.unimi.it/applied-crypto/ \
	ftp://rzsun2.informatik.uni-hamburg.de/pub/virus/crypt/ripem/ \
	ftp://idea.sec.dsi.unimi.it/pub/security/crypt/math/ \
	ftp://ftp.univie.ac.at/security/crypt/cryptography/asymmetric/rsa/ \
	ftp://isdec.vc.cvut.cz/pub/security/unimi/crypt/applied-crypto/

CONFIGURE_ARGS+= --with-rsaref
LIB_DEPENDS+=	rsaref.2:${PORTSDIR}/security/rsaref
BUILD_DEPENDS+= /nonexistent:${PORTSDIR}/security/rsaref:extract
.endif

# Distribution restriction; the string is the stated reason.
RESTRICTED=	"Crypto; export-controlled"
# Marks the port as needing user interaction.
# NOTE(review): which step actually prompts is not visible in this file.
IS_INTERACTIVE=	YES

# The source tree is configured with a GNU configure script.
GNU_CONFIGURE=	YES

# Configuration directory is ${PREFIX}/etc; post-install creates the host key
# (ssh_host_key) in that same directory.
CONFIGURE_ARGS+= --with-etcdir=${PREFIX}/etc

#Uncomment if all your users are in their own group and their homedir
#is writeable by that group.  Beware the security implications: every
#member of such a group must then be trusted with that user's ssh files.
#CONFIGURE_ARGS+= --enable-group-writeability

#Uncomment if you want to allow ssh to emulate an unencrypted rsh connection
#over a secure medium.  This is normally dangerous since it can lead to the
#disclosure of keys and passwords.
#CONFIGURE_ARGS+= --with-none

# Kerberos 5 support, enabled only when KRB5_HOME is set and that path exists.
# Adds ticket (TGT) passing and passes --disable-suid-ssh to configure.
# NOTE(review): TGT passing hands the user's ticket to the remote side, so it
# should only be relied on toward trusted servers -- confirm this is wanted as
# an automatic default whenever KRB5_HOME happens to exist.
.if defined(KRB5_HOME) && exists(${KRB5_HOME})
CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME}
CONFIGURE_ARGS+= --enable-kerberos-tgt-passing
CONFIGURE_ARGS+= --disable-suid-ssh
.endif

# Optional SecureID card support (opt-in via WITH_SECUREID).
# Warning from the port author: untested!
.if defined(WITH_SECUREID)
CONFIGURE_ARGS+= --with-secureid
.endif

# Optional: build without the IDEA cipher (opt-in via WITHOUT_IDEA).
# IDEA is free for non-commercial use, but commercial use may require a
# licence in a number of countries.
# Warning from the port author: untested!
.if defined(WITHOUT_IDEA)
CONFIGURE_ARGS+= --without-idea
.endif

# Manual pages are installed under version-suffixed names (for example
# ssh1.1 and sshd1.8).  MLINKS is a list of "existing-page link-name" pairs
# that adds the unversioned names and the slogin aliases.
MAN1=		scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \
		make-ssh-known-hosts1.1
MAN8=		sshd1.8
MLINKS=		make-ssh-known-hosts1.1 make-ssh-known-hosts.1 \
		scp1.1 scp.1 \
		ssh-add1.1 ssh-add.1 \
		ssh-agent1.1 ssh-agent.1 \
		ssh-keygen1.1 ssh-keygen.1 \
		ssh1.1 ssh.1 \
		ssh.1 slogin.1 \
		ssh1.1 slogin1.1 \
		sshd1.8 sshd.8

# Rename the shipped make-ssh-known-hosts.pl to a .pl.in file in the work
# source tree before the patch stage runs.
# NOTE(review): presumably so the script is regenerated with the configured
# PERL path -- confirm against the port's patches.
pre-patch:
	@${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl ${WRKSRC}/make-ssh-known-hosts.pl.in

# Refuse to proceed until USA_RESIDENT is explicitly YES or NO.
# The recipe is only present when the variable is unset or holds any other
# value; it prints the explanation and then fails via ${FALSE}.
# The parentheses make the existing precedence explicit: the value is only
# compared once defined() has established that the variable exists.
fetch-depends:
.if !defined(USA_RESIDENT) || (${USA_RESIDENT} != YES && ${USA_RESIDENT} != NO)
	@${ECHO}
	@${ECHO} You must set the variable USA_RESIDENT to YES if you are a
	@${ECHO} United States resident, otherwise NO.
	@${ECHO} If you are a US resident then this port must also fetch
	@${ECHO} the RSAREF2 library from sources abroad \(RSA Inc. holds a
	@${ECHO} patent on RSA and public key crypto in general in the United
	@${ECHO} States so using RSA implementations other than RSAREF there
	@${ECHO} may violate US patent law\).
	@${FALSE}
.endif

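# One-time setup after the files are installed.
#
# 1. Host key: generated only when ${PREFIX}/etc/ssh_host_key does not exist,
#    so an existing host identity is never replaced by a reinstall.  The key
#    is created with an empty passphrase (-N ""), so its confidentiality rests
#    entirely on the permissions of that file.
#    NOTE(review): confirm ssh-keygen leaves the key readable by root only.
#
# 2. Startup script: ${FILESDIR}/sshd.sh with !!PREFIX!! substituted, mode 751,
#    installed only when no sshd.sh is present.  It is written to a temporary
#    name and renamed into place once sed and chmod have both succeeded.
#    Writing straight to sshd.sh would let a failed or interrupted sed leave a
#    truncated file that the "-f" guard then treats as already installed on
#    every later run.  The temporary name does not end in ".sh".
post-install:
	@if [ ! -f ${PREFIX}/etc/ssh_host_key ]; then \
		${ECHO} "Generating a secret host key..."; \
		${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \
	fi
	@if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
		${ECHO} "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
		${SED} -e 's+!!PREFIX!!+${PREFIX}+g' ${FILESDIR}/sshd.sh \
			> ${PREFIX}/etc/rc.d/sshd.sh.tmp && \
		${CHMOD} 751 ${PREFIX}/etc/rc.d/sshd.sh.tmp && \
		${MV} -f ${PREFIX}/etc/rc.d/sshd.sh.tmp ${PREFIX}/etc/rc.d/sshd.sh; \
	fi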

.include <bsd.port.pre.mk>

# Perl is used when WITH_PERL is set, or when ${PERL5} exists and the user
# has not set WITHOUT_PERL.  Otherwise configure is handed a placeholder path.
# NOTE(review): with the placeholder, anything configure generates from PERL
# will point at a path that does not exist until an administrator edits it --
# confirm the affected scripts fail visibly rather than silently.
.if defined(WITH_PERL) || (exists(${PERL5}) && !defined(WITHOUT_PERL))
USE_PERL5=	yes
CONFIGURE_ENV+= PERL=${PERL5}
.else
CONFIGURE_ENV+= PERL=/replace_it_with_PERL_path
.endif

# tcp-wrapper (libwrap) support; the original note adds "call remote identd".
# If /usr/include/tcpd.h exists, only --with-libwrap is passed.  Otherwise the
# tcp_wrapper port is used when WITH_TCPWRAP is set, or when libwrap.a is
# already under ${PREFIX}/lib and WITHOUT_TCPWRAP is not set; that case also
# points the compiler and linker at ${PREFIX}.
# NOTE(review): when neither branch matches, --with-libwrap is not passed at
# all, so the build presumably has no wrapper support -- confirm that is
# acceptable for the target hosts.
.if exists(/usr/include/tcpd.h)
CONFIGURE_ARGS+= --with-libwrap
.elif defined(WITH_TCPWRAP) || (exists(${PREFIX}/lib/libwrap.a) && !defined(WITHOUT_TCPWRAP))
CONFIGURE_ENV+= LDFLAGS=-L${PREFIX}/lib CFLAGS="${CFLAGS} -I${PREFIX}/include"
CONFIGURE_ARGS+= --with-libwrap
LIB_DEPENDS+=	wrap.7:${PORTSDIR}/security/tcp_wrapper
.endif

# IPv6: the original patches came from ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/
# (ssh-1.2.27-IPv6-1.5-patch.gz).  IPv6 is enabled whenever OSVERSION is at
# least 400014; older systems (for example with the kame IPv6 stack) opt in
# through WITH_INET6.  WITH_INET6 is only consulted when the version test
# fails, exactly as before.
.if ${OSVERSION} >= 400014 || defined(WITH_INET6)
CONFIGURE_ARGS+=	--enable-ipv6
.else
CONFIGURE_ARGS+=	--disable-ipv6
.endif

# SOCKS firewall support (opt-in via WITH_SOCKS); links against the socks5
# library found under ${PREFIX}/lib.
.if defined(WITH_SOCKS)
CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5" --with-socks5
.endif

# X11 extras: built when WITH_X11 is set, or when libX11.a exists under
# ${X11BASE}/lib and WITHOUT_X11 is not set.  Otherwise configure is told
# to build without X.
.if defined(WITH_X11) || (exists(${X11BASE}/lib/libX11.a) && !defined(WITHOUT_X11))
USE_XLIB=	yes
PLIST:=		${WRKDIR}/PLIST
# Assemble the packing list in the work directory: the X11-specific entries
# first, followed by the port's base list from ${PKGDIR}.
pre-install:
	@${CAT} ${PKGDIR}/PLIST.X11 ${PKGDIR}/PLIST > ${PLIST}
.else
CONFIGURE_ARGS+= --without-x
.endif

.include <bsd.port.post.mk>