Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
# OpenSSH package set: the stock build plus HPN- and GSSAPI-patched variants.
#
# Every remote input below (release tarball, third-party patches) is a
# fixed-output fetch: the `hash` attribute, not the URL or the mirror, is what
# pins the content. A changed upstream file makes the fetch fail on a hash
# mismatch instead of being built silently.
{
  callPackage,
  lib,
  fetchurl,
  fetchpatch,
  autoreconfHook,
}:
let
  # Build one variant: ./common.nix is imported with the variant's attributes
  # and the resulting function is handed to callPackage.
  common = variantArgs: callPackage (import ./common.nix variantArgs) { };

  # Package versions whose upstream tarball is named with a different version.
  # 10.0p1 was accidentally released as 10.0p2:
  # https://www.openwall.com/lists/oss-security/2025/04/09/6
  tarballVersionOverrides = {
    "10.0p2" = "10.0p1";
  };

  # Gets the correct OpenSSH URL for a given version; versions without an
  # override entry are used unchanged in the file name.
  urlFor =
    version:
    let
      tarballVersion = tarballVersionOverrides.${version} or version;
    in
    "mirror://openbsd/OpenSSH/portable/openssh-${tarballVersion}.tar.gz";
in
{
  # Stock OpenSSH: upstream tarball plus the ssh-keysign lookup patch only.
  openssh = common rec {
    pname = "openssh";
    version = "10.0p2";

    src = fetchurl {
      url = urlFor version;
      # NOTE(review): this hash is the only integrity check visible in this
      # file. When bumping `version`, derive the new value from a tarball that
      # was checked against upstream's signed release, not from whatever the
      # mirror happens to serve.
      hash = "sha256-AhoucJoO30JQsSVr1anlAEEakN3avqgw7VnO+Q652Fw=";
    };

    extraPatches = [
      # Use ssh-keysign from PATH
      # ssh-keysign is used for host-based authentication, and is designed to be used
      # as SUID-root program. OpenSSH defaults to referencing it from libexec, which
      # cannot be made SUID in Nix.
      # NOTE(review): the patch body is not visible here. With a PATH lookup,
      # the helper that runs depends on the PATH of the invoking ssh process —
      # confirm the deployment puts only the intended helper on it.
      ./ssh-keysign-8.5.patch
    ];

    extraMeta = {
      maintainers = [
        lib.maintainers.philiptaron
        lib.maintainers.numinit
      ];
      teams = [ lib.teams.helsinki-systems ];
    };
  };

  # OpenSSH with the HPN patch set taken from FreeBSD ports.
  # The same release tarball and hash as `openssh` are used; the three variants
  # repeat version and hash, so a version bump has to touch each of them.
  openssh_hpn = common rec {
    pname = "openssh-with-hpn";
    version = "10.0p2";
    extraDesc = " with high performance networking patches";

    src = fetchurl {
      url = urlFor version;
      hash = "sha256-AhoucJoO30JQsSVr1anlAEEakN3avqgw7VnO+Q652Fw=";
    };

    extraPatches =
      let
        # The URL names a full freebsd-ports commit id, so it refers to one
        # immutable revision of the patch file.
        hpnPatchUrl = "https://raw.githubusercontent.com/freebsd/freebsd-ports/dde9561b3ff73639aeebe8ec33ad52ecca0bf58d/security/openssh-portable/files/extra-patch-hpn";
      in
      [
        ./ssh-keysign-8.5.patch

        # HPN Patch from FreeBSD ports
        # The one upstream file is fetched twice and split by path: everything
        # except channels.c is taken with one leading path component stripped,
        # channels.c is taken on its own with an empty extra prefix.
        # fetchpatch hashes the normalised, filtered patch, so neither hash is
        # the sha256 of the raw download and the two values differ.
        (fetchpatch {
          name = "ssh-hpn-wo-channels.patch";
          url = hpnPatchUrl;
          stripLen = 1;
          excludes = [ "channels.c" ];
          hash = "sha256-0HQAacNdvqX+7CTDhkbgAyb0WbqnnH6iAYQBFh8XenA=";
        })

        (fetchpatch {
          name = "ssh-hpn-channels.patch";
          url = hpnPatchUrl;
          extraPrefix = "";
          includes = [ "channels.c" ];
          hash = "sha256-pDLUbjv5XIyByEbiRAXC3WMUPKmn15af1stVmcvr7fE=";
        })
      ];

    extraNativeBuildInputs = [ autoreconfHook ];

    extraConfigureFlags = [ "--with-hpn" ];

    extraMeta = {
      maintainers = [ lib.maintainers.abbe ];
    };
  };

  # OpenSSH with Debian's GSSAPI patch.
  openssh_gssapi = common rec {
    pname = "openssh-with-gssapi";
    version = "10.0p2";
    extraDesc = " with GSSAPI support";

    src = fetchurl {
      url = urlFor version;
      hash = "sha256-AhoucJoO30JQsSVr1anlAEEakN3avqgw7VnO+Q652Fw=";
    };

    extraPatches = [
      ./ssh-keysign-8.5.patch

      # The URL path names the Debian ref debian/1%10.0p1-1 ("%25" is the
      # URL-encoded "%"). A named ref can be moved, unlike a commit id, so the
      # hash below is what actually fixes the patch content. The ref is for
      # 10.0p1, the same version string the tarball URL resolves to.
      (fetchpatch {
        name = "openssh-gssapi.patch";
        url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%2510.0p1-1/debian/patches/gssapi.patch";
        hash = "sha256-7Q27tvtCY3b9evC3lbqEz4u7v5DcerjWZfhh8azIAQo=";
      })
    ];

    extraNativeBuildInputs = [ autoreconfHook ];
  };
}