Noah Vogt 3 роки тому
коміт
477d2815b7
5 змінених файлів з 245 додано та 0 видалено
  1. 37 0
      .SRCINFO
  2. 100 0
      PKGBUILD
  3. 100 0
      glibc-2.31.patch
  4. 1 0
      sshd.conf
  5. 7 0
      sshd.pam

+ 37 - 0
.SRCINFO

@@ -0,0 +1,37 @@
+pkgbase = openssh-dotconfig
+	pkgdesc = Premier connectivity tool for remote login with the SSH protocol
+	pkgver = 8.8p1
+	pkgrel = 1
+	url = https://www.openssh.com/portable.html
+	arch = x86_64
+	license = custom:BSD
+	makedepends = linux-headers
+	makedepends = libfido2
+	depends = glibc
+	depends = krb5
+	depends = openssl
+	depends = libedit
+	depends = ldns
+	depends = libxcrypt
+	depends = libcrypt.so
+	depends = zlib
+	depends = pam
+	optdepends = xorg-xauth: X11 forwarding
+	optdepends = x11-ssh-askpass: input passphrase in X
+	optdepends = libfido2: FIDO/U2F support
+	provides = openssh
+	conflicts = openssh
+	backup = etc/ssh/ssh_config
+	backup = etc/ssh/sshd_config
+	backup = etc/pam.d/sshd
+	source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
+	source = sshd.conf
+	source = sshd.pam
+	source = glibc-2.31.patch
+	validpgpkeys = 7168B983815A5EEF59A4ADFD2A3F414E736060BA
+	sha256sums = 4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
+	sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6
+	sha256sums = cbe71695511d3a62419299f45d3ca4efa3afaeada53f6ee439ec14cfb718c775
+	sha256sums = 25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93
+
+pkgname = openssh-dotconfig

+ 100 - 0
PKGBUILD

@@ -0,0 +1,100 @@
+# Maintainer: Noah Vogt (noahvogt) <noah@noahvogt.com>
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Maintainer: Giancarlo Razzolini <grazzolini@archlinux.org>
+# Contributor: Gaetan Bisson <bisson@archlinux.org>
+# Contributor: Aaron Griffin <aaron@archlinux.org>
+# Contributor: judd <jvinet@zeroflux.org>
+
+pkgname=openssh-dotconfig
+pkgver=8.8p1
+pkgrel=1
+pkgdesc='Premier connectivity tool for remote login with the SSH protocol'
+url='https://www.openssh.com/portable.html'
+license=('custom:BSD')
+arch=('x86_64')
+depends=('glibc' 'krb5' 'openssl' 'libedit' 'ldns' 'libxcrypt' 'libcrypt.so' 'zlib' 'pam')
+makedepends=('linux-headers' 'libfido2')
+optdepends=('xorg-xauth: X11 forwarding'
+            'x11-ssh-askpass: input passphrase in X'
+            'libfido2: FIDO/U2F support')
+validpgpkeys=('7168B983815A5EEF59A4ADFD2A3F414E736060BA')
+#source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1"
+source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname%-*}-${pkgver}.tar.gz"
+        'sshd.conf'
+        'sshd.pam'
+        'glibc-2.31.patch')
+sha256sums=('4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9'
+            '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
+            'cbe71695511d3a62419299f45d3ca4efa3afaeada53f6ee439ec14cfb718c775'
+            '25b4a4d9e2d9d3289ef30636a30e85fa1c71dd930d5efd712cca1a01a5019f93')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+provides=('openssh')
+conflicts=('openssh')
+
+prepare() {
+	cd "${srcdir}/${pkgname%-*}-${pkgver}"
+
+	patch -p1 -i ../glibc-2.31.patch
+    grep -rl "\.ssh" * | xargs sed -i 's/\.ssh/.config\/ssh/g'
+
+	autoreconf
+}
+
+build() {
+	cd "${srcdir}/${pkgname%-*}-${pkgver}"
+
+	./configure \
+		--prefix=/usr \
+		--sbindir=/usr/bin \
+		--libexecdir=/usr/lib/ssh \
+		--sysconfdir=/etc/ssh \
+		--disable-strip \
+		--with-ldns \
+		--with-libedit \
+		--with-security-key-builtin \
+		--with-ssl-engine \
+		--with-pam \
+		--with-privsep-user=nobody \
+		--with-kerberos5=/usr \
+		--with-xauth=/usr/bin/xauth \
+		--with-md5-passwords \
+		--with-pid-dir=/run \
+		--with-default-path='/usr/local/sbin:/usr/local/bin:/usr/bin' \
+
+	make
+}
+
+#check() {
+	#cd "${srcdir}/${pkgname%-*}-${pkgver}"
+#
+	## Tests require openssh to be already installed system-wide,
+	## also connectivity tests will fail under makechrootpkg since
+        ## it runs as nobody which has /bin/false as login shell.
+#
+	#if [[ -e /usr/bin/scp && ! -e /.arch-chroot ]]; then
+		#make tests
+	#fi
+#}
+
+package() {
+	cd "${srcdir}/${pkgname%-*}-${pkgver}"
+
+	make DESTDIR="${pkgdir}" install
+
+	ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+	install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname%-*}/LICENCE"
+
+	install -Dm644 ../sshd.conf "${pkgdir}"/usr/lib/tmpfiles.d/sshd.conf
+	install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+	install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+	install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+	install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+	sed \
+		-e '/^#KbdInteractiveAuthentication yes$/c KbdInteractiveAuthentication no' \
+		-e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+		-e '/^#UsePAM no$/c UsePAM yes' \
+		-i "${pkgdir}"/etc/ssh/sshd_config
+}
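Review bot: validpgpkeys is declared but source= fetches only the tarball with no detached signature, so makepkg never performs a PGP check and the sha256 pinned in the PKGBUILD is the sole integrity control on the upstream archive; add the signature with `source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname%-*}-${pkgver}.tar.gz"{,.asc}` and a `'SKIP'` entry after the tarball hash in sha256sums, then regenerate .SRCINFO so it carries the same entries. In prepare(), `grep -rl "\.ssh" * | xargs sed -i 's/\.ssh/.config\/ssh/g'` rewrites every occurrence of `.ssh` in the whole tree, which presumably also touches contrib/ssh-copy-id (installed by package()) so that it would append keys to `~/.config/ssh/authorized_keys` on remote hosts whose sshd still reads `~/.ssh` — confirm that is intended, or restrict the substitution to the client/server path definitions. With sshd's default StrictModes the relocated AuthorizedKeysFile also makes `~/.config` subject to the same ownership and group/world-writability check that `~/.ssh` was, which is worth stating in a comment next to the sed line. The glibc-2.31.patch carries upstream commits from late 2019 that appear to already be part of 8.8p1, and `patch -p1 -i ../glibc-2.31.patch` has no `--forward`, so an already-applied patch prompts or fails instead of being skipped — drop the patch or add `-N`. Line 100 is also indented with spaces while the rest of the file uses tabs.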

+ 100 - 0
glibc-2.31.patch

@@ -0,0 +1,100 @@
+From beee0ef61866cb567b9abc23bd850f922e59e3f0 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
+
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc.  Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..96ab141f7 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,12 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ 	SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++	SC_ALLOW(__NR_clock_nanosleep),
++#endif
++#ifdef __NR_clock_nanosleep
++	SC_ALLOW(__NR_clock_nanosleep),
++#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(__NR__newselect),
+ #endif
+From 69298ebfc2c066acee5d187eac8ce9f38c796630 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:27:31 +1100
+Subject: [PATCH] Remove duplicate __NR_clock_nanosleep
+
+---
+ sandbox-seccomp-filter.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 96ab141f7..be2397671 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,9 +245,6 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ 	SC_ALLOW(__NR_clock_nanosleep),
+ #endif
+-#ifdef __NR_clock_nanosleep
+-	SC_ALLOW(__NR_clock_nanosleep),
+-#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(__NR__newselect),
+ #endif
+From 030b4c2b8029563bc8a9fd764288fde08fa2347c Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
+
+Needed on Linux ARM.  bz#3100, patch from jjelen@redhat.com.
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index be2397671..3ef30c9d5 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,6 +245,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ 	SC_ALLOW(__NR_clock_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep_time64
++	SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(__NR__newselect),
+ #endif
+From a991cc5ed5a7c455fefe909a30cf082011ef5dff Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
+
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 3ef30c9d5..999c46c9f 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep_time64
+ 	SC_ALLOW(__NR_clock_nanosleep_time64),
+ #endif
++#ifdef __NR_clock_gettime64
++	SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(__NR__newselect),
+ #endif

+ 1 - 0
sshd.conf

@@ -0,0 +1 @@
+d /var/empty 0755 root root

+ 7 - 0
sshd.pam

@@ -0,0 +1,7 @@
+#%PAM-1.0
+#auth     required  pam_securetty.so     #disable remote root
+auth      include   system-remote-login
+account   include   system-remote-login
+password  include   system-remote-login
+session   include   system-remote-login
+