Gentoo Packages

Search

Package Information

Description:

OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. This package represents an effort to extend upstream OpenSSH with three big patchsets. WARNING: These patches are of lower quality than vanilla upstream OpenSSH and often have correctness issues. The patches are: * HPN (High performance SSH/SCP) adds custom ciphers that allow for more aggressive buffering and/or multithreading, leading to better network throughput. Many of these optimizations are not relevant anymore due to AEAD ciphers changing MAC nesting or because more CPU performant ciphers are being used in this day and age (ChaCha20). WARNING: HPN's multi-threaded AES CTR cipher is known to be broken and should not be relied upon. * SCTP patches by Patrick McLean. These enable SSH over SCTP. * X509 patches by Roumen Petrov. OpenSSH upstream will never support standard PKIs for authenticating users. This patch series adds support for X509 certificates.

Homepage:

https://www.openssh.com/

License:

BSD GPL-2

Versions

Metadata

Description

• OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. This package represents an effort to extend upstream OpenSSH with three big patchsets. WARNING: These patches are of lower quality than vanilla upstream OpenSSH and often have correctness issues. The patches are: * HPN (High performance SSH/SCP) adds custom ciphers that allow for more aggressive buffering and/or multithreading, leading to better network throughput. Many of these optimizations are not relevant anymore due to AEAD ciphers changing MAC nesting or because more CPU performant ciphers are being used in this day and age (ChaCha20). WARNING: HPN's multi-threaded AES CTR cipher is known to be broken and should not be relied upon. * SCTP patches by Patrick McLean. These enable SSH over SCTP. * X509 patches by Roumen Petrov. OpenSSH upstream will never support standard PKIs for authenticating users. This patch series adds support for X509 certificates.

Maintainers

• Patrick McLean (chutzpah@gentoo.org) - Type: person
• Robin H. Johnson (robbat2@gentoo.org) - Type: person

Upstream

• Remote IDs:
  • cpe: cpe:/a:openbsd:openssh
  • github: openssh/openssh-portable
  • sourceforge: hpnssh

<pkgmetadata>
	<maintainer type="person">
		<email>chutzpah@gentoo.org</email>
		<name>Patrick McLean</name>
	</maintainer>
	<maintainer type="person">
		<email>robbat2@gentoo.org</email>
		<name>Robin H. Johnson</name>
	</maintainer>
	<longdescription>
		OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
		increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
		rlogin, ftp, and other such programs might not realize that their password is transmitted
		across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
		to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
		Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
		of authentication methods.

		The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
		replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
		the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
		ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.

		This package represents an effort to extend upstream OpenSSH with three big patchsets.

		WARNING: These patches are of lower quality than vanilla upstream OpenSSH and often have
		correctness issues.

		The patches are:

		* HPN (High performance SSH/SCP) adds custom ciphers that allow for more aggressive
		buffering and/or multithreading, leading to better network throughput. Many of these
		optimizations are not relevant anymore due to AEAD ciphers changing MAC nesting or
		because more CPU performant ciphers are being used in this day and age (ChaCha20).

		WARNING: HPN's multi-threaded AES CTR cipher is known to be broken and should not be relied upon.

		* SCTP patches by Patrick McLean. These enable SSH over SCTP.

		* X509 patches by Roumen Petrov. OpenSSH upstream will never support standard PKIs for
		authenticating users. This patch series adds support for X509 certificates.
	</longdescription>
	<use>
		<flag name="hpn">Enable high performance ssh</flag>
		<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
		<flag name="livecd">Enable root password logins for live-cd environment.</flag>
		<flag name="security-key">Include builtin U2F/FIDO support</flag>
		<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
		<flag name="X509">Adds support for X.509 certificate authentication</flag>
		<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
	</use>
	<upstream>
		<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
		<remote-id type="github">openssh/openssh-portable</remote-id>
		<remote-id type="sourceforge">hpnssh</remote-id>
	</upstream>
</pkgmetadata>

Lint Warnings

• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'abi_mips_n32' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'audit' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'kerberos' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'libedit' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'pam' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'pie' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'selinux' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'static' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Ebuild 9.7_p1-r4 uses IUSE flag 'X' which is not documented in metadata.xml. Add the flag to metadata.xml <use> section.
• [Warning] Missing md5-cache for version 9.7_p1-r4. Run 'ebuild <ebuild_file> manifest' or 'egencache' to generate it.

USE Flags

Files

• openssh-9.0_p1-X509-uninitialized-delay.patch
• openssh-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch
• openssh-9.6_p1-CVE-2024-6387.patch
• openssh-9.6_p1-chaff-logic.patch
• openssh-9.6_p1-fix-xmss-c99.patch
• openssh-9.6_p1-hpn-version.patch
• openssh-9.7_p1-X509-CVE-2024-6387.patch
• openssh-9.7_p1-config-tweaks.patch
• sshd-r1.confd
• sshd-r1.initd
• sshd.pam_include.2
• sshd.service.1
• sshd.socket
• sshd_at.service.1

Manifest