Bug 250559 (Moduli, Own) - security/openssh-portable: support self-generated moduli in opensshd-portable
Summary: security/openssh-portable: support self-generated moduli in opensshd-portable
Status: Closed FIXED
Alias: Moduli, Own
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mateusz Piotrowski
URL: https://mastodon.social/@mpts/1050449...
Depends on:
Reported: 2020-10-23 14:14 UTC by Michał "rysiek" Woźniak
Modified: 2020-11-07 14:58 UTC

See Also:
bugzilla: maintainer-feedback? (bdrewery)

the moduli.sample patch (1.84 KB, patch)
2020-10-23 14:14 UTC, Michał "rysiek" Woźniak
no flags

Description Michał "rysiek" Woźniak 2020-10-23 14:14:39 UTC
Created attachment 219000 [details]
the moduli.sample patch

Currently, if the moduli file is self-generated, pkg complains about the file having been changed:

[root@abox /etc]# pkg check -s openssh-portable
Checking openssh-portable:   0%
openssh-portable-8.2.p1_1,1: checksum mismatch for /usr/local/etc/ssh/moduli
Checking openssh-portable: 100%

The patch installs the moduli file as `/usr/local/etc/ssh/moduli.sample` instead, and symlinks it as `/usr/local/etc/ssh/moduli`. The `moduli.sample` is added to `pkg-plist`, but `moduli` is not, making it possible to self-generate a moduli file without having pkg complain about a checksum mismatch for it.

This is a slightly improved version of a patch created by @mpts here:
(credit where credit's due)
Comment 1 Mateusz Piotrowski freebsd_committer 2020-10-27 11:07:47 UTC
Comment on attachment 219000 [details]
the moduli.sample patch

>diff -u ./Makefile ../openssh-portable-moduli-patch/Makefile
>--- ./Makefile	2020-03-23 23:15:09.000000000 +0000
>+++ ../openssh-portable-moduli-patch/Makefile	2020-10-22 22:04:34.305030000 +0000
>@@ -191,8 +191,12 @@
> 	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
> post-install:
>+	${MV} ${STAGEDIR}${ETCDIR}/moduli \
>+	    ${STAGEDIR}${ETCDIR}/moduli.sample
>+	${RLN} ${STAGEDIR}${ETCDIR}/moduli.sample \
>+	    ${STAGEDIR}${ETCDIR}/moduli
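Review bot: the two `${RLN}` lines at the end of the hunk stage `${ETCDIR}/moduli` as a symlink to `moduli.sample`, which works against the description's stated goal of keeping `moduli` out of `pkg-plist`: a path created in `${STAGEDIR}` either has to be listed (and is then owned and checksummed by pkg again, reintroducing the mismatch the patch is meant to avoid) or is left behind as a staged file the plist does not account for. If `moduli.sample` is recorded in `pkg-plist` with the `@sample` keyword, pkg creates `moduli` at install time when it is missing, so only the `${MV}` is needed and the `${RLN}` block can be dropped.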

I am not sure, but this RLN command should not be needed. AFAIR, @sample in pkg-plist instructs pkg to (1) copy file.sample to file if file does not exist, and (2) on package upgrade, copy the new file.sample to file again if it has not been modified since the last time. I'd have to double check with the documentation/implementation.
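The @sample behaviour described in this comment, modelled as a short POSIX sh script so the two upgrade outcomes can be checked: an operator-generated moduli survives an upgrade, while an untouched copy is refreshed from the new sample. This is an added illustration, not pkg(8)'s code or the port's; the function names are made up for it, and cmp(1) stands in for pkg's checksum comparison of the target against the sample.

```shell
#!/bin/sh
# Model of pkg-plist's @sample behaviour, written for this illustration;
# it is not pkg's code. Assumption: pkg compares the target against the
# sample by checksum; cmp(1) stands in for that comparison here.

# sample_install SAMPLE TARGET: copy SAMPLE to TARGET only if TARGET is absent.
sample_install() {
    if [ ! -e "$2" ]; then
        cp "$1" "$2"
    fi
}

# sample_deinstall SAMPLE TARGET: remove TARGET only while it is still
# byte-identical to SAMPLE, so a locally generated file survives.
sample_deinstall() {
    if [ -e "$2" ] && cmp -s "$1" "$2"; then
        rm -f "$2"
    fi
}

# upgrade_cycle DIR LOCAL_CONTENT: install the old sample, optionally
# overwrite the target with operator content (a constructed stand-in for
# a self-generated moduli), then deinstall + install with a new sample.
# Prints the final target content.
upgrade_cycle() {
    dir=$1
    printf 'old sample\n' > "$dir/moduli.sample"
    sample_install "$dir/moduli.sample" "$dir/moduli"
    [ -n "$2" ] && printf '%s\n' "$2" > "$dir/moduli"
    sample_deinstall "$dir/moduli.sample" "$dir/moduli"
    printf 'new sample\n' > "$dir/moduli.sample"
    sample_install "$dir/moduli.sample" "$dir/moduli"
    cat "$dir/moduli"
}

# Returns 0 when a self-generated moduli survives the upgrade.
demo_modified_survives() {
    dir=$(mktemp -d) || return 1
    out=$(upgrade_cycle "$dir" "site generated")
    rm -rf "$dir"
    [ "$out" = "site generated" ]
}

# Returns 0 when an untouched moduli is refreshed from the new sample.
demo_untouched_refreshed() {
    dir=$(mktemp -d) || return 1
    out=$(upgrade_cycle "$dir" "")
    rm -rf "$dir"
    [ "$out" = "new sample" ]
}
```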
Comment 2 commit-hook freebsd_committer 2020-11-07 14:47:33 UTC
A commit references this bug:

Author: 0mp
Date: Sat Nov  7 14:46:39 UTC 2020
New revision: 554395
URL: https://svnweb.freebsd.org/changeset/ports/554395

  Install the moduli file as a @sample

  PR:		250559
  Submitted by:	Michał "rysiek" Woźniak <rysiek % isnic.is>
  Approved by:	maintainer timeout

Comment 3 Mateusz Piotrowski freebsd_committer 2020-11-07 14:58:29 UTC
Committed! Thanks!