openssh: 6.9p1 -> 7.1p1

This intentionally leaves out support for using existing dsa keys as
they are insecure and should not be enabled by default. If you need this
support, please make the changes in your ssh_config and sshd_config.

2 files changed, 3 insertions, 68 deletions

diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 2004e453a0d9..50d53bdff2cd 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -17,11 +17,11 @@ let
 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
-  name = "openssh-6.9p1";
+  name = "openssh-7.1p1";
 
   src = fetchurl {
     url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
-    sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf";
+    sha256 = "0a44mnr8bvw41zg83xh4sb55d8nds29j95gxvxk5qg863lnns2pw";
   };
 
   prePatch = optionalString hpnSupport
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
       export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
     '';
 
-  patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch];
+  patches = [ ./locale_archive.patch ];
 
   buildInputs = [ zlib openssl libedit pkgconfig pam ]
     ++ optional withKerberos [ kerberos ];
diff --git a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch b/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch
deleted file mode 100644
index 02e9eb3a9739..000000000000
--- a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d
-
-diff --git a/sshpty.c b/sshpty.c
-index 7bb7641..15da8c6 100644
---- a/sshpty.c
-+++ b/sshpty.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
-+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
- 	/* Determine the group to make the owner of the tty. */
- 	grp = getgrnam("tty");
- 	gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
--	mode = (grp != NULL) ? 0622 : 0600;
-+	mode = (grp != NULL) ? 0620 : 0600;
- 
- 	/*
- 	 * Change owner and mode of the tty as required.
-diff --git a/monitor.c b/monitor.c
-index b410965..f1b873d 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
- int
- mm_answer_pam_init_ctx(int sock, Buffer *m)
- {
--
- 	debug3("%s", __func__);
--	authctxt->user = buffer_get_string(m, NULL);
- 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
- 	sshpam_authok = NULL;
- 	buffer_clear(m);
-@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
- int
- mm_answer_pam_free_ctx(int sock, Buffer *m)
- {
-+	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
- 
- 	debug3("%s", __func__);
- 	(sshpam_device.free_ctx)(sshpam_ctxt);
-+	sshpam_ctxt = sshpam_authok = NULL;
- 	buffer_clear(m);
- 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
- 	auth_method = "keyboard-interactive";
- 	auth_submethod = "pam";
--	return (sshpam_authok == sshpam_ctxt);
-+	return r;
- }
- #endif
- 
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index e6217b3..eac421b 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
- 
- 	debug3("%s", __func__);
- 	buffer_init(&m);
--	buffer_put_cstring(&m, authctxt->user);
- 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
- 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
- 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);