| blob | 55babb4ca2dc66ceed4bcf4a11a02770077cd44b |
1 { pname
2 , version
3 , extraDesc ? ""
4 , src
5 , extraPatches ? []
6 , extraNativeBuildInputs ? []
7 , extraMeta ? {}
8 }:
10 { lib, stdenv
11 # This *is* correct, though unusual. as a way of getting krb5-config from the
12 # package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
13 , pkgs
14 , fetchurl
15 , fetchpatch
16 , zlib
17 , openssl
18 , libedit
19 , pkg-config
20 , pam
21 , etcDir ? null
22 , withKerberos ? true
23 , libkrb5
24 , libfido2
25 , withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
26 , linkOpenssl ? true
27 }:
29 with lib;
30 stdenv.mkDerivation rec {
31 inherit pname version src;
33 patches = [
34 ./locale_archive.patch
36 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
37 ./dont_create_privsep_path.patch
38 ] ++ extraPatches;
40 postPatch =
41 # On Hydra this makes installation fail (sometimes?),
42 # and nix store doesn't allow such fancy permission bits anyway.
43 ''
44 substituteInPlace Makefile.in --replace '$(INSTALL) -m 4711' '$(INSTALL) -m 0711'
45 '';
47 nativeBuildInputs = [ pkg-config ]
48 # This is not the same as the libkrb5 from the inputs! pkgs.libkrb5 is
49 # needed here to access krb5-config in order to cross compile. See:
50 # https://github.com/NixOS/nixpkgs/pull/107606
51 ++ optional withKerberos pkgs.libkrb5
52 ++ extraNativeBuildInputs;
53 buildInputs = [ zlib openssl libedit ]
54 ++ optional withFIDO libfido2
55 ++ optional withKerberos libkrb5
56 ++ optional stdenv.isLinux pam;
58 preConfigure = ''
59 # Setting LD causes `configure' and `make' to disagree about which linker
60 # to use: `configure' wants `gcc', but `make' wants `ld'.
61 unset LD
62 ''
63 # Upstream build system does not support static build, so we fall back
64 # on fragile patching of configure script.
65 #
66 # libedit is found by pkg-config, but without --static flag, required
67 # to get also transitive dependencies for static linkage, hence sed
68 # expression.
69 #
70 # Kerberos can be found either by krb5-config or by fall-back shell
71 # code in openssh's configure.ac. Neither of them support static
72 # build, but patching code for krb5-config is simpler, so to get it
73 # into PATH, libkrb5.dev is added into buildInputs.
74 + optionalString stdenv.hostPlatform.isStatic ''
75 sed -i "s,PKGCONFIG --libs,PKGCONFIG --libs --static,g" configure
76 sed -i 's#KRB5CONF --libs`#KRB5CONF --libs` -lkrb5support -lkeyutils#g' configure
77 sed -i 's#KRB5CONF --libs gssapi`#KRB5CONF --libs gssapi` -lkrb5support -lkeyutils#g' configure
78 '';
80 # I set --disable-strip because later we strip anyway. And it fails to strip
81 # properly when cross building.
82 configureFlags = [
83 "--sbindir=\${out}/bin"
84 "--localstatedir=/var"
85 "--with-pid-dir=/run"
86 "--with-mantype=man"
87 "--with-libedit=yes"
88 "--disable-strip"
89 (if stdenv.isLinux then "--with-pam" else "--without-pam")
90 ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
91 ++ optional withFIDO "--with-security-key-builtin=yes"
92 ++ optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
93 ++ optional stdenv.isDarwin "--disable-libutil"
94 ++ optional (!linkOpenssl) "--without-openssl";
96 buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
98 enableParallelBuilding = true;
100 hardeningEnable = [ "pie" ];
102 postInstall = ''
103 # Install ssh-copy-id, it's very useful.
104 cp contrib/ssh-copy-id $out/bin/
105 chmod +x $out/bin/ssh-copy-id
106 cp contrib/ssh-copy-id.1 $out/share/man/man1/
107 '';
109 installTargets = [ "install-nokeys" ];
110 installFlags = [
111 "sysconfdir=\${out}/etc/ssh"
112 ];
114 meta = {
115 description = "An implementation of the SSH protocol${extraDesc}";
116 homepage = "https://www.openssh.com/";
117 changelog = "https://www.openssh.com/releasenotes.html";
118 license = licenses.bsd2;
119 platforms = platforms.unix ++ platforms.windows;
120 maintainers = with maintainers; [ eelco aneeshusa ];
121 } // extraMeta;
122 }