main/openssh: refactor PAM support, add krb5

Fix boostrap package, so it does not need PAM/krb5/libedit.
Fixes #10610

Refactor openssh-server-pam so it ships a /usr/sbin/sshd.pam binary,
which can be installed in parallel with openssh-server. This solves
problem where installing and uninstalling openssh-server-pam would
result in sshd binary getting deleted.
Fixes #12513

Add following subpackages:

- openssh-server-krb5     includes sshd.krb5 with krb5 and PAM support
- openssh-client-krb5     a provider for openssh-client with krb5
- openssh-client-common   common client tools
- openssh-client-default  a provider for openssh-client without krb5

Fixes #11458

The openssh-client-default has a higher provider_priority so it gets
preferred over openssh-client-krb5.

Refactor the init.d script to use sshd/sshd.pam/sshd.krb5 as command
depending on the sshd_config.

Refactor/fix APKBUILD so dependencies are added to correct
makedepends_host, and get rid of eval.

main/openssh/APKBUILD

@@ -4,31 +4,38 @@
 pkgname=openssh
 pkgver=8.6_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=0
+pkgrel=1
 pkgdesc="Port of OpenBSD's free SSH release"
 url="https://www.openssh.com/portable.html"
 arch="all"
 license="BSD"
 options="suid"
 depends="openssh-client openssh-sftp-server openssh-server"
-makedepends_build="linux-pam-dev"
+makedepends_host="openssl-dev zlib-dev linux-headers"
-makedepends_host="openssl-dev zlib-dev libedit-dev linux-headers"
+#
+# NOTE: if you edit this file, please make sure that it builds with `BOOSTRAP=1 abuild -r`
+#
+# build boostrap sshd without libedit, linux-pam and krb5
+if [ -z "$BOOTSTRAP" ]; then
+	makedepends_host="$makedepends_host libedit-dev linux-pam-dev krb5-dev"
+	subpackages="$pkgname-client-krb5:_client_krb5
+		$pkgname-server-pam:_server_with_flavor
+		$pkgname-server-krb5:_server_with_flavor"
+fi
+
 makedepends="$makedepends_build $makedepends_host"
-# Add more packages support here e.g. kerberos
+
-_pkgsupport=""
-[ -z "$BOOTSTRAP" ] && _pkgsupport="pam"
 subpackages="$pkgname-dbg
+	$subpackages
 	$pkgname-doc
 	$pkgname-keygen
-	$pkgname-client
+	$pkgname-client-default:_client_default
+	$pkgname-client-common:_client_common
 	$pkgname-keysign
-	$pkgname-sftp-server:sftp
+	$pkgname-sftp-server:_sftp_server
-	$pkgname-server-common:server_common:noarch
+	$pkgname-server-common:_server_common:noarch
 	$pkgname-server
 	"
-for _flavour in $_pkgsupport; do
-	subpackages="$subpackages $pkgname-server-$_flavour:_pkg_flavour"
-done
 
 source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar.gz
 	fix-utmp.patch
@@ -61,17 +68,12 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
 
 builddir="$srcdir"/$pkgname-$_myver
 
-prepare() {
+_do_configure() {
-	default_prepare
+	local _with_libedit="--with-libedit"
-	for _flavour in $_pkgsupport; do
+	if [ -n "$BOOTSTRAP" ]; then
-		cp -a "$srcdir"/$pkgname-$_myver "$srcdir"/$pkgname-$_myver-$_flavour
+		_with_libedit="--without-libedit"
-	done
+	fi
-}
+	./configure \
-
-build() {
-	export LD="$CC"
-	export TEST_SSH_UTF8=no # utf8 test fails
-	_configure_vanilla="./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
 		--prefix=/usr \
@@ -80,7 +82,7 @@ build() {
 		--mandir=/usr/share/man \
 		--with-pid-dir=/run \
 		--with-mantype=doc \
-		--with-ldflags='${LDFLAGS}' \
+		--with-ldflags="${LDFLAGS}" \
 		--disable-lastlog \
 		--disable-strip \
 		--disable-wtmp \
@@ -89,36 +91,63 @@ build() {
 		--with-privsep-user=sshd \
 		--with-md5-passwords \
 		--with-ssl-engine \
-		--with-libedit \
+		$_with_libedit \
-		"
+		"$@"
-	# now we build "vanilla" openssh
+}
-	_configure="$_configure_vanilla"
-	for _flavour in $_pkgsupport; do
-		_configure="$_configure --without-$_flavour"
-	done
-	msg "Building openssh..."
-	eval "$_configure"
-	make
 
-	# now we build other openssh-$_flavour
+build() {
-	_configure="$_configure_vanilla"
+	export LD="$CC"
-	for _flavour in $_pkgsupport; do
+	export TEST_SSH_UTF8=no # utf8 test fails
-		cd "$builddir-$_flavour"
+
-		msg "Building openssh with $_flavour support..."
+	if [ -z "$BOOTSTRAP" ]; then
-		eval "$_configure --with-$_flavour"
+		msg "Building openssh with pam support..."
+		_do_configure --without-kerberos5 --with-pam
 		make
-	done
+		mv sshd sshd.pam
+
+		msg "Building openssh with kerberos5"
+		_do_configure --with-kerberos5 --with-pam
+		make
+		mv sshd sshd.krb5
+		mv ssh ssh.krb5
+	fi
+
+	msg "Building openssh without pam and kerberos5"
+	_do_configure --without-kerberos5 --without-pam
+	make
 }
 
 check() {
 	# Run all tests except the t-exec tests which fail on the
 	# builders for some reason but pass locally (needs further
 	# investigation).
-	TEST_SSH_UNSAFE_PERMISSIONS=1 make -j1 file-tests interop-tests unit
+#	TEST_SSH_UNSAFE_PERMISSIONS=1 make -j1 file-tests interop-tests unit
+
+	if [ -z "$BOOTSTRAP" ]; then
+		msg "verify pam build"
+		scanelf -n sshd.pam | grep libpam
+
+		msg "verify krb5 build"
+		scanelf -n sshd.krb5 | grep krb5
+		scanelf -n ssh.krb5 | grep krb5
+	fi
+
+	msg "verify minimal build"
+	for i in sshd ssh; do
+		if scanelf -n $i | grep -E '(libpam|krb5)'; then
+			error "$i should not be linked to libpam or libkrb5"
+			return 1
+		fi
+	done
 }
 
 package() {
 	make DESTDIR="$pkgdir" install
+	if [ -z "$BOOTSTRAP" ]; then
+		install -m755 -t "$pkgdir"/usr/sbin/ sshd.pam sshd.krb5
+		install -m755 -t "$pkgdir"/usr/bin/ ssh.krb5
+	fi
+
 	mkdir -p "$pkgdir"/var/empty
 	install -D -m755 "$srcdir"/sshd.initd \
 		"$pkgdir"/etc/init.d/sshd
@@ -126,6 +155,12 @@ package() {
 		"$pkgdir"/etc/conf.d/sshd
 	install -Dm644 "$builddir"/contrib/ssh-copy-id.1 \
 		"$pkgdir"/usr/share/man/man1/ssh-copy-id.1
+	install -Dm755 "$builddir"/contrib/findssl.sh \
+		"$pkgdir"/usr/bin/findssl.sh
+	install -Dm755 "$builddir"/contrib/ssh-copy-id \
+		"$pkgdir"/usr/bin/ssh-copy-id
+	install -Dm755	"$builddir"/ssh-pkcs11-helper \
+		"$pkgdir"/usr/bin/ssh-pkcs11-helper
 }
 
 keygen() {
@@ -136,9 +171,25 @@ keygen() {
 		"$subpkgdir"/usr/bin/
 }
 
-client() {
+_client_krb5() {
+	pkgdesc="OpenBSD's SSH client with kerberos support"
+	depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-default"
+	provides="openssh-client=$pkgver-r$pkgrel"
+	provider_priority=0
+	amove usr/bin/ssh.krb5
+	mv "$subpkgdir"/usr/bin/ssh.krb5 "$subpkgdir"/usr/bin/ssh
+}
+
+_client_default() {
 	pkgdesc="OpenBSD's SSH client"
-	depends="openssh-keygen"
+	depends="openssh-keygen=$pkgver-r$pkgrel openssh-client-common=$pkgver-r$pkgrel !openssh-client-krb5"
+	provides="openssh-client=$pkgver-r$pkgrel"
+	provider_priority=1
+	amove usr/bin/ssh
+}
+
+_client_common() {
+	pkgdesc="OpenBSD's SSH client common files"
 	install -d "$subpkgdir"/usr/bin \
 		"$subpkgdir"/usr/lib/ssh \
 		"$subpkgdir"/etc/ssh \
@@ -149,23 +200,17 @@ client() {
 	mv "$pkgdir"/etc/ssh/ssh_config \
 		"$pkgdir"/etc/ssh/moduli \
 		"$subpkgdir"/etc/ssh/
-	install -Dm755 "$builddir"/contrib/findssl.sh \
-		"$subpkgdir"/usr/bin/findssl.sh
-	install -Dm755 "$builddir"/contrib/ssh-copy-id \
-		"$subpkgdir"/usr/bin/ssh-copy-id
-	install -Dm755	"$builddir"/ssh-pkcs11-helper \
-		"$subpkgdir"/usr/bin/ssh-pkcs11-helper
 }
 
 keysign() {
 	pkgdesc="ssh helper program for host-based authentication"
-	depends="openssh-client"
+	depends="openssh-client=$pkgver-r$pkgrel"
 	install -d "$subpkgdir"/usr/lib/ssh
 	mv "$pkgdir"/usr/lib/ssh/ssh-keysign \
 		"$subpkgdir"/usr/lib/ssh/
 }
 
-sftp() {
+_sftp_server() {
 	pkgdesc="ssh sftp server module"
 	depends=""
 	install -d "$subpkgdir"/usr/lib/ssh
@@ -173,47 +218,36 @@ sftp() {
 		"$subpkgdir"/usr/lib/ssh/
 }
 
-server_common() {
+_server_common() {
 	pkgdesc="OpenSSH server configuration files"
 	depends=""
-	for i in etc/ssh/sshd_config \
+	amove etc/ssh/sshd_config \
 		etc/init.d/sshd \
-		etc/conf.d/sshd; do
+		etc/conf.d/sshd
-
-		install -d "$subpkgdir"/${i%/*}
-		mv "$pkgdir"/$i \
-			"$subpkgdir"/${i%/*}/
-
-	done
 }
 
 server() {
 	pkgdesc="OpenSSH server"
-	depends="openssh-keygen openssh-server-common"
+	depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"
 	cd "$builddir"
 	install -d "$subpkgdir"/usr/sbin
 	mv "$pkgdir"/usr/sbin/sshd "$subpkgdir"/usr/sbin/
 }
 
-_server() {
+_server_with_flavor() {
-	cd "$builddir"
+	local _flavor="${subpkgname#openssh-server-}"
-	install -d "$subpkgdir"/usr/sbin
+	pkgdesc="OpenSSH server with $_flavor support"
-	mv "$1"/sshd "$subpkgdir"/usr/sbin/
+	depends="openssh-keygen=$pkgver-r$pkgrel openssh-server-common=$pkgver-r$pkgrel"
+	amove usr/sbin/sshd.$_flavor
 }
 
-_pkg_flavour() {
-	pkgdesc="OpenSSH server with $_flavour support"
-	depends="openssh-keygen openssh-server-common"
-	for _flavour in $_pkgsupport; do
-		cd "$builddir"-$_flavour
-		_server "$builddir"-$_flavour
-	done
-}
 
-sha512sums="9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6  openssh-8.6p1.tar.gz
+sha512sums="
+9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6  openssh-8.6p1.tar.gz
 f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1  fix-utmp.patch
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de  disable-forwarding-by-default.patch
 b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d  fix-verify-dns-segfault.patch
-9b35a7c311eb84ee90f0c6aea6bc1bf73ef89d92d46132f29260b97fdf4e3bde2c0c41252c0975e9e23928a2bb1c1d92742f320159792d2055b5ad5223d6371f  sshd.initd
+48f3f2deb2425d77ff60a54f584c19209d9f202efd664a151626f1af77709e85142f4cf2a76c686cf59344b6a7fe5d2b65713e267b083b4b1b7ef905a71fe846  sshd.initd
-be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09  sshd.confd"
+be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09  sshd.confd
+"

main/openssh/sshd.initd

@@ -49,6 +49,14 @@ generate_host_keys() {
 	done
 }
 
+get_conf() {
+	awk "/^$1/{ print \$2 }" "$cfgfile" 2>/dev/null
+}
+
+conf_enabled() {
+	[ "$(get_conf "$1")" = "yes" ]
+}
+
 depend() {
 	use logger dns
 	after entropy
@@ -58,7 +66,7 @@ depend() {
 	else
 		local x warn_addr
 		# shellcheck disable=SC2013
-		for x in $(awk '/^ListenAddress/{ print $2 }' "$cfgfile" 2>/dev/null) ; do
+		for x in $(get_conf ListenAddress) ; do
 			case "$x" in
 				0.0.0.0|0.0.0.0:*) ;;
 				::|\[::\]*) ;;
@@ -75,7 +83,16 @@ depend() {
 	fi
 }
 
+update_command() {
+	if conf_enabled KerberosAuthentication || conf_enabled GSSAPIAuthentication && [ -r /usr/sbin/sshd.krb5 ]; then
+		command="${SSHD_BINARY:-"/usr/sbin/sshd.krb5"}"
+	elif conf_enabled UsePAM && [ -r /usr/sbin/sshd.pam ]; then
+		command="${SSHD_BINARY:-"/usr/sbin/sshd.pam"}"
+	fi
+}
+
 checkconfig() {
+	update_command
 	warn_deprecated_var SSHD_BINARY
 	warn_deprecated_var SSHD_CONFDIR
 	warn_deprecated_var SSHD_CONFIG cfgfile
@@ -105,16 +122,14 @@ start_pre() {
 	checkconfig
 }
 
-stop() {
+stop_pre() {
+	update_command
 	if [ "${RC_CMD}" = "restart" ] ; then
 		checkconfig || return 1
 	fi
+}
 
-	ebegin "Stopping $RC_SVCNAME"
+stop_post() {
-	start-stop-daemon --stop --exec "$command" \
-		--pidfile "$pidfile" --quiet
-	eend $?
-
 	if [ "$RC_RUNLEVEL" = "shutdown" ]; then
 		_sshd_pids=$(pgrep "${command##*/}")
 		if [ -n "$_sshd_pids" ]; then